Forgot your password?
typodupeerror
Security Bug Operating Systems Software Windows

Sasser Worm Takes Down UK's Coastguard 733

Posted by timothy
from the thanks-for-using-windows dept.
jonman_d writes "The Sasser worm has recently disabled the computer systems of Britain's Coastguard. Naturally, this event raises even more doubts over the reliability of Microsoft software in critical systems. Moreover, it raises questions of responsibility: if the worm writer is caught, can he be held at least partially responsible for any deaths that occured during this outage?"
This discussion has been archived. No new comments can be posted.

Sasser Worm Takes Down UK's Coastguard

Comments Filter:
  • He should be (Score:5, Insightful)

    by Heartz (562803) on Wednesday May 05, 2004 @05:32AM (#9061354) Homepage
    We must come down hard on these individuals. Virus/Worm writters write code with malicious intentions.

    It wouldn't be murder per say, but definitely manslaughter. If they catch the guy, I hope the full force of the law comes down on him.

    • Re:He should be (Score:5, Insightful)

      by rokzy (687636) on Wednesday May 05, 2004 @05:35AM (#9061369)
      but also some responsibility on the retards who didn't get a secure system - MS is officially unsuitable for this sort of thing.

      if the virus writer is the "terrorist" then the coast guard admin is the idiot who ignored the "we're coming to bomb $building at $time on $day in a $colour van with registration $reg" message.
      • Re:He should be (Score:4, Insightful)

        by Anonymous Coward on Wednesday May 05, 2004 @06:00AM (#9061495)
        if the virus writer is the "terrorist" then the coast guard admin is the idiot who ignored the "we're coming to bomb $building at $time on $day in a $colour van with registration $reg" message.

        Don't forget the 'oh, and please leave the gate open or we'll have to go somewhere else'.

        Yes, it is partially Microsoft to blame as well - which twit thought it would be a good idea to have ports open by default with services listening to whatever crap other computers might send? You really have to trust your programming to allow something like that. If it's not actually necessary, why do it?
        • Re:He should be (Score:5, Insightful)

          by andy landy (306369) <aplandells@@@hotmail...com> on Wednesday May 05, 2004 @07:28AM (#9061861) Homepage
          I still don't buy the "Microsoft is responsible" talk, sure their software is buggy, but so is many other software. I've seen Linux and other Unix systems rooted, yet nobody starts claiming "It's all Linus' fault" etc.

          Okay, so the Free Software folk invariably have patches out within hours of an exploit being discovered, but this hole has already been patched too.

          The onus is on the virus writers (and Script Kiddies etc) who write malicious code and to some degree on people not maintaining their systems.

          Not locking your front door doesn't give you the right to blame the door-making companies when you get burgled. You can still blame the burglars, but you're out of luck if you claim insurance since it's your own fault.

          It's different if there aren't any patches, and I'm well aware that Microsoft have their problems and need to be more secure, but I still stand by my judgement that they can't be held responsible for every virus outbreak that happens!
          • Re:He should be (Score:5, Insightful)

            by ichimunki (194887) on Wednesday May 05, 2004 @08:00AM (#9062008)
            There is little comparison between unlocked doors and computer worms. If my nieghbor doesn't lock his door and gets robbed, this probably doesn't mean that the robbers will now use my neighbor's house as a place from which to launch a robbery of my house. However, on the net, when someone leaves an unsecured, hacked system running, their computer increases the risks for everyone else because, whether they know it or not, they are helping the virus writers breed their nasty little piece of software.

            Whether or not my neighbor is to blame for having been robbed (which I don't believe he is), the point is: if my neighbor's computer is hacked and starts to attack mine, that's when we start to have a heightened sense of his responsibility in the matter.
          • Re:He should be (Score:3, Insightful)

            by infinite9 (319274)
            Not locking your front door doesn't give you the right to blame the door-making companies when you get burgled.

            What if the door company advertised their doors in a way that led you to believe that the door was locked when a design flaw meant it wasn't? And when the design flaw was pointed out to them, they mentioned it with a free fix on their website, but did nothing else? And a hundred thousand people were all robbed on the same night? In meatspace, people would be screaming for blood. I think the a
      • Re:He should be (Score:3, Interesting)

        by Faluzeer (583626)
        "but also some responsibility on the retards who didn't get a secure system - MS is officially unsuitable for this sort of thing."

        Hmmm

        How about any unpatched operating system is officially unsuitable for this sort of thing.

        Yes blame can and should be placed on MS for the design and security features of their software however a large portion of blame should go to the individuals and organisations that do not regularly update their systems.

        As linux takes off in the corporate world I expect there will

        • Re:He should be (Score:5, Insightful)

          by AllUsernamesAreGone (688381) on Wednesday May 05, 2004 @07:25AM (#9061850)
          The problem with patching Windows systems is that a responsible admin will not simply roll out the patches across all the systems. Microsoft is very good at giving you two problems for the price of fixing one so a lot of Windows admins do extensive testing of patches before applying them across all their systems. In another situation, I would give them the benefit of the doubt and say they were hit while testing the patch.

