Re: [IP] Malware kills 154
With his permission, here is a summary of the Spanish-language article by Ivan Arce, a native speaker of Spanish. (I misspoke when I said he read the actual report.) Note the lack of any assertion of causality between the crash and the malware. -- - The malware-infected computer was located at the HQs in Palma de Mallorca. The plane crashed on take off from Madrid. - The fact that the computer was infected was revealed in an internal memo on the same day of the incident. - The computer hosted the application used to log maintaince failure reports. It was configured to trigger on on-screen alarm (maybe a dialog with an "OK" button?) when it detected 3 failures of a similar kind on the same plane - Spainair was known to take up to 24hs to update the system with maintaince reports as admitted by two mechanics (I dont know the proper english term for this) from the maint. team. - This isn't a minor issue given that the same plane had two failures on the prior day and another failure on the same day. The maintaince crew was responsible for reporting failures immediately when they were discovered. - That last failure on the same day, had prompted the pilots to abort the take off at the head of the runway and get back to the gate when an overheated valve was detected. - Then the pilots forgot to activate flaps and slats. - The plane had an onboard audible alarm to signal that condition, the alarm did not go off. Reading this full account is quite saddening. So, in sum, it seems that a set of failures and errors were combined and led to terrible consequences. In this overall picture, malware had a very limited and small impact. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: [IP] Malware kills 154
On Tue, Aug 24, 2010 at 06:44:02PM -0400, Steven Bellovin wrote: > > On Aug 24, 2010, at 12:32 19PM, Chad Perrin wrote: > > > On Mon, Aug 23, 2010 at 03:35:45PM -0400, Steven Bellovin wrote: > >> > >> And the articles I've seen do not say that the problem caused the > >> crash. Rather, they say that a particular, important computer was > >> infected with malware; I saw no language (including in the Google > >> translation of the original article at > >> http://www.elpais.com/articulo/espana/ordenador/Spanair/anotaba/fallos/aviones/tenia/virus/elpepiesp/20100820elpepinac_11/Tes, > >> though the translation has some crucial infelicities) that said > >> "because of the malware, bad things happened. It may be like the > >> reactor computer with a virus during a large blackout -- yes, the > >> computer was infected, but that wasn't what caused the problem. > > > > The problem was evidently a couple of maintenance technicians who didn't > > do their jobs correctly. The computer comes into the matter because one > > of its jobs was to activate an alarm if a critical system whose failure > > *was* the proximate cause of the crash was not working properly. It > > didn't activate the alarm, which would have led to the aircraft being > > prohibited from taking off, because of the malware. > > > > What I have not seen are any statements attributed to the investigating > agency that support your last conclusion: that the malware is what > caused the alarm failure. > > I saw a very good summary of the official findings; I'll ask permission > to repost them. I'd love to see it. I don't for the life of me remember which articles I saw from which I got that impression of events; if you have better sources, I'd love to know about it. -- Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ] pgpW0QF5sQrBw.pgp Description: PGP signature
Re: [IP] Malware kills 154
On Aug 24, 2010, at 12:32 19PM, Chad Perrin wrote: > On Mon, Aug 23, 2010 at 03:35:45PM -0400, Steven Bellovin wrote: >> >> And the articles I've seen do not say that the problem caused the >> crash. Rather, they say that a particular, important computer was >> infected with malware; I saw no language (including in the Google >> translation of the original article at >> http://www.elpais.com/articulo/espana/ordenador/Spanair/anotaba/fallos/aviones/tenia/virus/elpepiesp/20100820elpepinac_11/Tes, >> though the translation has some crucial infelicities) that said >> "because of the malware, bad things happened. It may be like the >> reactor computer with a virus during a large blackout -- yes, the >> computer was infected, but that wasn't what caused the problem. > > The problem was evidently a couple of maintenance technicians who didn't > do their jobs correctly. The computer comes into the matter because one > of its jobs was to activate an alarm if a critical system whose failure > *was* the proximate cause of the crash was not working properly. It > didn't activate the alarm, which would have led to the aircraft being > prohibited from taking off, because of the malware. > What I have not seen are any statements attributed to the investigating agency that support your last conclusion: that the malware is what caused the alarm failure. I saw a very good summary of the official findings; I'll ask permission to repost them. --Steve Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: [IP] Malware kills 154
