
Thoughts About Slammer

The Slammer worm (also called W32/SQLSlam-A, W32/SQLSlammer, W32.SQLExp.Worm, DDOS_SQLP1434.A, and Sapphire) hit the Internet at about 05:30 GMT on 25th January 2003. Within three minutes it had infected most vulnerable hosts on the Internet. It attacks Microsoft SQL servers, infecting them by sending a specially crafted packet to UDP port 1434.

The rapid rise of Slammer is interesting. Last year, a theoretical paper "How to 0wn the Internet in Your Spare Time" described the Warhol Worm - a worm capable of attacking most vulnerable hosts on the Internet in under 15 minutes by utilising a "hit list" of vulnerable hosts with good connections. Slammer achieved the same in less than three minutes by being small and efficient. The choice of a single UDP packet was particularly interesting - this eliminated the latency involved with creating a TCP connection.

Slammer basically did nothing but spread, so the damage was the consumption of bandwidth and CPU time. The SQL servers that were infected essentially stopped being database servers until they were rebooted and patched. Many Internet users saw a slowdown, and some sites lost contact with the Internet for several hours. This mainly affected sites with an infected SQL server, but some sites with no Microsoft SQL servers were also affected. This appears to be because their ISP's router also served one or more infected sites, and was unable to cope.

Another interesting feature is how quickly Slammer traffic disappeared. Code Red and Nimda stayed with us for months, but Slammer was 90% gone by the end of the day. Partly, this was because it utilised all available bandwidth on the infected machines - if you are using a database for something important, and it stops working, you take action immediately. In contrast, Code Red did not take all the bandwidth, and it infected Microsoft's webserver, which many people used because it was there, and which is installed by default in some circumstances. However, it seems the ISPs should take the main credit: some companies did not fix their servers until after the weekend, but many ISPs took action and disconnected the infected sites, allowing the rest of the Internet to resume working. This is not unreserved praise; the confused reaction of some ISPs revealed their staff were poorly-equipped to react to an incident.

Slammer was also easy to deal with because it used an unusual protocol - almost no normal traffic uses UDP port 1434, so a simple filter blocks it with no side-effects. It also makes it easy to identify infected hosts from the traffic.
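The traffic-based identification mentioned above, as an added example that is not part of the original article: constructed flow records (not a real capture) are scanned for sources that send UDP/1434 to many distinct destinations, which separates a randomly scanning infected host from a legitimate single SQL Server Browser lookup. The record format and the threshold are this example's own assumptions.

```python
from collections import defaultdict

# Constructed flow records for this example (not a real capture):
# "src dst proto dst_port bytes", one line per flow.
SAMPLE_FLOWS = """\
10.0.1.5 192.168.3.7 udp 1434 376
10.0.1.5 203.0.113.9 udp 1434 376
10.0.1.5 198.51.100.2 udp 1434 376
10.0.1.5 192.0.2.44 udp 1434 376
10.0.1.5 203.0.113.77 udp 1434 376
10.0.1.5 198.51.100.130 udp 1434 376
10.0.2.20 192.168.3.7 udp 1434 52
10.0.2.20 192.168.3.7 tcp 1433 1200
10.0.3.3 203.0.113.9 tcp 80 640
"""

def parse_flows(text):
    """Parse the space-separated flow lines into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport, nbytes = line.split()
        flows.append((src, dst, proto.lower(), int(dport), int(nbytes)))
    return flows

def udp1434_fanout(flows):
    """Distinct destinations each source has sent UDP/1434 traffic to."""
    fanout = defaultdict(set)
    for src, dst, proto, dport, _ in flows:
        if proto == "udp" and dport == 1434:
            fanout[src].add(dst)
    return fanout

def suspected_infected(flows, min_distinct_dsts=5):
    """Sources spraying UDP/1434 at many hosts: an infected host scans
    random addresses, while a normal SQL Browser query goes to one server."""
    return sorted(src for src, dsts in udp1434_fanout(flows).items()
                  if len(dsts) >= min_distinct_dsts)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src in suspected_infected(flows):
        count = len(udp1434_fanout(flows)[src])
        print(f"{src}: {count} distinct UDP/1434 destinations")
```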

What lessons should we learn from Slammer?

e-Government Mistake

A Bill that will have important effects on the development of the knowledge-based economy in Hong Kong quietly passed through Legco (Hong Kong's parliament) on 26 February. In line with the Government's policy of using information technology to improve Government services to the public, it aims to encourage more taxpayers to file tax returns through the Electronic Services Delivery (ESD) Scheme. With such a worthy aim, it may come as a surprise that Hong Kong's Professional IT bodies opposed it.

The Bill goes by the snappy name of the Inland Revenue (Amendment) (No. 2) Bill 2001, and the background leading to its introduction is similar to events in other jurisdictions. I personally think the IT bodies are right to oppose it because, although its aim is good, it backfires, and will have the opposite effect.

An electronic signature is something that can replace a handwritten signature. A digital signature is one type of electronic signature, which is defined in the Electronic Transactions Ordinance, and a digital signature is valid in Hong Kong if it is supported by a digital certificate from a Recognised Certification Authority, such as Hongkong Post (who call their digital certificates e-Cert). Since January 2001, people have been able to submit their tax returns electronically by using their digital signature. Unfortunately, not many people have applied for an e-Cert, and fewer still have used them to sign their tax returns. Issues like user-friendliness, the need to renew the cert every year, and the application fee have discouraged people from using digital signatures. The low number of e-Cert users has resulted in very few e-Commerce and e-Government applications being developed. This has also been the experience in other parts of the world.

The Amendment aims to provide people with an easier way to submit tax returns electronically. It allows a 6-digit password to be used as an electronic signature, thereby encouraging more people to take advantage of e-Government. Passwords are simple and easy to understand.

Passwords are also horribly weak - a 6-digit number can only have one million different values, and one million is hardly a large number for today's computers. People also tend to mismanage their passwords, weakening the security still further: they write them down, or choose an "obvious" password, or use the same password on more than one system. But how much security is really needed to protect your tax return? There is no such thing as a perfect security system. Each system needs to be evaluated in terms of the risks involved. The worst-case scenario is that, after a fair amount of effort, an attacker could submit an invalid tax return for a victim. The incident would be discovered when the victim submitted their real return, and, after a certain amount of inconvenience, the situation would be resolved. Since there would be no tangible benefit to the attacker, only minimal security is required, and the proposed system provides that.

But the Amendment is not proposing an isolated system; it will have effects on the adoption of e-Government and e-Commerce in the region. It will be detrimental to the promotion of e-Government, e-Commerce law, promotion of IT usage, improving the competitiveness of the community and bridging the digital divide.

This password scheme will make it easier to submit a tax return, but when you want to use another e-Government service you will need to apply to be a registered user of that service, and choose a DIFFERENT password. If you want to use a third service, you will need a third password. Using passwords will make individual e-Government services more accessible, but they will be damaging to the progress of e-Government overall. The commercial sector will, to some extent, follow the Government lead, so allowing a password to be a signature for tax returns will encourage companies to use similar methods, and the progress of e-Commerce overall will be damaged.

The IRD Amendment also sets the precedent that a "shared secret" can be used for non-repudiation. A "shared secret" is a code known by both the authorised user and another party (here, the IRD). Non-repudiation means that it is not possible to later claim that the signature is invalid. Logically, this makes no sense: a number that is known to both the taxpayer and the IRD, when attached to a tax return, cannot "prove" that the taxpayer intended to make that tax return. In the context of a tax return, it does not matter much - if someone later claims that they did not make the return, then they are guilty of not making a tax return instead. In the context of the wider society, the precedent is dangerous: lazy system designers can use it to justify bad designs, and judges could be persuaded by arguments based on it.
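The non-repudiation argument above, as an added example that is not part of the original article or of the IRD's scheme: with a shared secret, whoever can verify the tag can also create it, so the tag proves nothing about who made it; with a public-key signature the verifier holds only the public key. The HMAC tagging and the toy textbook RSA with tiny primes are this example's own constructions, for illustration only.

```python
import hashlib
import hmac

# --- Shared-secret "signature": taxpayer and IRD both hold the 6-digit PIN ---
def tag_return(pin: str, tax_return: bytes) -> str:
    """Produce the tag the taxpayer attaches (HMAC keyed by the shared PIN)."""
    return hmac.new(pin.encode(), tax_return, hashlib.sha256).hexdigest()

def verify_shared(pin: str, tax_return: bytes, tag: str) -> bool:
    """The IRD checks the tag; note it needs the same PIN the taxpayer used."""
    return hmac.compare_digest(tag_return(pin, tax_return), tag)

def forge_as_verifier(pin: str, fake_return: bytes) -> str:
    """Anyone holding the PIN (including the verifier) makes a tag that is
    byte-for-byte what the taxpayer would have made: no non-repudiation."""
    return tag_return(pin, fake_return)

# --- Toy textbook RSA (tiny primes, no padding): illustration only ---
P, Q, E = 61, 53, 17
N, PHI = P * Q, (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                 # private exponent, held only by the signer

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign_private(msg: bytes) -> int:
    return pow(digest(msg), D, N)       # needs D: only the key holder can do this

def verify_public(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest(msg)   # needs only (E, N): verifier cannot forge

if __name__ == "__main__":
    ret, pin = b"2002/03 return: salary 500000", "123456"   # constructed sample
    tag = tag_return(pin, ret)
    print("IRD verifies taxpayer tag:", verify_shared(pin, ret, tag))
    fake = b"2002/03 return: salary 1"
    print("IRD-made tag also verifies:",
          verify_shared(pin, fake, forge_as_verifier(pin, fake)))
    sig = sign_private(ret)
    print("Public-key check, genuine / tampered:",
          verify_public(ret, sig), verify_public(ret, (sig + 1) % N))
```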

The IRD Amendment will be counter-productive in the promotion of IT usage and bridging the digital divide. It is easy to forget that promotion of IT usage is not an end in itself. If it were, we could simply set up many more video game centres - the customers are certainly IT users. The intention, surely, is to leverage IT to achieve other improvements. The efforts to promote IT must therefore be directed. Thus, when recycling second-hand PCs to be used by disadvantaged individuals, the donation request specified a minimum system requirement - it was recognised that providing people with DOS or Windows 3.1 and teaching them to use it would not help them in today's technology environment.

By the same token, we should not be leading IT users into the dead-end of password overload. There are many technologies that could be used as electronic signatures; the evaluation must be made on the merits of the technology in question, and we should promote the best available technology. Today, this is digital signatures.

With this in mind, it would be better to explore how to promote the long-term benefit of digital signatures for ordinary users. How about an educational campaign focusing on reducing password overload?

The Amendment will hurt the competitiveness of Hong Kong. Digital signatures are difficult to understand and difficult to start using. The benefits are seen as more parties are dealt with. You can use a digital signature to sign a document to send to anyone - the recipient can use the Certificate to prove who signed it. A marketplace does not exist until everyone can freely trade with everyone else, so digital signatures enable an electronic marketplace by enabling trading between parties with no pre-existing relationship. A territory that has a significant population that understands and can use digital signatures for business, because they already use them in their private lives, will be able to enter the global electronic marketplace quicker and more smoothly.

The Government is also contradicting its own advice and the advice of the United Nations. Several times during the Public Comment period on the Electronic Transactions Ordinance in late 1999, the ITBB gave formal reasons why the use of Digital Signature technology and not the use of Passwords, PINs etc. was the preferred approach. The ITBB said, "digital signature-based technology is the only technically mature technology that provides the security service of ensuring integrity and non-repudiation in an open network environment". The ETO did remain technologically neutral, allowing the use of other technologies when they became more mature, but there have been no technological advances in password security. Quite the opposite, passwords are increasingly seen as a weak link in security.

The "UNCITRAL Model Law on Electronic Signatures with Guide to Enactment 2001" from the United Nations sets out the "best practice" for electronic signature laws. The IRD's proposed system fails to meet the requirements specified for an electronic signature to be considered reliable.

The ETO is a very good piece of legislation, but there has been a failure in following it up with effective promotion of digital signatures in HK. This Bill only addresses the symptoms, but not the root cause of the problem. I hope that professional societies in other parts of the world can be more persuasive in advising their Governments to avoid technological dead-ends.