          However, this isn't another situation and, if their machines had been properly firewalled (can someone please explain to me why any ports other than those for servers running in a DMZ should be visible over the net, because I'll be damned if I can think of any) they wouldn't have been infected. Hell, if they had zonealarm running on all the boxes they'd be safe even if they don't have a decent firewalls between their LANs and the net.

          Yes, Microsoft isn't without blame (maybe if they made patches that didn't crap all over your machines life would be better) but in this case sloppy admins have struck again.
    • Re:He should be (Score:3, Interesting)

      by Willeh (768540)
      I think it would be a lot better for companies to persue options that would help prevent these kinds of things, not a short term asskicking to some scriptkiddy, when you know thousands more are willing to jump into his shoes for some "internet notoriety" or other BS.
  • by Tuxedo Jack (648130) on Wednesday May 05, 2004 @05:32AM (#9061355) Homepage
    But here in the U.S., I believe it falls under both 18 USC 1030 and some clause in the Patriot Act.
    • by Bender Unit 22 (216955) on Wednesday May 05, 2004 @05:52AM (#9061451) Journal
      and some clause in the Patriot Act
      doesn't everything? seems to me that it get stretched more than a rubber band.
  • by Interruach (680347) on Wednesday May 05, 2004 @05:34AM (#9061361) Journal
    Is Microsoft Software actually certified for safety critical systems? I thought it was not warranted for that use.
    However, it's not just the software at fault. Whoever implemented the system was sharing a network with other people's machines in some way, without a firewall. There is fault spread out here, between microsoft, the lifegaurds IT people, and the virus writer.
    • by upside (574799) on Wednesday May 05, 2004 @05:38AM (#9061382) Journal
      My thoughts exactly. Back here in Finland a bank had to close shop in the entire country for a day because of Sasser. Instead of being worried about how they didn't update their systems I'm more worried why MS is being used on mission critical systems like banks and the coast guard.
    • by matth (22742)
      Perhaps you didn't read the article. It says the problem occurred when people brought infected computers (probably laptops) onto the network.
    • by mpe (36238) on Wednesday May 05, 2004 @08:38AM (#9062250)
      Is Microsoft Software actually certified for safety critical systems? I thought it was not warranted for that use.

      Back to the issue of using the right tool for the right job. In many situations no "Off The Shelf" ("Commercial" or otherwise) is suitable.
      From an engineering POV an Open Source System is more likely to be a good tool, even if you use some standard package/distribution as a starting point. Since you can then verify that it does what it should do and only what it should do. (A lot of malware involves use of unneeded "features".) Something which is very difficult with proprietary software since you need to take things of trust from the vendor and virtually impossible with something like Windows. Which in addition to being proprietary software contains deliberate "sphagetti code".
    • Err... Who told you that the UK coast guard is a safety critical system? Who actually told you that they do anything besides wasting public money?

      All the real work is done either by RAF or by volunteer lifeboats which do not get a single penny of government money. Frankly, I find it shamefull and disgusting that a country in the big 8 wich is also an island is incapable of even financing its lifeboat crews.

      So frankly, if someone will wipe off the coast guard completely noone will notice. Emergency service
  • by rudy_wayne (414635) on Wednesday May 05, 2004 @05:34AM (#9061363)

    Why did the the UK Coastguard allow this to happen? The Sasser worm is 100% preventable if your system is properly patched and firewalled.

    • by zakezuke (229119) on Wednesday May 05, 2004 @06:16AM (#9061583)
      Why did the the UK Coastguard allow this to happen? The Sasser worm is 100% preventable if your system is properly patched and firewalled.

      If their Coastguard's mentality is anything their American counterpart's I can think of a damn good reason why this happened. *Support contracts*. Legendary documents written in stone that require that a specific agency do all maintance and repair of their PCs. Dispite the fact that the operator is more then able to click on the reccomended patches, doing so could get you into alot of trouble. Your not going to trust your military's computer system to enlisted folk, and chances are the officers are not aware of preventive measures. Those who are assign such tasks to contract companies.

      Taking these matters on your self opens you up to a whole bunch of no fun, such as the military justice system. So one learns it's not their job... nothing will ever get done about it... and hope one's tour of duty is up reall soon before you go insane.
      • by gruhnj (195230) on Wednesday May 05, 2004 @08:28AM (#9062194)
        Your not going to trust your military's computer system to enlisted folk, and chances are the officers are not aware of preventive measures. Those who are assign such tasks to contract companies.

        I dont speak for all military, but the Army has an entire major command dedicated to nothing but computers. Formed in 99 NETCOM has actully done a fairly good job in keeping things working. As far at threat detection, patch verification, and orders to deploy, NETCOM tends to be on a 72 hour turnaround. Given that the patch was issued April 13, its way ahead of an outbreak like Sasser. Even better, they have the authority to disconnect. The orders to patch go straight to company commanders and sysAdmins who can be repremanded if their unit goes down. Even if they give the task to a contractor, they are still liable Id hate to be the company commander who sees the brigade commander over virus outbreaks. That seems to keep them in line pretty well.

