Information Security News mailing list archives

The Code Red hype Hall of Shame


From: InfoSec News <isn () c4i org>
Date: Fri, 10 Aug 2001 03:24:26 -0500 (CDT)

http://www.theregister.co.uk/content/55/20908.html

[I think tonight will be the last time I will be posting any
additional stories on Code Red unless it mutates into another strain
that could kick your dog, date your girlfriend and steal your car. 
All pretty unlikely, but today anything is possible.  :)   - WK]

By Thomas C Greene in Washington
Posted: 09/08/2001 at 12:25 GMT

Lemme tell ya 'bout 
The snakes, the fakes, 
The lies, the highs.... 
   --Tribe 

We've had no end of entertainment these past weeks with the Code Red
and Code Red Junior IIS worms. Vast battalions of 'security experts'
paraded themselves eagerly before the press, trotting out their finest
doomsday quotes for a shot at fifteen minutes of fame. Meanwhile,
legions of well-groomed, academically-inclined twinkies armed with
tape recorders and Masters' Degrees in journalism greedily sucked them
up, and obediently generated the most laughable headlines predicting
that Code Red would break the Internet.

Yes, it's been fun, but all good things must come to an end. Now that
the worm has slowed and the US military has reluctantly stood down
from DEFCON ONE, those amusing headlines, sadly, are drying up. So we
thought this a good moment to review the fabulous claims that our
esteemed peers have been disseminating.

But first things first.

Internet survives triple threat

While Code Red was making headlines it never deserved, two concurrent
threats to Internet stability went largely unreported. These were the
'Sircam' Outlook worm, which gobbled up a tremendous amount of
bandwidth, and an underground fire in Baltimore which obliterated a
fat swath of Internet backbone on the US East Coast.

I personally received over 200 copies of Sircam, which often included
large files -- many over 5mb, and two whoppers over 20mb.

So while Code Red was reportedly bringing Western Civilization to its
knees with its Net-destroying scans, the Internet was also fighting
off Sircam and a major backbone fracture. And it handled all three
assaults simultaneously with just the sort of resilience it was
designed to have.

Snakes and Fakes

We're still at a loss to explain how eEye Digital Security, which
discovered and publicized the .ida hole that Code Red and Code Red
Junior exploit, has managed to escape questioning by the press for its
part in the whole fiasco. Indeed, their role is tantamount to a
pharmaceutical company unintentionally releasing a disease germ.

Company staff pick apart IIS on a daily basis looking for obscure
holes which their 'Secure IIS' product can fix, and then publicize
them aggressively to market their products. It's an awkward situation:
they profit from security holes, yet they publicize security holes.
And as usual, eEye 'Chief Hacking Officer' Marc Maiffret was making a
gigantic fuss on every security list I subscribe to about the .ida
hole just weeks before Code Red appeared.

It's possible that Code Red would never have been developed if eEye
hadn't made such a big deal about the .ida hole. Of course we'll never
know if a more modest approach to putting the word out would have
altered the course of events, but the possibility certainly exists and
is worth considering.

The fact that eEye profits from the very security holes it discovers
should have been an issue in the media's Code Red coverage; but to
date only The Register has seen fit to raise it, as we did from the
beginning of our Code Red coverage, here, and again here.

For the most part Maiffret has been a media darling, explaining Code
Red to the rest of the IT press in terms which they can understand and
which neatly avoid controversy. And that's perfectly natural; he'd be
a fool to blow the whistle on himself. The disgrace here is the utter
lack of imagination and technical savvy among the IT press, who ought
to have challenged eEye's strange combination of threat discovery,
publicity seeking, and solution marketing.


--------------------------------------------------------------------------------

Next we have the Computer Emergency Response Team (CERT) Coordination
Center at Carnegie Mellon University, and the FBI's National
Infrastructure Protection Center (NIPC). While both deserve honorable
mention for not hyping the Code Red danger half as badly as the press,
they clearly emphasized the wrong aspects of the worm.

As we've pointed out several times, the .ida hole which the worm
exploits can yield system-level access to an intruder. This is a far
more important threat to Internet security than the fact that it scans
aggressively and packets Whitehouse.gov once a month. Unfortunately,
CERT and NIPC decided to push the scanning and packeting (DDoS)
threats a lot harder, probably because they realized that most media
twinks would simply fail to recognize the significance of the real
threat.

It was a bad call. While they did need to mobilize the press to
publicize the worm in hopes of reaching sleepy admins who hadn't yet
patched their machines, they let a very significant security problem
go largely unreported, while emphasizing a puff item which the press
would be more likely to run with.

People depend on CERT for hardcore security threat assessment; and
NIPC's new Director, Ron Dick, has his hands full restoring the
Center's credibility, after his predecessor, Michael Vatis, squandered
it in pursuit of headlines and photo-ops. Instead, they helped fuel
the Code Red hysteria, though, we sense, with some reluctance and
possibly with a touch of some very redeeming embarrassment.


--------------------------------------------------------------------------------

We also heard a great deal of FUD from Security outfit TruSecure's
'Surgeon General', Russ Cooper, who claimed hysterically to any
twinkie journo who would listen that Code-Red-infected machines would
scan so aggressively that the Internet would experience "a meltdown."

"If it does slow down as I expect it will, then you won't even be able
to get to Microsoft's site to install the patch," Cooper said. "I
expect that to happen."

Well, it didn't. Over a million users successfully downloaded the
patch, and the rest of the Internet kept humming right along.

And what has TruSecure got to sell us? Why, network security services,
of course.


--------------------------------------------------------------------------------

We mustn't forget GRC founder Steve Gibson, who warned in hyperbolic
multi-colored lettering that Code Red's "'growth line' is actually
exponential!"

We have to point out that only numbers can increase exponentially and
infinitely. Worm infections can't. Since there's a finite number of
unpatched IIS machines, the worm eventually keeps hitting
already-infected boxes with no additional effect (e.g., attacking a
machine while it's already infected doesn't cause it to scan at twice
the rate). After a while we get a diminishing return.

Gibson tried to argue that the infection's growth would be immense and
sustained. But as early as 3 August the rate of its spread had begun
to decline sharply, because the likelihood of finding a fresh (i.e.,
unpatched and uninfected) target had fallen off -- well --
'exponentially!'
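The saturation argument above, worked through as an added example that is not part of the original article: a minimal expected-value model of a random-scanning worm, where every probe that lands on an already-infected, patched or non-existent address is wasted. The address-space size, vulnerable-host count and scan rate are constructed assumptions, not Code Red's real figures; the shape of the curve is what matters.

```python
"""Random-scanning worm spread as a finite-population (logistic) model.

Constructed illustration: each infected host probes random addresses, and
a probe only yields a new infection if it hits a host that is still both
unpatched and uninfected. Growth looks exponential only while such fresh
hosts are plentiful; it peaks and then decays as the pool is used up.
"""


def simulate(address_space, vulnerable, scans_per_tick, initial, ticks):
    """Expected-value SI model of a random-scanning worm.

    Returns (history, new_per_tick): infected count after each tick
    (index 0 is the starting count) and new infections gained in each tick.
    """
    infected = float(initial)
    history, new_per_tick = [infected], []
    for _ in range(ticks):
        fresh = vulnerable - infected               # hosts still worth hitting
        p_fresh = fresh / address_space             # chance one probe is useful
        new = infected * scans_per_tick * p_fresh   # expected new infections
        new = min(new, fresh)                       # cannot exceed what is left
        infected += new
        history.append(infected)
        new_per_tick.append(new)
    return history, new_per_tick


def peak_tick(new_per_tick):
    """Tick in which the worm found the most fresh hosts (the 'peak spread')."""
    return max(range(len(new_per_tick)), key=new_per_tick.__getitem__)


if __name__ == "__main__":
    # Assumed numbers: 1M addresses, 50k vulnerable, 20 probes per host per tick.
    hist, new = simulate(address_space=1_000_000, vulnerable=50_000,
                         scans_per_tick=20, initial=1, ticks=40)
    peak = peak_tick(new)
    print(f"peak spread in tick {peak}: {new[peak]:.0f} new infections, "
          f"{hist[peak] / 50_000:.0%} of vulnerable hosts already hit")
    for t in (0, 5, 10, peak, 20, 39):
        print(f"tick {t:2d}: infected={hist[t + 1]:8.0f}  new this tick={new[t]:8.0f}")
```

With these parameters the count doubles every tick at first, yet the rate of new infections peaks once roughly half the vulnerable pool is infected and then falls toward zero, which is the diminishing return the article describes.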


--------------------------------------------------------------------------------

It didn't take long for veteran tech columnist Robert X. Cringely to
get infected with Gibson mania.

"Some experts believe nothing will happen at all but I believe that's
just plain wrong," Cringely writes.

"The information I will use to support this assertion was acquired
either from those, like Steve Gibson, who have disassembled and
examined the Code Red worm or from the officials charged with fighting
it, including sources at the CERT data security coordination center at
Carnegie-Mellon University, eEye Digital Security, in law enforcement,
and at several very large corporations."

Funny how most of those sources are enshrined here in our little Hall
of Shame....

"And what happens on the 20th, when the attack cycle begins," Cringely
asks rhetorically. "It depends on the number of infected machines and
the nature of the chosen target, but the worst case says the Internet
simply comes to a standstill and we go back to watching TV and talking
on the phone until the 28th day of the month and potentially until
every 28th day of the month thereafter."

Yeah, right.


--------------------------------------------------------------------------------

Finally -- saving the best for last -- we have well-known security
hustler Carolyn "Happy Hacker" Meinel, who actually got a most amusing
piece of Code Red flatulence published by Scientific American, which,
if anyone's wondering, is a middlebrow publication which prides itself
on its cutting-edge technical savvy.

Naturally, Meinel hits all the hot buttons, from bio-warfare analogies
to terrorism to DDoS attacks, to cyberwar with China:

"According to the official Chinese publication People's Daily, 'Soon
after the mid-air collision was an all-out offensive on Chinese Web
sites by US hackers.... By the end of April over 600 Chinese Web sites
had come under fire or totally broke down.... Many hackers'
organizations known as China Honkers Union and Hackers Union of China
promptly responded in an all-out cyberwar against their US
counterparts May 1 to 7. Clearly People's Daily was eager for China to
take credit for attacks through May 7. But it has been silent on Code
Red."

Now that's some Grade-A FUD. All that background clearly meant to get
us thinking that China had something to do with Code Red, followed by
a little caveat, which, by its placement, is calculated to suggest
that the Chinese are only being sneaky with this one, rather than
beating their chests as they normally do.

Meinel even went so far as to suggest that eEye created and released
the Code Red worm as a publicity stunt, as this editor's note
explains: "An earlier version of this story included a quoted
speculation that eEye Digital Security might have been involved in the
creation of the Code Red worm. EEye denies any such involvement. We
apologize for including that inadequately supported statement in our
report."

Yes, The Register is skeptical of eEye's peculiar role in the .ida
hole/Code Red debacle, but to suggest that they actually created and
released the worm is pure sleaze journalism -- or Classic Meinel, if
there's a difference.





-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.
