Slashdot Mirror

← Back to Stories (view on slashdot.org)

Time Bomb May Have Destroyed 800 Norfolk City PCs' Data

Posted by timothy on from the philadelphia-experiment dept.

krebsonsecurity writes "The City of Norfolk, Virginia is reeling from a massive computer meltdown in which an unidentified family of malicious code destroyed data on nearly 800 computers citywide. The incident is still under investigation, but city officials say the attack may have been the result of a computer time bomb planted in advance by an insider or employee and designed to trigger at a specific date, according to krebsonsecurity.com. 'We don't believe it came in from the Internet. We don't know how it got into our system,' the city's IT director said. 'We speculate it could have been a time bomb waiting until a date or time to trigger. Whatever it was, it essentially destroyed these machines.'"

12 of 256 comments (clear)

  1. Just so you get the pronunciation right... by Overzeetop · · Score: 5, Funny

    It's Naw-Fuck.

    And it's nowhere near as embarrassing as how we pronounce Buena Vista.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:Just so you get the pronunciation right... by Overzeetop · · Score: 4, Informative

      Byoo'-nah Vis'-tah

      The locals have taken the whole diphthong pronunciation (when two vowels go walking...) to an extreme.

      We also have Staunton, which is pronounced Stan-tun (short a sound).

      --
      Is it just my observation, or are there way too many stupid people in the world?
    2. Re:Just so you get the pronunciation right... by xaxa · · Score: 4, Funny

      It's Naw-Fuck.

      In proper Norfolk... well, I'll let Wikipedia explain: More cutting, perhaps, was the pejorative medical slang term "Normal for Norfolk", referencing the county's supposedly high rate of incest. In truth, Norfolk's incest rate is no higher than the rest of England. The term is now discredited, and its use is discouraged by the profession.

      (Sorry, did you want an on-topic comment?)

  2. It happened on Patch Tuesday. by gimmebeer · · Score: 4, Interesting

    I wonder if there is any correlation between the number of PCs that crashed and the number of PCs set to automatically download and install patches...

  3. Re:Essentially destroyed? by v1 · · Score: 4, Insightful

    if they were running backups, they wouldn't be scratching their heads and behaving completely ignorant of what exactly it was or when it was put in. They obviously lost everything, which I'm sorry but I find some darwinism/justice in that. If you don't even have a backup to look at to see what it was sitting on the hard drive waiting to blow up, you're just beyond help. Maybe better luck next time.

    But too many out there simply must learn their lessons the hard way. That will never change.

    --
    I work for the Department of Redundancy Department.
  4. No explaination by HotNeedleOfInquiry · · Score: 4, Insightful

    As to why they couldn't just boot to linux or a recovery CD and salvage the data....

    --
    "Eve of Destruction", it's not just for old hippies anymore...
    1. Re:No explaination by wiredog · · Score: 4, Informative

      Explanation here.

      --

      Best Slashdot Co
  5. Norfolk's IT is fail. by castironpigeon · · Score: 5, Insightful

    So the data is wiped because the System32 folder is fucked up? Uh-huh... guess they have to throw out all those computers and order new ones. Looks like the data's gone forever.

    --
    mmmm...forbidden donut
  6. Re:Essentially destroyed? by MightyMartian · · Score: 4, Insightful

    We've instituted offsite backups, both over the tubes and physically taking images of our servers (all virtualized of course) offsite to a bank safety deposit box. If, for whatever reason, the whole damned building explodes tomorrow, we've got the data sitting on servers in two other geographically distant locations. But if we can't get to those, we have the VM images, so as long as we can get our hands on a server capable of running Linux KVM, we could be up and running in short order (I estimate 3-4 hours, including host OS installation).

    The days when a physical or digital attack can fuck the whole organization are gone. There are enough traditional and newer backup schemes out there that even long downtimes aren't necessary.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  7. Destroying Evidence by Reason58 · · Score: 5, Insightful
    From the article:

    IT specialists for the city found that the system serving as the distribution point for the malware within the city’s network was a print server that handles printing jobs for Norfolk City Hall. However, an exact copy of the malware on that server may never be recovered, as city computer technicians quickly isolated and rebuilt the offending print server. “Obviously, our first reaction was to shut it down and restore services, and at least initially we weren’t concerned about capturing [the malware] or setting it aside,” Cluff said.

    Obviously, your reaction was wrong in every way. When a system is compromised you physically unplug it from the network and keep it powered on so that you can run forensics on it. Good work destroying any evidence you might have had about not only who performed this attack, but what weakness in your security they exploited to accomplish it. All that just to get a print server of all things back online as fast as possible.

  8. Re:Essentially destroyed? by Lumpy · · Score: 4, Insightful

    You got it. it's also a great example of how incompetent most City's IT staff are, Hey municipalities... you get what you pay for. How's those $25,000 a year IT staff working out for ya?

    --
    Do not look at laser with remaining good eye.
  9. Remind me the next time I write malware... by davidwr · · Score: 4, Informative

    * Check every few seconds to see if network goes down
    * Write a bogus entry in the log files that points to some oddball behavior, like a disk-read error or something
    * If network is down freeze screen so it looks like computer just locked up
    * Ignore all input
    * Wipe key parts of disk so forensic recovery is impossible or at least very difficult
    * Wipe key parts of memory so forensic recovery is impossible or at least very difficult
    * Wipe key parts of cache so forensic recovery is impossible or at least very difficult
    * Force or fake a BSOD screen so a casual user will think his computer crashed and blame any resulting data loss on the crash

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.