Full Disclosure mailing list archives

RE: RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!


From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Sun, 26 Jan 2003 23:48:54 -0600

-----Original Message-----
From: hellNbak [mailto:hellnbak () nmrc org] 
Sent: Sunday, January 26, 2003 11:11 PM
To: Schmehl, Paul L
Cc: Ron DuFresne; Full-Disclosure
Subject: RE: [Full-disclosure] RE: MS SQL WORM IS DESTROYING INTERNET BLOCK PORT 1434!

On Sun, 26 Jan 2003, Schmehl, Paul L wrote:

This simply shows your ignorance of the issues, Ron.  Port 1434 was
not a normal port for SQL server *until* MSDE came out.  We obviously
blocked 1433 long ago, as did almost every edu in the universe.  But
1434 was a recent "innovation" to make SQL server capable of running
multiple instances on multiple ports.

Ummm, Paul -- whatever happened to the first rule (maybe it's the second
or third perhaps) of building a firewall -- "deny all" and only allow
outgoing/incoming what you need.  Even if you were not aware of 1434
being used, it should have been blocked by default by any firewall admin
with a clue.

No, with a clue *and* permission.  I'd be really surprised to find a
single edu that has a "deny all" stance.  Worldwide.  That is a complete
paradigm shift for edu.  Fortunately, the med schools are being forced
to do that now due to HIPAA, and hopefully it will be true some day in
all of edu.  For now, very few edus even have firewalls, much less a
"deny all" policy.

It's time some folks got a grasp on reality.  I have a deny all policy
on every box that I control, but for the entire network?  Good luck.
Maybe some day, after edus have suffered enough that the upper
administration and the faculty get some clues, but not today.  Not in
edu.  I wish it were true.

Now you're being silly.  I'm certain that every edu in the world was 
rushing to close port 1434 yesterday.  But the horse was already out 
of the barn.

I know a few that did not have to bother -- even with unpatched SQL boxes
-- for the simple reason I stated above -- no traffic was allowed from the
net to the boxes anyways.

I'd be real interested to hear the names of any edus that 1) have a
firewall and 2) have a "deny all" policy in place and *implemented*.

That is great to hear.  Let's hope that you are not the benchmark but
only the baseline at most.  Perhaps some of the .edu admins need to
first understand that they are an .edu and educate themselves on
basic network design concepts and security.  And no Paul, I am not
referring to you specifically either.

There are others in edu who are much more knowledgeable than I.  I
certainly wouldn't call myself an expert.  But I haven't found anyone in
edu in the security or networking areas that doesn't know what needs to
be done and devoutly wishes they could implement it.

As far as waiting for vendors to fix things goes, why do you think 
I've abandoned MS products at work and refuse to use them for any of 
my security related work?

Huh?  That makes zero sense in the real world - there is always a work
around, there are always ways to mitigate risk.  Besides, there are a good
handful of non-MS product holes that have not been fixed in quite
some time.  But making the blanket statement -- I refuse to use "them"
for any of my security related work -- is plain ignorant.  Granted,
for specific security tasks there are better products out there to
use other than MS ones.

Given your last statement is true, then why should I use MS products for
security?

1) I don't trust MS products for security related tasks.  The idea of
implementing a firewall based on an MS OS scares the hell out of me.  2)
Their performance sucks.  Compared to *nix based products, it takes
twice the box to do the same job - whether it's scanning for
vulnerabilities or using an IDS, setting up a firewall, you name it.
And then there's the cost.  ISS wants 6 figures (for software and the
necessary equipment) to scan for vulnerabilities.  Why should I spend
the few precious dollars we have for that when I can use nmap and nessus
and get better results?

Blaming the admins for what happened is akin to prosecuting a woman
for being raped.  Instead of going after the perpetrators who wrote
and released the worm, you want to go after the admins whose networks
were taken advantage of.  And you *assume* they were lazy, incompetent
or any of the other pejoratives that make you feel better about
yourself.

No, it is more like blaming the woman for not even attempting to protect
herself.

And here I thought we'd progressed into the 21st century.  It is *never*
the victim's fault, no matter the provocation, for a crime having been
committed against them.  Never.  Their behavior might mitigate the
criminal's punishment, but it does not excuse the crime.

Come on Paul, how long have we had problems with *ALL* software and 
required patches??

Since software was first written.

Any admin worth his paycheck knows that systems need patching.  I personally
don't assume that they were lazy or incompetent as I have experienced the
various politics around patching servers, change control, etc etc.... but
there are few organizations that do not have a specific IT Security role
anymore

We just got ours in September, 2002.

-- at a minimum these guys should be alerting admins about patching boxes

Hell, I've been doing that for four years - long before I got this
position.  I sent the notice on this particular problem in July, when
the patch was first announced.  We still had six boxes hit.  Most were
on desktops in schools, in places we weren't aware of.

-- it's not like this was a zero day.  Thinking that we will get secure and
useful out of the box is a dream -- it won't happen; as soon as you open up
services you open up risk.  Of course we can all be 100% patched and still
get owned but at least in this specific case the worm would not have spread
as easily as it did.

All that is true.  But the admins whose networks got hit *still* didn't
release the worm.  I know very good admins, in very tight networks, who
got taken completely by surprise by one remote user who connected to the
network before they could detect them.  It's real easy to kneejerk and
blame them for the problem.  All I can say is, walk a mile in their
shoes.  Until you've been responsible for 10,000 desktops of every size,
shape and description, you have no idea what you're talking about.  Talk
is cheap.

If this is truly the case Paul then you have my sympathy.

I'm not looking for sympathy.  I'm trying to point the blame for these
problems at the real culprits.

But I really want to say WTF -- they are a freakin educational institution --
you would think they know a thing or two.

Knowledge is one thing.  The power to implement what you know is another
entirely.

Perhaps some litigation over being a launching point for an attack will
straighten things out.

Sure it will!  You'll fill a few lawyers' pockets and leave the admins
behind with less money now than they had before.  Now *there's* a
"solution" that has real merit.

For those of you smartass know-it-alls that think you've got the tiger
by the tail, here's a suggestion for you - volunteer your time to some
of the local educational institutions.  Pick a non-profit in your local
area and help them with their network.  Do some fund raising to get them
the equipment they need.  Or donate the equipment you throw out because
it's "out of date".  DO something about the problem instead of bitching
about it in the lists and blaming the poor admins who have no power to
fix it.

I don't think anyone can completely control their work situation.  
We all have to deal with BS politics and actually prove the risk 
before some pointy haired boss agrees to the change.  This is a 
reality inside the .edu and outside.  Perhaps the .edu admins and 
security guys need to do a better job in proving the risk.  Tie 
the risk to actual costs in bandwidth and loss of reputation etc... 
would these tactics not work in an .edu environment?

They help.  I never miss an opportunity to use an incident like this to
ask for permission to implement better solutions.  Sometimes I implement
them first and get chewed out later.  Whatever gets the job done.  But
the larger the institution, the more difficult it is for the poor grunts
who do the work to get anything substantive done.

Why not blame the networks that allow these jerks to release their
worms, run their DDoS networks and do all the other crap they do?  Why
is it still possible to host a website on the Internet that freely
makes worms, viruses and exploit code available to the world?  (Yeah,
I know, it's a freedom of speech issue, right?  Yeah, right!)

No Paul, to me this isn't a freedom of speech thing.  It is a learning 
thing -- many (including me) crave to learn and know what the .edu 
system cannot teach.

I have no problem with that.  Just learn it in a controlled environment
that *you* own.  Learning it at someone else's expense is theft - pure
and simple.

Some people have cried for litigation to "force" networks to "clean up"
and get rid of "lazy" admins.  How about we ask for legislation to put
hackers away for life?  Would you like that?

A lot of common sense is required to know what is right and what is
wrong but taking the information off of the Internet won't solve the
problems.  What, do we bust down doors and take everyone's computer
books away and burn them?  Do we lock up the RFCs and only let
Microsoft, Sun, Cisco, HP, etc... see them (control them)?  What
about computer science courses and all those guys with the BSc
and PhD in computer sciences?  Shit, we had better lock them up cause
they are terrorists, right?

No, that's silly.  But when someone "experiments" and takes down
networks, stop blaming the networks for the problem.  Blame the person
responsible.

Removing the information from the Internet won't stop its flow and 
won't stop the malicious from using what they learn via other channels.

So we should just give up?

Did it ever occur to you that my posts might also be informational and
educational?  That they might influence someone *not* to experiment with
other people's networks?

The least we all can do as IT guys and IT Security guys is raise the 
fucking bar a little.  Right now a 12 year old MafiaBoy wanna-be with 
even less knowledge can take out portions of the net -- what does that 
tell you?

It tells me there's a large gap between utopia and reality.

The worst change control procedure I have ever experienced took
30-45 days for a "critical" patch to be lab tested, packaged and
pushed out.  This organization was still patched in time.

What's change control?  ;-)

Look, do admins need to do better?  Of course they do.  Do networks need
to take security more seriously?  Of course they do.  But stop blaming
the networks every time there's a problem.  Blame the culprits who
release these bugs.  If it wasn't considered so gosh darn cool to
release something that takes down the Internet, maybe fewer people would
consider doing it.

As long as they can hide in the smoke of the blame game, they'll keep
releasing bugs.  When everybody gets focused on the real problem -
people who don't give a damn how they hurt others - then *maybe* some of
this will stop.

Meanwhile, I have work to do, and I've pretty much said my piece, so
y'all can hash it over here and talk about how stupid my ideas are.  I'm
done with this.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/~pauls/
AVIEN Founding Member 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
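The "deny all" argument in the exchange above, as an added example that is not part of the thread or of anyone's posted code: a small Python model of the two firewall stances being argued over, a blocklist that only knew about 1433/tcp beside a default-deny policy that opens only the services you mean to expose. The rules, the "intended" services (web and mail) and the sample traffic are constructed for illustration; the one fact brought in from outside the page is that the SQL Server resolution service the worm hit listens on UDP 1434, not TCP.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """One datagram as a packet filter sees it (constructed for the example)."""
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    direction: str   # "in" (from the net) or "out" (to the net)


@dataclass(frozen=True)
class Rule:
    """A filter rule; a None field is a wildcard and matches anything."""
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None
    dport: Optional[int] = None
    direction: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.direction is None or self.direction == pkt.direction)
        )


def evaluate(rules: List[Rule], default: str, pkt: Packet) -> str:
    """First-match evaluation; a packet no rule matches gets the default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Stance 1 (hypothetical blocklist): allow everything inbound, deny only the
# ports the admin already knew were dangerous.  Here that is 1433/tcp alone.
BLOCKLIST_RULES = [Rule("deny", proto="tcp", dport=1433, direction="in")]
BLOCKLIST_DEFAULT = "allow"

# Stance 2 (hypothetical default-deny): deny everything, then open only the
# services deliberately exposed (assumed here: a web server and a mail server)
# and let the inside talk out.
DEFAULT_DENY_RULES = [
    Rule("allow", proto="tcp", dport=80, direction="in"),
    Rule("allow", proto="tcp", dport=25, direction="in"),
    Rule("allow", direction="out"),
]
DEFAULT_DENY_DEFAULT = "deny"


def classify(pkt: Packet) -> Dict[str, str]:
    """Verdict of each stance for one packet."""
    return {
        "blocklist": evaluate(BLOCKLIST_RULES, BLOCKLIST_DEFAULT, pkt),
        "default_deny": evaluate(DEFAULT_DENY_RULES, DEFAULT_DENY_DEFAULT, pkt),
    }


# Constructed sample traffic: the port everyone blocked (1433/tcp), the
# resolution-service port the worm actually used (1434/udp), an intended
# service and a service nobody meant to expose.
SAMPLE_TRAFFIC = [
    Packet("tcp", 1433, "in"),
    Packet("udp", 1434, "in"),
    Packet("tcp", 80, "in"),
    Packet("tcp", 22, "in"),
]


def unexpected_exposure(traffic: List[Packet]) -> Dict[str, List[Packet]]:
    """Inbound packets each stance admits to a port that was never meant to be
    exposed.  'Meant to be exposed' is the explicit allow set of the
    default-deny stance, so the blocklist is judged against the same intent."""
    intended = {
        (r.proto, r.dport)
        for r in DEFAULT_DENY_RULES
        if r.action == "allow" and r.dport is not None
    }
    exposed: Dict[str, List[Packet]] = {"blocklist": [], "default_deny": []}
    for pkt in traffic:
        if pkt.direction != "in" or (pkt.proto, pkt.dport) in intended:
            continue
        for stance, verdict in classify(pkt).items():
            if verdict == "allow":
                exposed[stance].append(pkt)
    return exposed


if __name__ == "__main__":
    for pkt in SAMPLE_TRAFFIC:
        print(pkt, classify(pkt))
    print("unexpected exposure:", unexpected_exposure(SAMPLE_TRAFFIC))
```

The point the model makes is the one hellNbak raises: under the blocklist stance a port the admin had never heard of (1434/udp) sails through, while under default-deny it is dropped without anyone having known to block it. `unexpected_exposure` is the check worth running against a real ruleset: list every inbound port the policy admits and compare it with the list of services you actually intended to expose.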

