Saturday, July 23, 2005

Is the XP SP2 firewall getting a raw deal?

A current report on a new denial of service vulnerability involving Windows RDP (Remote Desktop Protocol) blaming the Windows XP SP2 (Service Pack 2) firewall has touched off a firestorm of inaccurate coverage that gets "blindly regurgitated in the forums." George Ou sets us straight.

“A recent report on a new denial of service vulnerability involving Windows RDP (Remote Desktop Protocol) blaming the Windows XP SP2 (Service Pack 2) firewall has touched off a rash of sensationalism from other media outlets that gets blindly regurgitated in the forums. This has caused some unwarranted confusion and fear in the IT industry. The original story incorrectly blamed the XP SP2 firewall for failing to protect against the RDP flaw. This was a false characterization of the XP SP2 firewall, which has a history of being mischaracterized as something that breaks a lot of applications or is somehow unreliable. This has resulted in some harm to the general public because too many Windows users are refusing to protect themselves with Windows XP SP2. Larry Seltzer did a wonderfully accurate and educational assessment on XP SP2 but is drowned out by all the doom and gloom sensationalism.

When Microsoft first came out with XP SP2 last year, its new firewall feature was incorrectly blamed for breaking hundreds of applications when in fact any personal firewall installed without the proper holes drilled would have caused the exact same issues. This latest story on the RDP vulnerability seems to be yet another slam on the SP2 firewall with the incorrect accusation that it fails to protect against this new RDP denial of service vulnerability. While it's technically true that a SP2 firewall with port TCP 3389 (used by RDP) opened to anyone will result in a successful denial of service attack to an unpatched Windows machine, this is the normal behavior of any stateful packet inspection firewall.… ”

You can protect all the PCs in your office or home by simply implementing a router with a basic firewall or just NAT (Network Address Translation) capability. A router for the home with a built-in switch can be purchased for less than $40. Not only does the router protect you from a vast array of attacks, it also acts as an Internet sharing device. Another easy thing to do is to turn on the Windows XP SP2 firewall and make sure that the RDP service is either entirely blocked or only permitted to enter from trusted network sources. You can find more in-depth information here to turn off the RDP service entirely or configure the XP SP2 firewall. One of the nicest features of the XP SP2 firewall, besides the fact that it's free with Windows, is that it can easily be managed from a central location. This can be done from a legacy Windows NT 4.0 domain environment using a script or, better yet, from a group policy in a Windows 2000/2003 Active Directory. This allows a Microsoft network administrator to quickly configure every single Windows XP computer in the company with a single login script or a single group policy.
http://blogs.zdnet.com/Ou/index.php?p=81&tag=nl.e539
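The two mitigations described above (block the RDP service outright, or admit TCP 3389 only from trusted sources) can both be expressed with the `netsh firewall` context that XP SP2 ships with, which is what a login script would run on every machine. The following is an added example written for this page, not code from the original post or from George Ou; the trusted subnet 192.168.1.0/255.255.255.0 and the audit file path are constructed placeholders, and the script assumes it runs with local administrator rights as a domain login script.

```batch
@echo off
REM Added example login script (not from the original post): harden the XP SP2
REM firewall's handling of Remote Desktop on every machine it runs on.
REM ASSUMPTION: 192.168.1.0/255.255.255.0 is the trusted management subnet
REM (constructed placeholder; replace with your own network).

REM 1. Make sure the firewall is enabled on all profiles (domain and standard)
REM    so a laptop that leaves the domain keeps the same protection.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

REM 2a. Option A - block inbound Remote Desktop entirely by disabling the
REM     built-in Remote Desktop exception (pick either 2a or 2b).
REM netsh firewall set service type=REMOTEDESKTOP mode=DISABLE profile=ALL

REM 2b. Option B - keep Remote Desktop reachable, but only from the trusted
REM     subnet, never from "anyone" on the Internet. Scoping the built-in
REM     service exception (rather than adding a separate TCP 3389 port
REM     opening) avoids leaving a second, unscoped rule for the same port.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=192.168.1.0/255.255.255.0 profile=ALL

REM 3. Record the effective configuration so an administrator can verify
REM    centrally that no machine still exposes 3389 to all addresses.
netsh firewall show config > "%TEMP%\fw-%COMPUTERNAME%.txt"
```

After the script has run, `netsh firewall show config` should list the Remote Desktop service with scope "Custom" and only the trusted subnet, and a scan from an address outside that subnet should see TCP 3389 filtered. The `netsh firewall` context is specific to XP SP2 and Server 2003 SP1; Vista and later replaced it with `netsh advfirewall`, so the same policy on newer clients would be written against that context or, as the post suggests, pushed as a group policy instead of a script.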

Thursday, July 21, 2005

Domain Hijacking

“Domain-name hijacking occurs when someone fraudulently takes control of a domain name, often by masquerading as the legitimate administrative contact for a domain name.

The e-mail addresses of administrative contacts, widely available in the WHOIS database of domain registrations, are used to verify domain-name holders.

The domain-name hijacking report, available here as a PDF, came from ICANN's Security and Stability Advisory Committee.

The report, announced Wednesday during an international meeting of the ICANN (Internet Corporation for Assigned Names and Numbers) in Luxembourg, followed at least two high-profile incidents this year of what is known as domain-name hijacking—one hitting New York-based ISP Panix and another affecting e-mail provider Hushmail Communications Corp.

The committee advises the domain-name system overseer's board of directors and constituents such as the registrars that sell domain names to individuals and businesses and the registries that manage domains such as .com and .net.

While the Panix and Hushmail cases were widely reported, the ICANN committee report also cited a dozen other examples of stolen domain names. The hijacks hit such high-profile names as wifi.com, commericials.com, nike.com and ebay.de.

Committee members expressed optimism that the report will lead to swift action, but it was still unclear as of late Wednesday whether ICANN's board planned to address the report's findings and recommendations at its meeting later this week.”

http://www.eweek.com/article2/0,1895,1836820,00.asp?kc=ewnws071505dtx1k0000599

Monday, July 18, 2005

Hollingsworth Rambles

“Not a Podcast?
Lately I've been hearing a lot of chatter on the podosphere ragging on conventional broadcasters who make their shows available as podcasts. The line of reasoning seems to be that when Mr. and Ms. Big Broadcaster post their conventional broadcasts on the Internet as downloadable mp3s, they're just posers jumping on the bandwagon.

Agreed, professional broadcasts lack the home-made charm of many current podcasts. That's probably more of a threat to the podcast producers than the podcast listeners.… ”

http://hollingsworthrambles.blogspot.com/2005/06/not-podcast.html

Sunday, July 17, 2005

Does OS matter anymore for security?

by George Ou
“…It's usually taken as gospel in many IT circles to assume that Windows Security is an oxymoron; anyone who dares to suggest using Microsoft IIS 6.0 for a public web server faces serious ridicule. To see if there was any truth to this presumption that Windows Server is fundamentally insecure, I looked up these hacking statistics from www.zone-h.org for 2003 to 2004. Not only did it not show that Windows was hacked more often, but just the opposite. The Linux servers were actually getting hacked and defaced far more often than the Windows servers, and Apache was also being hacked and defaced more than Microsoft IIS.

While most security research comparing various operating systems and applications focuses on statistics for the number of vulnerabilities and their criticality, zone-h takes a completely different approach by looking at actual server compromises. Even more significant is that these are not theoretical hacks in the laboratory but actual website defacements that were confirmed by the public. Zone-h is essentially a centralized "score board" for hackers who want bragging rights for their handiwork. While the source of the data is highly despicable, there is no denying the value of such data being collected regardless of the source because of its accuracy. When a website is hacked and defaced, there is little room for interpretation for what has transpired because the proof is in the humiliating public defacement. While these particular defacements are often the work of recreational hackers who hack for sport and not the work of a professional criminal who hacks for financial gain, the techniques used to compromise the servers are usually identical.…

At the end of the zone-h report for 2003-2004, the author concludes (accurately, in my experience) that the argument about which OS is more secure is totally irrelevant since most modern exploits are against applications and not the operating system hosting them. This is true because servers are rarely deployed wide open on the Internet without a firewall. A properly configured firewall minimizes the vulnerability footprint to only permit the ports necessary for a specific application to work, which means the application is the only thing exposed to the hacker. The zone-h report doesn't actually prove which OS is more secure, only that the OS is mostly irrelevant and the Windows server security jokes are more myth than fact.”

http://blogs.zdnet.com/Ou/?p=77&part=rss&tag=feed&subj=zdblog