Slashdot Mirror


When Will The Next Slammer Strike?

scubacuda writes "Business Week has an article on how the Slammer worm demonstrates just 'how vulnerable the Internet remains': MS's own DBs were affected, telephone/ATM/etc were knocked out, and if the worm had occurred only 48 hours later (preventing investors' trading, 911 calls, banking services), there could have been a 'virtual Net shutdown.' Vincent Weafer, director of the computer-security outfit Symantec's Anti-Virus Response Center (SARC), says that the likelihood that a Slammer-style worm will hit at a more vulnerable moment is high."

40 of 408 comments

  1. Re:Could someone explain... by Anonymous Coward · · Score: 1, Insightful

    Well, I assume an ATM must be hooked up to the bank's NETWORK... how else would it be able to tell how much money is in the account? And somewhere on the network, it's probably connected to the internet.

  2. Re:Government Funding of Security/Virus Prevention by utdpenguin · · Score: 0, Insightful
    It IS available for free.

    Click here

    --
    In Soviet Russia you don't have to put up with these crappy jokes
  3. Incompetent people. by DJ+Rubbie · · Score: 3, Insightful

    If people at least patched their systems, things like this should never happen, but Microsoft should have made that secure in the first place to prevent this from happening. Face it, if someone can create a worm somehow causing all hosts/computers connected to send out 300-odd bytes to any random port on any random IP every millisecond or so, the net itself will be full of noise.

    Or you can just physically locate all the major routers/backbone of the net and somehow disable it, physically... yeah, you, get up and demonstrate how vulnerable the net is!

    --
    Please direct all bug reports to /dev/null
  4. Two ways of "solving" this problem . . . by aaronhurd · · Score: 5, Insightful

    In my opinion, there are two ways that people will react to the problem of exploits in computer software:

    In the short term, I expect that the most recent attack will provide a huge sales boost to pre-packaged "security solutions" like firewalls, virus protection, etc. and will probably be used as an extra card that the government can play when arguing for implementing a comprehensive Internet monitoring system. Of course, both of these things are unfortunate, as neither one promotes security and the latter gives the government way too much power . . .

    Long term, the best protection against exploits in computer software is a shift in attitude about where software companies should place their priorities. At present, it is more lucrative for companies to push a piece of software out the door and sell upgrades than to spend extra time developing secure software. Only a strong fiscal mandate from corporate customers will change the way software companies do business . . . and I hope that mandate comes soon.

  5. Monocultures by SonOfSengaya · · Score: 2, Insightful

    It's just the problem of monocultures! Nothing less and nothing more...

    --
    My spirit takes a journey through my mind...
  6. Internet not vulnerable by EelBait · · Score: 2, Insightful

    It isn't the Internet that is vulnerable, it is Microsoft products which are vulnerable. Those products in turn affect other systems due to the sheer number of computers running MS products. Start holding MS accountable for the bugs in their products and everyone benefits.

  7. Re:Government Funding of Security/Virus Prevention by Scarblac · · Score: 3, Insightful

    I think we ought to make virus-protection code public and government funded.

    That doesn't help with new viruses, like the one this story is about.

    The problem is with patching. People don't install the available security patches. This problem had been known about for half a year.

    And some people refuse to install Microsoft's newer service packs, because of the changed license on them, which has some pretty gross clauses in it. I think that's almost criminal behavior by MS - "yes, we fixed the fatal bug in the software we licensed to you, but to get the patch you have to agree to some new random clauses - say, give us full access to your computer".

    On the other hand, if they had that full access, I think that at least their service packs would be installed, and these attacks wouldn't be so successful.

    But I'll just stick with Linux, myself :-)

    --
    I believe posters are recognized by their sig. So I made one.
  8. Free AntiVir and TinyFirewall by Anonymous Coward · · Score: 1, Insightful

    There is no excuse for *not* running virus scanners and firewalls, since these things are free and they actually work very well.

  9. Microsoft products aren't for internet use by bkontr · · Score: 5, Insightful

    MS products are too buggy for the internet. Even when MS comes out with patches, sysadmins are extremely reluctant to apply them (even at Microsoft) in fear that the patch will cause more problems (i.e. BSOD) than it fixes. Remember Microsoft got hit by Slammer hard because it didn't install its own patches. Was Microsoft waiting for customers to beta test their software before they even tried it themselves??? Plus the MS SQL server is not the only MS product that Slammer can infect......when are people going to hold Microsoft accountable for its lack of security and general poor coding??

    --


    "You helped our nation celebrate its bicentennial in 17 -- 1976." --George W. Bush, to Queen Elizabeth, Wash
  10. Re:Could someone explain... by blibbleblobble · · Score: 2, Insightful

    Could someone also explain why releasing the same virus on a weekday would have blocked access to 911?

    Sounds a lot like unfounded scaremongering by people who should know a lot better to me. 911 not only runs on a separate network (telephone != internet), but is just as busy on a Saturday (if not more so) than weekdays.

    In fact, sounds like the Mitnick fiasco, where any knowledge tangentially-related to the 911 system was assumed to have the power to prevent emergency calls from getting through.

    How can journalists make such claims without losing their jobs?

  11. Re:This is nothing yet by travail_jgd · · Score: 4, Insightful
    Damage would be much worse if these things started cleaning hard drives after the action (yeah yeah, backups - just like all your databases always have the latest patches, right?)

    I would think that damage would be worse if the worm just sat quietly for a few weeks (or even months), slowly corrupting data in the database. At that point, backups may not be usable; at some point either the last backup media has been recycled, or new entries to the database would be too expensive to re-enter.

    A "stealth" worm, whose primary focus is remaining undetected rather than consuming huge amounts of resources would be a lot more devastating than an obvious one.
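
Comment 11 above argues that a worm which corrupts data slowly is worse than one that wipes disks, because by the time anyone notices, every backup generation carries the same corruption. The check a practitioner would want is a per-row content manifest stored with each backup generation and diffed against the application's own audit trail, so a row that changed with no recorded business reason surfaces within one backup cycle rather than months later. The block below is an added example, not code from the page or from any product it mentions; the accounts table, the audit-log ids and the row format are all constructed for the illustration.

```python
import hashlib
import json


def row_digest(row):
    """Stable SHA-256 of one row's content (key order normalised so that
    the same data always hashes the same way)."""
    return hashlib.sha256(json.dumps(row, sort_keys=True).encode()).hexdigest()


def manifest(table):
    """{row_id: digest} for a whole table. Store this beside every backup
    generation (ideally on the offline media, not in the database itself)."""
    return {rid: row_digest(row) for rid, row in table.items()}


def unexplained_changes(old_manifest, new_manifest, audited_ids):
    """Rows whose content differs between two generations but which the
    application's own audit trail does not account for.

    Returns a sorted list of (row_id, kind) with kind in
    {"modified", "added", "deleted"}.
    """
    findings = []
    for rid in old_manifest.keys() | new_manifest.keys():
        if rid in audited_ids:
            continue  # the application recorded a reason for touching this row
        if rid not in new_manifest:
            findings.append((rid, "deleted"))
        elif rid not in old_manifest:
            findings.append((rid, "added"))
        elif old_manifest[rid] != new_manifest[rid]:
            findings.append((rid, "modified"))
    return sorted(findings)


# Constructed sample: an accounts table as backed up last week and today.
LAST_WEEK = {
    "acct-1001": {"owner": "alice", "balance_cents": 125000},
    "acct-1002": {"owner": "bob", "balance_cents": 4200},
    "acct-1003": {"owner": "carol", "balance_cents": 987600},
}
TODAY = {
    "acct-1001": {"owner": "alice", "balance_cents": 125000},
    "acct-1002": {"owner": "bob", "balance_cents": 4100},      # withdrawal, audited
    "acct-1003": {"owner": "carol", "balance_cents": 978600},  # digits swapped, no audit entry
    "acct-1004": {"owner": "dave", "balance_cents": 0},        # new account, audited
}
# Row ids the application's audit log says were legitimately touched this week
# (constructed; a real check would read these from the audit table).
AUDIT_LOG_IDS = {"acct-1002", "acct-1004"}


def weekly_check():
    """Diff this week's manifest against last week's and drop audited rows."""
    return unexplained_changes(manifest(LAST_WEEK), manifest(TODAY), AUDIT_LOG_IDS)


if __name__ == "__main__":
    for rid, kind in weekly_check():
        print(f"UNEXPLAINED {kind}: {rid}")
```

The digest manifest is tiny compared with the data, so it can live on the same offline media comment 24 asks for; the one thing it cannot detect is corruption introduced through the application's own write path with a matching audit entry, which is why the audit log and the manifest should be stored separately from the database host.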
  12. Likelihoods by Neophytus · · Score: 4, Insightful

    Likelihood there will be another one: very high
    Likelihood that it will affect a Microsoft product: pretty high
    Likelihood that it will exploit a flaw that was fixed the summer before: almost certain

    As far as I'm concerned, those with low-maintenance co-located servers should pay more attention to security bulletins, so that when a major patch does come out they can fix it; then when something does hit their several-year-old computer it won't be thrashed to death by modern worms.

  13. Re:Could someone explain... by DJayC · · Score: 5, Insightful

    It is unclear in the article if they mean ATM as in bank ATM's, or ATM as in asynchronous transfer mode networks. I'm sure the author doesn't even know in which context ATM is used.

    Just a thought *shrugs*

  14. Re:Evolution ? by utdpenguin · · Score: 1, Insightful

    If these occur every 6 months because people stop caring after this time, then how is it that this worm used a vulnerability that could have been fixed 6 months ago when, according to your theory, everyone would have been hyper-aware of the worm threat? Unless each new worm takes advantage of a very new vulnerability, your theory is crap.

    --
    In Soviet Russia you don't have to put up with these crappy jokes
  15. Time to hold M$ Accountable. by BigBlockMopar · · Score: 5, Insightful

    The same MS that didn't apply their *own* patches ?!?

    The problem that I have is, even though I don't run any Microsoft software, their incompetence keeps on screwing me around and costing me productivity.

    I get hundreds of e-mail virii per day, owing partially to incompetent users, but also partially to incompetent Outlook programmers.

    At the height of Code Red, I was getting hundreds of hits per day to my webserver.

    That last worm effectively shut down portions of the Internet.

    Now, here's the problem. If I'm driving down the road, and a Hyundai's brakes fail and cause it to run a red light and plow into the side of me, it'll piss me off, but it's a quirk, and shit happens.

    If, every couple of months, a Hyundai's brakes fail and I get hit, pretty soon, I'll start to get very pissed off, not just with the idiots who drive Hyundais, but also with Hyundai itself.

    This has gotten to be utterly ridiculous. We have to find some way of holding Microsoft accountable for their fucking ineptitude.

    --
    Fire and Meat. Yummy.
    1. Re:Time to hold M$ Accountable. by ejaw5 · · Score: 4, Insightful

      That's a great analogy..I'll add this though:
      Investigations from the NTSB and all will force Hyundai to recall all their affected cars and fix the brake problem. Don't expect such actions against Microsoft.

      --

      $cat /dev/random > Sig
    2. Re:Time to hold M$ Accountable. by Anonymous Coward · · Score: 2, Insightful

      Guess what? If 90% of the cars on the road are "Hyundais", then you are going to get hit by Hyundais more often than any other car.

    3. Re:Time to hold M$ Accountable. by Anonymous Coward · · Score: 1, Insightful

      That's a terrible analogy. Don't forget, the systems aren't just mysteriously breaking. People are very actively researching vulnerabilities in Microsoft products. It doesn't take much to cut brake lines, but I don't see anyone recalling cars because of it.

  16. Re:Government Funding of Security/Virus Prevention by mpe · · Score: 2, Insightful

    And some people refuse to install Microsoft's newer service packs, because of the changed license on them, which has some pretty gross clauses in it.

    There's also the problem that a "service pack" might alter things you didn't want to change in the process of fixing any bugs.

  17. Re:Government Funding of Security/Virus Prevention by Istealmymusic · · Score: 2, Insightful

    I run a FreeBSD server for serving Windows users through Samba, and occasionally an infected Windows box drops malicious emails and exes all over my shared filesystem. You Unix zealots seem to brag about BSD not being as susceptible. Need I remind you of Slapper, which only infected Linux/Apache machines, but the same vulnerability existed on any system running Apache. What we (or at least, I) need is a Unix-based virus scanner that can prevent the spread of viruses for all platforms.

    --
    "The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare
  18. The eggbasket is pretty full already by DrSkwid · · Score: 2, Insightful

    1. Put eggs in Microsoft basket
    2. ????
    3. Loss

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  19. Re:Government Funding of Security/Virus Prevention by MattC413 · · Score: 2, Insightful

    Yes, but once people hear about "government software", the most likely reaction will be the tinfoil hat style response. Granted, the source will be public, but will Joe Undergrad or Jane TA trust the government enough to have government software on their machine while they are out protesting against the possibly imminent Iraqi war?

    People don't like the government to butt into their lives (unless it directly benefits them). Unless the project was funded by the government but in the hands of another body, I don't see it going anywhere.

    -Matt

  20. Hrm by Isbiten · · Score: 2, Insightful

    Who's to blame: MS, for making patches that sometimes make things worse, so that most sysadmins wait a while before installing patches?

    Or is it all those sysadmins who didn't install the patch because of annoying reboots and problems with the new patch?

    --
    I fought the corporate America, and the corporate America bought the law.
  21. Re:Government Funding of Security/Virus Prevention by muzzmac · · Score: 2, Insightful

    Most Virus products couldn't have stopped Slammer. It never wrote to disk. It needed to do something different again.

    I think some more thought about how we build and patch software needs to happen.

    Virus scanners are a crutch.
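
Comment 21 above makes the point that a worm which never writes to disk gives a file scanner nothing to inspect. What such a worm does leave behind is the traffic profile comment 3 describes: one fixed-size datagram fired at a great many random addresses in a very short time, which is visible in flow records even when the host itself is not being watched. The block below is an added example, not code from the page or from any product named in it, showing how that profile can be flagged from UDP flow records. The records, the destination port, the payload size and the thresholds are all constructed for the example and are not taken from any advisory.

```python
import bisect
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpRecord:
    ts: float     # seconds since start of capture
    src: str
    dst: str
    dport: int
    length: int   # UDP payload bytes


def find_udp_scanners(records, window=1.0, min_fanout=50, same_size_ratio=0.9):
    """Flag sources that, inside any `window` seconds, reach at least `min_fanout`
    distinct destinations with datagrams of (almost) one fixed size.

    Returns {src: (peak_fanout, dominant_payload_length)}. The thresholds are
    assumptions chosen for this example.
    """
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec.src].append(rec)

    flagged = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r.ts)
        times = [r.ts for r in recs]
        for i, rec in enumerate(recs):
            # Every record from this one up to (but excluding) ts + window.
            j = bisect.bisect_left(times, rec.ts + window, lo=i)
            chunk = recs[i:j]
            fanout = len({c.dst for c in chunk})
            if fanout < min_fanout:
                continue
            size, count = Counter(c.length for c in chunk).most_common(1)[0]
            if count / len(chunk) < same_size_ratio:
                continue  # many sizes: real traffic, not one replayed payload
            best = flagged.get(src)
            if best is None or fanout > best[0]:
                flagged[src] = (fanout, size)
    return flagged


def build_sample():
    """Constructed flow records, not a real capture."""
    recs = []
    # Worm-like host: 120 identical 400-byte datagrams to 120 hosts in 120 ms.
    for i in range(120):
        recs.append(UdpRecord(0.001 * i, "10.0.0.7", f"203.0.113.{i + 1}", 9999, 400))
    # Busy but benign: 200 DNS queries to one resolver, varying sizes.
    for i in range(200):
        recs.append(UdpRecord(0.02 * i, "10.0.0.20", "10.0.0.53", 53, 40 + i % 30))
    # Benign fan-out: 30 destinations spread over 30 seconds, varying sizes.
    for i in range(30):
        recs.append(UdpRecord(1.0 * i, "10.0.0.21", f"198.51.100.{i + 1}", 5060, 200 + i))
    return recs


if __name__ == "__main__":
    for src, (fanout, size) in find_udp_scanners(build_sample()).items():
        print(f"{src}: {fanout} destinations in one window, payload {size} bytes")
```

Fan-out per second is the discriminator rather than packet count: the resolver-bound host sends more datagrams than the worm-like one but only ever to one address, and the host with thirty destinations spread over thirty seconds never crosses the threshold inside a single window. The same logic runs unchanged over NetFlow or a pcap reduced to (time, src, dst, port, length) tuples.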

  22. Re:Release Good worms to do the patching.. by Zone-MR · · Score: 2, Insightful

    Hmmm, remember these 'bad' worms do nothing but spread, clogging up bandwidth, causing a massive DDoS attack on the entire internet.

    So, you want to release a 'good' worm to do just that with the exception of closing the toilet seat behind it? I think not.

  23. Regulation by kahei · · Score: 4, Insightful


    Thing is, we're dealing with an industry (the IT industry) that does not have the safety regulations and standards common in older sectors. There is no standard saying what steps must be taken to prevent your own systems damaging others, and no regulatory body to enforce compliance. Worms like this are creating a pressure to bring IT into line with the more, hm, predictable business areas.

    Over time, IT, like other industries, will move toward public safety standards such as we see in transport, manufacturing, finance, and all those *boring* businesses. It's a necessary part of the evolution of this industry from backrooms to ubiquity, I guess.

    In 20 years time we'll probably see the government fining companies that don't patch their servers to a certain standard, just like we see airports and tire makers being fined now.

    This just reinforces what I've been thinking for a while now... time to move away from IT itself and into IT law/management/business...

    --
    Whence? Hence. Whither? Thither.
  24. Film at 11! by kisrael · · Score: 2, Insightful

    Death of the Internet! Film at 11!

    For all the publicity it gets, and tons of anecdotes that slammer really threw some places for a loop, it does seem that the system is pretty robust.

    But OFFLINE BACKUPS seem to be more and more of a must. Slammer didn't have much of a payload, but something like this could, and any system you're responsible for had better have plans...

    --
    SO YOU'RE GOING TO DIE: The Comic for Dealing with Death
  25. The scariest part by Ogrez · · Score: 2, Insightful

    Is that sometimes, it's safer to wait to implement Microsoft patches and take your chances with a worm/virus...
    As an NT admin, I have to look at the odds... A worm might take down my operation; frequency is about once every 3-4 months. Whereas I KNOW that half of the security patches will screw things up, and with new patches released about every week, I usually try to wait at least 2 weeks (a month if possible) before I apply any patches from MS.

    --


    Fire in the hands of the village idiot is no tool, but a weapon of mass destruction
  26. Re:Could someone explain... by Anonymous Coward · · Score: 5, Insightful

    My assumption was that they were talking about ATM (Asynchronous Transfer Mode). Many ATM networks were significantly hurt by this because routers and switches that utilize SVCs kept building and rebuilding circuits.

    The whole point of this problem can be simplified to bad code and bad base installs. I keep hearing people say it's not MS's problem. I work with a wide variety of products in the networking (L2 & L3+ WAN) and systems world. Any one of the vendors that I deal with would lose serious market share if their products were found to be vulnerable to something like this and they simply patched it but didn't change the base install to be "secure".

    Let's start by taking an example of a comparable product -- postgreSQL. We all know that a recent patch to this product fixed a possible remote exploit. Certainly the bug shouldn't have been there and it was something that should be patched. However, the point is that the postgreSQL base install doesn't even allow remote connections. In fact, the config file tells you that without remote connections allowed, it's still probably a liberal configuration that should be locked down more.

    I'll buy that MS has a large market share and that occasionally something will get through the normal protections; however, the base installs should be locked down. Why aren't they? It's a question that is very simple to answer.

    MS sold the Internet community a grand story. In this story, running a server is a simple task that anyone can do. For this story to be believed, they have to have the base install do everything out of the box without any special configuration which might require a real administrator, dba, network design specialist, etc. If the products were actually locked down like they should be (like most of the competing products are), MS would have a bigger job in support calls because 80% of the non-administrators that work with MS platforms would be ill-equipped to handle the proper configuration of the server to get it to work.

    I have a product that I use on linux that was written with this kind of security in mind. The config file is riddled with lines like: die "you didn't go through your config file!". If you don't completely configure the product, it keeps dying on startup. This is how products should be released--locked down and set to die if the configuration is not explicitly setup by the admin with them being aware of the dangers to each option they set back on.

    I also hear a lot of people complaining that people didn't install the patches; I again go to the point of the base install. If the product's base install were locked down, far fewer databases would have been open even if they were unpatched. Seriously, let's be reasonable, why should an SQL server open ports by default to anything except maybe 127.0.0.1? Many databases now only need one or two subnets open anyway, since their database interaction goes on with an application server (often a web server) which serves as the db client for the users anyway, and quite a few databases on the lower end systems (where most of the sysadmins who don't know how to lock things down are) reside on the same box as the app services.

  27. From the article... by caluml · · Score: 3, Insightful

    "Banking services, which encrypt their data traffic over the public Internet, might have ground to a halt."

    Sheesh. If you use VPNs over the internet, you're getting WAN connectivity and 95+% reliability on the cheap. But it's a trade off.

  28. Re:Government Funding of Security/Virus Prevention by Blkdeath · · Score: 4, Insightful
    Public source code for software that is designed to protect isn't a great idea IMO. Would you want your home security system, complete with sensor locations, schematics, etc. posted in a book on your front porch?

    Have I stepped out of Slashdot and into some kind of parallel universe where open source doesn't exist?

    The schematics for my firewall and all public daemons ARE available, some of them even "at my front door".

    Publicly available anti-virus and firewall software would be great (source code withheld), but then you run into the same problem MS has. Huge user base = greater draw to those looking to undermine the software = more security issues.

    So there are twice as many Apache vulnerabilities as IIS vulnerabilities? And don't give me that "there are more Windows users ... " excuse. If you want to affect the WWW at large, you attack that which comprises more than half the entire WWW, that being Apache. Were your logic correct, there would be a plethora of Apache vulnerabilities. The fact remains that a quality codebase, rather than a small userbase, defines the relative security of a product.

    Nice troll, though. It looked really sincere.

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  29. Is Exchange Server next?? by dazau · · Score: 2, Insightful

    Following the IIS and SQL server worms, Exchange Server could be the next target. I predict this will happen within the next 6 months. The patches are probably out already but as per the last two worms, many Windows admins will fail to install the patches no matter how easy/difficult/risky they are to implement. As email is the current "killer" app on the net for business, this will create the greatest amount of havoc that we've seen to date.

  30. When will companies spend money on security? by supabeast! · · Score: 2, Insightful

    If corporations are really interested in protecting themselves, they should stop slashing IT budgets and downsizing engineers. Security goes downhill fast when the techies are too busy to keep servers patched, and nobody is watching for idiots sticking database servers outside the corporate firewall.

    Every company with an internet-enabled IT infrastructure needs to have a dedicated sysadmin AND a dedicated security admin. If a company can't afford two full-time geeks to keep things secure, then they need to outsource server hosting to a secure facility.

  31. Re:Microsoft Responsible..... by mangu · · Score: 2, Insightful
    The writer committed a deliberate and criminal act.


    If the consequences could have been avoided by simple and reasonable practices that everyone else in the industry but Microsoft follow, then it doesn't matter if the worm writer was a criminal or not. What you are saying is that the tyre blew out because some kid threw a stone in the car's path. Firestone is still responsible, not the kid.


    In the 1970's there was a widely reported case, where a Ford Pinto was hit in the back, and the gas tank exploded, killing the people in the car. Ford was sued and lost, about $100 million, IIRC, in damages. The case was not about who was right or wrong in the accident, maybe that driver who hit the Pinto was driving dangerously, but the Pinto should be designed to not explode, even if hit with criminal recklessness.

  32. Automated patch deployment systems by GlenRaphael · · Score: 3, Insightful
    In the short term, I expect that the most recent attack will provide a huge sales boost to pre-packaged "security solutions" like firewalls, virus protection, etc.

    Also, companies with hundreds or thousands of machines to administer will probably start buying large-scale third-party automated patch deployment systems. A system like Everguard or Patchlink or Bigfix will let you know where there are unpatched vulnerabilities on your network, help you patch them, and check that they've been patched.

    Most of these systems are cross-platform and at least one uses a linux-based server.

    --
    I play Nerd-Folk!
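
Comment 32 above describes what a patch deployment system is for: knowing which hosts are below the required build, and checking afterwards that they actually got there. Comments 34 and 35 add the twist that a later patch can roll an earlier fix back, so a one-time "was it installed" check is not enough; the inventory has to be compared against the previous run as well. The block below is an added example of that audit, not code from the page or from Everguard, Patchlink or Bigfix; the inventory lines, product names and build numbers are constructed placeholders.

```python
# Constructed inventory snapshots (not output of any real product), one host
# per line, as an agent or a login script might report them.
PREVIOUS_SNAPSHOT = """\
host=db01 product=dbserver version=4.2.7
host=db02 product=dbserver version=4.2.7
host=db03 product=dbserver version=4.1.9
host=app01 product=webserver version=2.0.3
"""

CURRENT_SNAPSHOT = """\
host=db01 product=dbserver version=4.2.7
host=db02 product=dbserver version=4.2.5
host=db03 product=dbserver version=4.1.9
host=db04 product=dbserver version=4.2.10
host=app01 product=webserver version=2.0.3
host=web02 product=webserver version=1.9.12
"""

# Lowest build that carries the fix, per product (hypothetical numbers).
REQUIRED = {"dbserver": "4.2.7", "webserver": "2.0.3"}


def parse_version(text):
    """'4.2.10' -> (4, 2, 10), so 4.2.10 compares above 4.2.7.
    A plain string comparison would get that wrong."""
    return tuple(int(part) for part in text.split("."))


def parse_inventory(text):
    """{host: (product, version_tuple)} from key=value lines."""
    hosts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        hosts[fields["host"]] = (fields["product"], parse_version(fields["version"]))
    return hosts


def audit(current, previous, required):
    """Classify every host in the current snapshot:
      'ok'         at or above the required build
      'unpatched'  below it
      'regressed'  below it AND lower than last time (a later patch undid the fix)
      'unknown'    no required build recorded for this product
    """
    report = {}
    for host, (product, version) in current.items():
        if product not in required:
            report[host] = "unknown"
            continue
        if version >= parse_version(required[product]):
            report[host] = "ok"
            continue
        prev = previous.get(host)
        if prev is not None and prev[0] == product and version < prev[1]:
            report[host] = "regressed"
        else:
            report[host] = "unpatched"
    return report


if __name__ == "__main__":
    result = audit(parse_inventory(CURRENT_SNAPSHOT),
                   parse_inventory(PREVIOUS_SNAPSHOT), REQUIRED)
    for host, status in sorted(result.items()):
        if status != "ok":
            print(f"{host}: {status}")
```

The "regressed" state is the one worth paging on: a host that was compliant last week and is not this week has had something installed on top of the fix, which is exactly the failure mode the thread is complaining about.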
  33. Re:Hold Users and Admins Accountable by silas_moeckel · · Score: 2, Insightful

    Isn't it more important that MS SQL Server shouldn't be exposed to the internet directly in the first place? There are no public SQL servers that I can think of, and no reason for them besides maybe some open testing and compatibility public labs. Port filtering isn't a panacea, but it's the second line of defence (after egress filtering by everybody). There is no reason that an SSH port forward or a VPN can't be used; hell, a GRE tunnel with no encryption instead of having it open and on the internet. This is also the case for many other packages; the number of MySQL ports I have seen open is disgusting.

    --
    No sir I dont like it.
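
Two comments above converge on the same engineering point. Comment 26 wants a base install that listens on 127.0.0.1 unless the admin has gone through the config file, with the product dying on startup otherwise; comment 33 wants the database reachable only from the application subnets or over a tunnel, never from the internet at large. The block below is an added example of a startup check that enforces both, not code from the page, from MS SQL Server or from any other product mentioned in the thread. The config keys (`reviewed`, `listen`, `allowed_clients`) and the sample values are assumptions made for the illustration.

```python
import ipaddress


class ConfigError(Exception):
    """Raised when the server must refuse to start."""


# Shipped defaults: loopback only, no remote clients, not yet reviewed.
DEFAULT_CONFIG = {
    "reviewed": False,        # admin flips this only after reading every option
    "listen": "127.0.0.1",    # address the listener binds to
    "allowed_clients": [],    # CIDR ranges of application servers allowed in
}


def validate(config):
    """Return (listen_address, [allowed_networks]) or raise ConfigError.

    Refuses to start until the file has been explicitly reviewed, refuses a
    network-facing listener with an empty client allow-list, and refuses an
    allow-list that amounts to 'everyone' or to a public address range.
    """
    if not config.get("reviewed", False):
        raise ConfigError("you didn't go through your config file! "
                          "set reviewed=true only after reading every option")

    listen = ipaddress.ip_address(config.get("listen", "127.0.0.1"))
    nets = [ipaddress.ip_network(cidr, strict=False)
            for cidr in config.get("allowed_clients", [])]

    if listen.is_loopback:
        return listen, nets  # nothing reachable from the wire; the list is moot

    if not nets:
        raise ConfigError(f"listen={listen} is reachable from the network "
                          "but allowed_clients is empty")
    for net in nets:
        if net.prefixlen == 0:
            raise ConfigError(f"allowed_clients entry {net} means everyone")
        if not net.is_private:
            raise ConfigError(f"allowed_clients entry {net} is a public range; "
                              "reach the server over a VPN or SSH tunnel instead")
    return listen, nets


def startup_error(config):
    """The ConfigError message the server would die with, or None if it may start."""
    try:
        validate(config)
    except ConfigError as err:
        return str(err)
    return None


def client_allowed(config, client_ip):
    """Second line of defence: per-connection check against the allow-list,
    applied even if a packet filter in front of the host was misconfigured."""
    listen, nets = validate(config)
    addr = ipaddress.ip_address(client_ip)
    if listen.is_loopback:
        return addr.is_loopback
    return any(addr in net for net in nets)


if __name__ == "__main__":
    print("default install:", startup_error(DEFAULT_CONFIG))
    reviewed = {"reviewed": True, "listen": "10.0.0.5", "allowed_clients": ["10.0.1.0/24"]}
    print("reviewed install:", startup_error(reviewed))
    print("10.0.1.7 allowed:", client_allowed(reviewed, "10.0.1.7"))
```

The point of failing closed on `reviewed` is the one comment 26 makes: an admin who never opened the file never chose to expose anything, so the product should not choose for them. The allow-list check is deliberately crude (private ranges only); a site that really needs a cross-site client should see the error and reach for the VPN or SSH forward comment 33 describes rather than widen the list.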
  34. Re:Hold Users and Admins Accountable by Fulcrum+of+Evil · · Score: 3, Insightful

    Especially In this case as there WAS a fix.. just no one bothered to apply it.

    It's been mentioned before, but it bears repeating: some subsequent security patches remove the fix.

    Further, Microsoft has a track record of releasing security patches that break or touch unrelated stuff, roll back other fixes, give Bill admin rights on your computer, or just plain hose your box. Because of this (and the volume of patches), keeping up with security on MS boxes is not a task to be taken lightly. You test and test and schedule downtime, and it still bites you. This is the root of this particular thornbush.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  35. Re:Microsoft Responsible..... by singularity · · Score: 2, Insightful

    There is a difference, though. When people hand money over to Microsoft in exchange for a product, that is not only an economic transaction, that is a legal transaction, as well.

    A lot of states require, for example, a minimum amount of time for a customer to be able to return defective merchandise. When the company sells you a product, the company is agreeing to several legal responsibilities.

    When I give you a gift, I am not held legally responsible for that gift (unless the gift is illegal or stolen in the first place).

    With OSS software, there is no exchange of money with the author, so there is a lot less legal groundwork to work with.

    Places like RedHat, though, would be in a difficult situation, since they are selling a product.

    Your point about fixing the bug is an interesting one. Suppose Ford had discovered that there was a problem with the interaction between their tires and their vehicles, and then announced that they would replace the tires in a minor PR release somewhere. Suppose they required you to drive the vehicle to its originating factory (most likely Louisville, KY for Explorers) to be replaced.

    I think the government could argue that Ford did not do the appropriate thing to rectify a known problem.

    I am not too familiar with the MS SQL fix, but apparently it was not only difficult to install, but it was also broken by a later patch. That moves some of the responsibility from the sysadmin back onto Microsoft at that point, I would think.

    So in the end, I think it would be best to hold companies accountable for mistakes they knowingly should have fixed, and made those fixes easy to work with (within reason).

    (And, for factual clarification - most later simulations of the Ford/Firestone tire incidents lead to the conclusion that while the tires blew out more often than normal, and that the Explorer, like almost any SUV, tends to roll over more often than a car, most of the incidents were probably a result of driver error in correcting from a blown tire. Most drivers apparently slammed on the brakes and jerked the steering wheel, which will cause an SUV to roll even without a blown tire).

    --
    - (c) 2018 Hank Zimmerman
  36. Re:patches and rips by StormReaver · · Score: 4, Insightful

    There are several reasons why Linux is not so adversely affected by security patches:

    1) Linux the kernel is distinctly independent from the applications that it runs and from the vast majority of device drivers that it hosts. This is most likely the single most important factor. For example, fixing Apache does not require tampering with the kernel, which in turn does not require tampering with the web browser, which in turn does not require tampering with the task manager, which in turn does not require tampering with the database server. With Windows, changing one area touches every single other part of the entire system, including some very large applications (because they are integrated with the kernel).

    2) Security releases are fast, furious, and focused. Only the affected pieces are replaced. When OpenSSL was compromised by Slapper, only OpenSSL was fixed. The fix didn't have to touch a hundred completely unrelated areas as happens when your entire kit and kaboodle (Windows) is tied together by spaghetti clusters. The fixes are released immediately after the vulnerability is discovered, and the full scope of the fix is detailed (parts are not hidden, as is the case with Windows). And the fixes, if anything was missed the first time, continue until the problem is eradicated.

    3) Full disclosure. The vulnerability is fully disclosed to the user base ASAP, and details provided to allow us to confirm the vulnerability. Since the vulnerable parts of the system are separate and distinct, fixing the individual parts can occur on a continuous basis. That is, not every affected component has to be fixed before other fixed pieces can be distributed.

    Not being a security type person, these are only things I can think of off the top of my head based on my own limited experience.

  37. Re:Hold Users and Admins Accountable by duffbeer703 · · Score: 2, Insightful

    Please shut up. If you make a product easy to set up and administer, don't be surprised when incompetents or people who aren't dedicated IT dorks are responsible for things.

    The problem is poor design. If you design easy to use software, it should be easy to use safely.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK