[ISN] Agencies thwart SQL worm

From: InfoSec News (isnat_private)
Date: Wed Jan 29 2003 - 00:34:53 PST


    By Rutrell Yasin
    Jan. 27, 2003

    Several federal agencies were able to stave off a fast-moving Internet worm that wreaked havoc on networks worldwide over the weekend.

    Known as the SQL Slammer, the worm caused high central processing unit usages on servers, either slowing or shutting down servers by exploiting known vulnerabilities.

    The vulnerabilities in this case are in Microsoft Corp.'s SQL Server 2000 database software and were discovered in July 2002. Microsoft issued a patch to plug the security flaws in October.

    Although the worm doesn't carry a malicious payload that wipes out files, SQL Slammer is a self-propagating worm that exhausts network bandwidth, causing performance degradation across the Internet.

    SQL Slammer took a few hours to spread across Asia, Europe and North America on Jan. 25 as spikes in network traffic affected businesses and government agencies, interrupting the performance of airline travel systems and blocking access to automated teller machines.

    Basically "the attack was over and done with in a matter of hours," said Vincent Weafer, senior director of Symantec Corp.'s security response center. It took about five to eight hours for the attack to spread. This illustrates the critical need for agencies and businesses to have a pre-defined plan to deal with fast-spreading worms, Weafer
    Proper preparation paid off for the Department of Veteran Affairs.

    "Our new security operations center (SOC), a 24-by-7-by-365 activity under the VA Central Incident Response Capability was on top of it from the beginning," according to Bruce Brody, chief security officer for the VA.

    Brody said that throughout the course of the incident, the VA was in constant contact with the Federal Computer Incident Response Center, the focal point for computer security issues impacting civilian

    FedCIRC first released an advisory concerning the SQL Slammer worm on July 29, 2002. FedCIRC reissued the advisory as an informational notice on its Web site (www.fedcirc.gov) Jan. 25, shortly after 8 a.m., according to a General Services Administration spokesperson.

    "The VA SOC orchestrated a number of activities throughout the weekend, including several teleconferences with all of the VA regions and put out the necessary patches and tools," Brody said.

    "Our telecommunications provider assisted by closing the ports that the worm used to enter and exit the enterprise. While remediation activities and cleanup continue, we believe we withstood the brunt of the incident with minimal disruption to our enterprise."
    A major Defense Department network deployed throughout North America and Asia was also able to thwart disruption of network services by having the right configuration management and control tools in place, said Carl Wright, vice president of federal operations at Securify Inc., a developer of configuration management software.

    Although traffic on the network tripled as the worm utilized bandwidth, no machines were infected because DOD was able to take a proactive stance by having the information it needed to ensure that all firewalls and virtual private networks are properly configured, Wright added.

    Using tools that help automate the process of ensuring that systems are properly configured in addition to keeping up to date with patches can help thwart the majority of such attacks, experts said.

    "Only about 1 to 2 percent of attacks are unknown; 98 percent are due to problems that we are already aware of," said Marcus Sachs, director of communication infrastructure protection in the White House Office of Cyberspace Security, during a SANS Institute Webcast.

    The worm affected a few computers at the National Oceanic and Atmospheric Administration, said Thomas Pyke Jr., the chief information officer at the Commerce Department. He has asked the department's operating units to certify that their systems have the appropriate software patches installed and to make sure that the firewalls at the edges of the network are configured to prevent incoming attacks and keep the worm from going outside.

    Commerce is eager to use the GSA patch dissemination system, Pyke said, adding that the department also takes advantage of services provided by FedCIRC.

    Colleen O'Hara and Judi Hasson contributed to this report.
    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 02:46:49 PST