Re:It's lucky that the worm writer (on Cross-Site-TRACE, Score: 1)
The only difference between unpatched and patched windows boxes is:
a: whether the exploit is known about (which it was here),
b: whether there was a release (which there was here)
and c: whether admins of these boxes apply it (which is the age-old problem).
Targeting SQL servers is quite clever, as many of them will be in hosting centres with 34Mbs, burstable to 155Mb (for example).
It's lucky that the worm writer (on Cross-Site-TRACE, Score: 1)
It's lucky that the worm writer didn't make the worm fire out random traffic on random udp ports with spoofed addresses.
It's only the fact the traffic is all destined for a certain destination port that makes it easy to filter. You are filtering it out on your firewalls, aren't you?
/sbin/iptables -I FORWARD -p udp --dport 1434 -j DROP
This could have been a lot lot harder to filter out. I expect we'll see ThisWorm v2 soon.
I dread the day someone finds a hole in Apache, Sendmail or something really popular and writes a worm like this...
Well, even though I got brutally "Offtopic'd", I thought I should share the answer with you.
A small bit of Etherealing later showed I was sending a packet with the SYN, ECN, and CWR flags. The ft.com server immediately replies with a RST, ACK packet, which terminated the TCP connection.
I tried disabling ECN ( echo 0 > /proc/sys/net/ipv4/tcp_ecn ), and whaddaya know - I can now hit ft.com. Does this mean they don't understand the ECN flag? Surely, if they were congested, it wouldn't close the connection - it would just ask for smaller, less frequent packets?
I've often thought about this. This is my solution.
Assuming you run Linux, make a loopback crypto partition. However, don't just use a password for the encryption key.
Make a smallish file (128 bytes) of random uuencoded data (random128bytes).
Write a shell script that prompts for your password, and uses the contents of that file with the password appended.
That way, the password is still required, but if in doubt, you can shred -u random128bytes, and you'll never be able to get it back. Knowing the password won't help you at all.
Any suggestions for improvements from the Slashdot paranoids?:)
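One way to implement the key-file-plus-password scheme above in POSIX shell, as an added example and not the poster's own script. It assumes coreutils sha256sum, base64 (standing in for uuencode) and shred are present, and uses cryptsetup for the unlock step, a tool the post did not name; the volume is assumed to have been formatted with the same derived key.

```shell
#!/bin/sh
# Added example (not the poster's script): key file + typed password scheme.
# Assumptions: coreutils sha256sum/base64/shred; cryptsetup for the unlock step
# (the post used a loopback crypto partition and did not name a tool).
# base64 stands in for the post's uuencode; hashing the concatenation is this
# example's choice so the derived key has a fixed length.

KEYFILE="${KEYFILE:-$HOME/.random128bytes}"

# Create the key file once: 128 random bytes, encoded as printable text.
# Refuses to overwrite, since losing the old file means losing the volume.
make_keyfile() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite existing key file $1" >&2
        return 1
    fi
    ( umask 077; head -c 128 /dev/urandom | base64 > "$1" )
}

# Derive the volume key: key file contents with the password appended, hashed.
# Fails closed when the key file is gone, so after shredding it the password
# alone recovers nothing.
derive_key() {
    if [ ! -r "$1" ]; then
        echo "key file $1 missing or unreadable" >&2
        return 1
    fi
    { cat "$1"; printf '%s' "$2"; } | sha256sum | cut -d' ' -f1
}

# Prompt for the password without echo and unlock a LUKS device.
# Usage: unlock_volume /dev/loop0 secret  (interactive; not exercised by tests)
unlock_volume() {
    printf 'Password: ' >&2
    stty -echo; read -r pw; stty echo; echo >&2
    derive_key "$KEYFILE" "$pw" | tr -d '\n' |
        cryptsetup open --key-file=- "$1" "$2"
}

# Emergency: destroy the key file; the volume is now unrecoverable.
panic() {
    shred -u "$KEYFILE"
}
```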
wget -O/dev/null http://www.sims.berkeley.edu/~ping/peep/peepdemo.avi &
Mind you, it's a .edu, which means they'll have lots of bandwidth.
Place your bets now....
(on Peephole Displays, Score: 3, Insightful)
VIDEOS
To play DivX video, get a free decoder from divx.com. You can play DivX videos on Linux, MacOS, or Windows.
* video demonstration for CHI 2003, 16 Dec 2002 (5m 52s)
o high quality: AVI (72 Mb, DivX)
o medium quality: AVI (33 Mb, DivX)
o low quality: AVI (16 Mb, DivX)
* video figure for CHI 2003, 23 Sep 2002 (2m 35s)
o AVI (13.8 Mb)
o QuickTime (27.6 Mb)
* submitted to UIST 2002, Apr 2002 (3m 31 s)
o AVI (46 Mb, MPEG4.2)
o QuickTime (50 Mb, MJPEG)
o DivX (45 Mb)
Not wishing to diss Mr Mitnick, but having read his book, and viewed his telnet sessions, I wouldn't be so sure that he fell under that category.
More like a confidence trickster genius :)
PS - What has happened to takedown.org - did they take it down now he's coming out?
It would be kind of funny/ironic if the FreeBSD team deliberately put out ISOs with a fault or flaw in them, just to put off people who link to and download them before the proper release message.
Doubtful, but if they get annoyed at this, look out for it next time.
This one has surprised me most so far:
tybclbsqla02.listbuilder.com
Hmm. Lists equal large databases.
Large databases usually mean a DBA.
DBAs should know better.
whois listbuilder.com
Technical Contact:
Microsoft (EJSEHEQUAO)
msnhst@MICROSOFT.COM
Microsoft
One Microsoft Way
Redmond, WA 98052
US
425-882-8080
dig -x 64.4.30.24
;; ANSWER SECTION:
24.30.4.64.in-addr.arpa. 3600 IN PTR gfx.pav1.hotmail.com
I think it's just the replies to a hotmail request that I picked up. (I'm watching tcp and udp 1433, and 1434)
Firewalls promote softer security.
"Oh, it's OK because it's behind the firewall..."
I think firewalls make people lazy. Imagine if we didn't have firewalls. We'd have to keep our passwords good, our services minimal, and make sure we were running the latest, most secure daemons.
I am now seeing connections from the HTTP ports?
14:18:44.018023 64.4.30.24.http > 193.128.xxx.xxx.ms-sql-m: FP 537:706(169) ack 334 win 16983
14:18:44.019965 64.4.30.24.http > 193.128.xxx.xxx.ms-sql-m: . 1:537(536) ack 334 win 16983
Is this a new variant already?
No, firewalls are for use as your needs require.
I, for instance, allow no incoming, but don't restrict outgoing. It's not a huge corporation, it's an R+D lab, where the overhead and hassle I'd cause by restricting outbound traffic would stifle the lab users' productivity. Still, I added the block for that specific port on the slim chance that if an internal box was infected (lord knows how) it would be a localised problem, not contributing.
I don't think you should tell people what firewall rules they should be running.
Wouldn't it be nicer if the owners of these machines bothered to patch the fucking things though?
As far as I'm concerned, boxes SHOULD be able to stand on their own without firewalls. A firewall just adds another layer.
Sounds like you're advocating armadillo security to me - hard on the outside, soft on the inside.
toss in my experience hat
;)
Whatever you want to do in the privacy of your own home is fine by me, but a word of advice? Don't wear it afterwards.
Maybe you guys don't have the same usage of the word toss as we do here.
Is he this sk8ter boi I keep hearing so much about?
We are upgrading to XP, as Linux offers us no value
Or more likely you're blind and ignorant of the value it can add.
I can't get to ft.com, news.ft.com, orange-today.co.uk just times out...
Anyone else having these problems?
Surprisingly, Slashdot is fast and responsive
Well, the sudden surge of traffic to .au will probably cause the satellites to melt.
I can't get there at the moment, anyway. And we're about 3 posts in.
Maybe they get these numbers in the same way they calculate CD burner numbers? :)
www.freeswan.ca
Transfer it all over IPsec. People should use it a lot more.
Lol.
Yeah. I don't give them more than 1 hour.
;o)
How long will their server last?
Especially if you are a hacker genius.
:)
How friendly PCI-SIG is to monopolistic software companies....?
Just a thought...
Perhaps, if everyone possible mirrored the site, they might give up.
Or he could move it to Freenet. (Check it out if you haven't. It's full of subversive conspiracy theories - you Slashdot folk would love it)
http://www.example.com/3458976394534/admin.html
:) Google might spider a site with public proxy logs, and it gets in that way.
:)
Yeah - and just wait until that gets into Google
Wait, that's given me an idea....