        SPC Gruhn
        TNOSC-K, Systems Management Branch
        1st Signal BDE
        "First to Communicate!"
    • by BiggerIsBetter (682164) on Wednesday May 05, 2004 @06:21AM (#9061597)
      Damn straight. Somebody needs their ass kicked over this one. Hopefully nobody dies as a result.

      When your systems are that important, it's madness to run them unsecured. There should be strong firewalls on the networks and virus scanners on every machine. If the virus finds a way in (say a managers laptop) there's no way it should be able to spread. And vulnerable systems (*cough* Windows *cough*) should be kept to a minimum.

      I know some folks say if it's behind the firewall it's safe, but as we see again and again, that's rarely the case. It's my policy to ensure *every* machine is updated as required, and the servers and Windows machines run AV software.
  • by osewa77 (603622) <naijasms.gmail@com> on Wednesday May 05, 2004 @05:39AM (#9061385) Homepage
    It's not just Linux that forms a good alternative to Windows. OPenBSD was built to be a secure OS. Where lives are involved, there is good reason to go the extra mile to use an OS which, though less convenient, has proven to be more reliable. In the current era, with all these worms, Microsoft just isn't the best alternative. On the other hand, all they needed to do was use http://windowsupdate.microsoft.com and enable Windows' built-in firewall software. Worm and Virus writers should be made to know that they are accountable when their creations do what they were (mis)designed to do "take over systems, disable them, disrupt networks?" How do you actually catch the original author of a worm, anyway?
  • Patches (Score:5, Interesting)

    by Amiga Lover (708890) on Wednesday May 05, 2004 @05:39AM (#9061386)
    OK I know there's going to be a million comments about how we should all patch vulnerabilities and there'd be no problems... and then the inevitable responses from admins who haven't done so because testing hasn't been complete and the patches are causing more problems after doing them...

    But...

    Why aren't MS patches single discrete objects? One patch for One vulnerability? That way IMHO clears the problem of a "patch" that comes up, is huge, and attempts to fix ten documented vulnerabilities (but knowing the code used in huge projects, it's possibly many dozen fixes at once).

    This kind of fine grained control is what works WELL in debian for example. To update an error in ssh, download it's patch. to update an error in an x library, update that one library. Not bundled in with loads of extra crap

    I suspect this is a marketing thing. MS can truthfully say they only had 4 patches in a year, when the patches in linux systems number "in the hundreds", when the reality is far different.

    Even MacOS seems to be partway to the debian like approach, where there may be a dozen security updates in a year fixing a small number of vulnerabilities each. It's a consistent line of updates, instead of happening in large steps over which an admin has no control.
  • by Phil Hands (2365) on Wednesday May 05, 2004 @05:39AM (#9061388) Homepage
    As reported on the BBC [bbc.co.uk], this killed their mapping systems, forcing them to revert to the paper maps that they've always used in the past.

    No safety critical systems were involved.
    • by ColaMan (37550) on Wednesday May 05, 2004 @05:54AM (#9061457) Homepage Journal
      It depends on how you look at it:

      The computer mapping system (I presume) is easier to use than the paper maps. So if someone's missing and it takes (say) an extra 5 minutes to get the map out, plot drifts and currents and say "we'll search here", and the searchplane passes overhead 4 minutes after the boat has sunk without trace... is this still safety critical? If an extra life could have been saved if you had the computer system up?
  • Just generally ... (Score:5, Insightful)

    by Quixotic Raindrop (443129) on Wednesday May 05, 2004 @05:40AM (#9061392) Journal
    ... no. To be guilty of any kind of homicide or manslaughter, your act has to have been the proximate cause [freeadvice.com] of a person's death. The writer(s) of the Sasser worm might have prevented the Coast Guard from rescuing someone in danger, but the fact that that person was in danger in the first place was not the fault of the virus writer, which would prevent even an involuntary manslaughter charge. Unless the worm caused, say, a malfuntion in the boat's bilge system, which caused the boat to take on too much water and capsize ...

    With that, are they off the hook? No way. If they are caught, there are lots of laws they could be charged with, some of which are felonies. Murder, or even manslaughter, are not among them, however. At least, not under this limited hypothetical.
    • In addition, I was fairly sure that there was a limited liability policy on software that limited damages that could be recovered from death or other injuries caused by software (this includes both the Microsoft product, since people have mentioned their potential liability, and the virus itself, if you want to extend the definition of software to viruses) to the price of the CD. In this case, since it was a virus propagating, then the price of the CD is nothing, which would limit the liability of the viru
      • Wrong (Score:3, Insightful)

        by mericet (550554)
        IANAL, but:
        Limited liability exists only when the software was voluntarily and knowingly installed (e.g. after reading a EULA and clicking OK). So you can expect full liabilty (both criminal and civil). In many jurisdications, if a virus directly caused a death they could be charged with murder.

