Hackers hit key Internet traffic computers

It's amazing how reporters have to butcher technology information to make it understood by their editors

http://www.cnn.com/2007/TECH/internet/02/06/internet.attacks.ap/index.html?eref=rss_topstories

> It's amazing how reporters have to butcher technology information to make it understood by their editors
>
> http://www.cnn.com/2007/TECH/internet/02/06/internet.attacks.ap/index.html?eref=rss_topstories

Ugh, yeah. Things look pretty good presently.

    <http://www.cymru.com/monitoring/dnssumm/index.html>

It was clear from the highly reliable index I call the "Nanogdex" that
nothing was seriously amiss.

Ndex value of 0, i.e. no traffic on-list, means either "all systems
go!" or "outage so serious that Mitre is unreachable. Stockpile
ammunition"

Ndex value of 5, i.e. +/-100 mails/day, means "serious crisis"

A caveat - Ndex 4 is usually "situation normal, members bored and
discussing the relative merits of the Chicago and Kansas City cable
tie knots."

Alexander Harrowell wrote:

> It was clear from the highly reliable index I call the "Nanogdex" that
> nothing was seriously amiss.

Yes, but it got so much bloody press that ambitious copycats can't be
too far behind.

Jeff

To be fair, that was a pretty informative discussion for those of us
who were still wearing diapers when Ma Bell was broken up.

But that aspect was wasted time, since they're putting Ma Bell back
together again...

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

> But that aspect was wasted time, since they're putting Ma Bell back
> together again...

Speaking of putting Ma Bell back together again - you have to
see this YouTube video on AT&T - before they yank it. It does
accurately chronicle the AT&T divestiture and assembly again.

ENJOY.

Cheers,

Hank

When 2 of 13 root systems are affected (>90% loss), how many systems will withstand such an attack when targeted lower within the hierarchy? FWIW, the attack rates did not seem that high.

-Doug


Douglas Otis wrote:

> > Alexander Harrowell wrote:
> >
> > > It was clear from the highly reliable index I call the "Nanogdex"
> > > that nothing was seriously amiss.
> >
> > Yes, but it got so much bloody press that ambitious copycats can't be
> > too far behind.
>
> When 2 of 13 root systems are affected (>90% loss), how many systems
> will withstand such an attack when targeted lower within the hierarchy?
> FWIW, the attack rates did not seem that high.
>
> -Doug

------------------------------------
On the same note, and this is just an observation, I hear two thoughts: some
talk of not using anycast, and then there are others who stand their ground
about anycast deployment.

Looking at these attacks, F in particular, if my memory serves me
correctly, there are 35 f-root anycast nodes deployed. Maybe this helped
in some respect.

Then again, I'd like to see what kind of analysis comes out of the
collected data.

regards,
/virendra

> Looking at these attacks, F in particular, if my memory serves me
> correctly, there are 35 f-root anycast nodes deployed. Maybe this helped
> in some respect.

Dave Knight's lightning talk in Toronto seemed to indicate that F's anycast platform did a good job at sinking the bulk of the attack traffic in Seoul and Beijing, and that the spill-over from the region was mopped up easily by the very large nodes in California. Most other locations that have a local F-root server saw very little impact.

Isolation of attack traffic seems like a big help to me.

> Then again, I'd like to see what kind of analysis comes out of the
> collected data.

Joe

Do we keep missing opportunities?

Yes, it was a minor incident, just like a minor earthquake, the hurricane
that doesn't hit, the fire that is extinguished. But it was also an
opportunity to get the message out to the public about the things they
can do to take control.

We remind people what to do in a tornado, earthquake, flood, hurricane,
etc. This on-going education does help; even though some people still
drive their cars through moving water or go outside to watch the tornado.

Instead of pointing fingers at South Korea, China, etc, every country
with compromised computers (all of them) is the problem. The United
States may be slow as far as broadband, but it makes up for it in the
number of compromised computers.

We may know the drill, but it doesn't hurt to repeat the message every time
we have the public's attention for 15 seconds.

1. Turn on Automatic Update if your computer isn't managed by a full-time
IT group.

    Microsoft Windows, Apple Mac OS X, and several versions of Linux
    have Automatic Update available. Most vendors make security patches
    available to users whether the software is licensed or not.

    Zero-day exploits may be sexy and get the press attention, but the
    long-term problem is the computers that never get patched. The VML
    exploit on the football stadium websites was patched last month; but
    it's not how fast a patch is released, it's how fast people install it.

2. Use a hardware firewall/router for your broadband connection and turn
on the software firewall on your computer in case you ever move your
computer to a different network.

    Use wireless security (WEP, WPA, VPN, SSL, etc.) if using a WiFi access
    point, or turn off the radio on both your home gateway and computer
    if you are not using WiFi.

3. Even if your computer is secure, miscreants depend on your trust. Be
suspicious of messages, files, software; even if it appears to come from a
person or company you trust.

    Anti-spam, anti-spyware, anti-virus, anti-phishing tools can help. But
    don't assume that because you are using them you can click on everything
    and still be safe. The miscreants are always finding new ways around
    them.

    It may just be human nature, but people seem to engage in more risky
    behavior when they believe they are protected.

4. If your computer is compromised, unplug it until you can get it fixed.

    It's not going to fix itself, and ignoring the problem is just going
    to make it worse.

Sean makes a good point, but there is one small problem with his
suggestions. He is preaching to the choir. I really really hope
everyone on this list knows how to do some basic security on their
personal computers (not to mention the collection of security experts
that are on this list). The real problem here is getting the word out
to regular users about computer security.

Case in point. A friend of mine was recently buying her daughter a new
computer for her birthday. So she asked me to give them suggestions and
look over the specs of a few models they were considering. On the
printouts she handed me (I think from Dell) she had unchecked the AV
and firewall software. When I asked her why, she responded with "oh we
trust our daughter, she won't go to any bad websites so anti-virus and
firewall software is just an unneeded expense"... It is this type of
mentality that is common among consumers.

Another time I was doing some consulting work for an NPO. I was going over
the findings of my audit and I told the IT manager that all of his
machines were missing patches. His response: "we only install service
packs, individual patches take too much time to install and tend to
break more stuff than they fix". Ironically, a month later he called me
back asking for help because his network got infected with Blaster...

Last story. In a previous job one of my duties was to maintain the
internet connection and firewall. One day I get an automatic page that
our outbound bandwidth is maxed. Checking the router, sure enough, 100%
utilization. So I began to back-track the traffic; it all originated
from the helpdesk subnet. My first assumption was that they were trying
to disinfect someone's computer that got a virus. So I walked down to
the desk ready to yell at the genius who plugged the computer into the
production network. But I found that there were no computers in for
service... Checked the router, still maxing out the internet, so I
checked each of the IPs of the tech workstations and found that the
manager's computer matched. Checked the NIC light, blinking crazy. This
definitely was the computer. Asked the manager if he knew anything about
this, and he responded "well there was this odd email we got in the
helpdesk mailbox, I figured it was a virus, and I wanted to see what
happened if I ran it. So I downloaded and ran the .exe. But nothing
happened, so I thought it must have been broken or something like
that"... This guy is the helpdesk manager (who really should know
better) and is knowingly running malicious code on his work computer
(while logged in with a privileged account).

So if there is anything to get from the above stories, it is that when it
comes to computer security, the average person is very, very
undereducated. So where I think the real focus should be is not to scare
people about attacks on abstract concepts like root servers, but instead
try to educate them on personal computer security. I want to see a CNN
special about someone who had their identity stolen because he did not
have anti-virus software. I want to see interviews with computer
criminals saying that they could not have hacked into personal computers
if only the owners had put on firewalls. I want to see the media show
the horror stories of what a lack of personal computer security can do and
then show people how to keep it from happening to them.

My $0.02,
Adam Stasiniewicz
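The bandwidth story above is a textbook back-trace: an alert on outbound utilisation, then the subnet, then the host, then the question of what that host is actually sending. As an added example (not code from the thread or from Adam), here is the same procedure run over a handful of constructed flow-export style records in Python. The address plan (internal space 10.0.0.0/8 with the helpdesk on 10.20.30.0/24) and the records themselves are assumptions for the example.

```python
"""Trace a saturated outbound link back to the subnet, then the host.

Added example, not code from the thread. The flow records below are
constructed, and the address plan (internal space 10.0.0.0/8, with a
'helpdesk' /24 at 10.20.30.0/24) is an assumption for the example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow-export style records: time, src, dst, dst port, bytes.
SAMPLE_FLOWS = """\
2007-02-07T09:14:01 10.20.30.17 203.0.113.9   25  48000000
2007-02-07T09:14:01 10.20.30.17 198.51.100.4  25  51000000
2007-02-07T09:14:02 10.20.30.5  192.0.2.80    80    120000
2007-02-07T09:14:02 10.20.30.17 192.0.2.77    25  47000000
2007-02-07T09:14:03 10.20.31.8  192.0.2.80   443     90000
2007-02-07T09:14:03 10.20.30.17 203.0.113.200 25  52000000
2007-02-07T09:14:04 10.20.31.9  192.0.2.80    80     45000
"""

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append({"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
                      "dport": int(dport), "bytes": int(nbytes)})
    return flows


def outbound_bytes_by(flows, key):
    """Sum bytes of internal->external flows, grouped by key(flow)."""
    totals = defaultdict(int)
    for f in flows:
        if f["src"] in INTERNAL and f["dst"] not in INTERNAL:
            totals[key(f)] += f["bytes"]
    return dict(totals)


def top_talker(flows, prefixlen=24):
    """Mirror the 'subnet first, then host' back-trace from the story.

    Returns (subnet, host, subnet_bytes, host_bytes) for the busiest source.
    """
    by_subnet = outbound_bytes_by(
        flows, lambda f: ip_network((str(f["src"]), prefixlen), strict=False))
    subnet = max(by_subnet, key=by_subnet.get)
    by_host = outbound_bytes_by(
        [f for f in flows if f["src"] in subnet], lambda f: f["src"])
    host = max(by_host, key=by_host.get)
    return str(subnet), str(host), by_subnet[subnet], by_host[host]


def host_ports(flows, host):
    """Outbound bytes per destination port for one host. A workstation
    pushing almost nothing but port 25 is the classic spam-bot signature."""
    host = ip_address(host)
    return outbound_bytes_by([f for f in flows if f["src"] == host],
                             lambda f: f["dport"])


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    subnet, host, sb, hb = top_talker(flows)
    print(f"busiest subnet {subnet}: {sb} bytes; busiest host {host}: {hb} bytes")
    print("ports for that host:", host_ports(flows, host))
```

The per-port breakdown is the step the story skipped: knowing that the box is the top talker tells you who to walk over to, while knowing that it is all outbound SMTP tells you what it has probably become.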

Sean Donelan wrote:

> 3. Even if your computer is secure, miscreants depend on your trust. Be
> suspicious of messages, files, software; even if it appears to come from a
> person or company you trust.
>
>     Anti-spam, anti-spyware, anti-virus, anti-phishing tools can help. But
>     don't assume because you are using them, you can click on everything
>     and still be safe. The miscreants are always finding new ways around
>     them.
>
>     It may just be human nature, but people seem to engage in more risky
>     behavior when they believe they are protected.
>
> 4. If your computer is compromised, unplug it until you can get it fixed.
>
>     Its not going to fix itself, and ignoring the problem is just going
>     to get worse.

5. Paying for AV software is not a solution, no matter how often it's been on TV. (Norton - the antivirus software one finds on virus-infected computers)

Don't forget the trojan payload lately that used a cracked copy of Kaspersky
AntiVirus to catch subsequent infectors. :)

http://sunbeltblog.blogspot.com/2006/12/hacked-version-of-dr-web-antivirus.html

Adrian

Just trying to get the choir to sing on key. Of course, I know the choir
will probably spin off singing 18 different songs.

Local interest.

The next security incident, can the security experts in the US talk about
what US readers can do. Experts in Europe talk about what European readers
can do. Experts in China, Australia, India, Brazil, Antarctica talk about
what readers in those areas can do.

I have no idea when, where or what the next incident will be, but can guess it will involve the usual problems.

Turn on automatic update, turn off services you don't use, don't believe
everything you read on the net.

He was both right and wrong -- patches do break a lot of stuff. He was
facing two problems: the probability of being off the air because of an
attack versus the probability of being off the air because of bad
interactions between patches and applications. Which is a bigger risk?

It's not an easy question to answer. One scenario that scares me is
what happens if the April Patch Tuesday takes out, say, TurboTax, just
as Americans are getting ready to file their tax returns.

There are no good answers to this question. Of course, being an
academic I can view such problems as opportunities, and it is in fact
a major focus of my research. Today, though, it's a serious issue for
system managers.

    --Steve Bellovin, http://www.cs.columbia.edu/~smb

> He was both right and wrong -- patches do break a lot of stuff. He was
> facing two problems: the probability of being off the air because of an
> attack versus the probability of being off the air because of bad
> interactions between patches and applications. Which is a bigger risk?

That's an argument for an organizational test environment and testing
patches before deployment, no? Not an argument against patching. That said,
I would LOVE to see MS ship a monthly/quarterly unified updater that's a
one-step way to bring fresh systems up to date without slipstreaming the
install CD. Then press a zillion of 'em and put them everywhere you can find
an AOL CD, for all those folks on dial-up who see a 200MB download and curl
up in the fetal position and whimper.

> It's not an easy question to answer. One scenario that scares me is
> what happens if the April Patch Tuesday takes out, say, TurboTax, just
> as Americans are getting ready to file their tax returns.

<cynic mode>
No need to worry about that until MS TaxForm starts shipping.
</cynic mode>

> Its amazing how reporters has to butcher technology information to make it
> understood by their editors
>
> http://www.cnn.com/2007/TECH/internet/02/06/internet.attacks.ap/index.html?eref=rss_topstories

> Do we keep missing opportunities?
>
> Yes, it was a minor incident, just like a minor earthquake, the hurricane
> that doesn't hit, the fire that is extinguished. But it was also an
> opportunity to get the message out to the public about the things they
> can do to take control.
>
> We remind people what to do in a tornado, earthquake, flood, hurricane,
> etc. This on-going education does help; even though some people still
> drive their cars through moving water or go outside to watch the tornado.

Colin Powell mentioned at RSA in his extremely good, entertaining and
pointless talk something of relevance. During the cold war American kids
were trained to hide beneath their desktops in case of a nuclear
attack. Much good that would have done.

> Instead of pointing fingers at South Korea, China, etc, every country
> with compromised computers (all of them) is the problem. The United
> States may be slow as far as broadband, but it makes up for it in the
> number of compromised computers.
>
> We may know the drill, but it doesn't hurt to repeat the message every time
> we have the public's attention for 15 seconds.

And yet, can a non-trained user understand what "awareness" means?

> 1. Turn on Automatic Update if your computer isn't managed by a full-time
> IT group.
>
>     Microsoft Windows, Apple Mac OS X, and several versions of Linux
>     have Automatic Update available. Most vendors make security patches
>     available to users whether the software is licensed or not.
>
>     Zero-day exploits may be sexy and get the press attention, but the
>     long-term problem is the computers that never get patched. The VML
>     exploit on the football stadium websites was patched last month; but
>     it's not how fast a patch is released, it's how fast people install it.

Amen. 0days have become something petrifying. At my talk at RSA on
the subject of 0days and ZERT I started by asking what a 0day
is. Any guesses as to how many answers I got?

One answer I did get was that we are all petrified as we can't do
anything about it (not true) and won't know about it.

I am of the strong belief one should take care of known vulnerabilities
first, then start worrying about 0days. That's one thing anyone can start
the process of doing (and for organizations, this can take years) which
will also result in a better infrastructure to contain and respond to 0day
attacks.

Still, how many users know how to turn on automatic updates? We are likely
to see them go to google, type in "automatic updates" and end up
downloading malware.

> 2. Use a hardware firewall/router for your broadband connection and turn
> on the software firewall on your computer in case you ever move your
> computer to a different network.
>
>     Use wireless security (WEP, WPA, VPN, SSL, etc.) if using a WiFi access
>     point, or turn off the radio on both your home gateway and computer
>     if you are not using WiFi.

How??

This is where providers can chime in, and provide with pre-secured
hardware to any level which is above "come and rape me".

> 3. Even if your computer is secure, miscreants depend on your trust. Be
> suspicious of messages, files, software; even if it appears to come from a
> person or company you trust.

How do I determine what is suspicious? This is a message telling me my
mother is sick!

>     Anti-spam, anti-spyware, anti-virus, anti-phishing tools can help. But
>     don't assume that because you are using them you can click on everything
>     and still be safe. The miscreants are always finding new ways around
>     them.

This is too complicated. I don't understand. So you give me a solution,
use this and that tool, and then I need to be careful yet again?

>     It may just be human nature, but people seem to engage in more risky
>     behavior when they believe they are protected.

The 4-bit encryption issue. I am encrypted and thus protected.

I would argue email is simply not a secure medium by which to receive
files. Call and verify when in doubt.

"If approached by phone, email or any other medium, verify the source
independently in an unrelated fashion to any instructions provided
in that approach, before trusting it."

> 4. If your computer is compromised, unplug it until you can get it fixed.
>
>     It's not going to fix itself, and ignoring the problem is just going
>     to make it worse.

A user won't unplug him or herself. An ISP might. Today the economy of
this changes enough for quite some ISPs to decide it is better to kick a
user than give him or her tech support. Enter walled garden.

  Gadi.

Preaching to the choir indeed, only the choir is not the users.

The Internet is not a secure place and we can force no one to secure their
computers. We can throw them off our networks if they don't, as they cost
us more than they pay.

  Gadi.

Surveys have shown an inverse correlation between the size of a company
and when it installed XP SP2.

Yes, you're right; a good test environment is the right answer. As I
think most of us on this list know, it's expensive, hard to do right,
and still doesn't catch everything. If I recall correctly, the post I
was replying to said that it was a non-profit; reading between the
lines, it wasn't heavily staffed for IT, or they wouldn't have needed a
consultant to help clean up after Blaster. And there's one more thing
-- at what point have you done enough testing, given how rapidly some
exploits are developed after the patch comes out?

    --Steve Bellovin, http://www.cs.columbia.edu/~smb
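Steve raises the same tradeoff twice above: the chance of being off the air because of an attack versus the chance of being off the air because a patch breaks an application, and then "at what point have you done enough testing, given how rapidly some exploits are developed after the patch comes out?" As an added example (not from the thread or from any poster), here is that question as a small expected-loss model in Python. The model and every number in it are assumptions chosen to illustrate the shape of the decision, not measured data: the probability of compromise grows with each day the patch waits, while the residual probability that the patch breaks something critical shrinks with each day of testing; the best test period is the one that minimises the sum of the two expected costs.

```python
"""Patch immediately or test first? An expected-loss model of the tradeoff.

Added example, not code from the thread. The model and every number in it
are assumptions chosen to illustrate the question, not measured data.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PatchRisk:
    attack_rate: float       # assumed daily probability of compromise while unpatched
    p_break_untested: float  # assumed probability an untested patch breaks something critical
    test_scale_days: float   # assumed: residual break probability falls by 1/e per this many test days
    breach_cost: float       # assumed cost of a compromise, in days of outage
    break_cost: float        # assumed cost of a broken application plus rollback, in days

    def p_breach_before_patch(self, delay_days):
        """Probability of being hit while still unpatched after delay_days."""
        return 1.0 - math.exp(-self.attack_rate * delay_days)

    def p_patch_breaks(self, delay_days):
        """Residual probability the patch breaks production after that much testing."""
        return self.p_break_untested * math.exp(-delay_days / self.test_scale_days)

    def expected_loss(self, delay_days):
        """Expected outage days from both failure modes combined."""
        return (self.p_breach_before_patch(delay_days) * self.breach_cost
                + self.p_patch_breaks(delay_days) * self.break_cost)

    def best_delay(self, max_days=60):
        """Test period that minimises expected loss (ties go to the shorter delay)."""
        return min(range(max_days + 1), key=self.expected_loss)

    def loss_curve(self, max_days=14):
        """(delay, expected loss) pairs, handy for eyeballing how flat the optimum is."""
        return [(d, round(self.expected_loss(d), 3)) for d in range(max_days + 1)]


# Constructed scenarios. The first two differ only in how fast attackers are
# assumed to move once the patch (and therefore the bug) is public; the third
# assumes a lab that finds breakage three times faster.
SCENARIOS = {
    "no public exploit yet, slow test lab": PatchRisk(0.01, 0.30, 3.0, 10.0, 5.0),
    "exploit already in the wild":          PatchRisk(0.10, 0.30, 3.0, 10.0, 5.0),
    "no public exploit, well-staffed lab":  PatchRisk(0.01, 0.30, 1.0, 10.0, 5.0),
}


def recommend(scenarios=SCENARIOS):
    """Map scenario name -> (days of testing before deploying, expected loss)."""
    return {name: (r.best_delay(), round(r.expected_loss(r.best_delay()), 3))
            for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, (days, loss) in recommend().items():
        print(f"{name}: test for {days} day(s), expected loss {loss} outage-days")
    print(SCENARIOS["no public exploit yet, slow test lab"].loss_curve())
```

With these assumed numbers the slow lab should test for about five days, the well-staffed lab for about three, and once an exploit is circulating the answer collapses to "patch now and keep the rollback handy". The point of the exercise is less the specific days than the shape: the optimum moves with the attack rate, which is exactly why a fixed "we only install service packs" policy is wrong in both directions.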