Information Security News mailing list archives

Internet Attack's Disruptions More Serious Than Many Thought Possible


From: InfoSec News <isn () c4i org>
Date: Tue, 28 Jan 2003 12:40:25 -0600 (CST)

http://ap.tbo.com/ap/breaking/MGAPX0P2HBD.html

By Ted Bridis 
Associated Press Writer 
Jan 27, 2003

WASHINGTON (AP) - The weekend attack on the Internet crippled some
sensitive corporate and government systems, including banking
operations and 911 centers, far more seriously than many experts
believed possible.

The nation's largest residential mortgage firm, Countrywide Financial
Corp., told customers who called Monday it was still suffering from
the attack. Its Web site, where customers usually can make payments
and check their loans, was closed with a note about "emergency
maintenance."

Police and fire dispatchers outside Seattle resorted to paper and
pencil for hours Saturday after the virus-like attack disrupted
operations for the 911 center that serves two suburban police
departments and at least 14 fire departments.

American Express Co. confirmed that customers couldn't reach its Web
site to check credit statements and account balances during parts of
the weekend. Perhaps most surprising, the attack prevented many
customers of Bank of America Corp., one of the largest U.S. banks, and
some large Canadian banks from withdrawing money from automatic teller
machines Saturday.

President Bush's No. 2 cyber-security adviser, Howard Schmidt,
acknowledged Monday that what he called "collateral damage" stunned
even experts who have warned about uncertain effects on the nation's
most important electronic systems from mass-scale Internet
disruptions.

"One would not have expected a request for bandwidth would have
affected the ATM network," Schmidt said. "This is one of the things
we've been talking about for a long time, getting a handle on
interdependencies and cascading effects."

The White House and Canadian defense officials confirmed they were
investigating how the attack, which started about 12:30 a.m. EST
Saturday, could have affected ATM banking and other important networks
that should remain immune from traditional Internet outages.

Schmidt said early reports suggested private ATM networks overlapped
with parts of the public Internet. Such design decisions were
criticized as "totally brain-dead" by Alex Yuriev of AOY LLC, a
Philadelphia-based consulting firm for banks and telecommunications
companies.

Officials were most concerned about risks that citizens might lose
confidence in financial networks.

"Their bread and butter is the public being able to get access to
their accounts when and where they want them," said Ron Dick of
Computer Sciences Corp., former head of the FBI's National
Infrastructure Protection Center. "Even during nominal disruptions,
the key is having a plan so you can provide assurances to your
customers."

The virus-like attack, alternately dubbed "slammer" or "sapphire,"  
sought out vulnerable computers to infect using a known flaw in
popular database software from Microsoft Corp. called "SQL Server
2000." The attacking software scanned for victim computers so randomly
and so aggressively that it saturated many of the Internet's largest
data pipelines, slowing e-mail and Web surfing globally.

"One thing people have always feared was that the mesh among certain
critical infrastructure sectors would be affected, and there was some
of that," said Eddie Schwartz, a vice president at Predictive Systems
Inc., which runs Internet warning centers for the banking and energy
industries.

Congestion from the Internet attack eased over the weekend and was
almost completely normal by Monday. That left investigators poring
over the blueprints for the Internet worm for clues about its origin
and the identity of its author.

Complicating the investigation was how quickly the attack spread
across the globe, making it nearly impossible for researchers to find
the electronic equivalent of "patient zero," the earliest infected
computers.

"Basically within one minute, the game was over," said Johannes
Ullrich of Boston, who runs the D-Shield network of computer monitors.  
He watched the attack spread with alarming speed worldwide. Asia,
especially Korea, was among the areas hardest-hit.

Experts said blueprints of the attack software were similar to a
program published on the Web months ago by David Litchfield of NGS
Software Inc., a respected British security expert who discovered the
flaw in Microsoft's database software last year.

The attack software also was similar to computer code published weeks
ago on a Chinese hacking Web site by a virus author known as "Lion,"  
who publicly credited Litchfield for the idea.

Litchfield said he deliberately published his blueprints for computer
administrators to understand how hackers might use the program to
attack their systems.

"Anybody capable of writing such a worm would have found out this
information without my sample code," Litchfield said. "Just because
someone publishes a proof-of-concept code doesn't necessarily help the
people we should be worried about."

Still, Litchfield's disclosure was likely to reignite a simmering
dispute among security researchers and technology companies about how
much information to disclose when they discover serious
vulnerabilities in popular software.

"I personally would rather people not publish exploit code," said
Steve Lipner, a top security official at Microsoft Corp.

Litchfield responded that his warnings about the threat - plus his
detailed example - might have frightened many professionals into
installing software repairs. Microsoft said the number of users
downloading its repairing patch reached 6,800 per hour Monday.



-
ISN is currently hosted by Attrition.org
