Interesting People mailing list archives

Internet Attack's Disruptions More Serious Than Many Thought Possible


From: Dave Farber <dave () farber net>
Date: Mon, 27 Jan 2003 23:07:57 -0500


------ Forwarded Message
From: Ted Bridis <tbridis () ap org>
Organization: The Associated Press
Reply-To: tbridis () ap org
Date: Mon, 27 Jan 2003 21:05:30 -0500
To: dave () farber net
Subject: Internet Attack's Disruptions More Serious Than Many Thought Possible

http://ap.tbo.com/ap/breaking/MGAWJE75HBD.html

Jan 27, 2003

By Ted Bridis
Associated Press Writer

WASHINGTON (AP) - The weekend attack on the Internet crippled some sensitive
corporate and government systems, including banking operations and 911
centers, far more seriously than many experts believed possible.

The nation's largest residential mortgage firm, Countrywide Financial Corp.,
told customers who called Monday it was still suffering from the attack. Its
Web site, where customers usually can make payments and check their loans,
was closed most of Monday with a note about "emergency maintenance."

Police and fire dispatchers outside Seattle resorted to paper and pencil for
hours Saturday after the virus-like attack disrupted operations for the 911
center that serves two suburban police departments and at least 14 fire
departments. 

American Express Co. confirmed that customers couldn't reach its Web site to
check credit statements and account balances during parts of the weekend.
Perhaps most surprising, the attack prevented many customers of Bank of
America Corp., one of the largest U.S. banks, and some large Canadian banks
from withdrawing money from automatic teller machines Saturday.

The surprising disruptions shook popular perceptions that vital services
were largely immune to such attacks.

President Bush's No. 2 cyber-security adviser, Howard Schmidt, acknowledged
Monday that what he called "collateral damage" stunned even experts who have
warned about uncertain effects on the nation's most important electronic
systems from mass-scale Internet disruptions.

"One would not have expected a request for bandwidth would have affected the
ATM network," Schmidt said. "This is one of the things we've been talking
about for a long time, getting a handle on interdependencies and cascading
effects." 

Miles McNamee, a top official with the technology industry's Internet
early-warning center, said the attack was "comparable to the worst of
previous denial of service attacks and if so, marks another
multibillion-dollar hit to the global Internet community."

The White House and Canadian defense officials confirmed they were
investigating how the attack, which started about 12:30 a.m. EST Saturday,
could have affected ATM banking and other important networks that should
remain immune from traditional Internet outages.

Schmidt said early reports suggested private ATM networks overlapped with
parts of the public Internet. Such design decisions were criticized as
"totally brain-dead" by Alex Yuriev of AOY LLC, a Philadelphia-based
consulting firm for banks and telecommunications companies.

Officials were most concerned about risks that citizens might lose
confidence in financial networks.

"Their bread and butter is the public being able to get access to their
accounts when and where they want them," said Ron Dick of Computer Sciences
Corp., former head of the FBI's National Infrastructure Protection Center.

The virus-like attack, alternately dubbed "Slammer" or "Sapphire," sought
vulnerable computers to infect using a known flaw in popular database
software from Microsoft Corp. called "SQL Server 2000." Microsoft said it
has sold 1 million copies of the software.

The attacking software scanned for victim computers so randomly and so
aggressively that it saturated many of the Internet's largest data pipelines,
slowing e-mail and Web surfing globally.

Congestion from the Internet attack eased over the weekend and was almost
completely cleared Monday. That left investigators poring over the
blueprints for the Internet worm for clues about its origin and the identity
of its author. 

Complicating the investigation was how quickly the attack spread across the
globe, making it nearly impossible for researchers to find the electronic
equivalent of "patient zero," the earliest-infected computers.

"Basically within one minute, the game was over," said Johannes Ullrich of
Boston, who runs the D-Shield network of computer monitors. He watched the
attack spread with alarming speed worldwide. Asia, especially Korea, was
among areas hardest-hit.

Experts said blueprints of the attack software were similar to a program
published on the Web months ago by David Litchfield of NGS Software Inc., a
respected British security expert who last year discovered the flaw in
Microsoft's database software that made the attack possible. NGS Software
sells a program to improve security for such databases.

The attack software also was similar to computer code published weeks ago on
a Chinese hacking Web site by a virus author known as "Lion," who publicly
credited Litchfield for the idea.

Litchfield said he deliberately published his blueprints for computer
administrators to understand how hackers might use the program to attack
their systems. 

"Anybody capable of writing such a worm would have found out this
information without my sample code," Litchfield said. "Just because someone
publishes a proof-of-concept code doesn't necessarily help the people we
should be worried about."

Still, Litchfield's disclosure was likely to reignite a simmering dispute
among security researchers and technology companies about how much
information to disclose when they discover serious vulnerabilities in
popular software. 

"I personally would rather people not publish exploit code," said Steve
Lipner, a top security official at Microsoft Corp.

Litchfield responded that his warnings about the threat - plus his detailed
example - might have frightened many professionals into installing software
repairs. Microsoft said the number of users downloading its repairing patch
reached 6,800 per hour Monday.



------ End of Forwarded Message
