Chey Cobb web site

Newsscan Computer Security Column
Stephen Cobb, CISSP and Chey Cobb, CISSP

Can You Survive Without the Internet?

Could your company survive without the Internet? This is not a rhetorical question. In the wake of last weekend's "Slammer" attack, corporations may have to contemplate getting by without the Internet. That sounds like hyperbole until you realize how much trouble was caused by just 376 bytes of worm code.


The basic facts have been widely reported. Late last Friday, or early Saturday in Asia, a worm was released onto the Internet targeting a vulnerability in Microsoft Corp's SQL Server 2000 (a database program). Activity generated by the worm's probing for systems to infect brought Internet traffic to its knees, at least in parts of Asia. Weekend Web surfers in North America experienced everything from momentary delays to complete lack of access. American Express customers couldn't check their accounts online. Web operations were paralyzed for two days at Countrywide, the country's biggest residential mortgage provider. The Atlanta Journal-Constitution couldn't print Sunday's first edition on time. Some 911 emergency services were forced to revert to manual dispatching. On top of that, some weekend shoppers found their Bank of America cash cards couldn't produce "cash back" at supermarkets. For some, even plain old cash at ATM machines was unavailable.


A lot of technical staff at companies that rely on SQL Server and related code spent the weekend at work, removing the worm from infected systems and patching them to prevent reinfection. Even so, some employees couldn't get to their data on Monday morning, including some employees at Microsoft itself. An internal memo, issued over the weekend and leaked to the press on Tuesday, made it clear that Microsoft had failed to apply to many of its own systems the very patches it had urged customers to install to avoid this problem in the first place. Unfortunately, all the talk about Microsoft and SQL Server has tended to obscure two of the scariest parts of the story:

  1. Our society is a lot more dependent on the Internet and "immature" systems than anyone has so far been prepared to admit.
  2. The Internet exists at the whim of those who know how to destroy it.


In this column and the next we will address these points in the above order, starting with the issue of dependency. Over the last few months, Bank of America has spent millions of dollars on a television advertising campaign touting the ubiquity of its ATM machines. Imagine that you just switched your account to Bank of America because of those ads, only to find that access to your money is denied, by 376 bytes of rogue computer code released onto the Internet.


In our admittedly unscientific sampling of consumer opinion at the coffee shop we found universal disbelief that such a thing could happen. Sadly, it comes as no surprise to us. As security experts, we have made it our business to know a lot about network infrastructure (after all, that's where a lot of data is most vulnerable). People who know more than we do about that infrastructure have been warning us for years about excessive inter-dependencies, lack of redundancy, single points of failure, and so on (they have also pointed out that 90% of all military communications are handled by commercial carriers, but that's another column).


There have also been plenty of warnings about excessive reliance on immature code, i.e. software which is not deployed through a production process that includes thorough pre-production testing and a proper maintenance cycle (companies that had installed the patches for SQL Server before the weekend were not infected, although they may still have been affected by the traffic overload which the worm created). Now the public has very concrete proof that the experts were right. Now we know we cannot rely on our bank to provide 24/7 access to our money. Hopefully, companies will now set about beefing up their networks, providing redundant channels and managing their code (funded by some of the huge cost savings they reaped by shifting data and voice from private lines to the Internet).


Fortunately, the advice of network experts can also help the consumer. Redundancy is the best strategy to avoid being denied access to your cash by an ATM system failure. Just make sure you have debit card accounts at more than one bank! In the next column we will explain why we think the Internet exists at the whim of those who know how to destroy it.


©2003 Chey Cobb. All rights reserved.
chey@patriot.net
