http://www.nandotimes.com/technology/story/736677p-5363306c.html

By ANICK JESDANUN, AP Internet Writer

NEW YORK (January 26, 2003 4:20 p.m. EST) - The latest virus-like attack on the Internet exposes more than a software flaw: The very strategy managers of computer networks typically adopt for security has proven inadequate.

As network technicians continued Sunday to repair damages caused by the fast-spreading worm, government and private security experts worried that too many security managers are fixing problems as they occur, then moving on until the next outbreak.

The worm that crippled tens of thousands of computers worldwide, congested the network for countless others and even disabled Bank of America cash machines Saturday took advantage of a vulnerability in some Microsoft Corp. software that had been discovered in July.

Microsoft had made available the software updates needed to patch the vulnerability in its SQL Server 2000 software - but many system administrators had yet to install them.

"There was a lot that could have been done between July and now," said Howard A. Schmidt, President Bush's No. 2 cybersecurity adviser. "We make sure we have air in our tires and brakes get checked. We also need to make sure we keep computers up-to-date."

Saturday's worm sought out the flaw in SQL, a database product used mostly by businesses and governments. Once the worm found one, it infected that computer and from there continued seeking other victims by sending out thousands of probes a second, saturating many Internet data pipelines.

Unlike most viruses and worms, the latest spread directly through network connections and did not need e-mail as a transmitter. Thus, only network administrators who run the servers, not end users, could have done anything to remedy the situation.

According to Keynote Systems Inc., which measures Internet reliability and speed, network congestion increased download times at the largest U.S. Web sites by an average of 50 percent, and some sites were completely unavailable at times Saturday.

Most services and sites were restored by Saturday evening, and security experts said Sunday that the problem was largely under control, though some worried about lingering infections when businesses reopen Monday.

The FBI said Sunday that the attack's origins were still unknown.

Bruce Schneier, chief technology officer at Counterpane Internet Security, said the latest attack proves that relying on patches is flawed "not because it's not effective, but many don't do it."

Code Red and Nimda, two of the previous major outbreaks, also exploited known problems that had patches available.

But with more than 4,000 new vulnerabilities reported last year, according to the government-funded CERT Coordination Center at Carnegie Mellon University, system administrators can have trouble keeping up.

Vendors have mechanisms for notifying customers, but patches take time to install and could disrupt other systems and applications. Schmidt said many networks delay installing patches to fully test them first.

Russ Cooper, a security analyst at TruSecure Corp., said patches are also complicated, and applying them out of order can undo an earlier fix.

Microsoft spokesman Rick Miller said the company is working with network professionals to develop better tools, including ones to automatically scan systems for known vulnerabilities.

Preventing the next outbreak, security experts say, will mean rethinking security. Favored approaches range from getting vendors to make better software to paying private companies more money to handle the brunt of the work.

Microsoft, for one, has already pledged to improve its products. Just two days before the attack on its software, Microsoft chairman Bill Gates sent out an e-mail outlining such improvements as better support for "smart cards" to replace or augment computer passwords.

Company executives have also said they want to make security updates automatic so users could grant permission once and have multiple patches installed over the Internet whenever needed. Network managers, however, worry that such automation could inadvertently introduce problems for other applications.

Carnegie Mellon's Software Engineering Institute is among research centers working on improving security before software is shipped - lessening the need for patches, said Brian King, Internet security analyst at Carnegie's CERT center.

Security companies that stand to profit are pushing for more financial commitment.

"If you're paying someone to go out and be an advance tech support guy and hover in your network and hit the switches at the right time, it's going to cost money," said David Perry of anti-virus vendor Trend Micro. "But since there is a need for this, it is cost-effective to be proactive."

Schneier's Counterpane has an intrusion detection service for containing damages once a threat is identified, while SecurityFocus sends out alerts to help network managers prioritize.

George Kurtz, chief executive of security company Foundstone Inc., said anti-virus and firewall products are no longer enough.

"Security is a journey, not a destination," he said. "It needs continuous care and feeding like a child."

AP Technology Writer Ted Bridis contributed to this story from Washington.