August 1, 2003 4:21 PM PDT
Waiting for the worm to turn up
The black clothes go with the security territory at the Black Hat Security Briefings; the fatalism comes from waiting for a worm writer to take advantage of a widespread Windows vulnerability.
The vulnerability, in a component of Microsoft's operating system that allows people to remotely access certain functions on a computer--such as printing and file sharing--was made public by the software giant on July 16. Nine days later, a hacking group in China and an American security researcher released code that exploits the flaw.
Security experts are now just waiting for the other shoe to fall. The fear: The DefCon hacker convention being held this weekend will be the trigger for some online vandal to write a worm.
"Oh yeah, there is a lot of awareness right now," said Marcus Sachs, cybersecurity program director for the U.S. Department of Homeland Security. "We definitely have the three watches paying attention."
The three watches are the Federal Computer Incident Response Center (FedCIRC), the National Communications System (NCS) and the National Infrastructure Protection Center (NIPC).
The Department of Homeland Security issued an alert earlier this week warning companies and government agencies to lock down their systems.
"Because of the significant percentage of Internet-connected computers running Windows operating systems and using high-speed connections (DSL or cable, for example), the potential exists for a worm or virus to propagate rapidly across the Internet carrying payloads that might exploit other known vulnerabilities in switching devices, routers or servers," the agency warned.
Microsoft personnel at the conference also carried an air of fatalism about the worm. Members of the Secure Windows Initiative said that the company was on watch. Other sources indicated that the company was taking extraordinary steps, such as requiring employees to patch their machines quickly or risk being disconnected from the corporate network.
The software giant had been hit hard by the SQL Slammer worm, a self-spreading program that took advantage of a six-month-old flaw that even Microsoft hadn't completely excised from its systems.
A security manager from a large financial firm said that the patching process was being slowed by the large number of computers that had to be fixed.
"We are making progress," he said. "But we still only have half our systems patched."
The gloomy outlook is not universal. A systems administrator for a university research institute said that his group had machines patched and had added firewall rules to limit the potential of being hit.
"If we aren't ready now, we never will be," he said.