
RE: [Full-Disclosure] Blackout responsibility?





> -----Original Message-----
> 
> ....and if blaster actually *did* have something to do with the blackout,
> what are the chances that the company officials will give the real reason?
> i mean, they would be lucky that a relatively benign worm got to their
> systems.  it could have been far worse.


A natural thought, however the odds are against such a cover up in the
long run, because what Ben Franklin said is generally correct:

"Three can keep a secret, if two of them are dead"

The other probability going against this is that utility companies are
not military or intelligence organizations where they might have
experience in keeping secrets. 

The only probability working for this, I would guess, is that if a
utility worker did discover this to be the case... They might not be
believed. Unless they had hard evidence beyond just their own word.

But, mechanically, of course, the strongest probabilities are against
that the worm caused this damage. There are many things far more likely
to have caused this damage and not the blaster nor the variants I have
seen do anything which is extraordinary for worms to do. 

You are right, they are lucky, and I am sure that many of their systems
did get infected. Such institutions generally have been found in the
past to be poorly equipped to handle their own infrastructure security.
Code Red, Slammer, Blaster... All have exploited wide open holes, they
have all been relatively benign compared to previous worms such as CIH
(which may be classified as a worm because it did rather effectively
spread through file transfers)... Further, while the DDoS timed fuse
concept is a potentially dangerous one for a worm, both Code Red and
Blaster have been too loud to really pull it off well... And in their
exposure, they left a wake of patched systems, which prevented a worm
with a far more malicious and stealthy payload from appearing.

This probability remains rather high for future vulnerabilities of this
nature (not too high, but a bit). This is because really simple
relatively benign worms are more common, and therefore have a higher
probability of appearing first. 

Personally, I think one of the worst worms has been Sircam which would
take confidential information and send it out to the world... But, worms
like CIH (and numerous other destructive worms, some of which 29a has
pioneered) have shown that the power companies, and indeed, the world,
have been quite lucky. (ref:
http://news.spamcop.net/pipermail/spamcop-list/2001-July/016840.html )






_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html