I'm just going to be facetious here and say "What's Zotob"? Seriously, you can have all the arguments you want about how worm X infection rate is increased due to whatever reason but as J Tucker pointed out it's the software that's the issue.
As for us *shrugs*, we don't suffer the plight of worms. I guess that's the advantage of running a 100% Linux shop.

Stu

On Mon, 2005-08-22 at 22:08 +0100, James Tucker wrote:
> It seems to me that the attack was less than a week old from the start
> date. Default settings on a relatively unchanged box would provide a
> suitable window of opportunity given the availability of the worm to the
> deployer. This is more important than network connectivity, which is not
> of security concern as this is not the exploited layer. Disconnecting
> networks is what you suggest when you're in trouble, not when you're
> trying to maintain the daily balance of cost vs function. Moreover,
> wireless is receiving the blame - however this will only continue whilst
> your laptop is the device you are using. Eventually will you blame the
> mobile phone companies for allowing "dangerous traffic" to flow through
> the repeaters? What about satellite links - should we filter those and
> knock the latency up another notch? No, it's the software, once again.
> Connectivity increases exposure, it doesn't decrease security - the two
> are not one and the same. 1000 laptops in a city centre network becoming
> infected less than a week from update release would be unsurprising
> (read: defaults are once a week at 3). The security of these laptops was
> not compromised by the wireless presence, it was a medium of travel
> only. Now let's say we go back in time and remove all of the wireless
> NICs. Now, there are only 750 laptops 'cause we can't generate as much
> revenue (joke), and of these they're all still connected, just with a
> different medium. The medium is (specification) centralised and routable
> in the same manner (ah, so the medium can have 'implications' ;) - the
> infection rate is the same. Why? Because they are all connected. It's
> BEING CONNECTED not BEING WIRELESS that's the issue here.
>
> Yes you may argue, pointlessly however, that wireless has increased
> average connectivity, however once again, this is only a medium. It's
> business/personal drive that requires connectedness, not the technology
> itself.
>
> Todd Towles wrote:
> > This is correct for the first day, maybe two. Then unpatched laptops
> > leave the corporate network, hit the internet outside the firewall and
> > then bring the worm back right to the heart of the network the very
> > next day, bypassing the firewall altogether. Firewall is just one
> > step.. it isn't a solve-all. Patching would be the only way to stop
> > this threat in all vectors. That was my point.
> >
> > If you aren't blocking 445 on the border of your network, you have
> > much worse problems with Zotob.
> >
> > > -----Original Message-----
> > > From: Ron DuFresne [mailto:[EMAIL PROTECTED]
> > > Sent: Monday, August 22, 2005 3:15 PM
> > > To: Todd Towles
> > > Cc: n3td3v; full-disclosure@lists.grok.org.uk
> > > Subject: RE: [Full-disclosure] Zotob Worm Remover
> > >
> > > On Mon, 22 Aug 2005, Todd Towles wrote:
> > >
> > > > Wireless really isn't an issue. You can get a worm from a cat 5 as
> > > > easy as you can from wireless. The problem was they weren't
> > > > patched. Why weren't they patched? Perhaps change policy slowed
> > > > them down, perhaps it was the fear of broken programs.. perhaps it
> > > > was the QA group.. it doesn't really matter. They got the worm
> > > > because they were not patched.
> > >
> > > And because they didn't properly filter port 445 is my understanding.
> > > Unpatched systems behind FWs that filter 445 were untouched.
> > >
> > > Thanks,
> > >
> > > Ron DuFresne
> > > --
> > > "Sometimes you get the blues because your baby leaves you.
> > > Sometimes you get 'em 'cause she comes back." --B.B. King
> > > ***testing, only testing, and damn good at it too!***
> > >
> > > OK, so you're a Ph.D. Just don't touch anything.
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
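The recurring point in the thread is that patching and border filtering of tcp/445 (SMB) are what decided whether a site was hit, not the wireless medium. The script below is an added example, not code from the thread or from any of its posters: it parses an `iptables-save` dump from a Linux border firewall and reports whether a new inbound connection to tcp/445 on the external interface would be dropped or rejected, both to the firewall itself (INPUT chain) and through it (FORWARD chain), using first-match-wins rule evaluation and the chain's default policy. The interface name `eth0` and both rule dumps are constructed for illustration.

```python
"""Check an iptables-save dump for border filtering of inbound SMB (tcp/445).

Added example (not from the mailing-list thread). Assumes a Linux border
firewall whose rules were exported with `iptables-save`; the two dumps
below are constructed and `eth0` is assumed to be the external interface.
"""

# Constructed dump: FORWARD drops 135/139/445 from the outside, INPUT has
# a DROP policy with only loopback and established traffic allowed.
FILTERED_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m multiport --dports 135,139,445 -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""

# Constructed dump: only tcp/139 is filtered; 445 falls through to the
# ACCEPT policies, which is the "much worse problem" the thread refers to.
UNFILTERED_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -p tcp --dport 139 -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""


def _parse_ports(spec):
    """Expand '135,139,445' or '137:139' into a set of port numbers."""
    ports = set()
    for item in spec.split(","):
        if ":" in item:
            lo, hi = item.split(":")
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(item))
    return ports


def _parse_rule(chain, rest):
    """Pull the match fields this check cares about out of one '-A' line."""
    rule = {"chain": chain, "in_if": None, "proto": None,
            "ports": None, "states": None, "target": None}
    toks = rest.split()
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok == "-i":
            rule["in_if"] = toks[i + 1]
        elif tok == "-p":
            rule["proto"] = toks[i + 1]
        elif tok in ("--dport", "--dports"):
            rule["ports"] = _parse_ports(toks[i + 1])
        elif tok in ("--state", "--ctstate"):
            rule["states"] = set(toks[i + 1].split(","))
        elif tok == "-j":
            rule["target"] = toks[i + 1]
        else:
            i += 1          # unrelated token (e.g. "-m", "multiport", "-o eth0")
            continue
        i += 2
    return rule


def parse_dump(dump):
    """Return ({chain: policy}, [rules in order]) from iptables-save text."""
    policies, rules = {}, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            chain, rest = line[3:].split(" ", 1)
            rules.append(_parse_rule(chain, rest))
    return policies, rules


def verdict(dump, chain, ext_if, port, proto="tcp"):
    """Target for a NEW inbound packet on ext_if to proto/port in `chain`.

    iptables semantics: the first matching rule decides; if none matches,
    the chain policy applies (ACCEPT if no policy line was seen).
    """
    policies, rules = parse_dump(dump)
    for r in rules:
        if r["chain"] != chain:
            continue
        if r["in_if"] not in (None, ext_if):
            continue
        if r["proto"] not in (None, proto):
            continue
        if r["ports"] is not None and port not in r["ports"]:
            continue
        # A fresh inbound SYN is NEW, so RELATED,ESTABLISHED rules skip it.
        if r["states"] is not None and "NEW" not in r["states"]:
            continue
        return r["target"]
    return policies.get(chain, "ACCEPT")


def smb_blocked_at_border(dump, ext_if="eth0"):
    """True only if tcp/445 from outside is dropped/rejected in INPUT and FORWARD."""
    return all(verdict(dump, chain, ext_if, 445) in ("DROP", "REJECT")
               for chain in ("INPUT", "FORWARD"))


if __name__ == "__main__":
    for name, dump in (("filtered", FILTERED_DUMP), ("unfiltered", UNFILTERED_DUMP)):
        print(f"{name}: tcp/445 blocked at border = {smb_blocked_at_border(dump)}")
```

On a real box, feed it `iptables-save` output and your actual external interface name. Both chains are checked because a DROP in FORWARD alone still leaves the firewall host's own SMB service reachable, and the state check matters because an early `RELATED,ESTABLISHED -j ACCEPT` rule must not be mistaken for a hole.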