Re: [ISN] InfoSec 2003: 'Zero-day' attacks seen as growing threat (Three more messages)

From: InfoSec News (isn@private)
Date: Mon Dec 29 2003 - 02:11:43 PST


    [This could go on forever, this is the last three messages for this 
    thread. - WK]
    
    Forwarded from: Ido Dubrawsky <idubraws@private>
    
    On Mon, Dec 22, 2003 at 04:24:58AM -0600, InfoSec News wrote:
    > Forwarded from: Harlan Carvey <keydet89@private>
    > 
    > Rob,
    > 
    > > I don't know about you but zero-day exploits frighten me.  They're
    > > absolutely terrifying.  I think we should either (a) nationalize
    > > the computer security industry or (b) dismantle the Internet as a
    > > national security threat.
    > 
    > I guess I can understand your point of view, but what about defense
    > in depth?  Looking at the entire security picture as a whole, it
    > would seem that even zero-day exploits may be extremely difficult to
    > deploy *IF* more folks take a more comprehensive approach to
    > security.
    > 
    > Take Slammer last year, for example.  Infrastructures that did not
    > expose UDP port 1434 to the Internet were not infected by the worm.  
    > Looking further back, folks running IIS 4.0 who'd taken the step to
    > disable ida/idq script mappings were not infected with Code Red.  
    > These aren't necessarily zero-day exploits, but the worms do
    > illustrate the lack of vision with regards to security.
     
    Not true.  Even those who did not expose UDP 1434 to the Internet were
    affected by employees bringing the worm in with laptops that had MSDE
    installed.  Also, Slammer's scanning caused some bandwidth issues for
    some service providers and at some peering points.  I agree with you
    that *IF* more people took a more comprehensive approach to security
    then the effects of zero-day exploits would be reduced...however, the
    reality is not the case.  It reminds me of my mother who would always
    tell me when she was driving: "I'm not so concerned about my driving
    which I know is good...I'm concerned about the OTHER person's
    driving." It's a communal effort and unless more people/companies wake
    up and smell the coffee, we're in for some rough rides ahead.
    
    My .02
    Ido
    
    -- 
    ===========================================================================
                            | Ido Dubrawsky, CISSP   E-mail: idubraws@private
         |          |       | Network Security Architect
        :|:        :|:      | VSEC Technical Marketing, SAFE Architecture Team
       :|||:      :|||:     | Cisco Systems, Inc.
    .:|||||||:..:|||||||:.  | Silver Spring, MD. 20902
    ===========================================================================
    
    
    -=-
    
    
    Forwarded from: Mike Fratto <mfratto@private>
    
    > Take Slammer last year, for example.  Infrastructures that did not
    > expose UDP port 1434 to the Internet were not infected by the worm.
    
    This is a classic mistake about worm propagation. Border protection
    does diddly squat when a remote user connects via some form of remote
    access to the internal network or simply walks in the door and plugs
    directly in. I picked up Welchia on a W2K system running in VMWare
    that I *only use* to connect to my company's network. The infection
    vector works both ways.
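
    The two replies above make the same operational point: a border filter on UDP 1434 says nothing about an infected laptop that is plugged in behind it, so the place to look is east-west traffic. As an added example that is not part of the thread, the script below checks constructed internal flow records for Slammer-style UDP/1434 fan-out; the flow format, the addresses and the fan-out threshold are assumptions.

```python
"""Spot Slammer-style UDP/1434 fan-out in internal flow records.

Added example, not from the ISN thread. Assumed record format (constructed):
  <ts> <src> <dst> <proto> <dport> <bytes>
"""
import ipaddress
from collections import defaultdict

# Constructed sample: 10.1.5.23 sprays UDP/1434 at six peers on three subnets;
# 10.1.5.40 is a normal client that resolves one SQL Server instance.
SAMPLE_FLOWS = """\
1 10.1.5.23 10.1.5.1 udp 1434 404
1 10.1.5.23 10.1.5.2 udp 1434 404
1 10.1.5.23 10.1.5.3 udp 1434 404
1 10.1.5.23 10.1.6.77 udp 1434 404
1 10.1.5.23 172.16.0.4 udp 1434 404
1 10.1.5.23 192.168.7.9 udp 1434 404
2 10.1.5.40 10.1.9.10 udp 1434 120
2 10.1.5.40 10.1.9.10 tcp 1433 900
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "proto": proto,
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows

def find_udp1434_scanners(flows, min_targets=5):
    """Return {src: set_of_dsts} for sources that sent UDP/1434 to at least
    min_targets distinct hosts. Fan-out is the signal: a real client talks
    to one or two SQL servers, a worm talks to everything it can reach."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == 1434:
            targets[f["src"]].add(f["dst"])
    return {s: d for s, d in targets.items() if len(d) >= min_targets}

def describe(hits):
    """Annotate each scanner with its target count and whether it sits on a
    private address, i.e. inside the perimeter the border filter guards."""
    return {src: {"targets": len(dsts),
                  "internal": ipaddress.ip_address(src).is_private}
            for src, dsts in hits.items()}

if __name__ == "__main__":
    for src, info in describe(find_udp1434_scanners(parse_flows(SAMPLE_FLOWS))).items():
        print(f"{src}: {info['targets']} UDP/1434 targets, internal={info['internal']}")
```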
    
    
    -=-
    
    
    Forwarded from: "Bill Scherr IV, GSEC, GCIA" <bschnzl@private>
    
    Folks...
    
       All vulnerabilities were zero-day exploits at one time.  That's the
    rub.  Zero Days after disclosure, the vulnerability was not known!  X
    issue existed, and allowed whatever badness to be perpetrated, but
    was not widely defended.
    
       It is a fact of running today's IDE generated software.  But hey,
    IDEs cut costs so the managers get paid...
    
       Even for the diligent (i.e. Debian Linux) there is risk.  The key
    is to minimize services, and watch your systems 24/7/365.  Of course
    that job is easier if you have a multi-vendor, or non-vendor trained
    administrator.  That person can pick and choose components with an
    informed eye, and combine them into interlocking fields of defense-in-
    depth.  If you're not sure, hire the guy that built his own command
    line based computer...
    
    B.
    
    
    On 22 Dec 2003, this text appeared purporting to belong to InfoSec
    
    Date sent:              Mon, 22 Dec 2003 04:24:58 -0600 (CST)
    From:                   InfoSec News <isn@private>
    To:                     isn@private
    Subject:                RE: [ISN] InfoSec 2003: 'Zero-day' attacks seen as growing threat (Three messages)
    
    Send reply to: InfoSec News <isn@private>
    
    > Forwarded from: Harlan Carvey <keydet89@private>
    > 
    > Rob,
    > 
    > > I don't know about you but zero-day exploits frighten me.  They're
    > > absolutely terrifying.  I think we should either (a) nationalize
    > > the computer security industry or (b) dismantle the Internet as a
    > > national security threat.
    > 
    > I guess I can understand your point of view, but what about defense
    > in depth?  Looking at the entire security picture as a whole, it
    > would seem that even zero-day exploits may be extremely difficult to
    > deploy *IF* more folks take a more comprehensive approach to
    > security.
    > 
    > Take Slammer last year, for example.  Infrastructures that did not
    > expose UDP port 1434 to the Internet were not infected by the worm.  
    > Looking further back, folks running IIS 4.0 who'd taken the step to
    > disable ida/idq script mappings were not infected with Code Red.  
    > These aren't necessarily zero-day exploits, but the worms do
    > illustrate the lack of vision with regards to security.
    > 
    > 
    > -=-
    > 
    > 
    > Forwarded from: Jon Miller <cio.ny@private>
    > 
    > These "zero day" exploits are finding previously unknown ways to do
    > the same nasty things. Fortunately these nasty things are (or at
    > least have been) finite.
    > 
    > It seems to me that a behavioral approach is now as fundamentally
    > necessary as traditional signature based AV. Used in conjunction
    > with each other, they offer a defense in depth approach to layered
    > security that can mitigate against patch latency and previously
    > unknown exploits of vulnerabilities.
    > 
    > Simply put, I don't care what mode of transportation a burglar takes
    > to my house, I just don't want him to get in - or if he does, to
    > take anything or do any harm.
    > 
    > About that dismantling of the Internet...  Let's also ban all food
    > additives, some may be bad - let's eat it all right away!  :)
    > 
    > 
    > ---
    > Jon Miller, CISSP
    > Chief Information Security Officer
    > The City of New York, HRA
    > 
    > 
    > -=-
    > 
    > 
    > Forwarded from: Barb  <ndex@private>
    > 
    > There is a commercial NIDS product that does anomaly based
    > detection.  It is fast and good, but I dislike the manufacturer so I
    > will not plug them.
    > 
    > Only the people who don't know that Zero-day exploits have been
    > around since the beginning of the computer age and are also in a
    > position to make IT/security policy scare me.
    > 
    > They outnumber the knowledgeable, skilled and talented by hundreds to
    > one.  They are more of a problem than a solution.  They are the ones
    > too stupid, vain or lazy to use a proper password or secure shell
    > services.  They are the lame.  They should be banished from
    > cyberspace...
    > 
    > 
    
    
    Bill Scherr IV, GSEC, GCIA
    EWA / Information & Infrastructure Technologies
    National Guard Regional Technology Center / Norwich Campus
    Northfield, VT  05663
    802-485-1962
    
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Dec 29 2003 - 04:43:24 PST