Wednesday, August 8 - My Fingers are Out of Breath
It's only 10 AM, and I've sent well over 100 emails so far this morning in seven different conversations. My fingers are angry with me. So what am I doing? Typing this post, of course, while I watch for more replies. <G>
First, an interesting article this morning on Slashdot; Pavlovich Jurisdictional Challenge Denied. Not exactly the latest Grisham thriller, granted, but it's important. The Sixth District Court of Appeals has apparently been taking a nap for the last ten years, judging from statements like this: "At the time Pavlovich posted DeCSS on the Internet, he was a leader in the "open source" movement, the purpose of which was to make as much material as possible available over the Internet." Oh, where can we go with this one?
The Slashdot link is to the write-up, including a brief commentary from Pavlovich's lawyer, and includes links to some coverage and to the ruling itself. As always, the link is provided in Slashdot's "no comments" format.
Bob Thompson has a few comments today on Code Red and related items. While I highly respect Bob's computer expertise, on this one I have to say he's dead wrong.
First of all, "spending all our time hunkered down behind our computerized shields under constant attack from viruses, worms and other nasties" is not the future of computing; it's the present and the recent past. Yes, Code Red is a bit more, shall we say, energetic than past threats, but there's nothing really special about it. The Morris Worm took down the fledgling Internet on November 3rd, 1988. We're still here. Melissa threatened the world's email servers in March of 1999; we're still here. Computers are extremely powerful tools, and like any such, there have always been and always will be people - and I use the term loosely - who find it amusing to use those tools to cause problems for others. With each new attack, we learn how to counter it, maybe even figure out in the process how to prevent nastier versions of the same attack, and we move on. Code Red is illustrating something that was already known about cable networks; they aren't secure, internally or externally. Regular users use cable networks, and regular users are not particularly good, just now, at protecting themselves. On top of that, cable networks are shared resources, so your neighbor's problem quickly becomes your problem. This is a flaw in cable networks, this isn't the first time that flaw has been noted, and it's a problem that's been slowly improving with time. This, too, shall pass, and in the end perhaps cable companies will be smarter about isolating their users from one another.
Second, "Red China" most likely has nothing to do with Code Red. No one knows exactly where it came from; the original version had a "Hacked by Chinese!" banner in the defacement pages it placed on infected servers, but that doesn't mean diddly. "Hacked by Chinese!" has been a pretty common message for a while now, and by no means all of the crackers using it have been residents of Red China. Rather few of them have, as a matter of fact. I've been following the discussion of Code Red in bugtraq and the SecurityFocus Incidents lists pretty closely, and no one has suggested that this is some sort of attack by the PRC government. I have heard some reporters spouting nonsense about it being an attack by Chinese hackers, but the only explanation I heard came from the name "Code Red" for the worm - which is ridiculous on the face of it. First, *we* call it "Red China" because it's a color associated with the communist revolution. They don't call it Red China. Second, "Code Red" is the name given to it by the analysts from eEye Digital Security who first disassembled Code Red, and they gave it the name based on the new Cherry Mountain Dew they were drinking at the time.
Is it possible that Code Red is a deliberate attack by the Chinese or another foreign government on the infrastructure of the US? Sure. Of course, the fact that this "weapon" has confirmed infections in every nation on the planet makes it seem to have been a pretty stupid attack, and the fact that there's no evidence of any critical damage - the hardest-hit networks are those purely consumer-level cable networks - makes it ineffective, as well. No, this is almost certainly yet another misguided burst of creativity by yet another cracker.
Finally, the comparison to Ebola is also inappropriate and inaccurate. Computer viruses and worms don't really work that way; in order to work as Bob has suggested, the hypothetical doomsday virus would need to be completely innocuous during the infection stage. That would require something like a signed security patch, announced through the official channels, that no one would suspect - something which would be extremely difficult, even with Microsoft's notoriously lax standards. Essentially, the attacker would need to successfully trojan every server without detection, and that just can't happen. No matter who supplied the patch, there are too many people who examine every effect of the patch. Within hours of every release of a major software patch - which would be anything that affected the core OS of any system - there are lists of the changes made, from registry keys to changed files to differences in system operation. I can't imagine a virus or logic bomb sneaking through that, and even if one did, I don't see it being the end of the world - those same people would most likely have fixes and workarounds within hours. I've seen it happen.
The second possibility is a worm, something that infects systems without human intervention. Couldn't that spread slowly, triggered by some outside factor (the date, a TCP/IP connection, whatever)?
No, and I'll tell you why. I monitor the Incidents mailing list. You would not believe the stuff that comes through there. Messages saying "I'm getting this odd pattern, anyone else see anything like this" are extremely common. Scans spaced out over days are spotted and tracked by these people. Anything that's in any way abnormal would be seen, would be tracked, and IDS signatures would be available by the end of the day to allow more admins to watch for the attack. No matter how slow the spread, I would bet serious money on its growth and danger being spotted by the end of the week.
Why? Because a worm by its very nature does not look like normal traffic. In order to exploit some hole, it has to act in an abnormal manner - and that is what gets spotted. Even if it did find a hole that could be exploited while staying "under the radar", in order to spread it has to upload itself to the target host - and that is another signature that can be spotted. That one can't be hidden, either - there are only so many ways it can be transmitted, and the data transfer will be noticed and tracked.
There will be worms. There will be viruses. With every moderately successful worm or virus, there will be a public outcry about the end of the Internet drawing near. But they will always be wrong. Attacks grow ever more sophisticated, but the first attack is always a "canary" which warns of that which is to come. The moment the first attack is seen and recognized by a competent security administrator, the entire security community begins a race to see who can find a cure the fastest. It's very rare that the cure isn't found and released within hours - sometimes, it's within minutes. Slower spread doesn't help virii and worms; it just makes them easier to kill.
Oh, one last little tip for Linux web surfers out there. If you're using KDE, and you hate pop-up windows as much as I do, then you'll want to do this.
Open Konqueror, click the "Settings" menu, select "Configure Konqueror". Out of the categories on the left, select "Browser". The third tab is "JavaScript", and at the bottom is a checkbox labelled "disable window.open()". Click on that - and never see another X10 Wireless Camera ad again...
Tuesday, August 7 - More Code Red, Server Updates
I almost forgot about it yesterday... I was going to be spending the weekend working on the server, right? Right.
Well, before I started ripping hardware, I decided to explore the problem more carefully. I have some RAM-test tools (sequential read/write, RAM dump tests, and others I don't pretend to understand as well) so I tested THOR to see what came up.
Nothing, that's what.
OK. One of the symptoms that I'd been able to reproduce was an inability to compile anything; it always failed, usually within the first file or two of the make. So, I pulled down the latest kernel, configured it, and started the make. Kernel compilation is pretty hardware-intensive; if you've got a problem, that'll probably find it. The compile succeeded.
So what was the problem? I don't know. Perhaps a SIMM module is going bad, but is currently only having intermittent problems. Maybe the power supply - but I doubt it, it's a high-quality supply that has more than enough capacity for the system. (300W supply in a Pentium-120 system with two hard drives and a CD.) Maybe the gremlins were just having a little fun with me. Regardless, I'll be keeping a close eye on THOR - but in the meantime, there's nothing I can do until I have a symptom to chase down.
Yesterday was an... interesting day at work. I have several NT and Windows 2000 servers, some of which are running IIS. Now, before you think you know where I'm going, I've got a well-planned security procedure that includes frequent patching; none of my servers have been vulnerable to Code Red since the patch was originally released.
However. It seems the internal IT organization isn't that prepared.
I spent much of my afternoon dealing with IT, and I have to say I wasn't impressed. At all. Heads will roll, I understand, and I'd be willing to help chop at this point.
I did learn something interesting, though. Engineering has a web server that they were working on, with the intention of turning it over to me as a turn-key solution. (I hate that, by the way, but I occasionally have to put up with it.) For some reason, they decided to put IIS on Terminal Server. Apparently, the Option Pack will install on the system, but it won't accept patches. So even though Engineering had "patched" the server, the patch failed. They left it up anyway. So now I have someone else, not just IT, to yell at.
Oh, and while we're on the topic, there seems to be some confusion over the different versions of Code Red. There are two, or really, three. There's Code Red v1, Code Red v2, and Code Red II. CRv1 and CRv2 are very similar; the only difference between them is that CRv1 defaces web pages, while CRv2 doesn't and also has a better IP generation scheme; CRv2 attacks more efficiently, basically, and is slightly harder to detect since it doesn't modify any web pages.
Code Red II uses the same attack code as CRv1 and CRv2, such that it's plainly apparent that it's a derivative program. The payload is much different and much nastier, however, since it leaves a copy of cmd.exe accessible on the web server. This means that anyone can attack a Code Red II-infected server and execute commands at the system level; that's good enough to read or write to almost any file, format drives, run applications, and so on. Basically, if you have a web server which was infected by Code Red II, you only have one safe option; scrub to bare metal and reinstall.
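One concrete triage check for the exposed-shell payload described above, written here as an added example rather than anything from this post or from IIS itself: walk the directories the web server serves and report any file that is a byte-for-byte copy of the system cmd.exe under any name, or that carries the cmd.exe name under any content. The directory tree and file contents are constructed for the example, and the web-root and system-directory paths are assumptions.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_shell_copies(web_roots, shell_path, shell_names=("cmd.exe",)):
    """Walk the directories the web server exposes and return every file that
    is a byte-for-byte copy of the system shell (under any name) or that
    carries a shell name (with any content). Either finding means the host
    should be treated as compromised, not merely unpatched."""
    shell_hash = sha256_of(shell_path)
    hits = []
    for root in web_roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                if name.lower() in shell_names or sha256_of(path) == shell_hash:
                    hits.append(path)
    return sorted(hits)

def build_fixture():
    """Constructed directory tree standing in for the system directory and an
    IIS web root; the 'shell' is a dummy byte string, not a real cmd.exe."""
    base = tempfile.mkdtemp()
    sysdir = os.path.join(base, "system32")
    scripts = os.path.join(base, "inetpub", "scripts")
    os.makedirs(sysdir)
    os.makedirs(scripts)
    files = {
        os.path.join(sysdir, "cmd.exe"): b"MZ dummy shell bytes",
        os.path.join(scripts, "shellcopy.exe"): b"MZ dummy shell bytes",  # renamed copy
        os.path.join(scripts, "cmd.exe"): b"MZ something else",           # shell name only
        os.path.join(scripts, "lookup.asp"): b"<% legitimate script %>",  # benign
    }
    for path, data in files.items():
        with open(path, "wb") as f:
            f.write(data)
    return os.path.join(sysdir, "cmd.exe"), [os.path.join(base, "inetpub")]
```

Running `find_shell_copies` over the fixture reports the renamed copy and the misnamed file but not the benign script; on a real host the first argument is the list of directories the web server maps, and the second is the path to the installed shell.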
And that's it for me this morning. I have to go yell at some engineers now...
Monday, August 6 - No Longer Unemployed...
OK, so I was only unemployed for the weekend, but still. <g>
First off, the Red Code worm is back, sort of; the attack signature is much the same, with Xs instead of Zs, but the attack method is different. Instead of scanning random IPs, this variant only scans IPs in the same Class A network (the left-most number group of the IP address) with a preference for the same Class B (the second number group.) This has both good and bad points; on the one hand, if your Class A doesn't have any infected hosts, you aren't in danger. So the black-hat who's unleashed this version has to manually attack at least one IIS server in each Class A, all 253 of them. (10.x.x.x, 172.x.x.x, and 162.x.x.x are not routable networks, remember?)
On the other hand, networks tend to be clustered together; corporations and ISPs and IPPs all use sequential ranges of IP addresses. Logically, if one company's IIS server is vulnerable, its other servers likely are as well. So even though each virus infection point has a limited number of hosts it can attack, it will statistically be more likely to find hosts to infect.
Another side effect is that, since the 24.x.x.x network was hit early, the major cable networks in the US are being thoroughly hammered with RCII scans, resulting in severely overloaded networks - and severely degraded performance.
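Both the earlier point that worm traffic does not look like normal traffic and the Class A / Class B scanning pattern described for this variant can be checked against a web server's own logs. The Python below is an added example, not code from this post: it flags requests carrying a long run of one repeated character (the overflow padding that makes the signature recognisable, with the padding letter telling variants apart), then counts how many flagged sources share the server's Class A and Class B. The log lines, addresses, request path and padding letters are constructed for the example.

```python
import re
from collections import Counter

# Common-log-format lines constructed for this example; the addresses, the
# request path and the padding letters are made up, not captured traffic.
def _line(ip, request):
    return f'{ip} - - [06/Aug/2001:09:12:01 -0400] "GET {request} HTTP/1.0" 200 0'

SAMPLE_LOG = "\n".join([
    _line("24.10.5.7", "/index.html"),                          # normal request
    _line("24.10.9.200", "/filter.dll?" + "X" * 224),           # same Class A and B
    _line("24.200.1.9", "/filter.dll?" + "X" * 224),            # same Class A only
    _line("198.51.100.4", "/filter.dll?" + "N" * 224),          # remote, other letter
    _line("24.10.77.3", "/products?id=" + "9" * 12),            # short run: benign
])

LOG_RE = re.compile(r'^(\d+\.\d+\.\d+\.\d+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+)')

def parse_line(line):
    """Return (source_ip, request_target), or None if the line does not parse."""
    m = LOG_RE.match(line)
    return (m.group(1), m.group(2)) if m else None

def padding_run(request, min_len=100):
    """Return the character repeated at least min_len times in a row in the
    request (overflow padding), or None if there is no such run."""
    m = re.search(r'(.)\1{%d,}' % (min_len - 1), request)
    return m.group(1) if m else None

def analyze(log_text, local_ip, min_len=100):
    """Flag padded requests and count sources sharing our Class A / Class B."""
    class_a, class_b = local_ip.split(".")[:2]
    result = {"flagged": [], "by_letter": Counter(), "same_class_a": 0, "same_class_b": 0}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, request = parsed
        letter = padding_run(request, min_len)
        if letter is None:
            continue                      # normal traffic: nothing to report
        result["flagged"].append((ip, letter))
        result["by_letter"][letter] += 1
        octets = ip.split(".")
        if octets[0] == class_a:
            result["same_class_a"] += 1
            if octets[1] == class_b:
                result["same_class_b"] += 1
    return result
```

The threshold of 100 repeated characters is a deliberately coarse choice; a legitimate query string almost never repeats one character that many times, which is exactly why this kind of traffic stands out in the way the post describes.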
Finally, and the worst news of all, RCII has a much more damaging payload than the original Code Red; RCII will allow anyone to obtain remote shell access. For those who might not already know, that's *bad*.
There is one small glimmer of good news; according to initial reports on BugTraq, this variant doesn't successfully infect NT4 systems, which means only Windows 2000 systems can be compromised. Still, there are enough Windows 2000 systems out there to cause some serious problems. If you or someone you know is running an unpatched IIS server, smack them for me. No, there is no excuse. None.
While we're discussing computer security, let's talk about viruses for a minute. Right now, there's a very nasty virus going around, SirCam. SirCam is yet another Microsoft virus (though not specifically an Outlook virus, it should be noted) which will randomly email documents from your hard drive to any email address it can find. Could be rather embarrassing.
Of course, the SirCam virus spreads because people open the attachment. My first thought was disgust; how long have we all been telling people to be careful about that? Then I got to thinking, and I realized we could be in real trouble in a very short time.
First, let's look back. A few years ago, we started telling people not to open attachments unless they were from someone they knew. Melissa, ILOVEYOU and now SirCam bit us on that one; the email arrives from someone we know. So, people open it, thinking they're fine since, after all, they know where the message is from.
So, we changed the advice. Never open an attachment unless you were expecting it. We can't just say "don't open attachments"; we rely on them for many things. But we can be safe by telling people to be careful; tell people before you send them an attachment, and never open an attachment unless you already know it's coming. Fine. Excellent advice.
Anybody want to bet how long it'll be before a virus comes out which sends two emails to every target - the second bearing a virus-loaded attachment, the first simply saying "Hey, I'm sending you a document to take a look at. Tell me what you think"? While we're at it, how many of you out there would probably open the attachment?
Now that is scary.
Have a good one...