[ISN] The Code Red hype Hall of Shame

From: InfoSec News (isnat_private)
Date: Fri Aug 10 2001 - 01:24:26 PDT

    http://www.theregister.co.uk/content/55/20908.html
    
    [I think tonight will be the last time I will be posting any
    additional stories on Code Red unless it mutates into another strain
    that could kick your dog, date your girlfriend and steal your car. 
    All pretty unlikely, but today anything is possible.  :)   - WK]
    
    By Thomas C Greene in Washington
    Posted: 09/08/2001 at 12:25 GMT
    
    Lemme tell ya 'bout 
    The snakes, the fakes, 
    The lies, the highs.... 
       --Tribe 
    
    We've had no end of entertainment these past weeks with the Code Red
    and Code Red Junior IIS worms. Vast battalions of 'security experts'
    paraded themselves eagerly before the press, trotting out their finest
    doomsday quotes for a shot at fifteen minutes of fame. Meanwhile,
    legions of well-groomed, academically-inclined twinkies armed with
    tape recorders and Masters' Degrees in journalism greedily sucked them
    up, and obediently generated the most laughable headlines predicting
    that Code Red would break the Internet.
    
    Yes, it's been fun, but all good things must come to an end. Now that
    the worm has slowed and the US military has reluctantly stood down
    from DEFCON ONE, those amusing headlines, sadly, are drying up. So we
    thought this a good moment to review the fabulous claims that our
    esteemed peers have been disseminating.
    
    But first things first.
    
    Internet survives triple threat
    
    While Code Red was making headlines it never deserved, two concurrent
    threats to Internet stability went largely unreported. These were the
    'Sircam' Outlook worm, which gobbled up a tremendous amount of
    bandwidth, and an underground fire in Baltimore which obliterated a
    fat swath of Internet backbone on the US East Coast.
    
    I personally received over 200 copies of Sircam, which often included
    large files -- many over 5MB, and two whoppers over 20MB.
    
    So while Code Red was reportedly bringing Western Civilization to its
    knees with its Net-destroying scans, the Internet was also fighting
    off Sircam and a major backbone fracture. And it handled all three
    assaults simultaneously with just the sort of resilience it was
    designed to have.
    
    Snakes and Fakes
    
    We're still at a loss to explain how eEye Digital Security, which
    discovered and publicized the .ida hole that Code Red and Code Red
    Junior exploit, has managed to escape questioning by the press for its
    part in the whole fiasco. Indeed, their role is tantamount to a
    pharmaceutical company unintentionally releasing a disease germ.
    
    Company staff pick apart IIS on a daily basis looking for obscure
    holes which their 'Secure IIS' product can fix, and then publicize
    them aggressively to market their products. It's an awkward situation:
    they profit from security holes, yet they publicize security holes.
    And as usual, eEye 'Chief Hacking Officer' Marc Maiffret was making a
    gigantic fuss on every security list I subscribe to about the .ida
    hole just weeks before Code Red appeared.
    
    It's possible that Code Red would never have been developed if eEye
    hadn't made such a big deal about the .ida hole. Of course we'll never
    know if a more modest approach to putting the word out would have
    altered the course of events, but the possibility certainly exists and
    is worth considering.
    
    The fact that eEye profits from the very security holes it discovers
    should have been an issue in the media's Code Red coverage; but to
    date only The Register has seen fit to raise it, as we did from the
    beginning of our Code Red coverage, here, and again here.
    
    For the most part Maiffret has been a media darling, explaining Code
    Red to the rest of the IT press in terms which they can understand and
    which neatly avoid controversy. And that's perfectly natural; he'd be
    a fool to blow the whistle on himself. The disgrace here is the utter
    lack of imagination and technical savvy among the IT press, who ought
    to have challenged eEye's strange combination of threat discovery,
    publicity seeking, and solution marketing.
    
    
    --------------------------------------------------------------------------------
    
    Next we have the Computer Emergency Response Team (CERT) Coordination
    Center at Carnegie Mellon University, and the FBI's National
    Infrastructure Protection Center (NIPC). While both deserve honorable
    mention for not hyping the Code Red danger half as badly as the press,
    they clearly emphasized the wrong aspects of the worm.
    
    As we've pointed out several times, the .ida hole which the worm
    exploits can yield system-level access to an intruder. This is a far
    more important threat to Internet security than the fact that it scans
    aggressively and packets Whitehouse.gov once a month. Unfortunately,
    CERT and NIPC decided to push the scanning and packeting (DDoS)
    threats a lot harder, probably because they realized that most media
    twinks would simply fail to recognize the significance of the real
    threat.
    
    It was a bad call. While they did need to mobilize the press to
    publicize the worm in hopes of reaching sleepy admins who hadn't yet
    patched their machines, they let a very significant security problem
    go largely unreported, while emphasizing a puff item which the press
    would be more likely to run with.
    
    People depend on CERT for hardcore security threat assessment; and
    NIPC's new Director, Ron Dick, has his hands full restoring the
    Center's credibility, after his predecessor, Michael Vatis, squandered
    it in pursuit of headlines and photo-ops. Instead, they helped fuel
    the Code Red hysteria, though, we sense, with some reluctance and
    possibly with a touch of some very redeeming embarrassment.
    
    
    --------------------------------------------------------------------------------
    
    We also heard a great deal of FUD from Security outfit TruSecure's
    'Surgeon General', Russ Cooper, who claimed hysterically to any
    twinkie journo who would listen that Code-Red-infected machines would
    scan so aggressively that the Internet would experience "a meltdown."
    
    "If it does slow down as I expect it will, then you won't even be able
    to get to Microsoft's site to install the patch," Cooper said. "I
    expect that to happen."
    
    Well, it didn't. Over a million users successfully downloaded the
    patch, and the rest of the Internet kept humming right along.
    
    And what has TruSecure got to sell us? Why, network security services,
    of course.
    
    
    --------------------------------------------------------------------------------
    
    We mustn't forget GRC founder Steve Gibson, who warned in hyperbolic
    multi-colored lettering that Code Red's "'growth line' is actually
    exponential!"
    
    We have to point out that only abstract numbers can increase
    exponentially without limit. Worm infections can't. Since there's a
    finite number of unpatched IIS machines, the worm eventually keeps
    hitting already-infected boxes with no additional effect (e.g.,
    attacking a machine that's already infected doesn't make it scan at
    twice the rate). After a while the growth slows and we get diminishing
    returns.
    
    Gibson tried to argue that the infection's growth would be immense and
    sustained. But as early as 3 August the rate of its spread had begun
    to decline sharply, because the likelihood of finding a fresh (i.e.,
    unpatched and uninfected) target had fallen off -- well --
    'exponentially!'
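    The finite-target argument above, worked through as an added example
    (not part of the article): a toy deterministic model of a random-scanning
    worm, in which each probe only counts if it lands on a still-uninfected
    vulnerable host. The host count, address-space size and scan rate below
    are constructed values, not Code Red measurements.

```python
import math

# Constructed parameters (not figures from the article): a toy population of
# vulnerable IIS hosts somewhere inside the 32-bit IPv4 address space.
VULNERABLE_HOSTS = 300_000
ADDRESS_SPACE = 2 ** 32
SCANS_PER_HOST_PER_TICK = 10_000


def simulate_scanning_worm(vulnerable=VULNERABLE_HOSTS, address_space=ADDRESS_SPACE,
                           scans_per_host=SCANS_PER_HOST_PER_TICK, ticks=60,
                           initial=1.0):
    """Deterministic SI (susceptible/infected) model of a random-scanning worm.

    Returns the expected number of infected hosts after each tick.  Every
    infected host fires `scans_per_host` probes per tick at uniformly random
    addresses; a still-uninfected vulnerable host is reached by at least one
    of the n = infected * scans_per_host probes with probability
    1 - (1 - 1/A)^n ~= 1 - exp(-n/A).  Probes that land on already-infected
    hosts (or on empty address space) do nothing: the supply of fresh
    targets is finite, so growth must eventually flatten out.
    """
    infected = float(initial)
    curve = [infected]
    for _ in range(ticks):
        uninfected = vulnerable - infected
        probes = infected * scans_per_host
        hit_fraction = -math.expm1(-probes / address_space)  # 1 - exp(-n/A)
        infected += uninfected * hit_fraction
        curve.append(infected)
    return curve


def growth_ratios(curve):
    """Per-tick factor I(t+1)/I(t).  A constant factor is exponential growth;
    a factor sliding toward 1.0 is the diminishing return described above."""
    return [later / earlier for earlier, later in zip(curve, curve[1:])]


def tick_of_peak_growth(curve):
    """Index of the tick with the most new infections (the curve's inflection)."""
    increments = [later - earlier for earlier, later in zip(curve, curve[1:])]
    return max(range(len(increments)), key=increments.__getitem__)


if __name__ == "__main__":
    curve = simulate_scanning_worm()
    ratios = growth_ratios(curve)
    for t in (0, 10, 20, 25, 30, 40):
        print(f"tick {t:2d}: infected={curve[t]:10.0f}  growth x{ratios[t]:.3f}")
    print("peak new infections at tick", tick_of_peak_growth(curve))
```

    With these constructed numbers the growth factor sits near 1.7 per tick
    for the first twenty or so ticks, then collapses toward 1.0 as the
    uninfected population runs out.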
    
    
    --------------------------------------------------------------------------------
    
    It didn't take long for veteran tech columnist Robert X. Cringely to
    get infected with Gibson mania.
    
    "Some experts believe nothing will happen at all but I believe that's
    just plain wrong," Cringely writes.
    
    "The information I will use to support this assertion was acquired
    either from those, like Steve Gibson, who have disassembled and
    examined the Code Red worm or from the officials charged with fighting
    it, including sources at the CERT data security coordination center at
    Carnegie-Mellon University, eEye Digital Security, in law enforcement,
    and at several very large corporations."
    
    Funny how most of those sources are enshrined here in our little Hall
    of Shame....
    
    "And what happens on the 20th, when the attack cycle begins," Cringely
    asks rhetorically. "It depends on the number of infected machines and
    the nature of the chosen target, but the worst case says the Internet
    simply comes to a standstill and we go back to watching TV and talking
    on the phone until the 28th day of the month and potentially until
    every 28th day of the month thereafter."
    
    Yeah, right.
    
    
    --------------------------------------------------------------------------------
    
    Finally -- saving the best for last -- we have well-known security
    hustler Carolyn "Happy Hacker" Meinel, who actually got a most amusing
    piece of Code Red flatulence published by Scientific American, which,
    if anyone's wondering, is a middlebrow publication which prides itself
    on its cutting-edge technical savvy.
    
    Naturally, Meinel hits all the hot buttons, from bio-warfare analogies
    to terrorism to DDoS attacks, to cyberwar with China:
    
    "According to the official Chinese publication People's Daily, 'Soon
    after the mid-air collision was an all-out offensive on Chinese Web
    sites by US hackers.... By the end of April over 600 Chinese Web sites
    had come under fire or totally broke down.... Many hackers'
    organizations known as China Honkers Union and Hackers Union of China
    promptly responded in an all-out cyberwar against their US
    counterparts May 1 to 7. Clearly People's Daily was eager for China to
    take credit for attacks through May 7. But it has been silent on Code
    Red."
    
    Now that's some Grade-A FUD. All that background clearly meant to get
    us thinking that China had something to do with Code Red, followed by
    a little caveat, which, by its placement, is calculated to suggest
    that the Chinese are only being sneaky with this one, rather than
    beating their chests as they normally do.
    
    Meinel even went so far as to suggest that eEye created and released
    the Code Red worm as a publicity stunt, as this editor's note
    explains: "An earlier version of this story included a quoted
    speculation that eEye Digital Security might have been involved in the
    creation of the Code Red worm. EEye denies any such involvement. We
    apologize for including that inadequately supported statement in our
    report."
    
    Yes, The Register is skeptical of eEye's peculiar role in the .ida
    hole/Code Red debacle, but to suggest that they actually created and
    released the worm is pure sleaze journalism -- or Classic Meinel, if
    there's a difference.
    