back to article Conficker borks London council

An Ealing council employee infected the UK local authority's IT systems with the Conficker-D worm after he plugged an infected USB into a work computer, causing tens of thousands of pounds in damages in the process. The May incident took several days to clean-up and landed the west London council with a bill of £500,000 in …

COMMENTS

This topic is closed for new posts.

Page:

  1. John G Imrie
    WTF?

    Lost data

    After all the lost data from government departments WTF was the counsel employee doing with a USB stick in the first place.

    Joined up government IT, my Arse.

  2. Pete 2 Silver badge

    Didn't have to be like that

    While the employee might have done something bad / naughty / ill-advised, to just come out and blame him/her is a rather extreme point of view. A slight scraping off of the blame-culture veneer from this story shows an IT department with apparently no internal security, a very poor architecture with no defensive capability and maybe even a mass of interlinked systems (libraries to parking fines?) that should have no common points of failure.

    Further, it implies that Ealing council doesn't have a DR plan - or at least not one that isn't crap and very likely no spare capacity to deal with exceptional circumstances, such as the ability to catch up processing due to earlier downtime.

    One thing is correct in this story, if this had been a private company people would have been sacked: starting with the head of IT who allowed such an amateurish setup in the first place. There might even be a few directors having to answer embarrassing questions - regarding their legal responsibility to ensure an effective fail-over / fault-tolerant system. However, I'm sure that in a jobs-for-life council all that will happen is a few sarky memos, maybe a letter of reprimand to the lowest ranking official and an increase in council tax to recoup the losses.

    If they're really on the ball, they might even take away this guy's USB stick - though I doubt they do anything as radical, professional or inconvenient as implementing an anti-virus regime. Assuming, of course, that wasn't just a handy scapegoat for something even worse.

  3. Anonymous Coward
    Gates Horns

    Make 'em pay

    "...the council was unable to process more than 1,800 parking tickets, at an estimated cost of £90,000, libraries lost out on £25,000 in fines and booking fees, council property rent went uncollected, and £14,000 was spent in sorting out delayed housing benefit claims."

    Please remit to:

    Steven Balmer

    1 Microsoft Way

    Redmond, WA 98052

  4. Anonymous Coward
    Gates Horns

    "The specific virus hasn't been named...

    ... but it seems certain that it is Windows."

    There, fixinated once again.

  5. Pink Duck
    Thumb Down

    Epic Win for IT

    So that's lack of virus scanning, lack of security permission lock down, lack of tested backup systems to recover lost data and yet another instance of government fail.

  6. Anonymous Coward
    Anonymous Coward

    St.Trinians

    I quite liked the most recent one. 'Twas better than the previous one.

  7. Anonymous Coward
    Unhappy

    iPod

    We recently had a lass who plugged in her iPod to "charge" ...

    She didn't realize that it connected as a mass storage device, or realise that it could copy a file from her home machine to "autorun" on one of our "Instrument" PC's ... which unfortuatnely had to be run as administrator.

    Fortunately it didn't spread ... but it did mean a reboot into Ubuntu to recover the data and a format and re-install of the disk.

    The lass was mortified, USB devices are now disabled as part of the standard system install, autorun is now disabled as part of the standard system install and a nice Email from the director has told people not to do it.

    Nice.

  8. John G Imrie
    Unhappy

    Spare capacity.

    Further, it implies that Ealing council doesn't have a DR plan - or at least not one that isn't crap and very likely no spare capacity to deal with exceptional circumstances, such as the ability to catch up processing due to earlier downtime.

    Of cause they don't have any spare capacity, that got thrown out under the last but one efficiency drive, when the PHB toled them to stop paying for all that unused equipment.

  9. Dennis
    Thumb Down

    Lost revenue

    Do they really mean "lost revenue"?

    Sounds a bizarre arrangement.

    Sorry, the computer system is down. We'll just cancel your parking ticket.

    Sorry, the computer is down. This month's rent is free.

