Domain: zone-h.org
Stories and comments across the archive that link to zone-h.org.
Comments · 65
-
Re:BloodBR Query
BloodBR @ Zone-H
What an impressive list of websites...
Silly people ... sigh ...
-
Re:3 TIMES!
How hard could it be to install a virus-scanner, proxy server (squid anyone?), and a firewall? Then only leave open necessary ports (25, 110, 443, 80, etc). How come government is given a free pass when it comes to incompetence? If stuff like this happened in the private sector, shareholders would be calling for heads on platters.
Right, that's why vulnerabilities are never reported in commercial software. Oh, wait -- they are.
If you think .gov systems are so insecure, I suggest you pop on over to the zone-h defacement mirror and do some stats on .gov versus .com/.net/.org defacements. The fact is that the U.S. government is not so bad at security as some folks seem to think. Yes, federal employees don't often get fired, but guess what: most IT systems management is done by contractors, who are quite easy to replace.
Also, I have news for you: the techniques you have in mind don't protect you against a huge variety of attacks. Many compromises these days exploit vulnerabilities in vendor-supplied web-based products, which are totally exposed in your rudimentary protection regime. Your ideas about how to protect a network are fine when you've got one /24 under centralized management. The approach you're talking about doesn't work in the real world of trash vendor software. Unfortunately, .gov folks are at the mercy of vendors, and usually much more so than in the private sector because there aren't that many .gov positions for actual programmers, and the wages are often too low to attract people with even a clue about security.
-
Computer virus writers are useful...?
This was a very poignant article - a pseudo interview that offers a unique commentary on the whole virus debate.
==================
Why computer virus writers are useful and we should thank them.
The title is obviously a provocation. I am considered a balanced personality but sometimes, I like to stretch things to the extreme and to provoke reactions. This article is one of my rare attempts to provoke you... or not? Today, after the alarm caused by the fast diffusion of the Sobig virus, we are all talking about the reasons why virus writers are coding more and more viruses.
"They should stop, somebody stop them!" I hear all the time but... is this right?
We try to answer this question with an interview with Professor Samuel D. Forrester, one of the most famous immunologists in the world. Dr. Forrester is in the running this year for the Nobel Prize for his recent discovery of the mechanisms of aggression of over-reacting immune cells and antibodies. He has taught at the Immunology faculty of the Konigsberg University since 1986.
Zone-H: ZH
Professor Samuel D. Forrester: SDF
ZH: Thanks for agreeing to give an interview to Zone-H.
SDF: Thank you, even if it is quite unusual to be interviewed by a computer security website.
ZH: Dr. Forrester, can you tell us what the branch of immunology is?
SDF: Immunology is the study of the complex and sophisticated immune system. The immune system is a network of cells and organs that work together to defend the body against attacks by "foreign" invaders or germs. The body provides an excellent environment for germs. When they do break into a system, it is the immune system's job to keep them out or to seek and destroy them.
ZH: What is the job of the immunologist?
SDF: Clinical immunologists research new tests and treatments involving allergic and immunologic disorders of the immune system. They work with physicians in general practice and in hospital-based specialties to treat diseases using complex and sophisticated clinical techniques. The science of clinical immunology is a fast developing area of the medical profession. The role of the immunologist is increasingly important, both in laboratory work and in patient care.
ZH: Have you heard about the recent Sobig-F virus deployment?
SDF: Yes, I read something in the newspapers. Even if computer science is not my science, the topic of computer viruses is obviously of interest to me. See, traditional immunology and computer viruses have many aspects in common.
ZH: And this is the reason why Zone-H wanted this interview.... Dr. Forrester, what do you think about computer viruses, what do you know about them?
SDF: Computer viruses are exactly like normal viruses. They can kill you if your immune system doesn't work, but at the same time, your body should thank them if your immune system is today capable of protecting you from deadly illnesses.
ZH: Can you please develop the concept?
SDF: It's simple: every time you get a cold, you sneeze. But you could die, actually. The only reason why you don't die is because your immune system has been programmed to react to the "threat" posed by a germ. It's a paradox, but it's the same germ that could kill you that trained your immune system to react when invaded.
ZH: And what makes the difference? How is it possible that a germ can kill you and the same germ can train your immune system making you stronger?
SDF: It's just a matter of doses. Like with wine, one glass every day makes your heart stronger and lowers your blood pressure, one bottle every day can kill you. This is the concept on which vaccines are based.
