Expert Says Windows XP Aids Vandals

June 4, 2001 - The Internet is sustaining a growing plague of attacks that overwhelm Web sites by flooding them with data, and an Internet security expert is warning Microsoft that the planned consumer rollout of its Windows XP operating system for personal computers could make the global network even more vulnerable.

The software, which Microsoft plans to begin selling in the fall, adds some powerful Internet-connection capabilities that the security expert has urged the company to remove before putting the product on the market. The new features, he says, make server computers more susceptible to a type of Web intrusion known as a distributed denial of service attack, in which attackers remotely commandeer hundreds of personal computers connected to the Internet and use them to release a disabling deluge of data against a specific Web site.

Such attacks gained visibility last year when popular commercial Web sites like Amazon, CNN, Yahoo and eBay were briefly knocked out of service by streams of hostile data. The attacks have continued this year, with the victims including Microsoft's corporate Web site and its MSN.com service. And a recent study by the San Diego Supercomputer Center indicates that this method of attack, whose blueprint is readily available in the computer underground, is alarmingly on the rise.

The security expert, Steven Gibson, said he feared that widespread use of Windows XP in its current form would create a powerful network communications standard that attackers could widely exploit, particularly as more consumers use high-speed phone lines or cable modems and keep their computers almost continuously connected to the Internet.

"Nothing more than the whim of a 13-year-old hacker is required to knock any user, site or server right off of the Internet," said Mr. Gibson, who warned Microsoft after a denial-of-service attack recently disabled his company's Web site for 17 hours.
He said the attacker in fact identified himself as a 13-year-old who had decided to cripple the company's site after reading derisive comments about young hackers that he believed Mr. Gibson had made.

Microsoft executives responded that they respected Mr. Gibson's opinions but that the network security features of Windows XP were strong enough to deter widespread attacks of the kind he feared.

Mr. Gibson, a longtime software designer, heads the Gibson Research Corporation in Laguna Hills, Calif., a publisher of Internet security software. His Web site, grc.com, provides a colorful account of the attack, which began on Friday evening, May 4 and continued into the next day. He said that he and his Internet service provider were finally able to stop the attack by filtering out the malicious packets of data, which they determined were coming from various unsecured Windows-based PC's on the Internet that the hacker had commandeered without their owners' knowledge.

Newer versions of Windows, including Windows 2000, designed for office PC's, and Windows XP have enhanced programming to link computers to the Internet. That software can potentially give mischievous or malicious programmers greater flexibility to send out torrents of fake data streams with false addresses. Mr. Gibson said the identifying characteristics of the data that had enabled him to filter out the packets would be far more difficult to detect in the newer versions of Microsoft's operating systems.

"When those insecure and maliciously potent Windows XP machines are mated to high-bandwidth Internet connections," he wrote on his Web site, "we are going to experience an escalation of Internet terrorism the likes of which has never been seen before."

Microsoft argues that Mr. Gibson is misplacing the blame. "We had an exchange with him two or three weeks ago," said Steve Lipner, manager of Microsoft's Security Response Center. "We feel he's focused on mechanism rather than effect.
The more fundamental issue is whether I can get hostile code running on your machine. If I can't, then there isn't a problem." Mr. Lipner said the enhanced security features also included in the new versions of Windows would make the machines more difficult for attackers to remotely commandeer.

Some other security experts questioned whether the remedies Mr. Gibson is seeking from Microsoft would solve the problems. Peter G. Neumann of SRI International, a research firm in Silicon Valley, said that the network vulnerabilities go far deeper than the enhanced communication features of Windows XP.

"This is just one more example of how flaky our computer-communication infrastructures are," Mr. Neumann said. He asserted that more robust hardware and software must be designed from the ground up with defense against denial of service and other attacks in mind, instead of dealing with the issues as an afterthought.

Few would dispute, however, that there is a growing Internet security threat, particularly as more users have high-speed network connections that encourage them to keep their computers almost continuously online, whether they know it or not.

In three weeks of observation in February, researchers at the San Diego Supercomputer Center at the University of California at San Diego recorded nearly 13,000 attacks against 5,000 Web sites. At any one time, there were some 40 attacks under way. The attacks tended to be brief, with 90 percent lasting less than an hour. But 2 percent of the attacks spanned a period of days, or even weeks, said the authors of the report. And the researchers noted that they believed their methods probably missed many variants of denial of service attacks, and so the estimates were conservative — perhaps only half of the actual total.

"So-called denial of service attacks are a growing problem, and are particularly difficult to fight," said Stefan R.
Savage, an author of the report and professor of computer science at the University of California at San Diego. "It undoubtedly has grown," he said. "Nobody had heard of denial of service attacks three or four years ago."

A distributed denial of service attack involves a network intruder's breaking into a wide number of machines connected to the Internet and then directing them to send streams of data packets at a target computer. The owners of the hostage computers most likely will not know that their machines are being subverted. Such an attack floods the target system with millions or even billions of messages that tie up its resources, keeping legitimate users from gaining access to the site.

Strategies for countering such attacks are limited, Mr. Savage said. He said he was skeptical about the proposed Microsoft approach, which involves improving Internet security and its many machines worldwide to prevent their being used as zombies.

"Ultimately, I'm pessimistic about that approach," he said. "There are hundreds of millions of machines out there, and getting everyone to secure them is a hopeless task."

Another approach involves automating the steps that Mr. Gibson took during the May 4 attack: figuring out which incoming packets of data are linked to the attack and filtering them out. That approach is being tried by a company Mr. Savage co-founded, Asta Networks, and also by companies like Mazu Networks in Cambridge, Mass.

But those approaches succeed or fail on the quality of the filter used to distinguish the digital babies from the bath water, and Mr. Savage described it as a daunting task. "Unfortunately, there's nothing in these packets that says, 'Hi, I'm a bad packet.' "

By JOHN MARKOFF and JOHN SCHWARTZ
Copyright 2001 The New York Times Company
http://www.nytimes.com/2001/06/04/technology/04FLAW.html?pagewanted=print