Northeast Grid outages "may" have been caused by MSBlaster worm...

by reporter, 14 Replies

  • reporter
  • drwtsn32

    Yeah, and monkeys "may" be flying out of my arse.

  • reporter
  • Scully

    It "may" not have posted the second time too.

    Love, Scully

  • reporter

    Take this with a grain of salt, of course, but here's an article between two techies bantering on BugTraq on a CNN story reporting that the power outage may have been caused by a variant of MSBlaster...

    http://www.securityfocus.com/archive/1/333505

    To: BugTraq
    Subject: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm'
    Date: Aug 15 2003 6:09PM
    Author: Bernie, CTA <cta hcsin net>
    Message-ID: <[email protected]>
    In-Reply-To: <[email protected]>
    It is ridiculous to accept that a lightning strike could knock 
    out the grid, or the transmission system is over stressed. There
    are many redundant fault, limit and Voltage-Surge Protection
    safeguards and related instrumentation and switchgear installed
    at the distribution centers and sub stations along the Power
    Grid that would have tripped to prevent or otherwise divert such
    a major outage.

    I believe that the outage was caused by the MSblaster, or its
    mutation, which was besieged upon the respective vulnerability
    in certain control and monitoring systems (SCADA and otherwise)
    running MS 2000 or XP, located at different points along the Grid.
    Some of these systems are accessible via the Internet, while
    others are accessible by POTS dialup, or private Frame relay and
    dedicated connectivity.

    Being an old PLC automation and control hack let me say that
    there is a very good plausibility that the recent East Coast
    power outage was due to an attack by an MBlaster variant on the
    SCADA system at the power plant master terminal, or more likely
    at several of the remote terminal units "RTU". SCADA runs under
    Win2000 / XP and the telemetry to the RTU is accessible via the
    Internet.

    From what I recall SCADA based monitoring and control systems
    were installed at many water / sewer processing, gas and oil
    processing, and hydro-electric plants.

    I also believe that yesterday's flooding of a generator sub-facility
    in Philadelphia was also due to an MBlaster variant attack on the
    SCADA or similarly Win 2000 / XP based system.

    To make things worse, the Web Interface is MS ActiveX. Now let's
    see, how can one craft an ActiveX vuln vector into the blaster?

    Oh, and for the wardrivers, SCADA can be accessed via wireless
    connections on the road? Puts a new perspective on sniffing
    around sewer plants.

    It is also reasonable to assume that we could have a similar
    security threat regarding those systems (SCADA and otherwise
    based on MS 2000 or XP) involved in the control, data
    acquisition, and maintenance of other critical infrastructure,
    such as inter/intra state GAS Distribution, Nuclear Plant
    Monitoring, Water and Sewer Processing, and city Traffic
    Control. IMO

    I think we will see a lot of finger pointing by government
    agencies, Utilities, and politicians for the Grid outage, until
    someone confesses to the security dilemma and vulnerabilities in
    the systems which are involved in running this critical
    infrastructure.

    Regardless of whether the Grid outage can be attributed to the
    blaster or its variant, this is not entirely a Microsoft
    problem, as it reeks of poor System Security Engineering
    practiced by the Utility Companies, and associated equipment and
    technology suppliers.

    Nonetheless, the incident will cause lots of money to be
    earmarked by the US and Canadian Governments, to be spent in an
    attempt to solve the problem, or more specifically calm the
    public.

    This incident should be fully investigated, and regulations
    passed to ensure that the Utility companies and their suppliers
    develop and implement proper safeguards that will help prevent
    or at least significantly mitigate the effects of such a
    catastrophe.

    Conversely, I do not want to see our Government directly
    involved in yet another "business", which has such a controlling
    impact over our individual lives.

    On 14 Aug 2003 at 15:18, Geoff Shively wrote:

    > Just flipped on CNN, watching the masses snake through the
    > streets of Manhattan as correspondents state that this could be
    > an effect of the blaster worm.
    >
    > Interesting but I don't see how a worm of this magnitude
    > (smaller than that of Slammer/Sapphire and others) could
    > influence DCS and SCADA systems around the US, particularly just
    > in the North East.
    >
    > Thoughts?
    >
    >
    > Cheers,
    >
    > Geoff Shively, CHO
    > PivX Solutions, LLC
    >
    ****************************************************
    Bernie
    Chief Technology Architect
    Chief Security Officer
    cta hcsin net
    Euclidean Systems, Inc.
    *******************************************************
    // "There is no expedient to which a man will not go
    // to avoid the pure labor of honest thinking."
    // Honest thought, the real business capital.
    // Observe> Think> Plan> Think> Do> Think>
    *******************************************************

  • reporter

    Simon, there's a problem with the page embed code here. In fact, all the reply and topic posting shows "Done, but with errors on page" on the bottom bar, even before typing or posting anything.

  • drwtsn32

    Perhaps some of the control systems are running 2000 or XP, but why would those machines ever be connected to the public Internet? Also, this power failure is almost exactly like the same failure that happened in 1965. http://www.cmpco.com/about/system/blackout.html I don't believe Windows '65 had this vulnerability.

  • reporter

    > Also, this power failure is almost exactly like the same failure that happened in 1965.

    True enough.

    > Perhaps some of the control systems are running 2000 or XP, but why would those machines ever be connected to the public Internet?

    He says so, in these two paragraphs...

    > Being an old PLC automation and control hack let me say that
    > there is a very good plausibility that the recent East Coast
    > power outage was due to an attack by an MBlaster variant on the
    > SCADA system at the power plant master terminal, or more likely
    > at several of the remote terminal units "RTU". SCADA runs under
    > Win2000 / XP and the telemetry to the RTU is accessible via the
    > Internet.
    >
    > From what I recall SCADA based monitoring and control systems
    > were installed at many water / sewer processing, gas and oil
    > processing, and hydro-electric plants.

    The "telemetry to the remote terminal units" is accessible via the Internet. Why? That's a good question. Obviously, the administrators want convenient access. But, as in all these types of situations, we trade security for convenience. That's not a good tradeoff.

  • Nathan Natas

    Win65... I think I have that on 5 1/4" floppies in the basement somewhere... didn't it come with a web enabled version of PONG?

    I agree with Doc. The most effective firewall is this: no connection to the internet. Any sysop that would not raise holy hell over the issue of permitting an internal process control computer to also function as a web portal deserves to be night manager at Taco Bell.

    I believe that upon close examination, "LightningStrike '03" will be shown to be virtually indistinguishable from "LightningStrike '65". That "technology" has not changed much in billions and billions of years.

    "Would you like some of our green border sauce with your Super Grande Juevos Supreme Nachos?"

  • drwtsn32

    Ok, I am aware that some utilities will utilize the Internet, but no one in their right mind would ever set this up without some sort of security (VPN, encryption, authentication, etc). In addition, this blaster worm really only causes the machine to reboot. I can't imagine someone would use a consumer operating system for such critical equipment if simply rebooting the computer would cause an outage.

    Sorry, but I don't think it's very plausible at all.
