http://www.eweek.com/article2/0,4149,1271385,00.asp

By Peter Coffee
September 17, 2003

When it comes to computer and network security, I'm moving toward the doctrine adopted by Sangamon Taylor for nighttime bicycle safety. "I assume I'm wearing fluorescent clothes, and there's a million-dollar bounty going to the first driver who manages to hit me. And I ride on that assumption," says Neal Stephenson's fictional toxic-waste vigilante in the 1988 novel, "Zodiac."

Taylor's approach is beginning to seem like the only viable strategy for Internet self-defense. "I assume that everyone in a car is out to get me," Taylor ruminates. "My nighttime attitude is, anyone can run you down and get away with it." If your safety depends on anyone perceiving that you're in danger, and actually making any effort not to kill you, he concludes, "you've already blown it."

Bingo. That's the network environment in which we live, where even the aggregate bandwidth consumed by millions of Windows Update users is beginning to look like a denial-of-service attack on the Internet as a whole. The cure is almost as bad as the disease.

In fact, so hostile has the environment become that the anti-virus instructions page at MIT, in Cambridge, Mass., instructs all users of Institute facilities: "To prevent your machine from being compromised while you are applying the patch, Network Security encourages users to implement port filtering described at http://web.mit.edu/net-security/prevent-reinfection.html."

Based on eWEEK Labs experience during past worm episodes, I'd call that good advice: We've seen systems attacked multiple times during the period required to download the latest patches following an out-of-the-box installation.

What really drove the point home was a little item I saw at The Inquirer, concerning the ease with which an attacker can reinstall a vulnerable version of an ActiveX control that might have been previously, conscientiously, removed from a machine.
"If some evil mail or website tries to introduce it to your system you'll get the standard popup, much like the one you get on Office Update," observed writer Rick Reroy, continuing, "Click 'Yes,' and your computer is ripe for a reinstallation. You can save that click if you on a previous occasion checked the box that says 'Always trust content from Microsoft Corporation' (what were you thinking?)"

I'm thinking that the system not only comes out of the box unsafe, it almost appears designed to ensure that it stays that way. And if I may borrow Reroy's question, I'd like to know what Microsoft itself is thinking when it can't even give consistent warnings on its own Web pages concerning the latest RPC-borne worm.

At one URL, the company warns its enterprise and developer customers that "Microsoft tested Windows Millennium Edition, Windows NT Workstation 4.0, Windows NT Server 4.0, Windows NT Server 4.0, Terminal Server Edition, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities."

That same page, however, offers a link to an "end user version" of this bulletin, where we learn that "Windows 98, Windows 98 Second Edition (SE), and Windows 95 also are not affected by this issue. However, these products are no longer supported." Am I the only one who finds the second statement much more useful than the first, and wonders why enterprise buyers don't get the same story right up front?

What I'm also thinking is that it's worth the effort to dismiss, many times an hour, the warnings that I get from Norton Internet Security about what's attempting to access my system, and how. I'm thinking that it's worth the effort to "stealth" all of my ports to minimize the chance that an attack even comes my way.
I'm thinking like a bicyclist on a dark night on Storrow Drive, winding along the Charles River between Boston and Cambridge, as the bars close and the drunks all head for home. At least, for the most part, the drunks actually had to pass a driving test: Too many Internet users lack even that level of preparation. So you might as well behave as if they're all out to get you on purpose. Accident or malice, it doesn't much matter when the bumper hits you in the back.