February 26, 2001, 10:53 AM — LIKE MANY OF YOU, I have to juggle a lot of balls, and I don't have time to do all the reading necessary to stay current with industry trends. I do try to regularly browse various news sites to find out what's happening in the "real world," but I have to confess that I don't subscribe to many security newsletters because I don't have time to read them even when they're delivered by e-mail. In fact, I've been battling inbox overflow for several months and finally started to set aside a few hours each week just to figure out which messages need follow-up. At the rate I'm going, I should be caught up sometime in the year 2037, but only because, if I'm still alive, I'll be so old that I'll need less sleep.
For the last few weeks, I've been doing the trade show circuit, fighting deadline monsters, and nursing a broken toe, so my daily reading has slipped even more than usual. It wasn't until the days that some folks refer to as "the weekend" rolled around that I had the time to read about my current favorite for Nervy Hack of the Year. I'm referring to the recent DDoS (distributed denial of service) attack on Network Associates, when the hostile code piggybacked on a BugTraq mailing list.
I can't tell you how good it felt to be a slacker when I heard about this. Ordinarily, a sick combination of Catholic guilt and Puritan work ethic makes me feel as if I should be checking out exotic and varied information sources during every available waking moment. Then something like this comes along and makes me want to go back to the good old days of receiving information solely by the printed page. After all, the only chance I'll have of catching a virus that way is if the mail carrier sneezes on me.
For those of you who, like me, missed the initial reports of the "BugHaq," I'll tell you how it unfolded.
On January 31, a DDoS assault was launched against Network Associates' DNS server. The attack lasted for nearly 90 minutes, and, although users had difficulty connecting to Network Associates' Web servers, the site never went completely offline. This attack followed two related incidents involving Microsoft's DNS records the week before and revelations of holes in Berkeley Internet Name Domain (BIND), the most widely used implementation of DNS.
But what makes the latest assault so chilling is that the "zombies" -- most DDoS assaults rely upon co-opting the systems of innocent third parties as a way to foil any tracing of the attack -- were subscribers to BugTraq's security mailing list.
Although it's still not known how many of BugTraq's 37,000 subscribers were used as "human shields," it is certain that the attackers planted a Trojan horse in an attachment that described a DNS security hole which attackers might exploit.
This scenario could be repeated in the future because BugTraq moderator and SecurityFocus.com CTO Elias Levy indicates that he's going to stick to a hands-off policy regarding the source code that passes through his list.
Although I sympathize with Levy's predicament, I find his position rather troubling because BugTraq is actually publishing the code by sending it out as an attachment. In essence, BugTraq's newsletter is what lawyers would call a "proximate cause" of the attack; it could not have happened if Levy or his agent were vetting the code before including it in the newsletter. And that attack probably wouldn't have happened on such a large scale if the code had been available as a link to a Webb site for those who wanted to examine it, instead of as an attachment shipped willy-nilly to every subscriber, regardless of who wanted it.
Before you hit that Send button to tell me what an idiot I am, let me toss out a few more thoughts. First, I am not saying that BugTraq or Elias Levy are awful or menaces to society; if anything, I'm more inclined to defer judgment. I realize that having a knowledgeable person pore over every line of source code is a formidable, and perhaps impossible, standard. Levy's lawyers are probably telling him that the hands-off, at-your-own-risk policy might be the only way to go. In fact, I'd rather have open dissemination of information than rampant secrecy; obscuring security flaws only gives them an atmosphere in which to spread -- not unlike what happens in a damp, mildewy basement.
There is no "risk-free" answer to the conundrum of disseminating valuable security information while keeping subscribers insulated from dangerous situations. Either you put your head in the sand and pretend that it's somebody else's problem, or you take an active approach and get a few bruises in the process.
