We are still all speculating.  Then again, so too was the media when they 
reported so-and-so said it wasn't this or that.  In my opinion, if they 
didn't know already what caused it, then it was way too soon for a good 
analysis of what happened and assignment of blame and non-blame.

That aside, if it was the worm, then an issue remains regarding future 
vulnerabilities for other as yet undisclosed buffer overflow defects in 
various operating systems.  We all lucked out in that this time the worm 
exploiting the vulnerability came out after the vulnerability was 
discovered.  Someday one will probably come out and we will "discover" we 
were vulnerable after someone else has already exploited the unrealized 
vulnerability.  A little paranoia is a good thing.

Jon, great points, and they pretty much coincide with my
thinking on this problem. Though there is one thing that is
somewhat of a contradiction in logic that I have heard a
few times from others as well.

 >>If the Internet had been the source of the problem, I think
 >>we would have seen a failure REAL EARLY into this worm.

This would be true if SCADA or DCS systems were always
connected to the internet or some linking network -- but --
our scenario for penetration involves a remote controller's
laptop. If this laptop was a problem, and was infected, it is
not unlikely that it remained infected for a day or so after
the worm's peak when the controller connected into the
network and the outage occurred.

Remember guys, we are talking about 1 area that failed
and not at all plants; the other plants that shut down were
automatically 'tripped', and that was part of procedure to
stop collateral damage. If a SCADA or controlling DCS
system were to be taken offline abruptly at a large scale
facility, this would be just the trigger for a massive
network shutdown to prevent further infection/intrusion.

I agree with Jon, Andre, and others: too much coincidence.


