Windoze is good for gaming, that's all.
Something as serious as hospital equipment needs a secure, reliable OS. One that has a UNIX basis.
Conficker infected critical hospital equipment
Summary
The Conficker worm infected several hundred machines and critical medical equipment in an undisclosed number of hospitals recently, a security expert said at the RSA Conference.
Topics
SAN FRANCISCO--The Conficker worm infected several hundred machines and critical medical equipment in an undisclosed number of hospitals recently, a security expert said on Thursday in a panel at the RSA security conference.
"It was not widespread, but it raises the awareness of what we would do if there were millions" of computers infected at hospitals or in critical infrastructure locations, Marcus Sachs told CNET News.com after the session. Sachs is the director of the SANS Internet Storm Center and a former White House cybersecurity official.
It is unclear how the devices, which control things like heart monitors and MRI machines, and the PCs got infected, he said. The computers are older machines running Windows NT and Windows 2000 in a local area network that was not supposed to have access to the Internet, however, the network was connected to one that has direct Internet access and so they were infected, he said.
- See also: Conficker's estimated cost? $9.1 billion
- RSA Conference '09: Government's approach to network security [video]
- IT security still has 'perilous gaps of risk'
The situation illustrates the dangers of connecting critical networks, like in hospitals and in SCADA (Supervisory Control and Data Acquisition) systems used by utilities and other critical infrastructure providers, with networks connected to the Internet, he said during the panel "Securing Critical Infrastructures: Infrastructure Exposed."
"We haven't found any nukes yet that are infected with Conficker or that are trying things like Twitter," he quipped. But "that is within the probable as we take shortcuts," he said.
"We're seeing a huge uptick in probing for SCADA systems," said Jerry Dixon, director of analysis and vice president of government relations at research firm Team Cymru. For years, the SCADA systems were separated from the public networks, but that's not the case anymore, he said.
Utilities move to remote access and other Internet-based technologies so workers can have access to the control systems when they are not at the plant and to cut costs, Sachs said. Workers have been known to access control systems using BlackBerrys for no reason other than that they can, he said.
Asked after the panel if cyberattacks had led to any utility outages, Michael Assante, chief security officer of the North American Electrical Reliability Corporation (NERC), said "none in North America."
"There is no evidence of computer compromise that led to a disruption of service," he said. "We're not immune to it; it's not hypothetical."
Government officials maintained that an electricity blackout in 2003 in the northeastern United States was not caused by the Blaster Internet worm that was circulating at the time as was suspected, but officials also were never able to reveal why it happened.
This article was first published on CNET News.
Just In
Well, are you sure your name is not really inActive Man?
As in it is easy to see what part of your anatomy is inactive
As in it is easy to see what part of your anatomy is inactive
I may actually agree with him...
The computers are older machines running Windows NT and Windows 2000 in a local area network that was not supposed to have access to the Internet, however, the network was connected to one that has direct Internet access and so they were infected, he said.
I mean, if you're going to let your systems go that long without patching, updating, apparently without an updated AV engine, AND connected to the internet... you might as well use something that no one wants to exploit, even if they could.
The computers are older machines running Windows NT and Windows 2000 in a local area network that was not supposed to have access to the Internet, however, the network was connected to one that has direct Internet access and so they were infected, he said.
I mean, if you're going to let your systems go that long without patching, updating, apparently without an updated AV engine, AND connected to the internet... you might as well use something that no one wants to exploit, even if they could.
Would you care to debate? But please be more specific.
It's the same old story
Same old song and dannnnnnce, my friend
It's the same old story
Same old story
Same old song and daaaaannnnnce yeah yeah
Same old song and dannnnnnce, my friend
It's the same old story
Same old story
Same old song and daaaaannnnnce yeah yeah
put a *nix on them. That would have only been a viable option should the software running on them could be ported over to linux or unix.
At the very least they should have upgraded the computers to XP, if they could handle it, if not replaced them all together.
I don't even run an OS that is no longer supported and patched by the Manufacturer. So in this case running NT, I would have upgraded them, and kept Current AV on them. Doesn't much matter if you're not connected to the net, if people are jacking disks and jump drives into the machine, at some point some one is going to bring something in.
