George Ou's farcical firewall flamewar (and trick or TRICK)
Oh yes, it's IT Blogwatch, in which ZDNet's George Ou flames Computerworld -- but gets egg on his face. Not to mention what we did last night at Blogwatcher Towers...
Robert McMillan started the ball rolling with this:
Hackers have published code that could let an attacker disable Windows Firewall on certain Windows XP machines. The code, which was posted on the Internet early Sunday morning, could be used to disable Windows Firewall on a fully patched Windows XP PC running Windows' Internet Connection Service (ICS). This service allows Windows users to essentially turn their PCs into routers and share their Internet connections with other computers on a LAN. It is typically used by home and small-business users.
The attacker could send a malicious data packet to another PC using ICS that would cause the service to terminate. Because this service is connected to the Windows firewall, this packet would also cause the firewall to stop working, said Tyler Reguly, a research engineer at nCircle Network Security Inc. ... Users can avoid the attack by disabling ICS, Reguly said. But this will also kill the shared Internet connection.
Martin McKeay picks it up and runs:
Simply sending a malicious packet to the vulnerable computer will turn off the firewall, lowering what is hopefully only one of many lines of defense on the computer. I say hopefully, because I hope anyone who knows enough about Windows to turn on and use the ICS service also knows enough to also install anti-virus and anti-spyware. Better yet, I hope that anyone who's using Internet Connection Sharing to allow multiple computers to use one Internet connection will learn enough to go out and buy a $40 router with a firewall built in.
...
ICS is off by default, the average user isn't going to know enough about Windows to go looking for it and a user who knows enough to understand the use of ICS should also understand that it's a service with serious security concerns, even discounting the current vulnerability. So the only users who are going to be affected are the ones who wander through their Network Connections windows clicking things to see what they do and people who know just enough to get themselves into trouble, but not enough to make themselves safe.
But then -- oh dear -- George Ou finds the capslock key:
it would be crazy to disable ICS yourself which disables the XP Firewall because you're afraid an internal PC might attack your XP NAT box. The bottom line is DON'T DISABLE ICS! ... ComputerWorld, please do some fact checking before giving this kind of advice ... PLEASE FIX YOUR ARTICLE!
...unleashing a torrent of comment criticism, including these gems:
teeks99stuff: WAY too sensationalized. There's nothing overly deadly about the solution they propose ... If you disable ICS, that protects your firewall from an internal attack. This inherently prevents you from sharing your connection. This will leave your firewall up to defend your computer. I think you're the one who needs to check their facts and get the story straight.
Spikey_Mike: Since when did ICS become a firewall?? George, are you done slashing your throat?
jragosta: Just because George says that turning off ICS disables the firewall doesn't make it so. In fact, given his posting history, you can pretty safely bet that anything he posts is wrong.
zkiwi: So George ... What would you have people affected do? Would you have them not shut down what is affected until Microsoft come up with a patch? ... what is the recommended "other method" of internet connection? Would you be prepared to enlighten the masses?
wessonjoe: the assumption that ICS and winXP firewall are more useful alive than dead is flawed ... the extreme bias of george towards all things microsoft shines very brightly here :)
bportlock: George - what's up with you? The slightest hint of criticism of anything to do with Microsoft and you come out all guns blazing and firing salvos in all directions ... Nobody should be using ICS anymore. Do you seriously think he should have said nothing at all?
It's pretty obvious that there was a serious miscommunication happening here. George somehow misread the article and assumed that Tyler was suggesting that users disable the Windows Firewall/Internet Connection Sharing service, which would have the effect of disabling the firewall as well, exactly as George suggests ... I don't want to flame George, but he was wrong, combative and sensationalist. Even when he was shown to be wrong, rather than apologize and admit to his mistake, he furthers his attack on the Computerworld article and Tyler Reguly.
Tyler Reguly and Andrew Storms have a series of posts with more detail:
The exploit requires Internet Connection Sharing to be enabled and requires that the attacker be on the shared interface ... Mitigation:
1) Disable Internet Connection Sharing.
2) Block UDP port 53 (DNS) on the computer that is sharing the internet, manually set the DNS Server to your ISP's DNS address.
...
I’ve received some feedback that my recommendations may be confusing to those outside of the Security Research field ... Disable Internet Connection Sharing ... is perfectly valid and does not carry the risk that has been suggested by George Ou at ZDNet. The confusion is somewhat understandable: Microsoft’s naming of parent and child services adds some ambiguity to the mix. Internet Connection Sharing (the child) is not the Windows Firewall/Internet Connection Sharing service (the parent) that George is referring to ... Block port 53 on the computer. This is also a valid option. The pseudo DNS server resides on the computer running Internet Connection Sharing (child). If I were to block access to this DNS server, the exploit could no longer reach it ... I just want everyone to know that this isn't the sort of thing that we'd post to the blog without thorough investigation. Many hours of research went into this
...
With the introduction of Windows XP Service Pack 2, users were blessed with some new firewall and Internet connection sharing (ICS) features. It's important to note that even though these two features interact and share some Windows API Firewall code, they are configured separately ... Our friends at ZDNet seem to think that disabling Internet Connection Sharing turns off the Windows firewall ... Let's have a look ... In three steps, I turned off ICS and did NOT disable my Windows firewall.
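The parent/child distinction Reguly and Storms describe can be checked from a script. The following PowerShell is an added example, not code from Computerworld, nCircle or any of the posts quoted above; it assumes a Windows host with PowerShell and the HNetCfg.HNetShare and HNetCfg.FwMgr COM interfaces, and that the service shown in the Services console as "Windows Firewall/Internet Connection Sharing (ICS)" has the service name SharedAccess. It reports the ICS sharing state of every connection and the firewall state before and after optionally turning sharing off, so you can see for yourself that disabling ICS (the child feature) leaves the firewall (hosted by the parent service) enabled.

```powershell
# Added example (not from the article or the quoted posts). Run elevated on the ICS host.
# With no switch it only reports; -DisableIcs applies mitigation 1) from the nCircle post.
param([switch]$DisableIcs)

$share = New-Object -ComObject HNetCfg.HNetShare   # ICS per-connection configuration
$fwMgr = New-Object -ComObject HNetCfg.FwMgr       # Windows Firewall (XP SP2+) policy

function Show-FirewallState($label) {
    # The parent service hosts both features; the firewall flag is separate from ICS.
    $svc = Get-Service -Name SharedAccess
    $enabled = $fwMgr.LocalPolicy.CurrentProfile.FirewallEnabled
    "$label : SharedAccess service is $($svc.Status); firewall enabled = $enabled"
}

Show-FirewallState "Before"

foreach ($conn in $share.EnumEveryConnection) {
    $props = $share.NetConnectionProps($conn)
    $cfg   = $share.INetSharingConfigurationForINetConnection($conn)
    if (-not $cfg.SharingEnabled) {
        "ICS is off on '$($props.Name)'"
        continue
    }
    # SharingConnectionType: 0 = public (Internet side), 1 = private (LAN side).
    # The ICS pseudo-DNS server the post talks about listens on the private side.
    $side = if ($cfg.SharingConnectionType -eq 0) { 'public' } else { 'private' }
    "ICS is ENABLED on '$($props.Name)' ($side side)"
    if ($DisableIcs) {
        $cfg.DisableSharing()   # child feature only; the parent service keeps running
        "  -> sharing disabled on '$($props.Name)'"
    }
}

Show-FirewallState "After "
```

If the "After" line still reports the firewall as enabled, the host is protected exactly as Storms' three-step test showed; clients that relied on the ICS host for DNS then need the ISP's resolver set manually, as in mitigation 2).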
Buffer overflow:
Around the Net
- 4sysops: The hypervisor of Windows Server Longhorn
- Freedom to Tinker: Diebold’s Motherboard Flaw: Implications
- IT Compliance: Consumers Want Identity Theft Protection Through Homeowner Insurance
- Lorraine Kisselburgh: Technologies of Identification: Geospatial Systems and Locational Privacy
- DrunkenData: SNIA wants to Manage All Your Data
- Michael Arrington: Breaking News: Condé Nast/Wired Acquires Reddit
- Alice LaPlante: The Internet Governance Forum: Will Theory Lead To Action?
- Rob Hof: Google Gobbles JotSpot
- Jeff Jaffe: Open Source is driving the virtual world
Around Computerworld
- Alex Scoble: Extremetech: Why gaming sucks on Linux
- Alex Scoble: My boss starts blogging: Good cooking tips
- Preston Gralla: Vonage's Halloween scare: Frightening third-quarter numbers
- David Haskin: Wi-Fi as an addictive drug
- Martin MC Brown: T1000 web performance results initial thoughts
- Shark Tank: Trick -- no treat
- Martin McKeay: Knowing enough to get you in trouble
- Jeff Boles: ILM and GFNS, relationships in the enterprise built on data management problems
- Jeff Boles: Got a messy desk? That's your problem: tying together global file namespaces and meaningful metadata...
- Douglas Schweitzer: Unauthorized use of Webmail is tough to combat!
And finally... what we did last night at Blogwatcher Towers [and I woulda godaway widit, if it weren't for dem pesky kids]
Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20-year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richij.com.