ZH: We understand that. Can we stretch the concept by saying that a constant flow of germs, if received in the proper dose, actually makes the body stronger?
SDF: Absolutely. If hypothetically we could take two n
-
Re:No...It's FOR federal agencies
This also effectively says "You WILL do it like this" to the federal agencies.
First of all: the word is "shall", and second: no, it doesn't say that at all. It's a guide, and quite clear about it. Recent FISMA requirements are causing CSIRTs to spring up in many government agencies, and the guide was created to assist new CSIRTs in devising procedures and policies that are more or less consistent with best practices. Believe it or not, developing a security program can be a pretty complex task, not only in technical terms, but even more so in terms of acquiring the necessary authority and budget. A document such as this helps acquaint managers with generic practices so they can develop a good team, and so they have some idea of what they're getting into. See for example the paragraphs on morale and cost in section 2.4.2.
To address some of the disparaging nonsense people have posted about .gov IT people: as a member of a .gov incident response team, I can tell you that the U.S. government is well stocked with talented IT people. When it comes to security, too often it is the vendors who provide poorly configured, insecure software to the government. This is one of the major reasons that .gov sites occasionally get hacked*: the .gov folks have to rely on a lot of vendors to provide software, and many of these vendors employ lots of idiots who don't know jack about security. Furthermore, U.S. government sites don't really get hacked all that often, even though they are heavily targeted. I encourage those who think otherwise to compare the statistics over on zone-h.org. (zone-h is down at the time of this posting -- I'm sure they'll be back soon.)
* Yes, I know about "hack" and "crack". It's a language; it changes. Deal with it.
-
What's meant by "server"?
It's a little bit vague, are they talking about "number of domains defaced" or "number of physical machines compromised"? Browse a little at Zone H to get an idea about how this could be misleading.
-
You are clueless
I can't begin to try and understand your logic. Go to http://www.zone-h.org/en/defacements and look at the servers that are getting defaced. It's mostly linux servers. If linux were the "it" OS, there would be tons of people who would be writing viruses saying "Linus, why do you make it so easy!!!1"
-
Re:Truly P2P if SOBIG.G contains the spam message
I am actually more interested in the possible effect of the distributed spamming method as a check on different spam blocking ideas:
An approved sender list is suddenly worthless, as it is someone you know sending the virus/spam.
A checksum/hash stamp method, which requires computing time, would also be rendered useless, since the load would be distributed over all of the client/infected machines.
Outbound filtering would also not do the trick, because as long as someone has the virus, the spam gets sent. Especially in relation to the other article posted today, this type of virus would be essentially unblockable, because it could send plain spam e-mails to those within these "blocked zones" and everyone would be spammed. The idea of herd immunity for viruses also would not apply, since the vector does not need infectable computers to spread the spam! Essentially all computers (99.99%+) would need to be proofed for there to be any real slowdown.
The only method I could think of is a mutilated word recognition check like those used by sites to prevent auto-registrations. (I hope people know what I'm referring to.) This check would have to be done per-email, since otherwise anyone on the approved list would be a potential spammer.
Of course, a method like this would not really work, since it is illegal and traceable, but if you want "viral marketing," it doesn't get better than this!
-
If "Forrester" exists, he's a plagiarist.
Note "Forrester"'s definition of immunology:
Immunology is the study of the complex and sophisticated immune system. The immune system is a network of cells and organs that work together to defend the body against attacks by "foreign" invaders or germs. The body provides an excellent environment for germs. When they do break into a system, it is the immune system's job to keep them out or to seek and destroy them.
Now, see this definition, from the amazingly acronym'd AAAAI, where the I stands for "immunology":
Immunology is the study of the complex and sophisticated immune system. The immune system is a network of cells and organs that work together to defend the body against attacks by "foreign" invaders or germs. Our body is susceptible to invasion from germs. When the germs do break into the body, it is the immune system's job to keep them out or to seek and destroy them.
Dennis G. Jerz
Jerz's Literacy Weblog
-
Article Text
Why computer virus writers are useful and we should thank them.
SyS64738
08/25/2003
The title is obviously a provocation. I am considered a balanced personality but sometimes, I like to stretch things to the extreme and to provoke reactions. This article is one of my rare attempts to provoke you... or not? Today, after the alarm caused by the fast diffusion of the Sobig virus, we are all talking about the reasons why virus writers are coding more and more viruses.