At the very least they should have upgraded the computers to XP, if they could handle it, if not replaced them all together.
I don't even run an OS that is no longer supported and patched by the Manufacturer. So in this case running NT, I would have upgraded them, and kept Current AV on them. Doesn't much matter if you're not connected to the net, if people are jacking disks and jump drives into the machine, at some point some one is going to bring something in.
It is so secure, stable and a great investment, meanwhile
in reality people's lives were at risk and look who is
to blame MS!
NO reason why a company cannot ditch this software and
MS Clowns for a real IT Solution Open_Source and
REAL Systems people...
Not the 'point & clickers'....
in reality people's lives were at risk and look who is
to blame MS!
NO reason why a company cannot ditch this software and
MS Clowns for a real IT Solution Open_Source and
REAL Systems people...
Not the 'point & clickers'....
As the worm used a vulnerability is Windows OS
to infect it.
So, is your position that every vendor is
responsible for the consequences if there are
bugs/vulnerabilities in their software?
If so, which OS are we supposed to run? OS X
has 3 times more vulnerabilities than Vista.
Linux kernel - without any apps or added
distro crap - has 2 times as many
vulnerabilities! Sustained over the last 3
years, at least! So what are we to do?
Windows Vista is *the* operating system with
most mechanisms in place to protect users
against exploits in MS and 3rd party software.
Linux has only limited protections which are
switched off in most distros anyway. OSX has
next to none. Should Microsoft learn from them?
Or should we blame someone who ran a 10 year
old OS without patching AND let the machines
connect to the Internet?
to infect it.
So, is your position that every vendor is
responsible for the consequences if there are
bugs/vulnerabilities in their software?
If so, which OS are we supposed to run? OS X
has 3 times more vulnerabilities than Vista.
Linux kernel - without any apps or added
distro crap - has 2 times as many
vulnerabilities! Sustained over the last 3
years, at least! So what are we to do?
Windows Vista is *the* operating system with
most mechanisms in place to protect users
against exploits in MS and 3rd party software.
Linux has only limited protections which are
switched off in most distros anyway. OSX has
next to none. Should Microsoft learn from them?
Or should we blame someone who ran a 10 year
old OS without patching AND let the machines
connect to the Internet?
It is so secure, stable and a great investment, meanwhile in reality people's lives were at risk and look who is to blame MS!
No, the person(s) to blame are the scum who are responsible for creating Conficker.
No, the person(s) to blame are the scum who are responsible for creating Conficker.
They don't care who makes the operating system. Wherever they can make the most money is where they will strike. No matter who is in control the scum will always be there to make our lives more difficult.
Many others in that ecosystem make a living exploiting users in more legal ways. I find their actions questionable too.
You need to GET real. The hospital IT administrators should be HUNG for gross negligence.
Leaving obsolete, unpatched systems running medical equipment should be a crimial offense -- REGARDLESS of the operating system.
Unfortunately, there are just as many idiots running unpatched and insecure Linux systems -- check the number of open relays available to spammers to get a clue.
Leaving obsolete, unpatched systems running medical equipment should be a crimial offense -- REGARDLESS of the operating system.
Unfortunately, there are just as many idiots running unpatched and insecure Linux systems -- check the number of open relays available to spammers to get a clue.
And forgot to hire non medical personnel to take care of their troublesome windows machines.
Perhaps they thought that the new imaging system was more important than replacing their well fnctioning machines only to adopt microsoft's latest and greatest for no reason.
Have you thought about it?
Perhaps they thought that the new imaging system was more important than replacing their well fnctioning machines only to adopt microsoft's latest and greatest for no reason.
Have you thought about it?
Or maybe updating the OS on any particularly machine would render it inoperable.
In the business I'm in, we have a some machines that run Windows NT and some that run Windows 2000 and there is nothing we can do about it at this time. We can't upgrade the OS because it will break the software. And we could upgrade the software, but the new software don't work with the old machines. If you happen to have a half million dollars per machine you can gives us, we would be happy to upgrade to the latest MS OS. I'm sure hospitals are in a similar situation.
