When Will The Next Slammer Strike?
scubacuda writes "Business Week has an article on how the Slammer worm demonstrates just 'how vulnerable the Internet remains': MS's own DBs were affected, telephone/ATM/etc were knocked out, and if the worm had occurred only 48 hours later (preventing investors' trading, 911 calls, banking services), there could have been a 'virtual Net shutdown.' Vincent Weafer, director of the computer-security outfit Symantec's Anti-Virus Response Center (SARC), says that the likelihood that a Slammer-style worm will hit at a more vulnerable moment is high."
MS's own DBs were affected (Score:3, Funny)
Hmmm...
Re:MS's own DBs were affected (Score:3, Interesting)
Re:MS's own DBs were affected (Score:2, Interesting)
Any mission-critical app simply shouldn't be on a MS system. They don't do what they say they do (Outlook 2000 can't even get sync over e-mail right given a dedicated in-house POP3 server) and charge you for tech support when you want to figure out how to work around their fucked-up code.
Time to hold M$ Accountable. (Score:5, Insightful)
The same MS that didn't apply their *own* patches ?!?
The problem that I have is, even though I don't run any Microsoft software, their incompetence keeps on screwing me around and costing me productivity.
I get hundreds of e-mail virii per day, owing partially to incompetent users, but also partially to incompetent Outlook programmers.
At the height of Code Red, I was getting hundreds of hits per day to my webserver.
That last worm effectively shut down portions of the Internet.
Now, here's the problem. If I'm driving down the road, and a Hyundai's brakes fail and cause it to run a red light and plow into the side of me, it'll piss me off, but it's a quirk, and shit happens.
If, every couple of months, a Hyundai's brakes fail and I get hit, pretty soon, I'll start to get very pissed off, not just with the idiots who drive Hyundais, but also with Hyundai itself.
This has gotten to be utterly ridiculous. We have to find some way of holding Microsoft accountable for their fucking ineptitude.
Re:Time to hold M$ Accountable. (Score:5, Insightful)
Investigations from the NTSB and all will force Hyundai to recall all their affected cars and fix the brake problem. Don't expect such actions against Microsoft.
Hold Users and Admins Accountable (Score:3, Informative)
While I agree Microsoft's track record is not good, no one is perfect.
Especially in this case as there WAS a fix.. just no one bothered to apply it. So can't blame the messenger this time. ( and yes they should have applied the patch unilaterally which IS unacceptable, but again many many people didn't, and are equally to blame for the massive troubles.. )
Yes there are *plenty* of other times you can blame Microsoft, but then again, you can *blame* other organizations ( OSS too ) as well for missing a hole out of potentially millions of lines of code.
Just be realistic, bashing one company isn't going to help any. ( and no I'm not a Microsoft fan, I'm just smart enough to see who is to blame. )
( oh, and I'm not saying don't crucify the writers of such things. They should all be strung up, right beside the spammers )
Re:Hold Users and Admins Accountable (Score:3, Insightful)
Re:Hold Users and Admins Accountable (Score:4, Insightful)
Especially In this case as there WAS a fix.. just no one bothered to apply it.
It's been mentioned before, but it bears repeating: some subsequent security patches remove the fix.
Further, Microsoft has a track record of releasing security patches that break or touch unrelated stuff, roll back other fixes, give Bill admin rights on your computer, or just plain hose your box. Because of this (and the volume of patches), keeping up with security on MS boxes is not a task to be taken lightly. You test and test and schedule downtime, and it still bites you. This is the root of this particular thornbush.
Re:Hold Users and Admins Accountable (Score:3, Insightful)
The problem is poor design. If you design easy to use software, it should be easy to use safely.
Re:Time to hold M$ Accountable. (Score:3, Funny)
I don't own a Hyundai, but I see no reason to call Hyundai drivers idiots.
Once I bought a Hyundai as a winter beater.
When I got it, it had just over 12,000km on it. I drove it for 13 months and put over 40,000km on it.
And even though I paid $100 for the car, I *still* felt ripped off.
Re:MS's own DBs were affected (Score:5, Informative)
This and MS's reputation for having to patch patches (sometimes 2 or 3 times) is why people don't jump at the chance to apply one of those damn things. It took this incident for them to make installing a simple SQL Server hotfix less than a 25 minute job.
I also downloaded SP3 4 times and every time I tried to run setup, I got a "setupsql.exe can not be found" error. I STILL don't have SP3 on my SQL server, but it's firewalled anyway so I'm not totally naked.
with the next /.post?? (Score:2, Funny)
Next strike (Score:2, Interesting)
Could someone explain... (Score:5, Interesting)
Re:Could someone explain... (Score:5, Informative)
ATMs are not connected to the internet, but to the bank's private network, which, yes, runs over TCP/IP. So a computer that got infected and had access to the internal network would be enough to crash those reachable ATMs.
Brett Glass : http://www.brettglass.com
Re:Could someone explain... (Score:5, Informative)
Re:Could someone explain... (Score:3, Informative)
Re:Could someone explain... (Score:3, Interesting)
Possible I guess that MSSQL would be in backend (?) Oracle more likely, and ATMs w/ BSOD have got to be the touchscreen GUI, IMO
Re:Could someone explain... (Score:2, Insightful)
Sounds a lot like unfounded scaremongering by people who should know a lot better to me. 911 not only runs on a separate network (telephone != internet), but is just as busy on a Saturday (if not more so) than weekdays.
In fact, sounds like the Mitnick fiasco, where any knowledge tangentially-related to the 911 system was assumed to have the power to prevent emergency calls from getting through.
How can journalists make such claims without losing their jobs?
Re:Could someone explain... (Score:4, Informative)
Actually, 911 service runs on the PSTN, as does a very large portion of the Internet. The two (Internet and PSTN) are very inter-twined, as are the vast majority of corporate (including bank) networks.
Remember, it was us geeks who convinced the suits that the Internet was the way to travel in the 21st century. Now it's our job to support that claim by providing them with a more reliable Internet.
Re:Could someone explain... (Score:5, Insightful)
Just a thought *shrugs*
Re:Could someone explain... (Score:5, Informative)
I don't know about most people, but the outage affected customers of CIBC Bank in Canada, who couldn't withdraw their cash from many machines throughout Ontario (the news said Toronto only, but it affected some of my family and friends in other areas too).
Being a customer of a different bank (TD Canada Trust), I was not affected.
Re:Could someone explain... (Score:5, Informative)
Many stand-alone ATM structures use a satellite connection from Hughes Network Systems to securely connect to their company's network. But that's the same Hughes Network Systems birds that power DirecWay and DirecPC consumer services. So, if for some reason there was a sudden surge in Internet traffic (such as a worm randomly trying to infect IP addresses without caring whether or not there is a machine capable of being infected on the other end) the ATM might not be able to get enough satellite time to complete a transaction without timing out, therefore resulting in a "lost my connection" message on the ATM.
Think of it as a VPN tunnel over a network that is used partly for Internet, and partly for other things... if the Internet goes crazy, it affects those other things too.
Re:Could someone explain... (Score:4, Informative)
Having said that, if they were affected then it demonstrates really poor planning: Any critical service should have QoS guarantees by their provider (which should have peer QoS guarantees, and so on), so if the ATM requires a minimum of x bandwidth, then the provider will guarantee that all other traffic will be throttled to accommodate it, building more bandwidth (fibre, etc) if they cannot accommodate all of their QoS guarantees at once. It most certainly seems ridiculous to even ponder things like 911 going down because of something like this.
Let me put it another way: Many telcos share the same data lines for both voice traffic (long distance calls, etc), and Internet IP traffic: Internet traffic cannot take up so much bandwidth that it impedes the voice data, as the telco will always throttle it accordingly to ensure that voice always gets through with 100% throughput. These same sorts of guarantees hold true (or should hold true) for all other system critical type services, and it is brutal irresponsibility to do anything else. When some kid with a ping program can take down your system then it points out a pretty big flaw.
Re:Could someone explain... (Score:3, Informative)
If an infected computer is on a dial-on-demand modem setup, the worm will spew non-stop Internet traffic, and the router will respond by firing up the Internet connection and using the phone line. If overall phone usage goes up a noticeable amount, that could cause routing that makes 911 a "can't get there from here" problem.
But wait, 911 is supposed to be a priority call that should be able to kick other less-important calls off the system to clear the way. So, most communities have nothing to worry about here... then again, if we were in the perfect world, worms wouldn't be a problem at all.
Re:Could someone explain... (Score:2)
Re:Could someone explain... (Score:5, Insightful)
The whole point of this problem can be simplified to bad code and bad base installs. I keep hearing people say it's not MS's problem. I work with a wide variety of products in the networking (L2 & L3+ WAN) and systems world. Any one of the vendors that I deal with would lose serious market share if their products were found to be vulnerable to something like this and they simply patched it but didn't change the base install to be "secure".
Let's start by taking an example of a comparable product -- postgreSQL. We all know that a recent patch to this product fixed a possible remote exploit. Certainly the bug shouldn't have been there and it was something that should be patched. However, the point is that the postgreSQL base install doesn't even allow remote connections. In fact, the config file tells you that without remote connections allowed, it's still probably a liberal configuration that should be locked down more.
I'll buy that MS has a large market share and that occasionally something will get through the normal protections; however, the base installs should be locked down. Why aren't they? It's a question that is very simple to answer.
MS sold the Internet community a grand story. In this story, running a server is a simple task that anyone can do. For this story to be believed, they have to have the base install do everything out of the box without any special configuration which might require a real administrator, dba, network design specialist, etc. If the products were actually locked down like they should be (like most of the competing products are), MS would have a bigger job in support calls because 80% of the non-administrators that work with MS platforms would be ill-equipped to handle the proper configuration of the server to get it to work.
I have a product that I use on linux that was written with this kind of security in mind. The config file is riddled with lines like: die "you didn't go through your config file!". If you don't completely configure the product, it keeps dying on startup. This is how products should be released--locked down and set to die if the configuration is not explicitly setup by the admin with them being aware of the dangers to each option they set back on.
I also hear a lot of people complaining that people didn't install the patches, I again go to the point of the base install. If the product's base install were locked down, far fewer databases would have been open even if they were unpatched. Seriously, let's be reasonable, why should an SQL server open ports by default to anything except maybe 127.0.0.1. Many databases now only need one or two subnets open anyway since their database interaction goes on with an application server (often a web server) which serves as the db client for the users anyway and quite a few databases on the lower end systems (where most of the sysadmins who don't know how to lock things down are) reside on the same box as the app services.
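The "locked down and set to die if the configuration is not explicitly set up" pattern from the post above, written out as an added example. This is not code from the thread or from any product it names (postgreSQL, SQL Server or the unnamed Linux tool); the key names, the CHANGE_ME sentinel and the acknowledgement flag are all hypothetical. It ships with a loopback-only bind, refuses to start while any placeholder is still in the file, and will not open the listener beyond 127.0.0.1 unless the admin has both named the allowed client networks and explicitly acknowledged the risk, which is also the loopback-only advice given further down the thread.

```python
"""Refuse-to-start configuration validation for a network service (added example)."""
import ipaddress

# Sentinel that ships in the default config; the admin must replace it.
UNSET = "CHANGE_ME"

# Constructed default config, as it would ship "locked down".
DEFAULT_CONFIG = {
    "listen_address": "127.0.0.1",      # safe default: loopback only
    "listen_port": "1433",
    "allowed_clients": UNSET,           # comma-separated CIDRs, must be set
    "admin_password": UNSET,            # must be set
    "i_understand_remote_access_risk": "no",
}


def parse_config(text):
    """Parse 'key = value' lines over the defaults, ignoring blanks and # comments."""
    cfg = dict(DEFAULT_CONFIG)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key = value")
        key, value = (part.strip() for part in line.split("=", 1))
        cfg[key] = value
    return cfg


def validate_config(cfg):
    """Return the list of reasons the service must refuse to start (empty means ok)."""
    problems = []
    for key, value in cfg.items():
        if value == UNSET:
            problems.append(f"{key}: placeholder {UNSET!r} was never replaced")

    addr = cfg["listen_address"]
    try:
        bind = ipaddress.ip_address(addr)
    except ValueError:
        problems.append(f"listen_address: {addr!r} is not an IP address")
        return problems

    if bind.is_loopback:
        return problems  # loopback-only: nothing else to check

    # Anything beyond loopback needs an explicit, conscious decision.
    if cfg.get("i_understand_remote_access_risk") != "yes":
        problems.append("listen_address: non-loopback bind requires "
                        "i_understand_remote_access_risk = yes")
    if cfg.get("allowed_clients") != UNSET:
        for cidr in cfg["allowed_clients"].split(","):
            cidr = cidr.strip()
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"allowed_clients: {cidr!r} is not a CIDR")
                continue
            if net.prefixlen == 0:
                problems.append("allowed_clients: a /0 would expose the service to everyone")
    return problems


def start_or_die(text):
    """Mimic the 'die on startup' behaviour: return the config or raise SystemExit."""
    cfg = parse_config(text)
    problems = validate_config(cfg)
    if problems:
        raise SystemExit("refusing to start:\n  " + "\n  ".join(problems))
    return cfg


if __name__ == "__main__":
    # Constructed config file that an admin has actually gone through.
    sample = """
    listen_address = 10.0.0.5          # app server subnet only
    allowed_clients = 10.0.0.0/24
    admin_password = not-the-default
    i_understand_remote_access_risk = yes
    """
    print(start_or_die(sample))
```

Running it with an empty file (i.e. the shipped defaults) exits with the two unreplaced placeholders listed; setting a non-loopback address without the acknowledgement line adds a third reason. The point is the shape of the default, not the particular keys: every option that widens exposure starts closed and has to be opened by hand.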
Switch them all to open source (Score:2, Funny)
If they catch the guy... (Score:2, Funny)
Re:If they catch the guy... (Score:5, Funny)
Not just let's throw him in the Slammer. Let's throw him in Federal Pound-Me-In-The-Ass prison [*] with a cellmate who's affectionately known as... the Slammer.
"So, Mr. Worm Writer, are you enjoying your cellmate's one-eyed worm?"
[*]
Government Funding of Security/Virus Prevention (Score:3, Interesting)
I know way too many people who can't afford 50 bucks on a virus scanner or decent firewall software in College, and I saw Nimda infections up until the end of last year.
If people could get this type of thing for free - money that would ultimately ensure the safety of the net at large - I think it should be done.
Re:Government Funding of Security/Virus Prevention (Score:5, Informative)
It [kernel.org] is [freebsd.org].
who can't afford 50 bucks on a virus scanner or decent firewall software
Then don't pay [com.com] 50 bucks.
I saw Nimda infections up until the end of last year
Norton and McAfee both provided free available Nimda removal tools. Besides, if you can afford IIS, you can afford a virus scanner.
Re:Government Funding of Security/Virus Prevention (Score:3, Insightful)
Re:Government Funding of Security/Virus Prevention (Score:5, Informative)
Re:Government Funding of Security/Virus Prevention (Score:4, Insightful)
I think we ought to make virus-protection code public and government funded.
That doesn't help with new viruses, like the one this story is about.
The problem is with patching. People don't install the available security patches. This problem had been known about for half a year.
And some people refuse to install Microsoft's newer service packs, because of the changed license on them, which has some pretty gross clauses in it. I think that's almost criminal behavior by MS - "yes, we fixed the fatal bug in the software we licensed to you, but to get the patch you have to agree to some new random clauses - say, give us full access to your computer".
On the other hand, if they had that full access, I think that at least their service packs would be installed, and these attacks wouldn't be so successful.
But I'll just stick with Linux, myself :-)
Re:Government Funding of Security/Virus Prevention (Score:2, Interesting)
Yes (Score:3, Informative)
And not only that, nonprofits and edu can get the server version of Norton Anti-Virus for FREE from techsoup.com.
So it's doubly stupid that any college got hit.
Re:Government Funding of Security/Virus Prevention (Score:3, Insightful)
There's also the problem that a "service pack" might alter things you didn't want to change in the process of fixing any bugs.
Re:Government Funding of Security/Virus Prevention (Score:4, Informative)
http://housecall.trendmicro.com
Free Java-based scanner, works well. I've used it many times when I'm out fixing someone's computer and they don't have a decent scanner.
Re:Government Funding of Security/Virus Prevention (Score:2)
I think that you're right in that College students should be given virus and firewall software for free, but I think that it should be the responsibility of the network that they connect to the internet through. Most likely the school they attend. Perhaps ISPs should be picking up a bit of the bill for "internet only virus" scanners.
Re:Government Funding of Security/Virus Prevention (Score:3, Insightful)
People don't like the government to butt into their lives (unless it directly benefits them). Unless the project was funded by the government but in the hands of another body, I don't see it going anywhere.
-Matt
Re:Government Funding of Security/Virus Prevention (Score:3, Insightful)
I think some more thought about how we build and patch software needs to happen.
Virus scanners are a crutch.
Re:Government Funding of Security/Virus Prevention (Score:3, Informative)
So EVERYONE has access to a program that installs easily, is FREELY downloadable, and requires only minimal maintenance (update your damn definitions once in a while.) And yet, we still have Nimda and Klez flying around. Probably right now, there are Nimda infections running around on our network.
People can be so incredibly dense when it comes to this stuff. We even have a virus scanner sitting on the mailserver, and STILL this shit abounds.
And Klez still manages to find my email address once in a while in some poor dope's addressbook, sending it around the world. Fabulous. School networks are a foul, foul microcosm that provide fertile breeding grounds for this shit.
The biggest problem is, you can't MAKE people take basic security precautions. Some poor stupid college freshman who can't download a goddamned virus scanner sends out a fresh batch of Nimda every day. Should there be action taken against him?
I'd love to see this stuff government-mandated. I really would. But I just don't know how possible it is in today's climate. I'd be overjoyed to see some semblance of security restriction imposed upon companies like Microsoft, that wave a patch around saying "Our ass is covered! We didn't do it!" when 1) they didn't patch their OWN systems 2) the patch breaks everything else.
But will it HAPPEN? Does government have the understanding of technological matters to make this happen without impinging more on our freedoms than they already do? I'm not feeling too reassured right now.
Re:Government Funding of Security/Virus Prevention (Score:2)
Re:Government Funding of Security/Virus Prevention (Score:5, Insightful)
Have I stepped out of Slashdot and into some kind of parallel universe where open source doesn't exist?
The schematics for my firewall and all public daemons ARE available, some of them even "at my front door".
So there are twice as many [netcraft.com] Apache vulnerabilities as IIS vulnerabilities? And don't give me that "there are more Windows users ... " excuse. If you want to affect the WWW at large, you attack that which comprises more than half the entire WWW, that being Apache. Were your logic correct, there would be a plethora of Apache vulnerabilities. The fact remains that a quality codebase, rather than a small userbase, defines the relative security of a product.
Nice troll, though. It looked really sincere.
Re:Government Funding of Security/Virus Prevention (Score:3, Informative)
There are also a number of firms that park domains who have thousands of generic pages running IIS.
The monthly Netcraft survey analyzes the results, and accounts for statistical oddities, like the months where one particular provider was waffling back and forth between Apache/IIS and causing a large skew in the numbers.
The fact remains, however, that Apache had a foothold long before IIS was unleashed to the Internet, has had a wider base of testers and more high-end applications than IIS. Whether or not the Netcraft numbers are accurate to within 2% or 5%, they do reflect an accurate picture of the state of the web, closer than any other survey has ever been, and as such are the most respected source of statistical web server data. But by all means, if you can show me a better source than Netcraft who disclose their methods, I'm all ears.
This is nothing yet (Score:5, Interesting)
The scariest thing is actually that this kind of damage is being done by a worm that doesn't actually do anything except spread itself (as far as I know, anyway).
Damage would be much worse if these things started cleaning hard drives after the action (yeah yeah, backups - just like all your databases always have the latest patches, right?)
Re:This is nothing yet (Score:5, Insightful)
I would think that damage would be worse if the worm just sat quietly for a few weeks (or even months), slowly corrupting data in the database. At that point, backups may not be usable; at some point either the last backup media has been recycled, or new entries to the database would be too expensive to re-enter.
A "stealth" worm, whose primary focus is remaining undetected rather than consuming huge amounts of resources would be a lot more devastating than an obvious one.
Did you see the invisible gorilla? (Score:3, Interesting)
(On the other hand, writing a stealth worm is probably harder than it looks. Some sites carefully scrutinize their network traffic, and it only takes one of them to spot you. But would they tell anyone else?)
Re:Stealth worm (Score:5, Funny)
Cancelling a meeting decreases your productivity? Whoa.
Re:This is nothing yet (Score:2)
On the contrary, in addition to spreading itself, it launches spoofed keepalive packets to SQL Servers which then bounce around between the servers indefinitely.
That's how it managed to have such an impact on the Internet.
Re:This is nothing yet (Score:2)
Holy cow! Even SYMANTEC agrees?!?!? (Score:2, Funny)
Wow, even SARC's director thinks a worm attack is likely? If someone that unbiased thinks so, I'd better upgrade my antivirus software now!
I'm glad there's a "Post Anonymously" option--I only wish the "Post Posthumously" option were still there.
Release Good worms to do the patching.. (Score:3, Funny)
Incompetent people. (Score:3, Insightful)
Or you can just physically locate all the major routers/backbone of the net and somehow disable it, physically... yeah, you, get up and demonstrate how vulnerable the net is!
Re:Incompetent people. (Score:2, Informative)
When Will The Next Slammer Strike? (Score:5, Funny)
Re:When Will The Next Slammer Strike? (Score:2, Funny)
Two ways of "solving" this problem . . . (Score:5, Insightful)
In my opinion, there are two ways that people will react to the problem of exploits in computer software:
In the short term, I expect that the most recent attack will provide a huge sales boost to pre-packaged "security solutions" like firewalls, virus protection, etc. and will probably be used as an extra card that the government can play when arguing for implementing a comprehensive Internet monitoring system. Of course, both of these things are unfortunate, as neither one promotes security and the latter gives the government way too much power . . .
Long term, the best protection against exploits in computer software is a shift in attitude about where software companies should place their priorities. At present, it is more lucrative for companies to push a piece of software out the door and sell upgrades than to spend extra time developing secure software. Only a strong fiscal mandate from corporate customers will change the way software companies do business . . . and I hope that mandate comes soon.
Automated patch deployment systems (Score:4, Insightful)
Also, companies with hundreds or thousands of machines to administer will probably start buying large-scale third-party automated patch deployment systems. A system like Everguard [dvpm.com] or Patchlink [patchlink.com] or Bigfix [bigfix.com] will let you know where there are unpatched vulnerabilities on your network, help you patch them, and check that they've been patched.
Most of these systems are cross-platform and at least one uses a linux-based [linuxjournal.com] server.
WFT has Linux got to do with this. (Score:2, Funny)
This is like stating the folks at a ballgame that bought popcorn, instead of the Hotdogs everyone got food poisoning from, were affected as well due to restroom crowding. Sheesh
Monocultures (Score:2, Insightful)
Internet not vulnerable (Score:2, Insightful)
Analysis of the Slammer/Sapphire worm (Score:5, Informative)
Re:Analysis of the Slammer/Sapphire worm (Score:4, Interesting)
Microsoft products aren't for internet use (Score:5, Insightful)
Scary stuff, kids (Score:5, Interesting)
This worm required roughly 10 minutes to spread worldwide making it by far the fastest worm to date. In the early stages the worm was doubling in size every 8.5 seconds. At its peak, achieved approximately 3 minutes after it was released, Sapphire scanned the net at over 55 million IP addresses per second. It infected at least 75,000 victims and probably considerably more.
I read that and my jaw just dropped.
This worm, from what I've read (these aren't my conclusions; I'm not that smart), did two very interesting things. The first is that it used one UDP packet to spread: no waiting around for the three-way TCP handshake, no hanging waiting for a reply, just send and move on to the next one. From what I understand, that's pretty new. Second, it caused most of its damage not by trashing filesystems or anything like that, but just by spewing *huge* amounts of traffic.
The first is interesting because as a tactic, it'll almost certainly be copied. The second is interesting because it probably won't be copied.
Well worth your time; it's fascinating -- and frightening -- reading. Get it here:
http://www.caida.org/analysis/security/sapphire [caida.org]
I'm curious... (Score:3, Interesting)
Just my two cents though.
Now or Never (Score:3, Interesting)
Likelihoods (Score:5, Insightful)
Likelihood that it will affect a Microsoft product: pretty high
Likelihood that it will exploit a flaw that was fixed the summer before: almost certain
As far as I'm concerned those with low maintenance co-located servers should pay more attention to security bulletins so that when a major patch does come out they can fix it, then when something does hit their several-year-old computer it won't be thrashed to death by modern worms.
Evolution ? (Score:2)
I am certain that there is a proportional relationship to the size of the impact of a worm and the time till the next big virus/worm outbreak. Basically after a worm strikes people suddenly become a lot more security conscious but this wears off after about 6 months (which is why we get roughly 1 or 2 of these events a year).
I also can't help thinking that a massive attack capable of bringing about a "virtual net shutdown" (something that hasn't really happened yet) would cause so much trouble that security would become such a focus that measures would be taken to ensure that worms can't flourish on the net (mandatory use of firewalls ?, OS's that update themselves ?).
When Will The Next Slammer Strike? (Score:3, Funny)
We are lucky.... (Score:2)
If efforts continue to go on discovering who it was, instead of solving the real problem (widespread common vulnerabilities in zillions of interconnected computers), the next worm will probably properly be called the "warhol worm".
You need only one capable worm writer who gets pissed off or tired of life or whatever, and losses could be huge.
Any database access (Score:5, Insightful)
If you really must allow remote SQL access do it over a VPN, that's what they are there for.
If on the other hand you are providing data for your web site then either lockdown the db software to only accept connections on localhost or even better just don't allow it through your router/firewall.
It's about time these security alert companies put some sort of "a sysadmin of the following competence level would have prevented this from being an issue".
Many people didn't know they had a database... (Score:5, Informative)
To be fair, Linux distros used to default install Apache and leave it up and running by default. I don't know of any that do that by default any more - Linux distro developers learn from their mistakes.
How often SHOULD one update? (Score:4, Insightful)
Of course patches should be made available asap, but I'm talking about more routine items.
IMHO, a comprehensive service pack, that rolls up all fixes to a certain date, and is tested, is the best. This needs to be done semiannually to annually for current products.
But what are some other views on how often you should take a working system and update it?
The eggbasket is pretty full already (Score:3, Insightful)
2. ????
3. Loss
Overkill (Score:2)
appears to be a kinda weak way to pick on microsoft today. Now, don't get me wrong... I LOVE trashing microsoft. It brings the worst linux and windows fanboys out to raise pure hell defending their favorite OS and/or decision in what to run on their hard earned hardware. You get to read tons of emotion filled posts with little to no fact checking, then read the replies from clueful people that tear those posts apart.
This story just feels kinda cheap is all. Like beating a stable full of dead horses. It also only serves to whip up the fanboys and make them that much more zealous in their defense of their pet OS's, and increasingly silly in their replies.
If the goal is enlightenment for the masses, we are missing the mark.
Hrm (Score:2, Insightful)
Or is it all those sysadmins who didn't install the patch because of annoying reboots and problems with the new patch?
Regulation (Score:5, Insightful)
Thing is, we're dealing with an industry (the IT industry) that does not have the safety regulations and standards common in older sectors. There is no standard saying what steps must be taken to prevent your own systems damaging others, and no regulatory body to enforce compliance. Worms like this are creating a pressure to bring IT into line with the more, hm, predictable business areas.
Over time, IT, like other industries, will move toward public safety standards such as we see in transport, manufacturing, finance, and all those *boring* businesses. It's a necessary part of the evolution of this industry from backrooms to ubiquity, I guess.
In 20 years time we'll probably see the government fining companies that don't patch their servers to a certain standard, just like we see airports and tire makers being fined now.
This just reinforces what I've been thinking for a while now... time to move away from IT itself and into IT law/management/business...
Film at 11! (Score:3, Insightful)
For all the publicity it gets, and tons of anecdotes that slammer really threw some places for a loop, it does seem that the system is pretty robust.
But OFFLINE BACKUPS seem to be more and more of a must. Slammer didn't have much of a payload, but something like this could, and any system you're responsible for had better have plans...
But the weekend is the best time for a worm (Score:5, Interesting)
If it WAS let out during business hours, would it have gotten so far? Would it have caused much damage at all?
Re:But the weekend is the best time for a worm (Score:3, Informative)
I thought the whole reason worm writers release their creations in the weekend is so they have the best chance to spread before sysadmins wake up and realise what is happening.
Actually, the worm "armed" its attack before it "struck". It infected a large number of machines silently, without much noise, and at the given time, it opened up the fire hoses on the Net..
I haven't heard much mention about this anywhere, but if you graph the attacks (if you had properly configured Snort, for example) you can see the attack curve rise to its maximum in just under 20 minutes.
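Reconstructing that attack curve from IDS alert lines, as an added example that is not part of the post above and not code from Snort. It bins one-line alerts per minute, then reports the minute the alert rate left its baseline and how many minutes it took to peak, which is the rise the poster describes seeing in a graph. Only the line layout is modelled on Snort's fast-alert output; the alert lines, the rule id 1:1000001 and the signature text are constructed for the example, and the baseline window and "ten times baseline" onset rule are assumptions, not anything the thread states.

```python
"""Attack-curve reconstruction from constructed IDS alert lines (added example)."""
import re
from collections import Counter

# Regex for the one-line alert format used here (assumption: Snort-like layout).
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d):\d\d\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alert(line):
    """Return the interesting fields of one alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields


def attack_curve(lines, proto="UDP", dport=1434):
    """Count alerts matching proto/dport per minute; returns sorted (minute, count) pairs."""
    per_minute = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert and alert["proto"] == proto and alert["dport"] == dport:
            per_minute[alert["ts"]] += 1
    return sorted(per_minute.items())


def ramp_summary(curve, baseline_minutes=10, factor=10):
    """Locate the onset (first minute at or above factor * baseline mean) and the peak.

    Returns (onset_minute, peak_minute, minutes_from_onset_to_peak), or None when
    there is too little data or the rate never leaves its baseline.
    """
    if len(curve) <= baseline_minutes:
        return None
    baseline = sum(count for _, count in curve[:baseline_minutes]) / baseline_minutes
    threshold = max(1.0, baseline * factor)
    onset = next((i for i, (_, count) in enumerate(curve) if count >= threshold), None)
    if onset is None:
        return None
    peak = max(range(len(curve)), key=lambda i: curve[i][1])  # first maximum wins
    return curve[onset][0], curve[peak][0], peak - onset


def constructed_alerts():
    """Build sample alert lines: 10 quiet minutes, then a doubling ramp, then a plateau."""
    lines = []

    def emit(minute, count):
        for k in range(count):
            lines.append(
                f"01/25-05:{minute:02d}:{k % 60:02d}.000000  [**] [1:1000001:1] "
                f"CONSTRUCTED SQL-server UDP 1434 probe [**] [Priority: 2] {{UDP}} "
                f"203.0.113.{k % 250 + 1}:{1024 + k} -> 198.51.100.4:1434")

    for minute in range(10):                     # baseline: 2 alerts per minute
        emit(minute, 2)
    for i, minute in enumerate(range(10, 22)):   # ramp: 4, 8, 16, ... 8192 per minute
        emit(minute, 4 * 2 ** i)
    for minute in range(22, 25):                 # plateau at 8192 per minute
        emit(minute, 8192)
    # Lines the curve must ignore: unparseable noise and an unrelated TCP alert.
    lines.append("this is not an alert line")
    lines.append("01/25-05:12:00.000000  [**] [1:1000002:1] CONSTRUCTED TCP 1433 "
                 "login attempt [**] [Priority: 3] {TCP} 203.0.113.9:2222 -> 198.51.100.4:1433")
    return lines


if __name__ == "__main__":
    curve = attack_curve(constructed_alerts())
    for minute, count in curve:
        print(f"{minute}  {'#' * min(count // 128, 64)}  {count}")
    print("onset, peak, minutes to peak:", ramp_summary(curve))
```

Run stand-alone it prints a crude text histogram of the constructed curve and the onset/peak summary. On real data the same two functions work on a `fast`-style alert file read line by line; the useful operational number is the gap between onset and peak, since that is the window in which blocking the destination port at the border still buys anything.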
From the article... (Score:3, Insightful)
Sheesh. If you use VPNs over the internet, you're getting WAN connectivity and 95+% reliability on the cheap. But it's a trade off.
Not "the Internet" that's vulnerable (Score:3, Informative)
No, it demonstrates just how vulnerable a number of sites on the Internet that ought to know better are. "The Internet" stayed running just fine, though it maybe slowed down a bit in places. I certainly didn't notice any noticeable reduction in spam over it.
patches and rips (Score:5, Interesting)
My offtopic question is: why doesn't this happen with Linux ? (or does it happen with Linux?)
I don't use Linux and I'm not a bona fide geek (I've never had 'root' access, which seems to be one of the key requirements --- that may change now that I use Mac OS X), and I've always wondered why using fixes, new functions, patches, whatever, written by numerous different people hasn't turned Linux or other open source into a non-functioning morass of code. I read Eric Raymond's The Cathedral & the Bazaar [oreilly.com] but I didn't really feel like he answered the question, other than referring to the gospel of Linus "with enough eyes, any bug is shallow."
Isn't an operating system more complicated (or at least more fundamental) than an application? Why doesn't (or how often does) fixing one bug in Linux create two new ones?
blog-O-rama [annmariabell.com]
Patches-why linux's are stable while ms's aren't (Score:3, Informative)
Like other posters said, this does happen with Linux, but not as much. There are reasons why.
Many good Open Source projects will usually separate their releases into two branches: stable and experimental. For example, in the Linux kernel, if the second number is even (x.2.x or x.4.x), then it is a "stable" release. If the second number is odd (x.3.x or x.5.x), then it is an experimental release.
Most of the time new features are only put in the experimental release. There are features officially classified as experimental in the stable release, but you can only use them (or even see them) if you check the "prompt for development or incomplete drivers" option. There have been mishaps where a feature was added in the middle of a stable release and caused problems. One such example is the changes to the virtual memory system in about 2.4.4.
Another reason this doesn't happen as often is many of the serious open source programmers do everything they can to prevent/fix bugs and are paranoid about security. Microsoft doesn't seem to care. When I run win98, there are always system crashes, settings being changed when I don't want them to, unstable programs (which are supposedly being made by professional companies) making other programs/the whole system unstable.
In Linux, these problems are virtually nonexistent. I haven't seen many programs which will bring Linux down, and most of those don't crash the kernel. A buggy SVGAlib[1] program will either screw up the video or screw up the keyboard and disable virtual console switching[2]. XFree86 doesn't have this problem. Most buggy programs in X don't seem to affect it at all--there are problems such as X crashing with huge font sizes, but the main system was running fine. I just had to restart X. A misconfigured X may screw up the display, but most of the time I can use Ctrl-Alt-Backspace to kill X, display restores, and I fix the problem. Also, when Ctrl-Alt-Delete still works, it will properly shutdown the system--unlike Windows.
Linux/open source has problems, but Microsoft has many more. In my twenty some years of using computers, I haven't seen anyone produce crappy software as Microsoft--except for script kiddies and the low end of shareware programmers.
They do have project leaders and others who verify the patches. Open source projects don't accept just any old patch--there is a process of reviewing and testing submitted patches. This also varies from project to project. Some maintainers will just slap in anything, but the maintainers of very good and stable projects will try to understand what the patch is doing before even testing it out. It is a very long and arduous process to get a patch for a new feature into something like the Linux kernel. There are plenty of such patches floating around. For example, Openwall Linux [openwall.com] is a kernel patch that adds security features. From what it sounds, it may never get into the official kernel...
An OS is the most fundamental part of the software. Any bug in the OS will often cause major problems everywhere. As to an OS being more complicated, it depends on the system and what you choose to define as the OS. Some people consider only the kernel/core part as the OS, and others include "essential" libraries--the definition of essential can vary greatly. Still some others include basic utility programs part of the OS.
Any change in a project can cause a new bug, but as I said, they review and test the patches, so this doesn't happen as much as you seem to think it would. The problem with Microsoft bug fixes is they don't seem to test their changes very well, and they often bundle new (and possibly unwanted) features/modifications with these fixes. These features/ mods may have bugs or cause other problems. The high-end open source projects shy away from this practice. That is why they have a different branch marked experimental (or unstable)-- people who want to test (or use) the bleeding edge features can do so without affecting the stable branch.
Footnotes:
[1] SVGAlib is a library which allows a program to draw graphics on the screen with a virtual console. This library is dangerous because it requires the program to run as root (often suid root, which means any user will have root access with the program until the program drops privileges). The framebuffer is slightly safer because it is a kernel driver and you don't have to run it as root. Both of these can easily leave the video card in a messed up state if the program doesn't use them properly.
[2] The virtual console is a part of the Linux kernel which handles the video display. In Linux there are multiple of these virtual consoles, and one can switch between them freely using the Alt key plus the arrows/function keys. Alt+F1 will switch to virtual console # 1. Alt+2 #2, and so on. A problem arises if a program sets raw keyboard mode (such as many SVGAlib/framebuffer programs do) as this disables the kernel from recognizing an Alt+function key as a request to change consoles.
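Footnote [1] says a suid-root program "has root access until the program drops privileges", and whether that drop actually sticks depends on doing it in the right order. The following is an added example, not code from the post or from SVGAlib: `drop_privileges` performs the drop the way a setuid-root helper should (supplementary groups and gid first, while still root; then all three uids; then a check that root cannot be regained), and `drop_privileges_wrong_order` shows the common mistake of setting the uid first. Because the runner cannot execute as root, `FakeOS` is an assumed stand-in that models the relevant Linux rules (setgroups needs euid 0; an unprivileged setres[ug]id may only reuse values already in its real/effective/saved triple); on a real Linux box the same functions run against the `os` module.

```python
import os


class PrivilegeDropError(RuntimeError):
    """Raised when the process cannot prove it has irreversibly given up root."""


def drop_privileges(uid, gid, osmod=os):
    """Irreversibly drop from root to uid/gid.  Order matters: supplementary groups
    and the gid go first because changing them needs root, and the uid is set last
    in all three slots (real, effective, saved) so root cannot be regained later."""
    if osmod.geteuid() != 0:
        raise PrivilegeDropError("not running with effective uid 0; nothing to drop")
    if uid == 0 or gid == 0:
        raise PrivilegeDropError("refusing to 'drop' to uid/gid 0")
    osmod.setgroups([])                  # 1. clear supplementary groups (needs root)
    osmod.setresgid(gid, gid, gid)       # 2. gid before uid (needs root)
    osmod.setresuid(uid, uid, uid)       # 3. uid last, including the saved uid
    try:                                 # 4. verify: getting root back must now fail
        osmod.setuid(0)
    except PermissionError:
        pass
    else:
        raise PrivilegeDropError("privilege drop was reversible: setuid(0) succeeded")
    if osmod.getresuid() != (uid, uid, uid) or osmod.getresgid() != (gid, gid, gid):
        raise PrivilegeDropError("credentials were not fully replaced")
    return True


def drop_privileges_wrong_order(uid, gid, osmod=os):
    """The classic mistake: uid first.  The setresgid that follows runs unprivileged
    and fails, leaving a process that is no longer root but still carries gid 0."""
    osmod.setresuid(uid, uid, uid)
    osmod.setresgid(gid, gid, gid)
    osmod.setgroups([])


class FakeOS:
    """Assumed simulation of Linux credential rules, used because the example cannot
    run as root here.  Starts as root (all ids 0) like a freshly exec'd suid binary."""

    def __init__(self):
        self.uids = [0, 0, 0]        # real, effective, saved
        self.gids = [0, 0, 0]
        self.groups = [0]

    def geteuid(self):
        return self.uids[1]

    def getresuid(self):
        return tuple(self.uids)

    def getresgid(self):
        return tuple(self.gids)

    def setgroups(self, groups):
        if self.geteuid() != 0:
            raise PermissionError("setgroups")
        self.groups = list(groups)

    def _set(self, current, new, name):
        # Unprivileged callers may only choose values already in their own triple.
        if self.geteuid() != 0 and any(v not in current for v in new):
            raise PermissionError(name)
        current[:] = list(new)

    def setresuid(self, r, e, s):
        self._set(self.uids, (r, e, s), "setresuid")

    def setresgid(self, r, e, s):
        self._set(self.gids, (r, e, s), "setresgid")

    def setuid(self, u):
        if self.geteuid() == 0:
            self.uids = [u, u, u]        # root: all three ids change
        elif u in self.uids:
            self.uids[1] = u             # unprivileged: may only swap to a saved/real id
        else:
            raise PermissionError("setuid")


def demo_wrong_order(uid=1000, gid=1000):
    """Run the wrong-order drop against FakeOS and report what it left behind."""
    fake = FakeOS()
    try:
        drop_privileges_wrong_order(uid, gid, osmod=fake)
    except PermissionError as exc:
        return (type(exc).__name__, fake.getresuid(), fake.getresgid())
    return ("no error", fake.getresuid(), fake.getresgid())


if __name__ == "__main__":
    fake = FakeOS()
    print("correct order:", drop_privileges(1000, 1000, osmod=fake), fake.getresuid(), fake.getresgid())
    print("wrong order:  ", demo_wrong_order())
```

The check in step 4 is the part most suid programs omit; without it a drop that silently set only the effective uid (a plain `setuid` on some older systems, or a partial `seteuid`) would look successful while the saved uid 0 was still there to come back to.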
Re:patches and rips (Score:5, Insightful)
1) Linux the kernel is distinctly independent from the applications that it runs and from the vast majority of device drivers that it hosts. This is most likely the single most important factor. For example, fixing Apache does not require tampering with the kernel, which in turn does not require tampering with the web browser, which in turn does not require tampering with the task manager, which in turn does not require tampering with the database server. With Windows, changing one area touches every single other part of the entire system, including some very large applications (because they are integrated with the kernel).
2) Security releases are fast, furious, and focused. Only the affected pieces are replaced. When OpenSSL was compromised by Slapper, only OpenSSL was fixed. The fix didn't have to touch a hundred completely unrelated areas as happens when your entire kit and kaboodle (Windows) is tied together by spaghetti clusters. The fixes are released immediately after the vulnerability is discovered, and the full scope of the fix is detailed (parts are not hidden, as is the case with Windows). And the fixes, if anything was missed the first time, continue until the problem is eradicated.
3) Full disclosure. The vulnerability is fully disclosed to the user base ASAP, and details provided to allow us to confirm the vulnerability. Since the vulnerable parts of the system are separate and distinct, fixing the individual parts can occur on a continuous basis. That is, not every affected component has to be fixed before other fixed pieces can be distributed.
Not being a security type person, these are only things I can think of off the top of my head based on my own limited experience.
Worm indicates massive back-end udp exposures? (Score:5, Interesting)
I find it very difficult to believe major corporation firewalls would allow UDP 1434 inside from Internet. Some, maybe - but few.
So: I rule out direct penetration from the Internet for most corporate environments.
2. Worm was memory resident only. Reboot cleared it.
Most user PC's would be rendered useless by the worm. CPU and local Network saturation would do that. So I doubt that people got infected and THEN VPN'ed into work. They would reboot, clear the worm, possibly get re-infected - but I doubt if they would be able to bring an already infected machine into work via VPN.
Note: If split tunneling was allowed then it is quite possible for an already connected home PC to act as a vector into a company - my guess is that this is NOT common.
So: I rule out employee remote access as a primary vector.
3. This leaves me with back-end connectivity across private "trusted" comm channels. ( i.e. Frame )
I know this was a vector in at least one case - and the circumstances ( misconfigured ACL's that were overly generous in what UDP traffic they allowed from "trusted" business partners ) are something that I suspect is very common in large organizations.
The speed with which this thing moved ( see: http://isc.sans.org/port1434start.gif ) and the actual vectors I saw make me very suspicious that the large organizations of the world are massively linked by misconfigured routers/firewalls that allow way too much UDP traffic flow between trusted partners - effectively a "fuse" linking the world's computing infrastructures.
That's it. Wacky and overly-speculative perhaps, but I would be interested in getting some anonymous feedback about the successful attack vectors other people saw in the propagation of the worm - particularly people in large organizations that have large "private" comm networks.
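The "fuse" in the post above is easy to reason about with a toy model. The following is an added example, not code or data from the post: it implements first-match ACL evaluation with an implicit deny, builds the "overly generous UDP" partner ACL beside a tightened one that only permits what the partner link is for (DNS on UDP/53 and SQL Server on TCP/1433, both to single hosts), and then walks a constructed graph of four organisations linked over private lines to see how far a single infected host can push UDP/1434. The organisations, addresses, link list and the services the partner ACLs permit are all assumptions for the illustration.

```python
import ipaddress
from collections import deque


class Rule:
    """One line of a stateless packet-filter ACL (first match wins, like a router ACL)."""

    def __init__(self, action, proto, src, dst, dport=None):
        self.action = action                    # "permit" or "deny"
        self.proto = proto                      # "udp", "tcp" or "any"
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.dport = dport                      # None means any destination port

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.dport in (None, dport))


def acl_permits(rules, proto, src, dst, dport):
    """Evaluate one packet against an ACL; an implicit deny follows the last rule."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action == "permit"
    return False


# Constructed organisations: each has an address block, a SQL Server and a DNS server.
ORGS = {
    "A": {"net": "10.1.0.0/16", "db": "10.1.5.5", "dns": "10.1.0.53"},
    "B": {"net": "10.2.0.0/16", "db": "10.2.5.5", "dns": "10.2.0.53"},
    "C": {"net": "10.3.0.0/16", "db": "10.3.5.5", "dns": "10.3.0.53"},
    "D": {"net": "10.4.0.0/16", "db": "10.4.5.5", "dns": "10.4.0.53"},
}


def ingress_acl(partner, me, tight):
    """ACL an organisation applies to traffic arriving from a partner over the private link.
    The loose variant is the overly generous rule the post describes: any UDP from the
    partner to anywhere inside.  The tight variant names the two services the link exists for."""
    sql_tcp = Rule("permit", "tcp", partner["net"], me["db"] + "/32", 1433)
    if tight:
        return [Rule("permit", "udp", partner["net"], me["dns"] + "/32", 53), sql_tcp]
    return [Rule("permit", "udp", partner["net"], me["net"]), sql_tcp]


# Directed partner links: (from, to, whether the ACL at 'to' is the tightened one).
LINKS = [("A", "B", False), ("B", "C", False), ("C", "D", True), ("A", "D", True)]


def exposed_orgs(orgs, links, start, worm_port=1434):
    """Breadth-first walk of the partner graph: an organisation is reached when an infected
    host in an already reached organisation can send UDP/worm_port to its SQL Server."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, tight in links:
            if src != cur or dst in seen:
                continue
            infected_host = str(next(ipaddress.ip_network(orgs[src]["net"]).hosts()))
            acl = ingress_acl(orgs[src], orgs[dst], tight)
            if acl_permits(acl, "udp", infected_host, orgs[dst]["db"], worm_port):
                seen.add(dst)
                queue.append(dst)
    return seen


if __name__ == "__main__":
    loose = ingress_acl(ORGS["A"], ORGS["B"], tight=False)
    tight = ingress_acl(ORGS["A"], ORGS["B"], tight=True)
    packet = ("udp", "10.1.7.7", ORGS["B"]["db"], 1434)       # worm probe from A into B
    print("loose ACL lets the probe through:", acl_permits(loose, *packet))
    print("tight ACL lets the probe through:", acl_permits(tight, *packet))
    print("reachable from one infected host in A:", sorted(exposed_orgs(ORGS, LINKS, "A")))
```

Note that D is protected only because both of its inbound links were tightened; a single loose link anywhere on a path is enough, which is exactly the fuse effect the post suspects. The model is stateless and directed for simplicity; a real deployment would also have to consider the reverse direction of each link and any stateful inspection the firewalls do.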
When will companies spend money on security? (Score:3, Insightful)
Every company with an internet-enabled IT infrastructure needs to have a dedicated sysadmin AND a dedicated security admin. If a company can't afford two full-time geeks to keep things secure, then they need to outsource server hosting to a secure facility.
Microsoft Responsible..... (Score:4, Interesting)
Re:Microsoft Responsible..... (Score:5, Interesting)
I disagree completely on the fact that holding Microsoft responsible would be a chilling precedent that would effectively squelch software development, because all software has bugs.
Would you contribute to Open Source projects if you knew that any bug you write, no matter how obscure and unintentional, might become a liability to you? Would getting your name in the changelog of the kernel be worth putting your financial future at risk?
Oh, and it doesn't matter who discovers the bug. Even if it's discovered before it's exploited and you issue a patch for it (as Microsoft did in this case, I might add), you think the software author should still be held liable? Even though you did your part and fixed the bug? Isn't it the sysadmin's fault at that point?
Re:Microsoft Responsible..... (Score:3, Funny)
But seriously, you're absolutely correct that the surest way to kill the tech industry is to promote endless litigation and ambulance chasing instead of trying to build real solutions to the security problems (on all platforms) and punish the vandals.
OpenSource is different.... (Score:3, Interesting)
Re:Microsoft Responsible..... (Score:3, Insightful)
A lot of states require, for example, a minimum amount of time for a customer to be able to return defective merchandise. When the company sells you a product, the company is agreeing to several legal responsibilities.
When I give you a gift, I am not held legally responsible for that gift (unless the gift is illegal or stolen in the first place).
With OSS software, there is no exchange of money with the author, so there is a lot less legal groundwork to work with.
Places like RedHat, though, would be in a difficult situation, since they are selling a product.
Your point about fixing the bug is an interesting one. Suppose Ford had discovered that there was a problem with the interaction between their tires and their vehicles, and then announced that they would replace the tires in a minor PR release somewhere. Suppose they required you to drive the vehicle to its originating factory (most likely Louisville, KY for Explorers) to be replaced.
I think the government could argue that Ford did not do the appropriate thing to rectify a known problem.
I am not too familiar with the MS SQL fix, but apparently it was not only difficult to install, but it was also broken by a later patch. That moves some of the responsibility from the sysadmin back onto Microsoft at that point, I would think.
So in the end, I think it would be best to hold companies accountable for mistakes they knowingly should have fixed, and made those fixes easy to work with (within reason).
(And, for factual clarification - most later simulations of the Ford/Firestone tire incidents lead to the conclusion that while the tires blew out more often than normal, and that the Explorer, like almost any SUV, tends to roll over more often than a car, most of the incidents were probably a result of driver error in correcting from a blown tire. Most drivers apparently slammed on the brakes and jerked the steering wheel, which will cause an SUV to roll even without a blown tire).
Re:Microsoft Responsible..... (Score:3, Insightful)
If the consequences could have been avoided by simple and reasonable practices that everyone else in the industry but Microsoft follows, then it doesn't matter if the worm writer was a criminal or not. What you are saying is that the tyre blew out because some kid threw a stone in the car's path. Firestone is still responsible, not the kid.
In the 1970's there was a widely reported case, where a Ford Pinto was hit in the back, and the gas tank exploded, killing the people in the car. Ford was sued and lost, about $100 million, IIRC, in damages. The case was not about who was right or wrong in the accident, maybe that driver who hit the Pinto was driving dangerously, but the Pinto should be designed to not explode, even if hit with criminal recklessness.
Re:Microsoft Responsible..... (Score:3, Informative)
In the 1970's there was a widely reported case, where a Ford Pinto was hit in the back, and the gas tank exploded
the Pinto should be designed to not explode, even if hit with criminal recklessness.
The Pinto exploded because the gas tank was outside the frame, thus unprotected. A county in Texas is suing Ford because they lost 20 officers in collisions with said officer's police cruisers. Some of these collisions were in excess of 50 mph.
If you hit a car hard enough, it will pop the gas tank. It doesn't matter what you do - you can still detonate the gas tank. Every major manufacturer has known since 1972 [consumerlawpage.com] that the safest place for a fuel tank is inside the frame just forward of the rear axle. This won't save you every time, but it does constitute reasonable diligence.
We're lucky it's still only software (Score:4, Funny)
How fast... (Score:5, Interesting)
how about a slammer-cleaning worm... (Score:5, Interesting)
Bring on the white-hat worms that actually fix problems, rather than cause them.
Sure - ethics must be a problem, but there must be some slightly-un-ethical white hats out there ready to give this a go?