Domain: cert.org
Stories and comments across the archive that link to cert.org.
Comments · 757
-
Perspective
Seems impressive that such a severe exploit has been in popular operating systems for many years - when was NT 4 released? 97?
Let's do some comparisons.
The last big Linux worm out in the wild was slapper. Slapper took advantage of a vulnerability in OpenSSL which was reported on 30 Jul 02. All previous versions of OpenSSL to that date are vulnerable. This includes the SSLeay library on which OpenSSL was based (as a side note - anything based on SSLeay code could also be vulnerable).
According to this version file it looks like SSLeay was first published 01 Apr 95. So using the same rough assumptions on the age of the vulnerable code base, both the Microsoft RPC and OpenSSL buffer overflow vulnerabilities were present for discovery and exploitation in the wild for seven years.
Of course, this is very rough. But it does add a bit of perspective.
If linux had 90+% of the desktop how long would it take for its remote exploits to be taken advantage of?
About how long it takes for them to be exploited now. This Linux marketshare argument tends to ignore the fact that there is already a healthy installation base of Linux servers and systems... and have been for years. And it ignores that Linux does, in fact, have its own history of exploits, worms, rootkits, and other assorted tales. This is not virgin territory to Linux. And the question is not "if".
I've mentioned before that the issue with worms and Windows versus Linux/Unix systems has more to do with architecture and management than market share. Although they are arguably related.
Linux and Unix environments just do not provide the fertile ground worms need to thrive. They have existed... gone through their brief growth... and then died. At least, they do now (nod to the infamous Morris worm). Part of that could be the Unix architecture - the ability to reliably patch and control a system. But a large portion of that is simply because the vast majority of these systems are properly managed.
If / when Linux gains more desktop marketshare, it is almost a given that it will present a more fertile target for malicious code. A lot of Linux architecture tends to lend itself to a less attractive virus haven than the current Windows standard. But desktops just don't get the same attention servers do. And there are, and will likely continue to be, vulnerabilities in the Linux world - no matter how quickly they are fixed. Popular desktops with the occasional exploit and a lack of attention to update them; a more fertile ground for malware.
Keep in mind, though, that this is not just an issue of desktops. Servers still count and are also affected by the likes of Nachi and Blaster (much to the surprise and chagrin of some of our admins). -
Re:Bring it on...
Yeah, because only Windows has known vulnerabilities.
-
Re:Doesn't make any sense..
Two security companies and a publisher (and a regular joe). I'll bet if Foundstone and eEye turned *a lot* of their resources on the linux os/apps or Sun os/apps, we'd see a lot more reports. The reports wouldn't be nearly as visible since Microsoft actually bothers to go out of their way to announce them.
You've got a good point in that Microsoft is not alone in bugs and patches. But I can't agree with the idea that nobody is looking at various *nix flaws. Let's take a look at two good examples.
Remember the Slapper worm? It took advantage of a vulnerability in OpenSSL. This was discovered through a security review under DARPA.
A more recent example was a vulnerability in sendmail published March 03. This one came from the work of ISS.
These are just two examples. There are plenty of other vulnerabilities found in the *nix world accredited to various individuals and large organizations. In short, *nix gets looked at just as hard as Microsoft does.
-
Virus Cost Statistics, Microsoft's DOS Attack
> Every MS virus, worm, and what not does not cause BILLIONS in lost dollars. There are I am sure some cases of actual lost real money, but if they totalled billions I'd be surprised.
So be surprised.
Here are some virus costs from Wired:
Nimda -- $635 million
Code Red -- $2.62 billion
SirCam -- $1.15 billion
Love Bug -- $8.75 billion
While we're looking at statistics, here's another...
According to CERT, the number of reported security incidents grew, starting in 1988, until they hovered at just over two thousand incidents per year from 1994 to 1997.
But then in 1998, the number of incidents started to explode:
1998 -- 3,734
1999 -- 9,859
2000 -- 21,756
2001 -- 52,658
2002 -- 82,094
2003 -- 76,404 (so far)
So what happened in 1998?
Microsoft introduced embedded e-mail scripting in Outlook Express!
Even an idiot could have predicted the consequences.
But why would Microsoft do something that was so clearly incompetent and irresponsible?
The answer can be found in another event that occurred in 1998, namely, the leaked release of the Halloween document. That internal Microsoft document described a strategy for fighting Open Source, as follows:
> OSS projects have been able to gain a foothold in many server applications because of the wide utility of highly commoditized, simple protocols. By extending these protocols and developing new protocols, we can deny OSS projects entry into the market.
So there you have it. The embedded scripting in Outlook Express is just one part of a general Microsoft strategy to decommoditize (i.e. break) Internet protocols.
In other words, these viruses and worms, which are costing us $billions, are just a side effect of MICROSOFT'S EXTENDED DENIAL OF SERVICE ATTACK ON OPEN SOURCE USERS.
If Jeffrey Parson might be going to jail for his denial of service attack (modifying the DDOS Blaster worm), then why not the president of Microsoft? -
Re:nmap scan
FWIW, I notice that he is "mail",
Here's the smtp:
possum@gandalf:~$ telnet mail.sco.com 25
Trying 216.250.130.37...
Connected to mail.sco.com.
Escape character is '^]'.
220 mail.sco.com ESMTP Postfix
Hmmm, according to CERT(R) Advisory CA-2003-07 Remote Buffer Overflow in Sendmail, if they had not patched this, it would be trivial for any script kiddie to exploit.
Now, I don't have access to the logs, but from what I can ascertain from the outside, this is most likely a good hack.... -
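As an added example (not from the comment above), here is the same banner grab done in code rather than by hand in telnet, followed by a check of the reported Sendmail version against the fix level in CERT Advisory CA-2003-07. The 8.12.8 fix level comes from the advisory text, not from this page, and the sample banners are constructed; the first mirrors the Postfix greeting shown above.

```python
"""Fingerprint a mail server from its SMTP greeting and check a Sendmail
banner against the CA-2003-07 fix level.

Added example, not code from the original post. Assumptions not on this
page: CA-2003-07 names Sendmail 8.12.8 as the fixed release; the sample
banners below are constructed.
"""
import re
import socket

FIXED_SENDMAIL = (8, 12, 8)  # fix level per CA-2003-07 (advisory text, not this page)

# "220 host rest-of-greeting"; "220-" introduces a multi-line greeting
BANNER_RE = re.compile(r"^220[ -]\s*(?P<host>\S+)\s*(?P<rest>.*)$")
MTA_RE = re.compile(
    r"(?P<name>Sendmail|Postfix|Exim|qmail)\b\s*(?P<ver>\d+(?:\.\d+)*)?", re.I
)
CANONICAL = {"sendmail": "Sendmail", "postfix": "Postfix", "exim": "Exim", "qmail": "qmail"}


def parse_version(text):
    """'8.12.6' -> (8, 12, 6); tuples compare component-wise."""
    return tuple(int(p) for p in text.split("."))


def assess_banner(banner):
    """Return dict(host, mta, version, sendmail_vulnerable) for a 220 greeting.

    sendmail_vulnerable is True/False only when the banner names Sendmail with
    a version; None means another MTA, or a Sendmail that hides its version.
    The banner is self-reported (admins rewrite it, vendors backport the fix
    under the old version string), so True is a lead, not a verdict.
    """
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    mta = version = vulnerable = None
    v = MTA_RE.search(m["rest"])
    if v:
        mta = CANONICAL[v["name"].lower()]
        if v["ver"]:
            version = parse_version(v["ver"])
        if mta == "Sendmail" and version is not None:
            vulnerable = version < FIXED_SENDMAIL
    return {"host": m["host"], "mta": mta, "version": version,
            "sendmail_vulnerable": vulnerable}


def grab_banner(host, port=25, timeout=5.0):
    """What `telnet host 25` does by hand: connect, read the greeting, QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        first = None
        while True:
            line = f.readline().decode("ascii", "replace").rstrip("\r\n")
            first = line if first is None else first
            if not line or line[3:4] != "-":  # "220-" means more lines follow
                break
        s.sendall(b"QUIT\r\n")
    return first


def check_host(host):
    """Grab and assess in one step; network errors propagate to the caller."""
    return assess_banner(grab_banner(host))


# Constructed sample banners; the first mirrors the posted Postfix greeting.
SAMPLE_BANNERS = [
    "220 mail.example.com ESMTP Postfix",
    "220 mx1.example.com ESMTP Sendmail 8.12.6/8.12.6; Tue, 4 Mar 2003 10:00:00 -0500",
    "220 mx2.example.com ESMTP Sendmail 8.12.9/8.12.9; Tue, 4 Mar 2003 10:00:00 -0500",
    "220 mx3.example.com ESMTP Exim 4.10 Tue, 04 Mar 2003 10:00:00 -0500",
    "220 mx4.example.com ESMTP",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(assess_banner(b))
```

Run `check_host("mail.example.com")` only against a host you are allowed to probe. Treat a True as a lead, not a finding: the greeting is self-reported (Sendmail's SmtpGreetingMessage option rewrites it) and vendors ship backported fixes under the old version string, which is exactly why the commenter above stops at "most likely" without the logs.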
Re:You did not understand the article
It's worse than just staffers, what about programs the company installs by default? Especially when these programs have vulnerabilities, and no auto update feature. This can leave quite a few computers wide open to exploitation.
My roommate's Compaq came preloaded with some support program. I checked on the internet to find out what it was, and it turns out that not only does it give Compaq complete control over his computer, there was an exploit for the thing too, so script kiddies could take over his computer too.
Maybe it's nice for lusers to have this (and he is one) so tech support can fix his computer, but it's a major security risk. What if he had some important and confidential documents/ programs/ whatever on his computer? I wouldn't want my important files messed with or downloaded by some random punk or even supposedly "trusted" tech support people.
He didn't even know what the program was, so obviously he wasn't going to patch it, and you'd have to assume he knew how to find and apply the patches in the first place. I didn't want to dick around with his computer trying to look for some stupid patch, so I just turned it off.
I suppose it doesn't matter on his computer anyway. When he's asked me to fix his computer, I've found all sorts of trojan programs (like the pr0n dialers and crap) installed on his computer. He's too much of a luser to buy a virus scanner for his Windows 98 computer, so I had to show him Housecall. Though I'm sure it doesn't stop all virii (using this plural form to piss off grammar nazis. Anyway "viruseses" sucks)--it just sits on top of Windows.
I don't think this is the same vulnerability. I don't feel like searching for it. This was a long time ago, but I think the problem was a default password and the thing left a port wide open to the internet.
-
Re:Ummm...
please please please PLEASE do not reference wired if you wish to garner any kind of respect.
ok
And I wouldn't be surprised if Longhorn had built-in virus protection. Not only would it make the OS less susceptible to viruses/worms/etc, but it would also be a nice revenue stream for Microsoft (like they'd give away the definitions for free, maybe bundle them with windows patches) And just for the record, the last virus I actually got was the Italian A virus (an old dos virus). -
Re:Damn...
I realize you're probably not entirely serious, but this is definitely the wrong attitude. The flood of virus warnings and bounces caused by Sobig, not to mention all the machines knocked off the Internet by Blaster, shows that a horde of hopelessly insecure machines on the Internet are dangerous to everyone, including those of us with some common sense about security. If one acknowledges that spam costs time and money to deal with, then Sobig is damaging even people who have gone completely uninfected - the virus messages and bounces are every bit as annoying and numerous as spam, albeit easier to filter.
At any rate, although it would be nice to see businesses move away from Windows after this or the next MS "trustworthy computing" fiasco, I doubt it will happen. In my experience, anyway, the MCSE types will probably be more likely to shell out big bucks for a mail filter on their Exchange server (you know, the ones generating all the "YOUR MESSAGE CONTAINS A VIRUS" warnings sent to addresses that Sobig spoofed) than to switch from Windows or even patch it more often. One can always hope, though...
Anyway, even if everyone switched to real OSes, most of them have their share of security problems, too. These types of virus epidemics will probably still be a danger until either the majority of people get a clue about security, or until the majority of OS vendors get a clue about designing systems that are secure by default so the users don't have to work quite as hard to make and keep them safe. -
Re:MS Office Viruses (Re:Common Sense)
A well-known class of Win-Mac viruses are the Microsoft Office macro viruses. MS Office is available for both Windows and Macintosh, and the versions for both platforms accept the same documents and viruses. With so few Mac-specific viruses available, these macro viruses were once the biggest threats to Mac users, but only those who had certain Microsoft programs. Now these viruses are forgotten as newer Office versions protect against macro viruses.
However, even that was actually a potential threat rather than a real one. Viruses are rarely truly portable. The (in)famous Melissa was probably the closest to being a cross-platform virus. It could infect MacOS Office documents, but still it could not affect MS Outlook for MacOS (and thus could not spread further). So yes, theoretically you could write a cross-platform virus that would achieve exactly the same effect on Windows and MacOS (provided that both will have Microsoft Office), but the guys who write this stuff rarely put portability on the top of their priority list. They are really screwed, no question about it, but not that much... -
fp
There is more information on this virus at http://www.cert.org/incident_notes/IN-2003-03.html . -
Re:Some info about the vulnerability
3 days from disclosure to security update is pretty good though.
The SANS report is just a summary of current vulnerabilities. While that issue of the report was published on August 11, the vulnerability itself was first published on July 31. Apple was a bit slow on this one for some reason...
-
Re:the $64,000 question:
Oh, but proftpd has a history of insecurities too.
There's also Pure-FTPd which is secure and GPLed. -
Don't do anything online
Unique passwords to everyplace doesn't mean that the passwords aren't being bypassed. The vendors that supply these websites usually do not provide an indemnification to their customers if the site gets broken into. It also results in more money for the vendors to put their time into installing additional customer sites than to test security patches. Since they have no incentive to take the time to test security patches, they also don't want to take responsibility if the patches break something. I have had times where a remote root exploit has been left unpatched for *MONTHS* because a vendor has told my boss that applying security patches without approval will void support. The vendor then never gets back to provide approval.
A more specific example of this is infiNET solutions QuikPAY. This product is based around TomCat but they only provide support if the server is configured with Apache + mod_jk + mod_ssl. A request has been pending for infiNET to approve upgrading OpenSSL. After an entire year of running with a known root exploit, we still have not received authorization to patch the system without voiding support. At the same time, infiNET continues to get praise by EduCAUSE members. If you are really worried about identity theft such as capturing of credit card information, then feel free to call the 888 number on the press release and ask why they don't provide any indemnification or at least approval to patch known root exploits in connection with their products. -
Re:Windows Update slashdotted?
MBlast synfloods Windows Update once it has been installed. So if you want to get your patch from there, do it soon.
Cert says the SYN attack is not active, yet:
Lab testing has confirmed that the worm includes the ability to launch a TCP SYN flood denial-of-service attack against windowsupdate.com. We are investigating the conditions under which this attack might manifest itself.
However, this could become really nasty for windows users...
-
Proper removal instructions
Luckily, it's an easy one to stop: Download this security update. Once you've installed that patch, go here and download the removal tool."
Not really... there have been several reports that the thing has flogged machines so badly that it might not be even possible to connect to windowsupdate/any other internet site. For proper removal instructions, take a look at CERT's advisory or Trendmicro's KB -
CERT advisory notice....
-
Tell CERT about it
Simple, submit the info of the exploit and fix to CERT and they will take care of the rest.
-
Re:Standards? Ok. Compulsory standards? Not ok.
I always use ALT tags, but you know - I'll keep my nested tables, thanks. I see absolutely no reason to get rid of them when they've been working just fine for years.
Well that's your decision of course, but you are aware you are relying on non-standard behaviour, aren't you? There's nothing in the specifications that require a pixel-perfect representation of a table in the way you expect. That's the fundamental problem with abusing elements that denote meaning, rather than presentation.
What happens when browsers don't render tables the way they always have? The default look of table elements is quite dated now, perhaps browser vendors want to update the look a little. You think no browsers will ever stray from the table-layout tradition? They already have.
Imagine if there were 'security standards' that told you to leave your computer unplugged from the Internet, because it wasn't very secure.
Well CERT already advise switching off client-side scripting in web browsers.
Why should I have to replace my font tags and tables, that have worked absolutely well for *years*, with some new fangled technology that does the same thing?
You don't have to. It's just there are benefits to doing so. And I don't know where you get the idea that HTML does the same thing as CSS, they are completely different languages with completely different goals.
Dude, if you can't change the font of the site you're reading, try using a decent browser - maybe Internet Explorer.
Internet Explorer won't let you alter the font size when the author has specified it in pts or pxs. Doing the proper thing and using relative sizes makes things a lot better for many people. And no, I don't consider having to fiddle with my font settings every time I go to a new site to be pleasant.
Guess what? Plain old 'current' standards like HTML work well with the vast majority of browsers, are attractive, usable, and pretty damned accessible.
CSS 2 is five years old, it's used in many websites, I would describe it as a current, established technology. Whilst HTML-only sites may be attractive, usable, and accessible, this doesn't mean that this is due to the use of HTML, it means that the sites are that way despite this abuse of HTML.
*Why* can't blind reading software handle tables, hmm?
They can. They just do it in a way you don't like, but in a way that is perfectly sensible when faced with properly-authored websites.
-
Re:Just wondering..
TedCheshireAcad asked
If Win2k gets a higher rating than Linux, then why do we have stuff like this happening?
No, it is not odd. It is expected, in fact. Microsoft's rating was for common criteria "CAPP/EAL4". The CAPP part means that the OS provides "a level of protection which is appropriate for an assumed non-hostile and well-managed user community requiring protection against threats of inadvertent or casual attempts to breach the system security". I don't consider the internet to be a non-hostile and well-managed user community, so I'm not the least bit surprised that hostile remote attacks are possible. The evaluations didn't say that it was safe to hang the microsoft box - or the linux one - on the internet.
Isn't it odd that a "comprehensive security rating" can overlook something as serious as a complete remote compromise?
These lower level security evaluations don't mean much in terms of real security out on the big scary internet; i.e. the situation most of us find our machines in all the time. (This has been discussed on slashdot before.) Basically, all that is necessary to get one is that you document *everything* and then throw a pile of money into having a government-approved independent organization evaluate your product and make sure that it does what the documentation says it does. If your product behaves as your documentation says it does, you get the certification. It is worth noting that OpenBSD, who have only had one remote hole in the default installation in seven years, have avoided these types of certifications for a long time. Look at Theo's comments on the C2 rating in the Orange Book (the predecessor of the common criteria.) This is the formal description of EAL4 in the official list of evaluation levels:
EAL4 - methodically designed, tested and reviewed
Notice that the goal is to "retrofit" a product line with security, and only to the degree that doing so is "economically feasible". Compare that with Bruce Schneier's comment that "Security isn't easy, nor is it something that you can bolt onto a product after the fact." No one should be surprised that feature-rich, general purpose operating systems designed for quick and easy use (i.e. everything turned on by default) are vulnerable.
EAL4 permits a developer to maximize assurance gained from positive security engineering based on good commercial development practices. Although rigorous, these practices do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. It is applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs, and are prepared to incur additional security-specific engineering costs.
An EAL4 evaluation provides an analysis supported by the low-level design of the modules of the TOE, and a subset of the implementation. Testing is supported by an independent search for vulnerabilities. Development controls are supported by a life-cycle model, identification of tools, and automated configuration management. -
Re:Just wondering..
If Win2k gets a higher rating than Linux, then why do we have stuff like this happening?
Isn't it odd that a "comprehensive security rating" can overlook something as serious as a complete remote compromise? -
Re:Pretty Bad
Check out CERT, a good site for this stuff. Here's their warning (more info than DHS). A list of what they have to block:
135/TCP
135/UDP
139/TCP
139/UDP
445/TCP
445/UDP
Also, it appears 4444 is being used,
Security Focus's incidents mailing list is also enlightening. And for good measure, a posting on the ineffectiveness of one of MS's patches (as of 29 Jul). -
CERT
They seem to have a lot of the current advisories and stuff here.
-
It's called Survivability
-
Re:Yes, I run Windows!
Look in your apache logs for Code Red probes, his IP is probably there several times.
-
Why they didn't address this
It's even more damning because Adobe just recently upgraded their PDF Reader software from version 5 to version 6, yet have failed to patch this particular problem. You'd think that somewhere among all the features (?) added between two major releases they'd have found time for this.
Working in a software development shop with a corporate attitude, I can understand why this didn't get fixed.
In the statement they issued in response to CERT's advisory on this, they address the issue as an end-user security issue, not a DRM issue. Since they essentially claim it's really not a big deal, their development side probably considers it resolved.
With the arrest and no other obvious targets on the radar, their business & legal side probably also consider it resolved, but probably only because they consider it a case of DMCA violation and not a Big Freaking Hole in their product's DRM functionality. -
Re:relapse
no the incident had nothing to do with rot13
you can read about it here -
Re:Code defects appear to be a small part of the e
We can't assume Apache and IIS are roughly equivalent in terms of code defects, and we certainly can't make any assumptions on the OS based on the fragmentary information given by Reasoning.
For one, a large number of the "defects" listed by Reasoning are false positives. Such as warning about dereferencing a NULL pointer where the pointer cannot possibly be NULL due to an action on the previous line.
And second, we have no idea what they compared Apache to or how they got ahold of the source code to these mystery commercial offerings. They could be making everything up, and I'm inclined to believe that they are given the reluctance of commercial providers to disclose source code.
The fact is, IIS has a much smaller market share than Apache according to netcraft and is closed-source so attackers can't just read the code... Yet it's broken more often according to Zone-H and more advisories come out for IIS than Apache according to CERT.
Statistically speaking, IIS must have a much higher incidence of severe defects.
Your comment was not insightful. It was misleading. -
A couple of comments on what to do in the Future
1) Bookmark this site. This is the first and best place to go when hacked and is a great source of education in general for victims of hacking.
2) You're right about the FBI. They are very limited in their scope of assistance. The only other victims they would take immediate action with are attacks on other State, local or US governmental sites (ie. State Funded Universities, Governmental offices, etc.)
3) Scan your logs on a regular basis.
4) Check this link out. This is the NSA's recommendations on how to hammer down Cisco Routers, Windows 2K, XP, and NT4 Operating systems. These should be used as a guide as following all the steps in this manual would turn your machine(s) into bastion servers.
5) Be Prepared for the ISP not talking to or Working with you on this issue. Prodigy, Qwest, and Sprint used to be and in some cases are REALLY bad at this.
Dolemite
______________________ -
Re:The solution is...
Yeah, leave all your MS apps as they are. That'll work well for "business consistency". Hmm, let's see...
Internet Information Server (IIS)
-
Re:Simply put: I DO
The same argument could be made for preventing you from doing almost anything you don't have to do, regardless of how public spirited.
No - only actions which are in breach of the law.
And in particular, when in the history of this world, has "malicious code [been] deliberately released" as part of an OSS?
Well, OpenSSH was trojaned. But frankly, the frequency of the incidents is pretty much irrelevant. The point is one of principle - is it right for an employee of a company to place it in jeopardy without it having any method of lowering its exposure to liability?
The upside for the company is an increase of good will, which translates into sales.
You're preaching to the converted, reverend! The question isn't whether OSS makes good business sense or not - it does. The question is simply one of whether the company has any right to exercise control over the output of its employees when working on company time - and IMHO it does. I wish that people were honest and wouldn't commit actions which harm others, but our laws are designed for the people we have, not those we'd like to have.
--Ng
-
But can Mozilla ...
But can Mozilla keep up with this?
-
Re:Minor problem
Given that this is a class of attacks, not a specific attack. How does one inform all of the maintainers of every possible vulnerable application, without it becoming known everywhere? The site discusses a half dozen different applications, by dozens of authors.
Easy, The CERT Coordination Center. This is exactly why they exist. Yes, (and I know from prior experience), the are a PAIN to deal with, and they WILL take longer than seems reasonable to coordinate disclosure and release, but they WILL do it an a responsible manner. -
Re:snort is the weakest link
Practically beta code.....
Then I wonder what you have to say about the end of this advisory from CERT. Note at the bottom when it says:
Snort 2.0 has undergone an external third party professional security audit funded by Sourcefire.
-
Re:Correction re: Slammer
Oops. I was afraid I'd mess that up. (Was typing from memory.) SQL Slammer was the big one, but there was a follow-up attack that used the other port and other protocol, but I forget how that worked.
The SQL Slammer worm (I thought it was 3 tries in a row, but not in today's logs):
May 29 16:03:10 (myhostname) kernel: Packet log: input DENY eth0 PROTO=17 66.108.147.93:1339 xxx.xxx.xxx.xxx:1434 L=404 S=0x00 I=62109 F=0x0000 T=110 (#12)
Here's the TCP 1433 one. (Aha, this was Spida.) This may be the 3-in-a-row one, but I was filling my pipe today with BitTorrents of Knoppix 3.2 (deleted it; d'oh!) and ClusterKnoppix so some packets probably dropped:
May 29 07:33:46 (myhostname) kernel: Packet log: input DENY eth0 PROTO=6 200.56.97.98:5612 xxx.xxx.xxx.xxx:1433 L=48 S=0x00 I=37032 F=0x4000 T=114 SYN (#11)
May 29 07:33:49 (myhostname) kernel: Packet log: input DENY eth0 PROTO=6 200.56.97.98:5612 xxx.xxx.xxx.xxx:1433 L=48 S=0x00 I=37117 F=0x4000 T=114 SYN (#11)
(These are syslog messages logged by ipchains rules.)
While I'm blabbering on, here are Apache log examples of Code Red and Nimda. (Code red intentionally changed so I'm not posting virus code.)
66.73.162.229 - - [29/May/2003:16:38:29 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%ublah-blah-blah-url-encoded-code-red-worm---%u0000%u00=a HTTP/1.0" 404 205
Here's Nimda, although I haven't had it since Monday oddly enough. (Then again, Apache's been killed by the VM daily because I goofed up the swap file and didn't figure it out until today.)
66.36.142.101 - - [26/May/2003:17:14:20 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
66.36.142.101 - - [26/May/2003:17:14:21 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
66.36.142.101 - - [26/May/2003:17:14:21 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
66.36.142.101 - - [26/May/2003:17:14:22 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
66.36.142.101 - - [26/May/2003:17:14:22 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
66.36.142.101 - - [26/May/2003:17:14:22 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
66.36.142.101 - - [26/May/2003:17:14:23 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 249
66.36.142.101 - - [26/May/2003:17:14:23 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265
66.36.142.101 - - [26/May/2003:17:14:23 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
66.36.142.101 - - [26/May/2003:17:14:24 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
66.36.142.101 - - [26/May/2003:17:14:24 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
66.36.142.101 - - [26/May/2003:17:14:28 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
66.36.142.101 - - [26/May/2003:17:14:28 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
66.36.142.101 - - [26/May/2003:17:14:29 -0500] "GET /scripts/..%%35c../winnt/system3 -
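As an added example (not part of the post above), here is a small Python script that does the classification the poster is doing by eye. It parses ipchains "Packet log:" syslog lines and Apache access-log lines in the formats quoted above, maps 1434/UDP and 1433/TCP probes to Slammer and Spida, recognizes Code Red's /default.ida request and Nimda's root.exe and cmd.exe traversal probes (including the double-encoded %255c and %%35%63 forms), and reports whether any probe got a 2xx instead of the 404/400 an Apache box returns. It goes one step beyond the post: the port table also carries Blaster's 135/TCP and 4444/TCP from the port list posted elsewhere in this thread. The sample lines are constructed in the posted formats with RFC 5737 addresses.

```python
"""Classify worm probes in ipchains syslog lines and Apache access-log lines.

Added example, not code from the original post. Formats follow the lines
quoted above; sample lines are constructed. The port table extends the
post's 1434/UDP and 1433/TCP with Blaster's 135/TCP and 4444/TCP from the
port list posted elsewhere in this thread.
"""
import re
from collections import Counter
from urllib.parse import unquote

# ipchains "Packet log:" syslog format
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\w.]+):(?P<dport>\d+)"
)

# Apache common log format: host ident user [time] "method path proto" status bytes
APACHE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# (IP protocol number, destination port) -> worm family
PORT_SIGNATURES = {
    (17, 1434): "SQL Slammer",            # UDP, MS SQL resolution service
    (6, 1433): "Spida",                   # TCP, MS SQL Server
    (6, 135): "Blaster (RPC DCOM)",       # from the port list in this thread
    (6, 4444): "Blaster (backdoor shell)",
}


def classify_ipchains(line):
    """Return (source IP, worm family or None), or None if not a packet-log line."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    return m["src"], PORT_SIGNATURES.get((int(m["proto"]), int(m["dport"])))


def decode_twice(path):
    """Undo Nimda's double URL-encoding: %255c -> %5c -> backslash."""
    return unquote(unquote(path))


def classify_apache(line):
    """Return a dict describing the request, or None if the line does not parse.

    'hit' is True when a worm probe got a 2xx, i.e. the server served it;
    an Apache host answers these with 404/400 and 'hit' stays False.
    """
    m = APACHE_RE.match(line)
    if not m:
        return None
    raw = m["path"].lower()
    decoded = decode_twice(raw).replace("\\", "/")
    worm = None
    if raw.startswith("/default.ida?"):
        worm = "Code Red"    # IIS .ida ISAPI overflow probe
    elif "cmd.exe" in decoded or "root.exe" in decoded:
        worm = "Nimda"       # root.exe backdoor, then cmd.exe via traversal
    status = int(m["status"])
    return {
        "src": m["src"],
        "worm": worm,
        "status": status,
        "traversal": worm == "Nimda" and ".." in decoded,
        "hit": worm is not None and 200 <= status < 300,
    }


def summarize(syslog_lines, access_lines):
    """Count probes per worm family, collect probing sources, list any 2xx hits."""
    counts, sources, hits = Counter(), set(), []
    for line in syslog_lines:
        r = classify_ipchains(line)
        if r and r[1]:
            counts[r[1]] += 1
            sources.add(r[0])
    for line in access_lines:
        r = classify_apache(line)
        if r and r["worm"]:
            counts[r["worm"]] += 1
            sources.add(r["src"])
            if r["hit"]:
                hits.append(line)
    return counts, sources, hits


# Constructed sample input in the formats quoted above (not the poster's data).
SAMPLE_SYSLOG = [
    "May 29 16:03:10 gw kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.0.2.10:1339 198.51.100.5:1434 L=404 S=0x00 I=62109 F=0x0000 T=110 (#12)",
    "May 29 07:33:46 gw kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.20:5612 198.51.100.5:1433 L=48 S=0x00 I=37032 F=0x4000 T=114 SYN (#11)",
    "May 29 07:33:49 gw kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.20:5612 198.51.100.5:1433 L=48 S=0x00 I=37117 F=0x4000 T=114 SYN (#11)",
    "May 29 08:00:00 gw kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.30:1029 198.51.100.5:135 L=48 S=0x00 I=1 F=0x4000 T=120 SYN (#11)",
]

SAMPLE_ACCESS = [
    '192.0.2.40 - - [29/May/2003:16:38:29 -0500] "GET /default.ida?XXXXXXXXXXXXXXXX%u0000%u00=a HTTP/1.0" 404 205',
    '192.0.2.50 - - [26/May/2003:17:14:20 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '192.0.2.50 - - [26/May/2003:17:14:22 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232',
    '192.0.2.50 - - [26/May/2003:17:14:24 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231',
    '192.0.2.50 - - [26/May/2003:17:14:28 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215',
    '192.0.2.60 - - [26/May/2003:18:00:00 -0500] "GET /index.html HTTP/1.0" 200 1043',
]

if __name__ == "__main__":
    counts, sources, hits = summarize(SAMPLE_SYSLOG, SAMPLE_ACCESS)
    for worm, n in counts.most_common():
        print(f"{n:3d}  {worm}")
    print("probing hosts:", ", ".join(sorted(sources)))
    print("probes answered 2xx:", len(hits))
```

On a non-IIS host the useful signal is the status column: every one of these should be a 404 or 400. A 200 against a cmd.exe or default.ida request means the server handled the request rather than rejecting it, and that host needs a closer look than its access log.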
Re:Correction re: Slammer
Oops. I was afraid I'd mess that up. (Was typing from memory.) SQL Slammer was the big one, but there was a follow-up attack that used the other port and other protocol, but I forget how that worked.
The SQL Slammer worm (I thought it was 3 tries in a row, but not in today's logs):
May 29 16:03:10 (myhostname) kernel: Packet log: input DENY eth0 PROTO=17 66.108.147.93:1339 xxx.xxx.xxx.xxx:1434 L=404 S=0x00 I=62109 F=0x0000 T=110 (#12)
Here's the TCP 1433 one. (Aha, this was Spida.) This may be the 3-in-a-row one, but I was filling my pipe today with BitTorrents of Knoppix 3.2 (deleted it; d'oh!) and ClusterKnoppix so some packets probably dropped:
May 29 07:33:46 (myhostname) kernel: Packet log: input DENY eth0 PROTO=6 200.56.97.98:5612 xxx.xxx.xxx.xxx:1433 L=48 S=0x00 I=37032 F=0x4000 T=114 SYN (#11)
May 29 07:33:49 (myhostname) kernel: Packet log: input DENY eth0 PROTO=6 200.56.97.98:5612 xxx.xxx.xxx.xxx:1433 L=48 S=0x00 I=37117 F=0x4000 T=114 SYN (#11)
(These are syslog messages logged by ipchains rules.)
While I'm blabbering on, here are Apache log examples of Code Red and Nimda. (Code red intentionally changed so I'm not posting virus code.)
66.73.162.229 - - [29/May/2003:16:38:29 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%ublah-blah-b lah-url-encoded-code-red-worm---%u0000%u00=a HTTP/1.0" 404 205
Here's Nimda, although I haven't had it since Monday oddly enough. (Then again, Apache's been killed by the VM daily because I goofed up the swap file and didn't figure it out until today.)
66.36.142.101 - - [26/May/2003:17:14:20 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
66.36.142.101 - - [26/May/2003:17:14:21 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 208
66.36.142.101 - - [26/May/2003:17:14:21 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
66.36.142.101 - - [26/May/2003:17:14:22 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 218
66.36.142.101 - - [26/May/2003:17:14:22 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232
66.36.142.101 - - [26/May/2003:17:14:22 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 249
66.36.142.101 - - [26/May/2003:17:14:23 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/syst em32/cmd.exe?/c+dir HTTP/1.0" 404 249
66.36.142.101 - - [26/May/2003:17:14:23 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c 1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 265
66.36.142.101 - - [26/May/2003:17:14:23 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
66.36.142.101 - - [26/May/2003:17:14:24 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
66.36.142.101 - - [26/May/2003:17:14:24 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
66.36.142.101 - - [26/May/2003:17:14:28 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231
66.36.142.101 - - [26/May/2003:17:14:28 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 215
66.36.142.101 - - [26/May/2003:17:14:29 -0500] "GET /scripts/..%%35c../winnt/system3 -
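As an added example (not part of the comment above, and not anybody's production code), here is a Python script that parses both log formats shown in that comment, the ipchains "Packet log:" syslog lines and the Apache access-log lines, and tags each probe. The interesting part is the decoder: the Nimda requests above carry "..%255c.." (a double-encoded backslash) and "..%c0%af.." / "..%c1%1c.." (overlong or malformed two-byte sequences for "/" and "\"), and a traversal check that runs on the raw or once-decoded path sees nothing. The lax_decode function below is a model of that lenient decoding, written for illustration and not taken from any server's code. The sample lines are constructed, with documentation-range addresses, and the Slammer length check uses the fact that the worm is one 376-byte UDP datagram.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines modelled on the ones in the comment above (worm payload
# bytes omitted, addresses replaced with documentation ranges); not real captures.
SAMPLE_LINES = [
    '198.51.100.7 - - [26/May/2003:17:14:20 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
    '198.51.100.7 - - [26/May/2003:17:14:22 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 232',
    '198.51.100.7 - - [26/May/2003:17:14:23 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231',
    '198.51.100.7 - - [26/May/2003:17:14:24 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 231',
    '198.51.100.9 - - [29/May/2003:16:38:29 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u0000%u00=a HTTP/1.0" 404 205',
    '192.0.2.44 - - [29/May/2003:16:40:00 -0500] "GET /index.html HTTP/1.0" 200 1043',
    'May 29 16:03:10 myhost kernel: Packet log: input DENY eth0 PROTO=17 203.0.113.9:1339 192.0.2.10:1434 L=404 S=0x00 I=62109 F=0x0000 T=110 (#12)',
    'May 29 07:33:46 myhost kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.21:5612 192.0.2.10:1433 L=48 S=0x00 I=37032 F=0x4000 T=114 SYN (#11)',
]

APACHE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# ipchains syslog format: chain, target, interface, PROTO=, src:port, dst:port, L=total IP length
IPCHAINS_RE = re.compile(
    r'Packet log: \S+ \S+ \S+ PROTO=(?P<proto>\d+) (?P<src>[\d.]+):\d+ [\d.]+:(?P<dport>\d+) L=(?P<length>\d+)')


def single_decode(path):
    """One pass of percent-decoding, as a conforming server does."""
    return unquote_to_bytes(path).decode('latin-1')


def lax_decode(path):
    """Model of the lenient decoding the traversal probes above rely on (an assumption
    for illustration, not any server's real code). Two things make them work:
    - decoding twice, so '%255c' -> '%5c' -> '\\';
    - folding a 0xC0-0xDF lead byte with the next byte using only the low bits of each,
      so the overlong/malformed pairs %c0%af, %c0%2f, %c1%1c and %c1%9c become '/' or '\\'.
    A check for '../' done before this decoding sees nothing suspicious."""
    raw = unquote_to_bytes(unquote_to_bytes(path))
    out, i = bytearray(), 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            v = ((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)
            if v < 0x80:          # pair decodes to ASCII: accept it (this is the flaw)
                out.append(v)
                i += 2
                continue
        out.append(b)
        i += 1
    return out.decode('latin-1')


def classify(line):
    """Return (source_ip, tag) for a recognised worm probe, or None for anything else."""
    m = APACHE_RE.match(line)
    if m:
        src = m['src']
        path = lax_decode(m['path']).replace('\\', '/').lower()
        target = path.split('?', 1)[0]
        if path.startswith('/default.ida?'):
            return src, 'code-red-ida-overflow'
        if '/../' in path and target.endswith('/cmd.exe'):
            return src, 'nimda-traversal-cmd.exe'
        if target.endswith('/root.exe'):
            return src, 'nimda-root.exe-backdoor'
        return None
    m = IPCHAINS_RE.search(line)
    if m:
        src, proto, dport, length = m['src'], m['proto'], int(m['dport']), int(m['length'])
        if proto == '17' and dport == 1434:
            # Slammer is one 376-byte UDP datagram: 20 (IP) + 8 (UDP) + 376 = 404
            return src, 'slammer' if length == 404 else 'udp-1434-probe'
        if proto == '6' and dport == 1433:
            return src, 'mssql-tcp-1433-scan'
    return None


def scan(lines):
    """Tag every recognised probe in an iterable of mixed Apache/ipchains lines."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == '__main__':
    for src, tag in scan(SAMPLE_LINES):
        print(f'{src:15} {tag}')
```

Feed it real files with `scan(open('/var/log/httpd/access_log'))` or a syslog file; the two regexes never both match one line, so the formats can be mixed. The point of keeping single_decode next to lax_decode is that the same "..%255c.." request looks harmless after one decode and is an obvious "../../winnt/system32/cmd.exe" after the lenient one, which is why canonicalising a path fully before any security check matters.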
Re:Snort, Tripwire, Etc...
They pose no risk to you and only benefit the user.
I wouldn't go so far as to say it's "risk free"! Any software tool will require some degree of maintenance and vigilance (e.g. chroot, no IP, etc.). -
Re:Teach yourself iptables
I use Snort (well, HenWen actually...) and it works great as a NIDS. However, if you use Snort be sure you have a more recent version (Version 2 RC1 or above) as prior versions have a vulnerability that may allow users to run arbitrary code as root, thereby negating your security in the first place.
-
A few resources...
There is actually a 3-part Cryptography course (the 1st part of which is merely entitled, "Network Security") that I intend to take the second two parts of pretty soon here.
Since timing will not allow me to take the entire sequence, I'm covering the material of the first course on my own.
To that end, a few resources:
[the following presumes a background in network engineering, the protocols, etc.; it also presumes some number theory but most of that is covered as needed]
1. For starters: Charles & Shari Pfleeger's Security in Computing, 2nd Edition -- this is a nice, intro text for high level (a) security, (b) encryption, (c) OS security, (d) DB security
2. Then move onto more specific texts, i.e. Silberschatz's Operating Systems Concepts, 6th Edition -- this provides a much more detailed look into OS security -- mechanisms/policies/implementations etc.
3. Then there are a couple worthwhile Cryptography only texts: (a) Schneier's Applied Cryptography, (b) Menezes' Handbook of Applied Cryptography
4. Then there is a good course website for the course I referred to, the 1st in the series of three that also has downloadable handouts as well as some coding projects that you could do independently, providing an enviro
5. Finally, I'd suggest a subscription to the Counterpane Crypto-Gram newsletter -- found at this link. Also, checking out this site periodically or perusing it somewhat in-depth will give you far more visibility into day-to-day threats. -
getting started
If you want to get started, start by securing your home Internet connection. This will benefit you and the Internet community in general. I have a page with some information on home broadband security.
When you move to security in a business environment, in my opinion you need to frame security as a tool for risk management. CERT provides good information on handling security professionally, including their book The CERT Guide to System and Network Security Practices and a large collection of Articles, reports and papers.
Information Security Magazine will give you a sense of where the infosec business is going. On the academic side there's the new IEEE Security and Privacy Magazine and the IEEE Computer Society Technical Committee on Security and Privacy. Also on the academic side there are the more established journals from compsec online.
-
Materials to start with
Try "Network Intrusion Detection: An Analyst's Handbook" by Stephen Northcutt.
"Know your Enemy" from the Honeynet Project
Experiment with the following programs:
Snort
Ethereal
IPTables
TcpDump/LibPcap
Follow articles/join mailing lists at:
CERT
Securityfocus
Examine analysis of the Scan of the Month Challenge at the Honeynet Project website.
Get yourself CISSP reference texts and generally increase your knowledge. I believe Cisco now has a few security-based certifications as well, YMMV. -
Re:Whatever.
Well, yes, I remember hearing about Firebird - here on Slashdot, no less, because it had a backdoor superuser account ( from back when it was the closed source 'Inprise' DB ) that nobody noticed for ages - despite the fact the source had been opened since the 25th of July, 2000. ( Vulnerability was published December, 2001 ). Citation.
"Many Eyes" indeed.
-
Good Golly, it's simple common sense...
- Only allow those ports that are absolutely necessary - i.e. HTTP, FTP, SMTP,...
- Review log files daily. Make it part of your religion. Log files. Review. Daily.
- Err on the side of being too restrictive.
- Review log files daily. Make it part of your religion. Log files. Review. Daily.
- Absolutely keep up to date with your virus signatures and patches for your workstations and servers.
- Review log files daily. Make it part of your religion. Log files. Review. Daily.
- Find a few quality security web sites (securityfocus.com, cert and others - check out DMOZ for a nice list of links...) and put them on your daily visit list. Make sure to go to several sites daily and use them to triangulate on what's relevant and important.
- Review log files daily. Make it part of your religion. Log files. Review. Daily.
- Visit the IT Security Cookbook and enjoy!!!
- Review log files daily. Make it part of your religion. Log files. Review. Daily.
- If you're running a web server on your network, check out the open web application security project. The OWASP Top 10 is a great tool to get you to think about how your web sites can be made more secure
- Review log files daily. Make it part of your religion. Log files. Review. Daily.
- Know that you're not ever going to secure everything 100%, but if you make security one of your daily duties and take a proactive approach to security instead of a reactive approach, you'll do better than 99% of the networks out there. Just be diligent, use common sense and stay on top of patches/updates and you'll be fine.
- Review log files daily. Make it part of your religion. Log files. Review. Daily.
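The first item and the recurring one above (open only the ports you need; review the logs every day) as an added example, not part of the comment and not any project's code: a small Python module that emits a default-deny iptables-restore ruleset for a given list of inbound TCP services, with a rate-limited LOG rule so everything that is refused ends up in syslog, and a function that turns a day's worth of those LOG lines into counts per port and per source. It assumes Linux iptables with the state, limit and LOG modules; the "fw-deny: " prefix, the 5/min limit and the sample syslog lines are illustrative choices, and the sample lines are constructed with documentation addresses.

```python
import re
from collections import Counter


def build_rules(tcp_ports):
    """Return iptables-restore text for a default-deny INPUT chain that admits only
    the given inbound TCP ports and logs (rate-limited) everything else before the
    chain policy drops it. If FTP (21) is on the list, the data connections need the
    conntrack FTP helper (ip_conntrack_ftp / nf_conntrack_ftp) loaded for RELATED to match."""
    rules = [
        '*filter',
        ':INPUT DROP [0:0]',
        ':FORWARD DROP [0:0]',
        ':OUTPUT ACCEPT [0:0]',
        '-A INPUT -i lo -j ACCEPT',
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT',
        '-A INPUT -m state --state INVALID -j DROP',
    ]
    for port in sorted({int(p) for p in tcp_ports}):
        if not 0 < port < 65536:
            raise ValueError(f'invalid TCP port: {port!r}')
        rules.append(f'-A INPUT -p tcp --dport {port} -m state --state NEW -j ACCEPT')
    # LOG is non-terminating; the packet then falls through to the DROP policy.
    # The limit keeps a scanning worm from filling syslog.
    rules.append('-A INPUT -m limit --limit 5/min --limit-burst 10 '
                 '-j LOG --log-prefix "fw-deny: " --log-level 4')
    rules.append('COMMIT')
    return '\n'.join(rules) + '\n'


# Fields the LOG target writes; ICMP lines carry no DPT and are skipped on purpose.
DENY_RE = re.compile(r'fw-deny: .*?SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dport>\d+)')


def summarize_denies(syslog_lines):
    """Count logged denials per (proto, dport) and per source address."""
    by_port, by_src = Counter(), Counter()
    for line in syslog_lines:
        m = DENY_RE.search(line)
        if m:
            by_port[(m['proto'], int(m['dport']))] += 1
            by_src[m['src']] += 1
    return by_port, by_src


# Constructed syslog lines in the LOG target's format (documentation addresses, not real traffic).
SAMPLE_DENIES = [
    'May 29 07:33:46 myhost kernel: fw-deny: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 TTL=114 ID=37032 DF PROTO=TCP SPT=5612 DPT=1433 SYN',
    'May 29 07:33:49 myhost kernel: fw-deny: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=48 TTL=114 ID=37117 DF PROTO=TCP SPT=5612 DPT=1433 SYN',
    'May 29 16:03:10 myhost kernel: fw-deny: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=404 TTL=110 ID=62109 PROTO=UDP SPT=1339 DPT=1434 LEN=384',
    'May 29 16:05:00 myhost kernel: fw-deny: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TTL=56 ID=1 PROTO=ICMP TYPE=8 CODE=0',
]

if __name__ == '__main__':
    # Print the ruleset; load it with:  python3 fw.py | iptables-restore
    print(build_rules([80, 21, 25]), end='')
```

For the daily review, `by_port, by_src = summarize_denies(open('/var/log/messages'))` and then `by_port.most_common()` gives the ports being probed and `by_src.most_common()` the hosts doing it; a new port suddenly at the top of that list is usually the first sign of a worm like the ones in the logs earlier on this page.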