Unprotected Queries


  • Worth remembering the oft-quoted cliche that a little knowledge is a dangerous thing. Presenting data on the Internet is easy to achieve. Presenting data safely and securely on the Internet is far more difficult.

    Some time ago, I found a few articles detailing the use of Google to query systems for the purposes of hacking. I've seen examples of Google search criteria which list UNIX servers on the Internet which have blank root passwords, or allow at least read access to the whole file system. I've seen examples of using Google to find insecure databases, including SQL Server ones (check out this link). I've seen examples of using Google to find Excel spreadsheets containing budgetary information (or, perhaps, medical or financial records). All scary stuff.

    Personally, I see it as one of my major responsibilities to recognise my limitations. I'm a DBA, not a security expert. I understand a lot of the tricks used, but it's not my core expertise, which is why we employ people who do have that under their remit. Therefore, anything we roll out is looked at with several pairs of eyes instead of just one pair. Easier said than done in a small company, I'll admit, but failing to do so is a gamble you will, sooner or later, definitely lose.

    Semper in excretia, suus solum profundum variat

  • I suspect it's the small companies that suffer the most. They aren't big enough to have a security person on staff, which means someone does the best they can. The first part is hoping they recognize what they don't know and ask for help, the next part is figuring out who to ask and what to buy, and those two become the chicken and the egg, because if you're going with software like ISA you need an ISA expert, if you're using Cisco or whatever hardware device then you need someone that can configure that. Or, you can just find an "expert" and let them tell you what you need, and hope that they have a sense of your budget and the realities of your business!

  • I had an object lesson in this, fortunately with a friend's computer, not a SQL Server. He was running Win2K Pro and something really hosed his permissions and it boiled down to needing to do a reinstall. Unfortunately I hadn't brought my laptop with me and had no way to download SP4. He had a broadband connection but without a router. After the install was completed and we rebooted, the machine was instantly rooted by bots sitting on Qwest's network. We never had a chance at downloading SP4 and IE 6 to get the minimum level of protection needed.

    We went out and bought a copy of XP Pro that had SP2 pre-installed. Off-line installation went fine, system actually ran faster. We installed Zone Alarm Pro, and as soon as we put the system online again, you could see the root kit bots hammering away.

    Tried to get the guy to buy a router but he wouldn't.

    Oh, and a special shout out to Qwest for doing such a great job of monitoring their network to prevent bots from compromising their users' equipment! 😀

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • I came across that article a little while ago. The scariest part to me was that these servers were usually also not patched in any way, so they were the "perfect" breeding grounds/launching grounds for any number of exploits. Slammer is still alive and well thanks to these servers.....

    It's reminiscent of this guy's take on unpatched machines.....

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user... All right - what was my emergency again?

  • I wonder how unfair it is to refuse to buy a router or not protect your machine? Is it like driving without headlights? Is it refusing to tune your engine so it doesn't stall?

    It's tough to get your machines protected. The downloads from MS don't work, you need to get stuff before you put your machine online, but really I think ISPs are a little negligent if they don't give you a router up front and build the cost into the price they charge.

  • Steve Jones - Editor (12/5/2007)

    I wonder how unfair it is to refuse to buy a router or not protect your machine? Is it like driving without headlights? Is it refusing to tune your engine so it doesn't stall?

    It's tough to get your machines protected. The downloads from MS don't work, you need to get stuff before you put your machine online, but really I think ISPs are a little negligent if they don't give you a router up front and build the cost into the price they charge.

    Really? I don't know how it is in the US, but here in the UK I can't think of any ISP that doesn't provide at least one package which includes a router. If an ISP provides two packages (one with a router and one without), and a customer makes an active decision to go with the one without, do you really think it's the ISP at fault?

    I read a story about someone who bought a Winnebago, put it on cruise control, went into the back to make a cuppa, then sued Winnebago because of the ensuing crash. Irrespective of the way the ruling went, do you really think it was Winnebago's fault?

    Where I would say ISPs are at fault is in having the ability to easily spot virus-generated traffic on their network, not using that ability and failing to suspend the connections used by the virus-ridden machines. There, I believe there is a good case to be made for negligence.

    Semper in excretia, suus solum profundum variat

  • The problem we had in the US is that a lot of ISPs put up a modem, but not a router. They were trying to charge a fee for every machine, not the connection. It hasn't worked terribly well and I'm surprised if anyone doesn't require a router these days.

