Re: [Full-disclosure] Security Updates Without Rebooting

2005-11-07 Thread Stuart Low
Hey,

 Can someone explain how to apply security patches on the system without 
 rebooting the machine?
 I guess that I can't patch the kernel without compiling and rebooting the 
 machine, so the only way is with iptables and keeping the daemons fresh?

Well, if you have a customised kernel you'll probably find that your
need to reboot with a new kernel becomes fairly low (Kernel level
exploits are fairly rare, especially remote ones).

If you've upgraded services probably the easiest way to ensure they're
loaded with the latest version would be to drop the system to single
user mode then bring it back up to multiuser mode (ala, init 2, init 3).

Stuart

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
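As an added example (not part of Stuart's post or the thread), here is a POSIX shell check that supports the advice above: after a package upgrade it lists the processes still mapping a binary or shared library that was replaced on disk, i.e. the daemons that need a restart or the single-user/multi-user cycle to actually run the patched code. It reads the "(deleted)" markers Linux puts in /proc/PID/maps; the function names and the sample maps content are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: find running processes that still map
# files replaced on disk since they started. Linux marks such mappings
# "(deleted)" in /proc/PID/maps, which is the state a daemon is in after an
# upgrade replaced its executable or one of its libraries.

# Print the distinct replaced files mapped by one process, given a file in
# /proc/PID/maps format. Shared memory and memfd mappings also show
# "(deleted)" but are not upgrade residue, so they are filtered out.
stale_maps_from_file() {
    # maps line: start-end perms offset dev inode path [(deleted)]
    grep ' (deleted)$' "$1" 2>/dev/null \
        | awk '{ $1=$2=$3=$4=$5=""; sub(/^ +/, ""); sub(/ \(deleted\)$/, ""); print }' \
        | grep -v -e '^/dev/' -e '^/memfd:' -e '^/SYSV' \
        | sort -u
}

# Scan every process and print "PID COMM PATH" per stale mapping. Run as root
# to see other users' processes; unreadable ones are skipped silently.
stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        stale_maps_from_file "$maps" | while IFS= read -r path; do
            printf '%s %s %s\n' "$pid" "$comm" "$path"
        done
    done
}

# Constructed sample in /proc/PID/maps format (not captured from a real host):
# one replaced library mapped twice, one current library, one shm mapping.
write_sample_maps() {
    cat > "$1" <<'EOF'
7f0000000000-7f0000001000 r-xp 00000000 08:01 1234 /usr/lib/libssl.so.0.9.8 (deleted)
7f0000001000-7f0000002000 r--p 00000000 08:01 5678 /usr/lib/libc.so.6
7f0000002000-7f0000003000 rw-s 00000000 00:05 99   /dev/zero (deleted)
7f0000003000-7f0000004000 r-xp 00000000 08:01 1234 /usr/lib/libssl.so.0.9.8 (deleted)
EOF
}

# Demonstration on the constructed sample, then a live scan of this host.
sample=$(mktemp)
write_sample_maps "$sample"
echo "sample: $(stale_maps_from_file "$sample")"
rm -f "$sample"
echo "live:"
stale_processes
```

On the sample the only reported file is /usr/lib/libssl.so.0.9.8; on a live host, every PID it prints is a service to restart before trusting that the update is in effect.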


Re: [Full-disclosure] Zotob Worm Remover

2005-08-22 Thread Stuart Low
I'm just going to be facetious here and say "What's Zotob?"

Seriously, you can have all the arguments you want about how worm X
infection rate is increased due to whatever reason but as J Tucker
pointed out it's the software that's the issue.

As for us *shrugs*, we don't suffer the plight of worms. I guess that's
the advantage of running a 100% Linux shop.

Stu

On Mon, 2005-08-22 at 22:08 +0100, James Tucker wrote:
 It seems to me that the attack was less than a week old from the start 
 date. Default settings on a relatively unchanged box would provide a 
 suitable window of opportunity given the availability of the worm to the 
 deployer. This is more important than network connectivity, which is not 
 of security concern as this is not the exploited layer. Disconnecting 
 networks is what you suggest when you're in trouble, not when you're 
 trying to maintain the daily balance of cost vs function. Moreover, 
 wireless is receiving the blame - however this will only continue whilst 
 your laptop is the device you are using. Eventually will you blame the 
 mobile phone companies for allowing dangerous traffic to flow through 
 the repeaters? What about satellite links - should we filter those and 
 knock the latency up another notch? No, it's the software, once again. 
 Connectivity increases exposure, it doesn't decrease security - the two 
 are not one and the same. 1000 laptops in a city centre network becoming 
 infected less than a week from update release would be unsurprising 
 (read: defaults are once a week at 3). The security of these laptops was 
 not compromised by the wireless presence, it was a medium of travel 
 only. Now let's say, we go back in time and remove all of the wireless 
 NICs. Now, there are only 750 laptops cause we can't generate as much 
 revenue (joke), and of these they're all still connected, just with a 
 different medium. The medium is (specification)centralised and routable 
 in the same manner (ah, so the medium can have 'implications' ;) -  the 
 infection rate is the same. Why? because they are all connected. It's 
 BEING CONNECTED not BEING WIRELESS that's the issue here. Yes you may 
 argue, pointlessly however, that wireless has increased average 
 connectivity, however once again, this is only a medium. It's 
 business/personal drive that requires connectedness, not the technology 
 itself.
 
 Todd Towles wrote:
  This is correct for the first day, maybe two. Then unpatched laptops
  leave the corporate network, hit the internet outside the firewall and
  then bring the worm back right to the heart of the network the very next
  day, bypassing the firewall altogether. A firewall is just one step; it
  isn't a solve-all. Patching would be the only way to stop this threat in
  all vectors. That was my point.
  
  If you aren't blocking 445 on the border of your network, you have much
  worse problems with Zotob.
  
  
 -Original Message-
 From: Ron DuFresne [mailto:[EMAIL PROTECTED] 
 Sent: Monday, August 22, 2005 3:15 PM
 To: Todd Towles
 Cc: n3td3v; full-disclosure@lists.grok.org.uk
 Subject: RE: [Full-disclosure] Zotob Worm Remover
 
 On Mon, 22 Aug 2005, Todd Towles wrote:
 
 Wireless really isn't an issue. You can get a worm from a cat 5 as easy 
 as you can from wireless. The problem was they weren't patched. Why 
 weren't they patched? Perhaps change policy slowed them down, perhaps 
 it was the fear of broken programs..perhaps it was the QA group..it 
 doesn't really matter. They got the worm because they were not patched.
 
 And because they didn't properly filter port 445 is my understanding.
 Unpatched systems behind FWs that filter 445 were untouched.
 
 Thanks,
 
 Ron DuFresne
 --
 Sometimes you get the blues because your baby leaves you. 
 Sometimes you get'em 'cause she comes back. --B.B. King
 ***testing, only testing, and damn good at it too!***
 
 OK, so you're a Ph.D.  Just don't touch anything.
 


Re: [Full-disclosure] RE: Exploits Selling / Buying

2005-06-09 Thread Stuart Low
 Space, flight and errors to boot!
 http://opensource.arc.nasa.gov/project.jsp?id=*

That's hardly something of an exploitable nature. It's a plain ol'
Number Format exception. At least this way the only way it'll get past
there is by parsing a number.

Stuart
