Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-19 Thread Seth Johnson


My Mom kicks all you's buttocks.  Got a Radio Shack franchise in
1983, we kids got in on the ground floor of personal computing
(on Color Computers and TRS-80's).

She does tech support for others her age.  Or did, in Colorado in
a community for older folks, and is now in Costa Rica figuring
out how to get online.


Seth Johnson



Marshall Eubanks wrote:
 
 On Feb 12, 2007, at 4:31 AM, Alexander Harrowell wrote:
 
  On 2/12/07, Gadi Evron [EMAIL PROTECTED] wrote:
 
  As a very smart person said a couple of weeks ago when this same
  argument
  was made: are you willing to do tech-support for my mother if she uses
  linux?
 
  Gadi.
 
  Name anyone techie who doesn't have to do tech support for their
  mother on MS Windows..
 
 
 
 The ones whose Mom's got Macs, of course. (Well, in my case it's my
 Mother-in-Law, but the
 tech support required has dramatically reduced.)
 
 Regards
 Marshall

-- 

RIAA is the RISK!  Our NET is P2P!
http://www.nyfairuse.org/action/ftc

DRM is Theft!  We are the Stakeholders!

New Yorkers for Fair Use
http://www.nyfairuse.org

[CC] Counter-copyright: http://realmeasures.dyndns.org/cc

I reserve no rights restricting copying, modification or
distribution of this incidentally recorded communication. 
Original authorship should be attributed reasonably, but only so
far as such an expectation might hold for usual practice in
ordinary social discourse to which one holds no claim of
exclusive rights.



Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Gadi Evron

On Mon, 12 Feb 2007, Sean Donelan wrote:
 
 On Sun, 11 Feb 2007, Gadi Evron wrote:
  Colin Powell mentioned at RSA in his extremely good, entertaining and
  pointless talk something of relevance. During the cold war American kids
  were trained to hide beneath their desktops in case of a nuclear
  attack. Much good that would have done.
 
 The important lesson is you can educate people. The content may have been
 bogus, but it was very effective at reaching most of the population. 
 People who grew up during that era still remember it.
 
 If you can come up with a few simple things to do, it is possible to
 reach most of the public.  But we are our own worst enemies.  When we
 have the opportunity, instead of giving the few simple things everyone
 could do, we create a lot of confusion.

Show me one simple thing that is very easily achievable, and it will be
everywhere at the next crisis. Giving security advice today is extremely
difficult, as it is not always true nor is it easy to give it one meaning.

Gadi.



Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Brandon Butterworth

  During the cold war American kids
  were trained to hide beneath their desktops in case of a nuclear
  attack. Much good that would have done.

It could have kept them from running around the streets screaming "we're
all going to die".

It may well save people if they are on the edge of the survival zone,
that may not be a good idea but at least they know what to expect

I don't pretend to know the real reason but keeping control is usually
better even if you can't change the outcome.

brandon


Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Stephane Bortzmeyer

On Mon, Feb 12, 2007 at 01:45:41AM -0500,
 Sean Donelan [EMAIL PROTECTED] wrote 
 a message of 16 lines which said:

 The important lesson is you can educate people. The content may have
 been bogus,

Right on spot: it is easy to educate people with simple and
meaningless advice such as "Install an antivirus" or "Hide under the
desk" or (my favorite, now known by most ordinary users) "Do not open
attachments from unknown recipients". But most security risks do not
require monkey advice (advice that an ordinary monkey could
follow). They require intelligence, knowledge in the field, and time,
all things that are in short supply.

The discussion about the NPO who had the choice between breaking stuff
that works because of patches or risking an attack was a very good one
and the IT manager at the NPO was quite reasonable, indeed: the aim
is not security (except for security professionals), the aim is to
have the work done and, if you listen only to the security experts, no
work will ever be done (but you will be safe).

 If you can come up with a few simple things to do, it is possible to
 reach most of the public.

Sure, just find these few simple things that will actually improve
security. (My personal one would be "Erase MS-Windows and install
Ubuntu". If we are ready to inconvenience ordinary workers with
computer security, this one would be a good start.)




Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Gadi Evron

On Mon, 12 Feb 2007, Stephane Bortzmeyer wrote:
 
 On Mon, Feb 12, 2007 at 01:45:41AM -0500,
  Sean Donelan [EMAIL PROTECTED] wrote 
  a message of 16 lines which said:
 
  The important lesson is you can educate people. The content may have
  been bogus,
 

snip

  If you can come up with a few simple things to do, it is possible to
  reach most of the public.
 
 Sure, just find these few simple things that will actually improve
 security. (My personal one would be "Erase MS-Windows and install
 Ubuntu". If we are ready to inconvenience ordinary workers with
 computer security, this one would be a good start.)

As a very smart person said a couple of weeks ago when this same argument
was made: are you willing to do tech-support for my mother if she uses
linux?

Gadi.



Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Stephane Bortzmeyer

On Mon, Feb 12, 2007 at 03:23:26AM -0600,
 Gadi Evron [EMAIL PROTECTED] wrote 
 a message of 25 lines which said:

 As a very smart person said a couple of weeks ago when this same
 argument was made: are you willing to do tech-support for my mother
 if she uses linux?

I already do it. With my mother, not yours. And she uses MS-Windows so
I can testify that the whole argument "MS-Windows requires less tech
support than Unix" is completely bogus.



Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Alexander Harrowell

On 2/12/07, Gadi Evron [EMAIL PROTECTED] wrote:



As a very smart person said a couple of weeks ago when this same argument
was made: are you willing to do tech-support for my mother if she uses
linux?

Gadi.



Name anyone techie who doesn't have to do tech support for their mother on
MS Windows..


Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Stephane Bortzmeyer

On Mon, Feb 12, 2007 at 09:31:21AM +,
 Alexander Harrowell [EMAIL PROTECTED] wrote 
 a message of 28 lines which said:

 Name anyone techie who doesn't have to do tech support for their
 mother on MS Windows..

Political fix: and their father, too :-)


Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Gadi Evron

On Mon, 12 Feb 2007, Alexander Harrowell wrote:
 On 2/12/07, Gadi Evron [EMAIL PROTECTED] wrote:
 
 
  As a very smart person said a couple of weeks ago when this same argument
  was made: are you willing to do tech-support for my mother if she uses
  linux?
 
  Gadi.
 
 
 Name anyone techie who doesn't have to do tech support for their mother on
 MS Windows..
 

Especially on family holidays, right?

Tech support on usability is not that much of an issue as it is on Linux,
whether because of years of use and becoming used to the Microsoft
interface, or because no matter what Linux is just not that user friendly.

Tech support on Windows has interface questions, but much less than on
Linux.

The real question is, are you willing to support my mother, too?

1. What would be the cost of doing such tech support at an ISP compared to
Windows?
2. How secure would Linux be if massively used and in a default
installation. We already have massive Linux server botnets, let's avoid
the home users.
Gadi.



Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Per Heldal

On Mon, 2007-02-12 at 10:13 +0100, Stephane Bortzmeyer wrote:
 Sure, just find these few simple things that will actually improve
 security. (My personal one would be "Erase MS-Windows and install
 Ubuntu". If we are ready to inconvenience ordinary workers with
 computer security, this one would be a good start.)

Isn't that like treating smallpox with anthrax?

Consumers are cheap and lazy. What they need is a serious incentive to
care about security. Society holds individuals accountable for many
forms of irresponsible behaviour. There's no need to make exceptions for
computer users. Make computer-owners/users pay in full for damages
caused by their equipment with no discount for incompetence. Insecure
products might then be considered inappropriate for public consumption
and that would be a powerful signal to the IT industry to change their
ways. Maybe the market also finally would challenge the validity (or
even existence) of std.disclaimer statements common in today's software
licences.



-- 


Per Heldal - http://heldal.eml.cc/



Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Marshall Eubanks



On Feb 12, 2007, at 4:31 AM, Alexander Harrowell wrote:


On 2/12/07, Gadi Evron [EMAIL PROTECTED] wrote:

As a very smart person said a couple of weeks ago when this same argument
was made: are you willing to do tech-support for my mother if she uses
linux?

Gadi.

Name anyone techie who doesn't have to do tech support for their  
mother on MS Windows..





The ones whose Mom's got Macs, of course. (Well, in my case it's my
Mother-in-Law, but the tech support required has dramatically reduced.)

Regards
Marshall


Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Rich Kulawiec


My two (and a half) cents.

1. Systems that need a firewall, antivirus and antispyware software added
on to survive for more than a few minutes SHOULD NOT BE CONNECTED TO THE
INTERNET IN THE FIRST PLACE.

They're simply not good enough.

It's like bringing a knife to a gunfight.  (nod to Mr. Connery)

2. The idea that you can run a program on a known-compromised OS and count
on that program to detect and/or remove the problem is fundamentally
flawed.  The only way to have much confidence in the former is to boot
from a known-UNcompromised OS and run it from there; the only way to
have some confidence in the latter is to wipe the drives and start over.
And there are still ways that both of these can fail (e.g., sufficiently
clever malware which hides from the first and manages to survive the
second by concealing itself in restored data).

Hitting the "scan and disinfect" button or whatever they call it this week
is well on its way to becoming a NOOP.

3. Banks, credit card companies, and numerous online merchants have
trained their users to be excellent phish victims by training them
to read their mail with a web browser.  Anyone who is serious about
stopping phishing will stop sending mail marked up with HTML.

4. Network operators need to be far more proactive about keeping Bad Stuff
from *leaving* their networks.  (After all, if it can be detected inbound
to X's network, then in most cases it can be detected outbound from Y's --
the exceptions being things like slow, highly distributed attacks which
originate nowhere and everywhere.)

5. I have no sympathy for anyone who still uses the IE and/or Outlook
malware-and-exploit-propagation-engines-disguised-as-applications.
Not that the alternatives are panaceas -- of course they're not -- but at
least they're a big step away from two of the primary compromise vectors.


I figure little, if anything, substantive will be done about 1-4, but
I have some hope that 5 is simple enough that sufficient repetition will
eventually have some effect.

---Rsk


Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Dave Pooser

 Name anyone techie who doesn't have to do tech support for their
 mother on MS Windows..
 The ones whose Mom's got Macs, of course. (Well, in my case it's my
 Mother-in-Law, but the
 tech support required has dramatically reduced.)

Marshall beat me to it. I have a T-shirt that says "Mac: So simple my
parents can use it." It's funny because it's true.
-- 
Dave Pooser, ACSA
Manager of Information Services
Alford Media http://www.alfordmedia.com





Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread D'Arcy J.M. Cain

On Mon, 12 Feb 2007 03:23:26 -0600 (CST)
Gadi Evron [EMAIL PROTECTED] wrote:
 As a very smart person said a couple of weeks ago when this same argument
 was made: are you willing to do tech-support for my mother if she uses
 linux?

Yes.  Well, not your mother (unless she paid me) but I used to support
my father and I ran Unix on his system.  It was great.  If he had a
problem I could generally get into his system and work on it as if I
was right there except he couldn't watch over my shoulder and interrupt
me every 30 seconds with questions.  Now he uses WindBlows and it is
easier for me only because I can send him to my siblings for support.

If I am willing to support someone who doesn't understand the
technology I would rather put them on Unix rather than MSW.

-- 
D'Arcy J.M. Cain darcy@druid.net |  Democracy is three wolves
http://www.druid.net/darcy/|  and a sheep voting on
+1 416 425 1212 (DoD#0082)(eNTP)   |  what's for dinner.


Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread D'Arcy J.M. Cain

On Mon, 12 Feb 2007 09:51:38 -0600
Dave Pooser [EMAIL PROTECTED] wrote:
 Marshall beat me to it. I have a T-shirt that says "Mac: So simple my
 parents can use it." It's funny because it's true.

Why do I keep hearing "My parents are stupid" in these sorts of
comments?  Just wait.  They get smarter as you get older.

-- 
D'Arcy J.M. Cain darcy@druid.net |  Democracy is three wolves
http://www.druid.net/darcy/|  and a sheep voting on
+1 416 425 1212 (DoD#0082)(eNTP)   |  what's for dinner.


Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Gregory Hicks


 Date: Mon, 12 Feb 2007 11:38:10 -0500
 From: D'Arcy J.M. Cain darcy@druid.net
 
 On Mon, 12 Feb 2007 09:51:38 -0600
 Dave Pooser [EMAIL PROTECTED] wrote:
  Marshall beat me to it. I have a T-shirt that says "Mac: So
  simple my parents can use it." It's funny because it's true.
 
 Why do I keep hearing "My parents are stupid" in these sorts of
 comments?  Just wait.  They get smarter as you get older.

My father was NOT stupid.  He could use several of the more popular
word processors (Wang being the last one he had used) but he could
NOT, for the life of him, get used to using MS Word.  Or anything else
associated with Windoze.  The command sequences just didn't make sense
to him ("Why do I have to go push start when I want to shut the
system down?")

-

I am perfectly capable of learning from my mistakes.  I will surely
learn a great deal today.

A democracy is a sheep and two wolves deciding on what to have for
lunch.  Freedom is a well armed sheep contesting the results of the
decision. - Benjamin Franklin

The best we can hope for concerning the people at large is that they
be properly armed. --Alexander Hamilton



Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Barry Shein


  During the cold war American kids
  were trained to hide beneath their desktops in case of a nuclear
  attack. Much good that would have done.
   ...
I don't pretend to know the real reason but keeping control is usually
better even if you can't change the outcome.


The goal was some protection from flying glass and debris from a
blast. The idea was if you saw the flash you'd drop under your desk.

Sure, other places would provide more protection but the assumption
was if you saw that nuclear flash you didn't have time to do much more
than just drop under the desk and put your head between your knees and
your hands over your head (and kiss your a.. goodbye as we'd say) in
the hope that you'd protect your head and face and eyes etc from
flying bits and perhaps the initial heat flash.

You were also probably blinded by the flash so slipping under your
desk was about all you could expect from 30 little kids now suddenly
blinded to manage in a few seconds.

Obviously if you were so close to the blast that you didn't even have
time to drop under the desk that's ok, it wouldn't help. But a blast
wave travels at roughly the speed of sound so that's around 4 seconds
per mile so if you were at least a half mile you had time for the
teacher to shout "DUCK AND COVER!" and drop under your desk.

If a bomb siren sounded that meant you had more time, probably
minutes, so you'd quickly line up and all move to the school hallway
presumably away from windows etc.

I lived through that era and well remember those drills (NYC public
schools.)

-- 
-Barry Shein

The World  | [EMAIL PROTECTED]   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide
Software Tool & Die    | Public Access Internet | SINCE 1989 *oo*


Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-12 Thread Joseph S D Yao

On Mon, Feb 12, 2007 at 12:50:20PM +0100, Per Heldal wrote:
 
 On Mon, 2007-02-12 at 10:13 +0100, Stephane Bortzmeyer wrote:
  Sure, just find these few simple things that will actually improve
  security. (My personal one would be "Erase MS-Windows and install
  Ubuntu". If we are ready to inconvenience ordinary workers with
  computer security, this one would be a good start.)
 
 Isn't that like treating smallpox with anthrax?

More like treating smallpox with cowpox vaccinations.  That, at least,
works.

-- 
Joe Yao
---
   This message is not an official statement of OSIS Center policies.


Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-11 Thread Alexander Harrowell



3. Even if your computer is secure, miscreants depend on your trust. Be
suspicious of messages, files, software; even if it appears to come from a
person or company you trust.

Anti-spam, anti-spyware, anti-virus, anti-phishing tools can help. But
don't assume because you are using them, you can click on everything
and still be safe.  The miscreants are always finding new ways around
them.

It may just be human nature, but people seem to engage in more risky
behavior when they believe they are protected.

4. If your computer is compromised, unplug it until you can get it
fixed.

 It's not going to fix itself, and ignoring the problem is just going
 to get worse.




5. Paying for AV software is not a solution, no matter how often it's been
on TV. (Norton - the antivirus software one finds on virus-infected
computers)


Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-11 Thread Adrian Chadd

On Sun, Feb 11, 2007, Alexander Harrowell wrote:

 5. Paying for AV software is not a solution, no matter how often it's been
 on TV. (Norton - the antivirus software one finds on virus-infected
 computers)

Don't forget the trojan payload lately that used a cracked copy of Kaspersky
AntiVirus to catch subsequent infecters. :)

http://sunbeltblog.blogspot.com/2006/12/hacked-version-of-dr-web-antivirus.html




Adrian



RE: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-11 Thread Sean Donelan


On Sat, 10 Feb 2007, Stasiniewicz, Adam wrote:

Sean makes a good point, but there is one small problem with his
suggestions.  He is preaching to the choir.


Just trying to get the choir to sing on key.  Of course, I know the choir
will probably spin off singing 18 different songs.

Local interest.

The next security incident, can the security experts in the US talk about 
what US readers can do.  Experts in Europe talk about what European readers can
do.  Experts in China, Australia, India, Brazil, Antarctica talk about 
what readers in those areas can do.


I have no idea when, where or what the next incident will be, but can 
guess it will involve the usual problems.


Turn on automatic update, turn off services you don't use, don't believe
everything you read on the net.





Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-11 Thread Steven M. Bellovin

On Sat, 10 Feb 2007 23:36:32 -0600
Stasiniewicz, Adam [EMAIL PROTECTED] wrote:
 
 Another time I was doing some consulting work for a NPO.  I was going
 over the findings of my audit and I told the IT manager that all of
 his machines were missing patches.  His response: we only install
 service packs, individual patches take too much time to install and
 tend to break more stuff than they fix.  Ironically, a month later
 he calls me back asking for help because his network got infected with
 Blaster...

He was both right and wrong -- patches do break a lot of stuff.  He was
facing two problems: the probability of being off the air because of an
attack versus the probability of being off the air because of bad
interactions between patches and applications.  Which is a bigger risk?

It's not an easy question to answer.  One scenario that scares me is
what happens if the April Patch Tuesday takes out, say, TurboTax, just
as Americans are getting ready to file their tax returns.

There are no good answers to this question.  Of course, being an
academic I can view such problems as opportunities, and it is in fact
a major focus of my research.  Today, though, it's a serious issue for
system managers.


--Steve Bellovin, http://www.cs.columbia.edu/~smb


Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-11 Thread Gadi Evron

On Sat, 10 Feb 2007, Sean Donelan wrote:
 
 On Tue, 6 Feb 2007, Roy wrote:
  It's amazing how reporters have to butcher technology information to make it 
  understood by their editors
 
  http://www.cnn.com/2007/TECH/internet/02/06/internet.attacks.ap/index.html?eref=rss_topstories
 
 Do we keep missing opportunities?
 
 Yes, it was a minor incident, just like a minor earthquake, the hurricane 
 that doesn't hit, the fire that is extinguished. But it was also an 
 opportunity to get the message out to the public about the things they 
 can do to take control.
 
 We remind people what to do in a tornado, earthquake, flood, hurricane, 
 etc.  This on-going education does help; even though some people still
 drive their cars through moving water or go outside to watch the tornado.

Colin Powell mentioned at RSA in his extremely good, entertaining and
pointless talk something of relevance. During the cold war American kids
were trained to hide beneath their desktops in case of a nuclear
attack. Much good that would have done.

 Instead of pointing fingers at South Korea, China, etc, every country
 with compromised computers (all of them) are the problem.  The United 
 States may be slow as far as broadband, but it makes up for it in the 
 number of compromised computers.
 
 We may know the drill, but it doesn't hurt to repeat the message every time
 we have the public's attention for 15 seconds.

And yet, can a non-trained user understand what awareness means?

 
 1. Turn on Automatic Update if your computer isn't managed by a full-time 
 IT group.
 
 Microsoft Windows, Apple MAC OS/X, and several versions of Linux
 have Automatic Update available.  Most vendors make security patches
 available to users whether or not the software is licensed or
 un-licensed.
 
 Zero day exploits may be sexy and get the press attention, but the
 long-term problem are the computers that never get patched.  The VML
 exploit on the football stadium websites was patched last month; but
 it's not how fast a patch is released, it's how fast people install it.

Amen. 0days have become something petrifying. At my talk at RSA on
the subject of 0days and ZERT I started by asking what a 0day
is. Any guesses as to how many answers I got?

One answer I did get was that we are all petrified as we can't do
anything about it (not true) and won't know about it.

I am of the strong belief one should take care of known vulnerabilities
first, then start worrying about 0days. That's one thing anyone can start
the process of doing (and for organizations, this can take years) which
will also result in a better infrastructure to contain and respond to 0day
attacks.

Still, how many users know how to turn on automatic updates? We are likely
to see them go to google, type in "automatic updates" and end up
downloading malware.

 2. Use a hardware firewall/router for your broadband connection and turn 
 on the software firewall on your computer in case you ever move your
 computer to a different network.
 
  Use Wireless security (WEP, WPA, VPN, SSL, etc) if using a WiFi access
  point, or turn off the radio on both your home gateway and computer
  if you are not using WiFi.

How??

This is where providers can chime in, and provide with pre-secured
hardware to any level which is above come and rape me.

 3. Even if your computer is secure, miscreants depend on your trust. Be 
 suspicious of messages, files, software; even if it appears to come from a 
 person or company you trust.

How do I determine what is suspicious? This is a message telling me my
mother is sick!

 Anti-spam, anti-spyware, anti-virus, anti-phishing tools can help.  But
 don't assume because you are using them, you can click on everything
 and still be safe.  The miscreants are always finding new ways around
 them.

This is too complicated. I don't understand. So you give me a solution,
use this and that tool, and then I need to be careful yet again?

 It may just be human nature, but people seem to engage in more risky
 behavior when they believe they are protected.

The 4-bit encryption issue. I am encrypted and thus protected.

I would argue email is simply not a secure medium by which to receive
files. Call and verify when in doubt.

If approached by phone, email or any other medium, verify the source
independently in an unrelated fashion to any instructions provided
in that approach, before trusting it.

 4. If your computer is compromised, unplug it until you can get it fixed.
 
  It's not going to fix itself, and ignoring the problem is just going
  to get worse.

A user won't unplug him or herself. An ISP might. Today the economy of
this changes enough for quite some ISPs to decide it is better to kick a
user than give him or her tech support. Enter walled garden.

Gadi.



RE: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-11 Thread Gadi Evron

On Sun, 11 Feb 2007, Sean Donelan wrote:
 
 On Sat, 10 Feb 2007, Stasiniewicz, Adam wrote:
  Sean makes a good point, but there is one small problem with his
  suggestions.  He is preaching to the choir.
 
 Just trying to get the choir to sing on key.  Of course, I know the choir
 will probably spin off singing 18 different songs.
 
 Local interest.
 
 The next security incident, can the security experts in the US talk about 
 what US readers can do.  Experts in Europe talk about what European readers can
 do.  Experts in China, Australia, India, Brazil, Antarctica talk about 
 what readers in those areas can do.
 
 I have no idea when, where or what the next incident will be, but can 
 guess it will involve the usual problems.
 
 Turn on automatic update, turn off services you don't use, don't believe
 everything you read on the net.

Preaching to the choir indeed, only the choir is not the users.

The Internet is not a secure place and we can force no one to secure their
computers. We can throw them off our networks if they don't, as they cost
us more than they pay.

Gadi.



Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-11 Thread Steven M. Bellovin

On Sun, 11 Feb 2007 10:49:30 -0600
Dave Pooser [EMAIL PROTECTED] wrote:

 
  He was both right and wrong -- patches do break a lot of stuff.  He
  was facing two problems: the probability of being off the air
  because of an attack versus the probability of being off the air
  because of bad interactions between patches and applications.
  Which is a bigger risk?
 
 That's an argument for an organizational test environment and testing
 patches before deployment, no? Not an argument against patching. That
 said, I would LOVE to see MS ship a monthly/quarterly unified updater
 that's a one-step way to bring fresh systems up to date without
 slipstreaming the install CD. Then press a zillion of 'em and put
 them everywhere you can find an AOL CD, for all those folks on
 dial-up who see a 200MB download and curl up in the fetal position
 and whimper.
 

Surveys have shown an inverse correlation between the size of a company
and when it installed XP SP2.  

Yes, you're right; a good test environment is the right answer.  As I
think most of us on this list know, it's expensive, hard to do right,
and still doesn't catch everything.  If I recall correctly, the post I
was replying to said that it was a non-profit; reading between the
lines, it wasn't heavily staffed for IT, or they wouldn't have needed a
consultant to help clean up after Blaster.  And there's one more thing
-- at what point have you done enough testing, given how rapidly some
exploits are developed after the patch comes out?


--Steve Bellovin, http://www.cs.columbia.edu/~smb


RE: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-11 Thread Stasiniewicz, Adam

Yes, the place in question was very understaffed.  The long term
remediation plan I helped them on after the Blaster case was to deploy
SUS and acquire a volume license for an AV (they had very spotty and in
some sites nonexistent AV coverage on the client machines).  With the
pressure from upper management, I got the IT manager to do some basic
tests of patches (manual install on the computers in the IT office and
see if anything blew up) then push the patches via SUS.  

I have seen some fairly reasonable methodologies for deploying patches.
In this day, being behind with patches (especially with Microsoft
products) is like playing with fire.  (That is not to say that it is a
good idea to be behind on your *nix updates, they are just as vulnerable
to exploit if they are running old versions of internet accessible
apps.) Some of the strategies I have seen that work reasonably well at
mitigating the risk of damage caused by patches:

-Deploy patches to a small number of computers (one or two per
department).  This way you get coverage of all the apps used.  Then
after a day or two of no complaints, push patches out to the rest of the
computers.
-Maintain a collection of computers running all of the critical apps
where you can test each patch.
-Wait a few days before patching.  During this time monitor mailing
lists/blogs/news sites/etc for any reports of problems, if none exist,
patch.

It should also be noted that over the last few years Microsoft has got a
lot better at internally testing patches (remember the NT4 service
packs?).  So many times for my smaller and less staffed customers and
private individuals I advise them to configure for automatic updating.

Adam Stasiniewicz

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Steven M. Bellovin
Sent: Sunday, February 11, 2007 12:49 PM
To: Dave Pooser
Cc: nanog
Subject: Re: Every incident is an opportunity (was Re: Hackers hit key
Internet traffic computers)


On Sun, 11 Feb 2007 10:49:30 -0600
Dave Pooser [EMAIL PROTECTED] wrote:

 
  He was both right and wrong -- patches do break a lot of stuff.  He
  was facing two problems: the probability of being off the air
  because of an attack versus the probability of being off the air
  because of bad interactions between patches and applications.
  Which is a bigger risk?
 
 That's an argument for an organizational test environment and testing
 patches before deployment, no? Not an argument against patching. That
 said, I would LOVE to see MS ship a monthly/quarterly unified updater
 that's a one-step way to bring fresh systems up to date without
 slipstreaming the install CD. Then press a zillion of 'em and put
 them everywhere you can find an AOL CD, for all those folks on
 dial-up who see a 200MB download and curl up in the fetal position
 and whimper.
 

Surveys have shown an inverse correlation between the size of a company
and when it installed XP SP2.  

Yes, you're right; a good test environment is the right answer.  As I
think most of us on this list know, it's expensive, hard to do right,
and still doesn't catch everything.  If I recall correctly, the post I
was replying to said that it was a non-profit; reading between the
lines, it wasn't heavily staffed for IT, or they wouldn't have needed a
consultant to help clean up after Blaster.  And there's one more thing
-- at what point have you done enough testing, given how rapidly some
exploits are developed after the patch comes out?


--Steve Bellovin, http://www.cs.columbia.edu/~smb
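
The staged rollout described in the message above (a pilot machine or two per department chosen for application coverage, a soak period, a hold on any problem report), sketched as an added example that is not part of the original thread. The inventory, host names, and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed inventory: host -> (department, installed apps).
INVENTORY = {
    "fin-01": ("finance", {"office", "ledger"}),
    "fin-02": ("finance", {"office", "payroll"}),
    "fin-03": ("finance", {"office"}),
    "ops-01": ("ops", {"office", "cad"}),
    "ops-02": ("ops", {"office", "cad", "scada-view"}),
    "hr-01": ("hr", {"office", "payroll"}),
}

def pick_pilots(inventory, per_dept=2):
    """Greedy pick of up to per_dept hosts per department that together
    run as many of that department's apps as possible."""
    by_dept = {}
    for host, (dept, apps) in inventory.items():
        by_dept.setdefault(dept, {})[host] = apps
    pilots, uncovered = [], {}
    for dept, hosts in sorted(by_dept.items()):
        needed = set().union(*hosts.values())
        chosen = []
        while needed and len(chosen) < per_dept:
            # Host covering the most still-untested apps; name breaks ties.
            best = max(sorted(h for h in hosts if h not in chosen),
                       key=lambda h: len(hosts[h] & needed))
            chosen.append(best)
            needed -= hosts[best]
        pilots += chosen
        if needed:
            uncovered[dept] = needed  # apps no pilot machine will exercise
    return pilots, uncovered

def rollout_decision(pilot_installed, now, pilots, complaints,
                     external_reports=0, soak=timedelta(days=2)):
    """'hold' on any problem report, 'wait' during the soak, else 'promote'."""
    bad = sorted(h for h in complaints if h in pilots)
    if bad or external_reports:
        return "hold", bad      # a pilot broke, or others report breakage
    if now - pilot_installed < soak:
        return "wait", []       # no complaints yet, but too early to tell
    return "promote", []        # push to the rest of the fleet
```

The `uncovered` result is the part worth reading before a rollout: it names the applications that no pilot machine runs, which is where a patch can still break something unnoticed.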


Re: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-11 Thread Sean Donelan


On Sun, 11 Feb 2007, Gadi Evron wrote:

Colin Powell mentioned at RSA in his extremely good, entertaining and
pointless talk something of relevance. During the cold war American kids
were trained to hide beneath their desktops in case of a nuclear
attack. Much good that would have done.


The important lesson is you can educate people. The content may have been
bogus, but it was very effective at reaching most of the population. 
People who grew up during that era still remember it.


If you can come up with a few simple things to do, it is possible to
reach most of the public.  But we are our own worst enemies.  When we
have the opportunity, instead of giving the few simple things everyone
could do, we create a lot of confusion.




Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-10 Thread Sean Donelan


On Tue, 6 Feb 2007, Roy wrote:
It's amazing how reporters have to butcher technology information to make it 
understood by their editors


http://www.cnn.com/2007/TECH/internet/02/06/internet.attacks.ap/index.html?eref=rss_topstories


Do we keep missing opportunities?

Yes, it was a minor incident, just like a minor earthquake, the hurricane 
that doesn't hit, the fire that is extinguished. But it was also an 
opportunity to get the message out to the public about the things they 
can do to take control.


We remind people what to do in a tornado, earthquake, flood, hurricane, 
etc.  This on-going education does help; even though some people still
drive their cars through moving water or go outside to watch the tornado.


Instead of pointing fingers at South Korea, China, etc, every country
with compromised computers (all of them) is the problem.  The United 
States may be slow as far as broadband, but it makes up for it in the 
number of compromised computers.


We may know the drill, but it doesn't hurt to repeat the message every time
we have the public's attention for 15 seconds.

1. Turn on Automatic Update if your computer isn't managed by a full-time 
IT group.


   Microsoft Windows, Apple MAC OS/X, and several versions of Linux
   have Automatic Update available.  Most vendors make security patches
   available to users whether or not the software is licensed or
   un-licensed.

   Zero day exploits may be sexy and get the press attention, but the
   long-term problem is the computers that never get patched.  The VML
   exploit on the football stadium websites was patched last month; but
   it's not how fast a patch is released, it's how fast people install it.

2. Use a hardware firewall/router for your broadband connection and turn 
on the software firewall on your computer in case you ever move your
computer to a different network.

Use Wireless security (WEP, WPA, VPN, SSL, etc) if using a WiFi access
point, or turn off the radio on both your home gateway and computer
if you are not using WiFi.

3. Even if your computer is secure, miscreants depend on your trust. Be 
suspicious of messages, files, software; even if it appears to come from a 
person or company you trust.


   Anti-spam, anti-spyware, anti-virus, anti-phishing tools can help.  But
   don't assume because you are using them, you can click on everything
   and still be safe.  The miscreants are always finding new ways around
   them.

   It may just be human nature, but people seem to engage in more risky
   behavior when they believe they are protected.

4. If your computer is compromised, unplug it until you can get it fixed.

It's not going to fix itself, and ignoring the problem is just going
to get worse.


RE: Every incident is an opportunity (was Re: Hackers hit key Internet traffic computers)

2007-02-10 Thread Stasiniewicz, Adam

Sean makes a good point, but there is one small problem with his
suggestions.  He is preaching to the choir.  I really really hope
everyone on this list knows how to do some basic security on their
personal computers (not to mention the collection of security experts
that are on this list).  The real problem here is getting the word out
to regular users about computer security.

Point-in-case.  A friend of mine was recently buying her daughter a new
computer for her birthday.  So she asked me to give them suggestions and
look over the specs of a few models they were considering.  On the
print outs she handed me (I think from Dell) she had unchecked the AV
and firewall software.  When I asked her why, she responded with "oh we
trust our daughter, she won't go to any bad websites so anti-virus and
firewall software is just an unneeded expense..."  It is this type of
mentality that is common among consumers.  

Another time I was doing some consulting work for a NPO.  I was going over
the findings of my audit and I told the IT manager that all of his
machines were missing patches.  His response: "we only install service
packs, individual patches take too much time to install and tend to
break more stuff than they fix."  Ironically, a month later he calls me
back asking for help because his network got infected with Blaster...

Last story.  In a previous job one of my duties was to maintain the
internet connection and firewall.  One day I get an automatic page that
our outbound bandwidth is maxed.  Checking the router, sure enough, 100%
utilization.  So I began to back track the traffic, it all originated
from the helpdesk subnet.  My first assumption was that they were trying
to disinfect someone's computer that got a virus.  So I walked down to
the desk ready to yell at the genius who plugged the computer into the
production network.  But I found that there were no computers in for
service...  Checked the router, still maxing out the internet, so I
check each of the IPs of the tech workstations and found that the
manager's computer matched.  Checked the NIC light, blinking crazy.  This
definitely was the computer.  Asked the manager if he knew anything about
this, and he responded "well there was this odd email we got in the
helpdesk mailbox, I figured it was a virus, and I wanted to see what
happened if I ran it.  So I downloaded and ran the .exe.  But nothing
happened, so I thought it must have been broken or something like
that..."  This guy is the helpdesk manager (who really should know
better) and is knowingly running malicious code on his work computer
(while logged in with a privileged account).

So if there is anything to get from the above stories, it is that when it
comes to computer security, the average person is very very under
educated.  So where I think the real focus should be is not to scare
people about attacks on abstract concepts like root servers, but instead
try to educate them on personal computer security.  I want to see a CNN
special about someone who had their identity stolen because he did not
have anti-virus software.  I want to see interviews with computer
criminals saying that they could have not hacked into personal computers
if only the owners had put on firewalls.  I want to see the media show
the horror stories that a lack of personal computer security can do and
then show people how to keep it from happening to them.

My $0.02,
Adam Stasiniewicz

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Sean Donelan
Sent: Saturday, February 10, 2007 10:41 PM
To: nanog
Subject: Every incident is an opportunity (was Re: Hackers hit key
Internet traffic computers)


On Tue, 6 Feb 2007, Roy wrote:
 It's amazing how reporters have to butcher technology information to make it
 understood by their editors


http://www.cnn.com/2007/TECH/internet/02/06/internet.attacks.ap/index.html?eref=rss_topstories

Do we keep missing opportunities?

Yes, it was a minor incident, just like a minor earthquake, the
hurricane 
that doesn't hit, the fire that is extinguished. But it was also an 
opportunity to get the message out to the public about the things they 
can do to take control.

We remind people what to do in a tornado, earthquake, flood, hurricane, 
etc.  This on-going education does help; even though some people still
drive their cars through moving water or go outside to watch the
tornado.


Instead of pointing fingers at South Korea, China, etc, every country
with compromised computers (all of them) is the problem.  The United 
States may be slow as far as broadband, but it makes up for it in the 
number of compromised computers.

We may know the drill, but it doesn't hurt to repeat the message every time
we have the public's attention for 15 seconds.

1. Turn on Automatic Update if your computer isn't managed by a
full-time 
IT group.

Microsoft Windows, Apple MAC OS/X, and several versions of Linux
have Automatic Update available.  Most vendors make