Home page logo

isn logo Information Security News mailing list archives

Snooping Isn't E-Mail Delay Cause
From: InfoSec News <isn () c4i org>
Date: Wed, 26 Sep 2001 03:39:57 -0500 (CDT)


By Michelle Delio 
10:25 a.m. Sep. 25, 2001 PDT  

E-mail delivery has been particularly sluggish during the past two
weeks. Messages have arrived at their destinations hours after being
sent, sparking speculation that new surveillance programs by
government intelligence agencies might be responsible for the sudden

But in truth, most transmission delays can be traced to the recent
spate of e-mail and server worms that primarily attack Microsoft
products -- so much so that one prominent technology research firm
recommended Tuesday that businesses switch to server software other
than Microsoft's IIS until the company completely rewrites the program
from the ground up.

The United States and other governments have said that surveillance of
electronic communications will play a part in their battle against
terrorism, and President Bush warned the media on Monday that the
methods of intelligence gathering will "remain guarded."

"My administration will not talk about how we gather intelligence, if
we gather intelligence and what the intelligence says," Bush told the
media at Monday's press briefing. "That's for the protection of the
American people."

But despite the secrecy, blame for any of the currently bogged-down
networks doesn't seem to be attributable to Big Brother. Security
experts said they doubt the government would want or even be able to
scan everyone's e-mail, and also noted that any e-mail surveillance
would probably be undetectable to users.

Any slowdown is more likely due to the brat pack of worms that have
been hitting Internet servers hard, coupled with increased Internet
use by people seeking news, according to both security experts and
Internet service providers.

Isolated equipment damage following the destruction of the World Trade
Center may also be a factor.

"At this point, speculation that any law enforcement surveillance
system is causing Internet performance issues is just that -- pure
speculation," said Joel Scambray, managing principal of security firm
Foundstone. "Especially after the events of Sept. 11, from which
several service providers are still trying to recover.

"Couple this with the ongoing effects of the Code Red, Nimda, and
SirCam worms, and such speculation becomes even more tenuous.

"There is the potential that some ISPs have implemented re-routing of
their network architectures to provide a single inspection point
through which all mail must pass -- which could account for some
bottlenecks -- but I have seen no reports of this," Scambray added.

Scambray and other experts believe the slowdowns that some people have
noticed are most probably caused by Nimda and Code Red worms, along
with any other extraneous worms or viruses that may be making the

Internet service providers such as Road Runner, Earthlink and Excite
have sent alerts to their broadband customers attributing network
slowdowns to the effects of these worms which overload networks by
constantly searching other computers to infect.

Meanwhile, antiviral software companies released alerts about a new
worm on Monday. Known as the "Vote Virus," (Win32.Vote.A () mm) the worm
arrives in an e-mail attachment. The body of the message asks people
to open the attachment in order to cast their "Vote To Live in Peace!"

The attachment is actually a Visual Basic script, similar to the
"ILOVEYOU" and Anna K. viruses. Although some companies have ranked it
as a high threat, very few infections have been reported, because most
users understand that they shouldn't open attached .exe files.

The worm only infects Windows operating systems through Microsoft's
Outlook e-mail program.

"It's not any Big Brother snooping device that's causing this
(slowdown), but the resulting mess caused by the world using very
exploitable software from Microsoft on public networks," said Richard
Forno, chief technology officer for Shadowlogic and co-author of
Incident Response and The Art Of Information Warfare.

Only computers that run unpatched Windows 2000 and NT operating
systems using Microsoft's IIS Web server software are vulnerable to
infection by Code Red and Nimda. (Nimda, a worm with multiple
infection capabilities, can also infect computers using Windows
operating systems and Microsoft's Outlook e-mail program or
Microsoft's Internet Explorer Web browsing software.)

Some Linux and Mac users who run emulators -- programs that allow
users of one operating system to run programs intended for other
operating systems -- have also been infected by Nimda.

Gartner, a technology research and advisory firm, released a report on
Tuesday recommending that businesses switch to non-Microsoft Web
server (IIS) software in the wake of this summer's worm attacks.

