
Be Very Wary ALWAYS

by Clownburner (Monk)
on Apr 28, 2001 at 22:36 UTC ( [id://76401]=note )


in reply to Be Very Wary Next Week...

Ok, this is the sort of thing that really bugs me.

<RANT ON> I do a fair bit of security consulting for our customers - mostly at the network infrastructure level. I used to be constantly amazed by the volume and severity of security problems being exploited on the net, but now, like most people in the security business who've been doing this for more than a few weeks, I've begun to grow jaded and cynical about the whole thing.

See, news stories like this provoke people into doing what they should have been doing all along; the danger from a few Chinese crackers is probably minimal compared to the danger posed by the legions of script kiddies out there, every day, performing "blind penetration testing" on every node that will respond to a ping or TCP port.

The excuses that these customers offer are laughable, considering that they are responsible for several hundred to several thousand nodes and multi-million dollar businesses. They range from "Oh, well, we moved Telnet to port 1234, where no one will find it" to "We're just not important enough to be a target." The sad reality is that EVERYONE is a target - random scanning tools have seen to that - and that EACH AND EVERY time a system is compromised, it weakens the security posture of the rest of the Internet. Those excuses and that attitude are what make massive Distributed Denial-of-Service attacks possible - and very difficult to defend against.

I realize most of the readers here are more clueful than most, and that largely, I'm preaching to the choir here. Having said all that, here's my public service announcement for the week:

  • Get on a security mailing list. There are dozens available. If you don't have the time or inclination to deal with the volume of mail on a list like Bugtraq, at least get on a "highlights" list like Securiteam or SANS.

  • Install the patches that apply to your operating system AS SOON AS YOU POSSIBLY CAN. This is the big one. If you do nothing but this, it will still help a great deal.

  • Follow simple rules for good security when developing applications. I'm not perfect; no-one is, but I try to be as diligent as possible when developing my own apps or making suggestions to others. At least, check the mailing list archives and Usenet for known vulnerabilities before installing unknown quantities, like some cheesy CGI messaging system written by an anonymous author. Remember the damage that can be inflicted even by something as seemingly innocuous as a Finger server.

  • Read the SANS top-ten list of security vulnerabilities, and plug them. All of them.

  • Get a firewall. Then, make sure it's configured properly - don't guess, don't think - BE SURE. Hire outside help if you need to, or run a vulnerability scan against it yourself. A badly configured firewall is worse than none at all.

  • Odds are your routers have packet filtering capabilities. Use 'em. If you prevent things like directed broadcasts and spoofed addresses from coming from your network, you reduce the risk to everyone else even if one of your hosts is compromised.

  • Passwords. Use 'em but don't re-use 'em.

</RANT OFF> Sorry for the soapbox. I just had to vent. Good luck, everybody!
Things should be as simple as possible, but not simpler. - Einstein
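
Added example, not part of the original post: a small Python model of the border-router filtering policy the post recommends (drop spoofed sources leaving the site, drop directed broadcasts aimed at site subnets). The subnets, packet tuples, and the names `border_verdict` and `audit` are constructed for illustration; this models the decision logic only, not any router's configuration syntax.

```python
import ipaddress

# Constructed site layout (documentation prefixes, assumed for this example).
SITE_SUBNETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/25", "192.0.2.128/26")]


def border_verdict(direction, src, dst, subnets=SITE_SUBNETS):
    """Return (action, reason) for one packet crossing the border router.

    direction is "out" (site -> Internet) or "in" (Internet -> site).
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    src_is_ours = any(src in net for net in subnets)
    # Directed broadcast: the destination is the broadcast address of one
    # of our subnets, so every host on that subnet would answer.
    dst_is_bcast = any(dst == net.broadcast_address for net in subnets)

    if direction == "out":
        if not src_is_ours:
            return ("drop", "spoofed source leaving site")
        return ("permit", "source belongs to site")
    if direction == "in":
        if src_is_ours:
            return ("drop", "outside packet claims inside source")
        if dst_is_bcast:
            return ("drop", "directed broadcast to site subnet")
        return ("permit", "ordinary inbound traffic")
    raise ValueError(f"unknown direction: {direction!r}")


# Constructed sample packets: (direction, source, destination).
SAMPLE_PACKETS = [
    ("out", "192.0.2.10", "198.51.100.7"),
    ("out", "203.0.113.5", "198.51.100.7"),
    ("in", "198.51.100.7", "192.0.2.127"),
    ("in", "192.0.2.10", "192.0.2.20"),
    ("in", "198.51.100.7", "192.0.2.130"),
]


def audit(packets=SAMPLE_PACKETS):
    """Apply the policy to each packet and return the list of verdicts."""
    return [border_verdict(*p) for p in packets]


if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLE_PACKETS, audit()):
        print(f"{pkt[0]:3} {pkt[1]:>15} -> {pkt[2]:<15} {action:6} {reason}")
```

The outbound source check is the part that limits damage to others when an inside host is compromised: the host can still send traffic, but not with a forged source address.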