In the business I'm in, we have a some machines that run Windows NT and some that run Windows 2000 and there is nothing we can do about it at this time. We can't upgrade the OS because it will break the software. And we could upgrade the software, but the new software don't work with the old machines. If you happen to have a half million dollars per machine you can gives us, we would be happy to upgrade to the latest MS OS. I'm sure hospitals are in a similar situation.
However most people on the M$ camp think you are stupid (I strongly disagree) because you haven't upgraded to M$'s latest and greatest and should malware pose you problems that is your (the user) fault and only your fault.
I understand very well why you are not on Linux. 10 years ago Linux wasn't the viable (superior) alternative that it is today. Those who started using windows back then did it for a reason. Those who do it today do it because of their failure to stay up to date with technology. Most would call them INCOMPETENT.
I understand very well why you are not on Linux. 10 years ago Linux wasn't the viable (superior) alternative that it is today. Those who started using windows back then did it for a reason. Those who do it today do it because of their failure to stay up to date with technology. Most would call them INCOMPETENT.
I agree.
BTW this...
"If you happen to have a half million dollars per machine you can gives us, we would be happy to upgrade to the latest MS OS."
was meant for Marty R. Milette not you. I should have been more clear.
BTW this...
"If you happen to have a half million dollars per machine you can gives us, we would be happy to upgrade to the latest MS OS."
was meant for Marty R. Milette not you. I should have been more clear.
are not a security breach. An exploitable annoyance, yes, but not much more susceptible to a Denial-of-Service attack than a ping-storm or any other overwhelming network traffic thrown at the IP address (even silently dropping packets to non-open ports uses CPU cycles).
Maybe that is the key word, "THINK"?
In critical systems the OS and applications must be locked down and not modifiable.
I know nobody though of this in the ancient NT era.
I don't know why this is STILL not easily do-able in Vista.
In critical systems the OS and applications must be locked down and not modifiable.
I know nobody though of this in the ancient NT era.
I don't know why this is STILL not easily do-able in Vista.
The problem is the lack of skilled network managers. Entities pull stooges off the street and put them in critical positions. They usually don't want to pay for network managers. And thus they get what they pay for.
The OS is not the problem. It is the management or lack thereof that is the problem.
The OS is not the problem. It is the management or lack thereof that is the problem.
Windows SteadyState: http://www.microsoft.com/windows/products/winfa
mily/sharedaccess/default.mspx
Can completely lock down a computer. It
can be set to revert changes for selected
drives (harddisks or partitions) on every boot
but still install patches. And a wealth of more
features such as only allowing whitelisted
programs etc.
And it's free.
mily/sharedaccess/default.mspx
Can completely lock down a computer. It
can be set to revert changes for selected
drives (harddisks or partitions) on every boot
but still install patches. And a wealth of more
features such as only allowing whitelisted
programs etc.
And it's free.
until you have an app (which includes even MS office as late as 2006) which absolutely will not run properly without the user running as Admin.
The IT departments should be fired and replaced with people that truly know how to manage a network. Unfortunately there are truly very few people that are really qualified to manage such networks. IT skills are sorely lacking in this country. Most IT departments are made up of "wanna' be's".
It is time for accountability, if an automaker
builds a car that catches fire in a crash,
they are SUED for it and held accountable.
This is ridiculous, everyone blames some system
admin it is the fault of the people who purchase
this software and go with a MS solution.
You can't tell me in this day and age, software
cannot be written to be ran on other platforms.
It is time to get rid of these road blocks of
securing infrastructure and go Open_Source where
problems are fixed and excuses blaming everyone
but these Windows advocates.
This puts peoples lives at risk, all because
someone wants fancy screensaves and pretty
icons.
It is time for REAL solutions not mickey mouse,
software with holes all in it that spends more
time being infected than actually used.
builds a car that catches fire in a crash,
they are SUED for it and held accountable.
This is ridiculous, everyone blames some system
admin it is the fault of the people who purchase
this software and go with a MS solution.
You can't tell me in this day and age, software
cannot be written to be ran on other platforms.
It is time to get rid of these road blocks of
securing infrastructure and go Open_Source where
problems are fixed and excuses blaming everyone
but these Windows advocates.
This puts peoples lives at risk, all because
someone wants fancy screensaves and pretty
icons.
