----- Original Message -----
From: "Derek D. Martin" <[EMAIL PROTECTED]>
To: "Rich C" <[EMAIL PROTECTED]>
Cc: "GNHLUG" <[EMAIL PROTECTED]>
Sent: Tuesday, October 02, 2001 2:56 PM
Subject: Re: Website defacement (was: Anti-terrorism bill...)
> Rich, as counterevidence of my statement, you point to one of the
> examples of exceptions that I specifically stated existed. Nimda is
> one of the few exceptions, and as I said it probably could qualify as
> terrorism owing to the scale of the attack and the damage it caused.
> The only problem is that most acts of terrorism have a specific
> target, and it's difficult to say who the target of Nimda was. I
> suppose you could say it was Microsoft...

You could say that...but what was affected? E-commerce; corporations; internet users. Usually what is/are affected is/are the targets.

As far as other viruses go, just because they are not as effective, don't assume that the motivation for using them is different. It has taken us 100 years or so to make the automobile go 200 miles an hour. Some period of development should be required to make virus attacks effective too. It seems that, given our experience with viruses over the last 20 years, they should have LESS of an effect on our overall computing experience, rather than MORE of an effect.

> My systems are "attacked" at least a dozen times a day (and usually
> much more than that), using DoJ's definitions, and the vast majority
> of these attacks are pretty harmless. Virtually all of them are
> rendered harmless by the basic diligence that is the responsibility
> of all sysadmins who manage a publicly accessible computer. No, that
> does not excuse the attackers, but it's just the same as putting
> proper working locks on the doors of your home. Few people will be
> sympathetic to your cause if all your stuff gets stolen and you had no
> locks.

So if someone throws an egg at your window instead of a rock, that excuses them because the attack was "harmless"? An attack is an attack. Attacks come for 2 reasons: either someone is testing your vulnerabilities because you hired them to, or they are doing it to find a way in.
And even if I have no locks on my doors, and somebody steals all my stuff, yeah, you can call me stupid, but the guy who stole my stuff is still a crook. My being stupid doesn't make HIM any less of a crook, except that I can't charge him with "breaking and entering," just "criminal trespass" (I don't know which carries the stiffer penalty.)

> And with those very few exceptions, they're still not tantamount to
> terrorism, and hardly worthy of life in prison.

It would certainly discourage cracking, unlike now where when the cracker gets caught, he has a guaranteed 100K a year security job waiting for him.

> I am still unfailingly bewildered by the overwhelming lack of effort
> to make Microsoft take responsibility for these problems. Ultimately,
> it's their utterly crappy software and their unwillingness to
> re-examine their (lack of a) security model that allowed these attacks
> to be successful.

I agree with you here. But that will be Microsoft's ultimate downfall (reference E-Week's "Securing the Enterprise" Newsletter (email subscription, October 2, 2001 / Volume 1, Issue 15)). The lead article is entitled "Fed up with IIS? Me Too." (Sorry, I couldn't find a link on eweek.com, but I've reproduced it below....hopefully I won't get into trouble :o))

-----[Begin Quote]----
=========================================================
Guarding the E-Gates
=========================================================

FED UP WITH IIS? ME TOO.
-- By Timothy Dyck --

I'm just weary of it all. How many attacks against your Web servers and e-mail inbox does it take? How many companywide e-mails do you need to send warning users not to browse the Web until IT staff can verify that their copies of IE (Internet Explorer) have been patched or have had scripting turned off to guard against Nimda, because IE blithely runs executables that are MIME-typed as sound files? Sigh.
(To read an eWEEK article about how Nimda spreads, click here:)
http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eLKO0DEpgR0E4J0N6Q0AJ

(To read a Microsoft security bulletin on how MIME headers cause IE to execute e-mail attachments, click here:)
http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eLKO0DEpgR0E4J0N6R0AK

It now appears that even those running the very latest IE 6.0 are vulnerable to Nimda in some situations.

(To read incidents.org's coverage of Nimda, click here:)
http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eLKO0DEpgR0E4J0N6S0AL

SHAKE MY HEAD

When I was installing and running the new IIS (Internet Information Services) Lockdown Tool that Microsoft released on Aug. 23, I rechecked my IIS configuration on an external server and noticed that the .printer extension and /Printers folder mapping had somehow been re-enabled. I have no idea how this happened, because I had deleted it. Somewhere, the Windows installer must have restored it as part of some other reconfiguration task. That just made me angry.

I had some grim satisfaction at that point, because although the mapping had been silently restored, it was nonfunctional. I had long ago renamed the directory that the /Printers mapping points toward as "renamed to prevent IIS exploit (printers)" as a warning to other administrators to leave my changes in place. One needs defense in depth not only against crackers but also against one's own software vendor.

Gartner Group analyst John Pescatore recommended shortly after Nimda first hit that "enterprises hit by both Code Red and Nimda immediately investigate alternatives to IIS". At that point, I had to check what Gartner itself uses--iPlanet's Netscape Enterprise 4.1 on Solaris.
(To read a report by Gartner Group's John Pescatore on patching servers to protect against Nimda, click here:)
http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eLKO0DEpgR0E4J0N6T0AM

(To read Netcraft's report on Gartner Group's uptime and statistics, click here:)
http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eLKO0DEpgR0E4J0N6U0AN

That comment has become something of a lightning rod for the ever-growing dissatisfaction of IIS administrators with the product. It's not that IIS can't be kept secure--with enough time, effort and expense, it can be done, and we've done so in eWEEK Labs. But IIS is starting to keep me up at night. Who knows what's next? How much should IT spend on rear-guard actions in the meantime?

Microsoft officials responded to the Gartner statement by saying, "It is a folly to believe that if you switch from one product to another, you are protected."

(To read a ComputerWorld article on Microsoft's response to Gartner Group's criticisms, click here:)
http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eLKO0DEpgR0E4J0N6V0AO

This is an, ahem, uninformed statement. The truth of its converse is exactly why products like OpenBSD are so popular among the security-conscious. Any careful study of IIS' track record shows how wrong Microsoft's claim is. Here's just one proof-point: In an IIS-vs.-Apache HTTP Server security analysis in July, I wrote, "In a default Windows 2000 installation, IIS 5.0 installs with seven externally accessible DLL file extensions accessible through 13 URL mappings, plus FrontPage Server Extensions. Every one of these eight components has had security updates since Windows 2000 was shipped."

(To read eWEEK Labs' security analysis of Apache HTTP Server and IIS, click here:)
http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eLKO0DEpgR0E4J0N6W0AP

Many eWEEK readers use IIS, and we are committed to helping them take the best advantage of the infrastructure they have.
We also will speak clearly about the need to make drastic changes when circumstances demand them. For many, that time has come.

If you administer IIS servers, let me know your strategies for coping. Is manual server-hardening working out? Have you chosen more invasive but also more effective application-level firewalls such as Entercept Security Technologies Inc.'s Entercept and eEye Digital Security Inc.'s SecureIIS? Is switching to some other Web server platform something you're actively investigating? What are the issues keeping you on IIS if switching isn't an option? We'll get the information out in a future eWEEK story.

To e-mail eWEEK Labs West Coast Technical Director Timothy Dyck, click here:
mailto:[EMAIL PROTECTED]
-----[End quote]-----

In the e-commerce/airline terrorism analogy, Microsoft is somewhat like Logan Airport. ;o)

Rich Cloutier
President, C*O
SYSTEM SUPPORT SERVICES
www.sysupport.com

**********************************************************
To unsubscribe from this list, send mail to [EMAIL PROTECTED]
with the following text in the *body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
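The newsletter quoted above complains that IE "blithely runs executables that are MIME-typed as sound files": the client trusted the sender's Content-Type header and picked a handler from it, rather than from what the bytes actually were. The defensive counterpart, at a mail gateway or in a mail client, is to distrust the declared type and sniff the payload. The following is an added example written for this page, not code from the original message, from eWEEK or from any Microsoft tool. It constructs a sample multipart message in the shape the Nimda reports describe (an attachment named readme.exe declared as audio/x-wav), decodes each attachment, compares the declared type against magic bytes, and also flags executable file extensions hiding behind a non-application type. The MZ and RIFF/WAVE signatures are standard; the sample message, the fake PE bytes and the extension list are constructed for the example.

```python
"""Flag e-mail attachments whose declared MIME type contradicts their content.

Added example (not part of the original mailing-list message). The sample
message built by build_sample() is constructed here; the "readme.exe as
audio/x-wav" shape mirrors the Nimda mail vector described in the thread.
"""
import email
from email import policy
from email.message import EmailMessage

# File extensions that a Windows client of the period would hand to the
# shell or script host. Constructed list for this example, not exhaustive.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}


def sniff(payload: bytes) -> str:
    """Return a MIME type guessed from magic bytes, or 'unknown'.

    A PE/DOS executable starts with "MZ"; a WAV file is a RIFF container
    whose form type at offset 8 is "WAVE". Only these two signatures are
    recognised here, which is enough to catch the mismatch in question.
    """
    if payload[:2] == b"MZ":
        return "application/x-msdownload"
    if payload[:4] == b"RIFF" and payload[8:12] == b"WAVE":
        return "audio/x-wav"
    return "unknown"


def audit_message(raw: bytes) -> list:
    """Walk every non-multipart part and report declared/actual conflicts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""   # base64/QP decoded
        declared = part.get_content_type()                # sender-controlled
        actual = sniff(payload)                           # content-derived
        filename = part.get_filename() or ""
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        reasons = []
        if actual != "unknown" and actual != declared:
            reasons.append(f"content looks like {actual}, declared {declared}")
        if ext in EXECUTABLE_EXTENSIONS and not declared.startswith("application/"):
            reasons.append(f"executable extension {ext} declared as {declared}")
        if reasons:
            findings.append({"filename": filename, "declared": declared,
                             "actual": actual, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Construct a two-attachment message: one lying about its type, one honest."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    # Fake PE: an MZ header followed by padding. Not a real program.
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    msg.add_attachment(fake_pe, maintype="audio", subtype="x-wav",
                       filename="readme.exe")
    # Minimal RIFF/WAVE header, declared honestly, for contrast.
    wav = b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + b"\x00" * 24
    msg.add_attachment(wav, maintype="audio", subtype="x-wav",
                       filename="tone.wav")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in audit_message(build_sample()):
        print(finding["filename"], "->", "; ".join(finding["reasons"]))
```

The point of the design is that the declared type is treated as untrusted input and the decision rests on the decoded bytes; a client that did this would not have executed readme.exe as a sound file no matter what the header said. Running the block reports only readme.exe, with both a content mismatch and an extension mismatch, and stays quiet about the honestly declared WAV.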
