Nimda, Slammer and the like

Now that Microsoft have released a patch for the recent DNS RPC vulnerability, IT Admins should be deploying it as quickly as possible. I was talking to a friend about this today and we got to talking about how the threat landscape has changed over the years.

Many years ago a vulnerability would be announced on Bugtraq or the like, Microsoft would rush a patch out, and then few people would deploy it. IT Admins would breathe easy because a patch was out, and things would continue.
Then the virus would hit. It would exploit a hole that had been patched MONTHS beforehand. After the problem was fixed and the virus cleaned out, tools or a white paper would be written on how the bug worked and how slack Microsoft was in making products with security holes in them.

Fast forward a couple of years and look at the operating system. It's reasonably secure out of the box, there are templates for making it more secure, and there are COPIOUS amounts of documentation on locking it down. How many people ACTUALLY lock down a new server? How many apply the security templates, or even take a template and modify it? Show of hands?

Thought so.

Why do we as IT Admins wring our hands and blame Microsoft for all the security woes on the planet when they provide us with things like security templates that very few use?

The threat landscape has changed. It's highly unlikely there will ever be another SQL Slammer, Nimda, Love Bug or Code Red style attack. It's just not worth it. With firewalls, IPS/IDS and anti-virus all over the place, writing a virus is actually quite difficult. It's even more difficult to get it unleashed on a network via email or similar, because people are aware of it.

The new threat landscape comes from information disclosure. It's now routine for applications to phone home and send anonymous information 'back to base' in order to 'improve the application'. I do wonder just what information is sent back. I also wonder just how many applications turn this ability on and do NOT TELL THE USER.
Obviously, if a vendor gets caught sending back a bit too much information from your PC, they will look foolish and it will hurt their sales for a while, but is this enough?

The single biggest abuser of the 'phone home' capability is spyware. The little applications that install from some websites. Some of this spyware is incredibly intelligent in how it hides itself and in what it selects to send home.

I firmly think that today, this is our biggest challenge.

IT Person | Veeam Vanguard | VMware vExpert | Windows admin | Docker fan | Spiceworks moderator | keeper of 3 cats | Avid Tea fan