Slashdot Mirror


Windows Virus Takes Out Gov't Agencies in MD, PA

Zolzar writes "Looks like the Md. State Motor Vehicles Administration is the first government agency reporting a failure of their systems due to the recent virus." This is a more specific story about the outage. And the city of Philadelphia has suffered as well.

19 of 984 comments

  1. What makes Windows 2003 so secure? by Da+Penguin · · Score: 4, Interesting

    I keep hearing that windows 2k3 is the most secure windows, but (and I'm truly asking), what makes people say so? I'm using it at home. Evidence for: logs changes, logs every reboot and needs you to enter a reason, insists that every site (including google) has a security issue, comes with almost everything disabled, doesn't let users use shockwave et al without permission, probably some bug fixes. Evidence against: see the article above. At least it informed me afterwards that the computer unexpectedly rebooted . . .

    PS: Please don't mod me for flaming, I'm really wondering what inner changes there are, other than the ones above that give the impression of security.

    1. Re:What makes Windows 2003 so secure? by westyvw · · Score: 4, Interesting

      Well, everything off is a good idea for a server. YOU should make the choices to turn anything on, and YOU should know why you did. The port this worm attacked has no justification for the home user. This is the same port that annoys most users of Win XP, but they don't know it. The only reason MS should have allowed this to be turned on was for administration on a LOCAL network.

      By the way, I can make Win 2003 Server crash in minutes if I am allowed to be a user on it. Shame, it's not that much better, but leaving ports closed is a good idea, and a long time coming.

    2. Re:What makes Windows 2003 so secure? by Anonymous Coward · · Score: 3, Interesting

      It installs with just about everything turned off, instead of turned on.

      It is also the first version of Windows that had teams of programmers whose sole purpose is to audit code and check it for security problems. Sweeps for coding patterns that lend themselves to exploitable bugs were done. Utilities were written to help flag suspicious bits of code. And so on ... time will tell how effective the changes were.

  2. Re:A good argument for... by MeanMF · · Score: 4, Interesting

    I know there'll be dozens of "they shouldda been using un*x" posts, but in defense of Windows, there has been a patch for this on Windows Update since July 16. Even I had enough time to test the patch on a non-production system between then and now. Every platform gets its 'sploits throughout its lifetime; it's just a matter of learning about them and applying the proper patches in a reasonable amount of time... especially on mission-critical machines. (DMV computers, etc...)

    Yeah, but it's not like the Department of Homeland Security put out a notice telling people they should install the patch. Oh wait, yes they did. Maybe that's why a group of us worked late on Friday 8/1 making sure the patch was installed on all of our servers and workstations.

  3. Re:We Got Hit by PetoskeyGuy · · Score: 4, Interesting

    Preaching to the choir.

    I remember the Klez virus kept infecting our system. I put antivirus on all the machines and wiped and cleaned them several times. Still my boss had his computer go down several times and started to suggest I was incompetent.

    Turns out he got a fake email on his AOL account with the virus attached from a potential client who he has been trying to sell to for a long time. He loaded the virus from his laptop and ignored and disabled the antivirus warnings desperately trying to see what this guy was sending him. For those that don't know, Klez emails itself to any email addresses it can find.

    Problem finally solved. I was not to mention this matter to anyone else. Yeah, right. :)

  4. Re: When are people going to wake up? by Black+Parrot · · Score: 4, Interesting

    > My wife's entire 1500 plus employee company was instructed today to not turn on their computers until IT came around to look at them.

    Where I work they just kicked everyone with an exposed system off the network as soon as the DoHS warning came out 2-3 weeks ago, and let them back on the network when they could demonstrate that their system was fixed.

    Call it "opt-in security", if you will.

    --
    Sheesh, evil *and* a jerk. -- Jade

  5. Re:I don't pity them by TheQuantumShift · · Score: 4, Interesting

    I remember when this vuln was announced, I hit windows update that day (7/16), and lo and behold, it was a critical update... Remember how this vuln was all over the news? Remember how "the authorities" were listening in on chatrooms and saying there was a lot of talk about an exploit? I certainly remember all of this, so I say screw those who didn't patch. What's better, installing a patch that screws your system when you can blame that on MS, or not installing the patch and having no one to blame but yourself?

    --
    Shift happens. Fire it up.

  6. Re:Yes by molarmass192 · · Score: 5, Interesting

    Let me get this straight, patient monitoring systems are plugged into the same LAN in which doctors, admins, and what-not are free to plug in their laptops? I don't work in a hospital but even we have DMZ subnets for more sensitive parts of our network. I can't (or rather don't want to) believe that hospitals don't segment their networks the same way.

    --
    Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws. - Plato

  7. Re:Yes by Pathwalker · · Score: 4, Interesting

    Formatting hard drives? Screwing up the BIOS? We'd still be lucky if that was all that happens.

    The idea that scares me is a slowly spreading virus - hiding as well as it can, and remaining on systems for months or years.

    I had a full description of a possible payload, and the effects it could have, but I thought better and deleted it.

    All I will say, is that a virus that targeted not the computers, but the business processes of the company that uses them could do some major damage.

  8. Re:Yes by Cat_Byte · · Score: 5, Interesting

    I've been knocking on doors for a job since I was laid off on December 24th. It seems most of the hospitals have contracted out their IT positions rather than have them in-house.

    Hey, when I was a contractor I walked in, did what they asked me to do, then went on to the next job site. I didn't go around asking if they had separate LANs for sensitive equipment because... well... I was paid salary and wanted to go home after my 10 hr day. I'm sure the current contractors feel the same way.

    Being a local sysadmin/network admin is different. It's your baby, you get the call at 3am when things go bad, you make sure that doesn't happen. Too bad employers don't see that and I bet you this one still doesn't see it that way.

    --
    Two roads diverged in a wood, and I - I took the one the bus load of girls just went down.

  9. More info by Jade+E.+2 · · Score: 4, Interesting

    Yeah, yeah, it's bad form to reply to yourself. But I'm leaving for the night so I figured I'd post a few more details I remember in case it helps anybody else.

    If the worm we got autostarts anything, it uses one of the sneakier methods. I didn't check the ini files, but I did check out both run and both runonce keys and there was nothing unexpected in any of them. File sizes and dates on the files that were there matched a clean system (although that's not a guarantee, I didn't run checksums). The damage to explorer, IE, and Word did survive a reboot, however, so it modifies something on the system.

    We had the system up for the better part of an hour on the network, watching ethereal on the switch's mirror port, and didn't see any strange traffic, so I don't know what triggers its spread. The dial-in client that was one of the original vectors had been connected for something like 8 hours when it started scanning, and we are its internet access so it couldn't have been (easily) infected from outside today without us seeing it (we were monitoring after central's exchange server went boom), so I strongly suspect it's got a timer or trigger to start scanning. (Maybe idle time? It started roughly half an hour after they closed for the night, hence us kicking them off and revoking their dial-in privileges instead of just calling them.)

    I didn't catch any actual infections in the packet dumps, only scans after the vulnerable machines had already been hit, so I don't have a network dump, but I'll hook an infected machine to the test network in the morning and try to get one. If I can talk the manager into leaving me alone for long enough I'll try to get it to infect a dummy machine I've imaged and see exactly what changes it makes. Anyways, good luck to anyone still playing with these things.
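The comment above notes that file sizes and dates matching a clean system "is not a guarantee" without checksums. The following is an added example, not code from the thread or from any of the posters, showing why: it builds a manifest (size, mtime, SHA-256) of a known-clean tree and compares it against a suspect tree, reporting files whose size and timestamp match the baseline but whose content differs. The directory layout, file names and contents are constructed in temporary directories purely for the demonstration.

```python
"""Baseline-manifest comparison: catches content changes that a size/date
check alone would miss. Added example; not from the Slashdot thread."""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file under root to (size, mtime_seconds, sha256 hex digest)."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        # as_posix() keeps keys identical across Windows and Unix hosts
        manifest[path.relative_to(root).as_posix()] = (st.st_size, int(st.st_mtime), digest)
    return manifest


def compare(baseline, current):
    """Return a sorted list of (finding, relative_path) tuples.

    'content-changed-size-date-match' is the interesting case: the file would
    pass an eyeball check against a clean system but its hash differs."""
    findings = []
    for rel, (size, mtime, digest) in sorted(current.items()):
        if rel not in baseline:
            findings.append(("added", rel))
            continue
        b_size, b_mtime, b_digest = baseline[rel]
        if digest == b_digest:
            continue
        if size == b_size and mtime == b_mtime:
            findings.append(("content-changed-size-date-match", rel))
        else:
            findings.append(("modified", rel))
    for rel in sorted(set(baseline) - set(current)):
        findings.append(("missing", rel))
    return findings


def demo():
    """Construct a clean tree and a suspect tree, then diff their manifests."""
    fixed_time = 1_000_000_000  # constructed mtime so both trees match on dates
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp, "clean", "system32")
        suspect = Path(tmp, "suspect", "system32")
        clean.mkdir(parents=True)
        suspect.mkdir(parents=True)

        # Same name, same size, same mtime, different bytes: invisible to a size/date check.
        (clean / "explorer.exe").write_bytes(b"A" * 64)
        (suspect / "explorer.exe").write_bytes(b"B" * 64)
        # Identical file in both trees: should produce no finding.
        (clean / "ok.dll").write_bytes(b"unchanged library")
        (suspect / "ok.dll").write_bytes(b"unchanged library")
        # File present only on the suspect host.
        (suspect / "dropped.exe").write_bytes(b"constructed sample")

        for path in list(clean.iterdir()) + list(suspect.iterdir()):
            os.utime(path, (fixed_time, fixed_time))

        return compare(build_manifest(clean.parent), build_manifest(suspect.parent))


if __name__ == "__main__":
    for finding, rel in demo():
        print(f"{finding:35} {rel}")
```

In practice the baseline manifest is built from a freshly imaged machine (the "dummy machine I've imaged" mentioned above) and stored off-host, so the comparison does not depend on the suspect system's own copy of anything.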

  10. Public perception and customer feedback by rediguana · · Score: 3, Interesting

    I was at the gym for the 3pm NZST news today, and Microsoft took a hammering. Only Microsoft Systems are affected... MSFT this, MSFT that - I'd like to see what Microsoft New Bliss-Land do to spin this.

    I've just checked their NZ home page and they are soliciting for feedback on customer feelings towards MSFT today, and have some obvious customer advice in big, bright colours. Microsoft US doesn't seem to care in comparison.

    The feedback form has three cute faces with various different states from happy to angry on them. Perhaps you may want to give them some feedback too ;)

  11. Speaking of Money by MacFury · · Score: 5, Interesting

    Every once in a while I hear about companies forecasting how much money will be lost due to lost productivity and downtime of infected computers.

    Has anyone compiled a list to see something like how much M$ has cost the world due to insecure software?

    I would guess it's a couple billion dollars by now. Why does no one care?

    1. Re:Speaking of Money by Robmonster · · Score: 3, Interesting

      And how much have they made in Gained Productivity by providing tools for people to generate complicated spreadsheets / print their own stationery / produce business-winning presentations?

      Not that MS are the only providers of this software, but you have to balance what inconveniences they cause against the benefits they have given.

      --
      I have no sig yet I must scream.

  12. Re:Yes by Anonymous Coward · · Score: 5, Interesting

    Hahaha... you have faith.

    Back in the day, I was called to a hospital in the middle of nowhere that stored everything (patient records, accounting, etc) on a single IBM AIX box.

    Someone who was supposed to be an admin blasted the /etc filesystem and thought unplugging the machine would fix it. (So all the databases were f-ed up too)

    The last backup had been made approximately 3 years before and the system had been upgraded several times. Nobody knew what version the system was actually on, and the one contractor who did was climbing a mountain somewhere. (This is happening at 2AM Saturday.) It was also in "Trusted" mode.

    To make a long story short, we eventually got in and got everything up on Sunday night.

    Lesson #5675: Never underestimate the incompetence of hospital IT staff. (Particularly small hospitals.)

  13. Re:Our system by pavera · · Score: 3, Interesting

    I saw this exact same problem today at one of my client's sites. I do work for a few small businesses, and one of them had this exact same problem. It wasn't msblast (that process wasn't running, and nothing was found by virus scan or the Symantec remover) but we showed the exact same problems; the only fix we found (in nearly 8 hours of trying) was to completely reformat and reinstall.

    Hopefully someone will find out what this new virus is and create a removal tool for it, however I think this one might be pretty nasty, it completely hosed word/outlook and norton av on one system and trashed the windows installer service on another causing office and norton av to think they weren't installed, and making it impossible to reinstall them.

    We also did not see it scanning, and it seemed to be infecting slowly (the client has 30+ machines all win2k, and after 8 hours only 3 had been infected, those 3 were pulled from the net then but they had many hours to infect the rest of the hosts on the network and didn't).

    Any info on this new strain would be greatly appreciated.
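Both this comment and the "More info" post above describe watching for scanning traffic by eye (Ethereal on a mirror port, and noting that three infected hosts "had many hours to infect the rest" without visible sweeps). The following is an added example, not code from the thread or from any poster, that applies the same fan-out heuristic automatically over flow records: a source that contacts many distinct destinations on one port inside a short window is flagged, along with the time the sweep began, which is the onset the earlier poster wanted to correlate with the suspected timer. The flow records are constructed; port 135 is assumed for the sample because MSBlast spread over the Windows RPC port.

```python
"""Fan-out scan detector over flow records. Added example, not from the thread."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records: "ISO-timestamp src dst dport", one per line.
SAMPLE_FLOWS = "\n".join(
    [
        "2003-08-12T17:58:02 10.1.1.5 10.1.1.1 80",   # ordinary web traffic
        "2003-08-12T17:58:10 10.1.1.5 10.1.1.1 80",
        "2003-08-12T18:05:00 10.1.1.9 10.1.1.1 135",  # repeated RPC to one host: benign
        "2003-08-12T18:05:30 10.1.1.9 10.1.1.1 135",
    ]
    # 10.1.1.5 starts sweeping the subnet on 135, one host per second, after hours
    + ["2003-08-12T18:30:%02d 10.1.1.5 10.1.1.%d 135" % (i, 10 + i) for i in range(10)]
)


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport) tuples; skips blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def detect_scanners(flows, threshold=8, window=timedelta(seconds=60)):
    """Return {(src, dport): onset_time} for sources that reach >= threshold
    distinct destinations on one port within any window-sized span.

    Sliding window per (src, dport): a deque of events in time order plus a
    Counter of destinations currently inside the window, so distinct-count
    lookups stay O(1) as events expire."""
    by_key = defaultdict(list)
    for ts, src, dst, port in flows:
        by_key[(src, port)].append((ts, dst))

    onsets = {}
    for key, events in by_key.items():
        events.sort()
        in_window = deque()
        distinct = Counter()
        for ts, dst in events:
            in_window.append((ts, dst))
            distinct[dst] += 1
            # Expire events older than the window relative to the newest one.
            while in_window and ts - in_window[0][0] > window:
                old_ts, old_dst = in_window.popleft()
                distinct[old_dst] -= 1
                if distinct[old_dst] == 0:
                    del distinct[old_dst]
            if len(distinct) >= threshold:
                onsets[key] = in_window[0][0]  # earliest event of the triggering window
                break
    return onsets


def summarize(text, threshold=8, window_seconds=60):
    """Human-readable findings, sorted by source and port."""
    onsets = detect_scanners(parse_flows(text), threshold, timedelta(seconds=window_seconds))
    return [
        "%s began sweeping port %d at %s" % (src, port, ts.isoformat())
        for (src, port), ts in sorted(onsets.items())
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_FLOWS):
        print(line)
```

The threshold and window are the knobs to tune against a site's normal fan-out; a domain controller or a monitoring host legitimately talks to many machines on one port, so those sources belong on an allow-list rather than being flagged.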

  14. This much damage from half a worm by SgtChaireBourne · · Score: 4, Interesting

    The sad part is the MSBlast worm is terribly inefficient and poorly designed, yet still has caused this much disruption. Even Slammer, which reached saturation in 8.5 minutes, infected very few machines but caused trouble by eating bandwidth. Think what would have happened if it did something more malevolent.

    It's not a new problem. Nor is any amount of wishful thinking going to fix the problem; Microsoft's products just aren't engineered for security. It's a problem that would take years to fix. Bill Gates himself made allusions to the U.S. Apollo space program of the 1960's, which was $25 billion over 10 years. However, for the time being, the security issue is treated like a PR problem and the customers are taking the lumps.

    At this point the problem is sociological or psychological. Like any other cult, Microsoft provides a sense of purpose and belonging to its supporters. Note that neither a technical background nor even an analytical way of thinking is a prerequisite, thus fulfilling even the unconditional acceptance aspect of a cult.

    As much as IT staff and, especially, IT managers admire the personal wealth of Bill Gates, they just need to be able to let go of Windows and move on.

    Move on, either to Macintosh or Linux or QNX or BSD or Novell; there are many choices. There will be some up-front costs, but even without the viruses and worms these up-front costs will be offset by the number of maintenance hours saved.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.

  15. Re:Yes by RMH101 · · Score: 3, Interesting

    Right on. Let me emphasise:

    MEDICAL DATA CAPTURE STUFF NEEDS TO BE VALIDATED AGAINST FDA REQUIREMENTS. THIS IS *HARD* AND YOU DON'T GET IT BY ACCIDENT.

    Ask anyone who's worked on a validated or 21CFR11-compliant system.

    I can't breathe on our systems without exhaustive revalidation procedures and that's the way it should be.

    It's very easy to poke fun at sectors you have no experience of, but rest assured all the checks and balances you think should be there, ARE. And then some.

  16. The problem: Lazy Sysops - and *nix is worse! by digrieze · · Score: 4, Interesting

    I know /. is the place to bash the microsofties, but don't let it get to your head. Remember, anything with the name Microsoft gets instant press, outside the techies the public thinks "apache" is the old movie name for a First Nations tribe.

    I regularly do security audits of all kinds of systems. When I walk in to a microsoft shop I can immediately tell how it goes. If the sysop says "I don't trust the patches, I test them, but they're not deployed unless there's a REAL problem" It won't go well, those guys usually don't update virus files either. On the other hand if the sysop is using patch management practices he can often go out in real time and check the current status of a server, workstation, and active version of the virus definition file in realtime (they usually have good WRITTEN policies on unauthorized (untested) soft/hardware with sanctioned backup). I haven't found malware in any of the latter cases.

    I've yet to find a good *.nix shop. They often have good processes and procedures that SHOULD avoid problems, but the truth is it's easier to sign a piece of paper that says sourcecode was patched and applied than to actually do it. Things look great on paper. Check the source or decompile sendmail (one of my favorite targets) and it's another story. I'm still finding the same hole T.Morris used years ago on active servers. The excuse is always the same, "that was the way it came, shouldn't that have been fixed in the distro by now?" (i.e. too lazy to look, just signed the paper). Many don't even check SANS or CERT regularly. At least windows will notify you when critical updates are available, and all you have to do to apply it is run the .exe. Even then you get guys like this story highlights:

    "I'm unaware of the [Microsoft] patch being available," said David Hugel, the deputy chief administrator of the MVA. "I've talked to our IT people and we weekly update the virus protection we do have, and this just happened to fall between those points when we had updated it and we didn't have the [new] update available yet."

    (How did this guy get his position or experience? Even "end-users" successfully use critical update with relatively NO technical experience or fiscal responsibility.)

    Any sysadmin that can't keep a system patched, or falsifies patch records should be punished up to and including dismissal as far as I'm concerned.

    Incidentally, just so you know, my audit document is the CERT advisories on securing systems. If you want a great basic book try O'Reilly's "Practical Unix and Internet Security".

    Has anyone figured out yet that as far as I'm concerned the problem is NOT theoretical design differences in OSs as much as the incompetence of the people running them?

    --
    It doesn't matter what you wrap your emotions around, Reality is a brick wall specifically designed to scramble eggs