COLUMBIA, S.C. – The latest global hack attack may be remembered for snarling ATM services for the nation's largest bank, but it also slowed Internet banking to a crawl and even a halt at times for hundreds of credit unions over the weekend. The so-called "SQL Slammer" worm exploited a known vulnerability, first exposed last summer, in tens of thousands of unprotected Microsoft-powered servers (including apparently at Microsoft itself). The virus-like data worm, believed to have originated in Asia, took most of tech-heavy Korea offline for a while and affected Internet traffic at tens of thousands of American businesses and thousands of ATMs. CUNA Network Services said that, despite its own safeguards being in place, many of its client credit unions' Web sites were affected by the slowdown of major Internet "backbone" networks. Meanwhile, the credit union industry's largest ATM network said it experienced no problems from the Slammer worm. "From what we can determine, there's been no problem," said Gene Polito, president of EFT services for California-based CO-OP Network, which administers 15,000 surcharge-free ATMs and handles 51 million monthly transactions for 1,165 member credit unions. But Bank of America said about 13,000 of its ATMs refused to dispense cash for a while over the weekend, and nationally, the damage in lost electronic commerce was estimated in the tens of millions. And because Microsoft SQL servers are so widely used "both within and outside the credit union industry, there was definitely a strong potential for widespread problems," said Dan Jorna, general manager of USERS' DataSafe online operations. "We've seen estimates that the virus affected some 160,000 to 200,000 sites across the country, most at mid-sized to large companies," Jorna said. This was done with a line of code only a few sentences long. The little piece of data generated massive amounts of network packets, overloading servers and routers and slowing down network traffic, even snarling five of the 13 "name servers" that form the routing heart of the Internet. It was that systemic traffic jam that apparently affected credit unions served by CUNA Network Services, despite the fact that the organization had all the updated maintenance and patches in place, said Doug Benzine, CNS senior vice president. "While there was no impact in terms of data compromise or destruction on SQL databases, credit unions and their members would have experienced slow or no response from their credit union Web sites hosted in our data center. This condition lasted approximately 10 hours," Benzine said That's because one of the major networks affected was one used by CUNA Network Services to host those Web sites. "That network returned to normal operation at around 10 o'clock on the morning of the 25th, and CNS hosting services resumed at the same time," Benzine said. He added, "We have no way of knowing yet why certain backbone network providers seemed to be impacted more severely than others. We expect to understand this better in the near future, and it will certainly impact our bandwidth provider selection processes." Reports of the attack sent IT teams scrambling around credit union land. "We at HFS corporate are having to verify that all servers across the enterprise and all desktops and laptops that are running SQL have the proper fixes. So while it did not affect business operations for us, it is eating up some internal resources this week," said Dan Paslay, IT manager at Harland Financial Solutions, where properly patched firewalls had apparently blocked the virus-like worm. USERS, meanwhile, called in members of its "critical incident response team" over the weekend to check its servers and firewalls. They found there were many attempted Slammer attacks but none were successful, Jorna said. "None of USERS' data centers was affected," he said. "We also don't have any reports of in-house or online clients having been affected either, although it's possible they might have had an issue and resolved it internally without our intervention." Speaking of issues to be resolved internally, Microsoft acknowledged that some of its own units had not installed the Microsoft-issued patch for the flaw, which was discovered and reported last July. A Microsoft spokesman in Seattle acknowledged to the national media that some of its owner servers had been left unprotected because staffers there "didn't get around to it when they should have." Of course, it can be hard to keep up. Microsoft products, and the company itself, is a big target for hackers and attackers, with vulnerabilities and subsequent patches coming out all the time. And it's easy to point fingers, said one Internet security specialist. "I don't think apathy has set in at all," said Rick Fleming of Texas-based Digital Defense. "The system administrators and operators do care about the health and well-being of their systems. "I just don't think they have the time to research and apply every single patch that comes along." Because they feel overwhelmed, Fleming said, "many administrators play a `wait-and-see' game before applying new patches. While risky, they feel it's better to wait than to apply a patch and disrupt their customers' access." Fleming said none of his company's credit union clients were directly affected, since the patches were in place and the particular ports used by the worm to enter servers were blocked by firewalls. USERS also has had the proper patch installed in its data centers and internal networks through two server software updates now, Jorna said, and he had some observations about how to keep up. He said USERS relies on its relationship with TruSecure, a leading Internet security vendor, to stay current as it protects 350 client credit unions, about half of them served online through its data centers, and its own internal systems. He said as far as he knew, no TruSecure clients who have been following that firm's recommendations were directly hit by the worm. Committing to that kind of ongoing protection routine is essential, Jorna said. "One group that may be especially vulnerable is credit unions that outsource the management of their Internet connection and their local-area network to a third party," the USERS data center chief said. "If you only occasionally use such a supplier, say to upgrade your network on a one-time basis, then you probably don't have the kind of relationship where the supplier will keep you informed, pro-actively, about new security risks and fixes. "If on the other hand, you have a subscription service with a third-party provider like that (of USERS' with TruSecure), you're probably receiving security alerts and other notices regularly. "I would suggest that any credit union that doesn't have such a service give serious thought to adding it." -

[email protected]