[Dshield] DCOM morning after

Shawn Cox shawn.cox at pcca.com
Tue Aug 12 21:26:35 GMT 2003

    You and I believe the same thing, but you seem to think that every
computer user has the knowledge and expertise to install these patches or
defenses.  It's crazy to think that Joe business owner who goes down to
"ComputerWorld" is going to go out and install these patches before he fires
up Solitaire.  I'm looking at the entire computer workspace throughout the
world here, it will never be fully patched and will therefore remain

> > I disagree.   To stop this sort of attack takes only one thing:
> > invulnerable
> > software and that doesn't nor will it ever exist.  As long as a
> > percentage
> > of machines remain unpatched the threat exists.  Sure you can
> > alleviate the
> > headaches, but 'prevent' is like asking a scientist to prove
> > something.
> This is incorrect in the extreme.  Invulnerable software is absolutely not a
> requirement to prevent being infected by worms like MSBlast, Bugbear, et

Yes it is correct, because you cannot rely on every user implementing
defenses.  You just can't.

> A significant percentage of the machines on my network are not fully
> patched, yet not a single one has been infected this week.  Prevention is
> simple matter of not allowing insecure protocols like MSRPC/DCOM past the
> borders in either direction.

Crazy again.  Where's the next big hole?  Is it in TCP port 80, which I'm
sure is open through your firewalls/VPNs?  Your defense strategy won't save
you there.  We don't know where the next big flaw is, just like we didn't
know there was a DCOM hole until this year.  Next time we may not have the
luxury of knowing upfront that a hole exists.  Just imagine if Blaster had
been launched on January 1.

> Of course there is a solution to these attacks.  The most rudimentary
> freeware software firewall would have prevented these machines from being

Sure, but who's going to install and configure it?  Are you going to go door
to door to offer to install a firewall for free?  It's not logistically

> compromised.  Connecting even one machine directly to the Internet without
> anything more than its OS to defend it is reckless and irresponsible.  I

Certainly it is, but people haven't learned that.

> seriously doubt any one of these customers would leave piles of cash
> on their front counter with the door unlocked when they leave home at
> yet that's exactly what they (or those who they've hired) have chosen to
> with their computers.

I agree, because they know the consequences of leaving cash on their
doorstep.  Leave cash on door step = missing cash.  Most don't know the
consequences of leaving their computer open to the Internet and therefore
don't take steps to protect it.

> Hopefully those involved have learned that lesson and will realize that it
> is far cheaper and easier to put some basic safeguards in place than
> exposing their machines to the abundant risks involved otherwise.
> -Darren, not flabbergasted, just disappointed

Your feelings for the world are noble, but I'm afraid you're going to be
disappointed for a long while.
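Added illustration, not part of either poster's message: Darren's border rule ("not allowing insecure protocols like MSRPC/DCOM past the borders in either direction") and Shawn's objection (the next hole may be on port 80, which a border filter has to let through) can both be shown with a toy policy evaluator. The network ranges, the web server address and the sample flows below are constructed for the example; the only facts taken from outside the thread are that TCP 135 is the RPC endpoint mapper that Blaster exploited and that 137-139/445 are its NetBIOS/SMB companions.

```python
"""Toy border-filter check for the MSRPC/DCOM point in the thread above.

Rule set (assumed for the example, not taken from the original posts):
  1. Windows RPC/DCOM/SMB ports never cross the border, either direction.
  2. Any other outbound traffic is allowed.
  3. Inbound traffic is allowed only to the published web server on TCP/80.
Rule 3 is exactly the gap Shawn points at: a flaw in the web service
itself is not stopped by this filter.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the site's internal range and its one published web server.
INTERNAL = ip_network("192.168.10.0/24")
WEB_SERVER = ip_address("192.168.10.80")

# TCP 135 is the RPC endpoint mapper Blaster exploited (MS03-026);
# 137-139 and 445 are the NetBIOS/SMB ports that usually travel with it.
WINDOWS_RPC_PORTS = {135, 137, 138, 139, 445}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def direction(flow: Flow) -> str:
    """Classify a flow relative to the border: inbound, outbound, internal
    (never reaches the border) or transit (neither end is ours)."""
    src_in = ip_address(flow.src) in INTERNAL
    dst_in = ip_address(flow.dst) in INTERNAL
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "transit"


def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny' for one flow under the three rules above."""
    d = direction(flow)
    if d == "internal":
        return "allow"            # LAN-to-LAN traffic never hits the border
    if d == "transit":
        return "deny"             # not our traffic; a border has no reason to forward it
    # Rule 1: RPC/DCOM/SMB blocked in both directions. Outbound matters too:
    # an already-infected host must not be able to scan the Internet for victims.
    if flow.dport in WINDOWS_RPC_PORTS:
        return "deny"
    # Rule 2: everything else outbound is permitted.
    if d == "outbound":
        return "allow"
    # Rule 3: inbound only to the published web service on TCP/80.
    if ip_address(flow.dst) == WEB_SERVER and flow.proto == "tcp" and flow.dport == 80:
        return "allow"
    return "deny"


# Constructed sample flows (addresses from documentation ranges).
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.168.10.20", "tcp", 135),    # worm probe from outside
    Flow("192.168.10.20", "203.0.113.5", "tcp", 135),    # infected LAN host scanning out
    Flow("203.0.113.5", "192.168.10.80", "tcp", 80),     # web traffic to published server
    Flow("203.0.113.5", "192.168.10.20", "tcp", 80),     # inbound 80 to a workstation
    Flow("192.168.10.20", "198.51.100.9", "tcp", 80),    # user browsing out
    Flow("192.168.10.20", "192.168.10.80", "tcp", 135),  # RPC inside the LAN (not filtered)
]


def evaluate(flows=SAMPLE_FLOWS) -> dict:
    """Map each flow to its decision; useful for eyeballing the whole policy."""
    return {f: decide(f) for f in flows}


if __name__ == "__main__":
    for f, verdict in evaluate().items():
        print(f"{direction(f):8} {f.src:>15} -> {f.dst:<15} {f.proto}/{f.dport:<5} {verdict}")
```

Note what the sample output shows: the 135 probe is dropped in both directions even though the internal hosts may be unpatched, which is Darren's point, while TCP/80 to the web server is passed through untouched, which is Shawn's. The filter also does nothing for the LAN-internal 135 flow, so a single infected laptop carried inside still spreads behind the border.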
