http://www.theregister.co.uk/content/55/20908.html

[I think tonight will be the last time I will be posting any additional stories on Code Red unless it mutates into another strain that could kick your dog, date your girlfriend and steal your car. All pretty unlikely, but today anything is possible. :) - WK]

By Thomas C Greene in Washington
Posted: 09/08/2001 at 12:25 GMT

    Lemme tell ya 'bout
    The snakes, the fakes,
    The lies, the highs....
    --Tribe

We've had no end of entertainment these past weeks with the Code Red and Code Red Junior IIS worms. Vast battalions of 'security experts' paraded themselves eagerly before the press, trotting out their finest doomsday quotes for a shot at fifteen minutes of fame. Meanwhile, legions of well-groomed, academically inclined twinkies armed with tape recorders and Master's degrees in journalism greedily sucked them up, and obediently generated the most laughable headlines predicting that Code Red would break the Internet.

Yes, it's been fun, but all good things must come to an end. Now that the worm has slowed and the US military has reluctantly stood down from DEFCON ONE, those amusing headlines, sadly, are drying up. So we thought this a good moment to review the fabulous claims that our esteemed peers have been disseminating. But first things first.

Internet survives triple threat

While Code Red was making headlines it never deserved, two concurrent threats to Internet stability went largely unreported. These were the 'Sircam' Outlook worm, which gobbled up a tremendous amount of bandwidth, and an underground fire in Baltimore which obliterated a fat swath of Internet backbone on the US East Coast. I personally received over 200 copies of Sircam, which often included large files -- many over 5MB, and two whoppers over 20MB. So while Code Red was reportedly bringing Western Civilization to its knees with its Net-destroying scans, the Internet was also fighting off Sircam and a major backbone fracture.
And it handled all three assaults simultaneously with just the sort of resilience it was designed to have.

Snakes and Fakes

We're still at a loss to explain how eEye Digital Security, which discovered and publicized the .ida hole that Code Red and Code Red Junior exploit, has managed to escape questioning by the press for its part in the whole fiasco. Indeed, their role is tantamount to a pharmaceutical company unintentionally releasing a disease germ. Company staff pick apart IIS on a daily basis looking for obscure holes which their 'Secure IIS' product can fix, and then publicize them aggressively to market their products. It's an awkward situation: they profit from security holes, yet they publicize security holes.

And as usual, eEye 'Chief Hacking Officer' Marc Maiffret was making a gigantic fuss on every security list I subscribe to about the .ida hole just weeks before Code Red appeared. It's possible that Code Red would never have been developed if eEye hadn't made such a big deal about the .ida hole. Of course we'll never know if a more modest approach to putting the word out would have altered the course of events, but the possibility certainly exists and is worth considering.

The fact that eEye profits from the very security holes it discovers should have been an issue in the media's Code Red coverage; but to date only The Register has seen fit to raise it, as we did from the beginning of our Code Red coverage, here, and again here.

For the most part Maiffret has been a media darling, explaining Code Red to the rest of the IT press in terms which they can understand and which neatly avoid controversy. And that's perfectly natural; he'd be a fool to blow the whistle on himself. The disgrace here is the utter lack of imagination and technical savvy among the IT press, who ought to have challenged eEye's strange combination of threat discovery, publicity seeking, and solution marketing.
--------------------------------------------------------------------------------

Next we have the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University, and the FBI's National Infrastructure Protection Center (NIPC). While both deserve honorable mention for not hyping the Code Red danger half as badly as the press, they clearly emphasized the wrong aspects of the worm.

As we've pointed out several times, the .ida hole which the worm exploits can yield system-level access to an intruder. This is a far more important threat to Internet security than the fact that it scans aggressively and packets Whitehouse.gov once a month. Unfortunately, CERT and NIPC decided to push the scanning and packeting (DDoS) threats a lot harder, probably because they realized that most media twinks would simply fail to recognize the significance of the real threat.

It was a bad call. While they did need to mobilize the press to publicize the worm in hopes of reaching sleepy admins who hadn't yet patched their machines, they let a very significant security problem go largely unreported, while emphasizing a puff item which the press would be more likely to run with. People depend on CERT for hardcore security threat assessment; and NIPC's new Director, Ron Dick, has his hands full restoring the Center's credibility, after his predecessor, Michael Vatis, squandered it in pursuit of headlines and photo-ops. Instead, they helped fuel the Code Red hysteria, though, we sense, with some reluctance and possibly with a touch of some very redeeming embarrassment.

--------------------------------------------------------------------------------

We also heard a great deal of FUD from security outfit TruSecure's 'Surgeon General', Russ Cooper, who claimed hysterically to any twinkie journo who would listen that Code-Red-infected machines would scan so aggressively that the Internet would experience "a meltdown."
"If it does slow down as I expect it will, then you won't even be able to get to Microsoft's site to install the patch," Cooper said. "I expect that to happen."

Well, it didn't. Over a million users successfully downloaded the patch, and the rest of the Internet kept humming right along. And what has TruSecure got to sell us? Why, network security services, of course.

--------------------------------------------------------------------------------

We mustn't forget GRC founder Steve Gibson, who warned in hyperbolic multi-colored lettering that Code Red's "'growth line' is actually exponential!"

We have to point out that only numbers can increase exponentially and infinitely. Worm infections can't. Since there's a finite number of unpatched IIS machines, the worm eventually keeps hitting already-infected boxes with no additional effect (e.g., attacking a machine while it's already infected doesn't cause it to scan at twice the rate). After a while we get a diminishing return.

Gibson tried to argue that the infection's growth would be immense and sustained. But as early as 3 August the rate of its spread had begun to decline sharply, because the likelihood of finding a fresh (i.e., unpatched and uninfected) target had fallen off -- well -- 'exponentially!'

--------------------------------------------------------------------------------

It didn't take long for veteran tech columnist Robert X. Cringely to get infected with Gibson mania. "Some experts believe nothing will happen at all but I believe that's just plain wrong," Cringely writes. "The information I will use to support this assertion was acquired either from those, like Steve Gibson, who have disassembled and examined the Code Red worm or from the officials charged with fighting it, including sources at the CERT data security coordination center at Carnegie-Mellon University, eEye Digital Security, in law enforcement, and at several very large corporations."
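The finite-pool argument against Gibson's "exponential" growth line, made concrete as an added example that is not part of the article: a discrete-time model of a random-scanning worm in which probes landing on already-infected hosts do nothing. The address-space size, pool of vulnerable hosts and probe rate are constructed assumptions, not measured Code Red figures.

```python
# Added example (not from the article): a discrete-time model of a
# random-scanning worm in a finite pool of vulnerable hosts. All
# parameters are constructed assumptions, not measured Code Red figures.

ADDRESS_SPACE = 2**32              # IPv4 addresses a random scanner can probe
VULNERABLE = 360_000               # assumed pool of unpatched, reachable IIS hosts
PROBES_PER_HOST_PER_STEP = 24_000  # assumed probes each infected host sends per step


def new_infections(infected: int, vulnerable: int = VULNERABLE,
                   space: int = ADDRESS_SPACE,
                   probes: int = PROBES_PER_HOST_PER_STEP) -> int:
    """Expected number of fresh infections produced in one time step.

    Every probe lands on a uniformly random address, so only the share of the
    address space that is vulnerable AND not yet infected can yield a new
    victim. A probe that hits an already-infected box changes nothing (it does
    not make that box scan twice as fast), which is why the growth curve bends
    over: the fresh-target fraction shrinks as the worm succeeds.
    """
    fresh_fraction = (vulnerable - infected) / space
    expected = infected * probes * fresh_fraction
    # The pool is finite: never infect more hosts than remain uninfected.
    return min(vulnerable - infected, int(round(expected)))


def simulate(steps: int, seed_hosts: int = 1) -> list[tuple[int, int]]:
    """Return, per step, (total infected after the step, new infections in it)."""
    infected = seed_hosts
    history = []
    for _ in range(steps):
        new = new_infections(infected)
        infected += new
        history.append((infected, new))
    return history


def peak_step(history: list[tuple[int, int]]) -> int:
    """Index of the step with the most new infections: where growth turns over."""
    return max(range(len(history)), key=lambda i: history[i][1])


if __name__ == "__main__":
    # Early steps roughly triple the population; once about half the pool is
    # infected, new infections per step fall, and they hit zero at saturation.
    for i, (total, new) in enumerate(simulate(20), 1):
        print(f"step {i:2d}: infected={total:7d}  new={new:7d}")
```

The per-step column shows the diminishing return the article describes: the curve looks exponential only while almost every probe still has a fresh target to find.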
Funny how most of those sources are enshrined here in our little Hall of Shame....

"And what happens on the 20th, when the attack cycle begins," Cringely asks rhetorically. "It depends on the number of infected machines and the nature of the chosen target, but the worst case says the Internet simply comes to a standstill and we go back to watching TV and talking on the phone until the 28th day of the month and potentially until every 28th day of the month thereafter."

Yeah, right.

--------------------------------------------------------------------------------

Finally -- saving the best for last -- we have well-known security hustler Carolyn "Happy Hacker" Meinel, who actually got a most amusing piece of Code Red flatulence published by Scientific American, which, if anyone's wondering, is a middlebrow publication which prides itself on its cutting-edge technical savvy.

Naturally, Meinel hits all the hot buttons, from bio-warfare analogies to terrorism to DDoS attacks, to cyberwar with China:

"According to the official Chinese publication People's Daily, 'Soon after the mid-air collision was an all-out offensive on Chinese Web sites by US hackers.... By the end of April over 600 Chinese Web sites had come under fire or totally broke down.... Many hackers' organizations known as China Honkers Union and Hackers Union of China promptly responded in an all-out cyberwar against their US counterparts May 1 to 7. Clearly People's Daily was eager for China to take credit for attacks through May 7. But it has been silent on Code Red."

Now that's some Grade-A FUD. All that background clearly meant to get us thinking that China had something to do with Code Red, followed by a little caveat, which, by its placement, is calculated to suggest that the Chinese are only being sneaky with this one, rather than beating their chests as they normally do.
Meinel even went so far as to suggest that eEye created and released the Code Red worm as a publicity stunt, as this editor's note explains:

"An earlier version of this story included a quoted speculation that eEye Digital Security might have been involved in the creation of the Code Red worm. EEye denies any such involvement. We apologize for including that inadequately supported statement in our report."

Yes, The Register is skeptical of eEye's peculiar role in the .ida hole/Code Red debacle, but to suggest that they actually created and released the worm is pure sleaze journalism -- or Classic Meinel, if there's a difference.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 07:41:10 PDT