Re: Internet Attack's Disruptions More Serious Than Many Thought Possible

[InfoSec News <isn () c4i org>]

Forwarded from: B.K. DeLong <bkdelong () pobox com>

[Edited only so subscribers content filters won't throw a sh*tfit over 
a few select words. :)  - WK]


At 02:38 AM 1/29/2003 -0600, you wrote:
> Forwarded from: H C <keydet89 () yahoo com>
>
> I'm concerned that the wrong impression is being given w/ articles
> like this.

I don't normally respond to posts on ISN but frankly, I think you're going 
overboard.

> I understand that the AP's readership is much, much broader than
> SF's, but I don't see that as an excuse for describing a worm attack
> as "virus-like".  Perhaps a better idea than an incorrect analogy
> would be to actually put a brief statement in regarding the
> differences between a virus and a worm.  After all, the security
> people here have to deal w/ both users and managers who now have
> this misconception, on top of an already weak understanding of
> security in general.

In the 8th Grade, I did a science fair project on computer viruses. I
included in that category trojan horses and worms. Granted I was
programming viruses on my Apple IIe in BASIC....but things haven't
changed too much.

In my opinion, the rate at which the Slammer worm spread could be
described as "viral" similarly to the rate of a "viral" marketing
campaign or a "viral" epidemic. The fact that Slammer has all the
characteristics of a worm just allows the security community to
pigeon-hole it a little more then the general "virus"descriptor.

> Confusion on terminology is only going to weaken consumer confidence
> at large.  Why not arm the consumer with correct information, rather
> than muddling the issue w/ incorrect data?

Consumer Confidence? You think consumers would have more confidence in
Microsoft and companies running software using MS SQL if Slammer had
been described as a worm instead of a virus?! What, are you an MS
investor or something?

> Regarding the disclosure issue...MS released/disclosed a patch on 24
> July 02...a fact conveniently missing from the article.  Rather than
> an issue of how much is too much to disclose, why not address the
> real issue...the products in question should never have been exposed
> to the Internet.  The issue was only an exploitable vulnerability if
> it could be executed...and as yet, there hasn't been a valid
> business case presented for exposing that port for that application
> to the Internet.

Regardless of MS's earlier disclosure of the bug and subsequent patch
release, they sure did a crappy job at making sure customers KNEW
about the hole and so did the companies that have the software
integrated into their products

(see http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0045.html).

When you're MS, fixing the bug is only part of the solution - you need
to make extra effort to get the word out as a part of PROactive
security and not the result of reactive damage control for a major
worm outbreak.

> While Mr. Bridis did state later in his article that congestion was
> an issue, his early statements regarding corporate and gov't systems
> (banking, 911, etc) does not clearly state whether the inability to
> reach the systems described was due to infection of those systems by
> the worm, or was due to the resulting congestion on the 'Net.  The
> way the article states these issues, there seems to be confusion.
> Several folks I've spoken with came away from reading this article
> w/ the understanding that the systems were infected by the worm.

OK, I will concede that such a clarification may have been useful
however regardless of WHY said servers were unreachable....they were
still unreachable. Which goes to show that while you can have your
sh*t together but on the Internet, it only takes a handful of your
larger neighbors with outdated, insecure systems to f*ck up the whole
net.

The AP has a worldwide audience, a majority of which is your average,
newspaper-reading joe. Bridis' article (which doesn't need my defense
as it stands very well on its own) was perfectly legitimate when it
used "virus-like" to describe the Slammer worm whose effects raced
around the Internet at the speed of a viral epidemic.

Instead of nitpicking on Bridis' article, may I suggest you go after
the rest of the reporters who have no clue what they're writing about.
Ted has consistently and continues to write articles that cover
technology issues better than anyone else whose audience is the
general public.

--
B.K. DeLong
bkdelong () pobox com
617.877.3271

http://ocw.mit.edu                        Work.
http://www.brain-stream.com               Play.
http://www.the-leaky-cauldron.org        Potter.
http://www.attrition.org                       Security.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.