News from PANUG - July 30, 2001
http://www.panug.org
info@panug.org

CODE RED WORM AFFECTS THE INTERNET
by Gregg Berkholtz - PANUG President

Earlier today SANS, Microsoft, the NIPC, FedCIRC, ITTA, ISS,
and ISA released a "...Public Alert about the Code Red worm...".
This alert paints the picture of a "...Very Real and Present
Threat to the Internet...". This threat is supposed to begin on
July 31st, 2001 at 5:00 PM PDT, which means you still have two
days to protect yourself.

Other than the obvious concerns of a massive denial of service
(DoS) attack across the Internet, should you be worried?
If you run any version of Microsoft's web server (IIS), or if
you use Cisco hardware, YES.

So, how does Cisco come into play?
Some Cisco products, such as Cisco CallManager, Unity Server, uOne,
ICS7750, and Building Broadband Service Manager, use IIS internally.
This is a foolish move on their part, but nonetheless, you now may
need to patch your Cisco equipment too.

Other Cisco products, like their 600 series of DSL routers, are also
affected by the worm, even though they don't run IIS internally [!].
There's been a patch available for a few months now. If you don't
have it installed, now would be a good time. More info can be found
here:

http://www.cisco.com/warp/public/707/CBOS-multiple2-pub.html
and here:
http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml

If you use Microsoft's IIS in anything else, I'm sorry to hear that.
Since there is no point in rewriting what CERT has already said
about IIS, I will just direct you to their website for further information:
http://www.cert.org/archive/html/coderedannounce.html
http://www.cert.org/advisories/CA-2001-19.html

For those of you that run Apache web servers (like me, PANUG and
thousands of other sites) you can relax. Apache is not vulnerable
to the attack. If you'd like to switch to Apache, check out the
PANUG web site for information about a 2-day Apache training course.


LINUX JUST AS INSECURE...
by Ed Sawicki

There's a tiny number of people on the net claiming that
Linux is every bit as insecure as Windows. To prove
their point, they say things like "This week there were
32 holes in Windows software and 29 in Linux/Unix
software. There's just as many security holes with Linux
as Windows".

You may buy into this argument if you're not aware of how
open source software is designed and debugged. With
Windows software, we hear about security problems that are
already affecting users of the software. Many of the reported
security holes in open source software are holes
discovered by "white hat" people who are looking for such
holes - which they can do because the code is open. The
goal is to find these security problems and fix them before
the kiddies on the Internet can attack your systems.

If you read these reports carefully, you'll see such
phrases as "This could allow an attacker" and
"potentially execute arbitrary code". The words "could"
and "potentially" should tell you that these are
"vulnerabilities" in the software - not security holes
that are being used to attack systems today. Plus, some
of the reported vulnerabilities are improbable - they're
unlikely ever to be exploited even if they weren't fixed.

If the source code for Windows software were ever made
public and held to the same scrutiny as open source
software, the number of vulnerabilities would be far,
far greater than the relatively small number of holes that
are being exploited now.

If you want your systems to be secure, use software that
is developed and debugged in the open. Microsoft's IIS and
Outlook are the best examples of why closed source
development just doesn't result in secure systems.