CRIME SQLSlammer vs. Sloppy Security?

From: Solomon, Charlie (clsolomon@private)
Date: Tue Jan 28 2003 - 09:35:47 PST


     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
        Is this virus really being so destructive, in a DoS way of
    course, because these companies or organizations really have MS SQL
    2000 exposed on the Internet?  I was reading the article, below,
    that references these organizations that are either critical
    infrastructure organizations or are organizations with mammoth
    resources to protect.  In either case, I can't believe that with
    this much at stake they're exposing their servers that are running
    their DBs to the Internet with no intermediaries.  I don't mean to
    crack open the MS-is-insecure can of worms, but I thought that
    exposing any DB server directly to the Internet was a dangerous
    proposition that orgs like this would avoid.  If you're going to
    serve data from your DB to the web, wouldn't you put the DB on a
    different server than the web server?  Or is this just a sign of the
    belt-tightening times?  (No, I don't believe that.)
    
        Please, tell me that I am misunderstanding the propagation of
    this worm or that I am missing some central concept, here.  This
    email may come off a little snide or something, but that's just
    because I've just been fighting with AT&T this morning and am still
    torqued up over that.  If there is something I'm missing in this
    case, then this is a good opportunity for a little education for many
    of us, I think!
    
        Mr. Fetter, I think you may find responsive audiences if you
    contact "The nation's largest residential mortgage firm, Countrywide
    Financial Corp", "Police and fire dispatchers outside Seattle",
    "American Express Co", "Bank of America Corp., one of the largest
    U.S. banks, and some large Canadian banks"!    ;)
    
    
    Charlie Solomon
    IS Director
    Oregon Rail
    <Mailto:clsolomon@private>
    503.265.5568
    
    
    
    Jan. 28, 2003  |  WASHINGTON (AP) -- Disruptions from the weekend
    attack on the Internet are shaking popular perceptions that vital
    national services, including banking operations and 911 centers, are
    largely immune to such attacks. 
    Damage in some of these areas was worse than many experts had
    believed possible. 
    The nation's largest residential mortgage firm, Countrywide Financial
    Corp., told customers who called Monday that its systems were still
    suffering. Its Web site, where customers can make payments and check
    their loans, was closed most of the day. 
    Countrywide predicted it would be early Tuesday before all its
    computers were fully repaired and its systems validated for security,
    spokesman Rick Simon said. 
    Police and fire dispatchers outside Seattle resorted to paper and
    pencil for hours after the virus-like attack on the weekend disrupted
    operations for the 911 center that serves two suburban police
    departments and at least 14 fire departments. 
    American Express Co. confirmed that customers couldn't reach its Web
    site to check credit statements and account balances during parts of
    the weekend. The attack prevented many customers of Bank of America
    Corp., one of the largest U.S. banks, and some large Canadian banks
    from withdrawing money from automatic teller machines Saturday. 
    President Bush's No. 2 cyber-security adviser, Howard Schmidt,
    acknowledged that what he called "collateral damage" stunned even the
    experts who have warned about uncertain effects on the nation's most
    important electronic systems from mass-scale Internet disruptions. 
    "This is one of the things we've been talking about for a long time,
    getting a handle on interdependencies and cascading effects," he
    said. 
    Miles McNamee, a top official with the technology industry's Internet
    early warning center, said the attack was "comparable to the worst of
    previous denial of service attacks." 
    The White House and Canadian defense officials confirmed they were
    investigating how the attack, which started about 12:30 a.m. EST
    Saturday, could have affected ATM banking and other important
    networks that should remain immune from traditional Internet outages.
    The attack, alternately dubbed "Slammer" or "Sapphire," sought
    vulnerable computers to infect using a known flaw in popular database
    software from Microsoft Corp. called "SQL Server 2000." 
    Microsoft said it has sold 1 million copies of the software, but the
    flawed code was also included in some popular consumer products from
    Microsoft, including the latest version of its Office XP collection
    of business programs. 
    The attacking software scanned for victim computers so randomly and
    aggressively that it saturated many of the Internet's largest data
    pipelines, slowing e-mail and Web surfing globally. 
    Congestion from the Internet attack is almost completely cleared.
    That has left investigators poring over the blueprints for the
    Internet worm for clues about its origin and the identity of its
    author. 
    Complicating the investigation was how quickly the attack spread
    across the globe, making it nearly impossible for researchers to find
    the electronic equivalent of "patient zero," the earliest-infected
    computers. 
    "Basically within one minute, the game was over," said Johannes
    Ullrich of Boston, who runs the D-Shield network of computer
    monitors. 
    Experts said blueprints of the attack software were similar to a
    program published on the Web months ago by David Litchfield of NGS
    Software Inc., a respected British security expert who last year
    discovered the flaw in Microsoft's database software that made the
    attack possible. NGS Software sells a program to improve security for
    such databases. 
    The attack software also was similar to computer code published weeks
    ago on a Chinese hacking Web site by a virus author known as "Lion,"
    who publicly credited Litchfield for the idea. 
    Litchfield said he deliberately published his blueprints for computer
    administrators to understand how hackers might use the program to
    attack their systems. 
    "Anybody capable of writing such a worm would have found out this
    information without my sample code," Litchfield said. 
    Still, Litchfield's disclosure was likely to re-ignite a dispute
    about how much information to disclose when serious vulnerabilities
    are found in popular software. 
    - - - - - - - - - - - - -
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBPja/cnB3c8h+pnqVEQJxtgCgqSpW421MJU3LjhOJNlS8RwwRWiIAnjnx
    TvcaonsEvWQVgRhp957VnCZ6
    =9gwB
    -----END PGP SIGNATURE-----
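An added example, not part of Charlie Solomon's message or the AP story, to put numbers on two things above: the AP line that the worm "scanned for victim computers so randomly and aggressively" that it saturated the Internet's largest pipes, and Charlie's point that database servers should not be reachable from the Internet at all. It is a Python model of a worm that probes uniformly random IPv4 addresses (the standard logistic model of random constant spread). The figures used, 75,000 reachable vulnerable hosts and 4,000 scans per second per infected host, are assumptions chosen for illustration and are not stated anywhere on this page; the function names are likewise mine.

```python
# Added example (not from the original post or the AP article): a toy model of
# how a random-scanning worm spreads and why the number of Internet-reachable
# vulnerable hosts sets the pace.  All numeric parameters are assumptions.
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a uniform random scanner draws from


def contact_rate(vulnerable, scans_per_sec):
    """Growth constant beta of the logistic model.

    Each infected host sends scans_per_sec probes to uniformly random
    addresses, so one probe hits a vulnerable host with probability
    vulnerable / ADDRESS_SPACE.  Early in the outbreak every hit is a
    fresh infection, so infections grow like exp(beta * t).
    """
    return scans_per_sec * vulnerable / ADDRESS_SPACE


def infected_at(vulnerable, scans_per_sec, t, initial=1):
    """Closed-form logistic solution: infected hosts at time t (seconds)."""
    beta = contact_rate(vulnerable, scans_per_sec)
    return vulnerable / (1 + (vulnerable / initial - 1) * math.exp(-beta * t))


def time_to_fraction(vulnerable, scans_per_sec, fraction, initial=1):
    """Seconds until `fraction` of the vulnerable population is infected."""
    beta = contact_rate(vulnerable, scans_per_sec)
    target = fraction * vulnerable
    return math.log(target * (vulnerable - initial)
                    / ((vulnerable - target) * initial)) / beta


def simulate(vulnerable, scans_per_sec, seconds, dt=0.1, initial=1):
    """Euler-step dI/dt = beta * I * (1 - I/N); return (t, infected) samples.

    A real outbreak is stochastic and bandwidth-limited; this only shows
    the shape of the curve.  The step never overshoots N because the
    increment shrinks to zero as I approaches N.
    """
    beta = contact_rate(vulnerable, scans_per_sec)
    infected = float(initial)
    samples = [(0.0, infected)]
    for step in range(1, int(seconds / dt) + 1):
        infected += beta * infected * (1 - infected / vulnerable) * dt
        samples.append((round(step * dt, 3), infected))
    return samples


def exposure_comparison(total_vulnerable, scans_per_sec, reachable_fraction,
                        target=0.9):
    """Time to infect `target` of the population when every vulnerable host
    is Internet-reachable, versus when only `reachable_fraction` of them are
    (the rest sit behind a firewall or on a private segment, which is what
    the post argues a database tier should look like).
    Returns (t_all_exposed, t_partly_exposed)."""
    exposed = max(2, int(total_vulnerable * reachable_fraction))  # >1 host keeps the log finite
    return (time_to_fraction(total_vulnerable, scans_per_sec, target),
            time_to_fraction(exposed, scans_per_sec, target))


if __name__ == "__main__":
    # Assumed figures, not from the page: 75,000 reachable vulnerable hosts,
    # 4,000 scans per second per infected host.
    N, S = 75_000, 4_000
    beta = contact_rate(N, S)
    print(f"beta = {beta:.4f}/s, doubling every {math.log(2) / beta:.1f} s")
    for pct in (0.5, 0.9, 0.99):
        print(f"{pct:.0%} infected after {time_to_fraction(N, S, pct):.0f} s")
    t_all, t_half = exposure_comparison(N, S, 0.5)
    print(f"90% takes {t_all:.0f} s with all hosts exposed, "
          f"{t_half:.0f} s with only half of them exposed")
    for t, i in simulate(N, S, 300, dt=1.0)[::60]:
        print(f"t={t:5.0f}s  infected={i:8.0f}")
```

With the assumed figures the doubling time comes out under ten seconds and 90% of the exposed population is reached within a few minutes. Halving the number of hosts reachable from the Internet (exposure_comparison) roughly doubles that time, because the early growth rate is the product of scan rate and reachable population divided by the size of the address space. That is the point behind Charlie's question: a database server that is firewalled off from the Internet cannot be found by a random scanner at all, so the reachable count, not the number of copies sold, sets the pace of an outbreak like this one.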
    



    This archive was generated by hypermail 2b30 : Tue Jan 28 2003 - 10:21:05 PST