Slashdot Mirror

← Back to Stories (view on slashdot.org)

Houston Courts Shut Down By Malware

Posted by timothy on from the full-employment-for-compsec-types dept.

Conficker is still at it: dstates writes "The municipal courts of Houston were shut down yesterday after a computer virus spread through the courts' computer systems. The shutdown canceled hearings and suspended arrests for minor offenses and is expected to extend through Monday. The disruption affected many city departments, the Houston Emergency Center was briefly disconnected and police temporarily stopped making some arrests for minor offenses. The infection appears to be contained to 475 of the city's more than 16,000 computers, but officials are still investigating. Gray Hat Research, a technology security company, has been brought in on an emergency contract to eradicate the infection. In 2006, the City spent $10M to install a new computer system and bring the Courts online, but the system has been beset by multiple problems. After threatening litigation, the city reached a $5 million settlement with the original vendor, Maximus, and may seek another vendor."

15 of 126 comments (clear)

  1. Oops by symbolset · · Score: 5, Funny

    It's amazing what can happen when you "lose" a few dozen pen drives with downadup at various strategic places.

    --
    Help stamp out iliturcy.
    1. Re:Oops by Z00L00K · · Score: 5, Insightful

      Especially since today almost every computer is delivered with autorun enabled.

      We have seen far too many malicious attacks due to the fact that someone thought that it has to be "user friendly". But some of that user friendliness is just plain annoying and raises the blood pressure. Just because I have a few pictures on my stick doesn't mean that I want to view them every time I stick it in.

      The problem is that "user friendly" often means "attack friendly".

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    2. Re:Oops by symbolset · · Score: 5, Funny

      10 million zombies can't be wrong.

      --
      Help stamp out iliturcy.
    3. Re:Oops by Sopor42 · · Score: 5, Informative

      Just to clarify... the process is slightly more involved if the drive in question has "more than one type of content", even if fully up to date, b/c then Windows (XP) doesn't give you the "do this every time" option. For that you have to actually access the drive properties autoplay tab, select "mixed content" then "select an action to perform" and then "take no action" and finally apply/ok.

    4. Re:Oops by INT_QRK · · Score: 4, Insightful

      This may seem a little orthogonal. However, the municipal court system is the core instrument of government power to the average citizen. So, how does it ensure that a vendor doesn't place itself in a position to now "own" the court's IT, able to covertly violate confidentiality, integrity and availability of critical court records at will? Thinks of how a well-resourced entity like a drug cartel might have incentives to subvert a court system, becoming, in essence, an "insider" to the system. Certainly at the federal level agencies like the DoD, for example, also use private vendors (albeit highly vetted), but they also conduct extensive in-house testing throughout development and across the life cycle through via certification and accreditation regimes (e.g., DIACAP: http://en.wikipedia.org/wiki/DIACAP). Municipalities lack such resources and are at the mercy to a "low bidder," esecially one that doesn't need to turn a profit from the primary customer but is able to offset that in spades by secondary and tertiary "silent partner" customers. Should we consider, perhaps extending federal IT resources down to local levels?

  2. MS Monoculture by NtroP · · Score: 4, Insightful

    The monoculture strikes again! My heart is bleeding peanut-butter right now. Having all your eggs in one basket (especially Microsoft's) is never a good idea.

    --
    "terrorism" and "pedophilia" are the root passwords to the Constitution
  3. Do courts need computers? by yog · · Score: 4, Interesting
    I thought courts were a sort of mecca for low tech methods. They use court stenographers, video taping is very limited, and it's all based on the spoken word. It's not like the prosecutor is going to talk through a Powerpoint presentation to make his/her case. Or do they allow this these days? I don't go to courtrooms very often....

    From the article:

    The $10 million effort by Maximus Inc. to bring the courtâ(TM)s activities online was immediately troublesome to judges, clerks and prosecutors and delayed court proceedings in 2006. After threatening litigation, the city reached a $5 million settlement with Maximus and may seek another vendor.

    It sounds like this whole computerization effort was poorly executed from the get-go. Many such projects have problems, since they typically pit bumbling bureaucrats against shark-like consultants.

    Anyway maybe they ought to take the database and just pull out the pending cases using ad hoc queries, and send the print-outs to the courthouse so they can get on with their work. This can't be rocket science here.

    --
    it's = "it is"; its = possessive. E.g., it's flapping its wings.
    1. Re:Do courts need computers? by John+Hasler · · Score: 4, Informative

      I thought courts were a sort of mecca for low tech methods.

      Not true, at least for US Federal as well as many state and local courts.

      They use court stenographers...

      Who have been using computers for twenty years to my certain knowledge.

      ...video taping is very limited...

      Video tape depositions are routine.

