18 dicembre 2002 alle 21:20:32 Modificato il 18 maggio 2003 alle 13:22:52I gestori di un sito, di una comunità virtuale sono tenuti a conservare i dati sensibili che gli utenti gli affidono, come ad esempio le password personali. I "buchi" di molti sistemi operativi, i software per comunicare in chat, aprono delle porte, come anche "programmi" inviati come allegati o nascosti in mp3, immagini o salva schermi. Queste porte permettono ad estranei l' ingresso al vostro PC e la consultazione di questi dati. Con questa mail inviterei Anna ad aprire una sezione sulla sicurezza dove parlare di tutte queste problematiche. Vi mando, ad esempio una delle mail che ricevo quotidianamente per lavoro:
Subject: Alert A-02014C: worm per Windows 2000 To: sicurezza@garr.it
Il CERT ha segnalato la presenza di un worm per Windows 2000, che utilizza la porta 445/tcp, ed effettua una scansione delle macchine alla ricerca di account senza password o con password 'deboli', installandosi sulle macchine vittima dell'attacco e replicandosi su altri host sulla rete.
Allego un estratto delle soluzioni esposte nell'advisory del CERT:
Restrict or disable null sessions
Depending on the services your systems are required to provide, it may be possible for you to restrict or disable anonymous null sessions on your Windows 2000 hosts. This can be done through the HKLMSYSTEMCurrentControlSetControlLSA key with the following parameters:
Value: RestrictAnonymous Value Type: REG_DWORD Value Data: 0x1 or 0x2 (Hex) According to Microsoft Knowledge Base Article Q246261, this key can take on the following values:
0x0 = None. Rely on default permissions 0x1 = Do not allow enumeration of SAM accounts and names 0x2 = No access without explicit anonymous permissions Note that this configuration could cause problems in certain network environments. The CERT/CC encourages you to review Microsoft Knowledge Base Article Q246261 before making any of these changes to your system(s).
Windows XP sets the RestrictAnonymousSam key to 0x1 by default. Therefore, unless this setting has been altered by the system administrator, W32/Lioten should not be able to retrieve the account list via a null session on Windows XP systems.
Require strong passwords
W32/Lioten exploits the use of weak or null passwords in order to propagate, hence requiring the use of strong passwords can help keep it from infecting your systems.
Ingress/egress filtering
Ingress filtering manages the flow of traffic as it enters a network under your administrative control. In the network usage policy of many sites, external hosts are only permitted to initiate inbound traffic to machines that provide public services on specific ports. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound traffic to non-authorized services.
Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for internal systems to access NetBIOS shares across the Internet.
In the case of W32/Lioten, blocking connections to port 445/tcp from entering or leaving your network reduces the risk of external infected systems attacking hosts inside your network or vice-versa.