    Sorry, the computer is down. You can reserve a book, but we can't charge you the usual fee.

    Sorry, the computer system is down. You won't have to pay your library fine next time.

    Someone will have to remind the Council how cash works.

  10. Lionel Baden

    usbstor

    set to 4 problem solved !!

    No usb storage allowed whilst retaining use of usb kb + mice etc

  11. Anonymous Coward
    FAIL

    Incompetence is incompetence, whether public or private

    "One thing is correct in this story, if this had been a private company people would have been sacked: starting with the head of IT who allowed such an amateurish setup in the first place."

    Utter rubbish. I work in a company that has been recently affected by Conficker, where (not just IT) business-critical decisions appear to be made based on private agendas and based on whose faces are in favour rather than what is demonstrably best for the business. It is not the only company I have worked in where this is the case.

    Incompetence is incompetence, and it's just as likely in the private sector (where it will usually simply get swept under the carpet) as it is in the public sector.

  12. Adam Salisbury
    Coffee/keyboard

    @ Pete 2

    Sadly we can only dream of a world where our Government and public sector are as accountable as those of us in the private sector, I wish I could see at one scrap of efficiency, competence or real accountability between the lot of them at least once in my lifetime!

  13. Wolf 1
    Boffin

    Conficker? Doubt it!

    Surely to God it could *NOT* have been Conficker? That patch has been out for *OVER 1 YEAR*.

    Come on, Reg, we expect better of you. Or are you saying British IT at all levels is simply rubbish?

    Oh, wait...

  14. Anonymous Coward
    FAIL

    @Pete 2

    All of what you said makes perfect sense but in order to apply it to public sector it will require a Council Tax rise.

    Why, I hear you ask. Beacuse public sector never has enough resource to throw at those sort of setups in terms of money and/or manpower. Easy to make those comments if you work in the private sector as they will automatically throw money at the problem to fix it.

  15. Ian K
    Stop

    Inflated losses?

    "the council was unable to process more than 1,800 parking tickets, at an estimated cost of £90,000, libraries lost out on £25,000 in fines and booking fees, council property rent went uncollected"

    Library fines and fees I can see being a "collect now or miss the opportunity" thing, but parking tickets and rent? I though the former were issued by the warden-on-the-street's hand held systems, and uploaded to the central system later, while rents would go out whenever the appropriate system ran a batch mailing or similar.

    In for both of these they should be able to clear the backlog when the main system's back up. Some extra overheads, but surely not an outright loss of the sums involved?

  16. Anonymous Coward
    Happy

    USB Condoms?

    Is there a market?

  17. KLE
    FAIL

    I remember this.

    That is all.

  18. Anonymous Coward
    FAIL

    Grrrrr

    People still have auto-run enabled. Jesus.

  19. Anonymous Coward
    FAIL

    Another fine piece of outsourcing...

    This is standard Serco practice - Perimeter defences only.

  20. Guy

    @Wolf 1

    Don't know about patching but according to this article part of their solution is to upgrade.......... to Windows XP! http://www.itpro.co.uk/614755/1-million-cost-for-council-after-conficker-infection

  21. TeeCee Gold badge
    Thumb Down

    Re: Make 'em pay.

    I'd be looking to remit it to the useless git at the council responsible for ensuring that their A/V definitions are so dated that they're still vulnerable to Conficker.

  22. Cameron Colley

    Title?

    RE: iPod

    What on earth were you doing allowing USB mass storage devices _and_ autorun on an "Instrument" PC if it would likely cause problems?

    @Dennis: Not sure about the rent or library fines, but Parking fines have an expiry date -- it was explained in the previous article regarding this fuckup.

  23. Bilgepipe
    Gates Horns

    @Pete 2

    It's easy to list all the things that /should have/ been done, but Council's do not have the resources required to a) create the infrastructure you describe and b) employ staff skilled and competent enough to operate it without them leaving for better paid jobs.

