Virus Knocks Out U.S. Visa Approval System
GillBates0 writes "According to this story and many others, the State Department's electronic system for checking every visa applicant for terrorist or criminal history failed worldwide late Tuesday because of a computer virus, leaving the U.S. government unable to issue visas. The virus crippled the department's Consular Lookout and Support System, known as CLASS, which contains, among others, names of at least 78,000 suspected terrorists. It was unclear which computer virus might have affected the system. But a separate message sent to embassies and consular offices late Tuesday warned that the Welchia virus had been detected in one facility. Welchia is an aggressive infection unleashed last month that exploits a software flaw in recent versions of Microsoft Windows."
1.) Use a firewall to block unnecessary access from the external network
2.) Patch Windows often
3.) Use anti-virus software and update the definitions often
I would have thought that the State Department would at least do these minimums (to keep its systems "safe from evil-doers"), but I guess you can't even expect that much from government work.
C:\>
As much as the Slashdot community hates Windows and likes to dump on its flaws, I've realized one thing: Windows means jobs in the IT security sector. As a Network Security technician, my job is, among other things, to make sure the latest threat to Microsoft software doesn't bring down the entire infrastructure in the federal department where I work. At least twice a week, my office has a meeting where we discuss the latest Windows virus or exploit, organize a task force, and then do a system-wide deployment of the fix to some 2000+ clients. I like to think that as long as Microsoft keeps making, er, crappy software, and as long as we still have crackers writing virii and trojans, I don't have to worry about losing my job. If there was some magical "perfect" software that never needed fixing (note: there isn't) then we wouldn't need IT security professionals now, would we?
Why is such an important system run on Windows? This isn't an "MS sux0r5, install Linux" rant, they should use the proper systems for the job. If that tool is some open source stuff or closed source then so be it but you can't tell me that this database can only be run on Windows.
Of course "When your only tool is a hammer, every problem starts to look like a nail."
Trolling is a art,
So now even terrorists using a fake name won't be able to get into the US!
READY.
#
Seems like there's a Mastercard joke in here somewhere.
And here I was thinking about all the new "Already approved VISA platinum card!" in my inbox...
Dang, just imagine how many people that is. Have they actually researched all those people? I am just baffled by the sheer number and really wonder how they came up with that list.
Use Adsense for Charity
maybe the US government could have better IT departments...
Instead of wasting time being completely down, take the time to patch these systems (either with distributed patching or even individuals taking the time to patch EACH machine -- oh the horror).
It's much better than not being able to issue Visas or do any other work while you have to keep your PC powered down until it is certified clean by IT.
security professionals would still exist to protect users from their own stupidity.
According to a CNN article, the State Department shut down the network to prevent the spread of the virus. It was down from noon until 9PM on Tuesday. Shutting down a network on purpose is different from having it "fail" due to a virus.
There is no sig, there is only Zuul.
Some day soon there will be a class action lawsuit against M$ regardless of their 'Hold Harmless Agreement' in the EULA.
And BTW, firewalls WON'T in and of themselves stop this kind of attack. Sure, firewalls are your first line of defense, but all it takes is someone that has a notebook that is infected from home, a business trip or somewhere ELSE to bring it as a 'trusted' device on your clean network and BOINK, you are infected internally.
What is a gov agency doing having open ports on their firewalls anyway?
Honestly, issuing visas is just way too important to trust to a closed OS with known security flaws, with at least one major one a month.
MS is so entrenched in the gov now that it's kind of scary, that one day an order might come down to homeland security that some town is nothing but terrorists and should be arrested, then taken to Cuba. Meanwhile some hacker in the assend of the planet writing a virus to gain entry to the gov systems is laughing his ass off at Ma and Pa being taken to a Marine base in another country.
"The word "genius" isn't applicable in football. A genius is a guy like Norman Einstein," - Joe Theisman
From the parent comment: "... Microsoft keeps making, er, crappy software"
I just want to say that I appreciate the tactfulness, sensitivity, restraint, and diplomacy of that remark.
Because remember, if you use Windows, the terrorists have already won. (it's a feature, not a bug)
Not allowing remote logins to something this important might be a good idea ^_^
How on earth does the government come up with a list of _78,000_ suspected terrorists? This is the type of indiscriminate prejudice that a siege mentality creates. This is a list of everyone who ever talked to anyone who ever talked to someone who might be a terrorist. In many ways these people's rights are now forfeit.
