Would a firewall prevent Sasser worm?

Discussion in 'Computer Security' started by Piotr Makley, May 4, 2004.

  1. leslie Guest

    Leythos () wrote:
    :
    : I designed networks for medical centers and other health-care provider
    : networks, but I don't have a clue as to what IRIX is?
    :

    IRIX is the sect of the unix religion for SGI (nee Silicon Graphics)
    systems.

    --Jerry Leslie
    Note: is invalid for email
     
    leslie, May 12, 2004

  2. While off the top of my head I don't remember the name of the specific
    malware, there ARE one and perhaps several viruses for Linux. All of
    them, I believe, however, are "blended" attacks - involving worm,
    virus and/or trojan - and AFAIK none of them are using a root exploit
    to actually gain root status - so their effect on a well-managed Linux
    system is likely to be minimal.

    At this point and for the foreseeable future, viruses are not an issue
    on Linux. Whether they will be when the Linux desktop percentage hits
    10% or more is an open question. Given the history of the community's
    ability to detect and patch vulnerabilities within hours of the
    report, I doubt Linux viruses will be a significant factor. Of
    course, idiot users run insecure machines because they don't apply
    upgrades and they run anything they see in administrator mode.
    Nothing can solve that. Code quality on Linux, however, is generally
    acknowledged to be better than on Windows apps and probably on the
    Windows OS as well, so there are, and probably will continue to be,
    fewer available exploits on Linux than Windows.

    Complexity is a security risk and Windows is FAR too complex for its
    own good.
     
    Richard Steven Hack, May 12, 2004

  3. This is about HIPAA, which is federal rules, therefore the probability
    of braindeadness is high!

    Jim
     
    James F. Cornwall, May 12, 2004
  4. Leythos Guest

    I just checked several things on Symantec's site and found that IRIX is
    supported
    http://service1.symantec.com/SUPPORT/intrusiondetectkb.nsf/0240ac0167ab3
    4ef85256ab6005ee7e2/494bc9d6765f471388256d1f007aa442?
    OpenDocument&src=bar_sch_nam

    Supported operating systems for Symantec Enterprise Security Manager 5.1

    I also found a list of Linux Worms and Viruses that Symantec can protect
    against for Linux systems. It's interesting to read about the Worms and
    exploits that are found on the Linux platforms.
     
    Leythos, May 12, 2004
  5. James F. Cornwall () wrote:
    : wrote:
    : >
    : > > wrote:
    : > >>
    : > >> Don't you read the thread ?? You don't need AV software for un*x since
    : > >> there is no such virii.

    1) not currently but there is nothing to preclude them in the future. Remember the Morris worm
    was a 'virus' in the same sense many of the exploits being currently used against Microsoft are.
    Many of the potential exploits we have seen against Linux and Unix [and products such as sendmail]
    could have been used in the same manner. I agree that currently there is not the file
    infection vector that is the majority of Microsoft infections. I consider AV software to be a subset
    of host based IPS. It is actually a good thing to have a host based IPS for any system.

    2) In our environment, Unix AV [in the sense of RTP for files added to unix based samba filesystems]
    is important since unix and linux systems provide NAS filesystems for Microsoft clients. If someone
    from a Microsoft client stores an infected file to a unix server, it would be useful to have AV running
    to prevent it from being spread through the unix host.


    : >
    : > > I think his point is that he needs AV software because the hospital
    : > > policy requires it, not because he expects to have viruses found on the
    : > > box in question.
    : >
    : > Quite possible, but that is as stupid as to demand lead-free gasoline
    : > in all company cars - even if they are diesel powered.
    : >
    : > Braindead policys is one of the big risks !!

    : This is about HIPAA, which is federal rules, therefore the probability
    : of braindeadness is high!

    There is no HIPAA security rule or privacy rule that mandates AV software. The privacy rule stipulates
    that 'best practices' must be used to maintain the confidentiality and integrity.

    I just checked the final rule. There is no longer specific reference to anti-virus but a mandate to
    include 'protection from malicious software' in the configuration section.

    We have interpreted the requirement to have our policy require managed AV software to be installed on all
    systems for which a product is available. Unfortunately, you are correct that many people who write these
    policies do not understand that and you end up with a requirement that cannot be met. [AV does not
    currently exist for some platforms]. Generally you should simply document the fact and ask for an exception
    from the body charged with enforcement [and usually sending it to the compliance officer will help as well].

    As compared to many gov't regs, HIPAA privacy and security are actually pretty well done. The original rule
    had some really stupid things but the comment period has placed a large amount of common sense into the mix.
    However, this has not been exposed to the trial lawyers test yet and there is no telling what type of new
    requirements will be imposed due to case law being applied.

    Richard H. Miller, MCSE, CCSE+
    Information Security Manager
    Information Technology Security and Compliance
    Information Technology - Baylor College of Medicine
     
    Richard H Miller, May 12, 2004
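The scanning-on-write idea in point 2 of the post above (a Windows client drops an infected file on a Unix/Linux NAS, so the Unix host itself should inspect it), shown as an added example that is not code from this thread or from any product mentioned in it. It polls a share directory, hashes each new regular file, checks it against a blocklist of known-bad SHA-256 digests and against the EICAR test signature, and moves matches to a quarantine directory outside the share. The blocklist contents, the share layout and the quarantine location are assumptions of the example; a production deployment would hand files to a real engine (e.g. clamd) rather than a hash list, but the quarantine logic is the same.

```python
"""On-write quarantine check for a Unix-hosted fileshare (e.g. a Samba export).

Added example, not code from the thread. New regular files are hashed and
checked against a blocklist of known-bad SHA-256 digests and against the EICAR
test signature; matches are moved to a quarantine directory. The blocklist,
share layout and quarantine path are assumptions of the example.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Standard EICAR anti-malware test string: harmless, recognised by every engine.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed blocklist: the EICAR digest plus a placeholder digest that stands in
# for one pulled from a threat feed (assumption).
BLOCKLIST = {hashlib.sha256(EICAR).hexdigest(), "0" * 64}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(path: Path):
    """Return (digest, reason); reason is None when the file is considered clean."""
    digest = sha256_file(path)
    if digest in BLOCKLIST:
        return digest, "hash-blocklist"
    # The EICAR spec allows trailing whitespace, up to 128 bytes in total, so a
    # padded copy has a different digest but must still be caught.
    data = path.read_bytes()
    if data.startswith(EICAR) and len(data) <= 128:
        return digest, "eicar-signature"
    return digest, None


def scan_once(share: Path, quarantine: Path, seen: set) -> list:
    """Scan files not seen before; quarantine matches. Returns [(name, reason)].

    `seen` keys on (path, mtime, size) so a file rewritten by the client is
    rescanned. Quarantine must live outside the share so moved files are not
    re-exported to Windows clients. Poll this from a loop or an inotify hook.
    """
    quarantine.mkdir(parents=True, exist_ok=True)
    quarantined = []
    for path in list(share.rglob("*")):
        if not path.is_file():
            continue
        st = path.stat()
        key = (str(path), st.st_mtime_ns, st.st_size)
        if key in seen:
            continue
        seen.add(key)
        digest, reason = classify(path)
        if reason is not None:
            # Keep the digest in the name so duplicates do not overwrite each other.
            shutil.move(str(path), str(quarantine / f"{path.name}.{digest[:12]}"))
            quarantined.append((path.name, reason))
    return quarantined


def demo() -> dict:
    """Constructed scenario: a clean file, the EICAR file and a padded EICAR file."""
    root = Path(tempfile.mkdtemp(prefix="avshare-"))
    share, quarantine = root / "share", root / "quarantine"
    share.mkdir()
    (share / "clean.txt").write_bytes(b"quarterly report\n")
    (share / "eicar.com").write_bytes(EICAR)
    (share / "eicar_padded.com").write_bytes(EICAR + b"   \n")
    seen = set()
    first = scan_once(share, quarantine, seen)
    second = scan_once(share, quarantine, seen)  # nothing new, nothing quarantined
    result = {
        "quarantined": sorted(first),
        "second_pass": second,
        "left_in_share": sorted(p.name for p in share.iterdir()),
        "in_quarantine": len(list(quarantine.iterdir())),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The padded EICAR copy is the case a pure hash blocklist misses, which is why real engines match signatures rather than whole-file digests; the `seen` set keyed on mtime and size is what keeps a partially written file from being marked clean forever.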
  6. :> > wrote:

    :> >>>I am -trying- to satisfy a hospital's security policy that all hosts
    :> >>>that connect remotely to them be running virus scanners (and the
    :> >>>virus definitions and virus engine updates have to be checked for daily
    :> >>>under the policy.) I am, though, having, rather some difficulty
    :> >>>in finding a filesystem virus scanner for IRIX.

    :> > I think his point is that he needs AV software because the hospital
    :> > policy requires it, not because he expects to have viruses found on the
    :> > box in question.

    :> Braindead policys is one of the big risks !!

    :This is about HIPAA, which is federal rules, therefore the probability
    :of braindeadness is high!

    It isn't actually about HIPAA, as we are in Canada, but we have
    multiple levels of privacy laws that lead the same effect.

    The hospital in question agreed today to waive the virus-scanning
    requirement, so someone did have some good sense: the good sense just
    wasn't written down in the policy.
     
    Walter Roberson, May 12, 2004
  7. :I just checked several things on Symantec's site and found that IRIX is
    :supported
    :http://service1.symantec.com/SUPPORT/intrusiondetectkb.nsf/0240ac0167ab3
    :4ef85256ab6005ee7e2/494bc9d6765f471388256d1f007aa442?
    :OpenDocument&src=bar_sch_nam

    :Supported operating systems for Symantec Enterprise Security Manager 5.1

    That's IRIX 6.2. Even if you go up to version 6.0, the last supported
    version was IRIX 6.3. And the only thing that was supported was the Agent.

    Enterprise Security Manager does not appear to incorporate a filesystem
    virus scanner as any of components: It's a policy enforcement package.
     
    Walter Roberson, May 12, 2004
  8. phn Guest

    Un*x in 1988 was in a state that might resemble Windows 2000 as regards immature
    code and security issues. In 1989 un*x was "secured" and in a much better
    state than Windows (and continues to increase the distance due to a better
    security model and a different development process). There is (currently) no fear that un*x
    will deteriorate and become vulnerable.
    That is a different issue, i've seen AV software that RUNS on Linux but looks
    for windows threats.
     
    phn, May 13, 2004
  9. Grant Wagner Guest

    FACT: there are exploitable vulnerabilities in Linux. Unless of course we're
    back to the "Linux is more secure" argument.
    FACT: end users do NOT patch their machines with the regularity that a system
    administrator of a network or Linux enthusiast would.

    So, there would be unpatched vulnerabilities on many more systems if Linux
    desktop use was more widespread, which would make them a much more inviting
    target to worm and virus authors.
    Who said anything about Windows XP Home in the preceding paragraph? Apache and
    sendmail come running, out of the box, with some versions of Linux, those
    products have KNOWN vulnerabilities which would NOT be patched by a typical home
    computer user running Linux. That would make them a prime target for exploits
    targeting those vulnerabilities.
    I see plenty of people IRCing (and presumably they are performing other tasks)
    as root. Implying not all Linux systems are as well-protected, nor all Linux
    users as well-informed, as you would like to believe.
    Spontaneous reboots? It's not spontaneous if you connect to windowsupdate once a
    month to obtain the patches, it's part of a planned maintenance schedule, sort
    of like running up2date on a regular basis to keep up with new patches.
    If they are going "belly-up", then they aren't professionally maintained,
    despite the letters after the names of people administering them.
    I didn't say anything about a security announcement. I said that managed code in
    .NET will solve some of the problem because by its very nature it can't be
    exploited by one of the largest attack vectors Microsoft (and most software)
    suffers from.

    As for security improvements in Microsoft products, Microsoft moved the core
    functionality of IIS into the kernel in Windows 2003, which was initially
    regarded as a mistake by many. However, Microsoft spent a great deal of time
    ensuring that the code would either produce meaningful results or spit any input
    back out without damage. So far, no exploits have appeared against IIS in
    Windows 2003.

    <url: http://www.serverwatch.com/tutorials/article.php/3294371 />
     
    Grant Wagner, May 14, 2004
  10. phn Guest

    FUD !

    Current distributions have few if any vulnerabilities open (that is,
    most distributions have some vulnerable product, but it's not enabled
    in a default install).
    Some distributions are worse, but none is as vulnerable as Windows when
    installed from CD.
    True. The reason is that a great many of these installs are safe when installed
    and will remain safe during prolonged periods.
    Agree. There is a lot more to learn for both Linux and Windows users.
    Well, most updates on Linux concern applications, no need to reboot.
    How did you come to the conclusion that .NET is any safer than
    any other jewels MS has delivered? Mark my words, wait and see.
    Hmm. Too late to browse CERT but I _think_ you are wrong here.

     
    phn, May 14, 2004
  11. Not necessarily true. I upgraded my Linux system using a CD. Then I
    connected to the Internet to get & patch the latest holes. In 30
    minutes, my Linux machine had a root kit, before I was able to update
    the OS and close the holes.

    Any install from a CD that is not fresh is a danger.
     
    Bruce Barnett, May 15, 2004
  12. $DRIFT ON

    I don't know which Windows version you use, but you may want to have a
    look at TweakUI's "Activation follows mouse (X-Mouse)" facility on its
    Mouse tab. That will give you focus-follows-mouse.

    I have used TweakUI on NT and 2000. I only have an old pointer which
    does not mention XP, but I assume that there is an XP version or
    equivalent:

    http://www.microsoft.com/ntworkstation/downloads/PowerToys/Networking/NTTweakUI.asp

    I hope this helps.

    $DRIFT OFF
     
    Frank Slootweg, May 15, 2004
  13. Duane,

    What is the problem here? I don't care how often you misspell it, Linux is
    still more secure than Windows. Personal attacks are a last resort of the
    desperate who can no longer turn to reason.

    The BSD's (including OS/X) are probably more secure than Linux. Here is why
    I think Windows is less secure than the *nix platforms.

    1) XP & Server 2003 are stable & the UI is lovely, that makes them useful,
    but it doesn't address security. In fact, all the code that makes it
    lovely and easy to use makes Windows insecure.
    2) With a *nix, you have vastly more control to run applications with
    restricted privileges. This really matters- it makes it harder to get
    rooted. Tools like su, sudo and systrace have no comparable tool in
    Windows.
    3) With a *nix box, you don't need to have a web browser, or even a GUI.
    This really helps security. If you assume that coders produce bugs at a
    similar rate (a few per thousand lines of code perhaps), then the name of
    the game is reducing the number of lines of code. ESPECIALLY the number of
    lines of code that run with unrestricted permissions. I, and presumably an
    uberhacker like yourself, can build a minimal Linux kernel & load only the
    services that you need. Since this is a Firewall newsgroup, you can build
    a minimal Linux firewall that boots from a single floppy. Windows probably
    needs hundreds of times more code than these minimal distributions.
    4) I will bet that the Linux source code is cleaner than Windows source code.
    As we have found from the SCO lawsuit, much of the Linux code is common
    with the BSD codebase. This traces back to Bill Joy and the other
    legendary coders at Berkeley in the 80's. Microsoft has some great coders,
    but I don't think they are better on average than Bill Joy. Since then,
    much of this code has been being examined by students & researchers. Many
    of the students are mediocre, but a few are brilliant. They have been
    removing & finding bugs for over two decades.
    5) Many hackers hate Microsoft & take pleasure in breaking Windows.
    6) Internet Explorer is absolutely inexcusable. When my XP computers
    switched from IE to Firefox, my administration headaches dropped
    dramatically. There is a ton of spyware that is IE specific.
    7) By DEFAULT, XP Home Edition users are added with admin rights. Changing
    this permission to 'limited' makes a huge difference in security, but can
    break some games and other programs.
    8) UW Madison's CS department created the 'Fuzz test'. Open source beat
    commercial Unix. Commercial Unix beat Windows quite handily. This is
    pretty clear empirical evidence that is consistent with my

    -------
    PS. I don't run Linux, so don't flame me as a Linux fanboy.
    -------
    PPS. The 'Vulnerable by default' is a jab against the recent 'Secure By
    Default' PR campaign by Microsoft. This is very simple to understand as it
    applies to a firewall. closed = secure, open = not closed = not secure =
    vulnerable. So, 'vulnerable by default' simply means that the OS ships
    with ports open.
     
    Robert Folkerts, May 16, 2004
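The "vulnerable by default = ships with ports open" definition in the PPS above, Grant Wagner's point that Apache and sendmail come up out of the box on some distributions, and Bruce Barnett's rootkit-before-the-first-update story all come down to the same check: know what a box is listening on before it is connected. The script below is an added example, not code from this thread; it reads `ss -Hltnp` output (a constructed sample is embedded so it runs offline), separates loopback-only listeners from network-exposed ones, and flags exposed listeners that are not on an allowlist. The allowlist, the sample lines and the process names in them are assumptions of the example.

```python
"""Audit which services a host exposes to the network before it goes online.

Added example, not code from the thread. Parses `ss -Hltnp` output, classifies
every TCP listener as loopback-only or network-exposed, and flags exposed
listeners whose port is not on an allowlist. Sample data and allowlist are
assumptions of the example.
"""
import re
import subprocess

# Constructed sample in `ss -Hltnp` format (-H suppresses the header line).
SAMPLE_SS = """\
LISTEN 0 128    0.0.0.0:22       0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511    0.0.0.0:80       0.0.0.0:* users:(("apache2",pid=1401,fd=4))
LISTEN 0 100    127.0.0.1:25     0.0.0.0:* users:(("sendmail",pid=990,fd=5))
LISTEN 0 128    [::]:22          [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0 50     *:139            *:*       users:(("smbd",pid=1533,fd=35))
LISTEN 0 4096   127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=540,fd=13))
"""

WILDCARD = {"0.0.0.0", "*", "[::]", "::"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def scope_of(addr: str) -> str:
    """'loopback' for 127/8 and ::1; 'network' for wildcard or interface addresses."""
    if addr.startswith("127.") or addr in ("[::1]", "::1"):
        return "loopback"
    return "network"


def parse_listeners(ss_output: str) -> list:
    """Turn `ss -Hltnp` lines into dicts; tolerates missing process info (non-root)."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        addr = addr.split("%", 1)[0]  # strip a scope/interface suffix such as %lo
        m = PROC_RE.search(line)
        proc, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        listeners.append({"addr": addr, "port": int(port), "process": proc,
                          "pid": pid, "scope": scope_of(addr)})
    return listeners


def audit(ss_output: str, allowed_ports) -> list:
    """Attach a verdict: local-only, allowed, or UNEXPECTED (exposed and not allowed)."""
    findings = []
    for l in parse_listeners(ss_output):
        if l["scope"] == "loopback":
            verdict = "local-only"
        elif l["port"] in allowed_ports:
            verdict = "allowed"
        else:
            verdict = "UNEXPECTED"
        findings.append({**l, "verdict": verdict})
    return findings


def unexpected(ss_output: str, allowed_ports) -> list:
    """Sorted, de-duplicated (process, port) pairs that should not be reachable."""
    return sorted({(f["process"], f["port"]) for f in audit(ss_output, allowed_ports)
                   if f["verdict"] == "UNEXPECTED"})


def live_audit(allowed_ports) -> list:
    """Same check against the running host; run as root so -p can name every owner."""
    out = subprocess.run(["ss", "-Hltnp"], capture_output=True, text=True, check=True).stdout
    return audit(out, allowed_ports)


if __name__ == "__main__":
    for f in audit(SAMPLE_SS, {22}):
        print(f"{f['verdict']:10} {f['process']:16} {f['addr']}:{f['port']}")
```

Run it against the live host with `live_audit({22})` (as root, otherwise `ss -p` cannot name processes it does not own) before the machine is put on a network, and treat every UNEXPECTED line as either a service to disable or a port the host firewall must block until the package behind it is patched. Note that the sendmail line in the sample is bound to 127.0.0.1 and so is not a finding; the same daemon bound to 0.0.0.0 would be.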
    I won't agree that every security patch is equal to a Windows security
    patch. Look at http://openbsd.org/errata34.html This is a list of fixes
    for OpenBSD 3.4, which is now six months old. I guess you could say this
    is 18 patches which are security/reliability fixes.

    However, each patch is something like 10-50 lines long. How large is a
    typical windows patch? A small patch is something like 1 MB. So, 1 MB
    would correspond with several hundred of the OpenBSD patches.

    What is a reasonable comparison? Number of patches? Size of patches? I
    don't think there are easy answers.
     
    Robert Folkerts, May 16, 2004
  15. the conclusion that this leads to "just as many attacks and worms hitting
    Linux" is nonetheless merely a theory or hypothesis.
    you are right, nobody did. i just thought it would be appropriate to do an
    apples-to-apples comparison to the alternative, which, i assumed, would be
    the kettles with an xp/home box.
    all distros that i recently installed (and that's quite a few, because i was
    looking around for a suitable one for a set of machines at home) would let
    you select whether you wanted to install web/email servers. evidently, you
    might argue now that the kettles misunderstood that option for whether they
    wanted email and web access, and mistakenly selected installing the servers.
    moreover, it would make those check boxes a prime target for drawing, say, a
    red box around them along with an explanation that you should select them
    only if you really, really knew what you were doing. i'd expect that this
    would fix most of the issues, would you not agree?
    i believe no such thing. i do think that the fact that you can use your
    system, and continue to use it, in user mode, while still being able to
    install software, drivers, and the like, is an important characteristic that
    improves security and has nothing to do with the qualification of users.
    the way machines are set up here by default (i cannot vouch for whether this
    is xp default, because i never personally installed an xp system, and i do
    not intend to), they do reboot spontaneously, whenever their automatic check
    for updates was successful. and yes, this happened to me while popping out
    of the office for a short while (<1h).

    [snip]
    not quite sure what it takes to deserve the label "professionally
    maintained" according to you, but i have worked in a number of shops that
    used windows machines, had people with corresponding letters after their
    names maintain them for a living, and without exception those things went
    "belly-up" pretty much on a regular basis, in all of these places.
    that's right, i did.
    and i said that i will reserve judgment on its contribution to the security
    of windows boxes until i see it happening.
    personally, i find it is too late in the game to be worried about
    "improvements" that concern the delta between two related ms products at
    different points in time. the interesting improvement is one that concerns
    the security of one's machines, and the most dramatic improvement of this
    kind can be obtained by installing some open source operating system. in
    contrast to the "improvement" you discussed [iis in windows 2003], this one
    is free, and its cousins are guaranteed to remain free in the future.

    it used to be the case that this strategy was only viable for a few
    specialists because, say, linux was harder to install and use than windows,
    and thus no option for, e.g., the kettles. those days have come to an end.

    -- j


    [snip]
     
    Jörn W. Janneck, May 17, 2004