    Having said that, Windows' overall crapness - starting with the staggeringly stupid Autorun facility - cannot be blamed on a lack of Council money.

  24. Paul Simmonds
    FAIL

    Anti-virus? No thanks - that costs money!

    Or am I being totally cynical?

  25. Anonymous Coward
    Megaphone

    Let's get it right

    Local councils are a mess IT wise at least.

    My wife works for a council and when they were going to get computers in, they were trained on Macs at a local school. They ended up getting Windows PCs. So that was a waste.

    Then they got told to manually update the McAfee VirusScan software on their own machines manually once every week. This was despite the fact that the software can do automatic updates if the option is switched on. It wasn't.

    I asked about this lack of IT skill being a IT engineer myself and I found out that the local IT person in charge of a large area of central Scotland was a Librarian. So go figure.

    I had to laugh when this happened:

    One of the PCs needed a new CR2032 battery fitted as it flashed it up on BIOS startup.

    What were the staff told to do by the local council IT dept?

    Phone the English PC hardware repair company which were located 200 miles away and ask them to come and fit it.

    Needless to say, they didn't come up and posted a battery to them. Then the girls in the office had to try to fit the battery and course as you'd expect, they didn't know how.

    So I did it unofficially for them.

    The PC repair company charged the Council £25 (+VAT) for a £2 battery they could have bought down the road. Total down time was 4 days for a BIOS battery.

    This is how this Council works. They have no money, and therefore no skilled IT professionals. They try to do everything on the cheap.

    Councils have no idea how to set-up modern IT security. They still believe Security is just closing a door and putting a padlock on the door.

  26. Sarah Bee (Written by Reg staff)

    Re: I remember this.

    This small individual pork and pickle pie is for you, KLE.

  27. Anonymous Coward
    Stop

    Linking between parking and libraries, etc?

    It's not that the systems will be linked - that's highly unlikely that you'd have one app/DB sharing two systems - but what is likely is that the library and the parking DB were on scabby, 5Mb fiber links that were saturated by traffic, rendering them useless - or VPN'd ADSL links, or similar, low capacity, single-point-of-failure connections.

    Council management much rather spending money on stuff they can see, like couches in meeting rooms and HD projectors, rather than redundant data links.

  28. Dr Who
    Happy

    @ anon 13.21

    This isn't about money or manpower, it's about basic housekeeping.

    In my experience, both in the public and private sectors, IT departments consider it *way* beneath them to take care of the basics. There is nothing remotely exciting about tape archive management, trial restorations, AV and patch management and the like.

    It is much better for your CV and for your credibility in general if you can talk about your strategy for leveraging the innovative power and opportunities of a hybrid virtualised storage infrastructure making best use of both private and hosted cloud architectures.

    Come on, be honest, which would you rather impress the ladies with in the pub tonight? OK, neither I know, but you catch my drift.

  29. Anonymous Coward
    Anonymous Coward

    Disable autorun?

    Why don't people disable autorun? Who needs this feature anyway?

    I started a new job earlier this year and received my desktop after about four weeks of form filling and waiting. Despite being freshly built, the PC came with a trojan which was not detected by the AV software for over a week (it was quite new and not Conficker). It was installed from the USB stick of the technician who installed the PC :-) Luckily, port restrictions in the corporate firewalls prevented the trojan from calling home.

  30. NogginTheNog
    Thumb Down

    Autorun

    Am I the only one who rather liked this gizmo (esp. on DVDs!), and misses it now it's disabled? :'-(

    Of course I'm (hopefully) savvy enough to not let anything infected anywhere near my boxes...

  31. Pete 2 Silver badge

    @AC 13:21

    > in order to apply it to public sector it will require a Council Tax rise.

    Oh you don't have to explain. As a council tax payer I have come to realise that *everything* the council does requires a rise in Council Tax. I would suspect that even reducing services would require a rise - in order to pay for the impact assessment and redundancy payments for those "service providers" who were reduced. It's not improvements that cost - it's changes: whether increases or decreases.

