A powerful internet attackdubbed SQL Slammerthat hit computers worldwide Jan. 25 has security experts worried that too many system managers are only fixing problems as they occur, rather than keeping their defenses up to date. The problem underscores the need for school technology managers to monitor security bulletins carefully and download the latest software patches as soon as they are made available.
The wormwhich crippled tens of thousands of computers worldwide, congested the network for countless others, and even disabled Bank of America cash machinestook advantage of a vulnerability in some Microsoft Corp. software that had been discovered in July.
Microsoft had made software updates available to patch the vulnerability in its SQL Server 2000 softwareused mostly by businesses, governments, and school systemsbut many system administrators had yet to install them when the attack hit Jan. 25.
Some of those administrators were at Microsoft itself, the company acknowledged in a report in the New York Times. Some computers at the software giant were affected because appropriate Microsoft patches had not yet been installed. That irony underscored how hard it can be to ensure that all security measures are in place and up to date. But Microsoft’s internal problems were cold comfort to those affected by SQL Slammer.
“There was a lot that could have been done between July and now,” said Howard A. Schmidt, President Bush’s No. 2 cybersecurity adviser. “We make sure we have air in our tires and brakes get checked. We also need to make sure we keep computers up to date.” Network technicians worked furiously in the wake of the attack to repair damage caused by the fast-spreading worm. The problem was declared largely under control Jan. 26, though some experts were worrying about the possibility of lingering infections appearing for days afterward.
The FBI said Jan. 26 that the attack’s origin was still unknown.
As the worm infected one computer, it was programmed to seek other victims by sending out thousands of probes a second, saturating many internet data pipelines.
Unlike most viruses and worms, it spread directly through network connections and did not need eMail as a carrier. Thus, only network administrators who run the servers, not end users, could do anything to remedy the situation.
According to Keynote Systems Inc., which measures internet reliability and speed, network congestion increased download times at the largest U.S. web sites by an average of 50 percent, and some sites were completely unavailable at times.
Bruce Schneier, chief technology officer at Counterpane Internet Security, said the attack proves that relying on patches is flawed “not because it’s not effective, but [because] many [systems administrators] don’t do it.”
Two of the previous major outbreaks, Code Red and Nimda, also exploited known problems for which patches were available.
But with more than 4,000 new vulnerabilities reported last year, according to the government-funded CERT Coordination Center at Carnegie Mellon University, system administrators can have trouble keeping up.
Patches also take time to install and could disrupt other systems and applications. Schmidt said many network managers delay installing patches to fully test them first.
Russ Cooper, a security analyst at TruSecure Corp., said patches are also complicated, and applying them out of order can undo an earlier fix.
Microsoft spokesman Rick Miller said the company is working with network professionals to develop better tools, including ones that can scan systems automatically for known vulnerabilities.
A larger problem is inadequate information on which patches need to be tested and installed first, said Dan Ingevaldson at the Internet Security Systems’ X-Force research arm.
Preventing the next outbreak, security experts say, will mean rethinking security. Favored approaches range from getting vendors to make better software to paying private companies more money to handle the brunt of the work.
Microsoft, for one, has already pledged to improve its products. Just two days before the attack on its software, Microsoft Chairman Bill Gates sent out an eMail outlining such improvements as better support for “smart cards” to replace or augment computer passwords.
Company executives have also said they want to make security updates automatic so users could grant permission once and have multiple patches installed over the internet whenever needed. Network managers, however, worry that such automation could inadvertently introduce problems for other applications.
Carnegie Mellon’s Software Engineering Institute is among research centers working on improving security before software is shipped, thus lessening the need for patches, said Brian King, internet security analyst at Carnegie’s CERT center.
Security companies that stand to profit are pushing for more financial commitment.
“It is cost-effective to be proactive,” said David Perry of antivirus vendor Trend Micro.
Being proactive might have helped save computers at the Governor Mifflin School District in Shillington, Pa. “We did not have any damage, as we applied patches earlier,” said Sandra Becker, the district’s director of technology.
Becker said Governor Mifflin learned its lesson the hard way. After feeling the effects of the Code Red worm in 2001, which infected more than 250,000 systems worldwide in just nine hours, the district’s technology team made a conscientious effort to ratchet up its defenses.
Since that time, schools there have prevented similar invasions by investing in software that alerts technology staffers when patches need updating; subscribing to security notices posted by Microsoft and other software providers; using back-up servers and actively saving files offline; implementing eMail security software that prohibits the distribution of harmful executables; and integrating high-quality virus protection software that works across all servers, desktops, and laptops throughout the district, Becker said.
Microsoft SQL Server 2000 patch
CERT Coordination Center
Governor Mifflin School District