issue.qxd
8/16/01
11:52 AM
Page 14
feature
FBI At Centre Stage Of Code Red
“law enforcement data is available to the FBI where it is not to other agencies”
Wayne Madsen
National Infrastructure Protection Center (NIPC) director Ron Dick took centre stage at the National Press Club as the FBI centre warned of a second wave of attacks by the Code Red worm on the evening of 31 July within the United States. The second warning followed a previous Code Red infestation that occurred between 19–23 July that affected some 250 000 computers. Most of the infected computers were US Government computers and servers operating Windows NT and Windows 2000 operating systems and Web servers running Microsoft's Internet Information Server (IIS) software version 4.0 and 5.0. Among the sites infected were Web servers operated by the Pentagon and the White House. Dick said Microsoft revealed to him that six million copies of the vulnerable software programs had been sold, but hastened to add that the figure did not account for pirated copies or users who proliferated single-license copies to other computers in their internal networks. Dick said there were two versions of Code Red discovered. The first — which he claimed was not as sophisticated as the second — infected computers around 19 July and then went dormant. The second version was expected to infect computers at 0000 Greenwich Mean Time on 1 August — or 8:00 US Eastern Standard Time — during cable television prime time news coverage throughout the United States and broadcast prime time news coverage in the Central, Mountain, and Pacific time zones. Dick stressed the point that the public's attention to the Code Red threat could not have been possible without the support of the news media. Asked if he contemplated holding such news conferences every time a worm similar to Code Red appeared on the scene, Dick said he did not want to constantly appear before cameras.

According to Dick, the NIPC is aided in its efforts by close liaison with the Information Security Forum, the National Governors' Association, the North American Electrical Council, and the American Society of Industrial Security (ASIS). These organizations help the NIPC in establishing contact with local companies and state agencies through the FBI's INFRAGARD vulnerability and threat information sharing programme.
Dick's 31 July news conference followed another the day before in which representatives of the following organizations all warned of the Code Red dangers:
• NIPC;
• the Critical Infrastructure Assurance Office (CIAO);
• the Federal Computer Incident Response Capability (FEDCirc);
• Information Technology Association of America (ITAA);
• Microsoft;
• the Information Technology and Telecommunications Information Sharing and Analysis Centers (ISACs);
• Computer Emergency Response Team at Carnegie-Mellon University;
• Information Security Solutions (ISS, Inc.) of Atlanta;
• SANS Institute;
• the Internet Security Alliance.
Dick said this demonstrated that government and industry could work together on critical infrastructure protection in an unprecedented way.
Domestic
Dick also spoke of the benefits of keeping the NIPC within the FBI. There have been proposals, mainly from the US intelligence community, to move the NIPC to the National Security Agency. Dick said, "the NIPC is in the right place." He added, "for privacy and civil rights reasons, law enforcement data is available to the FBI where it is not to other agencies."
International
The NIPC also has three liaison officers from Canada, Australia, and the United Kingdom working within its 24 hours a day, seven days a week watch centre at FBI headquarters in Washington. According to Dick, the NIPC has worked with law enforcement agencies in Japan, Singapore, the United Kingdom, Norway, Denmark, Sweden, Canada, Israel, and other countries on "investigations and capabilities development." Dick revealed that in one NIPC investigation, the centre collected evidence that equalled the digitized collection of the Library of Congress. However, he quickly added that NIPC investigations "must protect the privacy rights of American citizens".
FOIA
On the question of amending the Freedom of Information Act (FOIA) to create new categories of protected information for companies that share sensitive computer vulnerability data with the government, Dick said he believes there are adequate FOIA exemptions currently in place that would cover such data. "However, if the private sector wants more assurances that their data can be protected... and it would make them feel better, then the NIPC would support such FOIA legislation," Dick added.
He said the FBI would also like to see amendments to current laws that would allow federal law enforcement to use one court order to trace Internet activity through multiple domestic jurisdictions, and a reduction of the current $5000 computer crime damage threshold to permit the opening of cybercrime investigations at earlier stages.
Politics
Asked why Code Red only seemed to be affecting computer systems in the United States and not abroad, Dick revealed that a computer model put together by the San Diego Supercomputer Center showed that Code Red was capable of replicating itself around the world. However, reports from Hong Kong, Japan, Austria, and Finland indicated that Code Red was having little or no effect on computers or servers there.
Dick said one reason for other nations' indifference might be that they "are not as technologically attuned as the United States". He also said there was no evidence that Code Red was generated by any other government. Although some infected US Government web sites flashed the message: "Hacked by Chinese!", Dick said it would be foolish for the Chinese Government to be so open about the source if they were involved. In fact, Dick said there were not even any "definitive suspects" for Code Red. He also refuted earlier reports that only English-language versions of the infected Microsoft programs were vulnerable to infection.
Executive order
Asked if the Code Red hype was being timed by the US Government as a precursor to President Bush's impending release of a new Executive Order on Cyber Security, Dick emphatically said, "No," although he did admit that the NIPC was heavily involved in the drafting process of the order. Still in draft form, the order is expected to primarily deal with assigning information system security responsibilities as a primary duty of federal agency heads and establishment of a new federal interagency Cyber Security and Continuity of Operations Board. In response to a question about whether the FBI or NIPC was reading messages concerning Code Red in chat rooms, Dick said such monitoring could only take place if a Title III wiretap order were to be issued by a judge. He admitted the NIPC does monitor chat rooms during investigations but this is only done with a court order similar to those issued for telephone wiretaps.
E-COMMERCE: THE DARK SIDE
Fish, CHIPS and Worms
Bill Boni
At this time of year, summer is upon North America and in the hazy heat of a Midwestern morning memories can slip back to a time when life was much simpler. As a child when one talked about a ‘worm’, one was only interested in the subterranean, wriggling critters who were favourites for aiding and abetting the noble art of catching fish. Now the mention of worms in conversations around E-commerce professionals is most likely to concern the frustrations arising from the latest round of malware circulating on the Internet. In recent weeks, the world has been subjected to the multiple attacks from several highly successful computer worms. These malevolent creations have defaced hundreds of thousands of websites and exposed personal and confidential information. There has been a veritable explosion of these nasty programs and they are casting another dark pall over the bright future of E-commerce. Unless more is done to track down the perpetrators and limit their impact, they may become a threat to the Internet more broadly.
Code Red
Obviously the most serious example has been the “Code Red” worm. The incredible speed and potentially destructive power of this piece of deviant code has caused great concern. One may infer a little about its origins, since it is designed to deface only English language Web servers running Microsoft’s IIS codes, and to leave the message that the site had been “hacked by Chinese”. This attribution to the increasingly visible community of Chinese hackers may be true or it could be merely a virtual “red herring” to cover the digital tracks of its real creators. Regardless of who launched it, the worm has impacted the speed of the Internet through its propagation.
During a two-day period beginning on 19 July 2001, the Code Red worm may have infected over 350 000 computers. The data in the study shows that at its maximum rate of spread more than 2000 new hosts were infected each minute. This is several orders of magnitude more than achieved by the most skilled human attackers. Compare these amazing rates of propagation to the results of the so-called USPRC (People’s Republic of China) ‘cyberwar’ that followed the downing of the US spy plane in June. After weeks of tit-for-tat exchanges between rival groups of transpacific hackers, the humans controlling the attack tools had defaced in
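To put the propagation figures above in perspective, the following is an added example, not code from the article or its author: it fits the standard logistic worm-spread model to the two numbers the article gives (about 350 000 infected hosts over two days and a peak of 2000 new infections per minute) and derives the implied doubling time and time to saturation. The logistic model itself, and an outbreak starting from a single host, are assumptions; the point for a defender is that a spread doubling every half hour outruns any manual response, so patching before the worm arrives is the only timely control.

```python
"""Logistic (random-constant-spread) model of a Code Red-style worm.

Added example, not from the article. Assumptions: spread follows the
textbook logistic model dI/dt = beta * I * (1 - I/N); the outbreak starts
from a single host; N and the peak rate are the article's rounded figures.
"""
import math

TOTAL_HOSTS = 350_000        # hosts infected in the two-day window (article)
PEAK_PER_MINUTE = 2_000.0    # peak observed infection rate (article)


def beta_from_peak_rate(total_hosts: int, peak_per_minute: float) -> float:
    """A logistic curve peaks at I = N/2, where dI/dt = beta * N / 4."""
    return 4.0 * peak_per_minute / total_hosts


def doubling_time(beta: float) -> float:
    """While I << N the curve is exponential: it doubles every ln2/beta minutes."""
    return math.log(2.0) / beta


def infected_at(t: float, total_hosts: int, beta: float, initial: int = 1) -> float:
    """Closed-form solution I(t) = N / (1 + ((N - I0)/I0) * exp(-beta t))."""
    ratio = (total_hosts - initial) / initial
    return total_hosts / (1.0 + ratio * math.exp(-beta * t))


def minutes_to_fraction(fraction: float, total_hosts: int, beta: float, initial: int = 1) -> float:
    """Invert the closed form: minutes until I(t)/N reaches `fraction`."""
    ratio = (total_hosts - initial) / initial
    return math.log(ratio * fraction / (1.0 - fraction)) / beta


def peak_rate_check(total_hosts: int, beta: float, minutes: int = 2 * 24 * 60) -> float:
    """Largest one-minute jump in the simulated curve; sits just under the fitted peak."""
    curve = [infected_at(t, total_hosts, beta) for t in range(minutes + 1)]
    return max(b - a for a, b in zip(curve, curve[1:]))


if __name__ == "__main__":
    beta = beta_from_peak_rate(TOTAL_HOSTS, PEAK_PER_MINUTE)
    print(f"contact rate beta      : {beta:.4f} per minute")
    print(f"early doubling time    : {doubling_time(beta):.1f} minutes")
    print(f"time to 99% saturation : {minutes_to_fraction(0.99, TOTAL_HOSTS, beta) / 60:.1f} hours")
    print(f"max one-minute jump    : {peak_rate_check(TOTAL_HOSTS, beta):.0f} hosts")
```

With the article's figures the fitted curve doubles roughly every 30 minutes and reaches 99% of the final population in about 13 hours, well inside the two-day window the article reports.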