        The admin is guilty of negligence, again both criminal (only in the case of gross negligence, which could be failing to patch a critical system), and civil (although as an employee, this usually only means losing

        • Re:Wrong (Score:3, Interesting)

          by dexterpexter (733748)
          Interesting. I didn't consider the not clicking on some EULA. However, wouldn't the liability still only be manslaughter. If a car directly runs over someone, but the intent was not to kill, then isn't it still manslaughter, not murder? In this case, I doubt that the virus was intended to kill. So, perhaps limited liability might not apply here. However, I have been toying with the idea of also being able to get the virus writer with the DMCA.

          The idea of the admin being responsible intrigues me. Wha
          • Re:Wrong (Score:3, Insightful)

            by mericet (550554)
            No, the car analogy is wrong. At least in the jusrisdictions I'm familiar with, as long as you commited a crime (virus writing/distributing) deliberatly, you commited all side effects of said crime. A more accurate analogy would be an accidental death caused by arson. At least in my jurisdiction, virus writing/distributing is a crime by itself.

            If they didn't have an admin. Managment would still be potentially liable (negligence of not having a competent admin), and civil liability would not be diminished.

    • Proximate cause (Score:3, Interesting)

      by ArsenneLupin (766289)
      Quoting from your link, second paragraph:

      Responsibility for injury lies with the

      last negligent act that produces the injury (after the ball rolls down the hill, a stranger picks it up, throws it through a window which breaks the glass, causing the glass to shatter and strike a person who was sitting next to the window, cutting her arm and requiring her to obtain medical treatment). In this example, although you caused the ball to roll down the hill, your act is not the proximate cause of the injury to the

  • Sasser FUn! (Score:5, Insightful)

    by ender81b (520454) <billd@@@inebraska...com> on Wednesday May 05, 2004 @05:42AM (#9061397) Homepage Journal
    Working tech desk during Sasser outbreak is fun lemme tell you. God save microsoft if they actually were responsible for tech support costs during this thing.

    I figure i've taken 40 some Sasser Calls. Each call takes about 7-10 minutes to clean it off and all that. So you figure, 320 minutes or 4 hours of my time. That comes to costing my company something like $40 odd dollars. Now multiply that 40 some by the thounsands of techs just like me who have to do the same thing.

    I almost can't blame the customers for doing this. Ever try just updating windows xp over broadband? Takes forever. Now try pulling down 50 some megs of critical updates over a freaking dialup modem. Remember - not a *single* major PC manufacturer I know of installs ANY critical updates on their home pc's they sell to the end user. Nothing. Nada. Dell, HP, Compaq, etc. I've ranted about how irresponsible and stupid this is before and i'll continue to do so now :). I've had two people call recently who - literally - just bought a brand new computer from the local best buy, plugged it into the internet and with 5 minutes got either Sasser or Blaster.

    I dearly, sincerly wish that Microsoft would actually build not only a real firewall into their products or/and shut off unneeded services to the internet. I also wish manufactures would actually ship their machines with all the critical updates installed. I also want a pony.

    This outbreak isn't as bad as blaster was but still. I'm no MS hater, I understand their product code base is massive and keeping track of all that and bug fixes takes an enormous amount of money and time but they *seriously* need to work on security. I would estimate virus cleanup and spyware sucks up 10-15% of my time at work.
    • Re:Sasser FUn! (Score:3, Interesting)

      by harikiri (211017)
      I almost can't blame the customers for doing this. Ever try just updating windows xp over broadband? Takes forever.

      What's even worse is the fact that most internet users are still stuck on dialup! According to this recent article [cbsnews.com] at CBS, 3 out of 5 internet users don't have broadband.

      The very issue of security patches, their sizes, and the problems for dialup users trying to download them was covered here [securityfocus.com] as well.

    • Re:Sasser FUn! (Score:3, Insightful)

      by Zocalo (252965)
      I figure i've taken 40 some Sasser Calls. Each call takes about 7-10 minutes to clean it off and all that. So you figure, 320 minutes or 4 hours of my time. That comes to costing my company something like $40 odd dollars. Now multiply that 40 some by the thounsands of techs just like me who have to do the same thing.

      Or try this: According to Microsoft 1.5m users downloaded the cleanup tool via Windows Update. This does not include users that cleaned off their systems via a third party tool from an AV v

  • by Peter Cooper (660482) on Wednesday May 05, 2004 @05:43AM (#9061410) Homepage Journal
    How hard is it to have a BSD or Linux box acting as an el-cheapo firewall between the Internet and your internal network? I have a $200 laptop which has done just that task for several years now. I can never be bothered to patch my (Windows) machines, but they never have trouble because they can only talk within each other and not get attacked from the outside. Jeez, even if you paid someone to install it, you could have the whole job done for $1000 with old hardware and a copy of FreeBSD.

    I offer one reason why this doesn't happen too often, particularly in the UK. Way too many 'technical consultancies' for institutions like the coastguard are staffed by MCSEs with no proper computer science knowledge who just install Windows XP on every machine, set up 'Internet Connection Sharing', and leave. They wouldn't even dream of putting a non-Windows box on a network!

