Sasser Worm Takes Down UK's Coastguard
jonman_d writes "The Sasser worm has recently disabled the computer systems of Britain's Coastguard. Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems. Moreover, it raises questions of responsibility: if the worm writer is caught, can he be held at least partially responsible for any deaths that occurred during this outage?"
But here in the U.S., I believe it falls under both 18 USC 1030 and some clause in the Patriot Act.
Striking fear in the authors of godawful fanfiction, I am here, appearing in darkness, Tuxedo Jack!
The company or the people that are unable to secure their computer? There is a whole chain here, and in other cases with the law, it always seems the manufacturer gets sued. Shouldn't that be the case here? If there is a single vendor or individual that can be blamed, shouldn't they?
The difference here, possibly, being that Microsoft had patched against this and that could be seen as an equivalent to a warning or a recall. It makes you wonder though, if a worm hits on an unknown exploit, will Microsoft be responsible? In any other industry, I'd have to say yes, but I'm not so sure when it comes to software.
Anyhow, this is just another case for why any infrastructure should not be run on a single operating system. If you have multiple kernels with multiple implementations that can all work, you'll be much safer. Linux kernels with different versions, BSDs, AIX, Solaris... Those won't have the same exploits and have different strengths and weaknesses. No worm can traverse all of that (hopefully).
That's scary.
As reported on the BBC, this killed their mapping systems, forcing them to revert to the paper maps that they've always used in the past.
No safety critical systems were involved.
Debian: GNU/Linux done the Linux way
Despite the apparent Slash-Spin of this article it should be noted that Microsoft released the patch for this vulnerability over two weeks ago, per:
MS's Security Bulletin on April 13th (this is a week before Sasser "hit".) Microsoft did their job, but can the UK Coastguard do theirs? Apparently not... It is so easy to point the finger at the provider or some anonymous joe on the Internet, but it is so hard to take responsibility for your own lack of action. It's the UK Coastguard's job to apply their patches in a timely fashion so that the services they render can be reliably delivered.
It's possible to get these notices emailed to you as soon as they're available. These people should be fired, er wait.. in UK... sacked.
- Mind
Hear, hear!
Doesn't even need a *nix box.
A cheap NAT router would break the direct link to the network that sasser needs to spread.
No way does anyone need a publicly addressable IP on their office workstation.
Vive la RFC 1918
"goatse? What's that? Anyone have a link?" - AC
They are. If you use Windows Update then you get some of them bundled together in service packs etc., but if you actually look through the KB you'll find specific patches for individual vulnerabilities.
Well, who is there to do it? Our coastguard (for you non-UK, it is actually called the RNLI, which stands for the Royal National Lifeboat Institution).
You are misinformed; the Coastguard *is* a government agency. The RNLI is a fine charity but nothing to do with this story.
Coast Guard PCs one assumes are a standard build - all the software on the machines is the same. So testing new patches should only take a couple of days. The admins had 21 days.
Assuming the patch broke something critical and so couldn't be applied, well, the admins could have sat down and cried about it, or they could have done their job and read the security bulletin, which details workarounds if the patch can't be applied.
These include activating the local firewall on each machine, blocking a variety of ports on the outer wall, or creating read-only dummy files (echo dcpromo >%systemroot%\debug\dcpromo.log & attrib +r %systemroot%\debug\dcpromo.log)
Some of these workarounds could cause you pain - for instance the advice to "Block LDAP TCP ports 389, 636, 3268, and 3269 at your firewall" means that if you have an AD structure over a WAN it is going to break, unless you block those ports except for the specific IP addresses of your controllers, or you have a backup controller locally (which you should have anyway) that can take the strain while you work on getting the patch installed.
All this is work, more work than setting up SUS on the LAN and going to the pub. But as admins, this is what you are paid to do.
MS had a patch for this, as soon as the exploit was used they had a clean up tool available, they offer various free patch management systems for admins to use.
Bugs and exploits occur in ALL software. It was the admins who dropped the ball on this one, not MS. There was a patch, there were workarounds available if you couldn't use the patch and XP has a piece of inbuilt software that would have prevented the worm if you had it enabled. 3 ways to fix this, and 3 weeks to do the fix in. I don't see what else MS could be expected to do.
It has become appallingly obvious that our technology has exceeded our humanity. --Albert Einstein
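The LDAP-port workaround and its WAN caveat in the comment above, as an added example that is not from the thread or from Microsoft's bulletin: a small Python model of a first-match firewall ACL, with a check that a rule set denies the four LDAP ports from everywhere except the listed domain controllers. The controller addresses, the sample external addresses and the three rule sets are constructed for the example; the first-match, default-deny semantics are an assumption about the firewall being modelled.

```python
"""Sanity check for the 'block LDAP at the firewall' workaround.

Blocking TCP 389/636/3268/3269 blindly breaks Active Directory across a
WAN. This example models a first-match ACL and checks two properties:
the domain controllers can still reach the LDAP ports, and nobody else can.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The four LDAP / Global Catalog ports named in the workaround.
LDAP_PORTS = (389, 636, 3268, 3269)


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network       # source network the rule matches
    dst_port: Optional[int]          # None matches any destination port


def rule(action: str, src: str, dst_port: Optional[int] = None) -> Rule:
    return Rule(action, ipaddress.ip_network(src), dst_port)


def decide(acl: List[Rule], src_ip: str, dst_port: int) -> str:
    """First matching rule wins; anything unmatched is denied (assumed default)."""
    ip = ipaddress.ip_address(src_ip)
    for r in acl:
        if ip in r.src and (r.dst_port is None or r.dst_port == dst_port):
            return r.action
    return "deny"


def check_ldap_workaround(acl: List[Rule], controllers: List[str],
                          untrusted: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the ACL is sound."""
    problems = []
    for port in LDAP_PORTS:
        for dc in controllers:
            if decide(acl, dc, port) != "allow":
                problems.append(
                    f"controller {dc} is blocked on TCP {port}: "
                    f"AD over the WAN will break")
        for src in untrusted:
            if decide(acl, src, port) == "allow":
                problems.append(f"untrusted {src} can reach LDAP port {port}")
    return problems


# Constructed addresses: two remote-site domain controllers (RFC 1918)
# and two internet-side samples from the RFC 5737 documentation ranges.
CONTROLLERS = ["10.1.0.10", "10.2.0.10"]
UNTRUSTED = ["203.0.113.5", "198.51.100.77"]

# Naive reading of the bulletin: deny LDAP for everyone, controllers included.
NAIVE_ACL = [rule("deny", "0.0.0.0/0", p) for p in LDAP_PORTS]

# Corrected version: permit the controllers first, then deny everyone else.
CORRECTED_ACL = (
    [rule("allow", f"{dc}/32", p) for dc in CONTROLLERS for p in LDAP_PORTS]
    + [rule("deny", "0.0.0.0/0", p) for p in LDAP_PORTS]
)

# Common mistake: the same rules in the wrong order; the deny matches first.
MISORDERED_ACL = list(reversed(CORRECTED_ACL))


if __name__ == "__main__":
    for name, acl in [("naive", NAIVE_ACL), ("corrected", CORRECTED_ACL),
                      ("misordered", MISORDERED_ACL)]:
        found = check_ldap_workaround(acl, CONTROLLERS, UNTRUSTED)
        print(f"{name}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

The ordering case is the one that bites in practice: a rule set that looks complete on paper still locks the controllers out if the blanket deny precedes the allows, which is why the check evaluates the ACL rather than inspecting which rules are present.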
That's not true. The coastguard is an executive agency of the Department for Transport (DfT), whereas the RNLI is a charitable organisation. It is true that a lot of the sea based rescues are performed by RNLI volunteers but a lot of the coastal emergencies are tended by the coastguard itself. Helicopter rescues for example, don't involve the RNLI.
In other words, it is the Government's responsibility to hire competent administrators.
The Coastguard is responsible for coordinating various organizations (RNLI, RAF, RN etc.) in search and rescue operations in the UK. It is an agency of the Department of Transport. They monitor the emergency broadcast channels for the UK and a large section of the Atlantic Ocean and often further afield. Throughout the UK they have a number of rescue teams who often get involved with more than just maritime emergencies. The RNLI as you stated is a charity, staffed almost completely by unpaid volunteers. If a ship at sea needed assistance, HM Coastguard would be contacted and possibly send the nearest RNLI lifeboat to assist.
In the example of the grandparent, you type
apt-get update && apt-get -u upgrade
It tells you exactly what software has updates and offers to install them. It does the rest for you. Should you want to install one at a time because of potential/expected problems with upgrading them, type apt-get install package-name.
It's not tough.
-N
I've nothing to say here...
I really got the impression that the reporter was trying desperately to make this into a dramatic news story whereas the coastguard person was fairly level-headed about it. Even she stated that every employee has a backup laptop that is not connected to the Internet as a contingency plan in just these circumstances. Plus, they can also rely on paper maps if necessary.
Yes, we all know Windows has security holes (just like any other piece of software) and that Microsoft could do a whole lot more to make their software more secure - however, the fact is that using good firewalling and educating users properly is the best way of stopping 99.9% of all known worms and viruses.
Microsoft must take some of the blame but so should the salesmen and IT people for possibly not deploying the right platform in the first place and then, post deployment, not ensuring it's secure.
Gentoo Linux - another day, another USE flag.
Microsoft will send you an update on CD for free. There was a link posted here a while back, or try googling for it.
"Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
Perhaps you didn't read the article. It says the problem occurred when people brought infected computers (probably laptops) onto the network.
If it's not running, it can't be exploited!
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
I tried that update CD (figured if nothing else it would be useful to take to friends' houses who have dialup and need patches). The CD took no less than three months to get to my house! The postmark was like 4 days before I received it, so it was in processing for 3 months. In that time several new security patches had come out....
If they can't get the CD out in a few days, it's worthless. For instance, sasser? That CD would have been useless... as I still wouldn't have it.
Is Microsoft Software actually certified for safety critical systems?
Depends on what version of Windows they were running. Windows NT 4 (SP3) is the only version of Windows to have been evaluated against ITSEC criteria. It's unlikely they'd be running a certified product, however, as the second you apply a new Service Pack to the machine, it's no longer certified. Every evaluation I've been part of has been where a vendor has wanted to sell something to the Ministry Of Defence, and have needed to obtain certification under ITSEC or Common Criteria in order to do that.
I'm on 56k at home and I just don't get this argument. Am I missing something?
Every now and then I get a little globe appear in my system tray telling me that new updates are ready to download. I even get to review what these updates are.
A day or two later I get another one saying they are ready install. I've never had any problems. I've always assumed that windows update resumes whenever I reconnect. Am I wrong?
Oh yeah, the CD is useless as a rapid response option. The only use of it is to take off the top 200MB of your download, hence saving you some of the dialup costs. Once the CD is installed, you must get the latest stuff, hopefully just a few MB, from Windows Update.
"Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
Just a note for the non-British: in the UK, the Coastguard are not a part of the military.
You're not going to trust your military's computer system to enlisted folk, and chances are the officers are not aware of preventive measures. Those who are, assign such tasks to contract companies.
I don't speak for all military, but the Army has an entire major command dedicated to nothing but computers. Formed in 99, NETCOM has actually done a fairly good job in keeping things working. As far as threat detection, patch verification, and orders to deploy, NETCOM tends to be on a 72 hour turnaround. Given that the patch was issued April 13, it's way ahead of an outbreak like Sasser. Even better, they have the authority to disconnect. The orders to patch go straight to company commanders and sysadmins who can be reprimanded if their unit goes down. Even if they give the task to a contractor, they are still liable. I'd hate to be the company commander who sees the brigade commander over virus outbreaks. That seems to keep them in line pretty well.
SPC Gruhn
TNOSC-K, Systems Management Branch
1st Signal BDE
"First to Communicate!"
I suspect if everyone started using Linux and Macs, then we'll start seeing more viruses and worms written for them. For the most part, if you regularly keep your MS system updated and patched, these worms and viruses aren't really a problem.
Yesterday at my local Super Stop & Shop grocery store, all 6 of the self-checkout lanes were down, and all of the human checkout lanes were directing people to the service desk, where one poor woman was hand-imprinting who knows how many hundreds of credit card transactions per hour.
Why?
Apparently the system that reads my credit card number around four times a week for the past year has been running unpatched and unfirewalled.
Coool! Thanks, Stop & Shop IT!
No, they should be fired because they didn't keep up with the patches necessary. All software is 'faulty' and requires patches and updates. For as much hue and cry there is for Unix or Open source software, even these systems need patching from time to time, and some of the software used there has had HUGE problems if it wasn't patched.
Sendmail anyone?? BIND??? And wasn't there an Apache Chunk Handling Vulnerability a couple of years ago?
Microsoft software is used heavily in the world, but the problem is that for years, no training existed that *focused* on WHY we patch our software. There was no emphasis on patching. Add to that the fact that with the economy being the way it is, companies are doing more work with fewer people.
No one wants to work 12-14 hours a day; least of all sysadmins. We all have our own lives... families... other obligations too. Yet all too frequently, we're expected to patch and update the servers and desktops, the anti-virus software (don't deploy things without testing them first, of course), ancillary software etc. while keeping up with upgrade projects, daily problems, and keeping on top of technological advances as well. Yet, the boss goes home at 5. We're like residents in a med program - overworked, but unlike them, we never get to stop being that way.
In America today you can murder land for private profit. You can leave the corpse for all to see, and nobody calls the c
The sysadmins are not without blame nor are the netadmins, but the honest fact is people in the British Coastguard Agency took laptops home, plugged them into the internet and exposed them to hazards that they were not configured for. Then they returned to work and plugged those exposed laptops into their network carrying traffic for their critical application; and critical in this context means protecting life, limb and major property.
I'm going to make a guess here but I'd say that those people "borrowing" government laptops for personal use aren't joe or jane able-bodied-seaman types but people with brass on their shoulders, intelligent people who almost know enough and so are truly dangerous. Additionally, when the Lieutenant who writes your evaluation plugs in his laptop and the network gets swamped with worm traffic, do you blame him or say that an "internet exposed" computer in the office helped?
Microsoft has lowered the bar so low in the quest for ease of use that it's easy to change configurations without knowledge of the theories behind their actions or understanding of the possible results. Sysadmins test Microsoft-certified patches to make sure they don't break things while the users on the network willingly install known spyware; it's just insanity.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Well, the reason that a Windows admin is more busy with such stuff is twofold:
- More bugs
- Have to keep fixing things that are not being used at all, but that can't just be uninstalled/disabled.
For example, on my (FreeBSD in this case) Open Source OS based server, I can simply ignore patches for web browsers, mail clients, and generally any GUI based program since they are not installed or at least not functioning, and definitely not listening to the outside world without me having set it up that way very explicitly.
I do have to watch a very specific shortlist of products that need to be kept up to date, and I'll get a message on my phone in case a critical bug in one of those products is published in any of the known ways.
Having this shortlist of products (FreeBSD core, openssl, openssh, Apache, PHP) makes it very manageable, and in the end I don't have to update things that often.
It would also really help a lot if MS patches didn't break so much and so often. I can remember virtually every case where a FreeBSD patch managed to mess up my system over the last 8 years, and the last one goes back to the 3.x era some years ago. It seldom happens, and it's in fact so exceptional that I can run the risk of it happening on my production servers. The risk and consequences are waaay smaller than the much more likely break-ins that would result if I don't apply the patches.
At any rate, it doesn't take much time, and it is very clear what I have to watch and patch to keep secure. That is one of the main problems with Windows: even when you are a competent admin, you have so many things to watch, and keep discovering new things all the time.
Yes, I do believe that MS can be blamed for that problem. Such a system is not suitable for anything other than connecting to an isolated and trusted local area network. The fact that Windows uses IP for many LAN oriented services makes the problem a lot worse.
The funniest (saddest) part is that he's telling the truth. When the ACLU sued to challenge the Patriot Act, the very existence of their lawsuit was covered up by order of the Patriot Act!!!
"Who told you that the UK coast guard is a safety critical system? Who actually told you that they do anything besides wasting public money?"
If you actually believe that then you either are poorly informed, or are trolling.
Take a look at their website to see what they do. As someone who spends significant amounts of time off the coast of the UK on a boat, I am quite glad they are only a VHF call away.