If the US government actually cared about human lives, it would be spending this type of attention on automobile safety (50k dead a year in US) or malaria (>1 million dead a year worldwide) or cancer (half a million dead in US per year). Compare this to "terrorism" which has claimed maybe 5000 lives in the past 30 years.
Instead we spend more on a "war on terror" in a year than has been spent in the entire history of cancer research.
-braddock
You don't put users and the servers inside the same firewall... do you?
Sorry -- I cannot think of a clever sig.
Not trying to bash Microsoft but....
I assumed that ppl who run critical services were not from that class of "Internet guys who just want to check their email and browse the web, and don't even know what a patch is".
So, my question is: Why in hell does anybody use a system that has a track record of so many bugs, viruses, crashes, etc.?
I see this more and more: A "breakthrough" is made by some stupid CEO in a company and in a matter of weeks everything is run under Windows. Why? Because it integrates better... "we now have single sign on... for viruses too: they just get in one computer and can spread around easily"!!!!
Damn stupid morons...
Evidently, the virus was patched/cleaned pretty quickly, and there was no real security risk, as in national security, because when the system is down, they simply do not issue visas. Most places they probably just told people to come back tomorrow.
First high level government agencies and departments suffer "apparent" virus attacks while running MS Windows...
Eventually MS will start pushing their Trusted Computing bullshit as the ultimate solution for blocking attacks on their own flawed products.
Oh and it will keep those nasty terrorist guys out too! Did we (MS) mention terrorists. Oh we did ok...
So who's responsible for IT security there? If they've outsourced IT security to Microsoft or Symantec, then it is well past time to fire them and put some linux or unix-based (low-cost high-availability) servers up. Ask any Linux sysadmin how they survived the last two months worth of email virus bombardments. Then ask a Microscrap Exchange administrator. Do some simple math on the time and therefore money involved with maintenance of these systems. Why is no-one outraged about the tax dollars being wasted on cleanup of Microsoft-platform based email viruses?
http://tinyurl.com/4ny52
Not allowing remote logins to a national database used to approve visas all over the U.S. which is located in one spot? Do you see the problem?
Ultimate control hinders flexibility. If you want to fill out your application for a visa, send it by mail which will be handled by hundreds of people, to receive your visa which will be mailed to you, again handled by hundreds of people, rather than create a network which will allow someone to remotely access the information that they need in an environment more trusted than the U.S. mail system?
This is not your mom-n-pop accounting database, this is used all over the world. Eliminating remote access is not really an option.
.. As long as any half-*ss kid can write 'applications' for the OS by point-and-click on Visual Basic, Windows will be the OS of choice. Too many companies are making money off cutting and pasting together apps.
It isn't the OS that counts, it's the applications that run on it. If it gets the job done, nobody will give a rat's ass what OS is beneath.
To Terminate, or not to Terminate, that's the question - SCSIROB
...why governments like Germany, etc, etc, are switching to either Linux or Unix. Windows is just one big gaping security hole. Windows is insecure. It has evolved from a single-user simple desktop on top of DOS to what we have today without much thought to security except for an easily circumvented login.
Unix (whatever your favorite flavor - Linux, Solaris, HPUX, even OSX, etc.) was designed from the ground up to work in a networked environment. That at least gives you a fighting chance of maintaining some level of security provided you or your MIS department set the system up right (like... don't use a default root password).
If Microsoft wants to save their market share, they should start looking into a Unix-type OS. Either port BSD (they have anyway in their TCPIP stacks) or buy someone out (um, SCO maybe - or maybe I'm psychic?).
Stop trying to push a derivative of WinNT which came from MS OS/2 launched back in the late 80's.
Sorry to rant on so much and restate the obvious, but geez. How many times before people wise up? Every time some script kiddie throws together some crap and unleashes it, corporations and governments get clobbered.
Jail time for virus authors isn't going to solve the problem, it's time to attack it at the source: Windows.
It would be a lot harder for stuff like this to happen if they would:
- develop cross-platform applications
- use a variety of platforms
That doesn't replace having an adequate system in place for testing and installing the latest patches. It does, however, guarantee that slipping up and missing one patch won't stop you cold. It may slow your enterprise down, but stuff will still get done.
