Security Experts On Alert for Large-Scale Hacker Assault

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  
The security industry is on alert that an upswing in hacker activity could be signaling thecoming of a broad-scale attack that could potentially affect millions of networks.

The increased hacker activity is pinpointing a vulnerability in Microsoft Corp.'s Windowsoperating system. A problem with the Windows RPC Interface Buffer Overrun was firstdisclosed on July 16. Security experts say hackers started experimenting with thevulnerability almost immediately, and the rate of system probes and online chatter about thevulnerability has been skyrocketing.

''We're very concerned,'' says Dan Ingevaldson, an engineering manager with Altanta-basedInternet Security Systems, Inc. ''Administrators have a window of time to fix their systems,but that window is getting smaller... We think there's a risk here to the entire Internet.''

There's enough of a wide-scale risk that the Department of Homeland Security (DHS) is onalert. David Wray, a DHS spokesman, says his people have been monitoring the situation andare in direct contact with the security community, as well as with industry.

''We're seeing an Internet-wide increase in probing that could be a search for vulnerablecomputers,'' says Wray. ''It could be a precursor and it bears continued watching... Itcertainly could be serious. It could lead to the distribution of destructive, malicious codeand it could cause considerable disruption.''

But Wray and security experts agree that the situation could be defused if IT managers andindividual consumers immediately download and install the patch that Microsoft has issuedfor the RPC vulnerability.

The vulnerability itself, which affects Windows NT, Windows 2000 and Windows XP machines, isa serious one.

Qualys, Inc., a security auditing and vulnerability management company based in RedwoodShores, Calif., has rated the Windows flaw as the most critical one out there right now.Gerhard Eschelbeck, CTO of Qualys, says it involves the most prominent protocol used in theWindows environment and leverages highly exposed ports

Ingevaldson notes that the vulnerability is unique in that it affects both servers anddesktops, expanding the reach of any exploit that takes advantage of it.

''We haven't seen much of that before this,'' says Ingevaldson. ''It's the first majorvulnerability that crosses the line between desktops and servers. It's a core component ofthe operating system.''

And Ingevaldson says there's a lot of potential for damage here.

''Look at SQL Slammer,'' he adds. ''That affected between 100,000 and 300,000 machines.There's a lot more Windows XP and 2000 out there. There's a very large pool of vulnerablemachines. Millions potentially.''

And that kind of potential is drawing a sizable amount of attention from the hackercommunity.

Chris Belthoff, a senior security analyst with Sophos, Inc., a security and anti-viruscompany based in Lynnfield, Mass., says there hasn't been an increase in virus or wormactivity yet, but they are seeing a major increase in system probes. Hackers are poking intocomputers and networks around the world to see what systems are in place and whatvulnerabilities haven't been patched.

The hackers have been experimenting with the exploit, says Ingevaldson, who has seen severalversions of the same tool that is being used to prod at the vulnerability.

And Qualys' Eschelbeck says they have been monitoring online chatter about the vulnerabilityin the hacker community. ''There's a lot of creativity being put in right now to make theexploit more powerful... and hit on a wider scale,'' he says. ''It's a strong indicator thatthings are in the making.''

Most agree that the exploit would come in the form of a worm, since the vulnerabilitydoesn't lend itself to a Denial-of-Service attack.

What security experts aren't agreeing on is if the probes and increased hacker activity iscoming from one person or an organized group. The Department of Homeland Security isreporting that there's no evidence at this point that it's an organized attack or that it'sa matter of international terrorism.

But Sophos' Belthoff says it does ring of an organized effort.

''My guess is that it's a number of people,'' he says. ''It's not just an individual persondoing all these probes to assess vulnerability levels. The probes are distributed. Thenormal level is pretty high and this is way above that.''

Belthoff adds, ''It's a race against time and the potential for a new, big worm outbreak.''