"They should stop, somebody stop them!" I hear all the time but... is this right?
We try to answer this question with an interview with Professor Samuel D. Forrester, one of the most famous immunologists in the world. Dr. Forrester is in the running this year for the Nobel Prize for his recent discovery of the mechanisms of aggression of over-reacting immune cells and antibodies. He has taught at the Immunology faculty of the Konigsberg University since 1986.
Zone-H: ZH
Professor Samuel D. Forrester: SDF
ZH: Thanks for agreeing to give an interview to Zone-H.
SDF: Thank you, even if it is quite unusual to be interviewed by a computer security website.
ZH: Dr. Forrester, can you tell us what the branch of immunology is?
SDF: Immunology is the study of the complex and sophisticated immune system. The immune system is a network of cells and organs that work together to defend the body against attacks by "foreign" invaders or germs. The body provides an excellent environment for germs. When they do break into a system, it is the immune system's job to keep them out or to seek and destroy them.
ZH: What is the job of the immunologist?
SDF: Clinical immunologists research new tests and treatments involving allergic and immunologic disorders of the immune system. They work with physicians in general practice and in hospital-based specialties to treat diseases using complex and sophisticated clinical techniques. The science of clinical immunology is a fast developing area of the medical profession. The role of the immunologist is increasingly important, both in laboratory work and in patient care.
ZH: Have you heard about the recent Sobig-F virus deployment?
SDF: Yes, I read something in the newspapers. Even if computer science is not my science, the topic of computer viruses is obviously of interest to me. See, traditional immunology and computer viruses have many aspects in common.
ZH: And this is the reason why Zone-H wanted this interview.... Dr. Forrester, what do you think about computer viruses, what do you know about them?
SDF: Computer viruses are exactly like normal viruses. They can kill you if your immune system doesn't work, but at the same time, your body should thank them if your immune system is today capable of protecting you from deadly illnesses.
ZH: Can you please develop the concept?
SDF: It's simple: every time you get a cold, you sneeze. But you could die, actually. The only reason why you don't die is because your immune system has been programmed to react to the "threat" posed by a germ. It's a paradox, but it's the same germ that could kill you that trained your immune system to react when invaded.
ZH: And what makes the difference? How is it possible that a germ can kill you and the same germ can train your immune system making you stronger?
SDF: It's just a matter of doses. Like with wine, one glass every day makes your heart stronger and lowers your blood pressure, one bottle every day can kill you. This is the concept on which vaccines are based.
ZH: We understand that. Can we stretch the concept by saying that a constant flow of germs, if received in the proper dose, actually makes the body stronger?
SDF: Absolutely. If hypothetically we could take two newborn twins and put one of them under a glass-dome and the other one straight into the dangers of the real world, guess who would
-
RTFP
According to the given link, 17 out of 17 defacements are Win2K.
How does this reflect badly on Linux?
-
Re:Code defects appear to be a small part of the e
We can't assume Apache and IIS are roughly equivalent in terms of code defects, and we certainly can't make any assumptions on the OS based on the fragmentary information given by Reasoning.
For one, a large number of the "defects" listed by Reasoning are false positives. Such as warning about dereferencing a NULL pointer where the pointer cannot possibly be NULL due to an action on the previous line.
And second, we have no idea what they compared Apache to or how they got ahold of the source code to these mystery commercial offerings. They could be making everything up, and I'm inclined to believe that they are given the reluctance of commercial providers to disclose source code.
The fact is, IIS has a much smaller market share than Apache according to netcraft and is closed-source so attackers can't just read the code... Yet it's broken more often according to Zone-H and more advisories come out for IIS than Apache according to CERT.
Statistically speaking, IIS must have a much higher incidence of severe defects.
Your comment was not insightful. It was misleading.
-
Zone-H Response
Zone-H has released a press release about it. Read it here.
-
Re:But how do you enforce this?
If you don't report a break-in, how is anyone gonna know it happened?
Maybe because the hacker himself might have reported it to zone-h?
-
Linux Leads the way.. IN BEING 0WNED!!!!
44 defacements today, and LINUX boxen are once again the number 1 haxxxored box! Why? Because *NIX is HACKER TOOLZ!!!!
21 single IP; 23 mass defacements
Linux (47.7%)
Win 2000 (29.5%)
Solaris/SunOS (18.2%)
Unknown (2.3%)
IRIX (2.3%)
Hahahahahaahaaaaah fagxorz!