When Will The Next Slammer Strike?
scubacuda writes "Business Week has an article on how the Slammer worm demonstrates just 'how vulnerable the Internet remains': MS's own DBs were affected, telephone/ATM/etc were knocked out, and if the worm had occurred only 48 hours later (preventing investors' trading, 911 calls, banking services), there could have been a 'virtual Net shutdown.' Vincent Weafer, director of the computer-security outfit Symantec's Anti-Virus Response Center (SARC), says that the likelihood that a Slammer-style worm will hit at a more vulnerable moment is high."
ATMs are not connected to the internet, but to the bank's private network, which, yes, runs over TCP/IP. So a computer that got infected and had access to the internal network would be enough to crash those reachable ATMs.
Brett Glass : http://www.brettglass.com
Many ATMs use a phone line to connect to the network to run the transaction so if the phone lines are down so is the ATM. Some use leased lines or other communication technologies but a POTS line does the job and is often cheapest.
Maybe those ATMs are running Microsoft's SQL Server in the backend? Seriously, I've seen pics of ATMs that got the BSOD.
Please direct all bug reports to
You do realize that you're talking about Microsoft, right? The same company that released a web browser that would execute code so insecurely that it could wipe entire hard disks - A FRICKIN' WEB BROWSER!
It is.
who can't afford 50 bucks on a virus scanner or decent firewall software
Then don't pay 50 bucks.
I saw Nimda infections up until the end of last year
Norton and McAfee both provided free available Nimda removal tools. Besides, if you can afford IIS, you can afford a virus scanner.
It's hard to be religious when certain people are never incinerated by bolts of lightning.
It *is* free http://www.grisoft.com (AVG)
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
There are some companies that offer free services.
http://housecall.trendmicro.com
Free Java-based scanner, works well; I've used it many times when I'm out fixing someone's computer and they don't have a decent scanner.
Jesus saves, everyone else takes full damage from the fireball.
, very well, thank you.
And not only that, nonprofits and edu can get the server version of Norton Anti-Virus for FREE from techsoup.com.
So it's doubly stupid that any college got hit.
Just because something isn't technically on the Internet, doesn't mean it is on a completely walled-off pipe.
Many stand-alone ATM structures use a satellite connection from Hughes Network Systems to securely connect to their company's network. But that's the same Hughes Network Systems birds that power DirecWay and DirecPC consumer services. So, if for some reason there was a sudden surge in Internet traffic (such as a worm randomly trying to infect IP addresses without caring whether or not there is a machine capable of being infected on the other end) the ATM might not be able to get enough satellite time to complete a transaction without timing out, therefore resulting in a "lost my connection" message on the ATM.
Think of it as a VPN tunnel over a network that is used partly for Internet, and partly for other things... if the Internet goes crazy, it affects those other things too.
My presumption is that they were running ATM VPN traffic over standard IP connections (basically like running an ADSL line to the site). This would affect anyone who is running a system critical service over the shared internet.
Having said that, if they were affected then it demonstrates really poor planning: Any critical service should have QoS guarantees by their provider (which should have peer QoS guarantees, and so on), so if the ATM requires a minimum of x bandwidth, then the provider will guarantee that all other traffic will be throttled to accommodate it, building more bandwidth (fibre, etc) if they cannot accommodate all of their QoS guarantees at once. It most certainly seems ridiculous to even ponder things like 911 going down because of something like this.
Let me put it another way: Many telcos share the same data lines for both voice traffic (long distance calls, etc), and Internet IP traffic: Internet traffic cannot take up so much bandwidth that it impedes the voice data, as the telco will always throttle it accordingly to ensure that voice always gets through with 100% throughput. These same sorts of guarantees hold true (or should hold true) for all other system critical type services, and it is brutal irresponsibility to do anything else. When some kid with a ping program can take down your system then it points out a pretty big flaw.
Actually, 911 service runs on the PSTN, as does a very large portion of the Internet. The two (Internet and PSTN) are very inter-twined, as are the vast majority of corporate (including bank) networks.
Remember, it was us geeks who convinced the suits that the Internet was the way to travel in the 21st century. Now it's our job to support that claim by providing them with a more reliable Internet.
BD Phone Home!
Shameless plug. Like you weren't expecting it.
No, it demonstrates just how vulnerable a number of sites on the Internet that ought to know better are. "The Internet" stayed running just fine, though it maybe slowed down a bit in places. I certainly didn't notice any noticeable reduction in spam over it.
I'm a PC tech at my college, and for the last few years we've purchased a site license for Norton Antivirus. Students are EXPLICITLY told their first day here that they need to go to Computer/Network Service's website and download the virus scanner, AND keep it up to date. (We had some problems with the download a little while ago, but it's since been repaired and highly advertised.)
So EVERYONE has access to a program that installs easily, is FREELY downloadable, and requires only minimal maintenance (update your damn definitions once in a while.) And yet, we still have Nimda and Klez flying around. Probably right now, there are Nimda infections running around on our network.
People can be so incredibly dense when it comes to this stuff. We even have a virus scanner sitting on the mailserver, and STILL this shit abounds.
And Klez still manages to find my email address once in a while in some poor dope's addressbook, sending it around the world. Fabulous. School networks are a foul, foul microcosm that provide fertile breeding grounds for this shit.
The biggest problem is, you can't MAKE people take basic security precautions. Some poor stupid college freshman who can't download a goddamned virus scanner sends out a fresh batch of Nimda every day. Should there be action taken against him?
I'd love to see this stuff government-mandated. I really would. But I just don't know how possible it is in today's climate. I'd be overjoyed to see some semblance of security restriction imposed upon companies like Microsoft, that wave a patch around saying "Our ass is covered! We didn't do it!" when 1) they didn't patch their OWN systems 2) the patch breaks everything else.
But will it HAPPEN? Does government have the understanding of technological matters to make this happen without impinging more on our freedoms than they already do? I'm not feeling too reassured right now.
Angry IT woman in big clompy boots. And talking lint!
Yes. ATMs as in bank ATMs. Cash machines.
I don't know about most people, but the outage affected customers of CIBC Bank in Canada, who couldn't withdraw their cash from many machines throughout Ontario (the news said Toronto only, but it affected some of my family and friends in other areas too).
Being a customer of a different bank (TD Canada Trust), I was not affected.
You can accomplish anything you set your mind to. The impossible just takes a little longer.
When a Linux security patch is released, it typically is primarily oriented towards fixing the security hole, or security holes, affected.
It's also usually tested on a few dozen machines before it is published.
When Microsoft releases a security patch, they also include code to fix visual effects they noticed went a bit wrong with some companion software, some tweaks to various settings that users have been complaining about, and I've even seen a couple that included a new feature or two. I wouldn't put added Easter eggs past them. Basically, Microsoft, like many companies, issues security patches that patch a lot more than security.
I also suspect that Microsoft's infamous spaghetti code has a certain amount of relevance here - they have deliberately intertwined their code, such that parts that are conceptually distinct are dependent on each other. The code that is a security hole in one could potentially be correct and required by the other.
That's not quite true. The PSTN has a limited capacity, and those limits assume that not everybody will pick up the phone all at once. On 9/11/01, in parts of the country far away from Washington and NYC, there was no major failure of any local telephone equipment, yet there were many calls that could not be completed because there was a higher volume of phone calls than the system could handle.
If an infected computer is on a dial-on-demand modem setup, the worm will spew non-stop Internet traffic, and the router will respond by firing up the Internet connection and using the phone line. If overall phone usage goes up a noticeable amount, that could cause routing that makes 911 a "can't get there from here" problem.
But wait, 911 is supposed to be a priority call that should be able to kick other less-important calls off the system to clear the way. So, most communities have nothing to worry about here... then again, if we were in the perfect world, worms wouldn't be a problem at all.
I thought the whole reason worm writers release their creations on the weekend is so they have the best chance to spread before sysadmins wake up and realise what is happening.
Actually, the worm "armed" its attack before it "struck". It infected a large number of machines silently, without much noise, and at the given time, it opened up the fire hoses on the Net.
I haven't heard much mention about this anywhere, but if you graph the attacks (if you had properly configured Snort, for example) you can see the attack curve rise to its maximum in just under 20 minutes.
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
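The poster's point about graphing the attack curve from sensor data is easy to demonstrate. The following is an added example, not code from the thread or from Snort: it buckets constructed, Snort-style-but-simplified alert lines for UDP traffic to port 1434 into per-minute counts and reports how many minutes after the first alert the count peaked. The log format, the timestamps, the addresses and the function names are all assumptions made for this example.

```python
"""Per-minute attack curve from constructed UDP/1434 alert lines.

Added example for the Slashdot thread above; not Snort's own alert format.
The log lines below are constructed for the example.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input: UTC timestamp, protocol, src -> dst:port.
# One tcp/80 line is included to show that unrelated traffic is filtered out.
SAMPLE_LOG = """\
2003-01-25T05:29:58Z udp 10.0.0.5:1212 -> 10.0.1.9:1434
2003-01-25T05:30:03Z udp 10.0.0.5:1212 -> 10.0.1.10:1434
2003-01-25T05:30:41Z udp 10.0.0.5:1212 -> 10.0.2.7:1434
2003-01-25T05:31:02Z udp 10.0.0.7:2040 -> 10.0.3.1:1434
2003-01-25T05:31:05Z tcp 10.0.0.8:3344 -> 10.0.3.1:80
2003-01-25T05:31:30Z udp 10.0.0.7:2040 -> 10.0.3.2:1434
2003-01-25T05:31:31Z udp 10.0.0.9:1111 -> 10.0.3.3:1434
2003-01-25T05:32:00Z udp 10.0.0.9:1111 -> 10.0.4.1:1434
2003-01-25T05:32:10Z udp 10.0.0.11:1500 -> 10.0.4.2:1434
2003-01-25T05:32:20Z udp 10.0.0.12:1501 -> 10.0.4.3:1434
2003-01-25T05:32:30Z udp 10.0.0.13:1502 -> 10.0.4.4:1434
2003-01-25T05:32:40Z udp 10.0.0.14:1503 -> 10.0.4.5:1434
2003-01-25T05:33:10Z udp 10.0.0.14:1503 -> 10.0.5.1:1434
2003-01-25T05:33:50Z udp 10.0.0.15:1504 -> 10.0.5.2:1434
"""

# Constructed line format: "<ISO-8601 UTC> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z (udp|tcp) (\S+) -> (\S+):(\d+)$"
)


def parse_line(line):
    """Return (timestamp, proto, dst_port) for one line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(
        tzinfo=timezone.utc
    )
    return ts, m.group(2), int(m.group(5))


def per_minute_counts(lines, proto="udp", port=1434):
    """Count matching alerts per one-minute bucket (Counter keyed by minute)."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the run
        ts, p, dport = parsed
        if p == proto and dport == port:
            counts[ts.replace(second=0, microsecond=0)] += 1
    return counts


def attack_curve(text, proto="udp", port=1434):
    """Sorted list of (minute ISO string, count) suitable for plotting."""
    counts = per_minute_counts(text.splitlines(), proto, port)
    return [(minute.isoformat(), counts[minute]) for minute in sorted(counts)]


def time_to_peak(counts):
    """Return (peak minute, whole minutes elapsed since the first bucket)."""
    if not counts:
        return None, None
    first = min(counts)
    # max() over minutes ordered by count; ties resolve to the earliest minute
    peak = max(sorted(counts), key=lambda minute: counts[minute])
    return peak, int((peak - first).total_seconds() // 60)


if __name__ == "__main__":
    for minute, n in attack_curve(SAMPLE_LOG):
        print(f"{minute} {'#' * n} ({n})")
    peak, minutes = time_to_peak(per_minute_counts(SAMPLE_LOG.splitlines()))
    print(f"peak at {peak.isoformat()}, {minutes} minutes after first alert")
```

On the constructed data the curve rises over four minutes and falls off; on a real sensor feed the same bucketing, pointed at the worm's actual destination port, is what produces the steep rise the poster describes, and the time-to-peak figure is the number an incident responder would want in the first report.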
They are the ones that *propagate* this crap. This includes most any other 'known' virus/worm/trojan.
While I agree Microsoft's track record is not good, no one is perfect.
Especially in this case as there WAS a fix.. just no one bothered to apply it. So you can't blame the messenger this time. ( and yes they should have applied the patch unilaterally which IS unacceptable, but again many many people didn't, and are equally to blame for the massive troubles.. )
Yes there are *plenty* of other times you can blame Microsoft, but then again, you can *blame* other organizations ( OSS too ) as well for missing a hole out of potentially millions of lines of code.
Just be realistic, bashing one company isn't going to help any. ( and no I'm not a Microsoft fan, I'm just smart enough to see who is to blame. )
( oh, and I'm not saying don't crucify the writers of such things. They should all be strung up, right beside the spammers )
---- Booth was a patriot ----
They (MS) know better than anyone that applying an SQL Server hotfix is a royal pain in the ass. They just modified the initial Slammer vulnerability patch so that it has an installer. Before that you had to stop the server, backup the files, copy the new files manually into their respective directories, and then run a couple of queries in the query analyzer.
This and MS's reputation for having to patch patches (sometimes 2 or 3 times) is why people don't jump at the chance to apply one of those damn things. It took this incident for them to make installing a simple SQL Server hotfix less than a 25 minute job.
I also downloaded SP3 4 times and every time I tried to run setup, I got a "setupsql.exe cannot be found" error. I STILL don't have SP3 on my SQL server, but it's firewalled anyway so I'm not totally naked.
Dissolve... Resolve... Evolve...
In the 1970's there was a widely reported case, where a Ford Pinto was hit in the back, and the gas tank exploded
the Pinto should be designed to not explode, even if hit with criminal recklessness.
The Pinto exploded because the gas tank was outside the frame, thus unprotected. A county in Texas is suing Ford because they lost 20 officers in collisions with said officers' police cruisers. Some of these collisions were in excess of 50 mph.
If you hit a car hard enough, it will pop the gas tank. It doesn't matter what you do - you can still detonate the gas tank. Every major manufacturer has known since 1972 that the safest place for a fuel tank is inside the frame just forward of the rear axle. This won't save you every time, but it does constitute reasonable diligence.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
While some Asynchronous Transfer Mode networks were undoubtedly affected, the worm did in fact put many automatic teller machines out of commission. This was widely reported in the mainstream media (after all, most people don't know that ATM has more than one meaning...)
http://www.washingtonpost.com/wp-dyn/articles/A43
Like other posters said, this does happen with Linux, but not as much. There are reasons why.
Many good Open Source projects will usually separate their releases into two branches: stable and experimental. For example, in the Linux kernel, if the second number is even (x.2.x or x.4.x), then it is a "stable" release. If the second number is odd (x.3.x or x.5.x), then it is an experimental release.
Most of the time new features are only put in the experimental release. There are features officially classified as experimental in the stable release, but you can only use them (or even see them) if you check the "prompt for development or incomplete drivers" option. There have been mishaps where a feature was added in the middle of a stable release and caused problems. One such example is the changes to the virtual memory system in about 2.4.4.
Another reason this doesn't happen as often is many of the serious open source programmers do everything they can to prevent/fix bugs and are paranoid about security. Microsoft doesn't seem to care. When I run win98, there are always system crashes, settings being changed when I don't want them to, unstable programs (which are supposedly being made by professional companies) making other programs/the whole system unstable.
In Linux, these problems are virtually nonexistent. I haven't seen many programs which will bring Linux down, and most of those don't crash the kernel. A buggy SVGAlib[1] program will either screw up the video or screw up the keyboard and disable virtual console switching[2]. XFree86 doesn't have this problem. Most buggy programs in X don't seem to affect it at all--there are problems such as X crashing with huge font sizes, but the main system was running fine. I just had to restart X. A misconfigured X may screw up the display, but most of the time I can use Ctrl-Alt-Backspace to kill X, display restores, and I fix the problem. Also, when Ctrl-Alt-Delete still works, it will properly shutdown the system--unlike Windows.
Linux/open source has problems, but Microsoft has many more. In my twenty some years of using computers, I haven't seen anyone produce crappy software like Microsoft--except for script kiddies and the low end of shareware programmers.
They do have project leaders and others who verify the patches. Open source projects don't accept just any old patch--there is a process of reviewing and testing submitted patches. This also varies from project to project. Some maintainers will just slap in anything, but the maintainers of very good and stable projects will try to understand what the patch is doing before even testing it out. It is a very long and arduous process to get a patch for a new feature into something like the Linux kernel. There are plenty of such patches floating around. For example, Openwall Linux is a kernel patch that adds security features. From what it sounds, it may never get into the official kernel...
An OS is the most fundamental part of the software. Any bug in the OS will often cause major problems everywhere. As to an OS being more complicated, it depends on the system and what you choose to define as the OS. Some people consider only the kernel/core part as the OS, and others include "essential" libraries--the definition of essential can vary greatly. Still some others include basic utility programs part of the OS.
Any change in a project can cause a new bug, but as I said, they review and test the patches, so this doesn't happen as much as you seem to think it would. The problem with Microsoft bug fixes is they don't seem to test their changes very well, and they often bundle new (and possibly unwanted) features/modifications with these fixes. These features/mods may have bugs or cause other problems. The high-end open source projects shy away from this practice. That is why they have a different branch marked experimental (or unstable)-- people who want to test (or use) the bleeding edge features can do so without affecting the stable branch.
Footnotes:
[1] SVGAlib is a library which allows a program to draw graphics on the screen with a virtual console. This library is dangerous because it requires the program to run as root (often suid root, which means any user will have root access with the program until the program drops privileges). The framebuffer is slightly safer because it is a kernel driver and you don't have to run it as root. Both of these can easily leave the video card in a messed up state if the program doesn't use them properly.
[2] The virtual console is a part of the Linux kernel which handles the video display. In Linux there are multiple of these virtual consoles, and one can switch between them freely using the Alt key plus the arrows/function keys. Alt+F1 will switch to virtual console #1, Alt+F2 to #2, and so on. A problem arises if a program sets raw keyboard mode (such as many SVGAlib/framebuffer programs do) as this disables the kernel from recognizing an Alt+function key as a request to change consoles.
There are also a number of firms that park domains who have thousands of generic pages running IIS.
The monthly Netcraft survey analyzes the results, and accounts for statistical oddities, like the months where one particular provider was waffling back and forth between Apache/IIS and causing a large skew in the numbers.
The fact remains, however, that Apache had a foothold long before IIS was unleashed to the Internet, has had a wider base of testers and more high-end applications than IIS. Whether or not the Netcraft numbers are accurate to within 2% or 5%, they do reflect an accurate picture of the state of the web, closer than any other survey has ever been, and as such are the most respected source of statistical web server data. But by all means, if you can show me a better source than Netcraft who disclose their methods, I'm all ears.
BD Phone Home!
Shameless plug. Like you weren't expecting it.
If it WAS let out during business hours, would it have gotten so far? Would it have caused much damage at all? Considering how quickly it could spread, I should say so.
It's not the size of your .sig that matters, it's how you use it.