[ISN] Slow Slammer response points to NIPC woes

From: InfoSec News (isnat_private)
Date: Wed Jan 29 2003 - 00:23:14 PST

  • Next message: InfoSec News: "[ISN] Security Vendor Cuts Ties With CERT"

    By Paul Roberts
    IDG News Service
    Slow response from the FBI to Saturday's outbreak of a virulent new
    computer worm may have been the result of the recent government
    reorganization creating the Department of Homeland Security and
    increased concerns about threats of cyberterrorism.
    The FBI came under scrutiny on Monday when it appeared the agency was
    asleep on its feet Saturday as the W32.Slammer worm rocketed around
    the world, infecting hundreds of thousands of systems within the first
    few hours of surfacing.
    The FBI's cyberthreat arm, the National Infrastructure Protection
    Center (NIPC), stayed silent for much of Saturday as prominent
    antivirus companies such as Internet Security Systems (ISS) and
    Network Associates's McAfee AVERT (Anti-Virus Emergency Response Team)  
    division issued alerts about the spread of the Slammer worm.
    Reporters who called the agency asking for comment during that time
    were told only that the NIPC was "monitoring the situation," but
    official statements were not forthcoming.
    It was not until 1:41 p.m. EST (6:41 p.m. GMT) on Saturday, more than
    13 hours after the initial appearance of Slammer, that the NIPC issued
    its first advisory on the worm, entitled "Worm Targets SQL
    Vulnerability," on its Web page. By that time, many organizations had
    already identified the threat and taken steps to stop its spread.
    In an Internet webcast hosted by the nonprofit SANS Institute that
    featured security experts and representatives from the federal
    government and Microsoft, Marcus Sachs, director for communication
    infrastructure protection at the White House Office of Cyberspace
    Security said that a combination of bad timing and the recent folding
    of the NIPC and other government cybersecurity departments into the
    new Department of Homeland Security may have played a role in the
    agency's lackluster response to the Slammer outbreak.
    "The worm couldn't have come at a better time," Sachs joked.
    The inauguration of the new Department was celebrated on Friday. In
    addition, NIPC staff were coordinating with other federal computer
    security personnel on what was described as an issue stemming from
    tensions with Iraq.
    As a result, most of the NIPC researchers were home when Slammer broke
    and the agency had trouble getting "the right personnel" to respond to
    the Slammer outbreak, Sachs said.
    "They're going through a transition now and I don't know where its
    going to come out," said Allan Paller, research director of the SANS
    Indecision about the NIPC's future over the past year and senior staff
    defections in recent months have taken their toll, according to
    But an NIPC spokesman denied that there was any delay in responding to
    the Slammer threat.
    "The NIPC puts out alerts and advisories when it's sure that the
    information is correct and complete," said Bill Murray, a public
    affairs officer at the NIPC.
    Murray refused to characterize the NIPC's response on Saturday as
    either fast or slow, and said that it does not intend to match
    antivirus and security companies when releasing information on
    emerging threats.
    "We believe NIPC did what it was tasked and chartered to. We analyzed
    the threat and provided accurate warnings," Murray said.
    Murray denied any knowledge of problems stemming from the transition
    to the Department of Homeland Security or from work on issues related
    to Iraq.
    The agency's response to future outbreaks would be evaluated on a case
    by case basis, Murray said.
    "We are a tool to be used just as (security companies) are a tool to
    be used," Murray said.
    But Paller sees the possibility for a wider role for the NIPC within
    the Department of Homeland Security and under strong new leadership.
    Among the possible new roles for the NIPC would be creating a
    incentive based reporting system for new vulnerabilities, marshalling
    resources within the federal government to get vulnerabilities fixed
    and creating a centralized reporting and monitoring system to
    coordinate information on virus outbreaks reported by Internet
    backbone providers, Paller said.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 02:46:46 PST