    Anyhooo, they don't care - they can just jack up the tax, without any possibility that the victims they mug for it can complain, refuse to pay, shop around for a better deal or even make them accountable for the rises - talk about exploitation of a monopoly! Even kicking them out at the next local elections and replacing them with another group of self-interested shysters won't change things - they all regard council tax payers as an infinite resource.

    Ahhh, I feel better now

  32. Anonymous Coward
    Linux

    not so mysterious I guess ..

    Come off it, John Leyden, no prizes for guessing the Operating System this "sophisticated virus" runs on?

    "Like many other organisations, Ealing Council’s computer and telephone network was attacked by a sophisticated virus"

    I'm running Portable Apps of a USB device here, on a local authority PC that's totally secure, as in right-click is disabled and the desktop is locked, except it really isn't, else how would I be able to run Portable Apps. Where are they getting their 'technical' staff lately ..

    Else use a bootable USB running something like Ubuntu on a pendrive. Have the drive identify itself to the network before access is granted. Case closed ....

    http://www.pendrivelinux.com/usb-x-ubuntu-610/

  33. AC 4
    FAIL

    so let me get this straight,

    They can't issue parking fines or library fines to the deserving but they can still catch up house benefraud payments to the thoroughly undeserving?

    Great fucking country we live in

  34. Doug
    IT Angle

    disable USB drive for security

    "After all the lost data from government departments WTF was the counsel employee doing with a USB stick in the first place", John G Imrie

    Look, the presence or absence of a USB drive does nothing what-so-ever to increase/decrease security. If I can get you to visit a certain web site or open a certain attachment, I can own your computer ...

  35. Jason Bloomberg Silver badge
    Pint

    Disable Autorun ....

    Disable Autorun ... save half a million quid. That's a quarter of a million pints ( more because I'm sure there'd be bulk order discount ).

    Utlimate blame rests with whoever enabled Autorun in the first place, and we know who does that to make all our lives "easier".

  36. Anonymous Coward
    Troll

    @AC - Make 'em pay

    Yeah, very logical of you indeed. It's a shame that not everybody is as l33t / ahead of the curve (delete to suit fanboyism) as you are.

    I suppose I could try to come up with an analogy about not using some other product properly, getting burned in some way, then blaming the vendor to show how deeply flawed your logic is, but what's the use?

    On behalf of myself and all "windoze" users in the world, I would like to apologise for not being as truly brilliant as you are. We really would mend our ways if we could, but you should realise just how incredibly better than everyone else you are. It'd take us millenia to catch up.

  37. Anonymous Coward
    Anonymous Coward

    ealing council

    Wrote to them complaining about a stupid IT decision, got back a reply that they would fix it if they could but they didn't have basic stuff like even sufficient ethernet cabling, never mind more necessary kit. It looks like a classical case of people doing their best under pressure and without resources, support, and morale going down a hole. Maybe the real problem lies elsewhere.

  38. Vigilant Mouse

    Ealing, queen of the dullards

    <Someone will have to remind the Council how cash works>

    I live there, and believe me, that isn't the problem. Someone will have to start employing council staff who can retain a certain amount of imformation in their heads or even - in case of emergency - look things up on good old-fashioned pieces of paper.

    Just try booking a council-owned hall or meeting room. The staff at the town hall can't deliver post to the correct offices. Other staff can't tell you whether the room is free or how much it should cost. They regularly lose cheques. And no-one would be prepared to take the awesome responsibility of actually handling some money.

  39. Tony S

    @AC 13:21

    "Easy to make those comments if you work in the private sector as they will automatically throw money at the problem to fix it"

    Ummm - I would suggest that you work in the Public sector as this is a common misconception amongst those particular people. The Private sector does not throw money at any project, even IT - if anything, the reverse is true.

