[ISN] Internet Attack's Disruptions More Serious Than Many Thought Possible

From: InfoSec News (isnat_private)
Date: Tue Jan 28 2003 - 10:40:25 PST

    http://ap.tbo.com/ap/breaking/MGAPX0P2HBD.html
    
    By Ted Bridis 
    Associated Press Writer 
    Jan 27, 2003
    
    WASHINGTON (AP) - The weekend attack on the Internet crippled some
    sensitive corporate and government systems, including banking
    operations and 911 centers, far more seriously than many experts
    believed possible.
    
    The nation's largest residential mortgage firm, Countrywide Financial
    Corp., told customers who called Monday it was still suffering from
    the attack. Its Web site, where customers usually can make payments
    and check their loans, was closed with a note about "emergency
    maintenance."
    
    Police and fire dispatchers outside Seattle resorted to paper and
    pencil for hours Saturday after the virus-like attack disrupted
    operations for the 911 center that serves two suburban police
    departments and at least 14 fire departments.
    
    American Express Co. confirmed that customers couldn't reach its Web
    site to check credit statements and account balances during parts of
    the weekend. Perhaps most surprising, the attack prevented many
    customers of Bank of America Corp., one of the largest U.S. banks, and
    some large Canadian banks from withdrawing money from automatic teller
    machines Saturday.
    
    President Bush's No. 2 cyber-security adviser, Howard Schmidt,
    acknowledged Monday that what he called "collateral damage" stunned
    even experts who have warned about uncertain effects on the nation's
    most important electronic systems from mass-scale Internet
    disruptions.
    
    "One would not have expected a request for bandwidth would have
    affected the ATM network," Schmidt said. "This is one of the things
    we've been talking about for a long time, getting a handle on
    interdependencies and cascading effects."
    
    The White House and Canadian defense officials confirmed they were
    investigating how the attack, which started about 12:30 a.m. EST
    Saturday, could have affected ATM banking and other important networks
    that should remain immune from traditional Internet outages.
    
    Schmidt said early reports suggested private ATM networks overlapped
    with parts of the public Internet. Such design decisions were
    criticized as "totally brain-dead" by Alex Yuriev of AOY LLC, a
    Philadelphia-based consulting firm for banks and telecommunications
    companies.
    
    Officials were most concerned about risks that citizens might lose
    confidence in financial networks.
    
    "Their bread and butter is the public being able to get access to
    their accounts when and where they want them," said Ron Dick of
    Computer Sciences Corp., former head of the FBI's National
    Infrastructure Protection Center. "Even during nominal disruptions,
    the key is having a plan so you can provide assurances to your
    customers."
    
    The virus-like attack, alternately dubbed "slammer" or "sapphire,"  
    sought out vulnerable computers to infect using a known flaw in
    popular database software from Microsoft Corp. called "SQL Server
    2000." The attacking software scanned for victim computers so randomly
    and so aggressively that it saturated many of the Internet's largest
    data pipelines, slowing e-mail and Web surfing globally.
    
    "One thing people have always feared was that the mesh among certain
    critical infrastructure sectors would be affected, and there was some
    of that," said Eddie Schwartz, a vice president at Predictive Systems
    Inc., which runs Internet warning centers for the banking and energy
    industries.
    
    Congestion from the Internet attack eased over the weekend and was
    almost completely normal by Monday. That left investigators poring
    over the blueprints for the Internet worm for clues about its origin
    and the identity of its author.
    
    Complicating the investigation was how quickly the attack spread
    across the globe, making it nearly impossible for researchers to find
    the electronic equivalent of "patient zero," the earliest infected
    computers.
    
    "Basically within one minute, the game was over," said Johannes
    Ullrich of Boston, who runs the D-Shield network of computer monitors.  
    He watched the attack spread with alarming speed worldwide. Asia,
    especially Korea, was among the areas hardest-hit.
    
    Experts said blueprints of the attack software were similar to a
    program published on the Web months ago by David Litchfield of NGS
    Software Inc., a respected British security expert who discovered the
    flaw in Microsoft's database software last year.
    
    The attack software also was similar to computer code published weeks
    ago on a Chinese hacking Web site by a virus author known as "Lion,"  
    who publicly credited Litchfield for the idea.
    
    Litchfield said he deliberately published his blueprints for computer
    administrators to understand how hackers might use the program to
    attack their systems.
    
    "Anybody capable of writing such a worm would have found out this
    information without my sample code," Litchfield said. "Just because
    someone publishes a proof-of-concept code doesn't necessarily help the
    people we should be worried about."
    
    Still, Litchfield's disclosure was likely to reignite a simmering
    dispute among security researchers and technology companies about how
    much information to disclose when they discover serious
    vulnerabilities in popular software.
    
    "I personally would rather people not publish exploit code," said
    Steve Lipner, a top security official at Microsoft Corp.
    
    Litchfield responded that his warnings about the threat - plus his
    detailed example - might have frightened many professionals into
    installing software repairs. Microsoft said the number of users
    downloading its repairing patch reached 6,800 per hour Monday.
    
    
    