Tuesday, September 13, 2005

firewall-wizards digest, Vol 1 #1669 - 10 msgs

Send firewall-wizards mailing list submissions to
firewall-wizards@honor.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@honor.icsalabs.com

You can reach the person managing the list at
firewall-wizards-admin@honor.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."

Today's Topics:

1. RE: The home user problem returns (Hawkins, Michael)
2. RE: The home user problem returns (Tina Bird)
3. Re: The home user problem returns (Jim Seymour)
4. RE: The home user problem returns (R. DuFresne)
5. RE: The home user problem returns (Tina Bird)
6. RE: The home user problem returns (Marcus J. Ranum)
7. RE: The home user problem returns (Jim Seymour)
8. Re: The home user problem returns (Jim Seymour)
9. RE: The home user problem returns (Jim Seymour)
10. RE: The home user problem returns (lordchariot@earthlink.net)

--__--__--

Message: 1
Subject: RE: [fw-wiz] The home user problem returns
Date: Tue, 13 Sep 2005 20:06:00 -0400
From: "Hawkins, Michael" <MHawkins@TULLIB.COM>
To: "hermit921" <hermit921@yahoo.com>,
<firewall-wizards@honor.icsalabs.com>

Look what was said some time ago:

"The superior man, when resting in safety, does not forget that danger
may come. When in a state of security he does not forget the possibility
of ruin. When all is orderly, he does not forget that disorder may come.
Thus his person is not endangered, and his States and all their clans
are preserved." -- Confucius

Ask yourself this question: Why did Confucius feel the need to say the
above? Was it because all people are constantly aware of existing and
new threats as they exist in and around their environment? Or was it
because Confucius knew that people were habitually forgetful entities
that quickly fall into the most hideous comatose states before a
repeated unwanted event wrenches them back to reality where they linger
only momentarily in their sorrow before falling back into the same
comatose life, happily cruising along into their next repeated
misadventure?

Mike Hawkins

Office: 212-208-3888

Mobile: 917-887-3614

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of
hermit921
Sent: Tuesday, September 13, 2005 6:46 PM
To: firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] The home user problem returns

I will weigh in with my experience. About 2000 users in my company, and
nearly 20% of them managed to get infected during one week a year or two
ago. That mess generated enough pressure that many of the desktops now
have patches forced onto them, but almost none of the users learned
anything. I take that back, several of them learned I am a NUT, because I
said Internet Explorer isn't safe to use.

On the good side, I have a friend who is almost totally computer
illiterate, but has never had a virus or spyware or any other malware.
Rule #1: never double click any attachment. If you have to open it, choose
a program that should open that type of file and do a File -> Open.
Blindly following these rules has kept her safe for over 10 years. So I
know people can learn, at least by rote, regardless of understanding.
Rule #2: never use Microsoft software. This probably helps an immense
amount, too.

hermit921

At 10:09 AM 9/13/2005, Scott Pinzon wrote:
>I've been watching with a certain morbid fascination as Marcus has
>ranted in his own blog and in FW-WIZ (and who knows where else) that
>educating users about security is one of the "dumbest ideas" and "if it
>was ever going to work, it would have by now." I have tremendous respect
>for you, Marcus (especially since you have, I dunno, six times the years
>in computer security that I do). But I can't help feeling, in my
>pipsqueak opinion, that on this one you're way off base.
>
> My reasoning, in short:
>
>-- Ignorance is never better than knowledge in any realm. But particular
>to network security, my experience is that most clueless users are also
>people of good will who will cease dangerous behaviors once they
>understand those behaviors ARE dangerous.
>
>-- Educating users is another layer in "Defense in depth." If 10 out of
>100 users click evil email attachments, and through education you reduce
>that to 3 out of 100, you've improved that layer.
>
>-- Educating users has been proven to work at company after company.
>Help desk calls, viral infections, falling victim to phishing emails,
>and more, have been quantitatively and demonstrably reduced at companies
>that institute end-user security training.
>
>-- And how do you know "it" (educating end users) is not working? We
>have no before/after comparison on what the Internet would be like if
>all of us who preach security had stopped five years ago.
>
>Maybe I'm misunderstanding you, but my take-away from your blog article
>is that you are so discouraged by end-user ignorance, you think we
>should all stop wasting our breath on them. Your recommendation is that
>we set up an environment through quarantining and what-not where users
>have no opportunity to hurt themselves. In rebuttal, I cite the crusty
>old maxim, "Genius has its limits, but stupidity is infinite." We CAN'T
>(through technology) create an environment where clueless users can't
>hurt themselves. To keep a network secure, we need users on our side. We
>can get them there if we try.
>
>Am I really the only one on this list who thinks so? Or Marcus, did I
>misinterpret you?
>
>
>SCOTT PINZON, CISSP
>Editor-in-Chief, LiveSecurity Service
>WatchGuard Technologies, Inc.
>505 5th Ave. South | Suite 500 | Seattle | WA | 98104
>206.613.6648

[deleted]

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

--__--__--

Message: 2
From: "Tina Bird" <tbird@precision-guesswork.com>
To: "'Marcus J. Ranum'" <mjr@ranum.com>,
"'Mason Schmitt'" <mason@schmitt.ca>
Cc: "'Paul D. Robertson'" <paul@compuwar.net>,
"'Kevin'" <kkadow@gmail.com>, <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Tue, 13 Sep 2005 17:07:36 -0700

> Now, look at Internet security. If I educate 50% of the
> population about the
> need to worry about security, I still lose - horribly -
> because the other 50% of
> my population fails and their machines are used to attack the
> educated 50%!!
> That wouldn't be a problem except for transitive trust(*) - a
> big chunk, I have
> no idea how big, of the educated 50% would find themselves
> vulnerable to
> attacks from trusted parties and would be vulnerable, and
> then you'd very
> quickly be left with the only survivors being those who
> didn't trust anyone.

hmm. transitive trust is certainly a big problem. however...if your "aware"
population follows a couple of obvious rules (install patches*; run an AV
and maybe a PFW**), they're more than likely not gonna get hammered by the
vicious mindless auto-propagating crap. so all of a sudden your disease
isn't rampaging.

the sophisticated attacks that are likely to affect the "aware" folks are
less likely to spread on their own. at least that's how it was while i was
at stanford.

cheers - tbird

--

* yeah, i know. turd polishing. but just enable auto-updates on your OS of
choice and stop thinking about it.

** i'm unconvinced about the value of firewalls on an endpoint system if
you're able to disable incoming connections. when i'm anywhere but in my
living room, i disable the MS client for networks on my laptop, and all
those nasty MS-protocol-borne attacks go away.

--__--__--

Message: 3
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns
Reply-To: firewall-wizards@honor.icsalabs.com
Date: Tue, 13 Sep 2005 20:16:27 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)

"Marcus J. Ranum" <mjr@ranum.com> wrote:
>
> Mason Schmitt wrote:
[snip]
>
> >User education
> >----------------
> >User education still needs to happen
>
> Pointless. If educating users was going to work, it would have worked
> by now. If Anna Kournikova worm and phishing hadn't gotten people
> to take this seriously years ago, they aren't going to next year, either.
[snip]
>

It may be pointless in home user space, but, IME, it's most definitely
*not* pointless in the workplace. I regard end-user education as one
of my best defenses. And it has worked for me.

Some things that've no doubt helped: Relatively small company--only 150
or so desktops. Good support from management: Official dispensation to
*immediately* remove from the network misbehaving machines. I once
disconnected an entire R&D department. Another time I suspended a
manager's account (for password sharing). I'm allowed Draconian email
filtering at the mail gateways. Most of that same filtering is done on
internal mail servers. But still: End-user education is an important
component. I have somebody either come to me or email me about how "I
received this, and it looked suspicious, so I didn't open it. Do you
want to see it?" on a fairly regular basis.

Result: We haven't had a single virus/worm/Trojan get loose on the
network, with *one* exception, in the six years I've been working for
my current employer. That one exception was a "day 0" kind of a thing,
infected .zip file, sent from the outside to somebody that was
expecting an email, with an attachment, from that person. (It didn't
get far. As luck would have it: Soon after he opened that attachment,
I had logged-in remotely because of the advisories, detected the spoor,
and shut down all the mail and POP servers until I got in the next
morning.)

Jim

--__--__--

Message: 4
Date: Tue, 13 Sep 2005 20:19:33 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
To: Scott Pinzon <Scott.Pinzon@watchguard.com>
Cc: "Paul D. Robertson" <paul@compuwar.net>,
Chris Blask <chris@blask.org>, Mason Schmitt <mason@schmitt.ca>,
"Marcus J. Ranum" <mjr@ranum.com>,
firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] The home user problem returns
Organization: sysinfo.com

On Tue, 13 Sep 2005, Scott Pinzon wrote:

> I've been watching with a certain morbid fascination as Marcus has
> ranted in his own blog and in FW-WIZ (and who knows where else) that
> educating users about security is one of the "dumbest ideas" and "if it
> was ever going to work, it would have by now." I have tremendous respect
> for you, Marcus (especially since you have, I dunno, six times the years
> in computer security that I do). But I can't help feeling, in my
> pipsqueak opinion, that on this one you're way off base.
>
> My reasoning, in short:
>
> -- Ignorance is never better than knowledge in any realm. But particular
> to network security, my experience is that most clueless users are also
> people of good will who will cease dangerous behaviors once they
> understand those behaviors ARE dangerous.
>
> -- Educating users is another layer in "Defense in depth." If 10 out of
> 100 users click evil email attachments, and through education you reduce
> that to 3 out of 100, you've improved that layer.
>
> -- Educating users has been proven to work at company after company.
> Help desk calls, viral infections, falling victim to phishing emails,
> and more, have been quantitatively and demonstrably reduced at companies
> that institute end-user security training.
>
> -- And how do you know "it" (educating end users) is not working? We
> have no before/after comparison on what the Internet would be like if
> all of us who preach security had stopped five years ago.
>
> Maybe I'm misunderstanding you, but my take-away from your blog article
> is that you are so discouraged by end-user ignorance, you think we
> should all stop wasting our breath on them. Your recommendation is that
> we set up an environment through quarantining and what-not where users
> have no opportunity to hurt themselves. In rebuttal, I cite the crusty
> old maxim, "Genius has its limits, but stupidity is infinite." We CAN'T
> (through technology) create an environment where clueless users can't
> hurt themselves. To keep a network secure, we need users on our side. We
> can get them there if we try.
>
> Am I really the only one on this list who thinks so? Or Marcus, did I
> misinterpret you?

If end-user education was the answer and worked in any sense effectively,
then a number of companies that make their entire income from this, in the
corporate market, would be working themselves out of existence. We'd also
have witnessed a dramatic decrease in the home user issue due to the
fact that most home users also are in their employment dealing with
computers and end-user training in the workplace. Some of those "well
learned and honed habits" should have migrated home with them.
Seriously, I've worked in security settings such as MSSP's whence
ten minutes after the user training about how to handle e-mail and
attachments properly and safely a tech on the front lines cubicle next to
me, as well as a manager in the office on management row down the hall, both
unleashed the current variant of virus upon the whole network.

Again, part of the problem is greed, and the other part of the problem is
that people tend to have this erroneous attitude that what happens on the
network/internet/home net/their desktop at work/desktop at home, is not
life impacting, as networking and computing are becoming integral to our
daily life functions and interactions as a whole. Both tend to help
foster what Marcus talks of: the tendency to think "h4cking 1s c00l" and an
end to a means to get a good paying job in the industry.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

-Tom Robbins <Still Life With Woodpecker>

--__--__--

Message: 5
From: "Tina Bird" <tbird@precision-guesswork.com>
To: "'Paul D. Robertson'" <paul@compuwar.net>,
"'Scott Pinzon'" <Scott.Pinzon@watchguard.com>
Cc: "'Chris Blask'" <chris@blask.org>,
"'Mason Schmitt'" <mason@schmitt.ca>,
"'Marcus J. Ranum'" <mjr@ranum.com>,
<firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Tue, 13 Sep 2005 17:18:32 -0700

> Well, statistics would probably bear him out. Anna
> Kournikova was big
> enough and fast enough that it *should* have been all the
> wake-up call we
> needed. I remember talking to someone who recounted an end-user
> experience-
>
> Admin: "Why did you click on the virus, didn't you see all
> the press coverage?"
> User: "Yes, I wanted to see what it would do!"

**chuckles ruefully**

it isn't just end users who do that. while i was at counterpane, one of our
customers told us that s/he was glad they'd been compromised by nimda,
because it was exciting to be affected by something that got CNN
coverage...

/me returns to pounding forehead with large rock

--__--__--

Message: 6
Date: Tue, 13 Sep 2005 20:17:24 -0400
To: "Tina Bird" <tbird@precision-guesswork.com>,
"'Mason Schmitt'" <mason@schmitt.ca>
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: RE: [fw-wiz] The home user problem returns
Cc: "'Paul D. Robertson'" <paul@compuwar.net>,
"'Kevin'" <kkadow@gmail.com>, <firewall-wizards@honor.icsalabs.com>

Tina Bird wrote:
>if your "aware"
>population follows a couple of obvious rules (install patches*; run an AV
>and maybe a PFW**), they're more than likely not gonna get hammered by the
>vicious mindless auto-propagating crap. so all of a sudden your disease
>isn't rampaging.

Nope. Because the network is down, the users that have gotten clobbered
are all standing around the coffee machine drinking coffee and whining instead
of working, and the "smart" people who defended themselves will have to:
a) fix the dumb people's computers
b) pick up the slack in productivity while the dumb people are down
c) have dumb people complaining to them
d) lose their minds

What I am trying to get across to you is that stupidity is multiplicative
whereas smart is incremental. Dumbness can rapidly go non-linear and
the Internet is an amplifier for dumbness. That's why blogs are going to
be the end of the world. ;)

mjr.

--__--__--

Message: 7
To: firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] The home user problem returns
Reply-To: firewall-wizards@honor.icsalabs.com
Date: Tue, 13 Sep 2005 20:18:48 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)

"Brian Loe" <knobdy@stjoelive.com> wrote:
[snip]
>
> I think you're wrong. I don't think an ISP should baby-sit anymore than I
> think the government should. We are all responsible for our own actions.
> That's life. Its called personal responsibility and I support it
> wholeheartedly.
[snip]

Baby-sit? I agree: No, they should not. But the ISP *is* providing
the transport to the 'net. If they detect or are informed of abuse
coming out of their space, I believe they have a responsibility to stop
transporting that abuse.

Jim

--__--__--

Message: 8
To: firewall-wizards@honor.icsalabs.com
Subject: Re: [fw-wiz] The home user problem returns
Reply-To: firewall-wizards@honor.icsalabs.com
Date: Tue, 13 Sep 2005 20:23:35 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)

Mason Schmitt <mason@schmitt.ca> wrote:
>
[snip]
>
> As has been pointed out on this list many times and even in this thread,
> the average home user does not have the knowledge or resources to really
> be responsible for the actions of their computers or those using them
> for their own nefarious purposes.
[snip]

So? They're still responsible for their own property. If I go out and
buy a firearm or automobile, fail to obtain adequate instruction in its
safe use, and subsequently create mayhem with it, will I be excused
from penalty because I didn't know what I was doing? I think not.

That being said: ISPs *could* somewhat mitigate against the clueless at
the DSL/cable modem, if they wanted to.

Jim

--__--__--

Message: 9
To: firewall-wizards@honor.icsalabs.com
Subject: RE: [fw-wiz] The home user problem returns
Reply-To: firewall-wizards@honor.icsalabs.com
Date: Tue, 13 Sep 2005 20:31:55 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)

"Behm, Jeffrey L." <BehmJL@bvsg.com> wrote:
[snip]
>
> Correct. *You* are responsible for what *You* do with the gun(computer).
> That shouldn't be extrapolated into what *others* do with your
> gun(computer) without your consent.
>
> Are you held responsible for robbery if someone steals your gun and then
> commits a robbery with it, just because you left it lying on your desk
> inside your house?
[snip]

Although perhaps you shouldn't be, you may well be found to be. Well,
not the robbery, probably, but if anybody's shot with your stolen
gun... (Caveat: IANAL.)

Jim

--__--__--

Message: 10
From: <lordchariot@earthlink.net>
To: "'R. DuFresne'" <dufresne@sysinfo.com>,
"'Mason Schmitt'" <mason@schmitt.ca>
Cc: <firewall-wizards@honor.icsalabs.com>
Subject: RE: [fw-wiz] The home user problem returns
Date: Tue, 13 Sep 2005 20:34:00 -0400

> beside ingress and egress filtering, how much might ISP's suffer for
> correcting some of the windows network protocol errors by not passing
> ports 135-139, 445 and 5000 etc across perimeters? Or even allowing
> them to broadcast within the ISP's realm? Certainly would work to neuter
> the M$ issues to a low noise level would it not?

In the last 20 minutes it took to read the last batch of posts, I got 8
probes to 445 or 139.
Of course, I'm denying all this so there is little threat to me, but I like
to keep an eye on this kind of traffic to give me a feel for what's out
there in the wild.

Sep 13 19:42:57 PF SRC=71.0.173.129 DST=192.168.2.10 PROTO=TCP SPT=2633 DPT=445
Sep 13 19:44:06 PF SRC=71.0.243.133 DST=192.168.2.10 PROTO=TCP SPT=3767 DPT=445
Sep 13 19:48:54 PF SRC=71.0.243.133 DST=192.168.2.10 PROTO=TCP SPT=2574 DPT=445
Sep 13 19:58:04 PF SRC=71.0.129.190 DST=192.168.2.10 DF PROTO=TCP SPT=1592 DPT=445
Sep 13 19:59:10 PF SRC=86.193.83.45 DST=192.168.2.10 DF PROTO=TCP SPT=3416 DPT=139
Sep 13 19:59:13 PF SRC=86.193.83.45 DST=192.168.2.10 DF PROTO=TCP SPT=3416 DPT=139
Sep 13 19:59:19 PF SRC=86.193.83.45 DST=192.168.2.10 DF PROTO=TCP SPT=3416 DPT=139
Sep 13 20:01:53 PF SRC=71.130.34.177 DST=192.168.2.10 PROTO=TCP SPT=37388 DPT=445

However, I think all ISPs should be filtering all the MS networking ports by
default. I can think of no good business reason to allow it. This would go a
long way to mitigate many of the threats out there and it would reduce the
number of calls from relatives, friends, neighbors, strangers that want me
to help them clean out their infected machines.

Now the question is, should the filtering be a premium service that users
pay extra for, or is the UN-filtered traffic now premium that I have to pay
extra for the privilege of having?

Kudos to Mason for having some of the basic port blocking in place. This and
Anti-spoofing egress filtering should be must-haves for all ISPs.

erik
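As an added example (not from the post or anyone in the thread), a small Python parser for PF-style log lines in the shape erik pasted: it summarizes hits and distinct sources per destination port and flags the Windows networking ports (135-139, 445, 5000) that the quoted question proposes ISPs drop by default. The log sample is the eight lines from the post embedded inline; the field names SRC/DST/PROTO/SPT/DPT are taken from those lines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# The eight PF lines pasted in the post, embedded so the example runs offline.
SAMPLE_LOG = """\
Sep 13 19:42:57 PF SRC=71.0.173.129 DST=192.168.2.10 PROTO=TCP SPT=2633 DPT=445
Sep 13 19:44:06 PF SRC=71.0.243.133 DST=192.168.2.10 PROTO=TCP SPT=3767 DPT=445
Sep 13 19:48:54 PF SRC=71.0.243.133 DST=192.168.2.10 PROTO=TCP SPT=2574 DPT=445
Sep 13 19:58:04 PF SRC=71.0.129.190 DST=192.168.2.10 DF PROTO=TCP SPT=1592 DPT=445
Sep 13 19:59:10 PF SRC=86.193.83.45 DST=192.168.2.10 DF PROTO=TCP SPT=3416 DPT=139
Sep 13 19:59:13 PF SRC=86.193.83.45 DST=192.168.2.10 DF PROTO=TCP SPT=3416 DPT=139
Sep 13 19:59:19 PF SRC=86.193.83.45 DST=192.168.2.10 DF PROTO=TCP SPT=3416 DPT=139
Sep 13 20:01:53 PF SRC=71.130.34.177 DST=192.168.2.10 PROTO=TCP SPT=37388 DPT=445
"""

# Windows networking ports the thread proposes ISPs filter by default.
MS_NETWORKING_PORTS = frozenset(range(135, 140)) | {445, 5000}

@dataclass(frozen=True)
class Probe:
    timestamp: str
    src: str
    dst: str
    proto: str
    spt: int
    dpt: int
    flags: frozenset  # bare tokens such as DF that carry no "=value"

# syslog-style timestamp, the literal "PF" tag, then the key=value payload
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) PF (?P<rest>.*)$")

def parse_line(line: str) -> Optional[Probe]:
    """Parse one PF log line; return None for lines that do not match or lack a field."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        else:
            flags.add(tok)
    try:
        return Probe(m.group("ts"), fields["SRC"], fields["DST"], fields["PROTO"],
                     int(fields["SPT"]), int(fields["DPT"]), frozenset(flags))
    except (KeyError, ValueError):
        return None  # malformed line: skip it rather than abort the whole summary

def parse_log(text: str) -> list:
    return [p for p in (parse_line(l) for l in text.splitlines()) if p]

def summarize(probes) -> dict:
    """Per destination port: hit count, number of distinct sources, and whether
    the port is one an ISP-side MS-networking filter would have dropped."""
    hits = Counter(p.dpt for p in probes)
    sources = {}
    for p in probes:
        sources.setdefault(p.dpt, set()).add(p.src)
    return {port: {"hits": n,
                   "sources": len(sources[port]),
                   "ms_networking": port in MS_NETWORKING_PORTS}
            for port, n in hits.items()}

if __name__ == "__main__":
    for port, info in sorted(summarize(parse_log(SAMPLE_LOG)).items()):
        print(f"DPT={port}: {info}")
```

Run against the sample, every probe lands on a port the proposed filter covers, which is the point erik is making about "no good business reason to allow it".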

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