    Thankfully these worms and virus attacks are showing up these idiotic 'we only touch Microsoft stuff' agencies for what they're worth. Any decent technical consultant should be able to advise companies on the right hardware and software to use, independent of vendors.. so it might be Microsoft on the client end, and UNIX on the back end.. but no, the UK (at least) is filled with MCSE ridden agencies who get totally lost when they don't have a 'Start' button to click.
    • Firewalls aren't enough.

      Someone always manages to bring an infected laptop inside the firewall.

      Those 'technical consultancies' need to include keeping the systems patched in that TCO they love to rant about so much.
    • How hard is it to have a BSD or Linux box acting as an el-cheapo firewall between the Internet and your internal network? I have a $200 laptop which has done just that task for several years now. I can never be bothered to patch my (Windows) machines, but they never have trouble because they can only talk within each other and not get attacked from the outside. Jeez, even if you paid someone to install it, you could have the whole job done for $1000 with old hardware and a copy of FreeBSD.

      If you're talkin
  • by Meijer (237978) on Wednesday May 05, 2004 @05:44AM (#9061416)
    On Monday, thousands of people tried to access the banking services of Deutsche Post.
    Due to stricter securities setting (because of Sasser) this was not possible for hours.
  • Devil's advocate (Score:5, Insightful)

    by pleitner (95644) on Wednesday May 05, 2004 @05:46AM (#9061424)
    While I fully agree that the authors of virus/worms etc must be held accountable for their actions, surely there are other parties that are also liable for any issues that arrise from a virus/worm infestation.

    The obvious one is the good old Microsoft. This has been beaten to death so many times that I am not going to delve into it...

    The other group to consider is the people who have been infected. They have partially brought any problems upon themselves. This happens because of many things including the choice they made to run the system was vulnerable, the choice to not patch promptly (if a patch was available), the choice to not better secure their critical systems, etc.

    Blaming the virus/worm authors and the author of the vulnerable software is easy (and absolutely right), but people really need to start looking beyond that and realise that it is really their decisions that are the core issue. If you don't want to be vulnerable to Windows virii/worms then don't run Windows. If you need to run Windows, secure it. If is a critical app, pay some serious attention to it...

    Basically, I am advocating a bit of responsibility for ones own destiny...
  • by baadfood (690464) on Wednesday May 05, 2004 @05:48AM (#9061432)
    Seriously, whoever was responsible for designing and implementing the system the coast guard uses is at fault. I can't belive that people who put together systems that perform life critical functions cannot be held liable for the choices they make - I dont think the OS choice is relevent. Its the setting up of a system that is exposed to the internet. Systems on which peoplses lives depend have no business being connected to unsecure systems - they should be dealing ONLY with the data needed to perform their task.
    • by FreeUser (11483) on Wednesday May 05, 2004 @08:00AM (#9062013)
      Seriously, whoever was responsible for designing and implementing the system the coast guard uses is at fault.

      I find this propensity for blaming the victim to be very disturbing. Microsoft has been fraudulantly representing their system as both stable and secure, just as they have been fraudulantly representing their system as less expensive than their competitors' products (GNU/Linux, OS X, *BSD, etc). This is a matter of public record ... one need only peruse their website and their past marketing of Windows, coupled with their slanderous misrepresentations of competitors such as Linux.

      Now, one can argue that the technical staff of the coast guard should have known better (so too should every victim of every fraud perpetrated), but the fact that they didn't is hardly negligence on their part, when their vendor misrepresents their product's security on a daily basis.

      I can't belive that people who put together systems that perform life critical functions cannot be held liable for the choices they make

      I dont think the OS choice is relevent.

      Clearly the data do not support this. Mac OS X is demonstrably more secure than windows, both systematically through an architectural analsys, and through historical emperical data (number of exploits, timeliness of patches, effectiveness of patches, etc.). Ditto for the various flavors of BSD, ditto for Linux, ditto for IBM's various mainframe operating systems, and the list goes on.

      Clearly, as the underlying architect and definition of a system's security design, policy, and implimentation, the operating system is the single most relevant design choice one can make.

      Its the setting up of a system that is exposed to the internet. Systems on which peoplses lives depend have no business being connected to unsecure systems - they should be dealing ONLY with the data needed to perform their task.

      That is unrealistic. Systems which are networked together can save lives. A ship is in trouble and automatically reports its position for rescue, allowing the crew to get on with the more immediate task of not drowning. A hospital computer notes a patient's decline and automatically notifies other systems, which notify the appropriate physicians and medical staff. Proper implimentation is critical, of course, but the "cut the cable" solution is nonsensical, particularly when reasonably secure alternatives such as Linux, Mac OS X, and *BSD exist and are well proven.

      The worm writer, and Microsoft's fraudulant representation of their operating system as stable and secure, are the primary culprits in this fiasco. It is time we stopped blaming their victims, and held the perpetrators responsible instead.
    • To be fair to the coast guard although there computer system was inoperative they did have a perfectly workable backup solution in place which they were able to use to exactly the same end result as they would have achieved using the computers.

