Security United States IT

Time Bomb May Have Destroyed 800 Norfolk City PCs' Data

krebsonsecurity writes "The City of Norfolk, Virginia is reeling from a massive computer meltdown in which an unidentified family of malicious code destroyed data on nearly 800 computers citywide. The incident is still under investigation, but city officials say the attack may have been the result of a computer time bomb planted in advance by an insider or employee and designed to trigger at a specific date, according to krebsonsecurity.com. 'We don't believe it came in from the Internet. We don't know how it got into our system,' the city's IT director said. 'We speculate it could have been a time bomb waiting until a date or time to trigger. Whatever it was, it essentially destroyed these machines.'"
  • by gimmebeer ( 1648629 ) on Wednesday February 17, 2010 @03:27PM (#31174246)
    I wonder if there is any correlation between the number of PCs that crashed and the number of PCs set to automatically download and install patches...
  • by Anonymous Coward on Wednesday February 17, 2010 @03:49PM (#31174622)

    I have seen time bombs left behind by two types of people when being called in as a consultant to deal with the aftermath:

    1: The disgruntled employee. He leaves a hidden file that if not touched in 2-3 weeks will start wreaking havoc. I've even seen modified binaries of tar and such that encrypt the files, so even backups are trashed.

    2: Someone wanting to frame another person. I've seen this done by clients of other consultants who do not want to pay the consulting fee. So they put a logic bomb in. The admin that left gets blamed and faces jail time. In this scenario, it is a word against word issue almost always, and juries tend to believe business owners far more than the admin who got railroaded.

  • Feh. (Score:3, Interesting)

    by Pojut ( 1027544 ) on Wednesday February 17, 2010 @04:05PM (#31174882) Homepage

    If lil' ol' me can spend a few hundred dollars on enough hard drives stuffed into external enclosures to have two complete backups of all ~1.5TB of data in my system, surely a municipal government can spend a few thousand dollars to do it too.

    What the hell, who runs systems that important without backups? Management teams named Shirley?

  • by Monkeedude1212 ( 1560403 ) on Wednesday February 17, 2010 @04:30PM (#31175354) Journal

    Even if you're a complete dolt and don't lose all of that, you can still recover data with some sophisticated technology. The hard drive might claim it's empty but the bits are likely still in their last position. (Ever noticed how clearing the partitions off of your hard drive is instantaneous?)

    This is why professionals can still recover a large chunk of data from a hard drive even if you used a drill bit to punch a hole in it.

  • by vlm ( 69642 ) on Wednesday February 17, 2010 @04:50PM (#31175728)

    Either way the city's in a world of pain now, but nowhere near the world of pain the guy that did this is going to be in. Something like this won't be that hard to figure out.

    Yes, except that the folks in charge are making desperate efforts to destroy any and all evidence by overwriting, reinstalling, etc, per the article and website.

    So, I guarantee a scapegoat has already been determined. In fact, a scapegoat was probably determined before the "incident" occurred, if you know what I mean. The odds that "the guy who did it" is "the guy that'll be punished/plea bargain" are probably vanishingly low.

    Now if the "journalist" was a real journalist, as opposed to a press release rewriter, we'd have an analysis of recent staffing changes in that office. My guess is the "wrong" company got a support contract, or perhaps there are union issues, or perhaps there was an unpopular plan to outsource to India that'll now "unfortunately have to be expedited". Or the IT director's brother or other relative dared to run against the mayor/other local politician. Etc etc etc.

  • by idontgno ( 624372 ) on Wednesday February 17, 2010 @04:53PM (#31175768) Journal

    Linky [theregister.co.uk]

    Unless you're too lazy to click and read, too.

    The specific problem BSODs the machine during any boot (effectively bricking it until fixed). Some of the comments talk about replacing files in the System32 directory with backups. Hmm.... coincidence? Could be.

    The story would go from "interesting" to "fascinating" if it turned out that the hundreds of municipal PCs got trashed because they were rootkitted while the Microsoft Patch was being installed (apparently, the root cause of this BSOD problem).
