16 March 2009

Incredible incompetency

[Disclaimer: This article is based only on information available through the Norwegian media (hence the links in Norwegian). Its accuracy is limited to their accuracy combined with my personal understanding of the matter.]

On Thursday the 12th of March, more than 1000 computers belonging to the Norwegian police were infected by the computer worm Conficker.

Stop and think! Self-updating, remote controllable, known to be malicious code running on the police’s computers. Maybe they were all innocent workstations with no important information?

I’m afraid not. According to reports, the systems for the daily operations of the police departments were unavailable. Passports could not be issued. Border controls could not check visitors’ passports against their registries. The unavailability of these services is bad enough, but it also means that the malicious code running on their computers had open access to information about criminal cases, filings, citizen databases, etc.

So, how did this happen?

The Conficker worm spreads by exploiting a buffer overflow vulnerability present in most versions of the Windows operating system. This vulnerability was fixed in a critical patch released by Microsoft on the 23rd of October 2008.

Why didn’t the police install this patch on their computers? They host their system on Windows NT 4.0. This is an operating system released by Microsoft in 1996, whose last available support agreement was terminated in 2004. By the end of that year, Microsoft had stopped fixing known security vulnerabilities in the OS and had stopped testing it against new ones.

Running NT 4.0 in 2009 is stupid. Using it for hosting operational systems with extremely confidential data and high availability demands is neglect.

So, how did they handle this crisis? Did they shut down all systems with a suspected infection, wipe their hard drives and reinstall from a fresh image in which the vulnerable service had been patched?

According to the press, the worm continued spreading today and has made systems respond slowly. Espen Strai from Politiets data- og materielltjeneste (PDMT) [The police service for data and equipment] has explained that “the challenge is to shut down the infected PCs and run antivirus programs while the system is still running”.

You cannot trust a computer once it has executed malware. The only reliable way to clean it is to wipe the drive and reinstall from an image that is known to be clean.
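To make the remediation logic concrete, here is a small triage script written for this post as an added example; it is not code from the police, PDMT or any vendor. It encodes the rules argued above: a host that has run the worm is rebuilt from a clean image rather than scanned in place, a host on an OS past its end of support cannot be patched and has to be migrated, and a clean but unpatched host is isolated and patched. The inventory records, the "Windows XP SP3" label and the infection flags are constructed sample data; the end-of-support date for NT 4.0 follows the post (end of 2004), and the patch identifier MS08-067 is the bulletin number of Microsoft’s 23 October 2008 fix.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Reference data for the example (assumptions maintained by the defender).
# NT 4.0's last support ended at the end of 2004, as the post states.
END_OF_SUPPORT = {
    "Windows NT 4.0": date(2004, 12, 31),
}
# The critical fix Microsoft released on 23 October 2008 (bulletin MS08-067).
REQUIRED_PATCH = "MS08-067"
INCIDENT_DATE = date(2009, 3, 12)

ACTION_REBUILD = "isolate, rebuild on a supported OS from a clean image"
ACTION_REIMAGE = "isolate, wipe and reinstall from a patched clean image"
ACTION_MIGRATE = "unpatchable: migrate to a supported OS before the worm reaches it"
ACTION_PATCH = "isolate from the infected segment and apply the patch"
ACTION_OK = "no action"


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    patches: frozenset
    infected: bool  # set from an AV alert or scanner hit (constructed flag)


def unsupported(host, today=INCIDENT_DATE):
    """True when the vendor no longer ships fixes for this host's OS."""
    eos = END_OF_SUPPORT.get(host.os)
    return eos is not None and eos < today


def classify(host, today=INCIDENT_DATE):
    """Decide the remediation action for one host.

    A host that has executed the worm is untrusted: running antivirus on the
    live system is not an option, only a wipe and reinstall is. Whether the
    rebuild can reuse the current OS depends on whether it is still supported.
    """
    if host.infected:
        return ACTION_REBUILD if unsupported(host, today) else ACTION_REIMAGE
    if unsupported(host, today):
        return ACTION_MIGRATE
    if REQUIRED_PATCH not in host.patches:
        return ACTION_PATCH
    return ACTION_OK


def triage(hosts, today=INCIDENT_DATE):
    """Group an inventory by action; returns {action: sorted host names}."""
    plan = defaultdict(list)
    for host in hosts:
        plan[classify(host, today)].append(host.name)
    return {action: sorted(names) for action, names in plan.items()}


# Constructed sample inventory, not real hostnames.
SAMPLE_HOSTS = [
    Host("passport-01", "Windows NT 4.0", frozenset(), infected=True),
    Host("border-07", "Windows NT 4.0", frozenset(), infected=False),
    Host("ws-112", "Windows XP SP3", frozenset(), infected=True),
    Host("ws-113", "Windows XP SP3", frozenset(), infected=False),
    Host("ws-114", "Windows XP SP3", frozenset({"MS08-067"}), infected=False),
]

if __name__ == "__main__":
    for action, names in triage(SAMPLE_HOSTS).items():
        print(f"{action}: {', '.join(names)}")
```

The point of the `unsupported` check is that an end-of-support OS never reaches the "apply the patch" branch: there is no patch to apply, so the only remediation that removes the exposure is migration, and for an already infected host a rebuild on a supported OS.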

I don’t know the complete picture behind this story, nor have I read all of the vast amount of information available in the press. But it is clear that this is a serious case of neglect, and I personally hope that criminal charges will be filed against those responsible for keeping this fundamentally insecure and antiquated system alive.