      OK so it was a worm which took down the systems this time which is something you can protect against but at the end of the day you shouldn't rely on any computer system without a manual backup process ( if it is possible to implement one ) which can take over for saf
  • by Alioth (221270) <no@spam> on Wednesday May 05, 2004 @05:53AM (#9061455) Journal
    Windows is a consumer operating system (despite labels like Windows XP Professional). It has no business being installed on any critical system. This just goes to demonstrate further that you can't cut corners and make false economies by installing consumer operating systems where they are not appropriate.
  • by mindmaster064 (690036) on Wednesday May 05, 2004 @06:00AM (#9061493) Homepage
    Despite the apparent Slash-Spin of this article it should be noted that Microsoft released the patch for this vulnerablity over two weeks ago, per:

    MS's Security Bulletin on April 13th [microsoft.com] (this is a week before Sasser "hit".) Microsoft did their job, but can the UK Coastguard do theirs? Apparently not... It is so easy to point the finger at the provider or some anonymous joe on the Internet, but it is so hard to take responsibilty for your own lack of action. It's the UK Coastguard's job to apply their patches in a timely fashion so that the services they render can be reliably delivered.

    It's possible to get these notices emailed to you as soon as they're available. These people should be fired, er wait.. in UK... sacked.

    - Mind
    • Slow Down the Security Patch Cycle? [slashdot.org]

      This case would seem to support the reasons made in the computerworld article about slowing down the security patch release cycle.
    • It's easier said than done, though.

      Does anyone really trust MS Updates anymore? There've been to many horror stories of Updates breaking other stuff for 100% of Windows Admins to trust Windows Update immediately.

      Plus there are the basic "rules" about never installing something on a production machine until you're sure it doesn't break anything, combined with never installing anything until someone else has dicovered all of the bugs.
      Put these together, and it becomes hard to risk putting patches on anym

  • by thesp (307649) on Wednesday May 05, 2004 @06:02AM (#9061512)
    The one consistent question that keeps being raised in my mind whenever I hear about mission critical systems being brought down by worms/viruses is: Why were these systems ever connected to the wider world in the first place? Mapping systems? Baggage loading computers? Surely these don't need to talk outside anything but a single discrete group of computers. My fear is that people tend to put web browsers, email clients etc on any system these days, for convenience, which is quite bad for security. Here in my office we have two networks, with two machines on the desk (on a KVM switch), one for external email, internet etc, and one for internal work (it's called COREnet). We've had problems with the former, but the critical, internal stuff has gone on quite happily on the latter, untroubled by worms. Oh, and software patches and antivirus are available centrally on COREnet, so the boxes on the internal network aren't just left to chance should something come on via zipdisk/cd. And our company rolls on....
  • Morons! (Score:5, Insightful)

    by Pan T. Hose (707794) on Wednesday May 05, 2004 @06:07AM (#9061537) Homepage Journal

    From the article [independent.co.uk]:

    The Sasser worm, which exploits a flaw in Microsoft's Windows software, disrupted work at the Marine and Coastguard Agency, forcing staff to use pencil and paper to find ships and locate distress calls on maps. [...]

    Anyone with an infected machine should visit Microsoft's website to download a software "patch" to fix their system.

    No! Anyone with an infected machine should stop visiting Microsoft's website and never use Windows in such a critical environment as the Marine and Coastguard Agency for God's sake!

  • by erik_norgaard (692400) on Wednesday May 05, 2004 @06:11AM (#9061556) Homepage

    The danish newspaper Ingeniøren [www.ing.dk] reports that the Sasser virus attack affected the danihs hospital, Herlev Sygehus. The hospital had to cancle scheduled CT-scannings because the scanners crashed. Also MR-scanners were affected, though no scannings were canceled.

    "We do actually have a firewall, but aparently it hasn't been updated enough" sais radiographer Jan Bovin. "It was the scanners running Windows 2000 and XP that were affected, the MR-scanners running Linux had no problems," he sais.

    The original story is here [www.ing.dk] (in danish).

    It appears that the consequences of the Microsoft monopoly are getting worse. Are there any linux-run hospitals?

  • by OlivierB (709839) on Wednesday May 05, 2004 @06:14AM (#9061568)
    Heathrow hasn't been spared yesterday

    http://tinyurl.com/3h7fb

    If I were a Linux vendor I would be all over BA and other victims pitching my stuff.... I know this is a bit wrong but hey Business is business and I am sure I would get these guys attention FAST!
  • Sasser Frazzed (Score:4, Interesting)

    by zenmojodaddy (754377) on Wednesday May 05, 2004 @06:17AM (#9061585)
    I work in a small insurance brokers without its own internal IT department, and as token geek I get the job of patching workstations since our external IT support guys can't find their own collective arse with both hands and a map.

    As soon as the last batch of updates were released - starting about half an hour after I read about the updates on /. - I patched twenty odd workstations individually, manually, over two days. (Manually, because our IT experts have set up our system in such a way that the automatic update service doesn't work.)