    Not stopping virus traffic is a problem. I think it becomes hard to tell sometimes what's legitimate and what's not, but they should be able to figure it out more often than not. At least they could be working with SANS or someone else to identify virus/bot/other traffic and shut it down.

  • Steve Jones - Editor (12/5/2007)

    The problem we had in the US is that a lot of ISPs put up a modem, but not a router. They were trying to charge a fee for every machine, not the connection. It hasn't worked terribly well and I'm surprised if anyone doesn't require a router these days.

    Not stopping virus traffic is a problem. I think it becomes hard to tell sometimes what's legitimate and what's not, but they should be able to figure it out more often than not. At least they could be working with SANS or someone else to identify virus/bot/other traffic and shut it down.

    When I signed up for Qwest's DSL, I got a wireless router from them. It is unfortunately mediocre quality, so I hooked up a Linksys wireless router on top of it. 🙂 The combo seems to work well. I'm planning on eventually buying an Apple Airport base station, but not any time soon.

    I've never understood why ISPs won't monitor their traffic for zombies. I would give odds that the public reason is "we don't have the bodies to do the monitoring" whereas the real reason is they don't want to lose the $20-50 a month a zombied customer represents. Obviously they don't care what the security costs are for the rest of the world, or, for that matter, the rest of their customers!

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • I tend to agree with Wayne. I think it's not necessarily in their interest. They certainly don't want to deal with customers getting shut off and then calling, incurring a support cost. Especially when the customer will expect them to explain what needs to be done to get their computer hooked back up!

  • Steve Jones - Editor (12/5/2007)

    I tend to agree with Wayne. I think it's not necessarily in their interest. They certainly don't want to deal with customers getting shut off and then calling, incurring a support cost. Especially when the customer will expect them to explain what needs to be done to get their computer hooked back up!

    Also - in our interesting little world, HAVING someone doing that actually will increase the company's "liability", since it would be some type of implicit "assumption of responsibility" (i.e. we hired someone to keep the bugs out - so it's now our JOB to keep them out), so they could get into legal trouble for doing a bad job at it....

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user... All right - what was my emergency again?

  • At a theoretical level, an ISP could set up a slush fund to retain a computer maintenance company not unlike Geek Squad, basically a local company or geek who could do a basic AV/Trojan scan and clean, and perform that service at a reduced price for the zombied customer. That would give the ISP a disconnect from the further responsibility to keep their computer clean. A local company gets more business, the zombied computer gets cleaned up. Of course, there are zombies that require a full reformat/reinstall of the OS, and that would incur a higher cost for the customer. And most ISPs are nation-wide operations, so they'd have really far too much hassle trying to set up local contacts to subcontract such a service to.

    Education is the key here. Most people don't know how to provide minimal defenses for their PC. Most of us at SQLServerCentral have our home computer behind a router with A/V and anti-malware software, maybe with Zone Alarm or something else installed, but we're definitely the minority. The retired couple across the street just want to send pictures and email back and forth to their kids and grand kids, but once they get rooted, they'll also get pretty confused when you start trying to teach them how to defend their computer.

    Solution? Dunno. Look at how many computers get the "Free Anti-Virus" which is a 45-day eval which then goes south, and the people think they're still protected because they've got Norton. I think one step would be better initial configuration from the vendor, possibly requiring them to at least update their install images monthly so that fewer patches have to be downloaded after the PC is purchased. And this could be a behavior required by MS. I know some small PC vendors pre-package live, free A/V like AVG, something like Spybot, but then you once again run into the education issue so that people know the proper way to respond to AV alerts, much less something like alerts from Zone Alarm Pro.

    And people wonder why I went to a Mac? 😀 I may not be immune to malware, but I'm certainly much more resistant.

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • To be fair to the ISPs out there, we aren't talking a few connections here, we're talking many tens or hundreds of thousands if not millions (for the bigger providers) of links. All of which would require deep packet inspection in order to determine what the packet actually is.

    To do this in real time requires some very scary kit indeed and it isn't cheap in anyone's language.

    Then as has been previously mentioned, there is the liability (in terms of privacy as well as what happens should a customer still get infected). The water gets deep and murky very quickly.

    Most ISPs tend to block types of traffic (BitTorrent file sharing, for example) rather than individual applications.
