James, I agree with you. It was n3td3v that stated the following - "The wireless devices were most likely the primary source of the spread. Media outlets are reporting wireless devices were only an accessory to the spread of the worm."
I agree with Jan, that host based IPS could have stopped this. Cisco's CSA is a good example of this type of technology. Host based IPS system are commonly seen as anti-rootkit solutions, which is also a very very good thing to have. But patch management should not be overlooked just because you have a host IPS. The host IPS will give you time to patch, but patch management is the last line of defense for vulns. I never said it should be the first or only line of defense. I am very firm believer in the defense in depth methodology. -Todd > -----Original Message----- > From: James Tucker [mailto:[EMAIL PROTECTED] > Sent: Monday, August 22, 2005 4:08 PM > To: Todd Towles > Cc: Ron DuFresne; full-disclosure@lists.grok.org.uk > Subject: Re: [Full-disclosure] Zotob Worm Remover > > It seems to me that the attack was less than a week old from > the start date. Default settings on a relatively unchanged > box would provide a suitable window of opportunity given the > availability of the worm to the deployer. This is more > important than network connectivity, which is not of security > concern as this is not the exploited layer. Disconnecting > networks is what you suggest when you're in trouble, not when > you're trying to maintain the daily balance of cost vs > function. Moreover, wireless is recieving the blame - however > this will only continue whilst your laptop is the device you > are using. Eventually will you blame the mobile phone > companies for allowing "dangerous traffic" to flow through > the repeaters? What about sattelite links - should we filter > those and knock the latency up another notch? No, it's the > software, once again. > Connectivity increases exposure, it doesn't decrease security > - the two are not one and the same. 1000 laptops in a city > centre network becoming infected less than a week from update > release would be unsuprising > (read: defaults are once a week at 3). The security of these > laptops was not compromised by the wireless presence, it was > a medium of travel only. Now lets say, we go back in time and > remove all of the wireless NIC's. Now, there are only 750 > laptops cause we can't generate as much revenue (joke), and > of these they're all still connected, just with a different > medium. The medium is (specification)centralised and routable > in the same manner (ah, so the medium can have 'implications' > ;) - the infection rate is the same. Why? because they are > all connected. It's BEING CONNECTED not BEING WIRELESS that's > the issue here. Yes you may argue, pointlessly however, that > wireless has increased average connectivity, however once > again, this is only a medium. It's business/personal drive > that requires connectedness, not the technology itself. > > Todd Towles wrote: > > This is correct for the first day, maybe two. Then > unpatched laptops > > leave the corporate network, hit the internet outside the > firewall and > > then bring the worm back right to the heart of the network the very > > next day, bypassing the firewall all together. Firewall is just one > > step..it isn't a solve all. Patching would be the only way to stop > > this threat in all vectors. That was my point. > > > > If you aren't blocking 445 on the border of your network, you have > > must worse problems with Zotob. > > > > > >>-----Original Message----- > >>From: Ron DuFresne [mailto:[EMAIL PROTECTED] > >>Sent: Monday, August 22, 2005 3:15 PM > >>To: Todd Towles > >>Cc: n3td3v; full-disclosure@lists.grok.org.uk > >>Subject: RE: [Full-disclosure] Zotob Worm Remover > >> > >>On Mon, 22 Aug 2005, Todd Towles wrote: > >> > >> > >>>Wireless really isn't a issue. You can get a worm from a > >> > >>cat 5 as easy > >> > >>>as you can from wireless. The problem was they weren't > patched. Why > >>>weren't they patched? Perhaps Change policy slowed them > >> > >>down, perhaps > >> > >>>it was the fear of broken programs..perhaps it was the QA > group..it > >>>doesn't really matter. They go the worm because they were > >> > >>not patched. > >> > >>And because they didn't properly filter port 445 is my > understanding. > >>Unpatched systems behind FW's that fliter 445 were untouched. > >> > >>Thanks, > >> > >>Ron DuFresne > >>-- > >>"Sometimes you get the blues because your baby leaves you. > >>Sometimes you get'em 'cause she comes back." --B.B. King > >> ***testing, only testing, and damn good at it too!*** > >> > >>OK, so you're a Ph.D. Just don't touch anything. > >> > >> > >> > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/