"Weapons should be hardy rather than decorative" - Miyamoto Musashi
I think that goes for OS's too
What? They cracked the slashdot users file?
Some day soon there will be a class action lawsuit against M$ regardless of their 'Hold Harmless Agreement' in the EULA.
Actually, Business Week had an article about that a couple days ago, which I submitted last night (it was rejected). The author closed with (paraphrasing) "Maybe it's time some big customers refused to buy software without some sort of guarantee."
These last few worms and e-mail viruses seem to have become the collective last straw. The unwashed masses are finally beginning to grouse about buggy software-- the tide is slowly beginning to turn against onerous "no liability" EULAs coupled to expensive software that is critical to business.
A few years ago, Microsoft was very quick to whine that any delay in the release of Windows 98 forced on them by the government would hurt the U.S. economy and/or bring about the end of the world as we know it. Well, what about all these businesses who have to eat the costs of cleanup and lost productivity every time there's another Windows worm? Nooooo, that doesn't hurt the economy at all, does it?
~Philly
The software is bad enough; but the patch process is ridiculous.
If you could patch non-kernel portions of the OS without rebooting, it would be a lot easier on the average Windows admin who has to argue for downtime with the internal customers.
And while you're at it, let's not install every application in the OS every time.
Hot Damn! It's the Soggy Bottom Boys!
There's probably a joke here. Anyone know where?
http://www.switch2firefox.com/
Immediate term bashing aside
The reason open source is supposed to be better is that when lots more people (like 15% market share worth) run linux, then there will be more resources being used to update and error check open source software - theoretically. Comparing Linux with a small market share to windows with a large market share in terms of bugs is not appropriate, and considering the paid resources available (but maybe not used?) to Microsoft, it is amazing that open source even compares.
Not to knock volunteers at all, but if every company who used open source in a major way paid for 1-2 full time programmers, which is a relatively small expense, maybe Linux would have an even better security track record. Microsoft can't get much bigger, and their software maintenance model has still proven itself unworthy.
Sheesh, I heard about this on The Truckin' Bozo show last nite. When a truck driving show beats Slashdot to the news, it's the dawn of a new age.
-- Liberalism is a mental disorder.
Call it what it is: A Microsoft Windows virus. Maybe if the media keeps pointing out what us /.ers already know, the general public will get it through their heads that their choice of OS makes a difference.
Nice theory, but you miss a major point. If a software program were to stay in its current form, i.e. no new features, only bug fixes, then your theory would hold true. This is almost never the case though. Software is continuously evolving. Security holes and bugs are being fixed, but when new features are added you have a good chance of introducing new ones, and the cycle continues.
May the source be with you!
The English visa is an import of the 19th century French word le vise, which derives from the Latin plural past participle of videre, to see. In Latin, visa roughly translates to "things seen".
Crudely, a visa indicates that the bearer's documents have been seen by the issuing country. As the issuance of a visa requires the examination of several papers and databases, visa is always plural. Moreover, as the French treat it as a singular form, and English imported it from the French, the Latin is of little consequence here.
Sources: TF Hoad, ed, Concise Oxford Dictionary of English Etymology (Oxford:Oxford University Press,1986)
Murder means work too. Are you willing to die a few years early so detectives, attorneys, and judges can have jobs?
I would really much rather design and build secure network systems than apply bandages to existing hopeless systems. If a system is available that resists viruses (like BSD or Linux), that might be a good place to start...
Oh, wait, I do have that job! And I bet I am having more fun than you. One thing is certain, my employer is not flushing as much money down the toilet as yours.
One day my job will be obsolete, but it will be because of self-healing, learning software, not software that was written 'perfectly.' Until that happens, however, we might spend our time trying to do things properly, and learning from our mistakes.
Nobody would support houses of mud and straw in the Northeast US just to keep a bunch of mud-slathering straw harvesters in jobs every time it rained. My house of stone, concrete, and wood requires maintenance on my part, and it has provided plenty of skilled, high-paying work to the local tradespeople in my city, as well as opportunities for me to learn valuable skills. Because of its construction, it also provides a safe place to sleep and run electrical wiring. But oh, the unemployed mud mixers! But when you think about it, who really wants to mix mud and straw for a living?
