Re: [IP] Malware kills 154

2010-08-24 Thread Steven Bellovin
With his permission, here is a summary of the Spanish-language article by Ivan 
Arce, a native speaker of Spanish.  (I misspoke when I said he read the actual 
report.)  Note the lack of any assertion of causality between the crash and the 
malware.

--

- The malware-infected computer was located at the HQs in Palma de
Mallorca. The plane crashed on take off from Madrid.
- The fact that the computer was infected was revealed in an internal
memo on the same day of the incident.
- The computer hosted the application used to log maintaince failure
reports. It was configured to trigger on on-screen alarm (maybe a dialog
with an "OK" button?) when it detected 3 failures of a similar kind on
the same plane
- Spainair  was known to take up to 24hs to update the system with
maintaince reports as admitted by two mechanics (I dont know the proper
english term for this) from the maint. team.
- This isn't a minor issue given that the same plane had two failures on
the prior day and another failure on the same day. The maintaince crew
was responsible for reporting failures immediately when they were
discovered.
- That last failure on the same day, had prompted the pilots to abort
the take off at the head of the runway and get back to the gate when an
overheated valve was detected.
- Then the pilots forgot to activate flaps and slats.
- The plane had an onboard audible alarm to signal that condition, the
alarm did not go off.

Reading this full account is quite saddening.

So, in sum, it seems that a set of failures and errors were combined and
led to terrible consequences. In this overall picture, malware had a
very limited and small impact.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com


Re: [IP] Malware kills 154

2010-08-24 Thread Chad Perrin
On Tue, Aug 24, 2010 at 06:44:02PM -0400, Steven Bellovin wrote:
> 
> On Aug 24, 2010, at 12:32 19PM, Chad Perrin wrote:
> 
> > On Mon, Aug 23, 2010 at 03:35:45PM -0400, Steven Bellovin wrote:
> >> 
> >> And the articles I've seen do not say that the problem caused the
> >> crash.  Rather, they say that a particular, important computer was
> >> infected with malware; I saw no language (including in the Google
> >> translation of the original article at
> >> http://www.elpais.com/articulo/espana/ordenador/Spanair/anotaba/fallos/aviones/tenia/virus/elpepiesp/20100820elpepinac_11/Tes,
> >> though the translation has some crucial infelicities) that said
> >> "because of the malware, bad things happened.  It may be like the
> >> reactor computer with a virus during a large blackout -- yes, the
> >> computer was infected, but that wasn't what caused the problem.
> > 
> > The problem was evidently a couple of maintenance technicians who didn't
> > do their jobs correctly.  The computer comes into the matter because one
> > of its jobs was to activate an alarm if a critical system whose failure
> > *was* the proximate cause of the crash was not working properly.  It
> > didn't activate the alarm, which would have led to the aircraft being
> > prohibited from taking off, because of the malware.
> > 
> 
> What I have not seen are any statements attributed to the investigating
> agency that support your last conclusion: that the malware is what
> caused the alarm failure.  
> 
> I saw a very good summary of the official findings; I'll ask permission
> to repost them.

I'd love to see it.  I don't for the life of me remember which articles I
saw from which I got that impression of events; if you have better
sources, I'd love to know about it.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]


pgpW0QF5sQrBw.pgp
Description: PGP signature


Re: [IP] Malware kills 154

2010-08-24 Thread Steven Bellovin

On Aug 24, 2010, at 12:32 19PM, Chad Perrin wrote:

> On Mon, Aug 23, 2010 at 03:35:45PM -0400, Steven Bellovin wrote:
>> 
>> And the articles I've seen do not say that the problem caused the
>> crash.  Rather, they say that a particular, important computer was
>> infected with malware; I saw no language (including in the Google
>> translation of the original article at
>> http://www.elpais.com/articulo/espana/ordenador/Spanair/anotaba/fallos/aviones/tenia/virus/elpepiesp/20100820elpepinac_11/Tes,
>> though the translation has some crucial infelicities) that said
>> "because of the malware, bad things happened.  It may be like the
>> reactor computer with a virus during a large blackout -- yes, the
>> computer was infected, but that wasn't what caused the problem.
> 
> The problem was evidently a couple of maintenance technicians who didn't
> do their jobs correctly.  The computer comes into the matter because one
> of its jobs was to activate an alarm if a critical system whose failure
> *was* the proximate cause of the crash was not working properly.  It
> didn't activate the alarm, which would have led to the aircraft being
> prohibited from taking off, because of the malware.
> 

What I have not seen are any statements attributed to the investigating agency 
that support your last conclusion: that the malware is what caused the alarm 
failure.  

I saw a very good summary of the official findings; I'll ask permission to 
repost them.

--Steve Bellovin, http://www.cs.columbia.edu/~smb





-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com


Re: [IP] Malware kills 154

2010-08-24 Thread Bill Frantz
This came in from SANS NewsBites Vol. 12 Num 67 : Did a computer 
virus cause the 150 deaths in the Spanair crash?


