So I'm getting some 'interesting' and frankly unexpected comments on my most recent 'Anatomy of . . . ' posts, where I delve into examples of a hack involving certain vulnerabilities (one of which wasn't even in one of our products, I'd like to point out).

Look folks - my intent with these blogs is not to place blame, and I'm not in the habit of blaming the victims for getting attacked, as the finger can be pointed at either us or them (or at the miscreants who commit the crimes - but why does no one ever think to blame them when all is said and done?!  Think about it . . . ).

If I had to - I'd gladly take the blame on behalf of Microsoft over customers any day and will gladly fall on my sword.

My intent with this blog is simply to share knowledge about how these attacks are occurring, why they are occurring, what IR teams at other organizations can look for, and what security practitioners should be doing to secure systems - in a way that most people can understand, interspersed with some humorous wit and colorful commentary strewn throughout.

My team always tries to get to root cause on each and every case, because by demystifying how these intrusions occur for our customers, they will start to see how easy it really is to take basic precautions to avoid getting hacked.  Patterns will emerge.  Sure, we have hundreds of pages of guidance on this, that or the other, but when you come right down to it, avoiding getting hacked is really quite easy:
Patches, passwords and ports. 
If you can manage all 3 of those in your environment - you'll do just fine and need not worry (excessively <G>).

I want to make clear here that I do not enjoy, nor am I proud of the fact that our customers are getting hacked in droves.
I don't take pleasure in pointing out how easy it would have been for them, in retrospect, to avoid getting hacked (in the last two posts, either a firewall or a software update would have prevented the intrusion).
That said, I certainly do enjoy the hell out of my job - I like hunting the hunters and being a good guy, I think my team is quite good at it, and I'm proud to be a part of it, offering the service we do for our customers.

With every hacking case we get, we close the case with a series of recommendations on how to not get hacked going forward, and I will continue to share those assessments with you in each post - but please don't take offense at the casual way in which I mention the recommendations (which are all documented best practices anyway).  I realize some organizations struggle with passwords.  I realize some organizations struggle with patches.  If these are sensitive topics for you - don't take it out on me.  I'm just the messenger (perhaps more like the ghost of Christmas future, showing you via my blog what's in store for you if you don't resolve your struggles, and soon <G>).

And finally - I'd like to point out that Windows 2000 was not an operating system designed with security in mind, and that is the reason a disproportionate number of our hacking cases involve Windows 2000 boxes run by people who are not security focused.  Think about some of the features of Windows 2000 out of the box.

  • It allows for blank admin passwords, and they can and will be used against you.
  • It does not require strong passwords during setup should you decide to put one on the admin account ('password' or 'dog' are okay to use during setup).
  • No built-in firewall.
  • Everything's on by default.

You may have seen a hint in my posts about WS2003 and why you'll likely see me post very little about hax0r3d WS2003 boxes.
There is a non-marketing reason for that (I am NOT a marketing guy, and I'm not working a bit harder so Initech can ship a few more widgets).
WS2003 is a 'secure by default' operating system (our first, followed by XP SP2) that received a security code review and a myriad of defense-in-depth improvements.

Think about some of the features of WS2003 out of the box (some of these you may not have known about, but they have been quietly helping to protect customers for years now):

  • It allows you to set a blank admin password during setup BUT . . . if you do, you get yelled at, and then you can't authenticate to the server over the network using that account (i.e. you can't access the admin shares as 'administrator' with no password).  It's a security policy ('Accounts: Limit local account use of blank passwords to console logon only') and it's enforced by default - so a blank admin password is actually better than having a password like 'password', for example.
  • Speaking of lame passwords like 'password' - should you decide to create a password for the administrator account during setup, you will be forced to choose a better one (i.e. one that meets the password complexity requirements).  You won't be able to use 'password', for example.
  • Built-in firewall - not on by default - but change is coming.
  • Everything's off by default - you won't find IIS or a myriad of other services listening out of the box, needlessly increasing your exposure.
  • Stack smashing protection - the majority of the OS has been compiled with the /GS compiler flag, which places a security cookie on the stack between a function's local buffers and its saved return address and checks that cookie before the function returns, so a stack buffer overrun that reaches the return address is caught before the corrupted address can be used.
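To show what the last item buys you, here is a small C model of a /GS-protected frame: the frame is a flat byte array laid out as local buffer, cookie, saved EBP, return address; an unbounded copy overruns the buffer; and the epilogue check compares the cookie before "returning". This is an added example, not code from this post or from Microsoft's compiler or C runtime: the cookie value, the saved EBP and return address, and the attack payload are all constructed, the frame layout is the only part taken from how /GS works, and the copy length is clamped to the emulated frame so the example stays in bounds (a real overrun has no such clamp).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emulated x86 stack frame laid out the way /GS arranges it (low to high):
 *   local buffer | security cookie | saved EBP | return address
 * A flat byte array stands in for the stack so the overrun below stays
 * well-defined in this model. */
#define BUF_SIZE    16
#define COOKIE_OFF  BUF_SIZE
#define EBP_OFF     (COOKIE_OFF + 4)
#define RET_OFF     (EBP_OFF + 4)
#define FRAME_SIZE  (RET_OFF + 4)

/* Constructed stand-ins for a real saved frame pointer and return address. */
#define SAVED_EBP   0x0012FF70u
#define RET_ADDR    0x00401000u

/* Per-module cookie. The real one is chosen at load time; this is constructed. */
static const uint32_t security_cookie = 0xBB40E64Eu;

enum call_result { RETURNED_OK = 0, GS_FAILURE = 1 };

static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, sizeof v); }
static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, sizeof v); return v; }

/* Prologue: with use_cookie the cookie sits between the buffer and the saved
 * registers, as /GS places it; without it this is code built without /GS. */
static void prologue(uint8_t *frame, int use_cookie) {
    memset(frame, 0, FRAME_SIZE);
    if (use_cookie) put32(frame + COOKIE_OFF, security_cookie);
    put32(frame + EBP_OFF, SAVED_EBP);
    put32(frame + RET_OFF, RET_ADDR);
}

/* The bug: an unbounded copy into the 16-byte local buffer. The clamp only
 * keeps the write inside the emulated frame; a real strcpy has no clamp. */
static void unchecked_copy(uint8_t *frame, const char *src, size_t n) {
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(frame, src, n);
}

/* One call: prologue, vulnerable copy, then the epilogue check that
 * __security_check_cookie performs before the ret instruction.
 * GS_FAILURE is the point where the real runtime terminates the process. */
enum call_result run_frame(const char *input, size_t n, int use_cookie, uint32_t *ret_out) {
    uint8_t frame[FRAME_SIZE];
    prologue(frame, use_cookie);
    unchecked_copy(frame, input, n);
    if (use_cookie && get32(frame + COOKIE_OFF) != security_cookie)
        return GS_FAILURE;
    *ret_out = get32(frame + RET_OFF);
    return RETURNED_OK;
}

/* Constructed inputs: a benign string, and 28 bytes of 'A' that run through
 * the buffer, the cookie, the saved EBP and the return address. */
enum call_result benign_call(int use_cookie, uint32_t *ret_out) {
    return run_frame("hello", 5, use_cookie, ret_out);
}
enum call_result overflow_call(int use_cookie, uint32_t *ret_out) {
    char payload[FRAME_SIZE];
    memset(payload, 'A', sizeof payload);
    return run_frame(payload, sizeof payload, use_cookie, ret_out);
}

/* The three outcomes as plain values. */
uint32_t benign_return_address(void) { uint32_t r = 0; benign_call(1, &r); return r; }
int overflow_caught_by_gs(void) { uint32_t r = 0; return overflow_call(1, &r) == GS_FAILURE; }
uint32_t overflow_return_address_without_gs(void) { uint32_t r = 0; overflow_call(0, &r); return r; }

int main(void) {
    printf("benign input, /GS on : returns to 0x%08x\n", (unsigned)benign_return_address());
    printf("overflow,     /GS on : %s\n", overflow_caught_by_gs() ? "cookie corrupted, process terminated" : "missed");
    printf("overflow,     /GS off: returns to 0x%08x (attacker controlled)\n",
           (unsigned)overflow_return_address_without_gs());
    return 0;
}
```

Without the cookie the same overrun silently hands the function a return address of 0x41414141, which is exactly the condition the exploits in the earlier posts rely on; with it, the overrun is detected before ret executes. The cookie does not fix the bug, it turns a code-execution primitive into a crash, which is why /GS is defense in depth rather than a substitute for the patch.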

In the coming months we'll be releasing WS2003 SP1 with even more creamy goodness to help protect our customers (more on that I'm sure will come later).

In the meantime, you need to realize that we are fighting back for our customers without placing blame (oh, and occasionally we help law enforcement arrest the bad guys - so maybe just a little well-deserved blame aimed at those who break the law <G>).