Post #77,473
1/28/03 2:31:43 AM
Re: The other question: Why so many net-connected SQL serve
kmself wrote:
The other question is: why were all these MS SQL Server nodes on the open Net? I'm starting to suspect many of them weren't actual SQL Server hosts, but boxes with a SQL Server runtime as part of an associated service, the Microsoft SQL Desktop Engine (MSDE).
That was what some of us-all (Ben Tilly? Peter?) were saying on the Jabber conference, right around the time Sam Varghese, the Australian IT reporter, sent me e-mail asking me that very question. (Apologies to Ben and/or Peter if I failed to attribute their ideas to them, in answering Sam's question. I honestly didn't know my e-mail reply to Sam was going to end up [link|http://smh.com.au/articles/2003/01/27/1043533995068.html|in print].)
Certainly, Win2k containing MSDE is a partial explanation to the otherwise puzzling question of why the frell people are doing something so extremely whacked (leaving MS SQL Server fully exposed to the Internet, and then failing to apply 6-month-old patches for remote-exploit vulnerabilities).
But my mind is still boggling that so many people are really that stupid. I guess I just can't imagine putting a host on an Internet-facing network without knowing exactly what's reachable on it -- since those are obvious points of attack from anywhere else in the world.
I especially find this hard to picture given how pigheaded most businesses are about trapping everyone and everything behind "firewalls" -- either filtering routers that permit next to nothing through, or application-level proxy gateways that let nothing at all through. The whole idea of that security model is to permit only maybe one or two specially designated hosts (if even that) be fully exposed to the Internet, and then watch 'em like a hawk.
So, hey, I guess all I can say is that if people so flamboyantly screw up even that simple and failsafe a security model, then there's a serious need for corrective education (or something!).
Accordingly, I guess WAN/LAN consultants (and such) to business should always security-scan customers' Internet-facing hosts (with permission), regardless of whether they so request. It seems there's a big problem out there.
Rick Moen rick@linuxmafia.com
If you lived here, you'd be $HOME already.
Post #77,478
1/28/03 5:17:19 AM
So many people don't understand firewalls.
Which I'm sure you already know.
I had a manager once who thought that a Linux firewall would protect his IIS servers from exploits. "Umm, no" I said and proceeded to explain why.
Wade, who no longer supports Microsoft Internet technology.
Is it enough to love / Is it enough to breathe / Somebody rip my heart out / And leave me here to bleed
Is it enough to die / Somebody save my life / I'd rather be Anything but Ordinary / Please
-- "Anything but Ordinary" by Avril Lavigne.
Post #77,481
1/28/03 5:38:29 AM
Re: So many people don't understand firewalls.
Wade wrote:
So many people don't understand firewalls. Which I'm sure you already know.
I had a manager once who thought that a Linux firewall would protect his IIS servers from exploits. "Umm, no" I said and proceeded to explain why.
Wow.
That's pretty much epic-scale incomprehension: He didn't even figure out that there's an inside and an outside. People who understand the concept of "firewall"[1] even a little will guess that it involves a perimeter. I would hope most laymen grok at least that much without assistance, just from the word alone.
[1] The metaphor derives from the solid firebreak wall separating humans from engines, in locomotives and automobiles.
Rick Moen rick@linuxmafia.com
If you lived here, you'd be $HOME already.
Post #77,483
1/28/03 5:54:08 AM
Re: So many people don't understand firewalls.
The general skill level among the corporate admin class is very low in my experience.
-drl
Post #77,529
1/28/03 9:49:07 AM
Ahh.. the IT ignorant in its native environment....
That was very good Rick... I chuckled... that is a rarity lately involving IT in general. Epic-scale... oh yeah... even when spending 45,000USD on a solution that SUCKS... and doesn't even provide all the functionality of the FREE netfilters out there. Illusions are great... ;) But...
People who understand the concept of "firewall"[1] even a little will guess that it involves a perimeter. I would hope most laymen grok at least that much without assistance, just from the word alone.
and this
[1] The metaphor derives from the solid firebreak wall separating humans from engines, in locomotives and automobiles.
I have to agree, that's where it came from for the current incarnation... but THEY got it from the original one meaning a fire containing wall originally termed for firing ovens of various kinds in the middle 1400s (can't find a reference right now) grrr... saturation still affecting certain places I guess... ):
[link|mailto:curley95@attbi.com|greg] - Grand-Master Artist in IT | [link|http://www.iwethey.org/ed_curry/|REMEMBER ED CURRY!] [link|http://pascal.rockford.com:8888/SSK@kQMsmc74S0Tw3KHQiRQmDem0gAIPAgM/edcurry/1//|ED'S GHOST SPEAKS!] | Heimatland Geheime Staatspolizei reminds: These [link|http://www.whitehouse.gov/pcipb/cyberstrategy-draft.html|Civilian General Orders], please memorize them. "Questions" will be asked at safety checkpoints. |
Post #77,644
1/28/03 7:52:34 PM
Firewalls
Rick is pretty well right - the firewall was to prevent fire from an engine reaching the occupants - it was implemented in 1st WW aircraft due to so many pilots being burned alive when these guys figured out they could shoot at each other in the air and which usually required setting the engine on fire (bullets usually did little control damage to the frame).
Of course when cars started colliding the issue of engine fires also encouraged the implementation of firewalls, but surprisingly it seems aircraft may have come first.
What I can tell you is that the firewall was not invented by the Irish to protect their low cost stoves manufactured from hardwood (how do I know that <grin>, one side of my family were Irish immigrants to NZ who were well known there for a range of stoves called the 'HAYES Cooker'). <vb grin>
Cheers
Doug
Post #77,651
1/28/03 8:28:32 PM
Yep.
That's pretty much epic-scale incomprehension: He didn't even figure out that there's an inside and an outside. People who understand the concept of "firewall" even a little will guess that it involves a perimeter. I would hope most laymen grok at least that much without assistance, just from the word alone.
"Epic-scale incomprehension" sums it up fairly well. As does "willfully ignorant". He had deliberately chosen to run his webhosting business on Windows 2000 and IIS - he wasn't impressed about subsequently spending several hours bringing all his web servers up to date with MS hotfixes, IIRC, but he knew enough not to take it out on me.
He did understand "inside" and "outside" the firewall, actually, to a limited degree. It was how the port-forwarding worked that he hadn't grasped. The guy had inherited a Linux firewall and some expertise (not me - I came later) when he bought his equipment and hadn't managed to replace it with a Windows solution.
Wade.
Post #77,645
1/28/03 7:53:01 PM
1/29/03 8:58:11 PM
No objections here
I wanted to see the point repeated - glad to see that it has been.
I also would like to point out that this worm is, unlike many, not an illustration of the dangers of a software monoculture. Estimates are what, 19,000 infected machines on the public internet? Go after a minority webserver, like webstar on the macintosh, and you have both more targets available and it isn't as easy to fix it just by blocking an obscure port that shouldn't really be open anyways...
Instead this is an illustration of what a well-executed attack on a minority platform looks like. A diverse computing platform means that you can get lots of little flus, but few deadly plagues. Well this (no matter how much Korea might think otherwise) is a minor flu...
Cheers, Ben
Update: I was wrong about 19000. I was apparently misremembering statistics about the number seen scanning one host (and should have said 16000). According to [link|http://ca.news.yahoo.com/030126/5/rioe.html|http://ca.news.yahoo...30126/5/rioe.html] the real figure is about 150,000 to 200,000. Presumably many of these are not readily accessible from the internet. Compare that to website listings at: [link|http://www.netcraft.com/Survey/Reports/0301/|http://www.netcraft....vey/Reports/0301/] (Note that websites ≠ machines, but the above list is all stuff that is visible on the internet.)
"good ideas and bad code build communities, the other three combinations do not" - [link|http://archives.real-time.com/pipermail/cocoon-devel/2000-October/003023.html|Stefano Mazzocchi]
Edited by ben_tilly
Jan. 29, 2003, 08:58:11 PM EST
Post #77,713
1/29/03 1:58:35 AM
Re: No objections here
Ben wrote:
I also would like to point out that this worm is, unlike many, not an illustration of the dangers of a software monoculture.
This is an excellent point, and thank you for making it.
Once I got over sheer astonishment that people would allow this sort of vulnerability to persist on Internet-facing systems, I mulled over what the technical community might do to help -- and, for that matter, what business opportunities this presents. One obvious fact is that these people never cultivated the habit of portscanning their outside networks. I considered doing an article, pitched so that any businessman can understand it, explaining how to do that using, say, nmap and snort, both of which can be run straight from a downloadable [link|http://www.lnx-bbc.org/|LNX-BBC] mini-disc. I think I could do that successfully.
But the difficult part would be explaining how to interpret those results. OK, so host foo has active processes listening on TCP ports blah blah: How do you teach them how to determine what that is, and whether they want to continue running it?
I'll bet it wouldn't be difficult to make a dedicated bootable image that portscans a specified network and then reports back, in fairly human-friendly language, what was found. It could even be packaged in an embedded device with a cheap processor.
Rick Moen rick@linuxmafia.com
If you lived here, you'd be $HOME already.
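The "interpret the scan results" step Rick describes above, as an added example that is not part of the original thread: a small Python script that parses nmap's grepable (-oG) output from a scan of one's own Internet-facing hosts and reports each reachable service in plain language, flagging Microsoft SQL Server's ports (TCP 1433, UDP 1434, the latter also present in MSDE) as things that must not be reachable from outside. The sample scan output, the host addresses and the explanation table are all constructed for this example.

```python
# Added example (not from the thread): describe nmap -oG output in plain language.
# The scan below, its addresses and the explanation table are constructed.
SAMPLE_GNMAP = """\
# Nmap 3.00 scan initiated Tue Jan 28 2003 as: nmap -sS -sU -oG - 192.0.2.0/29
Host: 192.0.2.10 (www.example.test)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.11 (erp.example.test)\tPorts: 135/open/tcp//loc-srv///, 1433/open/tcp//ms-sql-s///, 1434/open/udp//ms-sql-m///\tIgnored State: closed (997)
Host: 192.0.2.12 ()\tStatus: Down
"""
# Hand-written lookup: (port, protocol) -> (what it is, what to do about it).
EXPLANATIONS = {
    (80, "tcp"): ("web server (HTTP)", "normal for a public web site"),
    (443, "tcp"): ("secure web server (HTTPS)", "normal for a public web site"),
    (135, "tcp"): ("Windows RPC endpoint mapper", "should only be reachable inside the LAN"),
    (1433, "tcp"): ("Microsoft SQL Server", "must not be reachable from the Internet: patch it and block it"),
    (1434, "udp"): ("SQL Server resolution service (also in MSDE)", "must not be reachable from the Internet: patch it and block it"),
}
DATABASE_PORTS = {(1433, "tcp"), (1434, "udp")}

def parse_gnmap(text):
    """{host: [(port, state, proto, service), ...]}; entries are port/state/proto/owner/service/..."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the comment header and summary lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split(" ")[0]
        ports = []
        for entry in fields.get("Ports", "").split(","):
            entry = entry.strip()
            if entry:
                port, state, proto, _owner, service = entry.split("/")[:5]
                ports.append((int(port), state, proto, service))
        hosts[host] = ports
    return hosts

def explain(hosts):
    """One plain-English line per finding; unknown services are flagged rather than hidden."""
    out = []
    for host, ports in hosts.items():
        if not ports:
            out.append(f"{host}: nothing reachable")
        for port, state, proto, service in ports:
            what, verdict = EXPLANATIONS.get((port, proto),
                                             (service or "unknown service", "unrecognised: find out what it is"))
            out.append(f"{host}: {proto.upper()} port {port} is {state}: {what}; {verdict}")
    return out

def exposed_database_hosts(hosts):
    """Hosts answering on SQL Server ports from outside, the situation this thread is about."""
    return sorted(h for h, ports in hosts.items() if any((p, pr) in DATABASE_PORTS for p, _, pr, _ in ports))
```

Feeding `parse_gnmap` the file written by `nmap -oG` against your own external address range, then printing `explain(...)` and `exposed_database_hosts(...)`, gives the kind of human-readable report the post is asking for; the lookup table is deliberately small and anything it does not know is reported as something to investigate.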