 --Judge to Examine Evidence on Malware in Spanair Fatal Air 
Crash Case

(August 20 & 23, 2010)
A Spanish judge will investigate whether or not malware on a Spanair
computer system had anything to do with the system's failure to raise
alerts prior to a 2008 airplane crash that killed 154 of 172 
people on
board.  The official cause of the crash was pilot error; the 
pilots were

found to have failed to extend the airplane's take-off flaps and slats.
However, the investigation also found that a warning system 
failed to
alert the pilots that the flaps and slats had not extended and 
had also

failed to do so on two previous occasions.  Each failure should have
been logged into Spanair's maintenance system, which was found 
to be

infected with malware.  Three failures would have triggered an alarm
that would have kept the airplane grounded until the problem was fixed.
The judge has called for Spanair to release computer logs for 
the days

before and after the crash.  The malware infection appears to have
spread through a flash drive.
Internet Storm Center: http://isc.sans.edu/diary.html?storyid=9433
http://www.securecomputing.net.au/News/229633,trojans-linked-to-spanish-air-crash.aspx
http://www.informationweek.com/news/security/management/showArticle.jhtml?articleID=226900089
http://content.usatoday.com/communities/technologylive/post/2010/08/infected-usb-thumb-drive-implicated-in-deadly-2008-spanair-jetliner-crash/1?loc=interstitialskip
http://www.theregister.co.uk/2010/08/20/spanair_malware/
http://www.msnbc.msn.com/id/38790670/ns/technology_and_science-security/
http://news.cnet.com/8301-1009_3-20014237-83.html?tag=mncol;title
[Editor's Note (Schultz): This is a potentially very significant turn
of events. If the loss of 172 lives can be traced to the 
presence of
malware, corporate executives and government officials are 
likely to

take security risk management much more seriously than they generally
now do.]

OBLegal: Please feel free to share this with interested parties 
via email, but
no posting is allowed on web sites. For a free subscription, 
(and for

free posters) or to update a current subscription, visit
http://portal.sans.org/

Cheers - Bill

---
Bill Frantz| gets() remains as a monument | Periwinkle
(408)356-8506  | to C's continuing support of | 16345 
Englewood Ave
www.pwpconsult.com | buffer overruns. | Los Gatos, 
CA 95032


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com


Re: [IP] Malware kills 154

2010-08-24 Thread Chad Perrin
On Mon, Aug 23, 2010 at 03:35:45PM -0400, Steven Bellovin wrote:
> 
> And the articles I've seen do not say that the problem caused the
> crash.  Rather, they say that a particular, important computer was
> infected with malware; I saw no language (including in the Google
> translation of the original article at
> http://www.elpais.com/articulo/espana/ordenador/Spanair/anotaba/fallos/aviones/tenia/virus/elpepiesp/20100820elpepinac_11/Tes,
> though the translation has some crucial infelicities) that said
> "because of the malware, bad things happened.  It may be like the
> reactor computer with a virus during a large blackout -- yes, the
> computer was infected, but that wasn't what caused the problem.

The problem was evidently a couple of maintenance technicians who didn't
do their jobs correctly.  The computer comes into the matter because one
of its jobs was to activate an alarm if a critical system whose failure
*was* the proximate cause of the crash was not working properly.  It
didn't activate the alarm, which would have led to the aircraft being
prohibited from taking off, because of the malware.

That, at least, is what I've been able to figure out from the scant
reporting on the situation I've found through Google.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]


pgpk2HTlHlU9K.pgp
Description: PGP signature


Re: [IP] Malware kills 154

2010-08-23 Thread Steven Bellovin

On Aug 23, 2010, at 11:11 13AM, Peter Gutmann wrote:

> "Perry E. Metzger"  forwards:
> 
>> "Authorities investigating the 2008 crash of Spanair flight 5022
>> have discovered a central computer system used to monitor technical
>> problems in the aircraft was infected with malware"
>> 
>> http://www.msnbc.msn.com/id/38790670/ns/technology_and_science-security/?gt1=43001
> 
> Sigh, yet another attempt to use the "dog ate my homework" of computer
> problems, if their fly-by-wire was Windows XP then they had bigger things to
> worry about than malware.
> 
To say nothing of what happens when you run a nuclear power plant on Windows: 
http://www.upi.com/News_Photos/Features/Irans-Bushehr-nuclear-power-plant/3693/2/
 (slightly OT, I realize, but too good to pass up).


--Steve Bellovin, http://www.cs.columbia.edu/~smb





-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com


Re: [IP] Malware kills 154

2010-08-23 Thread Steven Bellovin

On Aug 23, 2010, at 11:50 30AM, John Levine wrote:

>>> "Authorities investigating the 2008 crash of Spanair flight 5022
>>> have discovered a central computer system used to monitor technical
>>> problems in the aircraft was infected with malware"
>>> 
>>> http://www.msnbc.msn.com/id/38790670/ns/technology_and_science-security/?gt1=43001
> 
> This was very poorly reported.  The malware was on a ground system that
> wouldn't have provided realtime warnings of the configuration problem
> that caused the plane to crash anyway.
> 

And the articles I've seen do not say that the problem caused the crash.  
Rather, they say that a particular, important computer was infected with 
malware; I saw no language (including in the Google translation of the original 
article at 
http://www.elpais.com/articulo/espana/ordenador/Spanair/anotaba/fallos/aviones/tenia/virus/elpepiesp/20100820elpepinac_11/Tes,
 though the translation has some crucial infelicities) that said "because of 
the malware, bad things happened.  It may be like the reactor computer with a 
virus during a large blackout -- yes, the computer was infected, but that 
wasn't what caused the problem.


--Steve Bellovin, http://www.cs.columbia.edu/~smb





-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com