New Dangers Exposed in the Wake of Slammer

Security experts and government officials agree that the unprecedented disruption of services by the SQL Slammer worm last week exposed the inherent flaws in the Internet.

Security experts and government officials agree that the unprecedented disruption of services by the SQL Slammer worm last week exposed the inherent flaws in the Internet and the domino effect that a few unprotected servers can have on the rest of the network.

Unleashed early on Saturday, Jan. 25, the worm hit data centers, snarling the Internet and slowing e-mail. It also ran rampant through networks at several major financial institutions, whose systems were vulnerable due to uninstalled patches.

"People should have been doing something with the patch and should have had other firewall rules in place," said Pete Allor, manager of X-Force threat intelligence services at Internet Security Systems Inc., in Atlanta. "It was a wildfire. If you allow everyone to hit your box, someone will get you."

Slammer exploited a known hole in Microsoft Corp.s SQL Server 2000 for which fixes have been available since last summer. Slammer spread quickly to more than 200,000 machines running the database software, overloading several of the Internets root Domain Name System servers. Much of the disruptive traffic had waned by Saturday evening, although many systems were down into Monday.

"In Vancouver, we lost ATM machines and [point-of-sale] terminals in large numbers for a couple of hours starting at 11 a.m. on Saturday," said Eric Byres, research manager at British Columbia Institute of Technology. "This is one of the first times weve seen an attack like this affect critical infrastructure."

Despite the damage and headaches caused by the worm, White House officials said Slammer should not be considered cyber-terrorism.

"Wed rather characterize terrorism as something that kills people," said Marcus Sachs, director of communications infrastructure protection in the Office of Cyberspace Security, in Washington. "There was no lasting damage done to the infrastructure. Wed like to see the term cyber-terror dropped."

Distancing Slammer from cyber-terror represents a major shift in philosophy for White House security officials, who for years have warned that Internet attacks could bring down financial networks, utilities and other vital systems.

Slammer found its way into machines that control the ATM network at Bank of America Corp., in Charlotte, N.C., and into the internal network at J.P. Morgan Chase & Co., in New York, where it caused major network slowdowns and nearly halted e-mail traffic. Such infections show the danger of connecting sensitive services to the Internet and prove that even companies with the means and manpower to protect their networks dont always do so, experts say.

"Business folks were so scared that they applied the SQL 2000 patch to SQL 7 machines and caused more grief for themselves," said a J.P. Morgan Chase employee, who asked to remain anonymous. "It was traced to someone in the business group in London plugging in their laptop. Maybe now [management] will realize just because fixes are available doesnt mean theyre applied."

Therein lies the challenge for administrators as well as government officials and software vendors: getting enterprises to apply patches on a consistent and timely basis. Security specialists say the problem is more than just overworked administrators; management should bear some blame.

"It comes down to enterprises having to take that responsibility seriously. Expecting people to apply six patches a day becomes a full-time job for someone," said Raleigh Burns, security administrator at St. Elizabeth Medical Center, in Edgewood, Ky. "Everyone doesnt have the budget and people to do that."

Vendors, meanwhile, say the industry owes it to customers to do a better job of securing their own products.

"Im certainly not blaming the victims. Customers like stability and dont like to apply patches very often," said Mary Ann Davidson, chief security officer at Oracle Corp., in Redwood Shores, Calif. "The industry needs to provide better tools to harden systems. The difference between something being theoretically possible and being exploited is the blink of an eye."

Faced with mounting criticism that their initial SQL Server 2000 fix was confusing and difficult to install, Microsoft officials agreed that patches are not the ultimate solution.

"Getting patches out is important, but we need to work with customers to help them, too," said Steve Lipner, director of the Microsoft Security Response Center, in Redmond, Wash. "The secure-by-design aspect is what were doing to chase those things out."

Signatures within the worms source code indicate that a hacker group known as the Honker Union of China may be responsible for the code, according to security experts who have analyzed the code. As of press time, no one had yet claimed responsibility for Slammer.

"Were 100 percent certain this was based on the CNHonker code," said Chris Rouland, director of the X-Force research team at ISS. "But that doesnt mean they released it."

  • Read more articles by Dennis Fisher
  • Read more security stories