Slashdot Mirror

← Back to Stories (view on slashdot.org)

When Will The Next Slammer Strike?

Posted by timothy on from the not-to-pick-on-anyone dept.

scubacuda writes "Business Week has an article on how the Slammer worm demonstrates just 'how vulnerable the Internet remains': MS's own DBs were affected, telephone/ATM/etc were knocked out, and if the worm had occurred only 48 hours later (preventing investor's trading, 911 calls, banking services), there could have been a 'virtual Net shutdown.' Vincent Weafer, director of the computer-security outfit Symantec's Anti-Virus Response Center (SARC), says that the likelihood that a Slammer-style worm will hit at a more vulnerable moment is high."

11 of 408 comments (clear)

  1. Two ways of "solving" this problem . . . by aaronhurd · · Score: 5, Insightful

    In my opinion, there are two ways that people will react to the problem of exploits in computer software:

    In the short term, I expect that the most recent attack will provide a huge sales boost to pre-packaged "security solutions" like firewalls, virus protection, etc. and will probably be used as an extra card that the government can play when arguing for implementing a comprehensive Internet monitoring system. Of course, both of these things are unfortunate, as neither one promotes security and the latter gives the government way too much power . . .

    Long term, the best protection against exploits in computer software is a shift in attitude about where software companies should place their priorities. At present, it is more lucrative for companies to push a piece of software out the door and sell upgrades than to spend extra time developing secure software. Only a strong fiscal mandate from corporate customers will change the way software companies do business . . . and I hope that mandate comes soon.

  2. Microsoft products aren't for internet use by bkontr · · Score: 5, Insightful

    MS products are too buggy for the internet. Even when MS comes out with patches sysadmins are extremely reluctant to apply them (even at Microsoft) in fear that the patch will cause more problems (ie BSOD) than it fixes. Remember Microsoft got hit by Slammer hard because it didn't install its own patches. Was Microsoft waiting for customers to beta test thier software before they even tried it themselves??? Plus the MS SQL server is not the only MS product that Slammer can infect......when are people going to hold Microsoft accountable for its lack of security and general poor coding??

    --


    "You helped our nation celebrate its bicentennial in 17 -- 1976." --George W. Bush, to Queen Elizabeth, Wash
  3. Re:This is nothing yet by travail_jgd · · Score: 4, Insightful
    Damage would be much worse if these things started cleaning hard drives after the action (yeah yeah, backups - just like all your databases always have the latest patches, right?)

    I would think that damage would be worse if the worm just sat quietly for a few weeks (or even months), slowly corrupting data in the database. At that point, backups may not be usable; at some point either the last backup media has been recycled, or new entries to the database would be too expensive to re-enter.

    A "stealth" worm, whose primary focus is remaining undetected rather than consuming huge amounts of resources would be a lot more devastating than an obvious one.
  4. Likelihoods by Neophytus · · Score: 4, Insightful

    Likelihood there will be another one: very high
    Likelihood that it will affect a Microsoft product: pretty high
    Likelihood that it will exploit a flaw that was fixed the summer before: almost certain

    As far as i'm concerned those with low maintenence co-located servers should pay more attention to security bulletins so that when when a major patch does come out they can fix it, then when something does hit their several-year-old computer it won't be thrashed to death by modern worms.

  5. Re:Could someone explain... by DJayC · · Score: 5, Insightful

    It is unclear in the article if they mean ATM as in bank ATM's, or ATM as in asynchronous transfer mode networks. I'm sure the author doesn't even know in which context ATM is used.

    Just a thought *shrugs*

  6. Time to hold M$ Accountable. by BigBlockMopar · · Score: 5, Insightful

    The same MS that didn't apply their *own* patches ?!?

    The problem that I have is, even though I don't run any Microsoft software, their incompetence keeps on screwing me around and costing me productivity.

    I get hundreds of e-mail virii per day, owning partially to incompetent users, but also partially to incompetent Outlook programmers.

    At the height of Code Red, I was getting hundreds of hits per day to my webserver.

    That last worm effectively shut down portions of the Internet.

    Now, here's the problem. If I'm driving down the road, and a Hyundai's brakes fail and cause it to run a red light and plow into the side of me, it'll piss me off, but it's a quirk, and shit happens.

    If, every couple of months, a Hyundai's brakes fail and I get hit, pretty soon, I'll start to get very pissed off, not just with the idiots who drive Hyundais, but also with Hyundai itself.

    This has gotten to be utterly ridiculous. We have to find some way of holding Microsoft accountable for their fucking ineptitude.

    --
    Fire and Meat. Yummy.
    1. Re:Time to hold M$ Accountable. by ejaw5 · · Score: 4, Insightful

      That's a great analogy..I'll add this though:
      Investigations from the NTSB and all will force Hyundai to recall all their affected cars and fix the brake problem. Don't expect such actions against Microsoft.

      --

      $cat /dev/random > Sig
  7. Regulation by kahei · · Score: 4, Insightful


    Thing is, we're dealing with an industry (the IT industry) that does not have the safely regulations and standards common in older sectors. There is no standard saying what steps must be taken to prevent your own systems damaging others, and no regulatory body to enforce compliance. Worms like this are creating a pressure to bring IT into line with the more, hm, predictable business areas.

