Slashdot Mirror


Lessons Learned From Blaster

CowboyRobot writes "It's been nearly a year since Blaster struck, causing hundreds of millions of dollars in fixes and lost revenue. Jim Morrison of Symantec goes step-by-step in looking at how the Blaster worm got out of control so quickly, and what lessons can be learned from that event, by studying how one utility company dealt with it." The story is written as a fun, technothriller narrative; here's a snippet: "The laptops, usually out in the field, were always a hit-and-miss proposition to find on the network and deliver a patch or to have the user take the machine to a field office. That meant that on the 16th they could see a flood of traffic launched against Microsoft. The second phase of Blaster, launching a DoS (denial of service) attack against windowsupdate.com, was imminent."


  1. Lesson Learned... by Terragen · · Score: 4, Insightful

    Don't run windows. :D

    1. Re:Lesson Learned... by Lshmael · · Score: 4, Insightful

      I think after that, nearly every Joe 6-pack finally realized that the thing in his "Start Menu" called "Windows Update" was something to use often.

      Which is why the Sasser worm hit so few people? Yes, Blaster caused *some* people to realize it was necessary to run Windows Update, but others only downloaded the Blaster-specific RPC patch in August, causing them to get reinfected again in October and November with newer RPC worms like Gaobot, and again this spring with Sasser.
    2. Re:Lesson Learned... by sumdumass · · Score: 2, Insightful

      hmm.. so we owe the revival of the economy to microsoft and their sound coding examples..

      I know what you're saying. But it is like gas prices. I was planning on spending 100 dollars to fill up the SUV but I wasn't expecting to spend it all this week. Usually I can make it go a month or so. It throws the budget for other areas out of whack and causes other problems too. I'm sure other people benefited from it. Just let me spend it when I want to spend it, not when someone decided to impress his girlfriend that dumped him.

  2. Re:How many times do people have to be told by keefey · · Score: 5, Insightful

    I thought Blaster was an RPC virus, i.e. not one broadcast via email? I'm sure that's the one that got me a couple of times before I installed a decent firewall (you have 5 seconds to close all work...). Bloody swine of a thing it was - I'd always seem to be winning at Counterstrike too! (Well, that was my excuse, anyway)

  3. VPN's aren't perfect pipes by LostCluster · · Score: 4, Insightful

    The main weakness that allowed ingress was that any outside machine with a VPN connection also has a real IP address as well. Those machines, since they were unpatched, were sitting ducks for the virus... and then the trusted nature of the VPN assured that the virus would spread to the inside.

    A basic firewall on the deployed machine to drop any packet not from the VPN could have stopped this before it started...

  4. Re:How many times do people have to be told by LostCluster · · Score: 4, Insightful

    Blaster didn't require user intervention to run. Default Windows installations came with the RPC service turned on, and that was all it took to be at risk. If your machine listened on port 135, the virus had a way in.
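    The exposure this comment describes (any host listening on TCP/135) is also what made Blaster easy to spot from the network side: an infected machine fans out connection attempts to port 135 across many neighbours in seconds. The following detection script is an added example, not code from the thread or the article; the log format and sample lines are constructed, and a real deployment would read the firewall's own log format instead.

```python
import re
from collections import defaultdict

# Constructed firewall log lines (not from the article). Assumed format:
# <epoch> <proto> <src_ip> <dst_ip> <dst_port> <ACCEPT|DROP>
SAMPLE_LOG = """\
1060689600 TCP 10.1.5.23 10.1.6.1 135 DROP
1060689600 TCP 10.1.5.23 10.1.6.2 135 DROP
1060689601 TCP 10.1.5.23 10.1.6.3 135 ACCEPT
1060689601 TCP 10.1.5.23 10.1.6.4 135 DROP
1060689602 TCP 10.1.5.23 10.1.6.5 135 DROP
1060689602 TCP 10.1.5.23 10.1.6.6 135 DROP
1060689603 TCP 10.1.5.23 10.1.6.7 135 DROP
1060689603 TCP 10.1.5.23 10.1.6.8 135 DROP
1060689604 TCP 10.1.5.23 10.1.6.9 135 DROP
1060689604 TCP 10.1.5.23 10.1.6.10 135 DROP
1060689605 TCP 10.1.5.23 10.1.6.11 135 DROP
1060689605 TCP 10.1.5.23 10.1.6.12 135 DROP
1060689610 TCP 10.1.5.40 10.1.6.1 135 ACCEPT
1060689650 TCP 10.1.5.40 10.1.6.1 445 ACCEPT
1060689700 TCP 10.1.5.41 10.1.7.9 80 ACCEPT
"""

LINE_RE = re.compile(r"^(\d+) (\w+) (\S+) (\S+) (\d+) (ACCEPT|DROP)$")

def parse(log: str):
    """Yield (ts, proto, src, dst, dport, action) tuples; skip malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, proto, src, dst, dport, action = m.groups()
            yield int(ts), proto, src, dst, int(dport), action

def find_rpc_scanners(log: str, port=135, window=60, min_targets=10):
    """Return {src: distinct_targets} for sources that touch at least
    min_targets distinct hosts on `port` inside any `window`-second span.
    ACCEPT and DROP both count: a hit on an unpatched host is still part
    of the sweep, and a legitimate client needs RPC on only a few peers."""
    events = defaultdict(list)  # src -> [(ts, dst)]
    for ts, proto, src, dst, dport, _ in parse(log):
        if proto == "TCP" and dport == port:
            events[src].append((ts, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:  # slide the window
                lo += 1
            targets = {dst for _, dst in hits[lo:hi + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged

if __name__ == "__main__":
    for src, n in find_rpc_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} hosts on TCP/135 within 60s -> isolate and patch")
```

    The thresholds are assumptions to tune per network; the point is that distinct-target fan-out on one port, not the volume of drops, is what separates a worm sweep from ordinary RPC traffic.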

  5. Contractor Laptop by eltoyoboyo · · Score: 5, Insightful

    A contractor using the guest offices brought Blaster inside. His laptop infected the security-counter image-storage system, which then found its way to the HR server. That in turn spawned the infections to the HR XP laptops where the patch failed.

    The first thing you learn in ANY security job is that most breaches are from the inside.

    As someone standing right behind the front lines, I will tell you that employees with laptops are the worst. Most end up with administrator access (not that hard to crack if you don't have it). And the fact that they bring their computers home and on the road makes them feel a certain entitlement to install whatever they feel like. Contractors are even worse, since most of the time these laptops ARE their personal PCs. Desktops and servers inside the DMZ are the least likely originators of malware. (Not to say you couldn't surf pr0n on the company mail server as an admin. But then you deserve what you get.)

    Network admins need to lock down MAC addresses and start treating their network like the PBX folks. Nothing gets wired except approved company equipment.

    --
    Have you Meta Moderated t

    1. Re:Contractor Laptop by pyrrhonist · · Score: 2, Insightful

      And someone trying to get onto the network by guessing a valid MAC address is going to be at it quite some time...

      Not really. They can just put their NIC into promiscuous mode and watch the traffic on their segment.

      --
      Show me on the doll where his noodly appendage touched you.

  6. A little too secure for our own good... by LostCluster · · Score: 5, Insightful

    A key paragraph in the story...
    "We had to do some research, but we found out that the way we locked down the users prevented the patch from running properly," lamented one of the policy admins. "What we discovered was that the software restriction policy for the local computer allowed only local computer administrators to select trusted publishers. Because our patch agent ran as a pseudo user, the agent did not have the necessary rights. This was causing the failure. We changed the group policy for the HR systems so that we can patch remotely from now on."

    Sometimes, locking your system too tightly ends up locking the keys in the car. When you really need something to run, it doesn't...

  7. Included in TCO? by Quixote · · Score: 5, Insightful

    Every time a "Linux -vs- Microsoft" study comes out (for example, or see this), I never see any mention of the costs of combatting these virii, even though virii have been plaguing MS systems from the DOS days. Why don't these "studies" include the cost of re-installing infected machines, anti-virus software, firewall software, continuous monitoring, etc.?

    On the one hand, virus writers are aggressively pursued and prosecuted with claimed damages of billions of dollars; on the other hand, these losses are not included in the TCO of Windows! What gives?

    1. Re:Included in TCO? by HanVerspiltTijd · · Score: 3, Insightful

      The article mentions 320 to 500 Million dollars as the "cost" for the whole episode. It also mentions that Microsoft estimates 16 Million PCs got infected. That would add $20 to $31 to the TCO for everyone that got infected. Those of us that did patch our systems probably spent the same in time: getting the patch, waiting while it is installed, then rebooting, all on company time.

  8. Inflexible payment policy comes back to bite... by LostCluster · · Score: 4, Insightful

    The utility company lost more than $1 million in revenue that would normally have been generated from the pay systems during the time they were down.

    Wait a second. Blaster didn't directly cut off any customers. How could the virus cost revenue?

    Well, in the case of this story's Mona, it was because her power was cut off despite the fact she had the money to pay her bill through the last-minute pay system. That means a few days that she didn't use power, plus the cost of a needless disconnect that they couldn't charge for.

    If the power company had a brain or heart, they would have not done any disconnects due to non-payment during this time frame. Sure, some deadbeats would get 3 days of free power, but the majority of people who missed their payment deadline would happily pay if just given the chance.

    In short, they could have saved time and money if the bill collectors would have been told to take some time off...

  9. Re:I learned from Blaster six months before the fa by LostCluster · · Score: 3, Insightful

    NAT makes a very good poor man's firewall. Unsolicited packets get dropped... and services you didn't realize you had listening can't be reached.

  10. Re:Trusted Computing is the answer. by Artifakt · · Score: 2, Insightful

    I don't really think anything like this will be accepted by enough people to become widespread enough to be seriously useful, but for the sake of argument, let's assume it will, and someone with big money wants to implement it immediately, and solutions can quickly be found to such problems as where to store all the info on users (it can't be on the individual user's machine, obviously, as the worst offenders will never get around to downloading the patch or upgrade needed, and yet the scoring system is going to have to trigger something or someone reaching into clueless machines and turning on firewall software and such).

    In that case, there's still one thing needed. The value has to decrement under certain conditions, e.g. every month the user goes without a new virus, reduce the count by 1. Nearly all social control systems need something like this, and what you're describing IS a social control system.

    --
    Who is John Cabal?

  11. Re:Sadly OSX is Next by mrchaotica · · Score: 3, Insightful

    Another reason it's safer than Windows is that all the ports are turned off by default.

    I do have a NAT box, but the problem is that it doesn't solve the problem for everyone - I don't use my laptop only at home; I use it on my school's network too... so if you're anything like me, you need firewall software on the individual computers as well.

    Side note - I don't know any good firewall (or antivirus, for that matter) software for OS X; anybody want to suggest some?

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

  12. Re:How many times do people have to be told by Mycroft_VIII · · Score: 2, Insightful

    dammit, I knew I was forgetting one. I know what .com, .exe, and .scr are, but what is .etc? I can't find any reference to that; is it the email trojan control applet specification?

    Seriously though, it's a good idea to auto-flag such emails and make the receiving user jump through a simple hoop or two to receive those, but you can't just auto-delete such in many environments; there can be legitimate reasons for sending such things.

    But for one thing, e-mail clients should at least pop up a warning box, one that contains useful info for joe sixpack. E.g.: "Warning: this e-mail contains a runnable program attachment. If you're NOT expecting to receive a program from this person, it is most likely a virus. In that case the sender likely has no knowledge his machine sent it to you. Viruses can have severely harmful effects on your computer, up to and including rendering it unusable without expensive repairs," with click-boxes that take a second to figure out, forcing the receiver to think rather than blindly click OK.

    In the meantime, why not have the mail server send a warning e-mail with the message inlined, but not the attachment, and instructions on how to get the attachment the server has quarantined if it turns out to be a legitimate e-mail.

    Mycroft

    --
    https://signup.leagueoflegends.com/?ref=4c3ed6600b6ea

  13. "Lessons Learned" == SHUDDER by crucini · · Score: 3, Insightful

    Did anyone else read to the end where the employees discuss "lessons learned"? Really encapsulates what's wrong with IT. First, nobody says the obvious, that they shouldn't have used Windows for a dedicated, distributed application. I guess at least someone must have thought that, and was afraid to speak up. There are hints in the article of an upper manager beating his chest and making the peons shake.

    Second, they vow to not let contractor notebooks on their network without a thorough security vetting. Great, more IT-fascism, and totally impractical. IT needs to support the organization's business objectives, not obstruct them. If you have an attorney who bills $400/hour coming in to meet with the Chief Counsel, and he's got one hour before he has to drive to the airport, who is going to hold him up and scan his notebook? What if you screw it up in the process? There are lots of more practical solutions to this problem, once you accept the basic fact that IT is not an end in itself but just a business enabler.

    Also, did you notice how Windows' overly complicated permission system caused a disaster? The machines were locked down to prevent tampering, which prevented the patch scripts from running. In the end, they had to send people out to each location to fix the machines. I've never had this problem with Unix, because Unix permissions are simple and logical; therefore a sysadmin can easily understand the implications of any permission setting.

    I particularly liked the phrase (quoting from memory) "one of the policy admins". One? Not only do they seem to have a full time employee maintaining these tragic "policies", but they have a team? And still caused a train wreck? Windows is close to being a job-creation program for mediocre technical types.

  14. Re:Missing the point by TrancePhreak · · Score: 2, Insightful

    The worm came months after the patch, how was the worm faster?

    There has already been a worm that disabled a software firewall. It was a 3rd party one, I believe the name was BlackIce.

    --

    -]Phreak Out[-

  15. Re:I learned from Blaster six months before the fa by AKnightCowboy · · Score: 2, Insightful

    One day, in a galaxy...never mind...One day, internet connections won't even be possible with an exposed PC address. DSL/cable won't even be permitted to connect directly to a PC without DHCP/NAT interposed between.

    I'm surprised ISPs aren't taking proactive steps and setting up firewalls in front of their DSL/cable/dialup users. Even a Cisco CBAC firewall or simple router access-lists would be better than nothing. I know some of them block NetBIOS ports, but they should really just block anything incoming to an end user unless it is part of an established connection. Also, block outbound SMTP and require HTTP/HTTPS access to go through a proxy server to stop worms from just hitting other ISPs willy-nilly.

  16. Basic employee education is a good start by Anonymous+Brave+Guy · · Score: 3, Insightful

    Say every time a virus has to be removed from a Windows box because a user clicked an attachment a little value increments by one. Once it reaches 10 or so the computer starts throwing up helpful hints ...

    For large corporations, I always quite liked the idea of sending occasional spoofed e-mails with dodgy attachments, similar to your average e-mail virus. If a user opens the attachment, MIS gets notified, and a "three strikes" rule applies.

    The first time, they get a polite warning about their behaviour and how damaging it could be if that had been a real virus, and a friendly reminder to read the corporate IT policy. You're not trying to piss these people off and alienate them, you're trying to educate them.

    The second time, they get another warning, and all non-essential access revoked for a week: no personal mail, no web browsing, nothing. You might mention that this is the sort of thing that viruses try to do to everyone in the company, which is why it's so important not to run attachments carelessly.

    The third time, they get the book thrown at them: automatic formal disciplinary procedures, loss of all personal usage privileges and direct monitoring of their usage by MIS, etc.

    Of course, you need some very senior people on your side to make this work, particularly because managers are often the most incompetent in this respect. However, if your CIO has any clout at all, a quick explanation about the impacts of a real virus on the company and the most likely way to get one should get the CFO and CEO on-side.

    The nice thing about this approach is that it's fair. No-one who's not a liability will be affected. Anyone who's simply naive will be given a friendly reminder of the danger, and how to avoid it. You have to screw up spectacularly several times before really bad stuff happens. And if you really are that stupid, inconsiderate or incompetent, the rest of the organisation doesn't have to suffer the risk you bring to their livelihoods.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.