RE: Security of Equipment in poorly-secured locations.
Well, I work for a very large company that runs premium data centers. While cameras are great, real security on those sites is monitoring 24/7. It is not my intent to malign Verizon, nor any other major provider; in my opinion critical infrastructure equipment must be protected. While I do not believe terrorists were involved in this particular incident, I do believe enterprising individuals taking advantage of the current political hysteria took equipment to possibly set up their own high speed network, because it was accessible.

-Henry

--- "Williams, Jeff" <[EMAIL PROTECTED]> wrote:

> Although a webcam is cheaper, Netbotz has a slick rackmount camera that does environmentals as well. On motion detection it snaps 5 frames off to a central server which can be tied into an NMS.
>
> In this particular case, the colo being open racks (apparently), physical security was lacking a lot. But, just as with spam, the measure - counter-measure struggle goes on. "Locks only keep honest people out."
>
> Jeff
>
> 'scuse the disclaimer below.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruce Campbell
> Sent: Tuesday, May 04, 2004 2:04 PM
> To: North American Noise and Off-topic Gripes
> Subject: Security of Equipment in poorly-secured locations.
>
> On Tue, 4 May 2004, Jay Hennigan wrote:
>
> > Subject: Re: "Network Card Theft Causes Internet Outage"
> > Of course, it's just as likely that a Verizon employee lifted them as
> > a colocation customer, and either is far more likely than terrorists.
>
> So, say that your equipment, sitting in a shared facility, suffered 'tampering' of some description. What would you do to prevent that happening in the first place, or failing that, to have a positive description to hand to the local authorities?
> To start off, what we've done with our gear that's located in a shared facility is to change the locks on our racks so the facility rack key (which everyone has a copy of) doesn't work. The administrators of the facility have a copy of our rack key in order to do any remote hands work that we need though.
>
> What has been suggested (but not implemented) for our gear is to have a network camera on the inside of each rack activated by the racks being opened (for some vague definition of 'opened'). Easily defeated by lifting the floor tiles and disconnecting the uplink cable of course, but reasonable peace of mind against the casual equipment lifter.
>
> --
> Bruce Campbell.
> Sysadmin/Etc.
RE: FW: Worms versus Bots now religion host security vs firewall/nat/acl
> Smith, Donald wrote:
> Feel free to read the document and make suggestions (within scope) for improvements.

I would change the title to something like "install windows xp and all updates securely". The current title misleads the reader into thinking that (s)he could actually use the computer at the end of the first day.

> "Steps outlined in this guide should be seen as minimum due diligence to make it through the first day of using Microsoft Windows XP."

I disagree with this. Minimum due diligence _before_ using XP is IMHO something along the lines of the list I posted earlier. A Windows computer that does not have an antivirus is not ready to be used. A Windows computer that does not have a good software firewall is not ready to be used. Use != install.

Michel.
Dial up goes boom
Sorry for the premature message of: "Once, twice, three times... an outage. TNT's just went bonkers"

Anyone else in NYC, Westchester having issues?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D
sil @ politrix . org http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

'Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth.' -- Marcus Aurelius
Dial up goes boom
Once, twice, three times... an outage. TNT's just went bonkers

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D
sil @ politrix . org http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

'Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth.' -- Marcus Aurelius
Re: Worms versus Bots
At 4:19 PM -0500 5/4/04, Laurence F. Sheldon, Jr. wrote:

> chuck goolsbee wrote:
>
> > However, up to 90% of the users *are* stupid:

I didn't say that, I only quoted (Valdis Kletnieks) it... to which I replied that compensating for stupidity is a zero-sum game.

> > Seriously though, the Internet might be a better place for it. After all, 90% of those "stupid" people just want email and HTTP.
>
> Do we have a pointer to a rigorous study that indicates either assertion?

First of all, I was disagreeing with Valdis' assessment of "stupidity"... a more accurate term would be "non-technical."

I have no rigorous study to point to, sorry. But I will say virtually all the "home users" I have encountered are running Windows for the purpose of getting email and using "the Web". That machine is usually in some unprotected, or already compromised, state. I make similar/same suggestions to them that have already been stated here: nuke/pave, enable what security features are available in the OS, get a firewall, NAT, etc. etc. The prescription seems to be viewed to be as difficult as the disease it cures. Zero-sum. So maybe they WOULD be better with a "WebTV" model. Or a Macintosh.

> Or is it possible there are other explanations?

Perhaps. I'm just reporting what I am seeing.

> What will we do when they figure out that paying us to let them hurt themselves is a sub-optimal use of their money?
>
> How is WebTV doing these days? Since it is now Microsoft, can their boxen get rooted/zombied/botted now too?

I'll admit I never paid too much attention to WebTV. Perhaps there is a market for "safe Internet access"... I don't know. But I suspect the barrier to entry is either making it work with the dominant platform, or asking the market to take the leap to another platform. Both are unlikely. What I do know is that the dominant platform is inherently insecure, and many of its users, those "non-technical" folks I referred to...

they seem to be mostly unaware of the danger they pose to themselves and everyone else on the Network.

--chuck
Re: Worms versus Bots
Steven M. Bellovin wrote:

> > > However, up to 90% of the users *are* stupid:
> >
> > Or is it possible there are other explanations?
>
> Don Norman has argued quite eloquently that it's a technology and human factors failure -- see, for example, http://www.interesting-people.org/archives/interesting-people/200312/msg00105.html (reprinted from RISKS Digest).
>
> Now, I'm not saying that it's easy to get things like this right, and I've argued loudly against the notion that auto-patching is a sane approach. But if we deny that there's a problem except for "stupid people", we're not likely to find a solution.

That last sentence is the point I was trying to get to.

After all, nearly half the people here are below the average for intelligence.

--
Requiescas in pace o email
Ex turpi causa non oritur actio
http://members.cox.net/larrysheldon/
Re: Worms versus Bots
In message <[EMAIL PROTECTED]>, "Laurence F. Sheldon, Jr." writes:

> chuck goolsbee wrote:
>
> > > However, up to 90% of the users *are* stupid:
> >
> > Seriously though, the Internet might be a better place for it. After
> > all, 90% of those "stupid" people just want email and HTTP.
>
> Do we have a pointer to a rigorous study that indicates either
> assertion?
>
> Or is it possible there are other explanations?

Don Norman has argued quite eloquently that it's a technology and human factors failure -- see, for example, http://www.interesting-people.org/archives/interesting-people/200312/msg00105.html (reprinted from RISKS Digest).

Now, I'm not saying that it's easy to get things like this right, and I've argued loudly against the notion that auto-patching is a sane approach. But if we deny that there's a problem except for "stupid people", we're not likely to find a solution.

--Steve Bellovin, http://www.research.att.com/~smb
RE: FW: Worms versus Bots now religion host security vs firewall/nat/acl
The goal of the document is clearly stated below. Feel free to read the document and make suggestions (within scope) for improvements. The document is not intended to take the place of hardening XP documents.

Today I learned from Sean that the firewall portion of XP SP1 comes up after services are enabled. I will request that information be added to the pdf.

I am NOT arguing against firewalls. I like them, I use them, they're grr8! Security in depth is a good idea, one that I support, encourage and practice.

[EMAIL PROTECTED] GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
kill -13 111.2

> -----Original Message-----
> From: Rob Nelson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, May 04, 2004 4:26 PM
> To: Smith, Donald; Daniel Senie; Sean Donelan
> Cc: [EMAIL PROTECTED]
> Subject: RE: FW: Worms versus Bots
>
> > The goal of this document is to help new XP users survive long enough to do their updates. Many of them can't/won't put up acls/nat/firewalls ... but if they follow the steps listed they have a better chance of successfully downloading and updating their new machine than they will have with OUT these steps.
> > It is not meant as a complete XP hardening document. There are lots of documents that discuss in detail how to harden windows (xp,nt,2k...).
>
> If the person doesn't continue to do acls/nat/firewalls, they'll just get infected after the next hole is discovered. And yes, there are plenty of holes that a firewall/nat box won't fix. Still, better than the user only doing Windows Update on the day of install and never having a firewall...
>
> Rob Nelson
> [EMAIL PROTECTED]
Re: BGP Exploit
What would a Cisco log if the IPs for the BGP sessions were attacked and MD5 was in place? "No MD5 digest from ", "Invalid MD5 digest from " or something else?

So far, grepping through my logs, all I see for "MD5" are the times I set MD5 for my BGP sessions.

--
James H. Edwards
Routing and Security
At the Santa Fe Office: Internet at Cyber Mesa
[EMAIL PROTECTED] [EMAIL PROTECTED]
(505) 795-7101
RE: FW: Worms versus Bots
> The goal of this document is to help new XP users survive long enough to do their updates. Many of them can't/won't put up acls/nat/firewalls ... but if they follow the steps listed they have a better chance of successfully downloading and updating their new machine than they will have with OUT these steps.
> It is not meant as a complete XP hardening document. There are lots of documents that discuss in detail how to harden windows (xp,nt,2k...).

If the person doesn't continue to do acls/nat/firewalls, they'll just get infected after the next hole is discovered. And yes, there are plenty of holes that a firewall/nat box won't fix. Still, better than the user only doing Windows Update on the day of install and never having a firewall...

Rob Nelson
[EMAIL PROTECTED]
Re: Worms versus Bots
chuck goolsbee wrote:

> > However, up to 90% of the users *are* stupid:
>
> Seriously though, the Internet might be a better place for it. After all, 90% of those "stupid" people just want email and HTTP.

Do we have a pointer to a rigorous study that indicates either assertion?

Or is it possible there are other explanations?

What will we do when they figure out that paying us to let them hurt themselves is a sub-optimal use of their money?

--
Requiescas in pace o email
Ex turpi causa non oritur actio
http://members.cox.net/larrysheldon/
Re: Worms versus Bots
> > In other words: if one is stupid, one gets worm'ed or bot'ed.
>
> However, up to 90% of the users *are* stupid:
> http://www.silicon.com/software/security/0,39024655,39118228,00.htm
>
> Any network security scheme that fails to either (a) lower the stupidity rate or (b) deliver a system that will protect that 90% from themselves is doomed.

"There's only so much stupidity you can compensate for; there comes a point where you compensate for so much stupidity that it starts to cause problems for the people who actually think in a normal way." --Bill Dickson, digital.forest tech support

Which leads to the logical conclusion:

> We may be looking at a move back towards the WebTV appliance model (which would thrill the media conglomerates to no end).

=)

Seriously though, the Internet might be a better place for it. After all, 90% of those "stupid" people just want email and HTTP.

--chuck
RE: Security of Equipment in poorly-secured locations.
Although a webcam is cheaper, Netbotz has a slick rackmount camera that does environmentals as well. On motion detection it snaps 5 frames off to a central server which can be tied into an NMS.

In this particular case, the colo being open racks (apparently), physical security was lacking a lot. But, just as with spam, the measure - counter-measure struggle goes on. "Locks only keep honest people out."

Jeff

'scuse the disclaimer below.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruce Campbell
Sent: Tuesday, May 04, 2004 2:04 PM
To: North American Noise and Off-topic Gripes
Subject: Security of Equipment in poorly-secured locations.

On Tue, 4 May 2004, Jay Hennigan wrote:

> Subject: Re: "Network Card Theft Causes Internet Outage"
> Of course, it's just as likely that a Verizon employee lifted them as
> a colocation customer, and either is far more likely than terrorists.

So, say that your equipment, sitting in a shared facility, suffered 'tampering' of some description. What would you do to prevent that happening in the first place, or failing that, to have a positive description to hand to the local authorities?

To start off, what we've done with our gear that's located in a shared facility is to change the locks on our racks so the facility rack key (which everyone has a copy of) doesn't work. The administrators of the facility have a copy of our rack key in order to do any remote hands work that we need though.

What has been suggested (but not implemented) for our gear is to have a network camera on the inside of each rack activated by the racks being opened (for some vague definition of 'opened'). Easily defeated by lifting the floor tiles and disconnecting the uplink cable of course, but reasonable peace of mind against the casual equipment lifter.

--
Bruce Campbell.
Sysadmin/Etc.
** This message, including any attachments, contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, please contact sender immediately by reply e-mail and destroy all copies. You are hereby notified that any disclosure, copying, or distribution of this message, or the taking of any action based on it, is strictly prohibited. TIAA-CREF **
Verizon TLS ?
Does anyone have any positive/negative experiences to share with Verizon TLS service (At the Gigabit level)? thanks, DJ
Re: Worms versus Bots
On Mon, 03 May 2004 20:53:50 PDT, Michel Py said:

> In other words: if one is stupid, one gets worm'ed or bot'ed.

However, up to 90% of the users *are* stupid:
http://www.silicon.com/software/security/0,39024655,39118228,00.htm

Any network security scheme that fails to either (a) lower the stupidity rate or (b) deliver a system that will protect that 90% from themselves is doomed.

We may be looking at a move back towards the WebTV appliance model (which would thrill the media conglomerates to no end).
Security of Equipment in poorly-secured locations.
On Tue, 4 May 2004, Jay Hennigan wrote:

> Subject: Re: "Network Card Theft Causes Internet Outage"
> Of course, it's just as likely that a Verizon employee lifted them as
> a colocation customer, and either is far more likely than terrorists.

So, say that your equipment, sitting in a shared facility, suffered 'tampering' of some description. What would you do to prevent that happening in the first place, or failing that, to have a positive description to hand to the local authorities?

To start off, what we've done with our gear that's located in a shared facility is to change the locks on our racks so the facility rack key (which everyone has a copy of) doesn't work. The administrators of the facility have a copy of our rack key in order to do any remote hands work that we need though.

What has been suggested (but not implemented) for our gear is to have a network camera on the inside of each rack activated by the racks being opened (for some vague definition of 'opened'). Easily defeated by lifting the floor tiles and disconnecting the uplink cable of course, but reasonable peace of mind against the casual equipment lifter.

--
Bruce Campbell.
Sysadmin/Etc.
RE: BGP Exploit
I have seen 3 publicly available tools that ALL work. I have seen 2 private tools that work. A traffic generator can be configured to successfully tear down bgp sessions, given src/dst ip and ports.

I tested with a cross platform EBGP peering with md5 using several of the tools. I could not tear down the sessions.

I tested both Cisco and juniper BGP peering after code upgrades without md5. I could not tear down the sessions.

[EMAIL PROTECTED] GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
kill -13 111.2

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steven M. Bellovin
> Sent: Tuesday, May 04, 2004 11:54 AM
> To: Kurt Erik Lindqvist
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: BGP Exploit
>
> In message <[EMAIL PROTECTED]>, Kurt Erik Lindqvist writes:
>
> > > Now that the firestorm over implementing Md5 has quieted down a bit,
> > > is anybody aware of whether the exploit has been used?
> > > Feel free to reply off list.
> >
> > Even more interesting, did anyone manage to reproduce it?
>
> I don't know if it's being used; I know that reimplementations of the idea are out there.
>
> --Steve Bellovin, http://www.research.att.com/~smb
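The check that both James Edwards' question (what gets logged when MD5 is on) and Donald Smith's test results above depend on is the TCP MD5 signature option of RFC 2385. What follows is an added example, not code from the list or from any router vendor: it signs a segment the way RFC 2385 orders the input (pseudo-header, fixed 20-byte TCP header with the checksum taken as zero, payload, then the shared key) and classifies a received segment as ok, bad-digest or no-digest. The addresses, ports, key and those three result names are this example's own assumptions; it says nothing about what any particular router actually logs.

```python
"""RFC 2385 TCP MD5 signature option: sign and verify a TCP segment.

Added example, not code from the list discussion. Addresses, ports, the
key and the result strings ("ok", "bad-digest", "no-digest") are this
example's own choices. The TCP checksum is left at zero because only the
signature is of interest here.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
TCPOPT_NOP = 1
TCPOPT_MD5 = 19       # option kind of the MD5 signature option
TCPOPT_MD5_LEN = 18   # kind + length + 16-byte digest
FLAG_RST = 0x04
FLAG_ACK = 0x10


def _pseudo_header(src_ip, dst_ip, segment_len):
    # RFC 2385 s.2 order: source addr, dest addr, zero, protocol, TCP length
    return (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, segment_len))


def _digest(src_ip, dst_ip, fixed_header, payload, key, segment_len):
    # fixed_header: the 20-byte header, options excluded, checksum zeroed.
    # The key goes in last, so it never appears on the wire.
    h = hashlib.md5()
    h.update(_pseudo_header(src_ip, dst_ip, segment_len))
    h.update(fixed_header)
    h.update(payload)
    h.update(key)
    return h.digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                  payload=b"", key=None):
    """Return header (+ options) + payload; signed only when a key is given."""
    # The 18-byte option is padded with two NOPs to a 4-byte boundary.
    opt_len = TCPOPT_MD5_LEN + 2 if key is not None else 0
    data_offset = (20 + opt_len) // 4
    segment_len = 20 + opt_len + len(payload)
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        data_offset << 4, flags, window, 0, 0)
    options = b""
    if key is not None:
        digest = _digest(src_ip, dst_ip, fixed, payload, key, segment_len)
        options = (bytes([TCPOPT_MD5, TCPOPT_MD5_LEN]) + digest
                   + bytes([TCPOPT_NOP, TCPOPT_NOP]))
    return fixed + options + payload


def _find_md5_option(options):
    """Walk the option list; return the 16-byte digest or None."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                 # end of option list
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2:                # malformed; stop rather than loop
            break
        if kind == TCPOPT_MD5 and length == TCPOPT_MD5_LEN:
            return options[i + 2:i + length]
        i += length
    return None


def verify_segment(src_ip, dst_ip, segment, key):
    """Classify a received segment against the key configured for the peer."""
    header_len = (segment[12] >> 4) * 4
    received = _find_md5_option(segment[20:header_len])
    if received is None or len(received) != 16:
        return "no-digest"
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"        # digest is computed with checksum = 0
    expected = _digest(src_ip, dst_ip, bytes(fixed), segment[header_len:],
                       key, len(segment))
    return "ok" if hmac.compare_digest(expected, received) else "bad-digest"


if __name__ == "__main__":
    peer, me, key = "192.0.2.1", "192.0.2.2", b"example-bgp-key"   # constructed
    good = build_segment(peer, me, 179, 40001, 1000, 2000, FLAG_ACK, 16384, key=key)
    print(verify_segment(peer, me, good, key))            # ok
    # A spoofed RST from someone who does not know the key
    forged = build_segment(peer, me, 179, 40001, 1000, 2000,
                           FLAG_RST | FLAG_ACK, 0, key=b"guess")
    print(verify_segment(peer, me, forged, key))          # bad-digest
    # A spoofed RST carrying no option at all
    plain = build_segment(peer, me, 179, 40001, 1000, 2000, FLAG_RST | FLAG_ACK, 0)
    print(verify_segment(peer, me, plain, key))           # no-digest
```

Because the source and destination addresses are covered by the pseudo-header and the key is appended rather than transmitted, a segment with guessed sequence numbers but no key fails in either the bad-digest or the no-digest branch, which is the property Donald's test with MD5 enabled relies on. Note that MD5 here is a keyed digest, not a collision-resistant hash; its weakness is the static shared key, which is why later work moved to TCP-AO.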
Re: BGP Exploit
In message <[EMAIL PROTECTED]>, Kurt Erik Lindqvist writes:

> > Now that the firestorm over implementing Md5 has quieted down a bit, is
> > anybody aware of whether the exploit has been used?
> > Feel free to reply off list.
>
> Even more interesting, did anyone manage to reproduce it?

I don't know if it's being used; I know that reimplementations of the idea are out there.

--Steve Bellovin, http://www.research.att.com/~smb
RE: FW: Worms versus Bots
> Smith, Donald wrote:
> The goal of this document is to help new XP users survive long enough to do their updates.

It is regrettable though that no mention is made of real personal firewalls such as ZoneAlarm (ICF has no egress control whatsoever). Although the intentions behind this document are good, I am concerned that users might get a false sensation of security after reading it (because after doing some steps it is now "safe" to plug in the network).

> Many of them can't/won't put up acls/nat/firewalls...

IMHO there is no excuse not to have a $39 box on a broadband connection. And, contrary to ICF, it can't be deactivated. Talking about defense in depth, this box _is_ the first line of defense.

When I install a PC at friends and family, my sequence is:

1. Hardware NAT/router/firewall. Deactivate uPNP and wireless.
2. Passwords
3. Windows Update
4. Office online
5. Norton anti-virus with automatic updates and scheduled scans.
6. ZoneAlarm
7. Ad-aware with update
8. Run a full virus scan
9. Run a full spyware scan

ICF is not even part of the picture as it does not remove the need for the hardware nor the need for ZoneAlarm.

As far as spending money on hardware, it's part of what is required to have my help, along with beer and baked goods.

Michel
RE: FW: Worms versus Bots
At 12:35 PM 5/4/2004, Smith, Donald wrote:

> Daniel I agree a nat/firewall/router with acl's ... will all help prevent windows compromises. I believe security in depth is an essential element of any good security system.
> The goal of this document is to help new XP users survive long enough to do their updates. Many of them can't/won't put up acls/nat/firewalls

Note that I said "have this NAT box in your bag." My suggestion is that this be used during installation. Is $50 too high an extra expense to suggest people just buy one with the machine, and use it as a tool for doing installations? That's what I was suggesting. For the money, this is FAR better protection than that provided by the document.

> ... but if they follow the steps listed they have a better chance of successfully downloading and updating their new machine than they will have with OUT these steps.
> It is not meant as a complete XP hardening document. There are lots of documents that discuss in detail how to harden windows (xp,nt,2k...).
>
> [EMAIL PROTECTED] GCIA
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
> pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
> kill -13 111.2
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Senie
> > Sent: Tuesday, May 04, 2004 9:39 AM
> > To: Sean Donelan
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: FW: Worms versus Bots
> >
> > At 10:54 AM 5/4/2004, Sean Donelan wrote:
> >
> > > On Tue, 4 May 2004, Smith, Donald wrote:
> > > > If you follow these steps outlined by SANS you should be able to
> > > > successfully update and NOT get infected. This is short, easy, fully
> > > > documented (with pictures :)
> > > > http://www.sans.org/rr/papers/index.php?id=1298
> > >
> > > The risk is smaller, but still exists if you follow these directions
> > > for XP pre-SP2. See the Microsoft release notes for XP SP2 for details
> > > about the fix.
> > >
> > > If you do not have XP SP2, you need to disconnect your computer from
> > > the network prior to every boot cycle until it is fully patched.
> >
> > A much simpler mechanism than that described by SANS is to have a small, cheap NAT box in your bag (e.g. D-Link DI-604 or similar). Worth the $50 cost to have one available. Put the little router between the new machine to be brought up and whatever network you have access to. Now you can bring up the new machine and update it without having it get instantly infected. (Use some common sense... don't set up email until the machine is patched, or use any other sort of mechanism to pull in potential viruses before patching is done).
> >
> > (To deflect the inevitable "NAT is not a firewall" complaints, the box is a stateful inspection firewall -- as all NAT boxes actually are).
L2TPv3 encaps performance (again)
I had quite a large number of people reply privately to me on this (see below), but a singular lack of vendors (just one) who had anything to say on the subject.

So, before I conclude that there is only one vendor in the world that supports L2TPv3 at anything close to gigabit speeds, I thought I'd ask again, more explicitly:

If there are any vendors interested in selling L2TPv3 boxes, and they'd like the list of potential customers who have sent me mail about this to find out about them, then they should feel free to send me a sentence or two about what their boxes can do so I can pass the information on.

Suggestions and recommendations from operators would be also wildly good to hear.

Thanks!

Begin forwarded message:

From: Joe Abley [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 28, 2004 11:05 AM
To: [EMAIL PROTECTED]
Subject: L2TPv3 encaps performance

Someone asked me the other day if I could recommend some L2TPv3 tunnel termination devices which might be capable of encaps/de-encaps of traffic which bursts near to 1Gbit/s (e.g. with GE uplinks to a core/transport network, and GE interfaces for hand-off towards the subscriber). Application is providing transparent/pseudowire wide-area ethernet transport service over a routed-IP but non-LDP-capable core.

This didn't sound like a particularly hard question, but I couldn't find any performance numbers on L2TPv3 edge boxes anywhere.

What boxes exist that can do this stuff at gig speeds? Replies off-list would be fine, I can summarise if there's interest.
RE: FW: Worms versus Bots
Daniel I agree a nat/firewall/router with acl's ... will all help prevent windows compromises. I believe security in depth is an essential element of any good security system.

The goal of this document is to help new XP users survive long enough to do their updates. Many of them can't/won't put up acls/nat/firewalls ... but if they follow the steps listed they have a better chance of successfully downloading and updating their new machine than they will have with OUT these steps.

It is not meant as a complete XP hardening document. There are lots of documents that discuss in detail how to harden windows (xp,nt,2k...).

[EMAIL PROTECTED] GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
kill -13 111.2

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Senie
> Sent: Tuesday, May 04, 2004 9:39 AM
> To: Sean Donelan
> Cc: [EMAIL PROTECTED]
> Subject: RE: FW: Worms versus Bots
>
> At 10:54 AM 5/4/2004, Sean Donelan wrote:
>
> > On Tue, 4 May 2004, Smith, Donald wrote:
> > > If you follow these steps outlined by SANS you should be able to
> > > successfully update and NOT get infected. This is short, easy, fully
> > > documented (with pictures :)
> > > http://www.sans.org/rr/papers/index.php?id=1298
> >
> > The risk is smaller, but still exists if you follow these directions
> > for XP pre-SP2. See the Microsoft release notes for XP SP2 for details
> > about the fix.
> >
> > If you do not have XP SP2, you need to disconnect your computer from
> > the network prior to every boot cycle until it is fully patched.
>
> A much simpler mechanism than that described by SANS is to have a small, cheap NAT box in your bag (e.g. D-Link DI-604 or similar). Worth the $50 cost to have one available. Put the little router between the new machine to be brought up and whatever network you have access to. Now you can bring up the new machine and update it without having it get instantly infected. (Use some common sense... don't set up email until the machine is patched, or use any other sort of mechanism to pull in potential viruses before patching is done).
>
> (To deflect the inevitable "NAT is not a firewall" complaints, the box is a stateful inspection firewall -- as all NAT boxes actually are).
Re: "Network Card Theft Causes Internet Outage"
On Tue, 4 May 2004, Charles Sprickman wrote:

> On Tue, 4 May 2004, Andy Dills wrote:
>
> > So it's a fingerpointing battle, Sprint pointing fingers at Verizon,
> > Verizon pointing fingers at terrorists.
>
> That's just a move to help further their argument that no one should be
> allowed to co-locate in COs. After all, it's a matter of national
> security...

Of course, it's just as likely that a Verizon employee lifted them as a colocation customer, and either is far more likely than terrorists.

--
Jay Hennigan - CCIE #7880 - Network Administration - [EMAIL PROTECTED]
WestNet: Connecting you to the planet. 805 884-6323 WB6RDV
NetLojix Communications, Inc. - http://www.netlojix.com/
RE: FW: Worms versus Bots
Sean thanks. I just reread the XP SP2 details and you're right, SP2 starts the firewall SOONER during boot (like before it starts most network services :-)

http://msdn.microsoft.com/security/default.aspx?pull=/library/en-us/dnwxp/html/securityinxpsp2.asp

Boot time security. In earlier versions of Windows there is a window of time between when the network stack started and when ICF provided protection. Consequently, a packet could have been received and delivered to a service without ICF filtering it, potentially exposing the computer to vulnerabilities. In SP2, the firewall driver has a static rule called a boot-time policy to perform stateful filtering. This will allow the computer to perform basic networking tasks such as DNS and DHCP and communicate with a Domain Controller to obtain policy. Once the firewall service is running, it will load and apply the run-time ICF policy and remove the boot-time filters. This change should increase system security without affecting applications.

[EMAIL PROTECTED] GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
kill -13 111.2

> -----Original Message-----
> From: Sean Donelan [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, May 04, 2004 8:55 AM
> To: Smith, Donald
> Cc: [EMAIL PROTECTED]
> Subject: RE: FW: Worms versus Bots
>
> On Tue, 4 May 2004, Smith, Donald wrote:
> > If you follow these steps outlined by SANS you should be able to
> > successfully update and NOT get infected. This is short, easy, fully
> > documented (with pictures :)
> > http://www.sans.org/rr/papers/index.php?id=1298
>
> The risk is smaller, but still exists if you follow these directions for XP pre-SP2. See the Microsoft release notes for XP SP2 for details about the fix.
>
> If you do not have XP SP2, you need to disconnect your computer from the network prior to every boot cycle until it is fully patched.
Re: "Network Card Theft Causes Internet Outage"
On Tue, 4 May 2004, Andy Dills wrote:

> So it's a fingerpointing battle, Sprint pointing fingers at Verizon,
> Verizon pointing fingers at terrorists.

That's just a move to help further their argument that no one should be allowed to co-locate in COs. After all, it's a matter of national security...

Charles

> Andy
>
> ---
> Andy Dills
> Xecunet, Inc.
> www.xecu.net
> 301-682-9972
> ---
Re: How long before infected - Internet addresses are not uniform
On Tue, 4 May 2004 02:42:10 -0400 (EDT) Sean Donelan <[EMAIL PROTECTED]> wrote:

> On Mon, 3 May 2004, william(at)elan.net wrote:
> > Similarly when setting up computers for several of my relatives (all
> > have dsl) I've yet to see any infection before all updates are installed.
>
> The folks at CAIDA can do the math, but it turns out many of the recent
> worms have some interesting gaps in their address scanning routines.
> There are some Internet address ranges scanned every few seconds, while
> other address ranges may go weeks between scans. This is part of the
> reason why "network telescope" estimates of how many infected computers
> are so wrong. They assume a uniform distribution of worm scans and
> infected computers.

I think that their math is challenged in general - Sasser appears to do
TCP scanning of the entire multicast address range, which betrays a lack
of knowledge or concern about Internet routing.

Regards
Marshall Eubanks

> I've seen "raw" Windows boxes connected to the Internet for 4 weeks
> without being compromised. A watched honeypot never attracts the bear :-)
> I've also seen Windows boxes compromised during the boot process between
> the time the network interface is enabled and XP's built-in firewall
> being activated, less than 1 second.
>
> Of course we still have the human factor. Some system compromises require
> the user to save an attachment, rename the file, open the file, enter a
> password, extract another file and then run it in order to compromise
> the computer. It's amazing how many infected computers are behind
> NAT/firewalls. Firewalls and antivirus help, but please when you
> get a message from your ISP saying your computer is infected check
> it out. Don't assume it can't happen to you just because.
>
> I have not found an official Microsoft source for MD5 hashes of
> Windows, so it's difficult to find unknown stuff on your computer. There
> are some third-party products which can do change monitoring of Windows.
> But I agree with Rob Thomas and others, the only way to restore trust
> in your Windows' system is to re-install from a known, good distribution.
> Unfortunately, this is beyond the capabilities of many home (and even
> office) users.
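The change-monitoring idea in the quoted post (a known-good hash list for the files on a box, so that "unknown stuff" stands out) can be done without vendor-published hashes by taking a baseline of a freshly installed system and diffing against it later. The following is an added example written for this page, not code from the thread or from any product the thread mentions. It hashes a directory tree, stores the result, and reports added, removed and modified files; the directory contents and the "tampering" in demo() are constructed. SHA-256 is used rather than the MD5 the post asks about, because MD5 collisions are practical and a baseline meant to catch tampering should use a collision-resistant hash.

```python
"""Added example: a minimal file-integrity baseline and diff."""

import hashlib
import os
import tempfile
from typing import Dict, List


def hash_file(path: str, chunk: int = 1 << 16) -> str:
    """SHA-256 of one file, read in chunks so large binaries are not loaded into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root: str) -> Dict[str, str]:
    """Map of relative path -> SHA-256 for every regular file under root.
    Symlinks are skipped so a link planted to point outside the tree is
    not silently followed into the baseline."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def diff_baseline(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare two baselines: 'modified' is what a patched or trojaned system
    file looks like, 'added' is the unknown binary a bot drops."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed directory, snapshot it, tamper with it, return the diff.
    File names and contents are made up for the example."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "system32"))
        for rel, data in {
            "system32/kernel32.dll": b"original kernel32",
            "system32/user32.dll": b"original user32",
            "readme.txt": b"hello",
        }.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        before = hash_tree(root)

        # Simulate a compromise: one system file overwritten, one new binary
        # dropped, one file deleted.
        with open(os.path.join(root, "system32/kernel32.dll"), "wb") as f:
            f.write(b"backdoored kernel32")
        with open(os.path.join(root, "system32/svchost32.exe"), "wb") as f:
            f.write(b"bot")
        os.remove(os.path.join(root, "readme.txt"))
        after = hash_tree(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline only helps if it is taken before the box is exposed and stored somewhere the box cannot write to; a baseline kept on the monitored host is as trustworthy as the host. It also says nothing about files that were already bad when the baseline was taken, which is why the post still ends with "re-install from a known, good distribution".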
RE: FW: Worms versus Bots
At 10:54 AM 5/4/2004, Sean Donelan wrote:

> On Tue, 4 May 2004, Smith, Donald wrote:
> > If you follow these steps outlined by SANS you should be able to
> > successfully update and NOT get infected. This is short, easy, fully
> > documented (with pictures :)
> > http://www.sans.org/rr/papers/index.php?id=1298
>
> The risk is smaller, but still exists if you follow these directions for
> XP pre-SP2. See the Microsoft release notes for XP SP2 for details about
> the fix. If you do not have XP SP2, you need to disconnect your computer
> from the network prior to every boot cycle until it is fully patched.

A much simpler mechanism than that described by SANS is to have a small,
cheap NAT box in your bag (e.g. D-Link DI-604 or similar). Worth the $50
cost to have one available. Put the little router between the new machine
to be brought up and whatever network you have access to. Now you can
bring up the new machine and update it without having it get instantly
infected. (Use some common sense... don't set up email until the machine
is patched, or use any other sort of mechanism to pull in potential
viruses before patching is done.)

(To deflect the inevitable "NAT is not a firewall" complaints, the box is
a stateful inspection firewall -- as all NAT boxes actually are.)
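The reason the little NAT box above protects an unpatched machine is the state table: outbound connections create entries, inbound packets are forwarded only when they match one, and an unsolicited SYN to port 445 or 135 from a scanning worm matches nothing. The following toy connection tracker is an added example written for this page, not firmware from the DI-604 or any other product; the LAN prefix, public address, update server and scanner addresses are all hypothetical.

```python
"""Added example: a toy NAT connection tracker showing why unsolicited
inbound scans are dropped while the inside host's own traffic flows."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

INSIDE_NET = "192.168.0."      # hypothetical LAN behind the NAT box
OUTSIDE_ADDR = "198.51.100.7"  # hypothetical public address of the NAT box


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # SYN without ACK is a new connection attempt
    ack: bool = False


class NatBox:
    """Creates state for outbound TCP flows, translates them to OUTSIDE_ADDR,
    and forwards inbound packets only when they match existing state."""

    def __init__(self) -> None:
        self.next_port = 40000
        # public port -> (inside src, inside sport, outside dst, outside dport)
        self.table: Dict[int, Tuple[str, int, str, int]] = {}
        self.log: List[str] = []

    @staticmethod
    def _is_inside(addr: str) -> bool:
        return addr.startswith(INSIDE_NET)

    def process(self, pkt: Packet) -> str:
        """Return 'FORWARD' or 'DROP' for one packet seen at the NAT box."""
        if self._is_inside(pkt.src):
            # Outbound: reuse or create a mapping and translate the source.
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            port = next((p for p, v in self.table.items() if v == key), None)
            if port is None:
                port = self.next_port
                self.next_port += 1
                self.table[port] = key
            self.log.append(f"out {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
                            f"as {OUTSIDE_ADDR}:{port}")
            return "FORWARD"

        # Inbound: the remote side must match the mapping we created, and a
        # bare SYN is never a reply to anything.
        entry = self.table.get(pkt.dport)
        if (entry and entry[2] == pkt.src and entry[3] == pkt.sport
                and not (pkt.syn and not pkt.ack)):
            self.log.append(f"in  {pkt.src}:{pkt.sport} -> {entry[0]}:{entry[1]} (state)")
            return "FORWARD"
        self.log.append(f"drop {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} (no state)")
        return "DROP"


def scenario() -> List[str]:
    """An unpatched host fetches updates while a scanner probes the public address.
    Addresses and ports are constructed."""
    box = NatBox()
    update_srv = "203.0.113.10"   # hypothetical update server
    worm = "203.0.113.66"         # hypothetical infected scanner
    return [
        box.process(Packet("192.168.0.5", 1025, update_srv, 80, syn=True)),          # host -> updates
        box.process(Packet(update_srv, 80, OUTSIDE_ADDR, 40000, syn=True, ack=True)),  # SYN/ACK back
        box.process(Packet(worm, 3099, OUTSIDE_ADDR, 445, syn=True)),                  # LSASS probe
        box.process(Packet(worm, 3100, OUTSIDE_ADDR, 135, syn=True)),                  # RPC/DCOM probe
        box.process(Packet(worm, 80, OUTSIDE_ADDR, 40000, syn=True)),                  # mapped port, wrong peer
    ]


if __name__ == "__main__":
    box = NatBox()
    print(scenario())
```

The protection holds only for traffic the inside host did not invite: a port forward, UPnP mapping, or the host fetching a malicious attachment all pass through the state table legitimately, which is why the post says not to set up e-mail before patching.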
Re: "Network Card Theft Causes Internet Outage"
On Tue, 4 May 2004, Christopher L. Morrow wrote:

> On Tue, 4 May 2004, Stephen Sprunk wrote:
> > Thus spake "Andy Dills" <[EMAIL PROTECTED]>
> > > Just in case any of you don't read slashdot:
> > >
> > > http://www.eweek.com/article2/0,1759,1583347,00.asp
> > >
> > > "Law enforcement officials said four DS-3 cards were reported missing from
> > > a Manhattan co-location facility owned by Verizon Communications Inc. The
> > > theft at 240 E. 38th St. occurred just after 10:30 p.m. on Sunday and is
> > > being investigated by New York City Police and members of the joint
> > > terrorism task force, according to NYPD spokesman Lt. Brian Burke. "
> >
> > One must wonder why the headline is "Network Card Theft Causes Internet
> > Outage" instead of "Carrier Security Negligence Causes Internet Outage".
>
> blame is bad, hype is good!

Interestingly, the word is that Sprint is blaming this 100% on Verizon,
first claiming outright theft (publicly, to customers who called asking
for an explanation), later toning that down to something like "a Verizon
union worker damaged our equipment".

So it's a fingerpointing battle, Sprint pointing fingers at Verizon,
Verizon pointing fingers at terrorists.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
Re: "Network Card Theft Causes Internet Outage"
On Tue, 4 May 2004, Stephen Sprunk wrote:

> Thus spake "Andy Dills" <[EMAIL PROTECTED]>
> > Just in case any of you don't read slashdot:
> >
> > http://www.eweek.com/article2/0,1759,1583347,00.asp
> >
> > "Law enforcement officials said four DS-3 cards were reported missing from
> > a Manhattan co-location facility owned by Verizon Communications Inc. The
> > theft at 240 E. 38th St. occurred just after 10:30 p.m. on Sunday and is
> > being investigated by New York City Police and members of the joint
> > terrorism task force, according to NYPD spokesman Lt. Brian Burke. "
>
> One must wonder why the headline is "Network Card Theft Causes Internet
> Outage" instead of "Carrier Security Negligence Causes Internet Outage".

blame is bad, hype is good!
Re: "Network Card Theft Causes Internet Outage"
I admit, my first reaction was, "Maybe they should interview anyone that
just brought in an empty router chassis and now has DS3's running..."
(gotta keep a hot spare after all)

** Reply to message from "Stephen Sprunk" <[EMAIL PROTECTED]> on Tue, 4 May 2004 09:37:10 -0500

> Thus spake "Andy Dills" <[EMAIL PROTECTED]>
> > Just in case any of you don't read slashdot:
> >
> > http://www.eweek.com/article2/0,1759,1583347,00.asp
> >
> > "Law enforcement officials said four DS-3 cards were reported missing from
> > a Manhattan co-location facility owned by Verizon Communications Inc. The
> > theft at 240 E. 38th St. occurred just after 10:30 p.m. on Sunday and is
> > being investigated by New York City Police and members of the joint
> > terrorism task force, according to NYPD spokesman Lt. Brian Burke. "
>
> One must wonder why the headline is "Network Card Theft Causes Internet
> Outage" instead of "Carrier Security Negligence Causes Internet Outage".
>
> S
>
> Stephen Sprunk        "Stupid people surround themselves with smart
> CCIE #3723             people. Smart people surround themselves with
> K5SSS                  smart people who disagree with them." --Aaron Sorkin

--
Jeff Shultz
A railfan pulls up to a grade crossing hoping that there will be a train.
Re: "Network Card Theft Causes Internet Outage"
The disproportionate reaction doesn't surprise me in the least. I've been
working in industrial fire/rescue within the petrochemical sector since I
left the realm of ISPs. I've seen similar responses as a result of
intoxicated subjects trying to climb facility fences or art-school
students trying to take pictures of refining vessels.

_
Tony Rowley         | "To confine our attention to terrestrial
Lansdowne PA USA    | matters would be to limit the human spirit."
[EMAIL PROTECTED]   | -- Professor Stephen Hawking
Re: "Network Card Theft Causes Internet Outage"
Thus spake "Andy Dills" <[EMAIL PROTECTED]>
> Just in case any of you don't read slashdot:
>
> http://www.eweek.com/article2/0,1759,1583347,00.asp
>
> "Law enforcement officials said four DS-3 cards were reported missing from
> a Manhattan co-location facility owned by Verizon Communications Inc. The
> theft at 240 E. 38th St. occurred just after 10:30 p.m. on Sunday and is
> being investigated by New York City Police and members of the joint
> terrorism task force, according to NYPD spokesman Lt. Brian Burke. "

One must wonder why the headline is "Network Card Theft Causes Internet
Outage" instead of "Carrier Security Negligence Causes Internet Outage".

S

Stephen Sprunk        "Stupid people surround themselves with smart
CCIE #3723             people. Smart people surround themselves with
K5SSS                  smart people who disagree with them." --Aaron Sorkin
RE: FW: Worms versus Bots
On Tue, 4 May 2004, Smith, Donald wrote:
> If you follow these steps outlined by SANS you should be able to
> successfully update and NOT get infected. This is short, easy, fully
> documented (with pictures :)
> http://www.sans.org/rr/papers/index.php?id=1298

The risk is smaller, but still exists if you follow these directions for
XP pre-SP2. See the Microsoft release notes for XP SP2 for details about
the fix. If you do not have XP SP2, you need to disconnect your computer
from the network prior to every boot cycle until it is fully patched.
Re: Worms versus Bots
On Mon, 03 May 2004 13:51:35 -0600 Mike Lewinski <[EMAIL PROTECTED]> wrote:
> Then again, I've seen businesses who had sensitive client financial data
> on compromised systems completely ignore this advice, so it's generally
> given without much hope, esp. where the stakes are lower.

ditto. i have some very specific memories of explaining to a CEO who
should have known better (an ex engineer) why we really needed to "nuke
the servers from orbit, it's the only way to be sure" after an
infestation at a startup some years back.

sigh,
  richard
--
Richard Welty                                         [EMAIL PROTECTED]
Averill Park Networking                                    518-573-7592
    Java, PHP, PostgreSQL, Unix, Linux, IP Network Engineering, Security
Re: "Network Card Theft Causes Internet Outage"
On Tue, 4 May 2004, Andy Dills wrote:

> http://www.eweek.com/article2/0,1759,1583347,00.asp
>
> "Law enforcement officials said four DS-3 cards were reported missing from
> a Manhattan co-location facility owned by Verizon Communications Inc. The
> theft at 240 E. 38th St. occurred just after 10:30 p.m. on Sunday and is

Is this part really surprising to anyone who's got gear in unsupervised
LEC colos where everyone is in open relay racks in a large open space?

> being investigated by New York City Police and members of the joint
> terrorism task force, according to NYPD spokesman Lt. Brian Burke. "

This seems a bit over the top. A couple years ago when we had a part
stolen out of one of our routers in a WCOM colo facility, we couldn't get
the local PD to do jack. A report was filed...but I think they filed it
in the circular file, because nobody ever investigated, despite the fact
that WCOM had just installed a card reader system to replace the simplex
door locks, so in theory, they knew who was in the room when our stuff
was stolen, but they refused to release the info to us. I guess we should
have suggested it was an act of terrorism.

> Trying to fix our terrorism problem like this is like trying to fix the
> spam problem using IP-based blacklists.

No...I'd say it's more like fighting the spam problem with nuclear
weapons...now there's an idea.

--
 Jon Lewis [EMAIL PROTECTED]|  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
RE: FW: Worms versus Bots
If you follow these steps outlined by SANS you should be able to
successfully update and NOT get infected. This is short, easy, fully
documented (with pictures :)
http://www.sans.org/rr/papers/index.php?id=1298

[EMAIL PROTECTED] GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
pgpFingerPrint:9CE4 227B B9B3 601F B500 D076 43F1 0767 AF00 EDCC
kill -13 111.2

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Henry Linneweh
> Sent: Tuesday, May 04, 2004 2:19 AM
> To: Eric Krichbaum; [EMAIL PROTECTED]
> Subject: Re: FW: Worms versus Bots
>
> It is amazingly simple to pull an ethernet cable out of the back of
> your box to update a box from a CD, especially in a suspect environment
> where you have had many problems.
>
> I have had the displeasure of having had to go from box to box and
> clean each individually, and while many problems were stopped by
> Netscreen at the door, we still had to run enterprise protection per
> machine as a second line of defense and separate domains in the company
> for greater protection between the groups.
>
> -Henry
>
> --- Eric Krichbaum <[EMAIL PROTECTED]> wrote:
> >
> > I see times more typically in the 5 - 10 second range to infection. As
> > a test, I unprotected a machine this morning on a single T1 to get a
> > sample. 8 seconds. If you can get in 20 minutes of downloads you're
> > luckier than most.
> >
> > Eric
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of william(at)elan.net
> > Sent: Monday, May 03, 2004 11:49 PM
> > To: Sean Donelan
> > Cc: Rob Thomas; NANOG
> > Subject: Re: Worms versus Bots
> >
> > On Mon, 3 May 2004, Sean Donelan wrote:
> > > On Mon, 3 May 2004, Rob Thomas wrote:
> > > > ] Just because a machine has a bot/worm/virus that didn't come with a
> > > > ] rootkit, doesn't mean that someone else hasn't had their way with it.
> > > >
> > > > Agreed.
> > >
> > > Won't help. What's the first thing people do after re-installing the
> > > operating system (still have all the original CDs and keys and product
> > > activation codes and and and)? Connect to the Internet to download the
> > > patches. Time to download patches 60+ minutes.
> > > Time to infection 5 minutes.
> >
> > It's possible it's a problem on dialup, but in our ISP office I setup new
> > win2000 servers and first thing I do is download all the patches. I've
> > yet to see the server get infected in the 20-30 minutes it takes to
> > finish it (Note: I also disable IIS just in case until everything is
> > patched..).
> >
> > Similarly when setting up computers for several of my relatives (all
> > have dsl) I've yet to see any infection before all updates are
> > installed.
> >
> > Additional to that many users have dsl router or similar device and many
> > such beasts will provide NATed ip block and act like a firewall not
> > allowing outside servers to actually connect to your home computer.
> > On this point it would be really interesting to see what percentage of
> > users actually have these routers and if decreasing speed of infections
> > by new virus (is there real numbers to show it decreased?) have anything
> > to do with this rather than people being more careful and using
> > antivirus.
> >
> > Another option if you're really afraid of infection is to setup proxy
> > that only allows access to microsoft ip block that contains windows
> > update servers
> >
> > And of course, there is an even BETTER OPTION than all the above - STOP
> > USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)
> >
> > > Patches are Microsoft's intellectual property and can not be
> > > distributed by anyone without Microsoft's permission.
> > I don't think this is quite true. Microsoft makes available all patches
> > as individual .exe files. There are quite many of these updates and it's
> > really a pain to actually get all of them and install updates manually.
> > But I've never seen written anywhere that I can not download these .exe
> > files and distribute it inside your company or to your friends as needed
> > to fix the problems these patches are designed for.
> >
> > > The problem with Bots is they aren't always active. That makes them
> > > difficult to find until they do something.
> > As opposed to what, viruses?
> > Not at all! Many viruses have periods when they are active and
> > afterwards they go into "sleep" mode and will not activate until some
> > other date!
> >
> > Additionally bot that does not immediately become active is good thing
> > because if you do weekly or monthly audits (and many do it like that)
> > you may well find it this way and deal with it at your own time, rather
> > than all of a sudden being awakened 3am and having to clean
Re: Worms versus Bots
On Mon, 3 May 2004, william(at)elan.net wrote:

> It's possible it's a problem on dialup, but in our ISP office I setup new
> win2000 servers and first thing I do is download all the patches. I've yet
> to see the server get infected in the 20-30 minutes it takes to finish it
> (Note: I also disable IIS just in case until everything is patched..).

The frequency of scans is such that I'd say you have been lucky. Some
worms also weight scans by IP (i.e. they scan the local /16 more than the
local /8 more than the /0).. in which case if you're a dialup customer
you stand a higher chance of infection

Steve
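Steve's point about scans weighted toward the local /16 and /8 is the same effect Sean Donelan describes in the "Internet addresses are not uniform" thread above: a network telescope that assumes every infected host scans the whole address space uniformly converts the hit rate it sees into an infected-host count, and the conversion is wrong by exactly the bias factor. Marshall Eubanks' Sasser observation adds a second distortion, scans aimed at multicast space that can never reach a host. The following is an added example written for this page, not CAIDA's telescope code or any worm's scanner; the prefixes, host counts, scan rate and the 50/25/25 bias policy are all constructed, and it generalizes the /16-/8-/0 weighting to any table of prefix lengths.

```python
"""Added example: how a locally biased scanner skews a uniform-assumption
network-telescope estimate, and how much scan effort goes to unroutable space."""

import ipaddress
from typing import Dict, Iterable, Tuple

IPV4_SIZE = 2 ** 32
# Hypothetical scanner policy: share of scans aimed at the scanner's own
# /16, its own /8, and the whole address space (prefix length 0).
LOCAL_BIAS: Dict[int, float] = {16: 0.5, 8: 0.25, 0: 0.25}


def overlap(a: ipaddress.IPv4Network, b: ipaddress.IPv4Network) -> int:
    """Addresses common to two prefixes (CIDR blocks nest or are disjoint)."""
    if a.subnet_of(b):
        return a.num_addresses
    if b.subnet_of(a):
        return b.num_addresses
    return 0


def hit_probability(host: str, telescope: str,
                    bias: Dict[int, float] = LOCAL_BIAS) -> float:
    """Probability that one scan from `host` lands inside `telescope`."""
    tele = ipaddress.ip_network(telescope)
    p = 0.0
    for plen, weight in bias.items():
        pool = ipaddress.ip_network(f"{host}/{plen}", strict=False)
        p += weight * overlap(tele, pool) / pool.num_addresses
    return p


def expected_observed_rate(hosts: Iterable[str], telescope: str,
                           scans_per_host: float) -> float:
    """Scans per second the telescope would actually see from these hosts."""
    return sum(scans_per_host * hit_probability(h, telescope) for h in hosts)


def uniform_estimate(observed_rate: float, telescope: str,
                     scans_per_host: float) -> float:
    """Infected-host count inferred under the naive uniform-scanning assumption:
    every host sends scans_per_host * |telescope| / 2^32 hits per second."""
    tele = ipaddress.ip_network(telescope)
    per_host_hits = scans_per_host * tele.num_addresses / IPV4_SIZE
    return observed_rate / per_host_hits


def unroutable_share(targets: Iterable[str]) -> float:
    """Fraction of scan targets in multicast (224/4) or reserved (240/4)
    space, which never reaches a host no matter how many packets are sent."""
    targets = list(targets)
    wasted = sum(1 for t in targets
                 if ipaddress.ip_address(t).is_multicast
                 or ipaddress.ip_address(t).is_reserved)
    return wasted / len(targets)


def skew_demo() -> Tuple[float, int]:
    """Return (naive estimate, true infected count) for a constructed population:
    100 infected hosts in the telescope's /8 and 100 in a different /8."""
    telescope = "203.0.113.0/24"                      # our hypothetical dark /24
    near = [f"203.7.0.{i}" for i in range(100)]       # same /8, different /16
    far = [f"198.51.100.{i}" for i in range(100)]     # different /8
    rate = 100.0                                      # scans/s per host
    seen = expected_observed_rate(near + far, telescope, rate)
    return uniform_estimate(seen, telescope, rate), len(near) + len(far)


if __name__ == "__main__":
    estimate, truth = skew_demo()
    print(f"uniform-assumption estimate: {estimate:.0f} hosts, actual: {truth}")
    print("multicast/reserved share of a constructed target list:",
          unroutable_share(["224.0.0.1", "10.0.0.1", "239.1.2.3", "250.0.0.1"]))
```

With these constructed numbers the naive estimate is 6450 hosts for a true population of 200: the 100 hosts sharing the telescope's /8 contribute most of the hits, and the uniform model credits them to a much larger population spread across the whole Internet. Moving the telescope to a /8 with no infected hosts gives the opposite error. The skew depends on where the telescope sits relative to the infected population, which is Sean's point about ranges scanned every few seconds versus ranges that go weeks between scans.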
RE: Worms versus Bots
True, but this isn't just an XP issue. Look at how many ppl are still
infected with Code Red/Nimda/Slammer/etc. A Windows 2000 box doesn't fare
any better. Heck, I still see Happy99.

Eric

-----Original Message-----
From: Buhrmaster, Gary [mailto:[EMAIL PROTECTED]
Sent: Monday, May 03, 2004 11:28 PM
To: Eric Krichbaum; [EMAIL PROTECTED]
Subject: RE: Worms versus Bots

Microsoft has said Windows XP SP2 will have the firewall turned on by
default, and that they have "considered" reissuing the installation CD's
such that a new installation will have the firewall enabled to deal with
just this problem. I do not know the current state of the consideration,
but to me it seems reasonable that Microsoft should at least make the
offer of a new CD (to anyone who has a valid XP license key?) No, many
people will not request a new CD, but then many people never apply
patches either. I think this is a horse and water problem.

Gary

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of Eric Krichbaum
> Sent: Monday, May 03, 2004 8:13 PM
> To: [EMAIL PROTECTED]
> Subject: FW: Worms versus Bots
>
> I see times more typically in the 5 - 10 second range to infection.
> As a test, I unprotected a machine this morning on a single T1 to get
> a sample. 8 seconds. If you can get in 20 minutes of downloads
> you're luckier than most.
>
> Eric
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of william(at)elan.net
> Sent: Monday, May 03, 2004 11:49 PM
> To: Sean Donelan
> Cc: Rob Thomas; NANOG
> Subject: Re: Worms versus Bots
>
> On Mon, 3 May 2004, Sean Donelan wrote:
> > On Mon, 3 May 2004, Rob Thomas wrote:
> > > ] Just because a machine has a bot/worm/virus that didn't come with a
> > > ] rootkit, doesn't mean that someone else hasn't had their way with it.
> > >
> > > Agreed.
> >
> > Won't help. What's the first thing people do after re-installing the
> > operating system (still have all the original CDs and keys and product
> > activation codes and and and)? Connect to the Internet to download the
> > patches. Time to download patches 60+ minutes.
> > Time to infection 5 minutes.
>
> It's possible it's a problem on dialup, but in our ISP office I setup
> new win2000 servers and first thing I do is download all the patches.
> I've yet to see the server get infected in the 20-30 minutes it takes
> to finish it
> (Note: I also disable IIS just in case until everything is patched..).
>
> Similarly when setting up computers for several of my relatives (all
> have dsl) I've yet to see any infection before all updates are
> installed.
>
> Additional to that many users have dsl router or similar device and
> many such beasts will provide NATed ip block and act like a firewall
> not allowing outside servers to actually connect to your home
> computer.
> On this point it would be really interesting to see what percentage of
> users actually have these routers and if decreasing speed of
> infections by new virus (is there real numbers to show it decreased?)
> have anything to do with this rather than people being more careful
> and using antivirus.
>
> Another option if you're really afraid of infection is to setup proxy
> that only allows access to microsoft ip block that contains windows
> update servers
>
> And of course, there is an even BETTER OPTION than all the above -
> STOP USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)
>
> > Patches are Microsoft's intellectual property and can not be
> > distributed by anyone without Microsoft's permission.
> I don't think this is quite true. Microsoft makes available all
> patches as individual .exe files. There are quite many of these updates
> and it's really a pain to actually get all of them and install updates
> manually.
> But I've never seen written anywhere that I can not download these
> .exe files and distribute it inside your company or to your friends as
> needed to fix the problems these patches are designed for.
>
> > The problem with Bots is they aren't always active. That makes them
> > difficult to find until they do something.
> As opposed to what, viruses?
> Not at all! Many viruses have periods when they are active and
> afterwards they go into "sleep" mode and will not activate until some
> other date!
>
> Additionally bot that does not immediately become active is good thing
> because if you do weekly or monthly audits (and many do it like that)
> you may well find it this way and deal with it at your own time,
> rather than all of a sudden being awakened 3am and having to clean up
> infected system.
>
> --
> William Leibzon
> Elan Networks
> [EMAIL PROTECTED]
Re: BGP Exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Now that the firestorm over implementing Md5 has quieted down a bit, is
> anybody aware of whether the exploit has been used?
> Feel free to reply off list.

Even more interesting, did anyone manage to reproduce it?

- - kurtis -

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQJdXIKarNKXTPFCVEQJKTwCgmyDLv/H3Ho/iaor6RBAx3Mqy3dMAoPiF
rVKmj6c4p/dHGu4I1AFvBH01
=dnJN
-----END PGP SIGNATURE-----
Re: FW: Worms versus Bots
It is amazingly simple to pull an ethernet cable out of the back of your
box to update a box from a CD, especially in a suspect environment where
you have had many problems.

I have had the displeasure of having had to go from box to box and clean
each individually, and while many problems were stopped by Netscreen at
the door, we still had to run enterprise protection per machine as a
second line of defense and separate domains in the company for greater
protection between the groups.

-Henry

--- Eric Krichbaum <[EMAIL PROTECTED]> wrote:
>
> I see times more typically in the 5 - 10 second range to infection. As
> a test, I unprotected a machine this morning on a single T1 to get a
> sample. 8 seconds. If you can get in 20 minutes of downloads you're
> luckier than most.
>
> Eric
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> william(at)elan.net
> Sent: Monday, May 03, 2004 11:49 PM
> To: Sean Donelan
> Cc: Rob Thomas; NANOG
> Subject: Re: Worms versus Bots
>
> On Mon, 3 May 2004, Sean Donelan wrote:
> > On Mon, 3 May 2004, Rob Thomas wrote:
> > > ] Just because a machine has a bot/worm/virus that didn't come with a
> > > ] rootkit, doesn't mean that someone else hasn't had their way with it.
> > >
> > > Agreed.
> >
> > Won't help. What's the first thing people do after re-installing the
> > operating system (still have all the original CDs and keys and product
> > activation codes and and and)? Connect to the Internet to download the
> > patches. Time to download patches 60+ minutes.
> > Time to infection 5 minutes.
>
> It's possible it's a problem on dialup, but in our ISP office I setup new
> win2000 servers and first thing I do is download all the patches. I've
> yet to see the server get infected in the 20-30 minutes it takes to
> finish it
> (Note: I also disable IIS just in case until everything is patched..).
>
> Similarly when setting up computers for several of my relatives (all
> have dsl) I've yet to see any infection before all updates are
> installed.
>
> Additional to that many users have dsl router or similar device and many
> such beasts will provide NATed ip block and act like a firewall not
> allowing outside servers to actually connect to your home computer.
> On this point it would be really interesting to see what percentage of
> users actually have these routers and if decreasing speed of infections
> by new virus (is there real numbers to show it decreased?) have anything
> to do with this rather than people being more careful and using
> antivirus.
>
> Another option if you're really afraid of infection is to setup proxy
> that only allows access to microsoft ip block that contains windows
> update servers
>
> And of course, there is an even BETTER OPTION than all the above - STOP
> USING WINDOWS and switch to Linux or Free(Mac)BSD ! :)
>
> > Patches are Microsoft's intellectual property and can not be
> > distributed by anyone without Microsoft's permission.
> I don't think this is quite true. Microsoft makes available all patches
> as individual .exe files. There are quite many of these updates and it's
> really a pain to actually get all of them and install updates manually.
> But I've never seen written anywhere that I can not download these .exe
> files and distribute it inside your company or to your friends as needed
> to fix the problems these patches are designed for.
>
> > The problem with Bots is they aren't always active. That makes them
> > difficult to find until they do something.
> As opposed to what, viruses?
> Not at all! Many viruses have periods when they are active and
> afterwards they go into "sleep" mode and will not activate until some
> other date!
>
> Additionally bot that does not immediately become active is good thing
> because if you do weekly or monthly audits (and many do it like that)
> you may well find it this way and deal with it at your own time, rather
> than all of a sudden being awakened 3am and having to clean up infected
> system.
>
> --
> William Leibzon
> Elan Networks
> [EMAIL PROTECTED]
RE: Worms versus Bots
Until recently, I believe that Microsoft's download servers were managed
by Akamai.

--
William S. Duncanson
[EMAIL PROTECTED]

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Edward B. Dreger
> Sent: Tuesday, May 04, 2004 2:23
> To: Michel Py
> Cc: william(at)elan.net; Rob Thomas; NANOG
> Subject: RE: Worms versus Bots
>
> MP> Date: Mon, 3 May 2004 20:53:50 -0700
> MP> From: Michel Py
>
> MP> > but in our ISP office I setup new win2000 servers and first
> MP> > thing I do is download all the patches. I've yet to see the
> MP> > server get infected in the 20-30 minutes it takes to finish
> MP>
> MP> It can happen in 5 or 10 minutes (I've seen it) but only if
> MP> all of the following conditions are met simultaneously:
>
> I've not confirmed, but a client told us that some MS patches are
> carried by Akamai.
>
> Eddy
> --
> EverQuick Internet - http://www.everquick.net/
> A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
> Bandwidth, consulting, e-commerce, hosting, and network building
> Phone: +1 785 865 5885 Lawrence and [inter]national
> Phone: +1 316 794 8922 Wichita
> _
> DO NOT send mail to the following addresses :
> [EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
> Sending mail to spambait addresses is a great way to get blocked.
RE: Worms versus Bots
MP> Date: Mon, 3 May 2004 20:53:50 -0700
MP> From: Michel Py

MP> > but in our ISP office I setup new win2000 servers and first
MP> > thing I do is download all the patches. I've yet to see the
MP> > server get infected in the 20-30 minutes it takes to finish
MP>
MP> It can happen in 5 or 10 minutes (I've seen it) but only if
MP> all of the following conditions are met simultaneously:

I've not confirmed, but a client told us that some MS patches are
carried by Akamai.

Eddy
--
EverQuick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
_
DO NOT send mail to the following addresses :
[EMAIL PROTECTED] -or- [EMAIL PROTECTED] -or- [EMAIL PROTECTED]
Sending mail to spambait addresses is a great way to get blocked.