Today, November 2, 2008, is the 20th anniversary of “Black Thursday” – a significant, defining moment in Internet and information security history. On this day in 1988, the Robert Morris Jr. worm was unleashed on the Internet. Sometimes called the Great Worm, this was the first time that the world had proof of what we all knew to be true: significant damage could occur if a malicious party exploited known vulnerabilities across the network en masse. As silly as it sounds now, prior to that date we always talked about how a worm “could” happen; now we fret about “when.”
RTM’s worm brought significant change to the Internet world. The damage it caused (possibly upwards of $100M) and media attention it received ultimately provided the foundation for much of what we know as modern-day, non-military Information Security. For the first time ever, the Internet became well-known to the mainstream media. DARPA provided funds to form CERT at Carnegie Mellon, which also directly or indirectly resulted in most clueful organizations establishing their own information security or security incident response teams. Many of the security standards we take for granted are based on early work done at CERT. I’ll save the debate about whether the worm was ultimately good or bad for our community as a whole for some later post.
Personally, this date also marks the start of my career in Information Security. I was in the Computer Science system support group at the University of Colorado at the time, and vividly remember sleeping on my office floor for the last half of that week. Our primary production systems – mostly VAX 11/780s, 11/750s, and Sun 3s – were all infected. Lacking any formal incident coordination and communication infrastructure, we reached out to our friends at UC Berkeley and the University of Utah to collaborate on how to contain and mitigate the situation. We provided data to the teams working on dissecting the worm, some of which ultimately led to Donn Seeley’s USENIX paper, which is still regarded as the most complete and accurate technical analysis.
It’s great to reminisce about history, but where are we 20 years later? Although I’m not currently planning on sleeping on my office floor tonight, ironically, today I am again worried about the potential for a worm to spread uncontrolled due to a lack of patching. Specifically, the vulnerability in the Microsoft MS08-067 bulletin, released out-of-cycle 11 days ago, represents a significant threat to almost every Windows system out there. In the last week, I’ve heard all the same arguments against patching that we heard 20 years ago — too much effort, too much risk to availability, not enough threat.
It’s true that overall we have better mitigating controls in place than we did 20 years ago — most organizations have a firewall, virus protection, an incident response plan, and maybe even IDS/IPS. The bottom line, though, is that none of this eliminates the need for patching serious vulnerabilities. As an industry, we MUST patch known serious vulnerabilities, and it takes the same amount of time to patch them now as it does later. It’s just a question of whether you want to suffer the pain and embarrassment of looking like a fool in the interval between doing it “now” vs. “later.”
I admit to being an “old dog” (and certainly, this particular anniversary rubs that in) but personally, I’d rather make the effort to apply a patch than look like a fool. Any day.