      ...and it's all based on the spoken word.

      Actually it's mostly based on the written word. It is the court record that matters, and that means what the stenographer keyed into her computer in addition to the orders signed by the judge and the documents filed by the parties.

      It's not like the prosecutor is going to talk through a Powerpoint presentation to make his/her case.

      Yes, as a matter of fact, it can be rather like that. And many Federal courts require that filings be made in electronic form. Here is a link .

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  4. Re:Easy fix to this. Use OS X. by iammani · · Score: 4, Insightful

    Social engineering can work on *any* OS (even the OS certified by NSA) . It is the user that needs to fixed.

  5. The Evil Empire Strikes Again by CNothing · · Score: 5, Funny

    It's as if a thousand bureaucrats cried out "Houston, we have a problem" in terror, and were suddenly silenced.

  6. Re:Dear Houston, by cloakable · · Score: 4, Funny

    It's more of a gaping hole, it seems

    --
    No tyrant thrives when every subject says no.
  7. Re:Which OS was infested? I bet I can guess. by painehope · · Score: 5, Informative

    Windows, of course. It's what every single computer that I've seen in any court, jail, or police station in Houston (and Harris County, which Houston is in) runs.

    And I've seen more than a few...

    Interestingly, courts are pretty technical down here. The employees are still as dumb, but if you're in Houston City Jail, you don't even see a judge or talk to anyone in person (other than Johnny Law). The pre-trial personnel speak to you via a telephone or a speaker in the wall of the room, you don't even see their faces in the newer city jail. Both jails the judges are linked in on a high-resolution screen, whether it's your actual court (for City, not County) or just a probable cause arraignment (which, not surprisingly, never releases anyone, no matter how ridiculous the evidence is).

    Harris County is technical in the court, but if you're just talking to your lawyer in the court holding cell, you don't even see the inside of a courtroom.

    Of course, Fort Bend County (where I live) is so non-technical it's hilarious. I was jammed up in their system over Thanksgiving (no bonds or releases on holidays - I was in there for a damn class C misdemeanor, and sat 3 days), and got a visit from my father. The moron cops actually used their network closet as a holding tank for prisoners awaiting room in visitation. I was alone in there at one point, staring at a dusty Cisco router that was at least ten years old, plus what could only have been their video system (which looked even older). I was so tempted to just rearrange cables...until I thought about how long it might take them to find someone to fix it, and how that might effect my release (which was scheduled for the next day).

    Of course, the plus side to my county is that judges actually see you face-to-face, and will release you if it's a bullshit case. Much preferable to a high-tech system with no justice at all.

    --
    PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
  8. City Employees Surfing at Work by Anonymous Coward · · Score: 4, Interesting

    Ok, so if these computers were used solely for official business, there wouldn't be this big of an issue. Lower paid workers tend not to have computers or internet at home, so they use work systems for "surfing." No internet access and email should only be via highly filtered webmail. USB, DVD drives and floppies locked off with zero access.

    I used to work in Telecom. Our biggest malware/virus issues were at E911 centers even when the computers were on a dedicated network without any non-911 access. The nationwide 911 system doesn't use IP, so the problems didn't come from outside each 911 center. Those folks were paid $8/hr by cities and were under constant virus and malware attack from workers bringing programs in on diskettes, CDs and USB drives.

    The other problem is the lack of understanding that many municipalities have over computer system maintenance. Many localities are smart and cautious, while many others treat work systems like home systems and hope for the best. Some have decided to provide free municiple wifi internet access with the same network their police and emergency services use for remote access. fools.

  9. See . . . by sunspot42 · · Score: 5, Funny

    After threatening litigation, the city reached a $5 million settlement with the original vendor, Maximus, and may seek another vendor."

    That's what happens when you buy your network from a vendor just because you liked their SimCity games.

  10. Inside Job! by Darkk · · Score: 4, Insightful

    They can have the best firewalls and anti-virus e-mail scanner on the planet but it takes ONE person with an infected laptop to plug it into the internal network and do it's dirty work without them knowing it in time.

    It's possible they have been infected for months and didn't know it until things started to act funny.

    To have that many PCs infected didn't surprise me as they didn't bother to take proper security precautions and audits. System admins didn't routinely check for viruses on their servers and didn't check their logs for anything out of the ordinary is asking for trouble.

    I guess the system admins there figured, "Well, long as nobody is complaining about anything we're golden." It's possible they have a very small IT staff and outsource the security details to the vendor who they bought the system from who they are putting the blame on?

    We have a security firewall appliance at work that does just about everything but I don't rely on it 100% to make sure it's doing it's job. I go through the logs daily and test it. Just have to be proactive on finding problems and fix it before anybody else notices it.