This came in from SANS NewsBites Vol. 12 Num 67 : Did a computer virus cause the 150 deaths in the Spanair crash? --Judge to Examine Evidence on Malware in Spanair Fatal Air Crash Case (August 20 & 23, 2010) A Spanish judge will investigate whether or not malware on a Spanair computer system had anything to do with the system's failure to raise alerts prior to a 2008 airplane crash that killed 154 of 172 people on board. The official cause of the crash was pilot error; the pilots were found to have failed to extend the airplane's take-off flaps and slats. However, the investigation also found that a warning system failed to alert the pilots that the flaps and slats had not extended and had also failed to do so on two previous occasions. Each failure should have been logged into Spanair's maintenance system, which was found to be infected with malware. Three failures would have triggered an alarm that would have kept the airplane grounded until the problem was fixed. The judge has called for Spanair to release computer logs for the days before and after the crash. The malware infection appears to have spread through a flash drive. Internet Storm Center: http://isc.sans.edu/diary.html?storyid=9433 http://www.securecomputing.net.au/News/229633,trojans-linked-to-spanish-air-crash.aspx http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=226900089 http://content.usatoday.com/communities/technologylive/post/2010/08/infected-usb-thumb-drive-implicated-in-deadly-2008-spanair-jetliner-crash/1?loc=interstitialskip http://www.theregister.co.uk/2010/08/20/spanair_malware/ http://www.msnbc.msn.com/id/38790670/ns/technology_and_science-security/ http://news.cnet.com/8301-1009_3-20014237-83.html?tag=mncol;title [Editor's Note (Schultz): This is a potentially very significant turn of events. If the loss of 172 lives can be traced to the presence of malware, corporate executives and government officials are likely to take security risk management much more seriously than they generally now do.] OBLegal: Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/ Cheers - Bill --- Bill Frantz| gets() remains as a monument | Periwinkle (408)356-8506 | to C's continuing support of | 16345 Englewood Ave www.pwpconsult.com | buffer overruns. | Los Gatos, CA 95032 - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: [IP] Malware kills 154
On Mon, Aug 23, 2010 at 03:35:45PM -0400, Steven Bellovin wrote: > > And the articles I've seen do not say that the problem caused the > crash. Rather, they say that a particular, important computer was > infected with malware; I saw no language (including in the Google > translation of the original article at > http://www.elpais.com/articulo/espana/ordenador/Spanair/anotaba/fallos/aviones/tenia/virus/elpepiesp/20100820elpepinac_11/Tes, > though the translation has some crucial infelicities) that said > "because of the malware, bad things happened. It may be like the > reactor computer with a virus during a large blackout -- yes, the > computer was infected, but that wasn't what caused the problem. The problem was evidently a couple of maintenance technicians who didn't do their jobs correctly. The computer comes into the matter because one of its jobs was to activate an alarm if a critical system whose failure *was* the proximate cause of the crash was not working properly. It didn't activate the alarm, which would have led to the aircraft being prohibited from taking off, because of the malware. That, at least, is what I've been able to figure out from the scant reporting on the situation I've found through Google. -- Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ] pgpk2HTlHlU9K.pgp Description: PGP signature
Re: [IP] Malware kills 154
On Aug 23, 2010, at 11:11 13AM, Peter Gutmann wrote: > "Perry E. Metzger" forwards: > >> "Authorities investigating the 2008 crash of Spanair flight 5022 >> have discovered a central computer system used to monitor technical >> problems in the aircraft was infected with malware" >> >> http://www.msnbc.msn.com/id/38790670/ns/technology_and_science-security/?gt1=43001 > > Sigh, yet another attempt to use the "dog ate my homework" of computer > problems, if their fly-by-wire was Windows XP then they had bigger things to > worry about than malware. > To say nothing of what happens when you run a nuclear power plant on Windows: http://www.upi.com/News_Photos/Features/Irans-Bushehr-nuclear-power-plant/3693/2/ (slightly OT, I realize, but too good to pass up). --Steve Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
Re: [IP] Malware kills 154
On Aug 23, 2010, at 11:50 30AM, John Levine wrote: >>> "Authorities investigating the 2008 crash of Spanair flight 5022 >>> have discovered a central computer system used to monitor technical >>> problems in the aircraft was infected with malware" >>> >>> http://www.msnbc.msn.com/id/38790670/ns/technology_and_science-security/?gt1=43001 > > This was very poorly reported. The malware was on a ground system that > wouldn't have provided realtime warnings of the configuration problem > that caused the plane to crash anyway. > And the articles I've seen do not say that the problem caused the crash. Rather, they say that a particular, important computer was infected with malware; I saw no language (including in the Google translation of the original article at http://www.elpais.com/articulo/espana/ordenador/Spanair/anotaba/fallos/aviones/tenia/virus/elpepiesp/20100820elpepinac_11/Tes, though the translation has some crucial infelicities) that said "because of the malware, bad things happened. It may be like the reactor computer with a virus during a large blackout -- yes, the computer was infected, but that wasn't what caused the problem. --Steve Bellovin, http://www.cs.columbia.edu/~smb - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com