It is time for REAL solutions not mickey mouse,
software with holes all in it that spends more
time being infected than actually used.
There's bugs in all software. Even OSX and Linux. As soon as people start getting sued for bugs, the dynamics of the industry will change drastically, and I'm not sure it will trend for higher quality software.
also Linux (Lexus) and windows (Model T) have their bugs, that's a fact of life.
I must agree with you on that!
I must agree with you on that!
for Linux's twice as many vulnerabilities as Vista? Torvalds? Red Hat?
If Shuttleworth was sued for Ubuntu vulnerabilities He'd soon go bust, and then what? He chose to distribute. He pay. Ubuntu has accumulated a staggering 1200 VULNERABILITIES in the Vista timeframe.
Should Apple be sued for their triple number of vulnerabilities. Not counting their buggy apps?
If Shuttleworth was sued for Ubuntu vulnerabilities He'd soon go bust, and then what? He chose to distribute. He pay. Ubuntu has accumulated a staggering 1200 VULNERABILITIES in the Vista timeframe.
Should Apple be sued for their triple number of vulnerabilities. Not counting their buggy apps?
State your sources, I want to investigate that.
then discount everything you never bothered to read because it wasn't written by you? Then again I forgot, you don't need to read anything. You are a psychic/medium always speaking for a dead man.
Secunia:
http://secunia.com/advisories/product/10611/
Ubuntu at 1146 vulnerabilities and still counting. These vulnerabilities are for the OS and bundled software which (because Canonical distributes it) becomes their responsibility per the above logic.
IBM:
http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf
A report of vulnerabilities through 2008. Look under most vulnerable operating systems . The 2 at the top are OSX and OSX server. 3x the vulns of Vista.
Linux comes in at a mere 2x Vista. Note that it is Linux kernel i.e. just the bare bones Linux without any distro added software.
Microsoft has clearly upped the ante on security with SDL (Secure Development Lifecycle). Windows is also the OS with most and more complete exploit prevention techniques. Some Linux distros have some protections (although not 32bit Ubuntu). Mac OS X has virtually NONE.
http://secunia.com/advisories/product/10611/
Ubuntu at 1146 vulnerabilities and still counting. These vulnerabilities are for the OS and bundled software which (because Canonical distributes it) becomes their responsibility per the above logic.
IBM:
http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf
A report of vulnerabilities through 2008. Look under most vulnerable operating systems . The 2 at the top are OSX and OSX server. 3x the vulns of Vista.
Linux comes in at a mere 2x Vista. Note that it is Linux kernel i.e. just the bare bones Linux without any distro added software.
Microsoft has clearly upped the ante on security with SDL (Secure Development Lifecycle). Windows is also the OS with most and more complete exploit prevention techniques. Some Linux distros have some protections (although not 32bit Ubuntu). Mac OS X has virtually NONE.
That's from three (3) years ago, all very minor, all solved eons ago.
January 2009
Just goes to show you can't channel dead people all of the time.
Just goes to show you can't channel dead people all of the time.
Linux disto's power the Internet Backbone period.
Nice try from the jealous Windows user, you can't
argue with MS advocates.
The truth is there, they have to come out of the
fog to see the real facts.
Nice try from the jealous Windows user, you can't
argue with MS advocates.
The truth is there, they have to come out of the
fog to see the real facts.
"That's from three (3) years ago, all very minor, all solved eons ago"
No, it has been like that for the past three (3) years! Every year Linux has more vulnerabilities, every year OS X takes the crown of most vulnerable OS.
Not three years ago. For the past three years. Got that?
And you still didn't answer: If somebody takes advantage of any of those 1200 vulnerabilities, will Shuttleworth pay the damages? Should he?
Even if somebody runs an outdated Ubuntu and hasn't patched, should Shuttleworth still be liable?
No, it has been like that for the past three (3) years! Every year Linux has more vulnerabilities, every year OS X takes the crown of most vulnerable OS.
Not three years ago. For the past three years. Got that?
And you still didn't answer: If somebody takes advantage of any of those 1200 vulnerabilities, will Shuttleworth pay the damages? Should he?
