Indeed. Which department of 'management level' deserves this is another question, but somewhere, someone (probably C-level) decided that it wasn't important enough and now got bit by it.
I'm pretty sure someone else will get the blame for it, for about 6 months 'improvements' will be made, and next year, we're going to see something like this just repeat itself.
We all know dozens if not hundreds of engineers were very well aware of the vulnerability and even brought it to management attention multiple times to basically he told to f-off since it wasn't costing the company any money.
Meanwhile those managers collect ludicrous bonuses.
Even then - it was the thief who stole it who was "to blame".
I've walked past plenty of open doors, topless convertibles, unattended bicycles - without being compelled to steal anything.
To push the analogy too far - building a robot to check every parked car to see if it's unlocked and stealing the ones that are - is not OK, even though they were unlocked.
You'd be hard pressed to find anyone who's immediate reaction to that story is not "what the hell did you expect was going to happen, that's on you", regardless of where the blame philosophically lies.
Thievery happens, it's happened since the dawn of time and will happen up until the end. To not be aware of this is your fault. In my opinion arguing otherwise is like arguing the sea is to blame for destroying your house, when you built it unprotected on a beach.
Sure - and I won't argue about whether it counts as "contributory negligence" if you park your nice car unlocked in sketchy areas and it gets stolen (and I'm sure you'll be hearing that from your insurance company if it's you).
But if your sister/girlfriend/wife/mother is assaulted in the street and I said to you "what the hell did you expect was going to happen, that's on you" - I'd fully expect you to punch me in the face. (And yes, I realise the hypocrisy in that - welcome to the inconsistency of being a human being...)
Many a gravestone bears the epitaph "but I was right."
Of course criminals are wrong, to blame, and should be punished. Still, people are responsible for securing their own safety for as long as criminals exist.
But at least as big a part is paying your taxes, contributing to society, requiring your political representatives to write appropriate and sensible laws, ensuring the police are funded and trained to catch people who break them, ensuring the courts are capable and willing to punish them. "Securing safety" should be mostly a collective thing, not an individual thing. Society as a whole has a lot better opportunity to deter crime in the first place and to reduce the incidences overall - than most individuals do.
[edit]Oh, and not stealing other people's shit yourself, or giving a pass to your friends or family who do.
I'd actually argue that at least as important (if and only if this isn't the case) would be
3) Not having extensive WORM backups and a plan to simply nuke and repave everything, or even quickly substituting in duplicate clean hardware kept cold for emergency. This should include (to the extent possible) running everything isolated while infection source is determined.
I mean yes, both your points are important too though with caveats. For 1, it's not necessarily the case they had mission critical systems on the Internet. There are significant ways that malware can cross even decent air gaps (let alone softer protections). And of course sometimes even mission critical equipment does in fact need to have a WAN link, though in that case I'd hoped it'd have protects wrt their intranet.
For 2, yes to that also if Boeing just plain didn't patch when they could have. But particularly when dealing with a lot of heavy duty industrial control applications sometimes enormously expensive hardware will only work with very old systems and/or have other baroque and fragile dependencies. Perhaps more to the point, there are zero days out there too, and Boeing should be ready even if this was an entirely unknown vulnerability rather then an old one. Or for that matter if a bunch of their critical computers simply exploded into flame.
At their level I'd expect a very concrete and specific action plan to simply bootstrap from scratch in a worst case and bring themselves back up from mere computer failure within a few days at worst and with a limited amount of data lost. Of course, like I said at the start, maybe that is in fact what they're executing, the article was light on details. If they are having to do a "swap in fresh hardware/reimage/restore while preventing reinfection" scenario across tons of systems in a hurry that would indeed be an All Hands On Deck critical event, albeit one with hopefully a relatively deterministic time frame. While it wouldn't stun me to see even a big engineering oriented company like that mess up here in a facepalm way I also don't want to jump to conclusions too fast. Clearly something has gone wrong, but if they have a worst case plan all in place ready to go and practiced and are now executing, it wouldn't be good they'd have to but that's what worst case plans are for.
For a company that is so well funded and familiar with paranoid engineering, how is it that something as basic as data integrity (offline backups) isn't implemented?
Lots of F500 companies raid the infrastructure budget to fund application development because it drives revenue. It's rare to find one that funds infrastructure the way a software company would.
Crap like 10+ year old servers, operating systems, etc, is rampant.
Similar for desktops. There's pressure to hold back on Windows version upgrades because "we can't divert app team resources to test if the app runs okay on that..." Or just plain raiding the refresh budget altogether. Or, "the app/business team needs admin logins because reasons, so back off infrastructure guy".
Fortunately, cloud seems to be a good solution to the mess. You're forced to deal with (at least some basic) tech debt.