The report stated that "viruses and worms will continue to attack IIS
until Microsoft has released a completely rewritten, thoroughly and
publicly tested, new release of IIS.... This move should include any
Microsoft .NET Web services, which requires the use of IIS."

Gartner officials believe this rewriting will not occur before the end
of 2002 at the earliest. Microsoft officials have repeatedly said that
Windows XP (some versions of the new OS include IIS) and .Net will be
carefully tested for security exploits.

Besides worms, Net speed may have been affected because of the
physical effects of the Sept. 11 attacks, William Knowles, a senior
analyst at C4I.org, a private computer security and intelligence
group, said.

"Several of the big providers had equipment in the World Trade Center
basement and microwave antennas on the roof. And providers around the
WTC area were forced to shut down operations because the dust and
debris were clogging the air-conditioning intakes for cooling the
servers," Knowles said.

Problems on these small areas of large service providers' networks
could affect the rest of the Internet.

If the government were snooping, they'd most likely be intercepting
electronic communications with the intelligence-gathering systems
known as Carnivore and Echelon.

The United States has admitted that Carnivore exists and has even
released the details on how the system works, but will not comment on

Carnivore, also known as DCS1000, is akin to a phone wiretap, and uses
a commercial "packetsniffer" program to grab data.

Information that moves across the Internet is processed in small
chunks called "packets." Packetsniffers can capture those chunks of
data as they are transmitted. Malicious hackers and intelligence
agencies use packetsniffers to intercept data; network administrators
use them to analyze network performance.

But sniffers do not noticeably affect network performance since the
data passes right "through" sniffers. Data isn't physically grabbed
from the Internet, processed and then re-released.

"I don't really believe that Carnivore would be the cause for any
network traffic slowdown unless it -- as a sniffer -- is sucking and
processing every single bit of data on every single ISP, which is a
nearly impossible thing to do undetected," said Forno, who has acted
as an adviser to the Department of Defense on information warfare.
"Not to mention that the processing power required to do this would be
extraordinary, if not existing only in fantasy."

Forno also said he thinks Carnivore isn't very effective.

"All Carnivore will do is keep honest folks honest," Forno said.
"Power users who value their online privacy and cyber-criminals with
half a clue already know how to get around it."

Forno said that scanning by Echelon is also unlikely to be responsible
for any slowdowns. Echelon gathers information from phone calls, faxes
and e-mail primarily through a global satellite-based
telecommunications network, using the same sort of packetsniffer
protocol as Carnivore does.

Some believe that Echelon -- operated by the United States, Britain,
Australia and New Zealand - also isn't as capable or scary as some
news reports have indicated.

Last year, a European parliament committee conducted a year-long
investigation to find out exactly how extensive and effective the
Echelon system is.

The committee came to the conclusion that while Echelon is effective,
it can intercept "only a very limited proportion" of the ever-growing
amount of electronic communications that moves across the Internet and
through phone lines.

"Echelon is an over-hyped intelligence program that's been in place
for over 50 years," Forno said. "The media and conspiracy theorists
love to make Echelon out to be this all-encompassing new spook
project. Simply put, it's nothing new."

The U.S. government seems to agree.

Attorney General John Ashcroft told Congress on Monday that laws have
not kept up with advances in technology, and law enforcement officers
are armed with "antique weapons" in the battle against terrorism.

He urged Congress to pass a package of new laws that would give law
enforcement officers expanded powers to tap telephones, conduct
searches, seize assets and detain suspected terrorists.

Many lawmakers agreed with Ashcroft that some tougher measures were
needed, but also said they did not want to trample civil liberties in
the process.

"Past experience has taught us that today's weapons against terrorism
may be tomorrow's weapon against law-abiding Americans,"
Representative John Conyers of Michigan said in response to Ashcroft's


ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

  By Date           By Thread  

Current thread:
  • Snooping Isn't E-Mail Delay Cause InfoSec News (Sep 26)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]