Vmyths.com



Truth about computer security hysteria

[Editor's note: Turn down the volume if you listen to the audio version of this column. Don't say we didn't warn you... ]

NostradamISS

Rob Rosenberger, Vmyths co-founder
Thursday, 28 February 2002

PATRICK GRAY WORKS for ISS — or "NostradamISS" as I like to call them. Gray regularly sends "AlertCon" emails to announce his firm's "Internet threat level" predictions.

The constant stream of ISS "AlertCon" emails can be summarized in five words: "THERE MIGHT BE A WOLF!"

NostradamISS stood at AlertCon 2 as a precaution on New Year's Day 2002. "AlertCon 2 means increased vigilance/action required due to focused, patterned attacks," the company explains on its website. They dropped to AlertCon 1 on 4 January and stayed there until 11 February. "AlertCon 1 reflects the malicious, determined, global, 24x7 attacks experienced by all networks."

Or, to summarize AlertCon 1 in a single word: "normal."

ISS jumped to AlertCon 3 as a precaution on 12 February. Their website reveals it "means increased attacks against specific targets or vulnerabilities on a scale that is unusually high, immediate action required." What would justify such a dire AlertCon?

ISS "has learned of a powerful SNMP (Simple Network Management Protocol) attack tool that may be circulating in the computer underground," Gray's email alert warned. "The circulation of this tool may lead to the widespread use of new exploits to crash or compromise vulnerable systems," he went on to say. "Nearly every operating system, router, switch, cable or DSL modem, and firewall is shipped with an SNMP service."

Or, to summarize Gray's concern in a single word:

"WOLF!"

Such is the threat posed by the devastating, critical, hideous, catastrophic, unprecedented, horrifying, deadly, macabre, serious exploit lurking deep within the bowels of SNMP. One of Gray's coworkers — an ISS comic book superhero known only as "Chris Rouland" — almost blew a gasket when he talked to a reporter about the SNMP threat. "This is the most widespread security vulnerability I can ever remember being reported," he wailed.

(Rouland has a short memory, but let's not digress.)

Gray breathed a sigh of relief in an email alert two days later. "We have lowered the AlertCon to 2 as we have not yet observed an abnormal increase in SNMP traffic," he announced. "However, the threat of the SNMP vulnerability remains very high and if an increase in activity is detected, we will increase the AlertCon accordingly."

Computer security firms earn valuable media exposure when they tie themselves to the world of physical terrorism. The media eats it up.

ISS remained vigilant at AlertCon 2 all the way through 25 February. They meticulously scanned the Internet for SNMP catastrophes, and Gray issued seven more email alerts to remind netizens of his anticipations.

On 26 February, Gray announced ISS lowered the "projected" threat level to AlertCon 1. "The threat of an exploit against the recently published SNMP vulnerability still remains," he reiterated. "However, we presently are not observing any indicators from our Global Sensor Database that the vulnerabilities are being actively exploited."

In other words, the actual Internet threat remained "normal" during higher AlertCons. Yet the return to peaceful bliss at ISS lasted for only a day.

The Internet jumped to AlertCon 2 as a precaution on 27 February "because of a vulnerability found in the PHP (Hypertext Processor) scripting language," Gray warned. Naturally, "the threat of an exploit against the recently published SNMP vulnerability still remains." ISS "anticipate[s] remaining at AlertCon 2 through Saturday, [though] it may become necessary to raise the AlertCon if we observe an increase in the PHP or SNMP related traffic."

I should note Microsoft users generally don't need to worry about these SNMP & PHP vulnerabilities. If, on the other hand, you use non-Windows products ... my condolences.


GRAY'S TEAM PREVIOUSLY ratcheted up to AlertCon 3 as a precaution on 11 September when the twin towers fell.

The firm's clairvoyant ~~psychotics~~ psychics acted on premonitions surrounding Osama bin Virus. "Our monitored networks do not show any unusual activity at this time, but our [Security Operations Centers] are at a heightened state of alert as we watch for any indications that e-commerce is also being targeted," an [unnamed] ISS spokesman said.

Or, to summarize Gray's concern in five words:

"THERE MIGHT BE A WOLF!"

ISS lowered the AlertCon to 2 after Osama failed to strike at the Internet with the speed & venom of a cobra. A week later, though, they re-raised the AlertCon to 3 when the Nimda virus threatened to do what Osama did not.

Gray's team later went back to AlertCon 1 after Nimda fizzled. Again, peaceful bliss lasted for only a day. A deadly "Nimda redux threat" forced ISS to return to AlertCon 2 as a precaution ... but they again scaled back to 1 when the "Nimda redux fizzled."

"AlertCon 4" can be summarized in three words: "DEAD SHEEP EVERYWHERE!"

"Fizzled" comes directly from their website. I don't make this stuff up, folks. I just report it for your amusement.

Gray's team again declared AlertCon 2 for a few days as a precaution when U.S. warplanes started to bomb Afghanistan. This leads to an obvious critique: why didn't they declare AlertCon 3? Surely Al Qaeda's high-tech cave dwellers would martyr their PCs to drive out the American infidels! Surely Osama's cyber-terrorists would take over a satellite and plunge it into the White House or remotely steer a nuclear-powered aircraft carrier into the path of another warship!

NostradamISS waited three days for boolean vengeance to erupt ... but Al Qaeda didn't retaliate with a 500-byte ping packet for every 500-pound bomb. The Internet breathed a collective sigh of relief when the AlertCon dropped to 1.

However, Gray's team returned to AlertCon 2 as a precaution when New York City received a "cyber threat." (Governor Pataki recently declared New York will partially withdraw from the Internet to thwart physical terrorism.) It stayed at AlertCon 2 for four days before dropping back to 1.

At this point you might wonder if ISS has a prediction level higher than 3. You bet! "AlertCon 4 reflects a catastrophic problem for a network or a group of networks whose survival depends on immediate, decisive action." [Emphasis added.] Gray's team went to 4 after they took part in an "unprecedented press conference" where FBI NIPC announced the imminent death of the Internet at the hands of the Code Red worm.

Or, to summarize Gray's concern in three words:

"DEAD SHEEP EVERYWHERE!"

You could almost smell the mint jelly back then. Amazingly, the Internet somehow survived despite a horrifying lack of immediate, decisive action on the part of users worldwide. Go figure.


SO WE STAND right now at AlertCon 2. I pray the Internet survives.

But I won't fret too much — because I know ISS employees will keep their eyes open for danger. Gray's team doesn't know for certain when Wile E. Coyote might show up, but they'll continue to ~~frighten~~ warn RoadRunner users whenever they think it may or may not be safe to travel the information superhighway. ISS remains ever vigilant.

"WOLF!" Heh heh. Did I scare you?