RE: Worms versus Bots

William wrote:
> but in our ISP office I set up new win2000 servers and first
> thing I do is download all the patches. I've yet to see the
> server get infected in the 20-30 minutes it takes to finish it

It can happen in 5 or 10 minutes (I've seen it) but only if all of the
following conditions are met simultaneously:
a) administrator's password blank (or something
   _really_ easy to guess)
b) public IP (no NAT)
c) no firewall
In other words: if one is stupid, one gets worm'ed or bot'ed.

> (Note: I also disable IIS just in case until
> everything is patched..).

Not a bad idea, but sometimes you don't have the choice of doing it
(with scripted installs or things like SBS). Besides, IIS is not the
main source of trouble on a machine that sits on the Internet
unprotected. I consider disabling IIS a second or third line of defense,
to be used after you have implemented the steps not to get screwed in the
first place (which you described).

> Similarly when setting up computers for several of my
> relatives (all have dsl) I've yet to see any infection
> before all updates are installed.

Me too.

> In addition, many users have a dsl router or similar
> device, and many such beasts will provide a NATed ip block
> and act like a firewall, not allowing outside servers to
> actually connect to your home computer.

Indeed. I have a $10 one that I use for installations (even when I
install from a "trusted" environment), because the danger does not come
only from the Internet, it can also come from your own LAN. By putting
the machine being installed alone on its own segment behind a NAT box,
you also shield yourself from crud that could be on the trusted network.

> On this point it would be really interesting to see what
> percentage of users actually have these routers and if
> the decreasing speed of infections by new viruses (are there
> real numbers to show it decreased?) has anything to
> do with this rather than people being more careful and
> using antivirus.

Difficult to measure, and here's why: recent worms are polymorphic and
propagate/replicate using many different mechanisms. How do you tell
the difference between a) a worm that arrived through email and then
contaminated x machines on your LAN and b) a worm that arrived through a
vulnerability in IIS and then contaminated x machines on your LAN?

The trouble here is that if you had all the time in the world _and_ if
you did not have x users screaming, you could look at logs and such and
finally figure out which of the egg or the chicken came first. In the real
world, you clean up the mess, and when you are done you have to catch up
with all the stuff you did not do while cleaning, and you never know.

Michel.

Date: Mon, 3 May 2004 20:53:50 -0700
From: Michel Py

> but in our ISP office I setup new win2000 servers and first
> thing I do is download all the patches. I've yet to see the
> server get infected in the 20-30 minutes it takes to finish

> It can happen in 5 or 10 minutes (I've seen it) but only if
> all of the following conditions are met simultaneously:

I've not confirmed, but a client told us that some MS patches are
carried by Akamai.

Eddy

Until recently, I believe that Microsoft's download servers were managed by
Akamai.

However, up to 90% of the users *are* stupid:

http://www.silicon.com/software/security/0,39024655,39118228,00.htm

Any network security scheme that fails to either (a) lower the stupidity rate
or (b) deliver a system that will protect that 90% from themselves is doomed.

We may be looking at a move back towards the WebTV appliance model (which
would thrill the media conglomerates to no end).

> In other words: if one is stupid, one gets worm'ed or bot'ed.

> However, up to 90% of the users *are* stupid:
>
> http://www.silicon.com/software/security/0,39024655,39118228,00.htm
>
> Any network security scheme that fails to either (a) lower the stupidity rate
> or (b) deliver a system that will protect that 90% from themselves is doomed.

"There's only so much stupidity you can compensate for;
there comes a point where you compensate for so much
stupidity that it starts to cause problems for the
people who actually think in a normal way."

--Bill Dickson, digital.forest tech support

Which leads to the logical conclusion:

> We may be looking at a move back towards the WebTV appliance model (which
> would thrill the media conglomerates to no end).

=)

Seriously though, the Internet might be a better place for it. After all, 90% of those "stupid" people just want email and HTTP.

--chuck

chuck goolsbee wrote:

> However, up to 90% of the users *are* stupid:

> Seriously though, the Internet might be a better place for it. After all, 90% of those "stupid" people just want email and HTTP.

Do we have a pointer to a rigorous study that indicates either
assertion?

Or is it possible there are other explanations?

What will we do when they figure out that paying us to let them hurt
themselves is a sub-optimal use of their money?

chuck goolsbee wrote:

> However, up to 90% of the users *are* stupid:

I didn't say that, I only quoted it (from Valdis Kletnieks)... to which I replied that compensating for stupidity is a zero-sum game.

> Seriously though, the Internet might be a better place for it. After all, 90% of those "stupid" people just want email and HTTP.

> Do we have a pointer to a rigorous study that indicates either
> assertion?

First of all, I was disagreeing with Valdis' assessment of "stupidity"... a more accurate term would be "non-technical."

I have no rigorous study to point to sorry. But I will say virtually all the "home users" I have encountered are running Windows for the purpose of getting email and using "the Web". That machine is usually in some unprotected, or already compromised state. I make similar/same suggestions to them that have already been stated here:
Nuke/pave, enable what security features are available in the OS, get a firewall, NAT, etc etc.

The prescription seems to be viewed as being as difficult as the disease it cures. Zero-sum.

So maybe they WOULD be better with a "WebTV" model.

Or a Macintosh.

> Or is it possible there are other explanations?

Perhaps. I'm just reporting what I am seeing.

> What will we do when they figure out that paying us to let them hurt
> themselves is a sub-optimal use of their money?

How is WebTV doing these days? Since it is now Microsoft can their boxen get rooted/zombied/botted now too? I'll admit I never paid too much attention to WebTV.

Perhaps there is a market for "safe Internet access"... I don't know. But I suspect the barrier to entry is either making it work with the dominant platform, or asking the market to take the leap to another platform. Both are unlikely. What I do know is that the dominant platform is inherently insecure, and many of its users, those "non-technical" folks I referred to... they seem to be mostly unaware of the danger they pose to themselves and everyone else on the Network.

--chuck

or a cheap Lidl or WalMart PC with Fedora 1 on it. Epiphany,
Evolution and OpenOffice would keep the vast majority of basic
computer users happy. Distributions like Fedora[0] are pretty much
invulnerable to mass, automated worm infections[1].

Automated worms would literally be a thing of the past if everyone
switched to Fedora, RHEL or if the current dominant OS vendor adopted
similar measures (apparently they will be). Judging by the number of
packets (a couple per second) I get on common vulnerability ports, there
are a lot of worm infected machines out there:

# iptables -L scans -v | awk '
    BEGIN { printf ("\n%5s %6s %4s %20s\n", "pkts", "bytes", "prot", "dest port"); }
    # skip the "Chain scans" line and the column header; rule lines start with a counter
    NR > 2 && $1 ~ /^[0-9]/ {
        sub (/^dpt:/, "", $11);      # $11 is the "dpt:<port>" match text of the rule
        pkts += $1; bytes += $2;
        printf ("%5d %6d %4s %20s\n", $1, $2, $4, $11);
    }
    END { printf ("----- ------\n%5d %6d\n", pkts, bytes); }'

 pkts  bytes prot            dest port
 1721  82856  tcp         microsoft-ds
  874  42008  tcp                  135
  455  21944  tcp          netbios-ssn
  322  15456  tcp                 3127
   36   1788  tcp             ms-sql-s
  661  31776  tcp                 2745
  309  14832  tcp                 6129
   82   3960  tcp                 swat
  427  20556  tcp                 1025
  263  20514  udp           netbios-ns
   36  14544  udp             ms-sql-m
----- ------
 5186 270234

that's maybe an hour's worth or less of counting, too. And what uses
TCP ports 1327 and 2745?

0. http://people.redhat.com/drepper/nonselsec.pdf[2]

1. Though not to trojans which attack human vulnerabilities
obviously, or non buffer overflow attacks, eg scripting language
vulnerabilities, though these are rare.

2. Obviously, the 2 main mechanisms described in the paper originate
elsewhere in concept, but Fedora is probably the first OS of
sufficient use to a basic computer user to put it all together.

regards,
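An added example, not code from the thread: the same per-port tally as the awk one-liner in the post above, in Python, run over a constructed copy of `iptables -L scans -v` output whose counters match the table in that post. The rule layout (DROP target, "any" interfaces, a trailing RETURN) is assumed, not captured from the poster's host. It covers three things the one-liner trips on: `iptables -v` abbreviates large counters as K/M/G (1000-based) unless you pass -x; a rule with no dpt match (a catch-all) has no field $11; and a chain that has both a LOG and a DROP rule per port counts every packet twice unless you filter on one target.

```python
"""Summarize per-port counters from an iptables counting chain (added example)."""
import re
from collections import defaultdict

# Constructed sample of `iptables -L scans -v` output. The counters reproduce
# the ones quoted in the post; targets and interfaces are assumptions.
SAMPLE = """\
Chain scans (11 references)
 pkts bytes target     prot opt in     out     source               destination
 1721 82856 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:microsoft-ds
  874 42008 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:135
  455 21944 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:netbios-ssn
  322 15456 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:3127
   36  1788 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:ms-sql-s
  661 31776 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:2745
  309 14832 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:6129
   82  3960 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:swat
  427 20556 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:1025
  263 20514 DROP       udp  --  any    any     anywhere             anywhere             udp dpt:netbios-ns
   36 14544 DROP       udp  --  any    any     anywhere             anywhere             udp dpt:ms-sql-m
    0     0 RETURN     all  --  any    any     anywhere             anywhere
"""

_MULT = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
_COUNTER = re.compile(r"(\d+)([KMG]?)$")


def counter(tok):
    """Turn an iptables -v counter ('874', '12K', '3M') into an int."""
    m = _COUNTER.match(tok)
    if not m:
        raise ValueError(f"not a counter: {tok!r}")
    return int(m.group(1)) * _MULT[m.group(2)]


def parse_chain(text):
    """Return (target, proto, dport, pkts, bytes) per rule; headers are skipped."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Rule lines start with a counter; the chain header and column header do not.
        if len(f) < 9 or not _COUNTER.match(f[0]):
            continue
        m = re.search(r"\bdpts?:(\S+)", line)   # dpt:445 or dpts:135:139
        dport = m.group(1) if m else "any"      # catch-all rule has no port match
        rows.append((f[2], f[3], dport, counter(f[0]), counter(f[1])))
    return rows


def summarize(rows, target=None):
    """Aggregate by (proto, dport); pass target='DROP' to avoid LOG+DROP double counting."""
    agg = defaultdict(lambda: [0, 0])
    for tgt, proto, dport, pkts, nbytes in rows:
        if target is not None and tgt != target:
            continue
        agg[(proto, dport)][0] += pkts
        agg[(proto, dport)][1] += nbytes
    ordered = sorted(((k, tuple(v)) for k, v in agg.items()),
                     key=lambda kv: kv[1][0], reverse=True)
    total_pkts = sum(v[0] for _, v in ordered)
    total_bytes = sum(v[1] for _, v in ordered)
    return ordered, total_pkts, total_bytes


def report(rows, target=None):
    """Same layout as the awk output, sorted busiest port first."""
    ordered, tp, tb = summarize(rows, target)
    lines = [f"{'pkts':>5} {'bytes':>6} {'prot':>4} {'dest port':>20}"]
    for (proto, dport), (pkts, nbytes) in ordered:
        lines.append(f"{pkts:>5} {nbytes:>6} {proto:>4} {dport:>20}")
    lines.append(f"{'-----':>5} {'------':>6}")
    lines.append(f"{tp:>5} {tb:>6}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_chain(SAMPLE), target="DROP"))
```

Run `iptables -L scans -vx` rather than `-v` on a live box if you want exact counters; the K/M/G handling is there only for output you cannot regenerate.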

We have all been through this before. Linux out of the box is generally no more secure than Windows. Linux can also be misconfigured and hacked. The reason why you don't see as many linux virus/worms is because there aren't as many linux desktops. Once Linux becomes a real player in the residential desktop OS market you'll see more and more worms/viruses running around because of it. Now, I love Linux, I have 30 linux servers in production but it isn't the be all, end all to mass user security.

Matthew Crocker wrote:

> We have all been through this before. Linux out of the box is generally
> no more secure than Windows.

I would disagree with that, but that gets into a religious argument.

Really, however, the distribution involved with Linux is more critical
than that it is Linux. Some distros are wide open, some are very secure
out of the box. Again, however, this is getting into religious territory.

> Linux can also be misconfigured and
> hacked. The reason why you don't see as many linux virus/worms is
> because there aren't as many linux desktops. Once Linux becomes a real
> player in the residential desktop OS market you'll see more and more
> worms/viruses running around because of it.

Except that logic doesn't work because Apache has a greater market-share
than IIS, and yet we see many more IIS worms than Apache worms.

> Now, I love Linux, I have
> 30 linux servers in production but it isn't the be all, end all to mass
> user security.

To misappropriate a phrase, "It's not magic pixie dust," I'll agree with you.

>chuck goolsbee wrote:
>
>>>However, up to 90% of the users *are* stupid:

> I didn't say that, I only quoted it (from Valdis Kletnieks)... to which I
> replied that compensating for stupidity is a zero-sum game.

> In other words: if one is stupid, one gets worm'ed or bot'ed.

My error - what I meant was "However, by that definition, 90% are stupid".

In fact, I'm in agreement with Steve Bellovin - either the users need to master
the technology (which isn't going to happen), or we need to fix the design and
HCI factors so that what ships *is* something that's actually usable.

> So maybe they WOULD be better with a "WebTV" model.

Have to admit, that model *does* solve the HCI issues..

> Or a Macintosh.

Actually, there are multiple solutions - remember that monocultures are bad. :)

> Perhaps there is a market for "safe Internet access"... I don't know.
> But I suspect the barrier to entry is either making it work with the
> dominant platform, or asking the market to take the leap to another
> platform. Both are unlikely. What I do know is that the dominant
> platform is inherently insecure, and many of its users, those
> "non-technical" folks I referred to... they seem to be mostly unaware
> of the danger they pose to themselves and everyone else on the
> Network.

The trick here is realizing that compensating for stupidity doesn't have
to be a zero-sum game.

Today's window of opportunity:

"Microsoft is expected to recommend that the "average" Longhorn PC feature a
dual-core CPU running at 4 to 6GHz; a minimum of 2 gigs of RAM; up to a
terabyte of storage; a 1 Gbit, built-in, Ethernet-wired port and an 802.11g
wireless link; and a graphics processor that runs three times faster than those
on the market today."

http://www.microsoft-watch.com/article2/0,1995,1581842,00.asp

So you have several years to convince people that there are cheaper/free
solutions that are more secure *and* don't require a forklift upgrade....

In the past this may have been true, but it's been my experience that most modern Linux distributions have adopted (more or less) the approach that OpenBSD has: leave services turned off by default. In fact, a typical RedHat workstation installation goes a step further by not even installing a lot of services by default. Sure, Joe Sixpack can still install everything and uncomment everything in /etc/inetd.conf[1] and get himself pwned, but I don't think we have to worry much about your average computer user doing this.

-J

[1] Actually since RedHat uses xinetd, it involves a little more work to turn _everything_ on.

> "Microsoft is expected to recommend that the "average" Longhorn PC feature a
> dual-core CPU running at 4 to 6GHz; a minimum of 2 gigs of RAM; up to a
> terabyte of storage; a 1 Gbit, built-in, Ethernet-wired port and an 802.11g
> wireless link; and a graphics processor that runs three times faster than
> those on the market today."

How about a PC that has *NO* externally accessible network
connectivity, not even wireless. But it does have an internal
100baseTx Ethernet port that uses a non-standard connector.
And it also includes a router unit running off the same
power supply as the PC but otherwise completely independent.
This router is connected to the non-standard Ethernet
interface of the PC and supplies 2 externally accessible
Ethernet ports and an 802.11g wireless capability. The
components for this stuff are small enough these days that
you can easily fit an entire router into a PC's slimline
case and the router can include a complete SI Firewall
capability. The PC BIOS will allow the initial SI Firewall
config to be done before booting the PC.

And even if there is an SI Firewall on the broadband
router serving the home, it's still worthwhile to
protect Mom's PC from worm infestations brought into
the home by junior's unsafe Internet practices.

I know Microsoft would hate the idea of a Windows
PC running Linux on an in-box firewall router
but it seems like poetic justice in a way.

--Michael Dillon

Urg, a horrible idea. Why not just make the software on the host
secure?

regards,

Because then you would have to limit the ability to modify the software to
only those trusted not to affect network security. It's the same answer as
the answer to "why not run everything as root"?

  DS

They got to it before you did; http://www.giwano.com/

Pete

I think running two separate computers is a wee bit of overkill...

A better solution would be a NIC with a built-in SI firewall...manageable from a host
app, but physically separate from the OS running on the PC.

-C

Gaak. No. ;)

What's the point of a firewall, if the first piece of malware that does manage
to sneak in (via a file-sharing program, or a webpage that installs malware, or
an "ooh! Shiny!" email attachment) just does the network Plug-N-Play call to
tell the firewall "Shield DOWN!"?

Simple solution...build the on-NIC firewall to not use uPnP, or at least require
a password before changing rulesets. :)

Seriously, this is such a stupidly simple solution that I'm amazed no one's attempted
to make a product out of it yet.

-C
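An added example, not code from the thread, for the exchange above. The "Shield DOWN!" call Valdis describes is, on a UPnP-enabled consumer router, the WANIPConnection AddPortMapping action: any host on the LAN can ask the gateway to forward an outside port to an inside address, and the action has no credential field at all, which is why "a password before changing rulesets" has to live in the gateway's policy rather than in the protocol. The block builds that request as a client would, parses it as the gateway would, and applies the one check some IGD daemons offer as a "secure mode": a host may only open ports to itself. The gateway address, the control URL, the LAN prefix and the inside host are assumptions for the example.

```python
"""UPnP IGD AddPortMapping: the request malware sends, and a gateway-side check (added example)."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
# The control URL is learned from the gateway's description XML; assumed here.
CONTROL_URL = "/upnp/control/WANIPConn1"


def build_add_port_mapping(gateway, ext_port, int_port, int_client,
                           proto="TCP", desc="", lease=0):
    """Client side: the complete HTTP/SOAP request as it goes on the wire."""
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:AddPortMapping xmlns:u="{IGD_NS}">'
        '<NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{ext_port}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol>'
        f'<NewInternalPort>{int_port}</NewInternalPort>'
        f'<NewInternalClient>{int_client}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        f'<NewLeaseDuration>{lease}</NewLeaseDuration>'
        '</u:AddPortMapping></s:Body></s:Envelope>'
    )
    headers = (
        f"POST {CONTROL_URL} HTTP/1.1\r\n"
        f"HOST: {gateway}\r\n"
        'CONTENT-TYPE: text/xml; charset="utf-8"\r\n'
        f'SOAPACTION: "{IGD_NS}#AddPortMapping"\r\n'
        f"CONTENT-LENGTH: {len(body.encode())}\r\n\r\n"
    )
    return headers + body


def parse_add_port_mapping(request):
    """Gateway side: pull the action arguments out of the SOAP body."""
    _, body = request.split("\r\n\r\n", 1)
    root = ET.fromstring(body)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{IGD_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    # Argument elements are unqualified, so child.tag is the bare name.
    return {child.tag: (child.text or "") for child in action}


def check_mapping(args, requester_ip, lan_prefix="192.168.1."):
    """Policy the protocol does not supply. Returns reasons to refuse; [] means accept.

    First rule is the 'secure mode' some IGD daemons offer: a host may only
    open ports to itself. The LAN prefix is an assumption for the example."""
    reasons = []
    client = args.get("NewInternalClient", "")
    if client != requester_ip:
        reasons.append("internal client is not the requesting host")
    if not client.startswith(lan_prefix):
        reasons.append("internal client is outside the LAN")
    if args.get("NewProtocol") not in ("TCP", "UDP"):
        reasons.append("unknown protocol")
    port = args.get("NewExternalPort", "")
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        reasons.append("bad external port")
    # Nothing here verifies who asked: the request carries no credential.
    return reasons


if __name__ == "__main__":
    # Constructed scenario: a compromised 192.168.1.50 asks the gateway to
    # expose TCP 2745 (one of the ports in the scan counters earlier in the thread).
    req = build_add_port_mapping("192.168.1.1:5000", 2745, 2745, "192.168.1.50")
    print(req)
    args = parse_add_port_mapping(req)
    print("refuse:", check_mapping(args, requester_ip="192.168.1.50") or "accept")
```

Note what the secure-mode check does and does not buy you: it stops junior's box from opening a hole to Mom's PC, but a worm on a host can still open ports to that same host, so the check is a containment measure, not a substitute for turning UPnP off on a gateway that nobody needs it on.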

Uh... they have. It's called a Snapgear card :slight_smile:
-- Jonathan