    Which is why it's f*cking galling that I checked our server's update history this morning and there are sixteen critical updates still waiting to be loaded, because the IT guys say we don't need them and, y'know, we shouldn't worry about it.

    Aaagh!
  • Delta Airlines (Score:5, Interesting)

    by DeanFox (729620) * <spam DOT myname AT gmail DOT com> on Wednesday May 05, 2004 @06:34AM (#9061659)

    Although I think they've denied it in public, Delta Airlines was also brought down over the weekend by this worm. I have a friend who came to Church panting, out of breath because he was late and had to rush. He works at Delta and said he had been there since Saturday patching and cleaning machines. Right after services he was going back.

    The system effected was one that calculates passenger and cargo weight so it can be distribuited evenly through out the aircraft. It's one of those systems that's easy to forget. It's not like air traffic control or reservations or something people would consider "critical".

    It's scary but ironic that a small forgotten local sub-system can bring down a billion dollar corporation and inconvience tens of thousands of people. It was local to Atlanta, used at the ticket counter and for flights leaving Atlanta but, bring down the hub and the entire operation is effected.

  • Overexagerrated (Score:5, Informative)

    by pandrijeczko (588093) on Wednesday May 05, 2004 @06:51AM (#9061719)
    Being in the UK myself, I saw this news report on the TV yesterday with a reporter interviewing an employee of the coastguard.

    I really got the impression that the reporter was trying desperately to make this into a dramatic news story whereas the coastguard person was fairly level-headed about it. Even she stated that every employee has a backup laptop that is not connected to the Internet as a contingency plan in just these circumstances. Plus, they can also rely on paper maps if necessary.

    Yes, we all know Windows has security holes (just like any other piece of software) and that Microsoft could do a whole lot more to make their software more secure - however, the fact is that using good firewalling and educating users properly is the best way of stopping 99.9% of all known worms and viruses.

    Microsoft must take some of the blame but so should the salesmen and IT people for possibly not deploying the right platform in the first place and then, post deployment, not ensuring it's secure.

  • by Spoing (152917) on Wednesday May 05, 2004 @07:25AM (#9061848) Homepage
    If you're using Windows, take a page from Linux/*BSD and other *nix hardening;

    If it's not running, it can't be exploited!

    1. Isolate each system and check it before bringing it on the network or exposing it to the Internet (and do the latter rarely).
    2. Do external port scans *without* the use of a firewall to see what might be running that is hidden.
    3. Use dependency checkers when encountering unknown software or libraries. (Under Windows, Dependency Walker is your friend.)
    4. Turn it off and remove it if you don't need it, can't trust it, or it seems suspect.
    5. Find trustworthy software and use that instead; popularity isn't trustworthyness.
    6. Isolate systems at the router; it should be difficult to dammage any machine (misconfigured or not) from most any other random machine.
    7. Your systems should be secure even without a firewall. Are they?
  • Network security? (Score:3, Interesting)

    by JWSmythe (446288) <jwsmythe@jwsm[ ]e.com ['yth' in gap]> on Wednesday May 05, 2004 @07:25AM (#9061851) Homepage Journal
    Not to skip the M$ Bashing, but....

    Shouldn't there be a bit better security in an essential service such as that? Why are people allowed to bring insecure machines in, and plug them into the network? Shouldn't they have 24/7 administration? Shouldn't someone have seen a report about Sasser, and patched their machines? We're not talking about Mom & Pop ISP here, we're talking about a branch of a nations military. Why are people coming in with laptops from home, and being allowed on the same network with an essential infrastructure? Haven't their admins read any books on secure networking? What about firewalls between the essential infrastructure machines, and the compromisable network? The way the story sounds, people take their laptops home, browse the Internet, and come to work and plug in pretty much anywhere. I suppose there's more than one CCSP on staff saying "hey boss, told you so" err, maybe "Sir, remember those security recommendations I made last year? May we implement those now?"

  • monoculture problems (Score:3, Interesting)

    by martin (1336) <maxsec.gmail@com> on Wednesday May 05, 2004 @07:31AM (#9061871) Journal
    Usual problems with sys admins having to patch thousands of machines (yes there are tools out there to help).

    But also caused with the massive MS Windows monoculture (cf market dominance).

    It's times like this that running 3 O/S's at work for the users desktop helps. But then i get stuffed by patching and trying to find tools that cover all my bases....(or run three tools!).
  • Natja (Score:3, Insightful)

    by Graymalkin (13732) * on Wednesday May 05, 2004 @07:40AM (#9061904)
    I would have thought after MSBlaster ripped through the Windows world that people would have learned to keep Windows away from any and all open internet connections. While competent admins ought to keep their systems patched I find it difficult to understand why networks aren't properly firewalled. If you want to be cheap about it you can just have a single firewall at external connections. A little fancier set-up would be transparent packet filters to segment portions of the network from one another. Keeping everything off the network that wasn't intended to be there would nip many of these sorts of worms in the bud.

