[ISN] Snooping Isn't E-Mail Delay Cause

From: InfoSec News (isnat_private)
Date: Wed Sep 26 2001 - 01:39:57 PDT


    By Michelle Delio 
    10:25 a.m. Sep. 25, 2001 PDT  
    E-mail delivery has been particularly sluggish during the past two
    weeks. Messages have arrived at their destinations hours after being
    sent, sparking speculation that new surveillance programs by
    government intelligence agencies might be responsible for the sudden
    But in truth, most transmission delays can be traced to the recent
    spate of e-mail and server worms that primarily attack Microsoft
    products -- so much so that one prominent technology research firm
    recommended Tuesday that businesses switch to server software other
    than Microsoft's IIS until the company completely rewrites the program
    from the ground up.
    The United States and other governments have said that surveillance of
    electronic communications will play a part in their battle against
    terrorism, and President Bush warned the media on Monday that the
    methods of intelligence gathering will "remain guarded."
    "My administration will not talk about how we gather intelligence, if
    we gather intelligence and what the intelligence says," Bush told the
    media at Monday's press briefing. "That's for the protection of the
    American people."
    But despite the secrecy, blame for any of the currently bogged-down
    networks doesn't seem to be attributable to Big Brother. Security
    experts said they doubt the government would want or even be able to
    scan everyone's e-mail, and also noted that any e-mail surveillance
    would probably be undetectable to users.
    Any slowdown is more likely due to the brat pack of worms that have
    been hitting Internet servers hard, coupled with increased Internet
    use by people seeking news, according to both security experts and
    Internet service providers.
    Isolated equipment damage following the destruction of the World Trade
    Center may also be a factor.
    "At this point, speculation that any law enforcement surveillance
    system is causing Internet performance issues is just that -- pure
    speculation," said Joel Scambray, managing principal of security firm
    Foundstone. "Especially after the events of Sept. 11, from which
    several service providers are still trying to recover.
    "Couple this with the ongoing effects of the Code Red, Nimda, and
    SirCam worms, and such speculation becomes even more tenuous.
    "There is the potential that some ISPs have implemented re-routing of
    their network architectures to provide a single inspection point
    through which all mail must pass -- which could account for some
    bottlenecks -- but I have seen no reports of this," Scambray added.
    Scambray and other experts believe the slowdowns that some people have
    noticed are most probably caused by Nimda and Code Red worms, along
    with any other extraneous worms or viruses that may be making the
    Internet service providers such as Road Runner, Earthlink and Excite
    have sent alerts to their broadband customers attributing network
    slowdowns to the effects of these worms which overload networks by
    constantly searching other computers to infect.
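The scanning load the ISPs were describing is easy to see in any Web server's access log, because both worms announce themselves with fixed request strings. The following is an added example, not part of the article or of any vendor tool: it scans access-log lines in the NCSA common log format for the documented Code Red probe (an overlong `default.ida` request against the IIS indexing ISAPI filter) and the documented Nimda probes (`root.exe` and `cmd.exe?/c+dir` requests through the IIS directory-traversal bugs), then reports how many probes arrived from how many distinct hosts. The log lines are constructed for this example, with addresses from the documentation and private ranges.

```python
import re
from collections import defaultdict

# Worm probe signatures, taken from the public descriptions of the worms.
# Code Red (and Code Red II) overflow the IIS .ida ISAPI filter with a long
# run of N (or X) characters; Nimda tries the root.exe copies of cmd.exe left
# behind by earlier worms and the IIS Unicode/double-decode traversal bugs,
# always ending its request with "?/c+dir".
SIGNATURES = {
    "CodeRed": re.compile(r"^GET /default\.ida\?[NX]{20,}", re.I),
    "Nimda": re.compile(r"^GET \S*(?:root|cmd)\.exe\?/c\+dir", re.I),
}

# NCSA common log format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')


def classify(line):
    """Return (source_ip, worm_name_or_None) for one log line, or None when
    the line is not in common log format."""
    m = CLF.match(line)
    if not m:
        return None
    ip, _ts, request, _status, _size = m.groups()
    for name, sig in SIGNATURES.items():
        if sig.search(request):
            return ip, name
    return ip, None


def summarize(lines):
    """Count worm probes and the distinct hosts that sent them.

    Returns {worm: {"hits": n, "sources": sorted list of IPs}}. Every source
    listed is an infected machine scanning this server; the hit volume is the
    traffic that shows up as the bandwidth loss the ISPs described."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        result = classify(line)
        if result is None or result[1] is None:
            continue
        ip, worm = result
        hits[worm] += 1
        sources[worm].add(ip)
    return {w: {"hits": hits[w], "sources": sorted(sources[w])} for w in hits}


# Constructed sample log (not a real capture). The worm requests are shortened
# copies of the documented probe strings; the Code Red request really carries
# a much longer run of N characters followed by %u-encoded shellcode.
SAMPLE_LOG = """\
10.0.0.7 - - [25/Sep/2001:10:11:02 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 404 280
10.0.0.9 - - [25/Sep/2001:10:11:05 -0700] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 284
10.0.0.9 - - [25/Sep/2001:10:11:05 -0700] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 282
10.0.0.9 - - [25/Sep/2001:10:11:06 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 293
10.0.0.9 - - [25/Sep/2001:10:11:06 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 306
192.0.2.44 - - [25/Sep/2001:10:12:00 -0700] "GET /index.html HTTP/1.1" 200 1043
10.0.0.12 - - [25/Sep/2001:10:12:30 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090 HTTP/1.0" 404 280
"""

if __name__ == "__main__":
    for worm, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{worm}: {info['hits']} probes from {len(info['sources'])} "
              f"host(s): {', '.join(info['sources'])}")
```

A hit on an Apache server or a patched IIS server is harmless to that server, but each line is a connection an infected host opened, and totalling the lines over a day gives a direct measure of the scanning load the worms were putting on the network rather than speculation about it.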
    Meanwhile, antiviral software companies released alerts about a new
    worm on Monday. Known as the "Vote Virus" (Win32.Vote.A@mm), the worm
    arrives in an e-mail attachment. The body of the message asks people
    to open the attachment in order to cast their "Vote To Live in Peace!"
    The attachment is a compiled Visual Basic executable rather than a
    script, but the lure works the same way as the "ILOVEYOU" and Anna
    Kournikova viruses. Although some companies have ranked it as a high
    threat, very few infections have been reported, because most users
    now understand that they shouldn't open attached .exe files.
    The worm runs only on Windows, and it spreads by mailing itself to the
    contacts in Microsoft's Outlook e-mail program.
    "It's not any Big Brother snooping device that's causing this
    (slowdown), but the resulting mess caused by the world using very
    exploitable software from Microsoft on public networks," said Richard
    Forno, chief technology officer for Shadowlogic and co-author of
    Incident Response and The Art Of Information Warfare.
    Code Red infects only unpatched Windows NT and 2000 servers running
    Microsoft's IIS Web server software. Nimda attacks the same IIS flaws
    but has several other infection routes as well: it spreads through
    Microsoft's Outlook e-mail program, through Internet Explorer when a
    user browses a page on an infected server, and across open Windows
    file shares, so ordinary Windows desktops are exposed too.
    Some Linux and Mac users who run emulators -- programs that allow
    users of one operating system to run programs intended for other
    operating systems -- have also been infected by Nimda.
    Gartner, a technology research and advisory firm, released a report on
    Tuesday recommending that businesses switch to Web server software
    other than Microsoft's IIS in the wake of this summer's worm attacks.
    The report stated that "viruses and worms will continue to attack IIS
    until Microsoft has released a completely rewritten, thoroughly and
    publicly tested, new release of IIS.... This move should include any
    Microsoft .NET Web services, which require the use of IIS."
    Gartner officials believe this rewriting will not occur before the end
    of 2002 at the earliest. Microsoft officials have repeatedly said that
    Windows XP (some versions of the new OS include IIS) and .Net will be
    carefully tested for security exploits.
    Besides worms, Net speed may have been affected because of the
    physical effects of the Sept. 11 attacks, William Knowles, a senior
    analyst at C4I.org, a private computer security and intelligence
    group, said.
    "Several of the big providers had equipment in the World Trade Center
    basement and microwave antennas on the roof. And providers around the
    WTC area were forced to shut down operations because the dust and
    debris were clogging the air-conditioning intakes for cooling the
    servers," Knowles said.
    Problems on these small areas of large service providers' networks
    could affect the rest of the Internet.
    If the government were snooping, they'd most likely be intercepting
    electronic communications with the intelligence-gathering systems
    known as Carnivore and Echelon.
    The United States has admitted that Carnivore exists and has even
    released the details on how the system works, but will not comment on
    Carnivore, also known as DCS1000, is akin to a phone wiretap, and uses
    a commercial "packetsniffer" program to grab data.
    Information that moves across the Internet is processed in small
    chunks called "packets." Packetsniffers can capture those chunks of
    data as they are transmitted. Malicious hackers and intelligence
    agencies use packetsniffers to intercept data; network administrators
    use them to analyze network performance.
    But a sniffer does not noticeably affect network performance, because
    it reads a copy of each packet from a network tap or a switch's mirror
    port while the original packet is forwarded on without waiting for it.
    Data isn't physically pulled off the Internet, processed and then
    re-released; only an inline device that must inspect every packet
    before releasing it, like the single inspection point Scambray
    described, would create a bottleneck.
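To make the passive-capture point concrete, here is an added example (mine, not Carnivore's code and not from the article) of what an e-mail sniffer does with a copied frame: it decodes the Ethernet, IPv4 and TCP headers, verifies the IP header checksum, keeps only traffic on the SMTP port (25) and pulls the envelope commands out of the payload. Nothing is written back or forwarded, which is the whole reason the traffic it watches is not slowed. The frames are built inside the example by a small helper so it runs offline; the addresses are documentation ranges, and the TCP checksum is left zero because the frames are never transmitted.

```python
import struct

ETH_P_IP = 0x0800      # EtherType for IPv4
IPPROTO_TCP = 6
SMTP_PORT = 25


def ipv4_checksum(header):
    """RFC 791 one's-complement sum over the IPv4 header bytes. Run over a
    header that already contains its checksum, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Construct an Ethernet/IPv4/TCP frame carrying payload. Sample input for
    the parser only (assumed MACs, TCP checksum zero), not a sendable packet."""
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETH_P_IP))
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    tcp += payload
    total_len = 20 + len(tcp)
    src = bytes(map(int, src_ip.split(".")))
    dst = bytes(map(int, dst_ip.split(".")))
    # ver/ihl, tos, total length, id, flags DF, ttl, proto, csum placeholder
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                     64, IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + tcp


def parse_frame(frame):
    """Decode one captured frame. Returns a dict of addresses, ports and TCP
    payload, or None if the frame is not valid IPv4/TCP. The bytes are only
    read; a passive sniffer never alters or re-injects them."""
    if len(frame) < 14 + 20 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or ipv4_checksum(ip[:ihl]) != 0:
        return None            # truncated or corrupted header: drop it
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return {
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "sport": sport, "dport": dport,
        "payload": tcp[data_offset:],
    }


def smtp_envelopes(frames):
    """Keep only SMTP traffic and return (src, dst, command) for each MAIL
    FROM / RCPT TO line seen; everything else is ignored, as a targeted
    sniffer would ignore it."""
    found = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or SMTP_PORT not in (pkt["sport"], pkt["dport"]):
            continue
        for line in pkt["payload"].decode("ascii", "replace").splitlines():
            if line.upper().startswith(("MAIL FROM:", "RCPT TO:")):
                found.append((pkt["src"], pkt["dst"], line))
    return found


# Constructed sample capture: one SMTP exchange and one unrelated HTTP request.
SAMPLE_FRAMES = [
    build_frame("192.0.2.10", "198.51.100.25", 40001, 25, b"MAIL FROM:<alice@example.org>\r\n"),
    build_frame("198.51.100.25", "192.0.2.10", 25, 40001, b"250 2.1.0 Ok\r\n"),
    build_frame("192.0.2.10", "198.51.100.25", 40001, 25, b"RCPT TO:<bob@example.net>\r\n"),
    build_frame("192.0.2.10", "203.0.113.80", 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for src, dst, cmd in smtp_envelopes(SAMPLE_FRAMES):
        print(f"{src} -> {dst}: {cmd}")
```

The same decode-and-filter loop is what sits behind a tap or mirror port in a real deployment; the expensive part Forno refers to is not this per-packet work but doing it for every packet on every ISP link at once.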
    "I don't really believe that Carnivore would be the cause for any
    network traffic slowdown unless it -- as a sniffer -- is sucking and
    processing every single bit of data on every single ISP, which is a
    nearly impossible thing to do undetected," said Forno, who has acted
    as an adviser to the Department of Defense on information warfare.
    "Not to mention that the processing power required to do this would be
    extraordinary, if not existing only in fantasy."
    Forno also said he thinks Carnivore isn't very effective.
    "All Carnivore will do is keep honest folks honest," Forno said.
    "Power users who value their online privacy and cyber-criminals with
    half a clue already know how to get around it."
    Forno said that scanning by Echelon is also unlikely to be responsible
    for any slowdowns. Echelon gathers information from phone calls, faxes
    and e-mail primarily by intercepting traffic on global satellite
    telecommunications links, using the same sort of passive
    packet-sniffing approach that Carnivore does.
    Some believe that Echelon -- operated by the United States, Britain,
    Canada, Australia and New Zealand -- also isn't as capable or scary as
    some news reports have indicated.
    Last year, a European parliament committee conducted a year-long
    investigation to find out exactly how extensive and effective the
    Echelon system is.
    The committee came to the conclusion that while Echelon is effective,
    it can intercept "only a very limited proportion" of the ever-growing
    amount of electronic communications that moves across the Internet and
    through phone lines.
    "Echelon is an over-hyped intelligence program that's been in place
    for over 50 years," Forno said. "The media and conspiracy theorists
    love to make Echelon out to be this all-encompassing new spook
    project. Simply put, it's nothing new."
    The U.S. government seems to agree.
    Attorney General John Ashcroft told Congress on Monday that laws have
    not kept up with advances in technology, and law enforcement officers
    are armed with "antique weapons" in the battle against terrorism.
    He urged Congress to pass a package of new laws that would give law
    enforcement officers expanded powers to tap telephones, conduct
    searches, seize assets and detain suspected terrorists.
    Many lawmakers agreed with Ashcroft that some tougher measures were
    needed, but also said they did not want to trample civil liberties in
    the process.
    "Past experience has taught us that today's weapons against terrorism
    may be tomorrow's weapon against law-abiding Americans,"
    Representative John Conyers of Michigan said in response to Ashcroft's
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Sep 26 2001 - 03:53:00 PDT