Re: RE: [Security] Fun with Windows all over again


From: Mike Hunter (mhunter_at_uclink.berkeley.edu)
Date: Fri Sep 12 2003 - 16:03:25 PDT


On Sep 12, "Greg Merritt" wrote:

> At 12:49 PM -0700 9/12/03, Alexander Brown wrote:
> >I would be cautious with this approach; we have had multiple reports in
> >EECS of compromised XP systems that were unpatched, but "running the
> >firewall since before they were ever put on the network". I cannot
> >attest to the accuracy of the reports, but the fact that there have been
> >multiple reports makes me nervous about recommending this as a solution.
> >
> >--alex
>
>
> I find that sometimes users believe that a certain security
> element will protect them from all things nasty -- e.g., "I had
> Norton Antivirus installed years ago, I can't get that worm thing,
> can I?" or "I have a firewall so my computer's safe from everything,
> right?"
>
> Just chiming in and stating the obvious here, I guess, but
> users need to have all bases covered and stay up-to-date...

I'm reminded of a point that I wanted to bring up earlier in the
discussion, but here I am typing in reply to your letter, so here goes.

A coworker had his/her computer cracked despite his/her personal firewall.
It was a simple Welchia infection. He/she had an unpatched Windows
system. His/her anti-virus software logged the infection as having taken
place at 5:34 PM, right when the computer was powered down for the end of
the working day. The implication is this: When Windows powers off, first
it shuts down user-installed services/programs (such as a personal
firewall), then it shuts down the operating system itself. In the time
between the personal firewall shutting down and the OS Networking layer
going away, the computer was left vulnerable to infection.

Disclaimer: That's informed speculation, not proven fact.

Unless what I described above is factually incorrect, the scenario
described is something people need to consider very carefully when they
move to relying on a personal firewall instead of patching.

Mike




This archive was generated by hypermail 2.1.5 : Fri Sep 12 2003 - 16:06:00 PDT