Experts: Power Outage Not Related to Microsoft Internet Worm

Reuters | August 14, 2003

[HAL9000]

SAN FRANCISCO (Reuters) - Computer network and security experts said on Thursday there was no evidence the power outage in the northeastern United States and Canada was related to the Blaster worm that began spreading on Monday.

"I have no thought that (the outage) is Blaster related," said Alan Paller, research director at the SANS Institute in Bethesda, Maryland.

"The Internet is built not to worry about that," he said. "If you blow up any big chunk, it is designed to work." "There is no information available at this time to indicate that the power outages in the Northeast United States and Canada are related to intruder activity," said the Computer Emergency Response Team at Carnegie Mellon, in response to questions about the worm.

The worm targets Microsoft Corp.'s Windows XP and Windows 2000 computers, infects and crashes them and spreads to other vulnerable machines.

[South40]

Experts: Power Outage Not Related to Microsoft Internet Worm

Of course it isn't.

Everybody knows it was caused by George W. Bush, his tax cuts for the rich, and his buddies at Enron.

[Eala]

LOL! Almost...

[Tank-FL]

OK Hillary , I thought you were banned from these boards! <-- sarcasm

[joesnuffy]

of course not...wouldnt want to see the market results of something like this pinned on them
whoa...there goes my stock...

[Paul Atreides]

A few times, in Arrakeen, we had a power outage caused by a worm.

[Paul Atreides]

Experts: Power Outage Not Related to Microsoft Internet Worm

In a related story, thousands of Apple users had to cancel spontaneous "Nyah, nyah, nyah, nyah, nyah" parties.

[HAL9000]

Yes, but it's still interesting that the public immediately associates this type of calamity with Microsoft.

[TheFrog]

Re: "Experts: Power Outage Not Related to Microsoft Internet Worm" am I the only one who finds it amusing that people are saying its not the worm or terrorism when no one knows the initiating event yet.

[flamefront]

BTW -

Aug. 14, 2003, 9:52PM


Flaw seen in patch by Microsoft

Copyright 2003 CBS MarketWatch

SAN FRANCISCO -- A program Microsoft instructed customers to use to fix a hole in its Windows software, which is vulnerable to attack by the Blaster/Lovsan worm that infected computers this week, may itself be flawed.

A glitch in the Microsoft Windows Update patch-management system used to download Windows software fixes has tricked some customers into thinking their systems were patched to prevent Lovesan, when they really were not, said Russ Cooper, moderator of a mailing list with 30,000 subscribers that tracks Microsoft's software weaknesses.

"I know of numerous companies -- more than 10 -- with thousands of computers among them that have run into this problem," Cooper said. The problem is a result of the way Windows Update checks that a computer has run a particular patch, Cooper says. As of Wednesday, Windows Update only checked a database to see that the patch for Blaster/Lovesan had been run on a particular computer in the past -- not that the patch was installed and working.

It left open the possibility that computers that crashed during the process, were unexpectedly turned off or simply didn't have enough memory to install the software patch inaccurately reflected that the patch was successfully installed, when in some cases it wasn't, Cooper said.

Microsoft had no comment.

[Ed_in_NJ]

FROM:
LOCATION: Neohapsis / Archives / Bugtraq / Message Index / Message #0231

http://archives.neohapsis.com/archives/bugtraq/2003-08/0231.html

Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm'

From: Virtual Master (vmastermmd.ath.cx)
Date: Fri Aug 15 2003 - 13:49:06 CDT

The german publishing house "heise", producing the magazines c't and ix, got a news on their page mentioning a probable link between the worm and the power outage.

http://www.heise.de/newsticker/data/ju-15.08.03-001/

The article is in german, but I'm trying to translate the important pieces to english:

The failing niagara power-plant belongs to National Grid USA. That power-supplier is listed as a reference customer of Northern Dynamics. Norhtern Dynamics labeled themselves as "Home of the OPC Experts" and offer a range of products that use OPC for control and operation systems.

OPC stands for "Ole for process control" and is based on microsofts COM/DCOM model. In a network affected by the W32.Blaster worm the DCOM-communcation fails, and therefor OPC fails on unpatched systems.

OPC is employed among other things for the linking of so called SCADA systems (Supervisory Control and Data Acquisition), as used by power-plants.