As for your economic 'theory,' read this. In short, it says that as an employee of the government, if you are talking about the US, you are advocating the continuous waste of my tax money so that you can remain employed. Please put that on your resume when you are out of work and apply for a job working for me!
Sorry, human rights and the right to fair treatment belong to EVERYBODY, regardless of citizenship.
We have accepted standards of treatment for people we are actively at war with. People who have no apparent hostile intent should get treated at least as well.
While I agree with you that there needs to be an accepted standard of treatment for terrorist actions, similar to the Geneva Accord for wartime, the sad fact is that such a standard does not, at this time, exist.
And these people aren't being treated unfairly; we're not letting them come to the United States without explaining terrorist connections. The United States doesn't belong to the world, it belongs to us, and we can say who we do and do not want to let in.
While I do feel that there should be some oversight over who gets put on this list and how they are selected, that the list should be made publicly available, and that there should be an appeal process to be taken off the list if necessary, none of those is an inalienable right.
I don't have a right to come into your home at any time I like. I can knock on your door and ask if I can come into your home. But if we don't really know each other, and you've seen me in the neighborhood a couple times with some known violent criminals, you would certainly think twice about inviting me in.
I don't see how the United States implementing a similar policy is any different.
I am disrespectful to dirt! Can you see that I am serious?!
I've about reached this point with the Swen worm. Since this past Saturday, about 80% of my email--home and office--is either the fake MS support announcement or message errors that tell me that my address was faked in trying to send Swen (got to be faked--I only run KMail on Linux). As my home email is dial-up (the pains of rural life) this is a real burden. Honest to God, are people really THAT STUPID? Until Microsloth can get its act together, we need to start blocking IE, Outlook, and Windows in general. Maybe then people would wise up and either fix their PCs or run a reliable OS.
"Love is a familiar; Love is a devil: there is no evil angel but Love." --William Shakespeare ('Love's Labors Lost')
Why doesn't the govt just demand better software? They are such a huge player that there would be a new market created just to sell secure software.
I don't buy this bullsh*t people keep spreading that it's impossible. It ain't; just as you can build secure bridges and houses, you can make software that is much more secure than today's crap.
There hasn't been a strong enough market for secure software and it's up to the consumers and govts to start demanding better software.
Even open source could use a kick in the butt to get their act together.
Compare vsftpd to some other random ftpd and you'll get my drift. Security is about design and not about being bug-free.
HTTP/1.1 400
Need I remind anyone that the 9/11 Terrorists all had Visa or Bogus Visa information. One of them even got stopped for a speeding ticket and had a bogus driver's license. Apparently they can forge or fake Visa information. So they don't need to go through our Visa system when they can steal a Visa or produce a fake one good enough to get through our system.
Either they need to patch their Windows servers and install a software firewall and keep their AntiVirus programs updated, or they need to get off of Windows and move to Linux or something that the Windows viruses won't run on.
How do we know that the virus didn't do something like pass certain Visa applications through without a security check? How do we know that Terrorists aren't using viruses to cause damage and bypass security in Visa checks? I heard that North Korea spends $3M USD a year to create viruses and trojans to attack various countries and systems. I wonder what other countries and organizations do this?
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Not allowing laptops isn't an option. Some users need mobile connectivity as part of their work.
That's why firewalls are an overrated security device.
Any decently-large organization should assume that evil systems will make it onto the local network. Maybe a laptop is trojaned while it's at home. Maybe the janitor is bribed to leave a PDA in an unused jack behind a shelf. Or most likely, a regular employee wants to escalate her privileges to make mischief (most "hacks" are insider jobs).
However the attack comes, you should be ready for it, by not giving locally-created network packets any special level of trust.
I've got Norton doing an update once daily on my home machine, and I still got the Blaster virus thanks to my not patching soon enough.
That's why virus-scanners are overrated as a security mechanism.
It's like protecting banks by checking a list of known criminals before letting someone in. Everyone gets to rob a bank at least once! Any determined attacker (as opposed to a random prankster) can have a custom, unrecognizable virus made before assaulting you.
Better than virus-scanning would be to change the unsafe behavior that exposes you to running untrusted code. Of course, that wouldn't help against Blaster much, because it's not a virus!
Worms are different, and virus-scanners are even less well-suited to handle them.