Security lessons unlearned, don't blame the worm

Tuesday, August 19th 2003, 12:00 am
By: News On 6

An invisible force from the Internet grabbed Steve Watts' laptop and wouldn't let go. He tried to download a software file that would help fix the problem, but the Internet worm kept rebooting his computer every two minutes.

Watts' computer was disabled for two days while he was on a business trip. If the worm had been more destructive, as experts say it easily might have been, "it could have been devastating to our company and would have taken weeks to recover from," Watts said.

Now his Boise, Idaho-based business strategy firm, Bold Approach Inc., isn't taking any chances. It is upgrading its hardware and software "firewalls," which are designed to keep intruders out.

"We have not invested much in security in the past and this was a good wake-up call for us," Watts said.

If there's a bright side to the "LovSan" or "Blaster" Internet worm that rampaged through hundreds of thousands of computer systems last week, it's that the attack might lead companies to look more closely at their security precautions.

"I think a lot of executives will say, 'My God, we're in worse shape than we thought we were. We spent all this money on firewalls and still it got inside,'" said Russ Cooper, senior researcher at TruSecure Corp. "Unfortunately the state of affairs on the Internet is such that everybody needs to live in total paranoia."

However, other experts are doubtful that many companies will tighten their security.

"It didn't happen with Code Red, it didn't happen with Nimda, it didn't happen with Sapphire/Slammer," said Marc Maiffret, co-founder of eEye Digital Security, referring to previous worms and viruses. "I don't think it's going to happen with this one either."

Experts saw this worm coming, warning for weeks that a crucial flaw in Microsoft Windows needed to be patched. Still, the worm wreaked havoc at companies and government agencies like the Maryland motor-vehicle department because many had failed to take proper steps to protect themselves.

A downloadable software "patch" that fixed the problem exploited by the worm had been available since July 16, and Microsoft delivered it to home computer users who have the "automatic updates" feature enabled in later versions of Windows.

But that feature isn't geared for complex corporate computing systems. Technology administrators are besieged with individual patch notices every week. And many patches or other suggested solutions have to be carefully tested to see if they contain flaws of their own. Often they can cause problems when they're added to computers that have lots of other programs installed.

"That's made a lot of people a little bit wary about just blasting a patch on their whole systems," Maiffret said.

Perhaps to prove that many people had still failed to install the patch, someone disseminated a variant of the "Blaster" worm Monday. It exploited the same flaw but had a benign effect: It forced computers to download the patch if they had not already done so, according to David Perry, global director of education for Trend Micro Inc.

The patch had been designated as "critical" and got more publicity than the usual security warnings, including from the Department of Homeland Security. Microsoft spokesman Sean Sundwall said it was unclear why more people did not download the patch before the worm hit.

"Most people won't go to bed without locking their front door. Most people don't leave valuables in their car without locking it," he said. "Security of the computer system is somehow treated differently from personal security or business security."

Although Microsoft is ultimately to blame for flaws in its software (which runs more than 90 percent of the world's desktop computers), no software can be perfect. Security experts say other computer operating systems would be just as vulnerable if they were as widely used as Microsoft's.

Some companies did react quickly to the warnings, like Barton Malow Co., a large construction and design firm based in Southfield, Mich. Technical staff tested the patch within hours and used a multipurpose software delivery system from Altiris Inc. (which generally charges about $80 per computer) to quickly push it to almost all the firm's 1,300 computers. The worm hit only a few of Barton Malow's PCs, all at remote sites.

"We're kind of psychotic about taking care of problems like that," said Paul Johnson, Barton Malow's chief network engineer. "We've seen too many of our competitors down for weeks just because of laziness or poor planning."

The city of Seattle's technology department has avoided being hit by previous Internet worms and viruses and tried to be diligent again this time, sending the patch to almost all 10,000 computers in city agencies. But the worm struck before the patching was over, knocking 1,000 computers offline.

In part because public safety systems in Seattle don't use Windows software, the attack didn't cause serious problems. Even so, Sylvia Shiroyama, the city's acting chief technology officer, said she now realizes the city must become quicker at blocking such dangers.

"The time frame between vulnerabilities being known and hackers being able to exploit them is shortening, so we also need to be more aggressive," she said.