    Over time, IT, like other industries, will move toward public safety standards such as we see in transport, manufacturing, finance, and all those *boring* businesses. It's a necessary part of the evolution of this industry from backrooms to ubiquity, I guess.

    In 20 years time we'll probably see the government fining companies that don't patch their servers to a certain standard, just like we see airports and tire makers being fined now.

    This just reinforces what I've been thinking for a while now... time to move away from IT iself and into IT law/management/business...

    --
    Whence? Hence. Whither? Thither.
  8. Re:Could someone explain... by Anonymous Coward · · Score: 5, Insightful

    My assumption was that they were talking about ATM (Asynchronous Transfer Mode). Many ATM networks were significantly hurt by this because routers and switches that utilize SVCs kept building and rebuilding circuits.

    The whole point of this problem can be simplified to bad code and bad base installs. I keep hearing people say it's not MS's problem. I work with a wide variety of products in the networking (L2 & L3+ WAN) and systems world. Any one of the vendors that I deal with would lose serious market share if their products were found to be vunerable to something like this and they simply patched it but didn't change the base install to be "secure".

    Let's start by taking an example of a comparable product -- postgreSQL. We all know that a recent patch to this product fixed a possible remote exploit. Certainly the bug shouldn't have been there and it was something that should be patched. However, the point is that the postgreSQL base install doesn't even allow remote connections. In fact, the config file tells you that without remote connections allowed, it's still probably an liberal configuration that should be locked down more.

    I'll buy that MS has a large market share and that occasionally something will get through the normal protections; however, the base installs should be locked down. Why aren't they? It's a question that is very simple to answer.

    MS sold the Internet community a grand story. In this story, running a server is a simple task that anyone can do. For this story to be believed, they have to have the base install do everything out of the box without any special configuration which might require a real administrator, dba, network design specialist, etc. If the products were actually locked down like they should be (like most of the competing products are), MS would have a bigger job in support calls because 80% of the non-administrators that work with MS platforms would be ill-equiped to handle the proper configuration of the server to get it to work.

    I have a product that I use on linux that was written with this kind of security in mind. The config file is riddled with lines like: die "you didn't go through your config file!". If you don't completely configure the product, it keeps dying on startup. This is how products should be released--locked down and set to die if the configuration is not explicitly setup by the admin with them being aware of the dangers to each option they set back on.

    I also hear a lot of people complaining that people didn't install the patches, I again go to the point of the base install. If the product's base install were locked down, far less databases would have been open even if they were unpatched. Seriously, let's be reasonable, why should an SQL server open ports by default to anything except maybe 127.0.0.1. Many databases now only need one or two subnets open anyway since their database interaction goes on with an application server (often a web server) which serves as the db client for the users anyway and quite a few databases on the lower end systems (where most of the sysadmins who don't know how to lock things down are) reside on the same box as the app services.

  9. Re:Government Funding of Security/Virus Prevention by Blkdeath · · Score: 4, Insightful
    Public source code for software that is designed to protect isn't a great idea IMO. Would you want your home security system, complete with sensor locations, schematics, etc. posted in a book on your front porch?

    Have I stepped out of Slashdot and into some kind of paralell universe where open source doesn't exist?

    The schematics for my firewall and all public daemons ARE available, some of them even "at my front door".

    Publicly available anti-virus and firewall software would be great (source code witheld), but then you run into the same problem MS has. Huge user base = greater draw to those looking to undermine the software = more security issues.

    So there are twice as many Apache vulnerabilities as IIS vulnerabilities? And don't give me that "there are more Windows users ... " excuse. If you want to affect the WWW at large, you attack that which comprises more than half the entire WWW, that being Apache. Were your logic correct, there would be a plethora of Apache vulnerabilities. The fact remains that a quality codebase, rather than a small userbase, defines the relative security of a product.

    Nice troll, though. It looked really sincere.

    --
    BD Phone Home!

    Shameless plug. Like you weren't expecting it.

  10. Re:patches and rips by StormReaver · · Score: 4, Insightful

    There are several reasons why Linux is not so adversely affected by security patches:

    1) Linux the kernel is distinctly independent from the applications that it runs and from the vast majority of device drivers that it hosts. This is most likely the single most important factor. For example, fixing Apache does not require tampering with the kernel, which is turn does not require tampering with the web browser, which in turn does not require tampering with the task manager, which in turn does not require tampering with the database server. With Windows, changing one area touches every single other part of the entire system, including some very large applications (because they are integrated with the kernel).

    2) Security releases are fast, furious, and focused. Only the affected pieces are replaced. When OpenSSL was compromised by Slapper, only OpenSSL was fixed. The fix didn't have to touch a hundred completely unrelated areas as happens when your entire kit and kaboodle (Windows) is tied together by spaghetti clusters. The fixes are released immediately after the vulnerability is discovered, and the full scope of the fix is detailed (parts are not hidden, as is the case with Windows). And the fixes, if anything was missed the first time, continue until the problem is erradicated.

    3) Full disclosure. The vulnerability is fully disclosed to the user base ASAP, and details provided to allow us to confirm the vulnerability. Since the vulnerable parts of the system are separate and distinct, fixing the individual parts can occur on a continuous basis. That is, not every affected component has to be fixed before other fixed pieces can be distributed.

    Not being a security type person, these are only things I can think of off the top of my head based on my own limited experience.