Even if somebody runs an outdated Ubuntu and hasn't patched, should Shuttleworth still be liable?
I'm asking for just one, a single one.
As long as you don't show them here I will be calling you a liar.
As long as you don't show them here I will be calling you a liar.
Should Shuttleworth pay for any damages caused by his 1100+ vulnerability project?
If a user neglects to patch, is Shuttleworth still liable for damages caused by the bug?
If a user neglects to patch, is Shuttleworth still liable for damages caused by the bug?
Ask a lawyer.
Each and every vulnerability for every other product Microsoft currently offers. Oh, and in case you hadn't noticed it yet, Microsoft's internal bug lists for its products dwarfs anything known by the average "man in the street."
The comparison of bugs seen in FOSS where the code (warts and all) is available to a closed source variation has never been all that valid. The closest thing to a fair comparison done a few years ago indicates the bug rate of Microsoft's code was way higher than that of FOSS.
Never mind, if you want to believe something else then go right on believing it.
The comparison of bugs seen in FOSS where the code (warts and all) is available to a closed source variation has never been all that valid. The closest thing to a fair comparison done a few years ago indicates the bug rate of Microsoft's code was way higher than that of FOSS.
Never mind, if you want to believe something else then go right on believing it.
First off, I want to mention to the guy who claims that Linux powers the ENTIRE Internet backbone. That is utterly FALSE. While it is true that Linux still powers MOST of the Internet, the word ALL, in almost any statement, pretty much guarantees that the statement is false, and that statement is not the exception to the rule. Now, the only thing I have to say about this post is that this should be illegal. If medical equipment, responsible for the lives of those who depend on it, and in a position where there are high risks if the equipment doesn't work right, should be required to be maintained in a public record, and the hospitals who are infected with this, or any worm, virus, or other security threat, or harmful program of any kind, should be required to report to the general public such infections, since it is the general public who they serve. If I were to be in a hospital for something, and found out that their equipment failed, due to an "undisclosed" piece of malicious software, I would sue that hospital for every penny to their name, and a few million extra. That is utterly ridiculous. Anyone who accepts that this was not made public, and all details were not disclosed, should be ashamed, and will hopefully not learn a lesson the hard way by having a family member or friend lose their life, or be crippled, by such an incident.
--Master Joe
--Master Joe
Interesting little read, with one little flaw: We DO know the cause of the 2003 blackout in the Midwest. It had nothing to do with the BLASTER worm then in the field, but the finding was that overheated lines going to one Ohio community sagged in the early summer heat, shorted out, and caused automatic load-balancing software on both sides of the fault to try and switch the load to the OTHER SIDE of the break -- causing a catastrophic overload that circled Lake Erie in seconds and caused every utility for 500 miles to overload and shut down.
This was in fact reported within days of the fault. It was hard to miss, once the pieces were sorted out, but there was a lot of finger-pointing in both the US and Canada about who was to blame and who should be responsible for making sure this doesn't happen again. So far as I know, no permanent solution was ever put in place. Wonder how low those Ohio wires will get THIS summer.
This was in fact reported within days of the fault. It was hard to miss, once the pieces were sorted out, but there was a lot of finger-pointing in both the US and Canada about who was to blame and who should be responsible for making sure this doesn't happen again. So far as I know, no permanent solution was ever put in place. Wonder how low those Ohio wires will get THIS summer.
that medical equipment designers would use a general purpose operating system, particularly MS Windows with its known vulnerability to these sorts of attacks, for critical equipment on which people's lives depend. Any Unix variant is most unlikely to suffer this sort of fate, and can be easily cut down and adapted to make the attack surface smaller.
That's where the blame is to be directed. There are rigorous regulations governing the design of medical equipment. How did this sort of thing get through?
That's where the blame is to be directed. There are rigorous regulations governing the design of medical equipment. How did this sort of thing get through?
And the first question I will as is what OS the
machines are using. If it's Windows I'll be a
gentleman and lot someone else go first.
machines are using. If it's Windows I'll be a
gentleman and lot someone else go first.
Join the conversation!
The best of ZDNet, delivered
ZDNet Newsletters
Get the best of ZDNet delivered straight to your inbox
Vendor Showcase
