Forwarded by: Richard Forno <rfornoat_private>

Folks,

Some interesting and well-thought article excerpts on the true meaning of Code Red....what many of us in the security profession have been saying to ourselves and any media (very few) that would listen.....how it was hyped and full of sound and fury, but signifying nothing....unfortunately the nay-sayers and Sirens of Security usually win and spread their fear, uncertainty, and doubt to the masses.

I have enclosed URLs and citations where appropriate, sending along only relevant excerpts.

This is the first time in recent memory that I can remember as many news articles questioning an IT-security related event - and as such, going completely contrary to the status quo party line. Too bad there's not more of this kind of unbiased, reality-based analysis of computer security matters.

-cheers,
Rick
incidentresponse.com / infowarrior.org

(1) Internet Security: a difficult balance between hype and paranoia
Adam Lawson, www.Butlergroup.com, 8/3/2001
http://www.securitynewsportal.com/article.php?sid=1331&mode=thread&order=0

All Internet users should take the responsibility for minimising the spread of viruses, and if this was done then problems such as the massive DoS attacks early last year would be greatly reduced. Security is, in fairness, a very difficult subject to tackle properly, and demands dedicated resources to be done effectively.

<snip>

Code Red itself, while posing a real problem, was never going to live up to the publicity it was given. It lacks the payload to be genuinely destructive, rather than just very inconvenient.

<snip>

If the anticlimax does not cause a false sense of security leading to complacence, the paranoia code-red generated could be useful in preventing the onslaught of a later virus, as long as people don't make the mistake of assuming that because this incident didn't get completely out of control, future problems will be equally easy to deal with.

(2) Why Worms Like Code Red Are Good For You
Chris Taylor, Time Magazine
http://www.time.com/time/columnist/taylor/article/0,9565,169678,00.html

<snip>

For Microsoft, this was the kind of publicity you just can't buy. Not only did Redmond get to share a dais with the Justice Department - which is rather like Stalin vowing eternal friendship with Roosevelt to counter the Nazi menace - but they also had their name inextricably linked with the well-being of the Internet itself. This quote from Tuesday's Wall Street Journal is typical: "the Code Red worm may disrupt the Internet on a global scale ... the FBI urged owners of business-type servers to install a patch from Microsoft's website." When the world's in trouble, in other words, Bill Gates comes riding to the rescue.

<snip>

Never mind that the majority of business-type servers run other companies' software, and were therefore never affected in the first place. Never mind that it was a sadly untypical security flaw in Microsoft's server software that allowed Code Red to flourish. Note also that the million-plus people drawn to Microsoft's website by that patch included many thousands who didn't need it (the worm only hits Windows NT or 2000. Windows 95, 98 and ME are unaffected).

<snip>

Because what we're preparing for is not the Code Reds of today, but the Code Deep Purples of tomorrow. Not half-assed worms cobbled together by so-called "script kiddies" who merely download the right pieces of code and whose intentions are basically benign. I'm talking about vast and malicious super worms. If you could create something that attacked Cisco router software, for example, you really would cause a global Internet meltdown.

At most, Code Red proved you should always be wary about what Microsoft software does to your machine, like turning it into a server without your implicit knowledge. Apart from that, the whole red-alert reaction only demonstrated that there's seemingly infinite space on the Feds' faces for more egg.
That's what happens when you cry wolf over a microbe, guys.

(3) CODE RED A RED HERRING
Wayne Madsen
30 July 2001
(NO URL - Received from POLITECH-L)

<snip>

But that was then, and Code Red is now. We are told that Code Red only affects web sites relying on Windows NT and Windows 2000. Of course, why would any self-respecting 24-hour cable news network want to show a housewife trying to struggle with a virus-infected home computer operating Windows 95? Better to capture viewers' attention with hordes of computer programmers and managers wrestling with downed web sites at Ford, Xerox, Charles Schwab, and Amazon.com.

<snip>

And that's the way the government (and apparently Microsoft) wants it. Microsoft, the humbled post-anti trust suit corporate giant, seems to be cozying up with the Feds and their cyber-security agenda as of late. At a recent Interagency Technical Forum at the National Institute of Standards and Technology (NIST), Microsoft's director of Mobile Code Security revealed that Microsoft now maintains a full-time resident office at NSA headquarters with a fully-cleared staff.

<snip>

Why the Code Red hoopla? Well, in a few weeks, President Bush (with Dick Cheney looming over his shoulder) will be issuing a new Executive Order on Cyber-Security. He will appoint an inter-agency Cybersecurity and Continuity of Operations Board and his current cyber-security guru Clarke stands a good chance of being selected chairman. If so, Clarke will have transcended three administrations in essentially the same executive branch job - a record surpassed only by FBI Director J. Edgar Hoover. And tomorrow NIPC head Ron Dick gets a jump start on things with a press conference on cyber security at the National Press Club. Hyping Code Red is a sure fire way to ensure the conference is covered by all the talking head networks.
And it does not hurt that today, while FBI Director designate Robert Mueller is fielding some questions on what the FBI will do on cyber security during his Senate confirmation hearings, Code Red is a backdrop.

<snip>

Coming on the heels of the G8 Summit in Genoa, Code Red also bolsters one of the items on the agenda of the leaders. It was at the G8 Summit in Lyon in 1996, that the leaders first put cyber crime on their docket, a decision that was ultimately manifested in the Council of Europe's soon-to-be-enacted Cyber Crime Treaty. When enacted, the treaty will enable police agencies to reach beyond borders to seize Internet communications record traffic. The anti-globalization Genoa Social Forum got a taste of what is to come when Italian police stormed their headquarters and seized computer disks and Internet traffic records. This past April, the FBI, acting on behalf of the Canadian police, seized similar records from the Independent Media Center in Seattle after the Summit of the Americas in Quebec. Not to be outdone by his peers, British Prime Minister Tony Blair - who resembles Big Brother more and more every day - hurried back to London to urge Parliament to pass a bill that would equate computer hacking with terrorism.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.

This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 03:16:13 PDT