University of Washington, Computing & Communications
Recent Computer Security Incidents
Terry Gray, Director, Networks & Distributed Computing
03 October 2003

Major Attacks
Dec 2000: Hospital records release
Jul 2001: Microsoft web server (Code Red)
Sep 2001: Microsoft web server (Nimda)
Mar 2002: SSH libraries (e.g. Slapper)
Jun 2002: DNS libraries
Aug 2002: The Great Spam Attack
Jan 2003: Microsoft SQL (Slammer)
Jul 2003: Microsoft RPC (Blaster, etc.)
Aug 2003: SoBig.F virus

January 2003: Microsoft SQL (Slammer)
Allows system takeover
Aggressive spread (unintended DoS?)
Many vulnerable applications
High impact on network routers
Significant collateral damage to adjacent computers/subnets
Simple port blocking damages legit traffic

Slammer Impact on UW
Older routers failed under load
Hard to identify/shut off source during attack
Some critical subnets affected for many hours
Older net infrastructure hampers defense
  – Accelerated phase-out of older routers
  – Hubs/switches/wireplant still a problem
Improved locate/isolate tools

July 2003: Microsoft RPC (Blaster, etc.)
Several variants (directed & worm attacks)
Some attacks allow system takeover
Windows vulnerability: all recent versions
Two Microsoft patches (so far)
Border blocking:
  – effective only temporarily
  – breaks popular applications
  – or forces deployment of VPNs

RPC Impact on UW
Windows infection rate: over 20% (6200)
Mean-Time-To-Infection: 2 minutes
Over 12,000 msgs handled by SecOps in Sept
Lots of tools developed to detect/block/fix
  – real-time auto-blocking
  – self-service unblocking
  – internal patch page
CD campaign for returning students

Security Trouble Ticket Trend

RPC Impact Elsewhere
UNC: med center – “total infection”
UChicago: $1000 reconnect fee?
Evergreen: “virtually shutdown”
Several: contracts w/ students, fees to fix
Everywhere: enormous costs

SoBig.F Virus
Ultra aggressive
Forged addresses, bogus auto-responses
JUL: 17M messages in, 48K viruses
AUG: 25M messages in, 6M viruses
Believed to aid spammers
Phase II attack thwarted
Self-terminated on Sept 10
“most widely ed virus ever”

Lessons
Huge strategic problem for UW
Huge costs and risks ahead
Only decision to make:
  – do we pay for prevention?, or
  – do we pay for clean-up?
Prevention requires paradigm shift
  – unmanaged PCs must be eliminated
  – lots of network upgrades & tools needed
2003 is a turning point