I think the assessment of the risks needs to be looked at again. It may have made sense at one time to be conservative with system updates and do a lot of testing before rolling them out. In earlier days, OS updates were typically not security patches but new versions or major service packs. Behavior and APIs changed. But these days, what's worse: Dealing with some production issues due to an OS security update (really rather unlikely, and the patch infrastructure supports rolling back), or having your entire company taken offline by malware like WannaCry?
Huh? The risks are way worse than they once were. Microsoft ships a lot more broken shit than they did in the past, plus everything is bundled in such a way that it’s easy to reinflict wounds.
Wormable stuff like Wanacry is usually identified and can be addressed as an emergency. Otherwise, rolling out patches in production quicker than 30-60 days is just unwise in a big or complex environment.
>Once the news broke, some on social media raised the "nightmare scenario" of the virus infecting an airplane’s control software and possibly triggering a ransomware demand while in the air.
>"The plane would have to have been connected to an infected system.," he said. "The chances are pretty minimal."
If they can't confidently say the chances are guaranteed 0% then they need to actually look in to it and not just dismiss the idea.
Well, aircraft avionics do not run Windows. Thankfully. Though some of the diagnostic and maintenance equipment almost certainly does. So there's probably a path for malware, though likely not mainstream Windows ransomware.
The question then becomes: why the hell do the aircraft production systems run windows? Is making aircraft in bulk that much less important than flying an individual aircraft?
At some point, using systems susceptible to malware to conduct critical business is simply negligence. Windows is not a sane default.
"He obtained physical access to the networks through the Seat Electronic Box, or SEB. These are installed two to a row, on each side of the aisle under passenger seats, on certain planes. After removing the cover to the SEB by "wiggling and Squeezing the box," Roberts told agents he attached a Cat6 ethernet cable, with a modified connector, to the box and to his laptop and then used default IDs and passwords to gain access to the inflight entertainment system. Once on that network, he was able to gain access to other systems on the planes."
That one might just be a security researcher big-noting himself, but combined with this next one, I do not have a great deal of confidence in Boeing (or any of the airline industry's) software security teams...
I wonder what we'd find if Tavis Ormandy were seconded to Boeing for six months? (And can I have a heads-up if that happens? I've got some stock I'd like to short...)
That bullshit story being pushed by this bullshitter for years does not constitute evidence. There was no way for him to send data to any of the safety critical systems.
FWIW, the headline of the article has been changed by the Seattle Times. The second clause is now "but says no impact on jet production"; originally, it was: "could cripple some jet production".
The article is hyperbolic in the extreme. Reporter got ahold of a poorly phrased email from a manufacturing manager who lost their shit (which happens every time their production floors even so much as pass gas) over something they didn't understand., then blew it even further out of proportion by speculating on everything under the sun. I mean, come on, "and now I'm hearing xxxx may be down too! everybody panic!" ?
Anyone know for sure this is WC? Anyone seen actual samples? Is this just a case of people that would not really know the differences seeing something like what they think WannaCry behaves like and jumping the gun. I would hope this is something new.
I've worked at a large company similar to Boeing. Our IT providers are the same (CSC). Backups are regimented and any virus activity is dealt via, as the tweet puts it, remediation. If a computer is detected as having a virus/suspicious activity, etc, it is carted off immediately and wiped (they possibly do forensics, dunno). The system is reimaged, backups are checked and restored.
And they said I was crazy when I was warning about ransomware for self-driving cars (especially given carmakers mostly continue to ignore the software security issues). Their time will come.
To be fair, self-driving cars don't need any help in endangering people's lives. At this point Uber is basically malware in company form. Or maybe that's Facebook.
42 comments
[ 2.7 ms ] story [ 92.0 ms ] thread1) having mission critical systems on the internet and
2) not patching mission critical systems for vulnerabilities that have been (extremely) public for nearly a year now
I'm pretty sure someone else will get the blame for it, for about 6 months 'improvements' will be made, and next year, we're going to see something like this just repeat itself.
Meanwhile those managers collect ludicrous bonuses.
But yeah - this was negligence.
(Also, #1 is not necessarily true - WannaCry spreads via USB too - https://www.tripwire.com/state-of-security/featured/wannacry... )
More like: she left all her bright-red sports car car doors open with the windows rolled down, parked unattended in a sketchy part of town
I've walked past plenty of open doors, topless convertibles, unattended bicycles - without being compelled to steal anything.
To push the analogy too far - building a robot to check every parked car to see if it's unlocked and stealing the ones that are - is not OK, even though they were unlocked.
Thievery happens, it's happened since the dawn of time and will happen up until the end. To not be aware of this is your fault. In my opinion arguing otherwise is like arguing the sea is to blame for destroying your house, when you built it unprotected on a beach.
But if your sister/girlfriend/wife/mother is assaulted in the street and I said to you "what the hell did you expect was going to happen, that's on you" - I'd fully expect you to punch me in the face. (And yes, I realise the hypocrisy in that - welcome to the inconsistency of being a human being...)
