Recent Computer Security Incidents - PowerPoint PPT Presentation

Slides: 11
Provided by: ClaytonBud

Transcript and Presenter's Notes

Title: Recent Computer Security Incidents


1
Recent Computer Security Incidents
  • Terry Gray
  • Director, Networks & Distributed Computing
  • 03 October 2003

2
Major Attacks
  • Dec 2000: Hospital records release
  • Jul 2001: Microsoft web server (Code Red)
  • Sep 2001: Microsoft web server (Nimda)
  • Mar 2002: SSH libraries (e.g. Slapper)
  • Jun 2002: DNS libraries
  • Aug 2002: The Great Spam Attack
  • Jan 2003: Microsoft SQL (Slammer)
  • Jul 2003: Microsoft RPC (Blaster, etc.)
  • Aug 2003: SoBig.F virus

3
January 2003 Microsoft SQL (Slammer)
  • Allows system takeover
  • Aggressive spread (unintended DOS?)
  • Many vulnerable applications
  • High impact on network routers
  • Significant collateral damage to adjacent computers/subnets
  • Simple port blocking damages legit traffic

4
Slammer Impact on UW
  • Older routers failed under load
  • Hard to identify/shutoff source during attack
  • Some critical subnets affected for many hours
  • Older net infrastructure hampers defense
  • Accelerated phase-out of older routers
  • Hubs/Switches/wireplant still a problem
  • Improved locate/isolate tools

5
July 2003 Microsoft RPC (Blaster, etc.)
  • Several variants (directed worm attacks)
  • Some attacks allow system takeover
  • Windows vulnerability: all recent versions
  • Two Microsoft patches (so far)
  • Border blocking
      • effective only temporarily
      • breaks popular applications
      • or forces deployment of VPNs

6
RPC Impact on UW
  • Windows infection rate over 20% (6200)
  • Mean-Time-To-Infection 2 minutes
  • > 12,000 msgs handled by SecOps in Sept
  • Lots of tools developed to detect/block/fix
      • real-time auto-blocking
      • self-service unblocking
      • internal patch page
  • CD campaign for returning students

7
Security Trouble Ticket Trend

8
RPC Impact Elsewhere
  • UNC med center - total infection
  • UChicago: $1000 reconnect fee?
  • Evergreen: virtually shut down
  • Several contracts w/students, fees to fix
  • Everywhere enormous costs

9
SoBig.F Virus
  • Ultra aggressive
  • Forged addresses, bogus auto-responses
  • JUL: 17M messages in, 48K viruses
  • AUG: 25M messages in, 6M viruses
  • Believed to aid spammers
  • Phase II attack thwarted
  • Self-terminated on Sept 10
  • most widely e-mailed virus ever

10
Lessons
  • Huge strategic problem for UW
  • Huge costs and risks ahead
  • Only decision to make:
      • do we pay for prevention?, or
      • do we pay for clean-up?
  • Prevention requires paradigm shift
      • unmanaged PCs must be eliminated
      • lots of network upgrades & tools needed
  • 2003 is a turning point