Securius Newsletter

January 13, 2000
Volume 1, Number 2
http://www.securius.com

Where to Find the Y2K Bugs

By Seth Ross
In the wake of the Year 2000 rollover, which didn't cause the end of civilization as we know it, many are wondering what happened to the Y2K infopocalypse we were promised. Some question whether the $100 billion or so spent in the US was worthwhile; others wonder if the whole Y2K bug was a barrelful of hype.

Don't believe the counter-hype/conventional wisdom about the smooth and uneventful Y2K rollover. There were tens of thousands of Y2K incidents, some of them quite serious. None as serious as planes falling from the sky or nuclear plants going critical, perhaps, but endemic glitches, bugs, and date errors nonetheless.

Why haven't you heard about them? Well, why *would* you hear about them? Y2K incidents are similar to computer security incidents - they make the victims look bad. The overwhelming instinct is to cover up these kinds of problems as quickly as possible with minimal public disclosure.

Imagine that you are a corporate IT manager dealing with a severe post-rollover Y2K problem. You're not going to call the New York Times or issue a press release. ("Well, we thought we knew what we were doing.") You're going to fix the problem as expeditiously as possible and hope that word doesn't leak.

This is part of what computer security expert M. E. Kabay calls "the problem of ascertainment." Most computer break-ins - like many calendar problems - go undetected. We know this because some are discovered only long after they occurred, which implies that others are never discovered at all. Even when they are detected, many problems are dealt with discreetly for fear of bad publicity. Kabay guesses that only 10% of computer crimes are detected, and of those, only 10% are reported, which puts roughly one incident in a hundred into any statistic.

Consider for a moment the tremendous increase of computer crime over the past several years, fueled in part by widespread Internet connectivity and the availability of automated cracking tools. Then check out these computer crime stats displayed on the FBI's web site:

Both investigative cases and successful prosecutions have increased significantly. Pending cases have increased 115% from the beginning of FY 1997, from 260 to 559. In FY 1997, there was a 110% increase in informations and indictments (from 10 to 21), 950% increase in arrests (from 4 to 42), and an 88% increase in convictions (from 16 to 30).

These numbers are underwhelming, given the tens of millions of Americans on the net and the amount of online crime and mischief that goes on every day. Clearly, the FBI isn't casting a very wide net. If an organization with the resources of the FBI can't develop a solid profile of computer crime stats, who can?

This raises an even sharper question: How can one assess the risk of computer crime or calendar problems if there's no way to ascertain their scope and severity? How can one develop a computer security plan (and budget) if one doesn't know what the risk of loss is?

The bottom line: Treat Y2K and computer crime statistics with skepticism. The total scope and severity of rollover problems are unknowable - they're not even guessable.

Given the problem of ascertainment, how can one ensure computer security at all?

While it may be difficult or impossible to really know what's happening in the larger world, you can take steps to ascertain what's happening on your local hosts and local network.

Port scanners are one ruthless way to discover the security posture of your network (see the next section). But there are also host-based tools you can run that report on the status of individual personal computers and workstations.

If you run UNIX or Linux workstations, you've undoubtedly run commands like ps, uptime, and netstat to inspect what's happening. You've probably also installed a log-watching program like Swatch and perhaps even a filesystem integrity checker like Tripwire.

If you're running Windows, perhaps you've noticed these simple built-in utilities:

  • Dr. Watson (C:\Windows\Drwatson.exe) - Provides you with a snapshot of what's happening on your system. Pick the "Advanced" option and click on the "Tasks" tab to see what processes are running on your computer. Learn to recognize common tasks (and thus uncommon or potentially malicious tasks).
  • Winipcfg (C:\Windows\Winipcfg.exe) - Displays information about your Ethernet adapter (including address) and host (including name and IP address).
  • netstat (C:\Windows\Netstat.exe) - This simple command-line utility displays current TCP/IP connections (it has to be run at a DOS prompt). The "-a" flag shows all connections and listening ports: LISTENING entries are the ports on which your machine will accept inbound connections, and ESTABLISHED entries are live sessions with the foreign address shown. Here is an excerpt of typical netstat output:
   C:\WINDOWS>netstat -a
     
   Active Connections
     
   Proto  Local Address          Foreign Address        State
   TCP    austerity:1393         s3.red.CERT.ORG:80     CLOSE_WAIT
   TCP    austerity:1396         www.ISI.EDU:ftp        CLOSE_WAIT
   TCP    austerity:1409         example.com:22         ESTABLISHED
   TCP    austerity:nbsession    SROSS:0                LISTENING
   TCP    austerity:1451         smtp.example.com:pop3  TIME_WAIT
   UDP    austerity:nbname       *:*
   UDP    austerity:nbdatagram   *:*

Run these tools on a regular basis to monitor what's running on your computers. Become familiar with the tasks, processes, and listening ports your systems normally show, and be on the lookout for anything that departs from that baseline.
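The regimen in the last paragraph, baseline what is normal and flag what is not, can be scripted. Below is an added example in Python, written for this edit rather than taken from the newsletter: it parses the netstat -a layout shown above, derives a baseline of listening ports and known foreign hosts from a run you have inspected by hand, and reports new listeners, vanished listeners, and connections to unfamiliar hosts in a later run. The "later run" appends two constructed lines (a listener on port 5000 and a connection to unknown.example.net) to the article's excerpt; those lines, like the baseline, are assumptions made for the demonstration and not observations from any real host.

```python
"""Baseline-and-diff for the output of `netstat -a`.

Added example, not code from the Securius newsletter. Parses the column
layout shown in the article (Proto / Local Address / Foreign Address /
State) and diffs a later capture against a baseline. The baseline and
the two "today" lines are constructed for this example.
"""
import re
from dataclasses import dataclass

# The excerpt printed in the article, used here as the baseline run.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    austerity:1393         s3.red.CERT.ORG:80     CLOSE_WAIT
  TCP    austerity:1396         www.ISI.EDU:ftp        CLOSE_WAIT
  TCP    austerity:1409         example.com:22         ESTABLISHED
  TCP    austerity:nbsession    SROSS:0                LISTENING
  TCP    austerity:1451         smtp.example.com:pop3  TIME_WAIT
  UDP    austerity:nbname       *:*
  UDP    austerity:nbdatagram   *:*
"""

# Constructed "later run": the same output plus a new listener and a
# connection to a host that is not in the baseline (both made up).
TODAY_NETSTAT = SAMPLE_NETSTAT + """\
  TCP    austerity:5000         SROSS:0                LISTENING
  TCP    austerity:1470         unknown.example.net:8080  ESTABLISHED
"""

# One data row of netstat output. UDP rows carry no State column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Socket:
    proto: str
    local_host: str
    local_port: str
    foreign_host: str
    foreign_port: str
    state: str  # "" for UDP, which netstat prints without a state


def split_endpoint(endpoint):
    """'host:port' -> (host, port); split on the last ':' so IPv6 literals survive."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return the Socket rows in a `netstat -a` dump, skipping headers and blanks."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lh, lp = split_endpoint(local)
        fh, fp = split_endpoint(foreign)
        sockets.append(Socket(proto, lh, lp, fh, fp, state or ""))
    return sockets


def listening_ports(sockets):
    """(proto, port) pairs that accept inbound traffic: TCP rows marked
    LISTENING, plus every UDP row, since a bound UDP port receives datagrams
    even though netstat shows no state for it."""
    return {(s.proto, s.local_port) for s in sockets
            if s.proto == "UDP" or s.state == "LISTENING"}


def foreign_peers(sockets):
    """(proto, host, port) of the remote ends of non-listening sockets."""
    return {(s.proto, s.foreign_host, s.foreign_port) for s in sockets
            if s.state != "LISTENING" and s.foreign_host not in ("", "*")}


def make_baseline(text):
    """Derive (listeners, known hosts) from a run you have reviewed by hand."""
    sockets = parse_netstat(text)
    return listening_ports(sockets), {p[1] for p in foreign_peers(sockets)}


def audit(text, baseline_listeners, known_hosts):
    """Diff a netstat dump against the baseline; lists are sorted for stable output."""
    sockets = parse_netstat(text)
    listeners = listening_ports(sockets)
    return {
        "new_listeners": sorted(listeners - baseline_listeners),
        "missing_listeners": sorted(baseline_listeners - listeners),
        "unknown_peers": sorted(p for p in foreign_peers(sockets)
                                if p[1] not in known_hosts),
    }


if __name__ == "__main__":
    base_listeners, base_hosts = make_baseline(SAMPLE_NETSTAT)
    for kind, items in audit(TODAY_NETSTAT, base_listeners, base_hosts).items():
        for item in items:
            print(f"{kind}: {' '.join(item)}")
```

Save a netstat -a capture to a file once you have reviewed it, feed it to make_baseline, and run audit against each new capture. On current Windows versions, netstat -ano adds the owning process ID to each row, which ties a surprise listener straight back to the task list.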

Securius.com is a service of GuardianEdge Technologies.
Copyright © 2006 GuardianEdge. All rights reserved.