Houston Courts Shut Down By Malware

Conficker is still at it: dstates writes "The municipal courts of Houston were shut down yesterday after a computer virus spread through the courts' computer systems. The shutdown canceled hearings and suspended arrests for minor offenses and is expected to extend through Monday. The disruption affected many city departments, the Houston Emergency Center was briefly disconnected and police temporarily stopped making some arrests for minor offenses. The infection appears to be contained to 475 of the city's more than 16,000 computers, but officials are still investigating. Gray Hat Research, a technology security company, has been brought in on an emergency contract to eradicate the infection. In 2006, the City spent $10M to install a new computer system and bring the Courts online, but the system has been beset by multiple problems. After threatening litigation, the city reached a $5 million settlement with the original vendor, Maximus, and may seek another vendor."

no arrests for minor offenses!

[Anonymous Coward]

is smoking weed a minor offense in Houston?

Freedom from ridiculous laws

[Anonymous Coward]

suspended arrests for minor offenses and is expected to extend through Monday

Wow, so for all of 2-3 days, Americans living in Houston can actually live without fear of being arrested for things that we shouldn't be paying law enforcement tax payers' money to enforce? Hurry up and smoke your marijuana, Texans! Quick now, before the law gets back on its feet and decides to poke its head into your private, personal business.

MS Monoculture

[NtroP]

The monoculture strikes again! My heart is bleeding peanut-butter right now. Having all your eggs in one basket (especially Microsoft's) is never a good idea.

Re:Oops

[Z00L00K]

Especially since today almost every computer is delivered with autorun enabled.

We have seen far too many malicious attacks due to the fact that someone thought that it has to be "user friendly". But some of that user friendliness is just plain annoying and raises the blood pressure. Just because I have a few pictures on my stick doesn't mean that I want to view them every time I stick it in.

The problem is that "user friendly" often means "attack friendly".

Which OS was infested? I bet I can guess.

[StuartHankins]

I wonder, what operating system(s) were compromised by this infection?

Could it be -- say it isn't -- yet another outbreak of infestations on Windows machines?

If people haven't learned by this point not to trust Windows machines with anything critical, they deserve what they get. It's no longer a matter of ignorance as these things have been widely documented for decades.

Re:Easy fix to this. Use OS X.

[iammani]

Social engineering can work on *any* OS (even the OS certified by NSA) . It is the user that needs to fixed.

Re:Oops

[INT_QRK]

This may seem a little orthogonal. However, the municipal court system is the core instrument of government power to the average citizen. So, how does it ensure that a vendor doesn't place itself in a position to now "own" the court's IT, able to covertly violate confidentiality, integrity and availability of critical court records at will? Thinks of how a well-resourced entity like a drug cartel might have incentives to subvert a court system, becoming, in essence, an "insider" to the system. Certainly at the federal level agencies like the DoD, for example, also use private vendors (albeit highly vetted), but they also conduct extensive in-house testing throughout development and across the life cycle through via certification and accreditation regimes (e.g., DIACAP: http://en.wikipedia.org/wiki/DIACAP [wikipedia.org]). Municipalities lack such resources and are at the mercy to a "low bidder," esecially one that doesn't need to turn a profit from the primary customer but is able to offset that in spades by secondary and tertiary "silent partner" customers. Should we consider, perhaps extending federal IT resources down to local levels?

Inside Job!

[Darkk]

They can have the best firewalls and anti-virus e-mail scanner on the planet but it takes ONE person with an infected laptop to plug it into the internal network and do it's dirty work without them knowing it in time.

It's possible they have been infected for months and didn't know it until things started to act funny.

To have that many PCs infected didn't surprise me as they didn't bother to take proper security precautions and audits. System admins didn't routinely check for viruses on their servers and didn't check their logs for anything out of the ordinary is asking for trouble.

I guess the system admins there figured, "Well, long as nobody is complaining about anything we're golden." It's possible they have a very small IT staff and outsource the security details to the vendor who they bought the system from who they are putting the blame on?

We have a security firewall appliance at work that does just about everything but I don't rely on it 100% to make sure it's doing it's job. I go through the logs daily and test it. Just have to be proactive on finding problems and fix it before anybody else notices it.

Re:Oops

[John Hasler]

After all, look at what a superb record the Federal agencies themselves have established.

No, thanks. All the necessary standards and information are already public. Centralization doesn't scale.

Re:Dear Houston,

[Faylone]

You never need it. NEVER.

Re:Cool

[techno-vampire]

But then there's all the other installation methods including RPC.

If you're going to roll out a large-scale installation, you do the install on one box, get everything tweaked just the way you need it, then ghost it to the rest of the boxes. I'd think it was clear by now that turning off autorun should be one of the tweaks you do by reflex before ghosting.

Re:Inside Job!

[Darkness404]

Yes, thats true and a good sysadmin should be checking the logs, but reporting threats that aren't a major issue can make a computer-illiterate CEO think that it was your fault for the security breaches, a major outbreak of malware though is very easy to blame on "hackers", "pirates" and anything else you want to lay the blame on.

Re:City Employees Surfing at Work

[Darkness404]

Ok, so if these computers were used solely for official business, there wouldn't be this big of an issue. Lower paid workers tend not to have computers or internet at home, so they use work systems for "surfing." No internet access and email should only be via highly filtered webmail. USB, DVD drives and floppies locked off with zero access.

I can see this being a major no-go with the employees. What happens when they need to legitimately look up something on the web for their job? No CDs or USB drives can also be a major problem, what happens when the e-mail server is down for maintenance and someone needs to send a file? Etc.

The most logical solution would be Linux. Sure, no system is 100% secure, but show me a single major virus/worm outbreak on Linux that an ordinary (as in, not administrator) would be able to be infected with. The fact is, for all intents and purposes, Linux is ultra-secure, the virus in your inbox isn't going to run on it normally (now, if you wanted to run it in WINE, recompile it, etc it might) nor is plugging in an infected USB drive going to do anything. Yes, user error on Linux does occur, but unless the secretary is constantly in the Terminal, theres not much she can really mess up even if she desperately wants a puppy screensaver and the Simpsons as her mouse cursor.

Yes, some might say that Linux doesn't have all the business stuff yet, however, this being the government and being paid with by our tax dollars, surely they can use some of that 700 billion stimulus package to pay some coders to write what they want (and then of course release the source). But seriously, this would not have happened if Houston had been using Linux as the OS of choice.