Blasted Blaster

I'm puzzled...practically at a loss for words. The cause? The fact that yet again, Microsoft finds and patches a vulnerability before an exploit is widely available, and still, hundreds of thousands of computers are infected. This is inexcusable.

Home users get something of a break, if only because many of them are simply ignorant of good security practices (rule #1: use NAT, or a firewall, to close any unused ports). Yes, they should be patching their computers, but too often they don't. But the really amazing thing is the number of businesses or government agencies getting hit hard. The DMV in Maryland shut down yesterday because of this worm. I want to know who's responsible for network security at the DMV, and I want them fired...NOW! I'm glad I don't live in Maryland (though I suspect my state may not be much better), given that this worm could potentially have been designed to lift information from computers, rather than just stage a DDoS attack.

What's the point of this rant? Just this...we, the more computer-savvy of society, have a responsibility to do what we can to prevent crap like this. The reality is that software is never going to be perfect, as long as humans are writing it. And Microsoft is in a bind because consumers would freak if Microsoft shipped their OS with the firewall and automatic updates enabled. So, IMO, it is incumbent on us to educate our less computer-savvy friends, relatives, and even those we work with (bosses, co-workers, and even clients) about the importance of firewalls, patching, and other important security practices. We can make a difference, if we make the effort.

OTOH, perhaps a better idea would be to institute a system of fines in which each time your computer is infected with a worm or other malware that can cause problems for others, you're fined $50. Perhaps a hit in the pocketbook would make people more aware of taking the necessary steps to secure their machines.

Keith Warren even suggested the idea of writing worms to “vaccinate” vulnerable machines:

It all makes me wonder why we have not evolved in this fight much in the way that the medical field does. I am talking about vaccination. Vaccines in large part work by giving a small dose of the problem, and I do not understand why we do not take that little tidbit and run with it. After knowledge of the vulnerability was available, someone could have created a worm vaccine that replicated and propagated itself in an identical fashion but had an actual purpose: to download and install the patch! Doing this coupled with a patch campaign would significantly reduce the attack surface.

It's a clever idea, but obviously one that won't fly legally. Any other ideas for preventing worm/virus propagation and getting users/managers/admins to take security seriously? I'd love to hear them.

6 Comments

  • "I want to know who's responsible for network security at the DMV, and I want them fired...NOW!"

    It may not be that person's fault: I know of at least two companies that applied Microsoft's security patch on all computers in-house, but were infected when a remote user connected to the network.

  • Doug,

    That's a good point regarding patches breaking things...but it doesn't address the issue of firewalls. There have been a number of issues that have come up (the SQL worm was one) for which I had a machine that wasn't patched (since the MSDE patch was so difficult to install), but was never affected by, because none of the ports used by the worm were open in my router.

    Phil,

    You're right that the problem at the DMV could have been remote users...I've got a colleague who had exactly that problem at his business. But my take on it is that if they're going to allow workers to connect to the office LAN from home without restricting the ports they can access, then the network security folks need to be sure that those workers are keeping their machines up to date. So perhaps there's enough blame to go around, but at the end of the day, the IT people at the DMV have to take responsibility for the security of their network.

  • I believe it was the LoveBug virus where it had gotten so out of control that some developers *were* writing "hacks" that would basically hack a target machine, clean the virus, and leave a little text file on their desktop stating such.

    Obviously, it's not legal, but when will we consider these security issues out of hand, and take these types of steps each time?

  • Good question, Jason. I should add that I'm not categorically against a little "white hat" hacking in an effort to stem the tide of such attacks. But it's clearly not legal, as you state, and it also has the potential to cause more problems than it solves, particularly if the "white hat" isn't as skilled as they think they are.

    IOW, writing virii/worms to fix vulnerabilities is a nice fantasy, but I think a real-world implementation is problematic.

  • Nononononnononononooooo!

    You obviously haven't worked in the trenches with end-users who struggle to find the start button, or get confused when you tell them to open an internet page when they only have intranet pages.

    There simply has to be an auto-setting, a complete "I am an idiot, do everything for me" setting. We take for granted our instinctive ability with computers, just as my joiner takes for granted his skill with a chisel. But you wouldn't want to let me loose with a chisel (trust me).

  • Damian,

    I don't really disagree with what you say...but I don't think that an "I'm an idiot" setting is realistic. Part of the problem is that people don't trust Microsoft sufficiently, so if they released an OS in which the default was all ports closed, and auto-update enabled, people would scream that Microsoft was trying to "control everything".

    That said, would I like to see a link on the desktop in XP that says "Lock down this machine" that turns all security defaults to their tightest? Sure would. But I don't think that's a panacea, because many people still wouldn't use it.

    The problem isn't the people who know that they're not computer savvy. Many of them will ask for advice and attempt to keep on top of things as best they can. It's the people who think they know what they're doing, won't ask for help, run all kinds of free downloaded software, etc. that are the problem, and these are the very people who would never use the "I'm an idiot" setting if it existed.

    If you can't trust your users to take care of themselves, then the only secure option is to limit the trust they have on your network. As long as you allow untrusted users to access your network, you're going to be vulnerable to problems like this. The solution is a question of policy in this case, not software, IMO.