Sasser Worm Takes Down UK's Coastguard
jonman_d writes "The Sasser worm has recently disabled the computer systems of Britain's Coastguard. Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems. Moreover, it raises questions of responsibility: if the worm writer is caught, can he be held at least partially responsible for any deaths that occurred during this outage?"
..., whose mistake caused the security hole, gets identified, can he be held at least partially responsible for any deaths that occurred during this outage?
I think it would be a lot better for companies to pursue options that would help prevent these kinds of things, not a short term asskicking to some script kiddy, when you know thousands more are willing to jump into his shoes for some "internet notoriety" or other BS.
Will wank off Linus Torvalds for fame.
OK I know there's going to be a million comments about how we should all patch vulnerabilities and there'd be no problems... and then the inevitable responses from admins who haven't done so because testing hasn't been complete and the patches are causing more problems after doing them...
But...
Why aren't MS patches single discrete objects? One patch for One vulnerability? That way IMHO clears the problem of a "patch" that comes up, is huge, and attempts to fix ten documented vulnerabilities (but knowing the code used in huge projects, it's possibly many dozen fixes at once).
This kind of fine grained control is what works WELL in Debian for example. To update an error in ssh, download its patch. To update an error in an X library, update that one library. Not bundled in with loads of extra crap.
I suspect this is a marketing thing. MS can truthfully say they only had 4 patches in a year, when the patches in linux systems number "in the hundreds", when the reality is far different.
Even MacOS seems to be partway to the debian like approach, where there may be a dozen security updates in a year fixing a small number of vulnerabilities each. It's a consistent line of updates, instead of happening in large steps over which an admin has no control.
On Monday, thousands of people tried to access the banking services of Deutsche Post.
Due to stricter security settings (because of Sasser) this was not possible for hours.
If this was a car company and they produced products that could lead to accidents (we've seen this before) they'd have been taken to the cleaners by now.
Yes virus writers are wrong, wrong, wrong to keep creating this crap BUT ultimate responsibility lies with Microsoft, they allow this to happen by producing third rate crap, avoiding the real issues and putting all their efforts it seems into political manoeuvrings and dodgy business practices. They are not fixing the problems, I suggest Bill gets his house in order.
Ok, would that make the virus writer responsible? Again, no. The virus writer just tossed a ball which somebody else picked up.
Who is this somebody else? Microsoft? No, again. Although, Microsoft did pick up the ball, they didn't throw it at the victim's window themselves. They only threw it to the next "player".
That next player would be coast guard management who decided to run their system on Windows instead of the more secure Linux or OpenBSD. Would they be guilty of manslaughter? Again, no. They just tossed the ball to the next player.
The next player would be the sysadmin who failed to run windows update on his known vulnerable system (A windows system is always deemed vulnerable. Thus, "not having heard of" the worm is no defense). And he would be the final player who tossed that ball through the window.
Actually a better analogy would be the gun makers. Should we put gun makers in jail b/c their products are used to kill people? The fault here lies with the malicious person, not the maker of the item. Sure, faults do exist in the product, but not anything that can cause problems usually without someone with malicious intent putting things into motion. With car makers, they usually get nailed b/c they ignore a defect that gets people killed in the normal day to day operation of the vehicle. For this to apply here, the software would have to crash on its own, and cause the breakdown, which is not what happened, an outside malicious force had to act first.
What's even worse is the fact that most internet users are still stuck on dialup! According to this recent article at CBS, 3 out of 5 internet users don't have broadband.
The very issue of security patches, their sizes, and the problems for dialup users trying to download them was covered here as well.
Man, watching 6 MCSEs around a Sun box looks a lot like the opening scenes of 2001: A Space Odyssey...
Hook, line and sinker but...
./virus.
According to Wikipedia Elk Cloner was the first virus to be caught "in the wild" i.e. outside of a research lab. It ran on Apple II systems, more than likely because MS-DOS was barely capable of running programs at the time.
Also, let's keep things in context, Sasser can install and execute itself remotely without any user interaction -- there is a big difference between that and booting from a random floppy disk or logging in as root, downloading, chmod +x virus, and executing.
No trees were harmed in the posting of this message. However, a great number of electrons were terribly inconvenienced.
The Danish newspaper Ingeniøren reports that the Sasser virus attack affected the Danish hospital, Herlev Sygehus. The hospital had to cancel scheduled CT scans because the scanners crashed. Also MR scanners were affected, though no scans were canceled.
"We do actually have a firewall, but apparently it hasn't been updated enough," says radiographer Jan Bovin. "It was the scanners running Windows 2000 and XP that were affected, the MR scanners running Linux had no problems," he says.
The original story is here (in Danish).
It appears that the consequences of the Microsoft monopoly are getting worse. Are there any Linux-run hospitals?
Heathrow wasn't spared yesterday
http://tinyurl.com/3h7fb
If I were a Linux vendor I would be all over BA and other victims pitching my stuff.... I know this is a bit wrong but hey Business is business and I am sure I would get these guys attention FAST!
Artificial intelligence is no match for natural stupidity
I work in a small insurance brokers without its own internal IT department, and as token geek I get the job of patching workstations since our external IT support guys can't find their own collective arse with both hands and a map.
As soon as the last batch of updates were released - starting about half an hour after I read about the updates on /. - I patched twenty odd workstations individually, manually, over two days. (Manually, because our IT experts have set up our system in such a way that the automatic update service doesn't work.)
Which is why it's f*cking galling that I checked our server's update history this morning and there are sixteen critical updates still waiting to be loaded, because the IT guys say we don't need them and, y'know, we shouldn't worry about it.
Aaagh!
>which twit thought it would be a good idea to have ports open by default with services listening to whatever crap other computers might send
Oh pleeze, are you saying Microsoft opened secret ports about which they didn't know? The organization didn't have a security policy that mandated closing unnecessary services, or they did not follow the policy (if it's really "unnecessary services" that screwed them up).
Until a year ago Linux would ship with a bunch of services running by default, which wouldn't usually matter (just remember sendmail's default - open relay). But any reasonable sysadmin (or organization) would either stop those services or block them at the firewall level.
Damn straight. Somebody needs their ass kicked over this one. Hopefully nobody dies as a result.
When your systems are that important, it's madness to run them unsecured. There should be strong firewalls on the networks and virus scanners on every machine. If the virus finds a way in (say a manager's laptop) there's no way it should be able to spread. And vulnerable systems (*cough* Windows *cough*) should be kept to a minimum.
I know some folks say if it's behind the firewall it's safe, but as we see again and again, that's rarely the case. It's my policy to ensure *every* machine is updated as required, and the servers and Windows machines run AV software.
Forget thrust, drag, lift and weight. Airplanes fly because of money.
How about :-
Don't have any services running on any ports unless the computer owner has explicitly asked for them.
Here's a question. Suppose I buy a new computer and I want to connect it to the internet over dialup to activate my copy of Windows XP. I now have to hunt around a bunch of menus to turn on the inbuilt firewall before I can do this. Then I have to download some megabytes of patches to make it safe. At a per bit cost that's ridiculous.
That's just not acceptable.
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
Interesting. I didn't consider the not clicking on some EULA. However, wouldn't the liability still only be manslaughter. If a car directly runs over someone, but the intent was not to kill, then isn't it still manslaughter, not murder? In this case, I doubt that the virus was intended to kill. So, perhaps limited liability might not apply here. However, I have been toying with the idea of also being able to get the virus writer with the DMCA.
The idea of the admin being responsible intrigues me. What if they don't have a system administrator? Can one still argue legally that since the average user is not technologically savvy and that they bought a product with the idea that it performed its function (especially in the case that the company claims it is secure), then could they argue that it is not their responsibility to make sure that the internal workings of the system work? I mean, you and I know better, but can an ignorant user rightfully claim that it is the software writer's responsibility to provide the service they paid for, without requiring the end user to pay for experts to monitor their system?
You and I know that is bunk, but I wonder how that would hold up legally...
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Although I think they've denied it in public, Delta Airlines was also brought down over the weekend by this worm. I have a friend who came to Church panting, out of breath because he was late and had to rush. He works at Delta and said he had been there since Saturday patching and cleaning machines. Right after services he was going back.
The system affected was one that calculates passenger and cargo weight so it can be distributed evenly throughout the aircraft. It's one of those systems that's easy to forget. It's not like air traffic control or reservations or something people would consider "critical".
It's scary but ironic that a small forgotten local sub-system can bring down a billion dollar corporation and inconvenience tens of thousands of people. It was local to Atlanta, used at the ticket counter and for flights leaving Atlanta but, bring down the hub and the entire operation is affected.
I agree that it isn't appropriate, but we in the U.S. have seen the application of the DMCA extend beyond its original intentions to be used to prosecute anyone who violates not only copy protection, but basically any sort of protection scheme. The DMCA has grown beyond simple copyright legislation, unfortunately, and that is why I suggested it.
I don't believe that it should be used in such a way, but if it is used to go after the "good" guys, then why not the bad as well?
Lately, it seems, the DMCA is trying to become the all-encompassing way to prosecute anyone who peeks somewhere they "shouldn't." This wouldn't work if someone explicitly opened the virus and it infected the system. However, if the virus sat there and hammered at holes in the software until it wormed its way in, then I don't see why they couldn't use the DMCA against that, as well.
I wasn't really suggesting it so much as putting it out there as a thought open for discussion...
*-*-*-*-*-*-*-*
"We are Linux. Resistance is measured in Ohms."
Slow Down the Security Patch Cycle?
This case would seem to support the reasons made in the computerworld article about slowing down the security patch release cycle.
If your gun exploded in your hand you'd sue the manufacturer.
Actually, there'd probably be people pointing fingers at everyone else. Was the problem with the gun, or the bullet? Maybe the problem was caused because you didn't keep the gun in proper care. Maybe the gun was old and out of date.
If the gun exploded in someone's hand then that would be a result of a defect, and something that is not caused by a malicious user. Slam Microsoft all you want, nothing wrong with that, but realize this specific incident would not have happened without a malicious user.
The analogy is still wrong.
Say a gun manufacturer manufactures a gun that will work for most people most of the time, and failures only involve reloading, no actual damages. This same gun, through poor engineering, has a weakness in the barrel that can only be affected by a certain type of ammunition. The manufacturer doesn't consider this important because nobody manufactures that type of ammunition, it's worthless ammo.
So someone handcrafts the ammunition that will exploit the flaw, sneaks into your house and loads your gun with it, then escapes without leaving any trace other than the ammo in the gun.
Now the gun blows up in your hand. Who's at fault?
Even stretched to the limits as the analogy is, there's one primary difference between this analogy and the actual topic. For guns there aren't thousands of individuals building ammunition specifically designed to ruin the guns and possibly hurt the people firing them. For computers, there are. If this were to happen for real with a gun manufacturer, the manufacturer would be acquitted of all charges, because he had a reasonable expectation that what became an engineering flaw through exploit would not ever be a problem. Not so with the OS producer. They have a reasonable expectation that their OS will be attacked, and the more market share they have, the more this expectation resembles waiting for the sun to rise, i.e. you *know* it'll happen.
The OS producer must bear some responsibility for it, for the same reason a car manufacturer must bear some responsibility for injuries sustained in a car accident due to safety systems not well-engineered. Even then, we tend to forgive the car manufacturer, because accidents aren't supposed to happen, and there's usually some idiot at fault.
I'm all for pointing at Windows and saying it sucks any day of the week, but I'm not so sanguine to blame microsoft for the script kiddie that wrote the virus. It's grey area, there. And let's not forget that our beloved GPL disclaims all warranties as well...
Like what I said? You might like my music
If someone breaks into my house, I am not suing the person who built my house.
Even if the lock and indeed the whole of the front door is pathetic, has known vulnerabilities and the maker still touts it as secure, with the well-known chairman of the company that built the house (door, lock and all) having announced a big push for increased security almost two years ago? How is the buyer of that house supposed to know that his front door is made of a material that looks like steel and feels like steel but offers about as much protection from burglars as Aerogel?
Microsoft claims Windows is secure. It isn't.
Money for nothing, pix for free
Hmmm
How about any unpatched operating system is officially unsuitable for this sort of thing.
Yes blame can and should be placed on MS for the design and security features of their software however a large portion of blame should go to the individuals and organisations that do not regularly update their systems.
As Linux takes off in the corporate world I expect there will be an increase in worms targeting that operating system, let's just hope that individuals and organisations learn the lessons and keep the systems patched or the problems will keep occurring regardless of the operating system being used.
Me: phew, almost our entire university network down, just by one stupid virus. Luckily I'm using Linux.
The other guy: What the hell is Linux???
int main(void) {while(1) fork(); return 0;}
Not to skip the M$ Bashing, but....
Shouldn't there be a bit better security in an essential service such as that? Why are people allowed to bring insecure machines in, and plug them into the network? Shouldn't they have 24/7 administration? Shouldn't someone have seen a report about Sasser, and patched their machines? We're not talking about Mom & Pop ISP here, we're talking about a branch of a nation's military. Why are people coming in with laptops from home, and being allowed on the same network with an essential infrastructure? Haven't their admins read any books on secure networking? What about firewalls between the essential infrastructure machines, and the compromisable network? The way the story sounds, people take their laptops home, browse the Internet, and come to work and plug in pretty much anywhere. I suppose there's more than one CCSP on staff saying "hey boss, told you so" err, maybe "Sir, remember those security recommendations I made last year? May we implement those now?"
Serious? Seriousness is well above my pay grade.
> Helicopter rescues for example, don't involve
> the RNLI.
Helicopter rescues quite often involve the RNLI. The RNLI however do not (AFAIK) have any helicopters. Helicopters from the coastguard or RAF frequently cooperate with the RNLI in effecting rescues.
John
Usual problems with sys admins having to patch thousands of machines (yes there are tools out there to help).
But also caused with the massive MS Windows monoculture (cf market dominance).
It's times like this that running 3 OSes at work for the users' desktops helps. But then I get stuffed by patching and trying to find tools that cover all my bases....(or run three tools!).
From Microsoft's website:
Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue that was addressed by the security update released on April 13
I work for the US Army. We knew about this way before the patch came out just by monitoring bugtrack. Less than 72 hours from the bug being confirmed by our service CERT, we firewalled access to this kind of thing. The patch was confirmed for deployment almost 48 hours after the patch became available. If it was not deployed 96 hours after the order, we shut the node down until we can confirm it's patched and ready to rejoin the network. The impact of Sasser on our networks? Almost ZERO.
All of our response is coordinated by the US Army CERT (ACERT). What did the British Coast Guard equivalent do? Is there such a thing? This is preventable, especially given the time from patch to exploit. It's not like this sprang up overnight. Even then, don't they have a team that monitors this stuff and has authority to order massive disconnect? It seems that MS is not at fault, the British CG CERT failed them here. If they did try to prevent this, what failed them? Antivirus? Admins who failed to patch? Lack of informing them downrange?
SPC Gruhn
TNOSC-K, Systems Management Branch
1st SIG BDE
"First to Communicate!"
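The post above lays out a patch-handling policy as three deadlines: firewall the vulnerable service within 72 hours of CERT confirmation, issue the deployment order within 48 hours of the patch release, and disconnect any node still unpatched 96 hours after the order. As an added example (not the poster's or the Army's own tooling), here is a Python check that encodes those deadlines and triages a set of constructed node records; node names and every date except the 13 April 2004 patch release mentioned in the thread are made up.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# The three deadlines described in the post, encoded as policy constants.
FIREWALL_DEADLINE = timedelta(hours=72)  # vulnerable service blocked within 72h of CERT confirmation
ORDER_DEADLINE = timedelta(hours=48)     # deployment order issued within 48h of the patch release
PATCH_GRACE = timedelta(hours=96)        # node patched within 96h of the order, else it is disconnected


@dataclass
class Incident:
    bug_confirmed: datetime   # service CERT confirms the vulnerability
    patch_released: datetime  # vendor security update becomes available
    order_issued: datetime    # deployment order sent to the nodes


@dataclass
class Node:
    name: str
    firewalled_at: Optional[datetime]  # when access to the vulnerable service was blocked, None if never
    patched_at: Optional[datetime]     # when the update was applied, None if still unpatched


def order_timeliness(inc: Incident) -> str:
    """Was the deployment order issued inside the 48h window after the patch came out?"""
    return "on time" if inc.order_issued - inc.patch_released <= ORDER_DEADLINE else "late"


def node_findings(node: Node, inc: Incident, now: datetime) -> List[str]:
    """Policy findings for one node at time `now`; an empty list means compliant."""
    findings: List[str] = []
    # Mitigation check: the firewall rule had to be in place within 72h of confirmation.
    fw_deadline = inc.bug_confirmed + FIREWALL_DEADLINE
    if node.firewalled_at is None:
        if now > fw_deadline:
            findings.append("firewall rule missing past 72h deadline")
    elif node.firewalled_at > fw_deadline:
        findings.append("firewall rule applied late")
    # Patch check: patched within 96h of the order, otherwise the node is cut off.
    patch_deadline = inc.order_issued + PATCH_GRACE
    if node.patched_at is None:
        if now > patch_deadline:
            findings.append("DISCONNECT: unpatched past 96h grace")
        else:
            hours_left = int((patch_deadline - now).total_seconds() // 3600)
            findings.append(f"unpatched, {hours_left}h remaining")
    elif node.patched_at > patch_deadline:
        findings.append("patched late (should have been disconnected meanwhile)")
    return findings


def triage(nodes: List[Node], inc: Incident, now: datetime) -> Dict[str, List[str]]:
    """Findings for every node, keyed by node name."""
    return {n.name: node_findings(n, inc, now) for n in nodes}


# Constructed incident and nodes (hypothetical). Only the 13 April 2004 patch
# release date is taken from the thread; everything else is made up.
INCIDENT = Incident(
    bug_confirmed=datetime(2004, 4, 10, 9, 0),
    patch_released=datetime(2004, 4, 13, 12, 0),
    order_issued=datetime(2004, 4, 15, 10, 0),   # 46h after release: inside the 48h window
)
NODES = [
    Node("ws-01", firewalled_at=datetime(2004, 4, 11, 10, 0), patched_at=datetime(2004, 4, 16, 9, 0)),
    Node("ws-02", firewalled_at=None, patched_at=None),
    Node("ws-03", firewalled_at=datetime(2004, 4, 14, 12, 0), patched_at=datetime(2004, 4, 20, 12, 0)),
]


def run_sample(now_iso: str) -> Dict[str, List[str]]:
    """Triage the constructed nodes as of an ISO-8601 timestamp, e.g. '2004-04-22T08:00'."""
    return triage(NODES, INCIDENT, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    print("deployment order:", order_timeliness(INCIDENT))
    for name, findings in run_sample("2004-04-22T08:00").items():
        print(name, findings or ["compliant"])
```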
Don't blame the script kiddies for this. They are just kids, after all ..... kids are by nature explorers and experimentalists, and this is pretty much hard-coded into the human firmware.
It's like placing a coin on a railway track to see what happens to the Queen's face when a train runs over it, and ending up derailing the train
..... an unfortunate consequence, not one that could reasonably have been foreseen by the "perpetrators" {all manner of crap already gets blown around railway lines, what difference does anyone suppose a coin will make?} but one that should have been taken into account by the implementors of the system. If the train makers can't be sure that a coin on the tracks won't derail their trains, then the trains are no good. What if a bird eats a berry, then shits the seed out and it lands on the track and that derails a train? Do you blame the bird? Blame the owner of the hedge the berry was growing on? Or do you blame the person who designed a train so badly that an object on the track would throw it off altogether?
This is an excellent opportunity to sow seeds of change. Open people's minds to the possibility that there might be an alternative to Windows. Ask questions. Did they know there were vulnerabilities? Well, did they not look at the source code? [the what?] The source code -- you know, the human-readable form of the code that can be examined and modified. What scrutiny did you subject the source code to? [but that's a secret!] What -- you bought a locked box that you knew you weren't going to be allowed to look inside, and you didn't get even the tiniest little bit suspicious that somebody might be trying to hide something from you?
Every piece of food you buy is clearly labelled with a list of the ingredients. {this was actually used in an anti-drug propaganda advertisement in the mid-1990s, till some bright spark suggested that surely legal drugs would be properly labelled and the problems caused by not knowing what was in pills and powders were merely a side-effect of prohibition}. The analogy between Microsoft and Tom Lehrer's Old Dope Peddler is a strong one. Give out free samples {educational licence discount}, get people hooked {file format lock-in}, watch the little puppets dance to your tune.
For my part, I have pledged never again to work with Windows, ever. At all. The only repair I will ever again do to a Windows box is to install Linux on it -- barring that, I will simply unplug the power cable, leave it unplugged and consider that an improvement. The time has already come when I would sooner forego a computer altogether than touch Windows.
Je fume. Tu fumes. Nous fûmes!
Microsoft.nl can't cope. This is the error message I just got when I tried to get to their website. Perhaps they haven't patched?
.NET Framework Version:1.1.4322.573; ASP.NET Version:1.1.4322.969
Server Error in '/' Application.
Procedure or function TrafficInsert has too many arguments specified.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Procedure or function TrafficInsert has too many arguments specified.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[SqlException: Procedure or function TrafficInsert has too many arguments specified.]
Weight and Balance is an extremely critical factor for flight safety. Even the largest airliners must have carefully controlled weight-distribution to avoid the CofG going 'out of bounds' during various stages of flight (including different trim and fuel states).
Some examples from the British AAIB archives:
12 Jan 1999: Fokker F27-600 crash near Guernsey (load moved).
18 Sep 1996 Boeing 737-4Q8, G-BSNW (Uncommanded roll due to incorrect fuel balance).
18 June 1972 Trident G-ARPI crash after takeoff at Heathrow (Weight and Balance as a contributory factor).
Ripping a new rectum in the fabric of spacetime.
Too many people get hit with these worms, have their systems fall completely, just to recover, update Windows and carry on as normal. Then, in another year or so, the next major worm comes out and they have to do it all over again.
There are too many people who use 'doze simply because it's "easy" and, probably mostly, "because everyone else is doing it..." I mean, if seeing these virus warnings on the news isn't enough to make people think "hmmm, when's the last *nix/Mac virus I heard about" and maybe actually look into it, I don't know what will work.
Maybe when Bill Gates finally grows the horns and starts talking in tongues, people will get the hint.
This sounds like the argument "Well, our tires do tend to blow-out at high speeds but why should we be held responsible? The EULA which comes with our tires specifically says that we are not liable for any damages and you agreed to our EULA by using our tires."
Nevertheless some guy wrote this:
My reply to that (unposted) was that it would be very difficult for a worm/virus to propagate under Linux. Especially if all "servers" are switched off. Simply because Linux is the opposite of Windows - there is no homogeneity.
With Linux we have:
- Different Kernel versions (2.2,2.4,2.6), patched versions, hardened versions
- Different commercial and free distributions (Red Hat, Mandrake, Gentoo, Debian, Slackware).
- Different packaging managers (rpm,apt,yum,portage,or none build from source code)
- Different set of libraries (XFree w/wo Nvidia acceleration,gcc, all with different versions)
- Different Window-Managers (none just console,fvwm,FluxBox,Gnome,KDE,Enlightenment)
- Different mail-client - if we are assuming a mail-enabled virus here - (mutt,pine,sylpheed,evolution,kmail,web browser-clients)
And that is a small list of the differences between my Linux and someone else's. Soon we might have even different alternatives to X-window itself. Of course most seem to have Mozilla, so some common denominator is emerging. But I think most people don't use the email client (and address book). Any biologist would reinstate that if you have a species which is highly homogeneous (and the analogy here is Windows-XP) it is in great danger of being wiped out to extinction by some common plague (worm/viruses). The thing most people hate about Linux - is what protects it from widespread attack (dependencies, lack of homogeneity).
Linux makes you more security-aware anyway. It endorses/teaches that practice instead of you just setting your (often ineffectual) "Windows-Update" on auto. Ok there is no such thing as a 100% secure system, but there is something at least 10x more secure than Windows: Linux
For how much longer are you Windows users going to put up with all this?
Err... Who told you that the UK coast guard is a safety critical system? Who actually told you that they do anything besides wasting public money?
All the real work is done either by the RAF or by volunteer lifeboats which do not get a single penny of government money. Frankly, I find it shameful and disgusting that a country in the big 8 which is also an island is incapable of even financing its lifeboat crews.
So frankly, if someone wipes off the coast guard completely no one will notice. Emergency services have direct lines to the RAF anyway, and most of the lifeboat crews are listening on the SOS frequencies as well.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
As someone who might at some time need the coastguard (I boat a lot) I say hang 'em high, both the virus writer and the idiot who didn't patch, and while you're at it, the moron who specced the system.
It's not the fact that MS is any worse than Linux software for bugs etc. BUT it is more at risk from virus attack so, all things being equal, the lower risk strategy is to pick Linux or similar in such a mission critical application.
A bit off topic, but a week or so ago there was a reality tv prog showing the coastguard/RNLI (RNLI is our volunteer rescue service for those not in the UK ) and some stupid moronic woman was hogging the rescue and calling channel 'for a laugh' these people should be removed from the gene pool too. ****RANT OVER****
I wasn't meaning to imply that MS shouldn't be blamed for the problem. Just trying to point out that even with a good patching solution, even the best ones will fail if the system admin doesn't apply them.
MS should bear the brunt of the blame. For as much revenue that is generated by their products you would expect them to have a better product by investing into it. By no means though is MS the sole bearer of the blame. The organization that chooses to use the OS and the administrators that don't keep up with the OS maintenance also share some of this responsibility.
Why does Microsoft ship OS software with so many ports open in the first place? Most people who buy computers are not all that computer savvy, and have no idea what a port is. But the security people want these same computer-halfliterates to close those ports.
If you know what a port is, then it is just as easy to open a closed one as to close an opened one.
What we need is an on-computer port-monitor service that scans every port on the machine while it is not otherwise busy. It should report to the user any opening of any non-solicited port, and identify the source program that asked for that port to be opened. Of course, the port-monitor should be configurable by the savvy user to skip over ports that the user may want to use.
Just my 2 cents.
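The post above sketches a port-monitor that reports any listening port the owner did not ask for and names the program holding it, with an allowlist for ports the savvy user wants. As an added example (not the poster's design or any shipped tool), here is a Python audit of that kind for a Linux host: it parses the output of `ss -Hltnp`, compares each TCP listener against a hypothetical allowlist of (port, program) pairs, and reports the rest together with how widely each one is exposed. The `ss` sample below is constructed, not captured from a real machine.

```python
import re
import shutil
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample of `ss -Hltnp` output (TCP listeners, header suppressed); made up for this example.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128  0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 127.0.0.1:631  0.0.0.0:* users:(("cupsd",pid=901,fd=7))
LISTEN 0 50   0.0.0.0:445    0.0.0.0:* users:(("smbd",pid=1337,fd=35))
LISTEN 0 128  0.0.0.0:8000   0.0.0.0:* users:(("python3",pid=2045,fd=3))
LISTEN 0 128  [::]:22        [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0 511  *:80           *:*       users:(("nginx",pid=700,fd=6),("nginx",pid=701,fd=6))
LISTEN 0 128  127.0.0.1:5432 0.0.0.0:*
"""

# Ports the owner explicitly asked for, paired with the program expected to hold them.
# Hypothetical policy for the sample host; a real deployment would load this from a config file.
ALLOWED: Set[Tuple[int, str]] = {(22, "sshd"), (631, "cupsd"), (80, "nginx")}

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::", "*"}
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')  # first ("name",pid=N) pair in the users:(...) column


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: Optional[str]  # None when ss could not see the owner (sockets of other users need root)
    pid: Optional[int]


def parse_listeners(text: str) -> List[Listener]:
    """Parse `ss -Hltnp` lines into Listener records, handling IPv4, bracketed IPv6 and '*' forms."""
    out: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip blank or unexpected lines
        addr, port = fields[3].rsplit(":", 1)   # split on the last colon so IPv6 survives
        m = PROC_RE.search(line)
        out.append(Listener(addr.strip("[]"), int(port),
                            m.group(1) if m else None,
                            int(m.group(2)) if m else None))
    return out


def exposure(lst: Listener) -> str:
    """Human-readable reach of the socket: loopback only, every interface, or one address."""
    if lst.addr in LOOPBACK:
        return "loopback"
    if lst.addr in WILDCARD:
        return "all interfaces"
    return f"interface {lst.addr}"


def audit(listeners: List[Listener], allowed: Set[Tuple[int, str]]) -> List[str]:
    """Report listeners the owner did not ask for, naming the program that opened each one."""
    findings: List[str] = []
    for lst in listeners:
        if lst.process is None:
            findings.append(f"port {lst.port} ({exposure(lst)}): owner unknown, rerun as root to identify")
        elif (lst.port, lst.process) not in allowed:
            findings.append(f"port {lst.port} ({exposure(lst)}): unexpected listener {lst.process}[pid {lst.pid}]")
    return findings


def live_ss_output() -> Optional[str]:
    """Run ss on this host if it is installed; None means fall back to the sample."""
    if shutil.which("ss") is None:
        return None
    try:
        return subprocess.run(["ss", "-Hltnp"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    # Pass --live to audit the current host instead of the constructed sample.
    text = (live_ss_output() if "--live" in sys.argv else None) or SAMPLE_SS_OUTPUT
    for finding in audit(parse_listeners(text), ALLOWED):
        print(finding)
```

Run with `--live` on a real host the allowlist will of course need editing first; every listener not in it is reported, which is the point.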
no no no...
This isn't Microsoft's fault. They aren't purposely trying to create an insecure platform. WHY would a company that wants to make money even consider that? Why don't you try building a product the scope of Windows, and make sure it's 100% airtight?
It also isn't the fault of system admins. Despite the grumblings of many /. users, Microsoft makes legitimate server software, and using it is not necessarily a bad thing. It has its strengths and weaknesses just like *nix and Linux.
How 'bout we blame the real culprit, THE VIRUS WRITER. You make it seem as if Microsoft was paying this pimple-faced kid to make this thing. This guy/gal created this worm of their own volition. It was their CHOICE. To blame MS and sys admins is like giving this person a free pass. Place the blame where it belongs--on the malicious little shit who wrote and distributed it. When they sat down to make Sasser, they weren't doing it for noble reasons, they were doing it to be dicks.
--They say only a fool looks at the finger pointing to the sky...
The company is one of Sweden's largest insurance companies, it's called "IF" and I think I'll change to a company that has their shit more in order.
You are not entitled to your opinion. You are entitled to your informed opinion. -- Harlan Ellison