[ISN] It's Not Paranoia When It's the Truth

From: InfoSec News (isnat_private)
Date: Wed Sep 17 2003 - 22:38:12 PDT


By Peter Coffee
September 17, 2003

When it comes to computer and network security, I'm moving toward the doctrine adopted by Sangamon Taylor for nighttime bicycle safety. "I assume I'm wearing fluorescent clothes, and there's a million-dollar bounty going to the first driver who manages to hit me. And I ride on that assumption," says Neal Stephenson's fictional toxic-waste vigilante in the 1988 novel, "Zodiac."

Taylor's approach is beginning to seem like the only viable strategy for Internet self-defense. "I assume that everyone in a car is out to get me," Taylor ruminates. "My nighttime attitude is, anyone can run you down and get away with it." If your safety depends on anyone perceiving that you're in danger, and actually making any effort not to kill you, he concludes, "you've already blown it." Bingo.

That's the network environment in which we live, where even the aggregate bandwidth consumed by millions of Windows Update users is beginning to look like a denial-of-service attack on the Internet as a whole. The cure is almost as bad as the disease.

In fact, so hostile has the environment become that the anti-virus instructions page at MIT, in Cambridge, Mass., instructs all users of Institute facilities: "To prevent your machine from being compromised while you are applying the patch, Network Security encourages users to implement port filtering described at http://web.mit.edu/net-security/prevent-reinfection.html." Based on eWEEK Labs experience during past worm episodes, I'd call that good advice: We've seen systems attacked multiple times during the period required to download the latest patches following an out-of-the-box
What really drove the point home was a little item I saw at The Inquirer, concerning the ease with which an attacker can reinstall a vulnerable version of an ActiveX control that might have been previously, conscientiously, removed from a machine. "If some evil mail or website tries to introduce it to your system you'll get the standard popup, much like the one you get on Office Update," observed writer Rick Reroy, continuing, "Click 'Yes,' and your computer is ripe for a reinstallation. You can save that click if you on a previous occasion checked the box that says 'Always trust content from Microsoft Corporation' (what were you thinking?)"

I'm thinking that the system not only comes out of the box unsafe, it almost appears designed to ensure that it stays that way.

And if I may borrow Reroy's question, I'd like to know what Microsoft itself is thinking when it can't even give consistent warnings on its own Web pages concerning the latest RPC-borne worm. At one URL, the company warns its enterprise and developer customers that "Microsoft tested Windows Millennium Edition, Windows NT Workstation 4.0, Windows NT Server 4.0, Windows NT Server 4.0, Terminal Server Edition, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities."

That same page, however, offers a link to an "end user version" of this bulletin, where we learn that "Windows 98, Windows 98 Second Edition (SE), and Windows 95 also are not affected by this issue. However, these products are no longer supported." Am I the only one who finds the second statement much more useful than the first, and wonders why enterprise buyers don't get the same story right up front?

What I'm also thinking is that it's worth the effort to dismiss, many times an hour, the warnings that I get from Norton Internet Security about what's attempting to access my system, and how. I'm thinking that it's worth the effort to "stealth" all of my ports to minimize the chance that an attack even comes my way. I'm thinking like a bicyclist on a dark night on Storrow Drive, winding along the Charles River between Boston and Cambridge, as the bars close and the drunks all head for home.
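The MIT advice quoted earlier (filter inbound ports before the patch is on) and the column's own "stealth all of my ports" both amount to the same defensive posture: a host should drop unsolicited inbound traffic by default before it is exposed to the network, and the administrator should know which listeners would otherwise have been reachable during the patch window. The script below is an added example, not code from the column, eWEEK or MIT; it assumes a modern Windows host with the built-in NetSecurity cmdlets and an elevated session, and the port list it watches is an illustrative assumption rather than anything the column specifies.

```powershell
# Added example (not from the column or from MIT/eWEEK): put a Windows host into a
# "stealth" inbound posture before it is connected for patching, then show what
# would otherwise have been reachable. Needs an elevated PowerShell session and the
# NetSecurity module (Windows 8 / Server 2012 and later).
# Assumption: the watched port list below is illustrative only; derive your own
# list from an exposure review of the host.

function Set-StealthInboundPosture {
    # Enable the firewall on every profile and drop unsolicited inbound traffic by
    # default. Outbound stays open so Windows Update can still fetch the patches.
    Set-NetFirewallProfile -Profile Domain,Private,Public `
        -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow
}

function Get-ExposedListeners {
    param(
        # Illustrative ports (assumption): RPC endpoint mapper, NetBIOS session, SMB.
        [int[]]$WatchPorts = @(135, 139, 445)
    )
    # Anything listening on the wildcard address is reachable from the network the
    # moment the default-block posture is relaxed, so list it for the patch-window review.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') -and $_.LocalPort -in $WatchPorts } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ Port = $_.LocalPort; Process = $proc.ProcessName }
        }
}

function Test-StealthPosture {
    # Confirm every profile is enabled with inbound blocked before the cable goes in.
    $bad = Get-NetFirewallProfile |
        Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -ne 'Block' }
    if ($bad) {
        Write-Warning ("Not stealthed: " + ($bad.Name -join ', '))
        return $false
    }
    return $true
}

Set-StealthInboundPosture
Get-ExposedListeners | Format-Table -AutoSize
Test-StealthPosture
```

Run it before the machine is plugged in, and keep the inbound-block default in place until the patches have installed and rebooted; the listener report is what tells you which services the filtering was protecting in the meantime.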
At least, for the most part, the drunks actually had to pass a driving test: Too many Internet users lack even that level of preparation.

So you might as well behave as if they're all out to get you on purpose. Accident or malice, it doesn't much matter when the bumper hits you in the back.
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Thu Sep 18 2003 - 01:18:15 PDT