Snooping Isn't E-Mail Delay Cause
September 25, 2001
E-mail delivery has been particularly sluggish during the past two weeks. Messages have arrived at their destinations hours after being sent, sparking speculation that new surveillance programs by government intelligence agencies might be responsible for the sudden slowdown.
But in truth, most transmission delays can be traced to the recent spate of e-mail and server worms that primarily attack Microsoft products -- so much so that one prominent technology research firm recommended Tuesday that businesses switch to server software other than Microsoft's IIS until the company completely rewrites the program from the ground up.
The United States and other governments have said that surveillance of electronic communications will play a part in their battle against terrorism, and President Bush warned the media on Monday that the methods of intelligence gathering will "remain guarded."
"My administration will not talk about how we gather intelligence, if we gather intelligence and what the intelligence says," Bush told the media at Monday's press briefing. "That's for the protection of the American people."
But despite the secrecy, blame for any of the currently bogged-down networks doesn't seem to be attributable to Big Brother. Security experts said they doubt the government would want or even be able to scan everyone's e-mail, and also noted that any e-mail surveillance would probably be undetectable to users.
Any slowdown is more likely due to the brat pack of worms that have been hitting Internet servers hard, coupled with increased Internet use by people seeking news, according to both security experts and Internet service providers.
Isolated equipment damage following the destruction of the World Trade Center may also be a factor.
"At this point, speculation that any law enforcement surveillance system is causing Internet performance issues is just that -- pure speculation," said Joel Scambray, managing principal of security firm Foundstone. "Especially after the events of Sept. 11, from which several service providers are still trying to recover.
"Couple this with the ongoing effects of the Code Red, Nimda, and SirCam worms, and such speculation becomes even more tenuous.
"There is the potential that some ISPs have implemented re-routing of their network architectures to provide a single inspection point through which all mail must pass -- which could account for some bottlenecks -- but I have seen no reports of this," Scambray added.
Scambray and other experts believe the slowdowns that some people have noticed are most probably caused by Nimda and Code Red worms, along with any other extraneous worms or viruses that may be making the rounds.
Internet service providers such as Road Runner, Earthlink and Excite have sent alerts to their broadband customers attributing network slowdowns to the effects of these worms which overload networks by constantly searching other computers to infect.
Meanwhile, antivirus software companies released alerts about a new worm on Monday. Known as the "Vote Virus" (Win32.Vote.A@mm), the worm arrives as an e-mail attachment. The body of the message asks people to open the attachment in order to cast their "Vote To Live in Peace!"
The attachment is actually a Visual Basic script, similar to the "ILOVEYOU" and Anna K. viruses. Although some companies have ranked it as a high threat, very few infections have been reported, because most users understand that they shouldn't open attached .exe files.
The worm only infects Windows operating systems through Microsoft's Outlook e-mail program.
"It's not any Big Brother snooping device that's causing this (slowdown), but the resulting mess caused by the world using very exploitable software from Microsoft on public networks," said Richard Forno, chief technology officer for Shadowlogic and co-author of Incident Response and The Art Of Information Warfare.
Only computers that run unpatched Windows 2000 and NT operating systems using Microsoft's IIS Web server software are vulnerable to infection by Code Red and Nimda. (Nimda, a worm with multiple infection capabilities, can also infect computers using Windows operating systems and Microsoft's Outlook e-mail program or Microsoft's Internet Explorer Web browsing software.)
Some Linux and Mac users who run emulators -- programs that allow users of one operating system to run programs intended for other operating systems -- have also been infected by Nimda.
Gartner, a technology research and advisory firm, released a report on Tuesday recommending that businesses switch from Microsoft's IIS to other Web server software in the wake of this summer's worm attacks.
The report stated that "viruses and worms will continue to attack IIS until Microsoft has released a completely rewritten, thoroughly and publicly tested, new release of IIS.... This move should include any Microsoft .NET Web services, which requires the use of IIS."
Gartner officials believe this rewrite will not occur before the end of 2002 at the earliest. Microsoft officials have repeatedly said that Windows XP (some versions of the new OS include IIS) and .NET will be carefully tested for security exploits.
Besides worms, Net speed may also have been affected by the physical effects of the Sept. 11 attacks, according to William Knowles, a senior analyst at C4I.org, a private computer security and intelligence group.
"Several of the big providers had equipment in the World Trade Center basement and microwave antennas on the roof. And providers around the WTC area were forced to shut down operations because the dust and debris were clogging the air-conditioning intakes for cooling the servers," Knowles said.
Problems on these small areas of large service providers' networks could affect the rest of the Internet.
If the government were snooping, they'd most likely be intercepting electronic communications with the intelligence-gathering systems known as Carnivore and Echelon.
The United States has admitted that Carnivore exists and has even released the details on how the system works, but will not comment on Echelon.
Carnivore, also known as DCS1000, is akin to a phone wiretap, and uses a commercial "packet sniffer" program to grab data.
Information that moves across the Internet is processed in small chunks called "packets." Packet sniffers can capture those chunks of data as they are transmitted. Malicious hackers and intelligence agencies use packet sniffers to intercept data; network administrators use them to analyze network performance.
But sniffers do not noticeably affect network performance, because they only copy packets as the traffic passes "through" them. The data isn't physically pulled off the Internet, processed and then re-released.
"I don't really believe that Carnivore would be the cause for any network traffic slowdown unless it -- as a sniffer -- is sucking and processing every single bit of data on every single ISP, which is a nearly impossible thing to do undetected," said Forno, who has acted as an adviser to the Department of Defense on information warfare. "Not to mention that the processing power required to do this would be extraordinary, if not existing only in fantasy."
Forno also said he thinks Carnivore isn't very effective.
"All Carnivore will do is keep honest folks honest," Forno said. "Power users who value their online privacy and cyber-criminals with half a clue already know how to get around it."
Forno said that scanning by Echelon is also unlikely to be responsible for any slowdowns. Echelon gathers information from phone calls, faxes and e-mail, primarily through a global satellite-based telecommunications network, using the same sort of packet-sniffing approach as Carnivore.
Some believe that Echelon -- operated by the United States, Britain, Australia and New Zealand -- also isn't as capable or scary as some news reports have indicated.
Last year, a European parliament committee conducted a year-long investigation to find out exactly how extensive and effective the Echelon system is.
The committee came to the conclusion that while Echelon is effective, it can intercept "only a very limited proportion" of the ever-growing amount of electronic communications that moves across the Internet and through phone lines.
"Echelon is an over-hyped intelligence program that's been in place for over 50 years," Forno said. "The media and conspiracy theorists love to make Echelon out to be this all-encompassing new spook project. Simply put, it's nothing new."
The U.S. government seems to agree.
Attorney General John Ashcroft told Congress on Monday that laws have not kept up with advances in technology, and law enforcement officers are armed with "antique weapons" in the battle against terrorism.
He urged Congress to pass a package of new laws that would give law enforcement officers expanded powers to tap telephones, conduct searches, seize assets and detain suspected terrorists.
Many lawmakers agreed with Ashcroft that some tougher measures were needed, but also said they did not want to trample civil liberties in the process.
"Past experience has taught us that today's weapons against terrorism may be tomorrow's weapon against law-abiding Americans," Representative John Conyers of Michigan said in response to Ashcroft's proposal.
By Michelle Delio, Copyright © 2001 Wired Digital Inc., a Lycos Network site.