SQL Slammer Worm - Whose Fault and How to Fix?
Posted 09 February 2003 - 03:48 AM
I have heard it is a lot of SysAdmins' faults because they could've secured their network better (any security links would help because this is SERIOUS and I'm in my MCSE training so this is what I'm going to be doing).
Then people say it is M$'s fault for releasing a patch that breaks another patch, or having interlinked software to begin with. Others say Windows sucks, don't use it.
Then you have the people who say that, well, you should've been using *nix, because it is more secure, and something like this would never happen.
So whose fault is it, and more importantly, how do we as internet users stop something like this from happening? The internet is becoming more and more a staple of [Sub]urban life, and this recent attack even made ATMs useless and Seattle's 911 Service inoperable. So not only is this affecting networks, but other things people use in day to day life.
The question left to ask is when and what is the next attack going to do?
Posted 09 February 2003 - 09:37 AM
Posted 10 February 2003 - 12:09 AM
Most SQL Admins would not install a major SP, such as SP3, without a month or two of testing to be sure it doesn't have any undocumented surprises... or other unexpected side effects.
And, what a royal pain it was to apply the two patches (which had to go on SP2)? This was not a matter of just clicking on a web link, sitting back, and rebooting an hour later; this required moving files around, or writing a script to do that. And if you applied the security patch without first applying the fix for the memory leak...
So, in my view, MS is getting away with murder if most of the world thinks that it was lazy or ignorant sysadmins who couldn't be bothered keeping their machines patched.
I agree with you that's not a good thing, but it is the fault of MS, not the admins, in my opinion.
Anyways, just figured I should share some $0.02
Posted 11 February 2003 - 12:56 AM
Posted 11 February 2003 - 03:30 AM
Now should I come out and say "it is the Admin's fault" .... well then I would be implying that my boss was either misinformed or incompetent
Lemme side step with this ....
Accidents don't happen, they are caused. Caused by either neglect or stupidity. Having our SQL servers exposed to the internet, was not an accident (library catalog web servers and such). Yet having them unpatched and having the ACL on the PIX for them wide open .... well maybe that was an accident...
In the end, I blame both MS and poor administration.
Just think Clutch, when everything gets ported over to DB filesystems and everyone runs MSDE just to access their MP3s ....
The entire planet is getting more and more database enabled...
Either people will get serious about security, or there will be wailing and gnashing of teeth
End of Rant ... Thank you Clutch and others for putting up with that
Posted 11 February 2003 - 06:14 AM
Most of the issues can be avoided by simply eliminating connection to ports that shouldn't be open to begin with. Next, allow *only* what transactions/commands to be executed with a default "off" for everything else (like in URLScan) to prevent new tricks from attacking both old and new exploits.
So, did you get t-boned with this one? You don't seem like the type to get nailed on it (yeah, a rarity, that was a *compliment*; you may commence with the "oooohs" and "ahhhhhs") so I would imagine it was before you could catch it, or you were under the impression someone else had it under control.
As for me, I can generally count on one hand the amount of ports per IP that I allow through my firewall, so monitoring this is much easier. Also, since I am in charge of these things, I can do whatever the hell I please with complete disregard for others.
Posted 11 February 2003 - 06:30 AM
Nah, I was too busy filling out TPS reports *1*
Boned at exactly 12:39 AM, Saturday, EST
Bulls Eye ... My responsibilities include, but are not limited to AD, Exchange2000, Wireless, blah blah .... however PIX administration and SQL servers belong to others ... who are, shall I say, less informed
However everyone in my department plays janitor when one person makes a critical error into a huge problem.
Takes a bow
Then again, the "oooohs" and "aaaahhss" were replaced with grunts and "@#^%!^!&" as Ipsentry kept paging me throughout the night.
A lesson well learned apparently from previous mistakes.
*1* Quote from Office Space .... great movie
Posted 11 February 2003 - 06:00 PM
mr. clutch hit the nail on the head. it used to be u had to know how to use a computer to set one up and it took a few years of experience. everything is so automatic that anyone can set up a sql server.
i wonder if it will come down to having to be licensed to operate a server or a specific type of server on the internet.
man doesn't that open a can of worms.
Posted 12 February 2003 - 12:29 AM