HomeSec Warns Again About Microsoft's Insecurity
cbrandtbuffalo writes "The Department of Homeland Security has posted this advisory about an impending attack on MS systems. This RPC attack has already been seen in some localized systems, but may spread as unpatched computers are exploited. Some of the national news like CNN are running stories too."
The security people at my office were talking about this vulnerability yesterday in our monthly meeting, they were saying it is likely going to be worse than slammer/code red/etc (which the article seems to back up)... Do you guys think this is that serious of a threat? A lot of what they were saying sounded like worst case scenario kind of stuff, hopefully it will not be that large of an issue. One interesting thing that the security people mentioned, that the article doesn't, is that windows 98/windows 98se is vulnerable but Microsoft has not released a patch because they no longer support the product.
Visualize the world of wine
This is turning out to be a huge problem, we got the exploit a bit *cough*early*cough* and by simply joining a channel on IRC you get a handful of IPs, of which at least a few are exploitable. And then they wonder why there are thousands of DDoS zombie machines running Windows!
But there's another problem, a lot of people are starting to distrust microsoft and are turning off the automatic update / not getting service packs instead of switching to another operating system.
2 years / millions of dollars and the Homeland Security people tell me that people like to attack Microsoft Products.
I'm glad I pay all those taxes!
-- Disclaimer: I can't really back up anything I post on
If we can get them to arrest the board of MS directors, including Bill Gates, and treat them as POWs, that would help things considerably.
"We are all geniuses when we dream"
- E.M. Cioran
My friend works at MIT's network security. From Wednesday to Thursday their compromise rate went from 3 computers an hour to 30. Right now they're just blocking the RPC port, but the routers are starting to take some heavy traffic. Looks like this one is going to be pretty bad.
ThunderBird. Nuff said.
Could we not go around referring to The Department of Homeland Security as HomeSec? The last thing we need is /. popularizing a cool sounding name for this behemoth.
If we need to refer to it then use the initial letters of its name... DoHs.
Somehow appropriate when they put out warnings like the last one.
John.
Sounds more like The Department of Homeland in-security :)
Joking aside I find the US media's "fear hyping" to be outrageous.
"It could happen to you" Is a major catch phrase for the US media, and they are not talking about winning the lottery.
After all, they're giving Microsoft $90 million to run their computers.
wonder how they (DoHS) are feeling about their OS investment already? :)
Dear toilet user!
i could have sworn that 2 weeks ago, here on this very same slashdot....there was a story about HomeLand Security securing a very large purchase from Microsoft....aka 100 million, or some outrageous number like that..
isn't this a bit irresponsible of them, now that they are declaring Windows a vulnerability?
We're like rats, in some experiment! -- George Costanza
Microsoft is now officially a threat to Homeland Security. Maybe George should drop some bombs on Redmond! We know where they are and they keep putting out a product that threatens our security. Oh wait, the government saw fit to give them a slap on the wrist and turn around and contracted even more unsafe software from them. They'll undoubtedly be mentioned in future hindsight publications from congress but on blanked out pages for national security reasons. That's what we do for "friends".
Ugh.
Wilersh
On the DHS alert color code, blue means "guarded", just one notch lower than the alert level the USA have been living in for the last few months (with occasional orange flares). Should this color be reconsidered in sight of the well known Blue Screen of Death?
Along those lines, since most of the design flaws are downplayed for weeks/months/years after exploits are found. Apple, RedHat and SuSe have a good lead time to prepare switch campaigns.
I'm sure a dollar value can be put on the peace of mind and increased productivity that goes with moving to a better workstation platform.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Patch your stuff and for goodness sake put up a firewall! RPC port open to the world? Why?!
It's time the government started to realize its own linux version has been developed to preclude vulnerabilities such as these that are caused mostly by sloppy programming.
Of those to whom much is given, much is required.
A well engineered worm would:
Work on many different systems.
Use more than one security flaw. (spread by email, + kazaa, + IE hole, + sendmail hole)
Patch that flaw once compromised, and open a separate hole
Have at least two different attack modes (slow and quiet on local subnets, fast and hard on the whole internet)
Build up to critical mass before initiating fast attack mode.
Attempt to hide itself from scans. (maybe randomly stop functioning for a while to offer false sense of security)
Adjust its fingerprint so that it isn't simple to find computers which have the worm (use different ports, different protocols, send some different data when filling buffers etc)
Offer a payload that makes patching difficult, goes after security websites that often offer patches, targets financial institutions, etc.
Patch other programs on the system, back to previous insecure versions.
And that's just off the top of my head. If someone really is sitting down and thinking about this, I'm sure they could come up with much more dangerous specifications.
I think someone should be writing a competing worm that patches all vulnerable systems, just in case this breaks out into a crisis.
I'm not here now... I'm out KILLING pepperoni
Most government departments actually are designed to achieve the opposite of their names. For example, the "Department of Homeland Security" is in fact designed to control the level of insecurity that people feel. Likewise, the ministry of defence is really about offence, and in 1984 the Ministry of Information is about disinformation and so on.
In the book, the language was controlled to the point of creating new terms like IngSoc, MiniPax (ministry of peace, really designed to perpetuate war), and Double-plus good.
The whole point here is to justify the actions of the government. Because it becomes a lot easier to justify removing civil rights when there is the perceived threat of some common enemy.
-- the only thing we have to fear is really scary things
The patch from MS is really a trojan!
Go to this link to learn more!
I guess that is why our IT Department doesn't want to update the desktops beyond Windows 98. "Hackers target the newest OS" is what he said. Apparently system stability is not a high concern :(
Can't you see??? If they don't tell anyone about these vulnerabilities, "terrorists" will take advantage of them and kill hundreds of thousands of people! What if "terrorists" hacked into the Win98 computer controlling one of the many Nuclear Reactors based in the United States? Can you imagine the havoc that could cause?!?!
This suggests a new marketing slogan:
"If you don't upgrade to Windows XP, then the terrorists have already won!"
"Which port is it that you need to block?"
:-D
To make windows secure?
All of them.
You only have to block the port where the power cord goes into the computer.
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
Instead of saying open source versus closed source, how about we just start saying open source versus untrustable? That might help to chivvy things along.
If you were blocking sigs, you wouldn't have to read this.
I'm a tech on a Windows network for the local government here and we immediately disable Automatic updates on machines now. Lord knows it's not because we're Linux users (I'm the only one) but because the updates all too often BREAK things that were already working.
Maxim: People cannot follow directions.
Increases in truth directly with the length of time spent explaining them
Coincidence or not? Google News' primary link to this story points to the Register's article about this vulnerability. In their best sour Brit Register tradition they're none too congratulatory about "free patches". Does bandwidth cost money?
Windows of Mass Destruction?
A clever person solves a problem. A wise person avoids it. -- Einstein
Think of it as "Homeland Security eats its own dog food..." In other words, they are using the same operating system that the vast majority of people use, so they will experience the same vulnerabilities. They'll be able to advise people about computer security from first-hand experience, not just from a few pristine 'test lab' machines.
That's a good spin on an incredibly incompetent IT decision, but at the end of the day, spin is all it is.
You want a testbed for vulnerability? Fine. Set up a Windows lab with its own dedicated internet connection and absolutely no way to talk to the rest of your internal network. Catalog, experience, and enjoy the chaos that ensues.
Do not, I repeat, do not deploy it as your platform for collecting, collating, analyzing, and addressing security threats. What good is Homeland INSecurity going to be when they need to address a real, meatspace threat and a Microsoft worm has taken down most of their IT infrastructure?
Some perhaps, but they certainly will be operating at a severely degraded efficiency level.
The Future of Human Evolution: Autonomy
Jeez, you Microserf zealots are getting irrational and touchy. Back off man, that's our shtick. ;-P
You know guys, not everybody in the government is fawking off and trying to screw you out of your legitimate right to freely download copyrighted music.
There are thousands of hardworking men and women serving in Coast Guard ships off our coasts, monitoring land border crossings, inspecting imported cargo containers, and serving as airport security inspectors and skymarshals, all to keep your bloody arses safe behind your monitors as you make fun of them.
Sorry for the rant, but reality check, there ARE bad people in the world that are intent upon harming the United States and a good number of Americans working at the Department of Homeland Security are intent upon preventing that from happening.
Instead of easily making fun of these institutions, how about sitting down and thinking about better ways to reduce risks cost effectively. Propose it, then make your criticisms.
"We're sorry, but the website you're trying to reach has been disconnected."
To make your computer truly secure, follow these simple steps:
Should be truly secure... But for the overtly paranoid, consider dropping the planet into your local black hole. Please note that there may be information leakage as any entropy is represented on the black hole's event horizon.
Not practical... But fun.
-- The universe began. Life started on a billion worlds...
-- Except on one where stupidity was there first.
"Based on this notification, no change to the Homeland Security Advisory System (HSAS) is anticipated; the current HSAS level is YELLOW."
Hasn't it been yellow for like ever? I think they just can't figure out how to change the bulb.
Slightly more seriously, are we all comfortable with the idea that the Vaterland Security Advisory System is now here to stay, and that it's now featured in contexts where the words "external" or "terrorists" don't appear? That Homeland Security bulletins, much like the "troops killed in Iraq" daily scorecard, are now routine occurrences?
I've just had a kid. When he starts asking what the HSAS is, what do I tell him? "We're at War, junior. We've always been at War. Terrorists, drug barons, organized criminals, religious extremists, crackers, hackers, commies, arabs, they're all out to get us, and it's important to know just how scared the government wants us to be that we're going to die today."
Nice world he's going to grow up in.
Is it me (insert tinfoil hat joke), or is anyone else disturbed by the increasing tendency of ISPs and vendors to say 'just block port xxx' on your network connection, as a response to problems? Is this one more step on the road of converting the Internet to simply an MSN-ified WWW? Where does the small, independent content creator turn as more and more barriers to market entry are enacted, either by FUDding ISPs, lobbying Congress, and blatant stupidity?
I want to delete my account but Slashdot doesn't allow it.
If I understand right, 4444 is the port the exploit for the DCOM bug connects to.
/* port 4444 bindshell */
I updated all my systems, and firewalled 135/139/445 (UDP and TCP) and 4444 (TCP).
I know I am gonna get modded down for this, but if you haven't already, I suggest you fix this ASAP.
You can get the fix from here for windows 2000, and here for windows xp.
The exploit has it in the code:
target_ip.sin_port = htons(4444);
Also, notice the comment about the shell code:
Dan
Security consultant
ClickNews
As far as DoHs getting in on the action - I think they'll cry wolf at anything to keep interest. The more afraid the public is on a daily basis, the more they are legitimized. I was appalled the other day to see this article on the front page a few days ago - no shit guys, thanks for the press release. Ya know what else? .COM stocks might not be the best investment if the company hasn't produced a product.
Obviously this hole is a major one, but we've kinda known that unfirewalled Windows boxen on the net are a Bad Thing (tm). This hasn't changed, and it's not much more likely now for a worm to run rampant through everything that it was in the past - it'll happen, it'll suck, and everyone will do the same fire drill as every other time it happened. And a few, bright IT departments will switch to FreeBSD or similar for their external machines or put up a bloody firewall.
I write code.
Now why should I trust MicroSoft? They led me down the primrose path to endless updates that either show no noticeable effect, or cause my computer to act flaky.
Why should I trust HomeSec? I'm never going to feel secure so long as they keep throwing terror alerts in my face as an excuse to keep whittling away what's left of my civil rights.
And why should I trust the Linux community whose mainstay advice is "RTFM". I'm stuck using Lycoris until I can figure out how to get Wine to work under a better distro. (I'm sorry but some programs designed to run under MS Windows are just too cool to ignore.)
As far as I can tell, these so called updates could be trojans to give backdoor access to HomeSec so they can determine the efficacy of their scare tactics, and Linux is a twisted plot to make borderline-geeks like myself waste their time reading endless man pages trying to figure out how the damn thing works.
OK, so maybe I'm sounding a little frustrated, but all I really want is a nice little computer that does only what I tell it to do. Is that too much to ask?
--
Next stop: Insanity
Is there a utility/app/shareware thing that will tell you what process on WinNT/2K/XP is associated with whatever ports are active? Thanks. Really, I mean that.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
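Two posts above ask practical questions: Dan's post lists the ports he firewalled (135/139/445 and the exploit's 4444 bindshell), and the later poster asks which process owns an active port on NT/2K/XP. The script below is an added example, not code from the thread or from any poster. It assumes the `netstat -ano` output format of Windows XP and later (the `-o` switch, which prints the owning PID, is not available on Windows 2000), and the netstat text it parses is constructed for the example. It flags any listener on the ports named in the thread and returns the owning PID, which is the fact a responder needs before deciding whether a 4444 listener is the exploit's bindshell or some other program that happens to use that port.

```python
"""Audit Windows `netstat -ano` output for the ports discussed in the thread.

Added example for this thread, not the original poster's code.
Assumes the XP-and-later netstat format (PID column present).
SAMPLE_NETSTAT is constructed sample data, not a real capture.
"""
import re
import subprocess
import sys

# Ports the thread says to firewall: RPC endpoint mapper, NetBIOS session, SMB.
EXPOSED_PORTS = {135, 139, 445}
# Port the posted exploit connects to (the bindshell it leaves behind).
BINDSHELL_PORT = 4444

# Constructed sample of `netstat -ano` output; PIDs are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1452
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1038      207.46.130.108:80      ESTABLISHED     1180
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.20:137       *:*                                    4
"""

# proto, local ip, local port, foreign addr, optional state (UDP has none), pid
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Turn netstat text into a list of socket dicts; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, ip, port, _foreign, state, pid = m.groups()
        rows.append({"proto": proto, "ip": ip, "port": int(port),
                     "state": state or "", "pid": int(pid)})
    return rows


def listening_sockets(rows):
    """TCP sockets in LISTENING state plus every bound UDP socket (UDP has no state)."""
    return [r for r in rows
            if (r["proto"] == "TCP" and r["state"] == "LISTENING")
            or r["proto"] == "UDP"]


def audit(text):
    """Map each exposed (proto, port) to its owning PID and list PIDs listening on 4444."""
    rows = listening_sockets(parse_netstat(text))
    exposed = {(r["proto"], r["port"]): r["pid"]
               for r in rows if r["port"] in EXPOSED_PORTS}
    bindshell_pids = [r["pid"] for r in rows
                      if r["proto"] == "TCP" and r["port"] == BINDSHELL_PORT]
    return {"exposed": exposed, "bindshell_pids": bindshell_pids}


if __name__ == "__main__":
    # On a live Windows host, read real netstat output; elsewhere use the sample.
    if sys.platform == "win32":
        text = subprocess.run(["netstat", "-ano"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE_NETSTAT
    result = audit(text)
    for (proto, port), pid in sorted(result["exposed"].items()):
        print(f"{proto}/{port} reachable, owned by PID {pid}: firewall or patch")
    for pid in result["bindshell_pids"]:
        print(f"TCP/{BINDSHELL_PORT} listener owned by PID {pid}: "
              f"check the process before assuming it is the bindshell")
```

A 4444 listener is only an indicator, not proof: other software uses that port, so look up the PID in Task Manager or `tasklist` before pulling the plug. A bindshell that has already been used and closed will not appear at all, and the owning PID tells you nothing if the box has been rootkitted, so a clean result here is not a clean bill of health.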
Perhaps all it needs is a big hug? I know we all call Microsoft a massive anti-competitive tool of the Devil, but these comments do HURT.
I'm very much pro-Linux. I switched from Microsoft to Linux years ago. It was kind of hard because so many "fun" programs could only be had in Windows. So I ran a dual boot for quite some time.
I finally removed Windows altogether. After a few months of running only Linux it struck me. My system had NEVER crashed after doing so. Programs would sometimes hang but the system stayed up, not requiring a reboot. It was like an epiphany. I just started laughing!
I was also relieved that I no longer had to worry so much about viruses. Or do I?
My question is: If Linux becomes the dominant desktop and virus writers switch their main focus onto my OS of choice, would we be in as bad a shape as Microsoft's XP, 2000, etc?
The race isn't always to the swift... but that's the way to bet!
DHS warns about Windows.
:))
I see.
Did their solution involve duct tape and plastic sheeting?
(Though I must admit, after about 20 minutes the computers protected this way will be VERY secure.)
If you open yourself to the foo, You and foo become one.
As there is a permanent terrorist alert going on, could it be possible that everybody is scared from going about and conducting their business? Can this explain USA's shitty economy while Canada's is better than ever and the CA$ is constantly going up?
[tasteless joke]
Go MiniHomeSec! Let us commie canadians get on top!
[/tasteless joke]
You're not old until regret takes the place of your dreams.
Don't unleash your powerful computer on the Internet. Tame it with Microsoft(R) brand software today.
I'm an American. I love this country and the freedoms that we used to have.
If your desktop clients aren't Win2k and higher (therefore not vulnerable to the RPC hit) and don't have a publicly exposed IP address (i.e. - inside an Internet firewall or proxy) then you are just talking about servers.
In that case don't you have any remote control software (e.g. - VNC, SMS, PC Anywhere, etc.)? If so just put the patches on a common network share and remote into the boxes to install. If you aren't talking about more than 10-20 boxes it shouldn't take too long. If you are talking about more than that perhaps script out AT jobs to the boxes to execute KixTart scripts or something.
Did anyone else notice that they equated scanning to cracking? While I know that's certainly one of the possible preludes to attacks, it's certainly not a definite. I've used scanners quite legitimately more than once (checking what was visible from outside a firewall for my father in law, and testing to see if a non-responding server that I myself was responsible for even had its services running, despite it not being at my present locality). The internet was built to be open initially, and while it's understandable that it now needs security, people need to realize there's more to the internet than ports 80 and 6667, (plus those ones that most users don't ever see, like their port 25 services or port , ). There is far more to networking than HTTP, and the internet is a network.
It's getting to where knowledge is a crime, and while I feel it would be prudent to learn more and more about computer security, I fear that merely knowing it might make me liable to be wrongly prosecuted. There's just come to be so many legal barriers or poltergeists that it just carries too great of risks for the curious to enter the field.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
Unplug any conputer with really sensitive data from the network
is a conputer one which is running windows?
http://www.eeye.com/html/Research/Tools/Download.asp?file=RetinaRPCDCOM
Wow, a malicious worm. I'm completely bewildered by the fact that melissa, code red, etc didn't have a seriously nasty payload. It seems like the virus authors just wanted propagation for bragging rights. It wouldn't be so tough to write a function that will corrupt the registry or start formatting important parts of the disk after x amount of hours.
Windows has yet to see a serious threat by a popular worm and when it does there will be a lot of heat on Microsoft, whether they deserve it or not. "Wintel everywhere" is a classic eggs in one basket gambit and heads are going to roll if 1/3rd of all computers on the internet suddenly refuse to boot up again. Something like 40% (?) of all computers on the net are not behind a firewall and who knows how many are patched.
What I'm afraid of is that if something this bad and on this scale happens then DRM will go from controversial content protection to a Tom Ridge mandated upgrade. Your computer WILL download the newest patch and you will not rip MP3s from the newest Shania Twain CD or face the consequences (ISP banning you, fines, etc).