AnchorDesk
How the feds failed us when Slammer attacked

Robert Vamosi
Senior Editor, Reviews
Monday, February 3, 2003
What a mess. 247,000 computers infected worldwide. Bank of America's ATMs down. E-commerce Web sites unable to process online orders. Worse, police and fire districts unable to receive 911 calls. Even Microsoft was affected by the SQL Slammer worm, also known as Sapphire and Helkern, which broke out just over a week ago.

But despite the initial indignation and chest-beating following the Code Red and Nimda attacks of 2001 (remember the joint Microsoft/FBI press conference?), the U.S. government still lacks a clear and coherent strategy for dealing with large-scale cyberattacks.

Given the distractions of a possible war in the Middle East and a massive relocation of federal IT staff to the Persian Gulf, I believe the U.S. is even more vulnerable to cyberattacks today than it was in 2001. If a worm more powerful than Slammer were to hit tomorrow, we'd be in trouble.

AS IT TURNED OUT, the Slammer attack was relatively benign. This worm did not, for example, take advantage of buffer overruns to run malicious code or damage files on infected machines, as we've seen with other viruses. Nor did Slammer contain greetz (messages hackers send to each other through worms) or political messages for that matter.

Based on a denial-of-service vulnerability within Microsoft's SQL Resolution Service, Slammer sends data packets to vulnerable machines running SQL Server 2000. The keep-alive function in those infected machines then sends identical packets back to the SQL server that sent them. In this way, Slammer tricks two SQL servers into an endless loop of meaningless packet exchanges--over and over again--and thus prevents them from performing their normal functions.

The worm also affects PCs running Microsoft Desktop Engine (MSDE) 2000. MSDE can be found in Microsoft software development tools such as Visual Studio .Net, Office XP Developer Edition, and Microsoft Application Center 2000. A more complete list of vulnerable third-party software is available on SQLsecurity.com. Systems running these programs may experience unusual activity on UDP port 1434.

Consisting of a mere 376 bytes of code, Slammer was amazingly compact and no-nonsense. The Slammer code appears to have been distilled from a white paper, written by David Litchfield of NGS Software, that explained three SQL vulnerabilities. Litchfield's exploit has since appeared on malicious user Web sites, and was most recently updated by Lion, the same hacker who created the Lion worm back in 2001.
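As an added example, not code from this column or from any of the companies it names, the script below runs two defensive heuristics over a UDP flow log: it flags a single source that sends worm-sized datagrams (the 376-byte figure quoted above) to many different hosts on UDP port 1434 in a short window, and it flags pairs of servers that keep bouncing UDP/1434 datagrams at each other, the keep-alive loop described earlier. The log line format, the addresses, and the thresholds are constructed assumptions for the demonstration; adapt parse_line() to whatever your own sensor emits.

```python
"""Heuristic detection of Slammer-style UDP/1434 activity in a flow log.

Added example, not from the original column. The record format, sample
addresses and thresholds are constructed for this demonstration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SSRS_PORT = 1434            # SQL Server Resolution Service port named in the column
SLAMMER_PAYLOAD_LEN = 376   # worm body size quoted in the column

# Constructed record format: "<epoch> UDP <src>:<sport> > <dst>:<dport> len=<bytes>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) UDP (?P<src>[\d.]+):(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)


@dataclass(frozen=True)
class Datagram:
    ts: float
    src: str
    dst: str
    dport: int
    payload_len: int


def parse_line(line):
    """Return a Datagram for one record, or None for lines not in the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Datagram(float(m["ts"]), m["src"], m["dst"], int(m["dport"]), int(m["len"]))


def parse_flow_log(text):
    return [d for d in (parse_line(line) for line in text.splitlines()) if d]


def find_sprayers(datagrams, min_targets=20, window=10.0, tolerance=8):
    """Sources that hit at least `min_targets` distinct hosts on UDP/1434 with a
    worm-sized payload inside any `window` seconds (an infected host scanning out)."""
    per_src = defaultdict(list)
    for d in datagrams:
        if d.dport == SSRS_PORT and abs(d.payload_len - SLAMMER_PAYLOAD_LEN) <= tolerance:
            per_src[d.src].append(d)
    hits = {}
    for src, pkts in per_src.items():
        pkts.sort(key=lambda p: p.ts)
        best, lo = 0, 0
        for hi in range(len(pkts)):          # sliding time window over this source's packets
            while pkts[hi].ts - pkts[lo].ts > window:
                lo += 1
            best = max(best, len({p.dst for p in pkts[lo:hi + 1]}))
        if best >= min_targets:
            hits[src] = best
    return hits


def find_pingpong(datagrams, min_exchanges=10):
    """Pairs of hosts exchanging UDP/1434 datagrams in both directions many times
    (the keep-alive reflection loop the column describes)."""
    counts = defaultdict(int)
    for d in datagrams:
        if d.dport == SSRS_PORT:
            counts[(d.src, d.dst)] += 1
    pairs = set()
    for (a, b), n in counts.items():
        if n >= min_exchanges and counts.get((b, a), 0) >= min_exchanges:
            pairs.add(tuple(sorted((a, b))))
    return sorted(pairs)


def _build_sample_log():
    """Constructed sample: benign lookups, one spraying host, one bouncing pair."""
    lines = [
        "1043460000.000 UDP 10.0.1.5:49152 > 10.0.1.10:1434 len=1",   # ordinary instance lookup
        "1043460001.500 UDP 10.0.1.6:49153 > 10.0.1.10:1434 len=1",
    ]
    for i in range(1, 61):   # one host hitting 60 addresses in three seconds
        lines.append(f"{1043460100 + i * 0.05:.3f} UDP 10.0.5.17:3077 > 198.51.100.{i}:1434 len=376")
    for i in range(12):      # two servers stuck bouncing keep-alive datagrams
        t = 1043460200 + i
        lines.append(f"{t:.3f} UDP 192.0.2.10:1434 > 192.0.2.20:1434 len=2")
        lines.append(f"{t + 0.5:.3f} UDP 192.0.2.20:1434 > 192.0.2.10:1434 len=2")
    lines.append("this line is not a UDP record and is ignored")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def analyse(text=SAMPLE_LOG):
    dgs = parse_flow_log(text)
    return {"sprayers": find_sprayers(dgs), "pingpong": find_pingpong(dgs)}


if __name__ == "__main__":
    print(analyse())
```

The two heuristics are deliberately independent: the spray check keys on payload size and destination fan-out, so ordinary resolution-service lookups (tiny payloads, one destination) never trip it, while the ping-pong check ignores size entirely and only cares that both directions on UDP/1434 are busy between the same two hosts.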

Microsoft has had a patch for the vulnerability Slammer exploits available since July 2002. However, many people apparently had not applied the patch, or had applied it incorrectly. (The patch was unusually complex in that it required you to edit some files before applying the fix.) Ironically, just a few days before the attack, Microsoft released an easier-to-install service pack to resolve the problem.

Here's an interview with White House cybersecurity advisor Richard Clarke from September 2002. In it, Clarke talks to CNET's Brian Cooley about how the new national strategy to secure cyberspace will affect corporations and consumers.

MY QUESTION IS: At the height of the attack, who was on guard to tell everyone how to deal with the crisis?

Not the U.S. government. During the early hours of the Slammer assault on Saturday, Jan. 25, the National Infrastructure Protection Center (NIPC), currently part of the FBI but soon to be relocated to the new Department of Homeland Security, was strangely silent. The first reports issued to system administrators and the media came from two private companies: Internet Security Systems and Network Associates (which owns McAfee Security).

Turns out our top NIPC officials were AWOL when the worm hit. The afternoon before the attack they were celebrating the creation of the Department of Homeland Security, so it wasn't until midday Saturday, when reports of Slammer had already begun to subside, that NIPC issued its first alert.

Marcus Sachs, director of communication for the White House Office of Cyberspace Security, admitted that the worm was badly timed. But is there ever a good time for a worm to hit? Even less reassuring was when the president's No. 2 cybersecurity expert, Howard Schmidt, admitted his consternation over the ATM outages. I would hope that someone in his position would be aware of--and somewhat prepared for--this sort of attack.

The fact is: There's no one left in Washington to run the cybersecurity show. Last Tuesday news broke that White House presidential cybersecurity adviser Richard Clarke will resign next month, after he completes the final National Strategy for Securing Cyberspace report. While his departure was rumored before Slammer, I found it curious that Clarke offered no comments during this mini-Digital Pearl Harbor. It took him until Jan. 30--five days after Slammer appeared--to send out an e-mail about the attack. In it, he called Slammer "a dumb worm that was easily and cheaply made...More sophisticated attacks against known vulnerabilities in cyberspace could be devastating."

Other federal cybersecurity leaders, like former NIPC head Ron Dick, have already left the government to work in the private sector. And many rank-and-file IT professionals aren't in their government offices these days because they're being shipped off to the Persian Gulf.

TO ADD TO ALL THIS, the process the government set up last summer for disclosing software vulnerabilities is also falling apart. NGS Software, which discovered the flaw exploited by Slammer, announced it's no longer working with the non-profit Computer Emergency Response Team Coordination Center (CERT-CC) at Carnegie Mellon University. Instead, NGS says it will work directly with the affected vendors to resolve vulnerabilities. Security experts have already started a letter-writing campaign to keep vulnerabilities public.

From the first large-scale Internet attack since the summer of 2001, I guess we've learned who's really protecting cyberspace: private companies like Network Associates and ISS. Despite all its post-Sept. 11 domestic-terrorism posturing, the U.S. government was out to lunch--or rather, dinner--when we really needed them.

Perhaps the Bush administration's latest effort to monitor the Net's health, the Global Early Warning Information System (GEWIS), will improve matters in the future. But given that Slammer was but a taste of the havoc virus writers could wreak on the Net, it's going to take a lot for the feds to regain the Internet community's trust, if indeed anyone trusted them on this issue before.

Do you trust the Department of Homeland Security to provide guidance during the next Internet security event? Why or why not? Take my QuickPoll above, and TalkBack to me below!