    I think the bigger issue here is why systems like this, even relatively non-critical ones like the UK Coast Guard's mapping system, are running Windows. I would think that an organization like the CG would be able to get their vendors to develop applications for whatever OS they were running. Agencies set some criteria and contractors meet said criteria. If they were running say Linux I don't think it is far fetched to believe that some contractor would be able to develop the required mapping software for it. The CG might be running COTS software that runs only on Windows but I don't find that likely. I'd welcome an answer however.

    Windows is known to be an extremely insecure system despite Microsoft's claims. While Service Pack 2 might magically fix all sorts of problems it is not available to end-users yet. Those magical fixes don't mean much to the here and now. It looks as if Windows' vulnerabilities are costing companies quite a bit of money and eating into their bottom line. I would have thought by now Windows would be on its way out the door in many organizations since their competition such as it is can do many of the same tasks either cheaper or more reliably.
  • by gruhnj (195230) on Wednesday May 05, 2004 @07:48AM (#9061939)
    From Microsofts Website,

    Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue that was addressed by the security update released on April 13

    I work for the US Army. We knew about this way before the patch came out just by monitoring bugtrack. Less than 72 hours from the bug being confirmed by our service CERT, we firewalled access to this kind of thing. The patch was confirmed for deployment almost 48 hours after the patch became available. If it was not deployed 96 hours after the order, we shut the node down until we can confirm its patched and ready to rejoin the network. The impact of Sasser on our networks? Almost ZERO.

    All of our responce is coordinated by the US Army CERT (ACERT). Where did the British Coast Guard equivelent do? Is there such a thing? This is preventable, especially given the time from patch to exploit. Its not like this sprang up overnight. Even then, dont they have a team that monitors this stuff and has authority to order massive disconnet? It seems that MS is not at fault, the British CG CERT failed them here. If they did try to prevent this, what failed them? Anitvirus? Admins who failed to patch? Lack of informing them downrange?

    SPC Gruhn
    TNOSC-K, Systems Management Branch
    1st SIG BDE
    "First to Communicate!"
  • by ajs318 (655362) <sd_resp2NO@SPAMearthshod.co.uk> on Wednesday May 05, 2004 @08:15AM (#9062116)
    Don't blame the script kiddies for this. They are just kids, after all ..... kids are by nature explorers and experimentalists, and this is pretty much hard-coded into the human firmware.

    It's like placing a coin on a railway track to see what happens to the Queen's face when a train runs over it, and ending up derailing the train ..... an unfortunate consequence, not one that could reasonably have been foreseen by the "perpetrators" {all manner of crap already gets blown around railway lines, what difference does anyone suppose a coin will make?} but one that should have been taken into account by the implementors of the system. If the train makers can't be sure that a coin on the tracks won't derail their trains, then the trains are no good. What if a bird eats a berry, then shits the seed out and it lands on the track and that derails a train? Do you blame the bird? Blame the owner of the hedge the berry was growing on? Or do you blame the person who designed a train so badly that an object on the track would throw it off altogether?


    This is an excellent opportunity to sow seeds of change. Open people's minds to the possibility that there might be an alternative to Windows. Ask questions. Did they know there were vulnerabilities? Well, did they not look at the source code? [the what?] The source code -- you know, the human-readable form of the code that can be examined and modified. What scrutiny did you subject the source code to? [but that's a secret!] What -- you bought a locked box that you knew you weren't going to be allowed to look inside, and you didn't get even the tiniest little bit suspicious that somebody might be trying to hide something from you?

    Every piece of food you buy is clearly labelled with a list of the ingredients. {this was actually used in an anti-drug propaganda advertisement in the mid-1990s, till some bright spark suggested that surely legal drugs would be properly labelled and the problems caused by not knowing what was in pills and powders were merely a side-effect of prohibition}. The analogy between Microsoft and Tom Lehrer's Old Dope Peddler [aol.com] is a strong one. Give out free samples {educational licence discount}, get people hooked {file format lock-in}, watch the little puppets dance to your tune.

    For my part, I have pledged never again to work with Windows, ever. At all. The only repair I will ever again do to a Windows box is to install Linux on it -- barring that, I will simply unplug the power cable, leave it unplugged and consider that an improvement. The time has already come when I would sooner forego a computer altogether than touch Windows.
  • by fsck! (98098) <jacob,elder&gmail,com> on Wednesday May 05, 2004 @10:09AM (#9062977) Homepage
    Yesterday at my local Super Stop & Shop grocery store, all 6 of the self-checkout lanes were down, and all of the human checkout lanes were directing people to the service desk, where one poor woman was hand-imprinting who knows how many hundreds of credit card transactions per hour.

    Why?

    Apparently the system that reads my credit card number around four times a week for the past year has been running unpatched and unfirewalled.

    Coool! Thanks, Stop & Shop IT!

The meta-Turing test counts a thing as intelligent if it seeks to devise and apply Turing tests to objects of its own creation. -- Lew Mammel, Jr.

Working...