Silflay Hraka?

Bigwig is a systems administrator at a public university
Hrairoo is the proprietor of a quality used bookstore
Kehaar is.
Woundwort is a professor of counseling at a private university


August 14, 2003

Master Blaster

In response to my post on Blaster and the UNC network, Emuse asks

I, too, work at a university, and while I protected my home computer from this virus, my campus computer was victimized.

I've been bitching that the campus networking administration people did not do their job in preventing this infiltration. After reading your post, I wonder if I am too harsh.

Given the notification (I think beginning July 16), IS it unrealistic to expect the campus networking gurus to have installed the necessary safeguards to keep computers from being infected? (I thought I'd read that they could block certain ports from remote access while applying the patches, and thus have prevented the virus from gaining access.)

Now, obviously I don't know the situation on Emuse's campus, but at UNC the sheer number of machines, 40,000* or so once the students return, restricts the ability of administrators to physically make sure that the antivirus definitions on each computer are up to date, never mind application and operating system patches. It is essentially an impossible task, especially in a time of budget cutbacks.

The best we can do is ensure that patches are always available over the network, and that when a vulnerability is discovered an announcement of that fact is broadcast to the faculty, staff, and student body. Typically, such announcements include the steps needed to close the hole or patch the machine, and are not only sent to each user via email, but posted at a central location on the web, with pointers to it from the most popular pages.

We've also blocked the port Blaster uses to infiltrate PCs (4444) at the campus border with the Internet, but that only stops infection attempts from outside the network. If an infected machine, say a laptop, pops up inside the network, that port blockage doesn't do a thing. With almost the entire student body returning to campus next week, such an event is almost certain, and, since history suggests that most student laptops gather dust rather than patches over the summer break, there should be a large number of unpatched machines available for exploit.

ITS Security will be actively watching for the 4444 port scans that infected machines will be broadcasting; once that is detected, the infected host can be blocked from the network almost immediately. However, since Blaster spreads so quickly, this will almost certainly be the computer equivalent of one step forward, two steps back. The very short amount of time it takes to detect and isolate infected machines is still sufficient for Blaster to propagate to a number of others.

The UNC network is pretty hardy. Indications are that over 1000 campus systems were infected in the first wave of Blaster attacks, and the network, while slowed, was not taken down. But again, between semesters the traffic load on the network is at its lowest point. Even without Blaster, we would expect to break all of the previous usage records next week.

With Blaster... Well, let's just say we expect the alarm in the control center to be going off constantly. Yes, that's the Star Trek red alert. What else would you have expected? It's loud, too. I can usually hear it regardless of the fact that it has to travel through a wall and my headphones before it gets to the auditory canal.

A good indication of where UNC is at during any point in the upcoming siege is the control center's message board, which I think is available from outside the UNC network.

I haven't really answered Emuse's question, but it is possible to prevent all of the above from happening. It's very simple, really.

Everyone just needs to replace their Windows PC with a Mac or Linux based computer. Since sysadmins don't have the power to require that, and probably shouldn't when it comes right down to it, outbreaks like this will continue until the cost of fighting them exceeds the cost of switching away from a Windows environment.

Given the current state of the State budget, that particular tipping point may be closer than one would otherwise think.

*This is a lowball estimate. It's possible that 40,000 is just the number of Windows systems on campus, not the total number.

Posted by Bigwig at August 14, 2003 01:33 PM | TrackBack

You can write a WSH script that will look for and update OS patches and anti-virus software, and configure the scheduler to kick it off at predetermined times. That's what I did when I had a job.

There is very little on a client machine that you need to touch the machine for once you employ WSH scripts. Why do you think that offshore contracting is such a big fad?

Posted by: Rick DeMent at August 14, 2003 02:48 PM

Oh, one other thing: Linux and Macs are good against viruses precisely because they are not as common as Windows. Do you really think any hacker worth their salt can't infect those machines as well? Client machines are vulnerable because they are used and maintained by users. Users would not lock down their Linux machines either.

Posted by: Rick DeMent at August 14, 2003 02:52 PM

I think we can expect universities to have better security; however, given the culture, it is almost certain not to happen. Universities exist primarily through students. Much of the grunt work gets done by students, on the theory that this is an excellent teaching method. Works nicely in theory, until a disaster occurs and there are no students around.
I have seen similar problems with organizations which rely on volunteers to do critical tasks. What happens when there are no volunteers? Quite simply, the work doesn't get done. The organization then scales back its operations to match the size of the volunteer staff (the Smithsonian Institution is an excellent example of this behavior).
Any organization foolish enough to rely on unpaid labor to maintain itself deserves the implosion which will eventually occur.

Posted by: Roderick Coates at August 14, 2003 04:41 PM

Well, Rick, OSX takes some coaxing to let you log-in as root, and even the pseudoadministrator/main user account has to "ramp up" with a password to get root access (for updates, etc)...

So it's a lot harder to properly infect the system. (On the other hand, I certainly don't fault MS for their decision regarding user power for their home OSes - it makes sense for the market.)

Linux, well, sorta. As long as you get people in the habit of not doing everything as root, it's harder to infect the system. Of course, people dumb enough to run random email attachments might well be dumb enough to log in as root first too, but it'd be a little harder.

I don't think there's really much to an OS-change magic bullet, nope.

Posted by: Sigivald at August 14, 2003 07:37 PM


Sure, I agree with you regarding the root password issue; the OS is set up to be more secure. One of the biggest headaches I have as a Windows sysadmin is plugging up the backdoor paths to sensitive areas of the system. But they can be plugged.

I don't know if those realities really change my point though. Good hackers can hack nix boxes; there are just fewer people who have those skills. Kids come out of the womb hacking MS, and while its design does lend itself to easier hacking, its popularity makes hacking easier because default configurations are well known and everyone uses it.

I agree with your point about universities though. The same goes for corporations that open their systems up to attack because some VP can't figure out how to use their system. This has happened to me personally where I was told to make the system less safe because I could not get a VP to learn how to decrypt files.

Posted by: Rick DeMent at August 15, 2003 09:54 AM

One point to make, AFTER blaster had hit the campus, my university managed to have an "automated login script" (sorry, not sure of the tech specs, but that's a pretty accurate description of the application) in place, wherein when you logged in, the patch would automatically download, and two other scripts would run to clean up any computers already infected.

I maintain that they could have done this PRO-actively, rather than RE-actively.

That said, my laptop wasn't configured (for some reason) to log in in the manner required for the automatic voodoo to work. (I only use my laptop to connect to the campus network, so I know *I* wasn't the source of the virus), but your point that there are too many "unknowns" in such a large environment is still relevant.

So, I think they probably could have lessened the incidence of infection, although probably not have avoided all occurrences. Perhaps I can be excused for my initial harsh reaction based on experience with their propensity to spend more time assigning blame in intra-department turf battles than they do in actually overseeing the *functions* they are responsible for. But that's a subject for another post.

Posted by: cj at August 15, 2003 05:11 PM

For clarification, the cj aug 15 comment is the Emuse that is referenced in the original post.

Posted by: cj at August 15, 2003 05:21 PM

It gives me 60 seconds and restarts my computer as I log on to the internet.

Posted by: sajj at May 6, 2004 08:48 AM