[ISN] Hackers could be planning major attack, says White House

From: InfoSec News (isnat_private)
Date: Wed Nov 13 2002 - 23:41:34 PST


    By Shane Harris
    November 12, 2002 
    A new computer worm infecting a popular World Wide Web technology is
    proof that computer hackers have grown more sophisticated and could be
    preparing a significant attack, according to a senior White House
    Marcus Sachs, director of communication and infrastructure protection
    at the White House Office of Cyberspace Security, said hackers driven
    to "the back streets and back alleys of the Internet" by intense law
    enforcement scrutiny following the Sept. 11 attacks have quietly been
    building new threats. The new worm, widely known as Slapper, is a
    prime example of their abilities, he said.
    Officials believe millions of devices are vulnerable to Slapper, which
    is a computer code that burrows into a server, the program that
    provides the files that constitute Web pages. It enters through a
    well-known weakness in the Secure Socket Layer (SSL) that connects
    servers to the Internet. Once inside, the worm forces the server to
    seek out other infected machines, forming an army of so-called
    "zombies" that could bombard Web sites with bogus requests for
    information, causing a massive traffic jam on the Internet.
    The attack method, known as a distributed denial-of-service attack,
    has been used to disrupt service on sites such as Yahoo! and eBay.  
    Attacks last year by other worms, such as Code Red and Nimda, caused
    billions of dollars in damage and targeted some government Web sites,
    including a White House server.
    The Slapper worm was identified two months ago, but federal officials
    still are concerned that many infected or at-risk organizations and
    individuals haven't taken adequate steps to protect themselves. The
    FBI's National Infrastructure Protection Center has found four
    variants of the worm, and notes that rates of new infection have
    declined. However, the agency also has warned that between 25,000 and
    30,000 servers have already been infected. A steady buildup of
    infections preceded the Code Red and Nimda attacks.
    Sachs said Slapper represents a "double barrel" feat of hacker
    engineering, because it targets two well-known devices that have long
    been considered quite secure. The Apache server the worm attacks and
    the hole in the SSL connection through which it enters are open source
    products, meaning their design is publicly available. Sachs said there
    has been a longstanding myth that open source technologies are safer
    than proprietary systems because their design can be improved by
    anyone who wants to examine them. The Slapper worm is helping to
    dispel that notion, he said.
    The SSL vulnerability exists on a number of products, but Slapper is
    infecting only Apache servers that use the device.
    Computer security experts believe Slapper is an evolution of previous
    worms and viruses because it includes some of the capabilities of its
    predecessors. It allows a remote attacker to hijack and command the
    infected system, and it may cause network disruption when the zombie
    systems communicate with one another, according to the Computer
    Emergency Response Team Coordination Center, a federally funded
    security research organization run by Carnegie Mellon University in
    Some believe Slapper is a sign of threats to come. "These types of
    worms have the potential of becoming the much bigger problem out
    there," said Vincent Weafer, senior director of the Symantec Anti
    Virus Research Center in Santa Monica, Calif., who worked with the FBI
    to investigate Code Red and other worms.
    Advisories from the center and the FBI list a number of steps to
    protect systems against Slapper.
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Thu Nov 14 2002 - 02:37:02 PST