
08/24/2003 Entry: "Farber asks, I answer"

Dave Farber, the postmaster of the Interesting People email list, asks how worms and viruses of the SoBig and Blaster variety can be avoided in the future. I wrote up some suggestions and scenarios.

Dave,

A few very doable fixes to stop most worms and viruses.

1. Microsoft must make their next Service Pack for both XP and 2000 set
autoupdate to "install without asking." It should warn the users it's doing
this so advanced users can disable it.

2. Microsoft should also turn XP's firewall on by default. I believe they
are planning on doing this in the near future.

3. MS could develop a "security wizard." Kind of like its Baseline Security
tool but for the home user. It runs, sees if your MS networking ports are
open to the world, checks to see if you're behind a firewall, etc and gives
you tips. It should auto-run every 30 days unless it's deactivated.

4. Outlook/Outlook Express should refuse to open any attachment that is a
true executable or script like exe, vbs, pif, etc. The user should be
forced to save the file to his or her hard drive first. This will stop
accidental double clicks and give the AV software a chance to scan the file.
So instead of "Open this?" the dialog box will say "Where do you want to
save this potentially dangerous file?" Also users without AV should be
warned by their OS or mailer. "Warning: I can't detect an anti-virus
program on your computer!"

5. Corporate networks must block port 25 from the inside. This will keep
client computers from becoming spam machines.

6. Residential ISPs must block all RPC and Windows networking ports. My
cable modem provider blocks Windows networking and it's probably saved us
from collapsing more than a couple times over the years. Add ports 135, 445,
etc and we'll be sitting pretty. Users can always do HTTP or FTP downloads
and uploads.

The bright side of the current situation is that the worse these worms and
viruses get, the more incentive IT managers have to buy better protection and secure
their networks. I'm sure funding to buy an SMS package, AV on the mail
server, etc is much easier to get now than it was last week. Not to mention
many higher ups want to know why they got 500+ emails during lunch and why
their IT department isn't doing anything about it.

The downside is that there's a certain balance to maintain. If worms get
worse before security gets better, then we might just see a virus with the
penetration of SoBig but instead of attacking windowsupdate.com it will
corrupt the registry on the local computer, corrupt all documents on all
drives (including networked drives), etc on a set date. So far the popular
worms and viruses have been very, very benign.

As far as the 'get a Mac' comment goes, well, the computer I'm using right
now has been upgraded to the point where it can't be upgraded any further.
My next machine will probably be OSX with this and my laptop running 2K.

Mike Skallas

Replies: 1 Comment

If my residential ISP did as you suggest in #6 without asking me, he'd lose me as a customer. Rather, residential ISPs should teach the user about security and the value of port blocking and offer port blocking as a feature, perhaps offered even as a default and then let sophisticated users act as they will. I use a hardware firewall that does stateful packet inspection and allows me to do my own port blocking (if I want to do so). I don't want my ISP making choices for me and my family.
/Steve

Posted by Steve Davidson @ 08/30/2003 09:22 PM CST