Of course criminals are wrong, to blame, and should be punished. Still, people are responsible for securing their own safety for as long as criminals exist.
But at least as big a part is paying your taxes, contributing to society, requiring your political representatives to write appropriate and sensible laws, ensuring the police are funded and trained to catch people who break them, ensuring the courts are capable and willing to punish them. "Securing safety" should be mostly a collective thing, not an individual thing. Society as a whole has a lot better opportunity to deter crime in the first place and to reduce the incidences overall - than most individuals do.
[edit]Oh, and not stealing other people's shit yourself, or giving a pass to your friends or family who do.
3) Not having extensive WORM backups and a plan to simply nuke and repave everything, or even quickly substituting in duplicate clean hardware kept cold for emergency. This should include (to the extent possible) running everything isolated while infection source is determined.
I mean yes, both your points are important too though with caveats. For 1, it's not necessarily the case they had mission critical systems on the Internet. There are significant ways that malware can cross even decent air gaps (let alone softer protections). And of course sometimes even mission critical equipment does in fact need to have a WAN link, though in that case I'd hoped it'd have protects wrt their intranet.
For 2, yes to that also if Boeing just plain didn't patch when they could have. But particularly when dealing with a lot of heavy duty industrial control applications sometimes enormously expensive hardware will only work with very old systems and/or have other baroque and fragile dependencies. Perhaps more to the point, there are zero days out there too, and Boeing should be ready even if this was an entirely unknown vulnerability rather then an old one. Or for that matter if a bunch of their critical computers simply exploded into flame.
At their level I'd expect a very concrete and specific action plan to simply bootstrap from scratch in a worst case and bring themselves back up from mere computer failure within a few days at worst and with a limited amount of data lost. Of course, like I said at the start, maybe that is in fact what they're executing, the article was light on details. If they are having to do a "swap in fresh hardware/reimage/restore while preventing reinfection" scenario across tons of systems in a hurry that would indeed be an All Hands On Deck critical event, albeit one with hopefully a relatively deterministic time frame. While it wouldn't stun me to see even a big engineering oriented company like that mess up here in a facepalm way I also don't want to jump to conclusions too fast. Clearly something has gone wrong, but if they have a worst case plan all in place ready to go and practiced and are now executing, it wouldn't be good they'd have to but that's what worst case plans are for.
Crap like 10+ year old servers, operating systems, etc, is rampant.
Similar for desktops. There's pressure to hold back on Windows version upgrades because "we can't divert app team resources to test if the app runs okay on that..." Or just plain raiding the refresh budget altogether. Or, "the app/business team needs admin logins because reasons, so back off infrastructure guy".
Fortunately, cloud seems to be a good solution to the mess. You're forced to deal with (at least some basic) tech debt.
Wormable stuff like Wanacry is usually identified and can be addressed as an emergency. Otherwise, rolling out patches in production quicker than 30-60 days is just unwise in a big or complex environment.
The article was suggestive that ransomware would cripple Boeing, which wouldn't happen if they had offline backups.
>"The plane would have to have been connected to an infected system.," he said. "The chances are pretty minimal."
If they can't confidently say the chances are guaranteed 0% then they need to actually look in to it and not just dismiss the idea.
At some point, using systems susceptible to malware to conduct critical business is simply negligence. Windows is not a sane default.
Every OS, every architecture, every platform, everything.
Nobody’s burning iOS or Chrome sandbox 0days to try to earn $50k USD ransoms.
Boeing use CATIA and Dassault Systèmes dropped non-windows client support for CATIA in 2008.
So it was on a cargo plane, then?
https://www.wired.com/2015/05/feds-say-banned-researcher-com...
"He obtained physical access to the networks through the Seat Electronic Box, or SEB. These are installed two to a row, on each side of the aisle under passenger seats, on certain planes. After removing the cover to the SEB by "wiggling and Squeezing the box," Roberts told agents he attached a Cat6 ethernet cable, with a modified connector, to the box and to his laptop and then used default IDs and passwords to gain access to the inflight entertainment system. Once on that network, he was able to gain access to other systems on the planes."
That one might just be a security researcher big-noting himself, but combined with this next one, I do not have a great deal of confidence in Boeing (or any of the airline industry's) software security teams...
https://nakedsecurity.sophos.com/2017/11/15/dhs-says-it-remo...
I wonder what we'd find if Tavis Ormandy were seconded to Boeing for six months? (And can I have a heads-up if that happens? I've got some stock I'd like to short...)
(it's about 1 hour since the original submission)
In reality, it was a minor blip.
edit: It's all overblown
https://twitter.com/GossiTheDog/status/979133770921017347
https://twitter.com/GossiTheDog/status/979134886467526656
https://twitter.com/GossiTheDog/status/979140927813046273