The Untold Lesson to Learn From the Latest Virus Attacks

by Tom Snyder on Jun 17, 2000

What do they say about an ounce of prevention? Regular readers of Websight Insight were VERY happy to have read last month’s issue.

As part of our article on e-mail hoaxes, we said:

If you ever receive an e-mail with an attachment that you are not expecting, contact the sender to make sure it’s trustworthy. There are several viruses that secretly attach themselves to e-mails. So don’t just rely on the fact that you know the sender, as they may be sending out a virus to their friends without even knowing it. The rule of thumb is this: If you have any doubt, don’t save it, open it, or run it. It will be harmless if you just delete it (and if delete just sends it to your trash bin, make sure to delete from there, too).

Two days later, the “ILOVEYOU” virus made its rounds as the exact type of virus we warned about! Several copycat viruses followed over the next few days.

Many of our readers e-mailed to thank us for the timeliness of the article as it was just that article that saved them from infection.

Some were not as fortunate. They hadn’t read the article, ended up opening the attachment, triggered the virus and did serious damage to their files. We know this to be true because our tech support department spent most of the next two days disinfecting, restoring, or reformatting client machines.

The most unfortunate, however, were the ones who had read the article, tried to follow the instructions and still got infected. How did it happen? It’s a result of the nature of these viruses, which illuminates a much larger issue: that of security, safety and Microsoft products.

What you don’t hear much about in the media is the fact that these viruses specifically target and exploit weaknesses in the Microsoft Windows operating system, Microsoft Outlook mail reader and other Microsoft applications. While the world was being brought to its knees by this virus, the Linux, UNIX and Macintosh users of the world watched safely (and smugly) from the security of their virus-proof environment. And while users of the Netscape mail reader were spared from the damage caused by the virus by simply not clicking on the attachment, many Microsoft Outlook users got clobbered just by viewing the e-mail… which automatically happens when you select the e-mail for deletion. They didn’t need to click on the attachment; Outlook just launched the attachment all by itself!

Because of its overwhelming and almost invincible market share, Microsoft can get away with selling products with legendary (and self-admitted) security holes, dangerous flaws, and exploitable weaknesses. On a local level, those security flaws manifest themselves in a significant vulnerability to viruses, worms and all sorts of file-damaging maladies for products like Windows, Office and Outlook.

On a larger (and more dangerous) level is the impact that Microsoft has on the future viability of the Internet as a business-to-consumer or business-to-business medium. If Windows is the Achilles heel of the PC, NT is the Achilles heel of the Internet.

Web servers are nothing more than high-powered computers with an always-open high-speed Internet connection. They require an operating system and Web server software. While the overwhelming majority of mission-critical Web servers since the beginning have been UNIX- or Linux-based, Microsoft’s NT/IIS platform/server combination has been growing exponentially in its market share. But it’s not because of any technical superiority. Because NT’s strength (like other Microsoft products) has been its surface-level ease of use, a rudimentary setup can be stumbled through by someone with a much lower level of expertise than that possessed by the typical Linux/UNIX expert.

While an optimally configured NT server can be almost as secure as a Linux/UNIX server, finding the qualified people to administer the Linux/UNIX option is much harder (and more expensive). That forces many companies to go the NT route, hiring an NT “expert” who, while coming for less money, may not possess the necessary skills to optimally configure the server.

Of course, that doesn’t mean that ALL NT people are inferior. There are many certified NT professionals who are very, very good. But, if you’re running NT to host an internal Web site, or a network that’s connected to the Web, yours had better be among those who are very, very good.

Here are just a couple of reasons why (things that the media won’t tell you):

  • It is as easy to find information on exploiting NT’s weaknesses to hack into or crash an NT server as it is to find out how to build a pipe bomb. Hackers and crackers specifically target NT servers for that very reason. And while an improperly set up Linux or UNIX server is “hackable” too, a properly set up box running the latest kernel is much less vulnerable than NT. Holes in Linux are rare because they’re due to a misconfiguration, whereas NT holes are usually just part of the OS default setup, and the only way around them (besides waiting for a new release) is finding and running patches to the OS… something that the less-qualified NT person may not know about.
  • Often you’ll hear about government sites that have been hacked. The implication is that the attackers are anarchists bent on bringing the free world to its knees. While that may be true, many attackers are simply looking for a high profile site to hack and the NT servers that many government sites use provide them with the easiest target.
  • The big buzz during the last holiday season was that someone had hacked into an e-commerce site and grabbed 30,000 credit card numbers. To call that person a hacker was a compliment. Actually he just used an easy exploitation of the NT/Windows architecture to use a local copy of the Microsoft Access database to point to the Web site, open the database and save the entire database to his local PC. It was so easy that one of the hacker’s friends actually sat a CNN reporter down at his machine, talked him through a few simple steps and they were able to grab the credit card database from another NT-hosted e-commerce site.

I was contacted this week for a Microsoft marketing survey, and I could tell by the nature of several of the questions that they are moving in the direction of using NT technology to connect your house, your microwave, your thermostat, your bills and your personal records to outside access (supposedly for your convenience). If it’s that easy for hackers to get into NT servers, there’s simply no way I would ever allow that platform to expose my house or personal information to that high a risk.

You may be saying, “That’s all well and good… you’ve sufficiently dissed Microsoft. Was that your point?”

Partly. The bigger issue is this. While Microsoft products have done a good job of simplifying computers and making the technology more available to the masses, they’ve done so at the expense of security and reliability. And while blue screen errors, lockups and viruses are just an inconvenience on your PC, the inherent problems with NT present much larger consequences for your Web presence. Bad people have learned to take advantage of the weaknesses, and that manifests itself regularly in deliberate crashes, unauthorized replacement of content on your Web site, and theft of personal information.

While our front office uses Windows technology, our Web-hosting operation runs entirely on a Linux platform (administered by extremely talented Linux professionals). Our system is immune to viruses, and has a level of security that allows us to provide our hosting clients an extremely high level of confidence. We’ve experienced less than .005% downtime in the past year.

Over the years we have had a few clients who have made the decision to move their Web presence in-house. In so doing, they have made the decision to migrate it to an NT platform. Downtimes for their sites have immediately become frequent (one site was down for three weeks shortly after a move in-house). Application development costs immediately increased, and support costs (including regular emergency calls to our server department for help) went up, too.

While we are always happy to empower our clients to perform as much of the maintenance on their Web sites as they are able to and comfortable with, we always want to make sure that they are aware of the potential implications of a hosting move in-house. So if you’re thinking of setting up an in-house Web site, don’t rely solely on the Microsoft ads that make hosting a Web site look easy.

And we hope this advice is worth a pound of cure.
