[ISN] Interesting Media Roundup on The Truth of CodeRed

From: InfoSec News (isnat_private)
Date: Mon Aug 06 2001 - 01:15:09 PDT


    Forwarded by: Richard Forno <rfornoat_private>
    
    Folks,
    
    Some interesting and well-thought article excerpts on the true meaning
    of Code Red....what many of us in the security profession have been
    saying to ourselves and any media (very few) that would listen.....how
    it was hyped and full of sound and fury, but signifying
    nothing....unfortunately the nay-sayers and Sirens of Security usually
    win and spread their fear, uncertainty, and doubt to the masses.
    
    I have enclosed URLs and citations where appropriate, sending along
    only relevant excerpts.
    
    This is the first time in recent memory that I can remember as many
    news articles questioning an IT-security related event - and as such,
    going completely contrary to the status quo party line. Too bad
    there's not more of this kind of unbiased, reality-based analysis of
    computer security matters.
    
    -cheers,
    
    Rick
    incidentresponse.com / infowarrior.org
    
    
    (1) Internet Security: a difficult balance between hype and paranoia
    Adam Lawson, www.Butlergroup.com, 8/3/2001
    http://www.securitynewsportal.com/article.php?sid=1331&mode=thread&order=0
    
    All Internet users should take the responsibility for minimising the
    spread of viruses, and if this was done then problems such as the
    massive DoS attacks early last year would be greatly reduced. Security
    is, in fairness, a very difficult subject to tackle properly, and
    demands dedicated resources to be done effectively.
    
    <snip>
    
    Code Red itself, while posing a real problem, was never going to live
    up to the publicity it was given. It lacks the payload to be genuinely
    destructive, rather than just very inconvenient.
    
    <snip>
    
    If the anticlimax does not cause a false sense of security leading to
    complacence, the paranoia code-red generated could be useful in
    preventing the onslaught of a later virus, as long as people don't
    make the mistake of assuming that because this incident didn't get
    completely out of control, future problems will be equally easy to
    deal with.
    
    (2) Why Worms Like Code Red Are Good For You
    Chris Taylor, Time Magazine
    http://www.time.com/time/columnist/taylor/article/0,9565,169678,00.html
    
    <snip>
    For Microsoft, this was the kind of publicity you just can't buy. Not
    only did Redmond get to share a dais with the Justice Department
    -- which is rather like Stalin vowing eternal friendship with Roosevelt
    to counter the Nazi menace -- but they also had their name inextricably
    linked with the well-being of the Internet itself. This quote from
    Tuesday's Wall Street Journal is typical: "the Code Red worm may
    disrupt the Internet on a global scale ... the FBI urged owners of
    business-type servers to install a patch from Microsoft's website."
    When the world's in trouble, in other words, Bill Gates comes riding
    to the rescue.
    
    <snip>
    Never mind that the majority of business-type servers run other
    companies' software, and were therefore never affected in the first
    place. Never mind that it was a sadly untypical security flaw in
    Microsoft's server software that allowed Code Red to flourish. Note
    also that the million-plus people drawn to Microsoft's website by that
    patch included many thousands who didn't need it (the worm only hits
    Windows NT or 2000. Windows 95, 98 and ME are unaffected).
    
    <snip>
    Because what we're preparing for is not the Code Reds of today, but
    the Code Deep Purples of tomorrow. Not half-assed worms cobbled
    together by so-called "script kiddies" who merely download the right
    pieces of code and whose intentions are basically benign. I'm talking
    about vast and malicious super worms. If you could create something
    that attacked Cisco router software, for example, you really would
    cause a global Internet meltdown.
    
    At most, Code Red proved you should always be wary about what
    Microsoft software does to your machine, like turning it into a server
    without your implicit knowledge. Apart from that, the whole red-alert
    reaction only demonstrated that there's seemingly infinite space on
    the Feds' faces for more egg. That's what happens when you cry wolf
    over a microbe, guys.
    
    (3) CODE RED - A RED HERRING
    Wayne Madsen 30 July 2001
    (NO URL - Received from POLITECH-L)
    
    <snip>
    But that was then, and Code Red is now. We are told that Code Red only
    affects web sites relying on Windows NT and Windows 2000. Of course,
    why would any self-respecting 24-hour cable news network want to show
    a housewife trying to struggle with a virus-infected home computer
    operating Windows 95? Better to capture viewers' attention with hordes
    of computer programmers and managers wrestling with downed web sites
    at Ford, Xerox, Charles Schwab, and Amazon.com.
    
    <snip>
    And that's the way the government (and apparently Microsoft) wants it.
    Microsoft, the humbled post-anti trust suit corporate giant, seems to
    be cozying up with the Feds and their cyber-security agenda as of
    late. At a recent Interagency Technical Forum at the National
    Institute of Standards and Technology (NIST), Microsoft's director of
    Mobile Code Security revealed that Microsoft now maintains a full-time
    resident office at NSA headquarters with a fully-cleared staff.
    
    <snip>
    Why the Code Red hoopla? Well, in a few weeks, President Bush (with
    Dick Cheney looming over his shoulder) will be issuing a new Executive
    Order on Cyber-Security. He will appoint an inter-agency Cybersecurity
    and Continuity of Operations Board and his current cyber-security guru
    Clarke stands a good chance of being selected chairman. If so, Clarke
    will have transcended three administrations in essentially the same
    executive branch job - a record surpassed only by FBI Director J.
    Edgar Hoover.  And tomorrow NIPC head Ron Dick gets a jump start on
    things with a press conference on cyber security at the National Press
    Club. Hyping Code Red is a sure fire way to ensure the conference is
    covered by all the talking head networks. And it does not hurt that
    today, while FBI Director designate Robert Mueller is fielding some
    questions on what the FBI will do on cyber security during his Senate
    confirmation hearings, Code Red is a backdrop.
    
    <snip>
    Coming on the heels of the G8 Summit in Genoa, Code Red also bolsters
    one of the items on the agenda of the leaders. It was at the G8 Summit
    in Lyon in 1996, that the leaders first put cyber crime on their
    docket, a decision that was ultimately manifested in the Council of
    Europe's soon-to-be-enacted Cyber Crime Treaty. When enacted, the
    treaty will enable police agencies to reach beyond borders to seize
    Internet communications record traffic. The anti-globalization Genoa
    Social Forum got a taste of what is to come when Italian police
    stormed their headquarters and seized computer disks and Internet
    traffic records. This past April, the FBI, acting on behalf of the
    Canadian police, seized similar records from the Independent Media
    Center in Seattle after the Summit of the Americas in Quebec. Not to
    be outdone by his peers, British Prime Minister Tony Blair - who
    resembles Big Brother more and more every day - hurried back to London
    to urge Parliament to pass a bill that would equate computer hacking
    with terrorism.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    


