RE: [ISN] Researchers predict worm that eats the Internet in 15 minutes

From: InfoSec News (isnat_private)
Date: Wed Oct 23 2002 - 23:47:18 PDT


    Forwarded from: Ryan Counts <webmasterat_private>

    I hate to say it, but getting organizations to release patches
    to security holes is only 10% of the cure.  If I remember right,
    either Code Red or Nimda (or both, I can't find the emails that
    corroborate my thoughts) targeted security holes that Microsoft had
    already released patches for; not to mention a properly configured
    server (simple things such as setting the webroot to any other drive
    than C, and disabling unused virtual hosts and services) eliminated
    the threat.

    So, why did these worms succeed?  Poor security policies; poor
    maintenance and non-updated operating systems.  Is this really
    Microsoft's fault, or the organizations that either don't hire
    experienced personnel or have lazy or overtaxed admins?  My vote is
    for the latter, and it's a situation that has no clear solution.  I
    can almost guarantee you that if a worm outbreak such as the one
    described in this article occurs, it will probably use an old, well
    known security hole that's been addressed by the manufacturer.  And no
    matter whether the worm targets Windows, Unix, Linux, OSX or all of
    the above, the worm will owe its success to the same factors that made
    Nimda so successful.

    In my opinion, the critical question is how to fix this problem.  Do
    we require IT personnel to get a license before practicing
    administration like doctors and hold them accountable?  Do we fine
    companies for not keeping their hardware and software maintained?  Or
    do we hand out a bunch of Etch-a-Sketches?
    -----Original Message-----
    From: owner-isnat_private [mailto:owner-isnat_private] On Behalf
    Of InfoSec News
    Sent: Wednesday, October 23, 2002 12:55 AM
    To: isnat_private
    Subject: Re: [ISN] Researchers predict worm that eats the Internet in 15

    Forwarded from: Russell Coker <russellat_private>

    On Tue, 22 Oct 2002 10:56, InfoSec News wrote:
    > By Ellen Messmer
    > Network World Fusion
    > 10/21/02
    > The three authors of the research, published two months ago, present
    > a future where worm-based attacks use "hit lists" to target
    > vulnerable Internet hosts and equipment, such as routers, rather
    > than scanning aimlessly as the last mammoth worm outbreaks, Nimda
    > and Code Red, did last year. And this new breed of worms will carry
    > dangerous payloads to allow automated denial-of-service and file
    > destruction through remote control.
    Let's talk about "dangerous payloads".  A large part of the problem
    here is that daemons get too much access to a typical server.
    There's no need for a daemon to have access to write any file on the
    system (root access on a typical Unix machine).  POSIX capabilities
    combined with non-root operation are a good step in the right
    direction but still aren't as comprehensive as you would like.  Also,
    POSIX capabilities don't work well when a program has a need to change
    UIDs or write files owned by other users on occasion.

    Any decent Mandatory Access Control scheme should allow the daemons to
    be restricted enough that they have minimal opportunities to do
    damage.  Even a compromised sshd should not result in the server being

    However, if "dangerous payload" means a DoS attack on
    then that's something that is probably impossible to prevent.
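The "non-root operation" Coker describes above is the part of his advice that any daemon can implement itself, without capabilities or a MAC system. The following is an added example written for this page, not code from the thread or from any project mentioned in it: a Linux daemon-style privilege drop in Python, done in the order that actually works (supplementary groups, then gid, then uid, all three uid slots at once so no saved root id survives), followed by the check a careful daemon should make before it starts serving. The uid/gid 65534 ("nobody") and the path `/etc/passwd` used for the writability check are assumptions; when the script is not started as root it "drops" to its own ids so the checks can still be exercised.

```python
"""Added example (not from the ISN thread): daemon-style privilege drop on
Linux, illustrating the point that a daemon should not keep root's ability
to write arbitrary files.  Uid/gid 65534 ("nobody") is an assumption."""
import os
import sys

NOBODY_UID = 65534   # assumption: "nobody" on most distributions
NOBODY_GID = 65534


def choose_target_ids():
    """Root drops to nobody; an unprivileged caller 'drops' to its own ids
    so the verification logic below runs without sudo."""
    uid = NOBODY_UID if os.geteuid() == 0 else os.getuid()
    gid = NOBODY_GID if os.getegid() == 0 else os.getgid()
    return uid, gid


def drop_privileges(uid, gid):
    """Permanently switch to uid/gid.

    Order matters: supplementary groups first, then gid, then uid, because
    once the effective uid is no longer 0 the earlier two calls fail with
    EPERM.  setres*() set real, effective and saved ids together, so there
    is no saved root id left for a later setuid(0) to recover."""
    if os.geteuid() == 0:
        os.setgroups([])   # shed supplementary groups inherited from root's login
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)


def privileges_are_dropped(expected_uid):
    """True only if all three uids match and root cannot be regained.
    A daemon should refuse to serve when this returns False."""
    if os.getresuid() != (expected_uid, expected_uid, expected_uid):
        return False
    if expected_uid != 0:
        try:
            os.setuid(0)
        except PermissionError:
            return True     # regaining root is refused: the drop is permanent
        return False        # setuid(0) succeeded: the drop was not permanent
    return True


def can_write(path):
    """Write access under the current effective ids; False is the desired
    answer for system files once the daemon has dropped root."""
    return os.access(path, os.W_OK)


if __name__ == "__main__":
    target_uid, target_gid = choose_target_ids()
    # ... privileged setup (e.g. bind() on port 80) belongs before this line ...
    drop_privileges(target_uid, target_gid)
    if not privileges_are_dropped(target_uid):
        sys.exit("still privileged, refusing to serve")
    print("serving as uid %d; /etc/passwd writable: %s"
          % (os.getuid(), can_write("/etc/passwd")))
```

Two design points worth noting: `setresuid()` is used instead of `setuid()` because on some systems `setuid()` from a non-root euid changes only the effective id and leaves the saved root id in place, which is exactly the "can the worm's payload get root back?" question the check answers; and the writability probe uses `os.access()` rather than opening the file, so the check itself never modifies anything.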

    This archive was generated by hypermail 2b30 : Thu Oct 24 2002 - 02:48:52 PDT