The OPC experts from northern dynamics also list General Electrics, Siemens AG, european power-plant constructor ABB and the european organization for nuclear research as reference customers.

(end of 'copy')

ANY OTHER MENTIONS OF THIS SEEN?

[Ed_in_NJ]

Don't know that I would use the word "amusing," but it sure puts a dent in the purveyor's credibility!

Since there was no known 'excessive demand' for power that day (it was NOT extremely hot in the region), and no lightning in the area where this is now believed to have started, the question is "what was different about THAT day (versus the prior 25 years, in which there was no blackout)?"

It is very believable that, even if the worm did not DIRECTLY cause the event, some critical piece of the 'chain of protection' could have been taken offline temporarily to either protect it from the worm, or an application could have been closed down (and not backed up) while a patch was being made.

All speculation on my part, but certainly a possibility.

[flamefront]

You have an important fact to consider there, good find. I'll bet some people involved in the process control programming are very nervous at the moment and just might cough up a smoking gun memo or interview here that will describe a possible accidental problem.

Terrorism, too, was ruled out a little to quickly by politicians, as far as malicious expliotation is involved. Possible links ans clues about terrorist hackers should be looked at closely here whether accidental or maliscious action is involved here.

For example:

Jonathan Brunt
The Idaho Statesman
03-01-2003

MOSCOW - Sami Omar Al-Hussayen, who is accused of supporting terrorism, was affiliated with a program at the University of Idaho designed to prevent cyber terrorism.

On Wednesday, U.S. Attorney for Idaho Tom Moss said Al-Hussayen used knowledge he was learning in the U of I´s computer programs to assist terrorist groups.

Al-Hussayen, 33, was arrested Wednesday on charges of lying on his visa application. The federal grand jury indictment alleges that Al-Hussayen, a computer science doctoral student from Saudi Arabia, funneled more than $300,000 to groups that promote terrorism. ...

[flamefront]

(Dot collection, to be connected.)
Curiously on August 12th, just days before the blackout:

Warning of Internet terrorism threat
Jennifer Dudley
12aug03

MICROSOFT'S chief security expert yesterday warned Australian businesses to be prepared for terrorist attacks using the Internet.



Chief security strategist Scott Charney warned information technology professionals at Microsoft's Tech Ed conference in Brisbane they were "the first line of defence" against terrorists using the Internet to endanger public safety and national security.

Mr Charney said terrorist groups were using the Internet to organise members and warned businesses not to be complacent about their potential security threat.

"Terrorists clearly use the Internet as a communications medium, fundraising medium and for website communications," he said. "We need to work on critical infrastructure protection."

Mr Charney said governments had become dependent on IT infrastructure, but 85 per cent was owned by the private sector.

It was therefore up to businesses to guard against "a whole new set of threats".

[flamefront]

Also, from internetnews.com

July 31, 2003
Security Experts On Alert for Large-Scale Hacker Assault
By Sharon Gaudin

The security industry is on alert that an upswing in hacker activity could be signaling the coming of a broad-scale attack that could potentially affect millions of networks.
The increased hacker activity is pinpointing a vulnerability in Microsoft Corp.'s Windows operating system. A problem with the Windows RPC Interface Buffer Overrun was first disclosed on July 16. Security experts say hackers started experimenting with the vulnerability almost immediately, and the rate of system probes and online chatter about the vulnerability has been skyrocketing. ...

[flamefront]

Potential corroboration from USAToday "Network went wobbly hours before outage":

Michehl Gent, president of the North American Electric Reliability Council (NERC), said over the weekend that Thursday's problems started with three Ohio transmissionlines that failed in rapid succession. The cause of the failure is unknown. But the bigger question is why the system failed to contain the blackout to a limited area, as it is designed to do. He said it could be human error, equipment failure or both.

At 3:06 p.m., a 345-kilovolt transmissionline owned by Ohio-based FirstEnergy shut down for reasons that experts haven't determined. FirstEnergy, which owns four of the five lines in question, reported that an automatic system that was suppose to flash a warning on controllers' computer screens failed to operate after the line went down.

[Ed_in_NJ]

Interesting -- wonder what their computer environment/equipment is like.

Heard a report that Symantec says Cray machines could be affected by this worm.