HomeSec Warns Again About Microsoft's Insecurity 497
cbrandtbuffalo writes "The Department of Homeland Security has posted this advisory about an impending attack on MS systems. This RPC attack has already been seen in some localized systems, but may spread as unpatched computers are exploited. Some of the national news like CNN are running stories too."
How big a threat is this? (Score:5, Interesting)
Switch campaign kick-off (Score:5, Insightful)
Along those lines, since most design flaws are downplayed for weeks/months/years after exploits are found, Apple, Red Hat and SuSE have a good lead time to prepare switch campaigns.
I'm sure a dollar value can be put on the peace of mind and increased productivity that goes with moving to a better workstation platform.
Re:Switch campaign kick-off (Score:3, Insightful)
It's possible that the reason this bug is getting publicity from the Dept of Homeland Security when others didn't is simply that they know about this one. Yes, other security problems are out there and "known", but maybe not by the people at HS. Remember even though it's
Re:Switch campaign kick-off (Score:3, Interesting)
Maybe because their PR department was scheduled to produce some proof of their right to exist, but they didn't have any terrorists handy ATM.
Seriously, this shouldn't be their job, in the end they will be just echoing CERT or bugtraq, while wasting a lot of money into "network security research".
Re:How big a threat is this? (Score:4, Funny)
So upgrade to Windows XP, or the 73rr0r1575 \/\/1ll win.
Re:How big a threat is this? (Score:3, Insightful)
Re:How big a threat is this? (Score:4, Informative)
Windows XP isn't really an upgrade for Win98 machines. Win 98 was delivered on PII 266MHz, 32/64MB RAM, 2-4MB PCI video systems. I would hate to try anything on a system like that with XP. Sure, the CPU could handle it, but the memory would need to be seriously upgraded. There's also the issue regarding device drivers. There's a LOT of hardware out from that time period that doesn't have XP drivers.
Re:How big a threat is this? (Score:5, Insightful)
Re:How big a threat is this? (Score:3, Insightful)
It is possible, and it is useable, it certainly is not too responsive.
Re:How big a threat is this? (Score:5, Informative)
Re:How big a threat is this? (Score:5, Interesting)
Re:How big a threat is this? (Score:4, Informative)
Re:How big a threat is this? (Score:2, Informative)
Well engineered worms (Score:5, Insightful)
A well engineered worm would:
Work on many different systems.
Use more than one security flaw. (spread by email, + kazaa, + IE hole, + sendmail hole)
Patch that flaw once compromised, and open a separate hole
Have at least different attack modes (slow and quiet and local sub nets, fast and hard and whole internet)
Build up to critical mass before initiating fast attack mode.
Attempt to hide itself from scans. (maybe randomly stop functioning for a while to offer false sense of security)
Adjust its fingerprint so that it isn't simple to find computers which have the worm (use different ports, different protocols, send some different data when filling buffers etc)
Offer a payload that makes patching difficult, goes after security websites that often offer patches, targets financial institutions, etc.
Patch other programs on the system, back to previous insecure versions.
And that's just off the top of my head. If someone really is sitting down and thinking about this, I'm sure they could come up with much more dangerous specifications.
I think someone should be writing a competing worm that patches all vulnerable systems, just in case this breaks out into a crisis.
Re:Well engineered worms (Score:5, Insightful)
Personally, this RPC bug doesn't really get me thinking much. Anyone stupid enough to allow incoming RPC packets from the internet deserves what they've got coming. Now, on the other hand, if a live exploit for BGP4 was ever discovered and published, we'd be in a world of hurt for quite a while.
Re:Well engineered worms (Score:5, Insightful)
True, but that doesn't cover any/all cases at all. Businesses with Windows servers can't turn off RPC (and sometimes can't turn off DCOM) on their users' laptops, right? So a laptop user goes home and uses dialup, or he has broadband and no router and gets infected. Now he comes back into work the next day. The MS-supplied patch doesn't work in all cases, so even if they have a good patching system and a great firewall, they've still got a compromised, infectious system on their LAN. Mobile-user VPN has the same risks.
Re:Well engineered worms (Score:3, Insightful)
Re:Well engineered worms (Score:4, Interesting)
1. They made patches for this covering all the way back to NT 4.0
2. They don't charge for these patches.
3. The bloody patch doesn't work.
Re:Well engineered worms (Score:3, Insightful)
Re:Well engineered worms (Score:4, Interesting)
Re:Well engineered worms (Score:3, Insightful)
While it's generally true that historically, most viruses have had feeble or non-existent payloads, the evidence [lurhq.com] is strong that some of the waves of infection this year have been created by spam gangs, using viral infections to install proxy software.
Re:Well engineered worms (Score:4, Interesting)
Yeah, I like the idea of changing DLLs on a system back to insecure versions and (of course) keeping the Add/Remove Programs list saying the patches have been applied. Needless to say, this would mean other worms/viruses would get in, further making diagnosis more difficult.
If we want to see what nasty viruses do we need only look at nature. For example, AIDS (or the HIV virus if you want to be exact) attacks the immune system -- the part of the body that fights viruses. People with AIDS then die when opportunistic viruses, like pneumonia, take advantage of the situation. If you wrote a computer virus that only attacked the immune system of the net it would be quite a sight to see.
Re:Well engineered worms (Score:5, Insightful)
IANAWC (I am not a worm creator), but you could have all kinds of worms running around. One that attacked on a large scale, seeking to infect as many systems as possible. Then it would download extra components as needed, but otherwise sit dormant, awaiting the final component. One that sought out unpatched, vulnerable Windows 2000/XP boxes to use as a permanent base of operations (this one could be BIG). One that sought out infected systems and modified the worm continuously, to confuse scanners. And maybe you could even have the dang things self-destruct? I don't know much about this, but you can set up applications on a Windows 2000/XP box that won't run until the next realmode boot, right? If it installs itself as a system file, scanners won't be able to remove it unless they run before the system is fully booted up. But if your worm runs the next time pre-bootup system maintenance is scheduled, and runs before any other task, you could have it eat the hard drive.
If one were to prepare this sort of thing ahead of time and release the worms one by one, most of the security community wouldn't anticipate the attack. Especially if they were all encrypted, and you released them in a quick enough period that it would not be obvious they were working together until after the fact.
The other thing I wonder is why worms haven't targeted the infrastructure of weak networks. Like that worm that was discovered on the Comcast DNS servers. If someone were to create something that attacked the Windows 2000/XP (or any other operating system, but Windows seems like it would be the most vulnerable) TCP/IP stack, and only attacked systems behind vulnerable routers, and then utilized the hacked TCP/IP stack and hacked routers to hide all of the traffic, it would be extremely hard for anyone to tell what had happened, right?
Of course, all of the things I have just said won't work, as I've described them. My knowledge of this topic is just too limited to really make much sense, but my point is I don't think we have seen a coordinated effort to run multiple, smaller worms in concert. This way you can spread a rapid, smaller infection, and use it to pave the way for a much more deadly, and harder to remove infection.
Re:How big a threat is this? (Score:5, Informative)
The primary vehicle for spreading this type of exploit is all the MS clients of broadband users; many untechy PC owners will be to blame if this thing hits hard. And yes, I think it could be worse than Slammer/Code Red because it's RPC. Pretty much all the MS clients out there are going to have it running (versus an IIS exploit).
Re:How big a threat is this? (Score:3, Insightful)
Perhaps ISPs should just block RPC at their routers that feed broadband users. I can't think of any good reason most people would want it to be exposed anyway, on a resident
Re:How big a threat is this? (Score:2, Flamebait)
why not, i got karma to burn...
Re:How big a threat is this? (Score:3, Interesting)
Of course, the vulnerability requires that it be possible to reach the machine with an inbound connection, so firewalled networks will be protected until someon
Re:How big a threat is this? (Score:4, Interesting)
If this is true, Microsoft doesn't even acknowledge [microsoft.com] that it affects Windows98. It's one thing to not release a patch for an affected OS, it's quite another to not mention that it's affected.
Re:How big a threat is this? (Score:2)
Production networks are complex; sometimes you can't kick in a reboot or even change services, especially when you're talking about the core method Microsoft uses to make things 'easier'.
That and now the various viral writers are producing payloads that hit the DCOM ports (mumu.a variants).
Re:How big a threat is this? (Score:4, Interesting)
so that makes all "OFFICIAL" machines in corporate hosed as usual when these things come through... Just like the stupid policy of no virus updates from anywhere but the corporate server, which is always at least 4-5 behind the software company's site. (Another policy I ignore... I keep everything at the latest DAT.)
Microsoft really did it this time.. (Score:5, Interesting)
But there's another problem: a lot of people are starting to distrust Microsoft and are turning off automatic updates / not getting service packs instead of switching to another operating system.
Re:Microsoft really did it this time.. (Score:5, Interesting)
Shoot, this was a problem years ago leading me to never enable automatic updates after more than one Windows machine was completely FUBAR'ed after an update. We fought with security issues on Windows for a while, then dealt with the expense and hassle of IRIX (although IRIX is impressively stable), went back to Windows due to the cost and then simply migrated our servers to Apache on OS X. Safe, simple, stable, affordable and secure.
Re:Microsoft really did it this time.. (Score:3, Interesting)
One of their "updates" to Movie Maker (which I use solely to grab DV from an encoder) made the output files incompatible with other video programmes, in particular VirtualDub. Thankfully I was able to get the previous version back by doing a system restore but that's the last time I'll upgrade an MS app when the one I've got is working fine.
How long? (Score:5, Funny)
I'm glad I pay all those taxes!
Re:How long? (Score:5, Interesting)
Anyone want to talk to their representative or senators about that decision?
Re:How long? (Score:5, Interesting)
Re:How long? (Score:5, Funny)
And I'm glad our "edjacashun" budget keeps rising to make the US more smarterer.
Now if we can get them to arrest (Score:2, Funny)
Re:Now if we can get them to arrest (Score:4, Funny)
Pretty Bad (Score:5, Insightful)
From Wednesday to Thursday their compromise rate went from 3 computers an hour to 30. Right now they're just blocking the RPC port, but the routers are starting to take some heavy traffic. Looks like this one is going to be pretty bad.
Re:Pretty Bad (Score:2)
Re:Pretty Bad (Score:5, Funny)
To make windows secure?
All of them.
That's not true (Score:5, Funny)
To make windows secure?
All of them.
You only have to block the port where the power cord goes into the computer.
Re:Pretty Bad (Score:2)
It's basically all the NetBIOS and Microsoft-ds ports.
Re:Pretty Bad (Score:5, Informative)
135/TCP
135/UDP
139/TCP
139/UDP
445/TCP
445/UDP
Also, it appears 4444 is being used.
Security Focus's incidents mailing list [securityfocus.com] is also enlightening. And for good measure, a posting on the ineffectiveness of one of MS's patches [securityfocus.com] (as of 29 Jul).
Fixes (Score:3, Informative)
I updated all my systems, and firewalled 135/139/445 (UDP and TCP) and 4444 (TCP).
I know I am gonna get modded down for this, but if you haven't already, I suggest you fix this ASAP.
You can get the fix from here [microsoft.com] for windows 2000, and here [microsoft.com] for windows xp.
The exploit [packetstormsecurity.nl] has it in the code:
target_ip.sin_port = htons(4444);
Also, notice the comment about the shell code:
Dan
Security consultant
Click [clicknews.ro]
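The two posts above list the ports worth blocking at the border (135/139/445 over TCP and UDP) and note that the published exploit binds its shell to TCP 4444. The following script is an added example, not code from the thread or from any of the posters: it reads netfilter LOG lines of the kind an iptables rule with `-j LOG` emits on a gateway, counts inbound hits on those RPC/NetBIOS/SMB ports per source, buckets 135/TCP hits per hour (the kind of rate the "Pretty Bad" post quotes), and flags the sequence a defender most wants to see, a source that hit 135/TCP on a host and then connected to 4444/TCP on the same host shortly after. The log lines and addresses are constructed (documentation ranges), the `FW-IN:` prefix is assumed, and the year is assumed because syslog timestamps carry none.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Ports named in the thread: RPC endpoint mapper (135), NetBIOS session (139)
# and SMB (445) on TCP and UDP, plus TCP 4444, the port the published exploit
# binds its shell to. Blocking these at the border is the thread's advice;
# this script reports what is hitting them.
RPC_PORTS = {("TCP", 135), ("UDP", 135), ("TCP", 139), ("UDP", 139),
             ("TCP", 445), ("UDP", 445)}
SHELL_PORT = ("TCP", 4444)

# Assumed year: syslog timestamps carry none.
LOG_YEAR = 2003

# Constructed sample of netfilter LOG lines (iptables -j LOG with an assumed
# --log-prefix "FW-IN: "). Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jul 31 10:01:02 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3921 DPT=135 SYN
Jul 31 10:01:03 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=3922 DPT=4444 SYN
Jul 31 10:02:15 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.11 PROTO=TCP SPT=1044 DPT=445 SYN
Jul 31 10:03:40 gw kernel: FW-IN: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.12 PROTO=UDP SPT=1045 DPT=135
Jul 31 10:05:00 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=2001 DPT=80 SYN
Jul 31 10:40:00 gw kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=3950 DPT=4444 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Turn netfilter LOG lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "src": m["src"], "dst": m["dst"],
                       "port": (m["proto"].upper(), int(m["dpt"]))})
    return events


def rpc_probe_counts(events):
    """Count, per source address, inbound hits on the RPC/NetBIOS/SMB ports."""
    counts = Counter()
    for ev in events:
        if ev["port"] in RPC_PORTS:
            counts[ev["src"]] += 1
    return dict(counts)


def shell_followups(events, window=timedelta(minutes=5)):
    """Return (src, dst) pairs where a source hit 135/TCP on a host and then
    connected to 4444/TCP on the same host within `window`: the trace an RPC
    exploit followed by a connection to its bind shell would leave."""
    hits = []
    for ev in events:
        if ev["port"] != SHELL_PORT:
            continue
        prior = [p for p in events
                 if p["src"] == ev["src"] and p["dst"] == ev["dst"]
                 and p["port"] == ("TCP", 135)
                 and timedelta(0) <= ev["time"] - p["time"] <= window]
        if prior:
            hits.append((ev["src"], ev["dst"]))
    return hits


def hourly_rate(events, port=("TCP", 135)):
    """Hits on one port bucketed by hour, the kind of figure the thread quotes
    (N compromise attempts an hour)."""
    buckets = Counter()
    for ev in events:
        if ev["port"] == port:
            buckets[ev["time"].strftime("%Y-%m-%d %H:00")] += 1
    return dict(buckets)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("RPC-port probes per source:", rpc_probe_counts(evs))
    print("135/TCP hit followed by 4444/TCP connect:", shell_followups(evs))
    print("135/TCP hits per hour:", hourly_rate(evs))
```

On the constructed sample the lone 4444 connection at 10:40 is not flagged, since nothing preceded it on 135/TCP; a real deployment would still want that reported separately, because a bind shell left by an earlier infection can be reached by any host. Feed the script your gateway's actual LOG output by replacing SAMPLE_LOG with the file contents.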
Re:Pretty Bad (Score:3, Informative)
NetBEUI = Port 135 netBEUI is only required when you have non-Windows 2000 clients to support. However, NetBIOS over TCP/IP prevents any need for NetBEUI. These days NetBEUI is the usual answer for connection problems that turn out to be name resolution or NetBIOS configuration problems. The other ports listed, 139 and 445, are used for Server Message Block (which with Win2000 can run directly over TCP/IP rather than needing to run on top of NetBIOS) respectively. SMB is a
Re:Pretty Bad (Score:4, Informative)
installed and enabled.
Re:Pretty Bad (Score:3, Informative)
>ncadg_ip_udp : UDP port 135
>ncacn_np : \pipe\epmapper, normally accessible via SMB null session on TCP ports 139 and 445
Etc. Etc. Etc.
The ironic part is that a Win9x box doesn't run these services. Or any other services - to use a technical term, in comparison to XP and 2K, an out-of-the-box 9x install doesn't listen to jack shit. If you do the 30-second tweak to disable/unbind the NetBIOS crap, you can safely (!) run 9x without a firewall because such a box doe
Re:Pretty Bad (Score:4, Insightful)
Am I correct in saying that a router can be used at home to prevent these kinds of attacks in the first place?
With more families getting online and having multiple computers in a network, wouldn't it make sense to install a router that protects against the silly port attacks?
I believe a router these days costs about $50 USD, so it's far cheaper to purchase one than to buy a software based "firewall" solution, that might be turned off by little johnny anyhow.
Re:Pretty Bad (Score:3, Informative)
Actually, that is not correct. A "router" in a nutshell is just used to "route" traffic from point A to point B.
What people need is a hardware-based NAT switch with firewall firmware. It places that nice "buffer" zone between your machines and the web.
If the NAT switch/firewall is compromised somehow, it will not get the hacker very far without the presence of an OS. Your boxes behind s
Re:Pretty Bad (Score:3, Informative)
Personally, I use a linux system with two NICs as my router/gateway. netfilter/iptables p
Ugh. (Score:5, Funny)
If we need to refer to it then use the initial letters of its name... DoHs.
Somehow appropriate when they put out warnings like the last one.
John.
Re:Ugh. (Score:5, Funny)
Re:Ugh. (Score:2)
HomeSec. Ingsoc. MiniPax. Double-plus good. (Score:5, Funny)
Most government departments actually are designed to achieve the opposite of their names. For example, the "Department of Homeland Security" is in fact designed to control the level of insecurity that people feel. Likewise, the ministry of defence is really about offence, and in 1984 the Ministry of Information is about disinformation and so on.
In the book, the language was controlled to the point of creating new terms like IngSoc, MiniPax (ministry of peace, really designed to perpetuate war), and Double-plus good.
The whole point here is to justify the actions of the government. Because it becomes a lot easier to justify removing civil rights when there is the perceived threat of some common enemy.
Unfair to public servants (Score:3, Interesting)
There are thousands of hardworking men and women serving in Coast Guard ships off our coasts, monitoring land border crossings, inspecting imported cargo containers, and serving as airport security inspectors and skymarshals, all to keep your bloody arses safe behind your monitors as you make fun of them.
Sorry for the rant, but reality check, there ARE bad
Re:Ugh. (Score:2)
Sounds too much like DOS.
oh, wait....
The Department of Homeland Security? (Score:5, Insightful)
Joking aside I find the US media's "fear hyping" to be outrageous.
"It could happen to you" Is a major catch phrase for the US media, and they are not talking about winning the lottery.
They should know! (Score:3, Funny)
I feel bad for the Poor slob(s).... (Score:5, Insightful)
wonder how they (DoHS) are feeling about their OS investment already? :)
Are you kidding me? (Score:2)
Re:Are you kidding me? (Score:2)
But as far a IT goes, MS advisories are one of the few things you can count on.
windows at the office?? (Score:5, Interesting)
isn't this a bit irresponsible of them, now that they are declaring Windows a vulnerability?
Re:windows at the office?? (Score:2)
I, personally, am rather angry that my fucking tax money is being spent by the DoHS and all they have come up with is a dependency on an insecure OS and a stupid colour coded system that NO ONE understands!
Re:windows at the office?? (Score:2)
Homeland INSecurity Spinning a Bad Decision (Score:3, Insightful)
That's a good spin on an incredibly incompetent IT decision, but at the end of the day, spin is all it is.
You want a testbed for vulnerability? Fine. Set up a windows la
Hilarious! (Score:5, Funny)
Ugh.
Wilersh
Re:Hilarious! (Score:3, Funny)
Color scale? (Score:5, Funny)
Again.. (Score:5, Insightful)
Re:Again.. (Score:5, Funny)
So it can be saved and get into heaven. Oh, you mean world.
how long has the patch been available? (Score:2, Interesting)
would every geek please walk over to their nearest 4 non-geek's MS boxes and flick 'autoupdate' on? maybe we can spare a few routers in the future?
i mean, if they insist on having those boxes, the least we can do is make sure they're patched up.
say what you will about MS - but these big exploits don't usually hit until weeks after the patch has been available.
and if you're relaxed enough with control over your box to run MS in the first place, autoupdate ain't any worse.
Re:how long has the patch been available? (Score:5, Funny)
Govt should use its own OS. (Score:5, Insightful)
Free patches! (Score:2)
Yeah, they're offering the patches free of charge. But it wouldn't be that big of a deal if their junk wasn't broken so much to begin with! If MS actually *charged* for security patches, okay, it needn't be MS necessarily -- any proprietary software vendor, they'd take a hit in sales.
Notice that Server 2k3 is affected, too. Keeping count, the rate of vulnerabilities is slowing down a bit, but they
DoHS is anti-Internet anyway (Score:2)
the patch is really a trojan (funny) (Score:2, Funny)
The patch [microsoft.com] from MS is really a trojan!
Go to this link [chartertn.net] to learn more!
Download Bush's Executables? (Score:2)
security through obscurity (Score:3, Funny)
No patch for Win98/SE? (Score:5, Funny)
"If you don't upgrade to Windows XP, then the terrorists have already won!"
Re:No patch for Win98/SE? (Score:3, Informative)
Can I suggest some newspeak (Score:3, Funny)
google is fun (Score:4, Interesting)
WoMD? (Score:3, Funny)
Security (Score:5, Funny)
To make your computer truly secure, follow these simple steps:
Should be truly secure... But for the overtly paranoid, consider dropping the planet into your local black hole. Please note that there may be information leakage, as any entropy is represented on the black hole's event horizon.
Not practical... But fun.
It's all right (Score:5, Funny)
"Based on this notification, no change to the Homeland Security Advisory System (HSAS) is anticipated; the current HSAS level is YELLOW."
Hasn't it been yellow for like ever? I think they just can't figure out how to change the bulb.
Slightly more seriously, are we all comfortable with the idea that the Vaterland Security Advisory System is now here to stay, and that it's now featured in contexts where the words "external" or "terrorists" don't appear? That Homeland Security bulletins, much like the "troops killed in Iraq" daily scorecard, are now routine occurrences?
I've just had a kid. When he starts asking what the HSAS is, what do I tell him? "We're at War, junior. We've always been at War. Terrorists, drug barons, organized criminals, religious extremists, crackers, hackers, commies, arabs, they're all out to get us, and it's important to know just how scared the government wants us to be that we're going to die today."
Nice world he's going to grow up in.
Port blocking (Score:5, Insightful)
Already hearing it as an excuse... (Score:4, Insightful)
As far as DoHs getting in on the action - I think they'll cry wolf at anything to keep interest. The more afraid the public is on a daily basis, the more they are legitimized. I was appalled the other day to see this [cnn.com] article on the front page a few days ago - no shit guys, thanks for the press release. Ya know what else? .COM stocks might not be the best investment if the company hasn't produced a product.
Obviously this hole is a major one, but we've kinda known that unfirewalled Windows boxen on the net are a Bad Thing (tm). This hasn't changed, and it's not much more likely now for a worm to run rampant through everything than it was in the past - it'll happen, it'll suck, and everyone will do the same fire drill as every other time it happened. And a few bright IT departments will switch to FreeBSD or similar for their external machines or put up a bloody firewall.
Port/Process utility for Windows? (Score:3, Informative)
Re:Port/Process utility for Windows? (Score:4, Informative)
But you can get an idea about what ports are sitting out there either listening or actively transferring.
Microsoft's Insecurity? (Score:3, Funny)
DHS warns about windows. (Score:3, Funny)
I see.
Did their solution involve duck tape and plastic sheeting?
(Though I must admit, after about 20 minutes the computers protected this way will be VERY secure.
The Net is safe from my computer (Score:3, Funny)
Don't unleash your powerful computer on the Internet. Tame it with Microsoft(R) brand software today.
Scanning != virus (Score:3, Insightful)
It's getting to where knowledge is a crime, and while I feel it would be prudent to learn more and more about computer security, I fear that merely knowing it might make me liable to be wrongly prosecuted. There have just come to be so many legal barriers or poltergeists that it carries too great a risk for the curious to enter the field.
HomeSec should stay out of this (Score:3, Insightful)
Windows has yet to see a serious threat by a popular worm and when it does there will be a lot of heat on Microsoft, whether they deserve it or not. "Wintel everywhere" is a classic eggs in one basket gambit and heads are going to roll if 1/3rd of all computers on the internet suddenly refuse to boot up again. Something like 40% (?) of all computers on the net are not behind a firewall and who knows how many are patched.
What I'm afraid of is that if something this bad and on this scale happens then DRM will go from controversial content protection to a Tom Ridge mandated upgrade. Your computer WILL download the newest patch and you will not rip MP3s from the newest Shania Twain CD or face the consequences (ISP banning you, fines, etc).
Re:Affect Win98? (Score:2)
Re:Affect Win98? (Score:2)
How about hardware based firewall?
Re:Why are they even working on this? (Score:2, Funny)
Linux Users? (Score:5, Informative)