
From: "Alex Rubenstein"
Does anyone else, based upon the assumptions above, believe this statement to be patently incorrect (specifically, the part about 'personal information had not been at risk')?
Actually, the statements are correct. Remember, the worm wasn't programmed to put the database or the security of the networks at risk. Of course, the customer's information "could" have been at risk, but in hindsight, it wasn't.

However, there is another possibility. BofA could have piped a portion of the public network through equipment that sustains their private network in a secure manner. However, an MS-SQL system (or a couple hundred) which contained nothing of value was infected. The load created by the system was enough to interrupt equipment along the path and effectively shut down their private network even though it didn't have direct access.

For example, I can run IP through ATM switches. The overloading of the PVC could systematically destroy the integrity of the ATM network which holds other ATM traffic. This is still a secure model, although obviously not well engineered, as proper ATM CoS would have limited the IP traffic. Of course, ATM would be one example. They could be tunneling IP over any number of protocols commonly used by banks. In essence, only one piece of common equipment has to be shut down to cause a problem.

Jack Bates
BrightNet Oklahoma