Firewall Wizards mailing list archives

RE: Recent Attacks


From: David LeBlanc <dleblanc () mindspring com>
Date: Wed, 23 Feb 2000 10:18:20 -0800

At 10:44 AM 2/23/00 -0500, Roger Nebel wrote:

> I believe he meant that the people who put up insecure systems which are
> then compromised and used to attack others and not the targets who may
> be a patch or two out of date.  So he's not blaming the victims for
> being attacked but rather the morons who connected a system to the
> Internet that was easily subverted.

Then we all must be morons, since nearly every one of us has had systems
that either could have been subverted or have been subverted.  You wake up
one morning to find that your nice FTP app that everyone uses is actually
exploitable, and that there have been underground exploits for it for the
last six months.  The list goes on and on.

To go back to some real-world analogies, most houses have extremely flimsy
front doors, and windows can often be popped easily.  Most people can break
into their own house if they need to.  With the exception of vehicles with
anti-theft devices, anyone who is good with a slim jim can open a locked
car door in less than a minute, and can then get around the steering wheel
lock and ignition very quickly as well.  I used to be a mechanic, and have
had to overcome all of these systems at one time or another for customers.

So most of our vehicles are easily subverted.  When your locked car gets
stolen, the cop doesn't blame you - they blame the thief.  The overall cost
to society is too high to put systems on all cars that are harder to
overcome, so we accept that some people will steal cars, and we have to
hunt them down.

Sure, people ought to patch their systems, and there's a lot of work we all
need to do to make things better - but if you look around you, most
real-world security systems depend fairly heavily on there being some level
of law enforcement to back them up.  Expecting everyone to maintain their
computer systems to the level that we'd like to see just isn't realistic -
and I think that even among the security crowd (if we're being honest), we
all have to admit that we have all at one time or another either had a
system that is hackable or had a system get hacked.  I was told one day
that I had to add domain admins to my local administrators group - the guy
did something that wasn't very bright, got the whole domain hacked, and the
bozos chose to use my system to demonstrate the problem.  So if we're
defining moron to include people who put systems up that can be
compromised, then I think we need to remember that present company will be
included.  So if we're a bunch of morons, then what the hell do we expect
ordinary people to do?

So, trying to move beyond the blame game, here's what I think we need to do
(reflects a paper that Alan Paller and several others have helped with):

1) We need better practices by ISPs to limit spoofing - ingress and egress
filtering should be the norm.  We need to eliminate spoofing by dial-up
customers.  Even if you can spoof from inside a site, it still makes
tracking it a LOT easier.

2) We need to be doing more security auditing - this is really essential.
ISPs ought to provide that as a service to customers.  Notify people when
they are leaving themselves wide open - most of them probably don't realize
they have a problem.

3) Education is a part of the solution - educate developers, admins,
end-users and law enforcement.

4) We need to work towards making keeping a machine secure a lot easier -
get the machine to check a web site (or something) and see if it needs any
patches, then throw a pop-up, send mail, do something.


David LeBlanc
dleblanc () mindspring com
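Item 1 above, ingress and egress filtering to limit source-address spoofing, is easy to state and easy to get subtly wrong, so here is an added worked example. It is not code from the original message or from the paper it mentions; the topology, the addresses (203.0.113.0/24 as an ISP dial-up pool, 198.51.100.0/24 as a customer site, both documentation ranges) and the sample packets are all constructed for illustration. The ISP side accepts a packet from a customer-facing interface only if its source lies in the prefix assigned to that interface (default deny for interfaces with no policy, and private or otherwise bogus sources are dropped everywhere); the customer side drops anything leaving the site that does not carry one of the site's own addresses.

```python
# Added example: BCP 38 style ingress/egress anti-spoofing filtering.
# Not code from the original post; the topology and addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample topology (assumption): an ISP that assigns dial-up
# addresses out of 203.0.113.0/24, and a customer site holding 198.51.100.0/24.
DIALUP_POOL = ipaddress.ip_network("203.0.113.0/24")
CUSTOMER_PREFIX = ipaddress.ip_network("198.51.100.0/24")

# Which source prefix is legitimate on each ISP-facing interface.  Any
# interface not listed here is treated as default-deny.
ISP_INGRESS_POLICY: Dict[str, ipaddress.IPv4Network] = {
    "dialup0": DIALUP_POOL,
    "cust-serial1": CUSTOMER_PREFIX,
}

# Source ranges that must never appear on a public link, whatever the interface.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    src: str    # source IP as text
    dst: str    # destination IP as text
    iface: str  # interface the packet arrived on (ingress) or leaves by (egress)


def _is_bogon(addr) -> bool:
    return any(addr in net for net in BOGONS)


def ingress_verdict(pkt: Packet, policy: Dict[str, ipaddress.IPv4Network]) -> str:
    """ISP edge: accept only if the source lies in the prefix assigned to the
    interface the packet arrived on.  Returns "accept" or "drop:<reason>"."""
    src = ipaddress.ip_address(pkt.src)
    if _is_bogon(src):
        return "drop:bogon-source"
    allowed = policy.get(pkt.iface)
    if allowed is None:
        return "drop:unknown-interface"
    if src not in allowed:
        return "drop:source-not-in-assigned-prefix"
    return "accept"


def egress_verdict(pkt: Packet, own_prefix: ipaddress.IPv4Network) -> str:
    """Customer edge: a packet leaving the site must carry one of the site's
    own addresses as source; anything else is spoofed or misconfigured."""
    src = ipaddress.ip_address(pkt.src)
    if src not in own_prefix:
        return "drop:source-not-ours"
    return "accept"


def filter_ingress(packets, policy) -> List[Tuple[Packet, str]]:
    return [(p, ingress_verdict(p, policy)) for p in packets]


# Constructed sample traffic (not captured data).
SAMPLE_INGRESS = [
    Packet("203.0.113.7", "192.0.2.10", "dialup0"),        # legitimate dial-up user
    Packet("198.51.100.9", "192.0.2.10", "dialup0"),       # dial-up user forging the customer's address
    Packet("10.0.0.5", "192.0.2.10", "dialup0"),           # private source: never valid here
    Packet("203.0.113.7", "192.0.2.10", "unconfigured2"),  # no policy for this interface
]

SAMPLE_EGRESS = [
    Packet("198.51.100.9", "192.0.2.10", "outside0"),  # site's own address: fine
    Packet("203.0.113.7", "192.0.2.10", "outside0"),   # forged source leaving the site
]


def ingress_summary(packets=SAMPLE_INGRESS, policy=ISP_INGRESS_POLICY) -> List[str]:
    return [verdict for _, verdict in filter_ingress(packets, policy)]


def egress_summary(packets=SAMPLE_EGRESS, own_prefix=CUSTOMER_PREFIX) -> List[str]:
    return [egress_verdict(p, own_prefix) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in filter_ingress(SAMPLE_INGRESS, ISP_INGRESS_POLICY):
        print(f"ingress {pkt.iface:14s} src={pkt.src:14s} -> {verdict}")
    for pkt in SAMPLE_EGRESS:
        print(f"egress  {pkt.iface:14s} src={pkt.src:14s} -> {egress_verdict(pkt, CUSTOMER_PREFIX)}")
```

Note the limit the message itself points out: this filter still lets a dial-up user forge the address of another user in the same pool, since both fall inside the interface's assigned prefix. What it buys you is that a forged packet can then only have come from that pool, which is what makes tracing the source tractable; on a real router the same policy is expressed as a per-interface ACL or unicast reverse-path check rather than a Python table.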


