Slashdot Mirror


Virus Knocks Out U.S. Visa Approval System

GillBates0 writes "According to this story and many others, the State Department's electronic system for checking every visa applicant for terrorist or criminal history failed worldwide late Tuesday because of a computer virus, leaving the U.S. government unable to issue visas. The virus crippled the department's Consular Lookout and Support System, known as CLASS, which contains, among others, names of at least 78,000 suspected terrorists. It was unclear which computer virus might have affected the system. But a separate message sent to embassies and consular offices late Tuesday warned that the Welchia virus had been detected in one facility. Welchia is an aggressive infection unleashed last month that exploits a software flaw in recent versions of Microsoft Windows."

25 of 439 comments

  1. Windows Means Work by akedia · · Score: 5, Insightful

    As much as the Slashdot community hates Windows and likes to dump on its flaws, I've realized one thing: Windows means jobs in the IT security sector. As a Network Security technician, my job is, among other things, to make sure the latest threat to Microsoft software doesn't bring down the entire infrastructure in the federal department where I work. At least twice a week, my office has a meeting where we discuss the latest Windows virus or exploit, organize a task force, and then do a system-wide deployment of the fix to some 2000+ clients. I like to think that as long as Microsoft keeps making, er, crappy software, and as long as we still have crackers writing virii and trojans, I don't have to worry about losing my job. If there was some magical "perfect" software that never needed fixing (note: there isn't) then we wouldn't need IT security professionals now, would we?

    1. Re:Windows Means Work by Sevn · · Score: 4, Insightful

      I see where you are coming from. The problem is, Windows also means WORK. And MONEY. and LOST PROFIT. and having a freaking stone tied around your neck. Actually, more like having a TICKING TIMEBOMB around your neck and you have no idea what the timer is set for. So from an employee's standpoint, sure. Windows problems employ a hell of a lot of us. It's the companies that are getting royally screwed. And the ticking timebomb for us is when they suddenly wake up and realize that. At that point knowing another platform is going to come in mighty handy.

      --
      For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
    2. Re:Windows Means Work by grub · · Score: 4, Insightful


      What you mean is "Windows Means Job Security".

      Think of it from the other side of the fence; if you weren't running Windows on every desktop you wouldn't need your 2+/week meetings to discuss the latest viruses and trojans.

      Of course that would mean your IT budgets would be cut and people laid off as your group became more productive with less.

      We can't have that now, can we?

      --
      Trolling is a art,
    3. Re:Windows Means Work by Morosoph · · Score: 5, Informative

      Time again to post an article on The Broken Windows fallacy.

  2. Damn terrorists! by MagerValp · · Score: 5, Funny

    So now even terrorists using a fake name won't be able to get into the US!

    --

    READY.
    #
    1. Re:Damn terrorists! by Dr Caleb · · Score: 5, Insightful
      Only 78,000 suspected Terrorists?

      I thought the U.S.A. P.A.T.R.I.O.T act made everyone in the US a suspected terrorist. That should read "300,000,000+ suspected terrorists".

      Did you read that article on politechbot.com that they wouldn't let some guy wearing a little button that read "Suspected terrorist" fly on an airplane?

      --
      "History doesn't repeat itself, but it does rhyme." Mark Twain
  3. Priceless! by ncmusic · · Score: 4, Funny

    Seems like there's a Mastercard joke in here somewhere.

  4. Oh, *that* VISA.... by KFK - Wildcat · · Score: 5, Funny

    And here I was thinking about all the new "Already approved VISA platinum card!" in my inbox...

  5. Shut down on purpose, not failed.... by jdreed1024 · · Score: 5, Interesting

    According to a CNN article, the State Department shut down the network to prevent the spread of the virus. It was down from noon until 9PM on Tuesday. Shutting down a network on purpose is different from having it "fail" due to a virus.

    --
    There is no sig, there is only Zuul.
    1. Re:Shut down on purpose, not failed.... by phillymjs · · Score: 5, Insightful

      Shutting down a network on purpose is different from having it "fail" due to a virus.

      Not by much, since both have the effect of putting a stake through the heart of user productivity for however long it takes to exorcise the virus from all the systems.

      ~Philly

  6. When is the Gov't gonna learn by Anonymous Coward · · Score: 4, Interesting

    Some day soon there will be a class action lawsuit against M$ regardless of their 'Hold Harmless Agreement' in the EULA.

    And BTW, firewalls WON'T in and of themselves stop this kind of attack. Sure firewalls are your first line of defense, but all it takes is someone that has a notebook that is infected from home, a business trip or somewhere ELSE to bring it as a 'trusted' device on your clean network and BOINK, you are infected internally.

  7. Clearly the Kofi Annan of Slashdot commenters by Futurepower(R) · · Score: 4, Funny


    From the parent comment: "... Microsoft keeps making, er, crappy software ..."

    I just want to say that I appreciate the tactfulness, sensitivity, restraint, and diplomacy of that remark.

  8. Re:Does the state dept. read /. ??? NO by PaulK · · Score: 4, Insightful

    At what point will the government and public at large decide that "enough is enough?" Do people have to die before someone takes this seriously?

    Day after day, example after example, the world is inundated with successful attacks.

    We can say, "Well, people are stupid... They should know not to click on attachments." The reality is, though, that "1 in 7" users have problems with the power button.

    There is no future security in blaming the end user. It's high time that we look at the systems that allow this type of invasion, replace where necessary, and train the users accordingly.

    The talk of cost becomes irrelevant when recovery costs are totalled. Just wait for the first wrongful death suit revolving around an insecure system failure.

    If we insist that users are accountable, we must also demand that the corporate citizens are accountable.

  9. Re:Does the state dept. read /. ??? NO by Eric_Cartman_South_P · · Score: 5, Funny
    You forgot...

    4.) vi is better than e-macs

    5.) In Soviet Russia, you attack Virus!

    6.) People should patch their boxes bec.#J^@ATDT[NO CARRIER]

    7.) Don't use FreeBSD because it's dead/dying.

    8.) Apple is awesome. But I can't afford one.

    9.) Imagine a Beowolf cluster of those!

    10.) Patents, RIAA, Spooks, Windoze, Verisign, Politician, Spalling Checkirs; all bad.

    11.) Ogg, Apple, *nix, RMS, EFF; all good.

    12.) ???

    13.) Profit!

    PS. Mod's, go away. I'm just having fun. Don't put it up or down you fu%#d2DHATDT[NO CARRIER]

  10. My sister works there. by Anonymous Coward · · Score: 5, Informative

    Evidently, the virus was patched/cleaned pretty quickly, and there was no real security risk, as in national security, because when the system is down, they simply do not issue visas. Most places they probably just told people to come back tomorrow.

  11. Re:78 THOUSAND suspected terrorists? by suso · · Score: 4, Funny

    How? They just do a grep for names without vowels.

  12. Heads should roll... by ubiquitin · · Score: 4, Troll

    So who's responsible for IT security there? If they've outsourced IT security to Microsoft or Symantec, then it is well past time to fire them and put some linux or unix-based (low-cost high-availability) servers up. Ask any Linux sysadmin how they survived the last two months' worth of email virus bombardments. Then ask a Microscrap Exchange administrator. Do some simple math on the time and therefore money involved with maintenance of these systems. Why is no-one outraged about the tax dollars being wasted on cleanup of Microsoft-platform based email viruses?

    --
    http://tinyurl.com/4ny52
  13. Re:Does the state dept. read /. ??? NO by jaredcat · · Score: 4, Insightful

    >> 1.) Use a firewall to block unnecessary access from the external network

    Really this doesn't work as well as you'd think. If you have laptop users on your network, which nearly everyone does, it's analogous to wearing a plastic bubble suit but having unprotected sex with strangers every weekday morning.

    My office has about 60 users in it and is protected by PIX firewalls and techdata's email virus scanner. We have about 20 Windows servers in our server room (this doesn't include the many dozens of servers running Linux or Solaris, or the machines at one of our 3 colo sites), and we patch them all about once a month. Office workstations are forced to patch themselves weekly through a distributed Windowsupdate. So yeah, this should be pretty safe, right?

    Well about 3 times per week some user brings in a laptop, plugs it in to the LAN, and we get some new worm running around the office LAN.

  14. Want to sue over buggy code? by phillymjs · · Score: 4, Interesting

    Some day soon there will be a class action lawsuit against M$ regardless of their 'Hold Harmless Agreement' in the EULA.

    Actually, Business Week had an article about that a couple days ago, which I submitted last night (it was rejected). The author closed with (paraphrasing) "Maybe it's time some big customers refused to buy software without some sort of guarantee."

    These last few worms and e-mail viruses seem to have become the collective last straw. The unwashed masses are finally beginning to grouse about buggy software-- the tide is slowly beginning to turn against onerous "no liability" EULAs coupled to expensive software that is critical to business.

    A few years ago, Microsoft was very quick to whine that any delay in the release of Windows 98 forced on them by the government would hurt the U.S. economy and/or bring about the end of the world as we know it. Well, what about all these businesses who have to eat the costs of cleanup and lost productivity every time there's another Windows worm? Nooooo, that doesn't hurt the economy at all, does it?

    ~Philly

  15. Re:Does the state dept. read /. ??? NO by Xerithane · · Score: 5, Insightful

    1.) Use a firewall to block unnecessary access from the external network

    They probably do. Then a user VPNs in with an infected machine against policy, or brings a laptop in and plugs it in. This happens at my work, too.

    2.) Patch Windows often

    Define "often", please. It could be once a month, once a quarter. I'm sure they have change control plans.

    3.) Use anti-virus software and update the definitions often

    See above.

    I would have thought that the State Department would at least do these minimums (to keep its systems "safe from evil-doers"), but I guess you can't even expect that much from government work.

    No, it's just that it's easier to assume that you are smarter than them and assume you know their network and systems.

    --
    Dacels Jewelers can't be trusted.
  16. Re:78 THOUSAND suspected terrorists? by ryanvm · · Score: 5, Funny

    How on earth does the government come up with a list of _78,000_ suspected terrorists? This is the type of indiscriminate prejudice that a siege mentality creates.

    Ohp - now it's 78,001.

  17. Re:78 THOUSAND suspected terrorists? by ZoneGray · · Score: 5, Insightful

    >> Instead we spend more on a "war on terror" in a year than has been spent in the entire history of cancer research.

    Not even remotely true, unless you only count the money spent by the federal government. There are billions spent every day on cancer research by companies big and small, dwarfing what is spent chasing terrorists.

    It's like that year at the Oscars when all those wealthy actors stood up and complained that the US doesn't spend enough on the arts.

    Anyway, read the Preamble.... "in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity"

    No mention of curing cancer, or PBS documentaries, or midnight basketball, or time off from work to take your dog to the vet. Those things are all reasonable, but they're not the primary responsibility of government.

    Note, too, the difference in wording: "PROVIDE for the common defense, PROMOTE the general welfare."

  18. Re:Does the state dept. read /. ??? NO by Frater 219 · · Score: 5, Insightful
    No system is immune.

    But systems are not equally buggy. I discuss this here. No design and no development method is perfect. However, it is incontrovertible that some designs and some development methods yield software that fails less often; that fails less severely; and that fails more recoverably. We can inspect systems' behavior and say that for particular purposes, certain software is better than others. We can say this on the basis of technical facts, not merely marketing claims and promises of "support" and "warranty". We can also say it on the basis of historical evidence -- some systems have failed more often and more severely than others.

    A Microsoft Exchange mail server stores users' mail in a binary database, in a proprietary format. A Postfix or Qmail mail server stores users' mail in text files in a simple directory structure. We can make a reasonable (and correct!) prediction that in case of failure, it is easier to recover the content of mail from a Postfix or Qmail system than from Exchange. And, indeed, this is borne out by the experience of administrators: a maildir can get into an inconsistent state, but it's much easier to recover it than to recover an Exchange mail database.

    (Note that I'm not describing frequency of failure, but rather severity. We can also make predictions about the former, of course ....)

    Security holes are, from an engineering standpoint, simply another kind of failure. We can look at design choices such as privilege separation and chrooting -- applications of the Principle of Least Privilege -- and say that some systems will fail worse than others. A program that can't access files outside of /home/myprog cannot scribble on the kernel in /boot/vmlinuz. A Web server that runs as Administrator on Windows 2000 has opportunities to fail worse than a Web server that runs as www-data on Solaris.

    Simply put, there exist objective facts about security design, just as there exist objective facts about, say, civil engineering. Why doesn't the city construct water mains out of balsa wood and bridges out of papier-mache? It simply doesn't work very well. :)
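
The chroot and privilege-separation point in the comment above, as an added C example that is not part of the thread: a service started as root confines itself to a directory and irreversibly switches to an unprivileged account before doing any work, so a later compromise cannot reach `/boot/vmlinuz`. The function names `confine` and `can_write` and the uid/gid 33 are assumptions made for illustration; the paths are the ones the comment uses.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the calling process to `jail` and switch to an unprivileged
 * uid/gid. Returns 0 on success, -1 on failure; on failure the caller
 * must exit rather than keep running with privileges (fail closed). */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* never "drop" to root */
    if (chroot(jail) != 0) return -1;        /* needs root, so it comes first */
    if (chdir("/") != 0) return -1;          /* leave no cwd outside the jail */
    if (setgroups(0, NULL) != 0) return -1;  /* clear supplementary groups */
    if (setgid(gid) != 0) return -1;         /* group before user: after setuid we can no longer setgid */
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; } /* the drop must be irreversible */
    return 0;
}

/* 1 if `path` can be opened for writing by the current process, else 0. */
int can_write(const char *path)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

int main(void)
{
    /* Assumed values: jail path taken from the comment, uid/gid 33 as a
     * stand-in for an unprivileged service account such as www-data. */
    if (confine("/home/myprog", 33, 33) != 0) {
        perror("confine");
        return 1;
    }
    printf("uid=%d, kernel writable: %d\n", (int)getuid(), can_write("/boot/vmlinuz"));
    return 0;
}
```

Every return value is checked because a silently failed `setuid` leaves the process running as root inside a jail that root can leave.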

  19. Re:Does the state dept. read /. ??? NO by antiMStroll · · Score: 5, Insightful

    Congratulations, you win the MS/Godwin award for the first spurious comparison between an arcane, difficult OpenSSH exploit requiring manual application on a per-computer basis and detailed expertise, and a Windows plug-it-in-and-watch-it-die automatic worm vulnerability. I knew someone would rush to claim equivalency between such radically different apples and oranges but am surprised it's getting modded inside of a dozen first posts.

  20. Re:Does the state dept. read /. ??? NO by EzInKy · · Score: 4, Insightful

    Simply put, there exist objective facts about security design, just as there exist objective facts about, say, civil engineering. Why doesn't the city construct water mains out of balsa wood and bridges out of papier-mache? It simply doesn't work very well. :)

    You bring up a good point here. Civil Engineers are licensed professionals who are held legally accountable to follow certain well known design standards. Software Engineers on the other hand are unlicensed and expected to ensure that their designs are not well known to anyone other than their employers.

    --
    Time is what keeps everything from happening all at once.