    However to take a broader view, this specific instance just highlights how far we in IT have to go in our preparations, whatever sector we work in. We want to lock down PCs but can't - the senior managers "must" have access so that they can transfer dodgy pr0n, sorry important files between their home PC and their laptop (which is bolted to their desk for security reasons).

    We have to keep PCs and servers patched (whatever the OS), but are only allowed the 10 minutes between someone leaving work and the power being turned off to save electric.

    Most IT people suffer with delusions of adequacy - I suspect that no-one is as good as they like to think (and I include myself in that). The Germans use the word "Schadenfreude" - delight at someone elses calamity. But the reality is that each of us will have had to face (or will have to address) exactly the problems that the staff at the council had to. Perhaps we should be more sympathetic and try to learn from their misfortune.

  40. Pete Wilson
    Paris Hilton

    Council Security

    AC 'Let's get it right' said that "Councils have no idea how to set-up modern IT security. They still believe Security is just closing a door and putting a padlock on the door."

    I thought it was well-established that you put the sensitive stuff downstairs "in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard'."

  41. Anonymous Coward
    Grenade

    @AC - 14:22

    Don't tar us all with the same brush please. The district council I work for has a sophisticated and modern IT infrastructure. We have a staff of 27 in the IT department, which is not bad for the small council we are.

    Our council is rated 'excellent' and I think we're very good IT wise. We've were one of the first areas in the UK to use WiMax for our remote sites/users, and we are currently trying to innovate with VDI-powered agile working projects in the pipeline.

    Oh, and we change our own BIOS batteries.

    About the article - sounds to me like this was either a 0-day threat, or they have no desktop on-access anti-virus! I hope for their sakes it was the former, but still I'm amazed at the damage and amount it cost them to recover.

  42. kissingthecarpet
    Gates Horns

    @AC 15:02

    I'm glad you and the other lusers have finally realised the true situation. If its really going to take you & the others millenia to catch up, I suggest you refrain from using a computer until that day.

  43. Martin Owens

    Government

    Windows in Government == Sacked IT Staff

    There just is no excuse.

  44. John G Imrie

    @Doug

    I think you have mis-understood what I was getting at.

    I was wondering why a local government employee was plugging a USB stick into a local government computer attached to a local government computer. Exactly what data where they trying to share.

    The increase or decrease in security has nothing to do with it.

  45. A J Stiles
    FAIL

    Huh

    CONFIG_USB_STORAGE=n

    That was easy, wasn't it?

    Which part of "do not compile anything into your kernel that you really don't need" do people not get?

  46. Rob Beard
    Linux

    Re: not so mysterious I guess

    Your link points to a guide which covers Ubuntu 6.10! The support for that expired last year!

    Still probably a darn sight more secure than Windows 2000!

    You can do the same with Ubuntu 9.04 by booting from the CD, sticking in the USB stick and using the USB Stick creator.

    Rob

  47. Dunhill

    and you think that is bad ??

    See the government (and their offices) of my country (dom.rep.)

    100% corruptedxxxxx sponsored by microsoft, to force everybody to use ie6

    what of course does not work because they got the servers infected because they disabled or uninstalled the anti virus because else they were unable to use the usb/cd/dvd to play games or listen to music and now those servers are a complete mess.

    Yes everybody play games on the server and copy cd/dvd, that is the fastest machine, that is what multitasking is for --- or not ??

  48. Wolf 1
    Coffee/keyboard

    *Upgrading* to XP????

    Let me guess. They're running a mix of Windows 95/98? :)

    Upgrading to XP? Are you kidding me?

    And *please*, please don't tell me they're currently running Windows 2000 because that's a great OS even today, and an errant virus wouldn't require an upgrade from 2000 to XP!

    They do understand XP has been end-of-lifed, right? As in the only copies available are sitting in a warehouse somewhere? Good luck finding 1800 of them...

    Microsoft doesn't even allow you to downgrade Vista to XP at this point.

    Besides, if they are running 95/98 they *can't* upgrade to XP. The hardware won't take it.

    So we're looking at a situation where Windows 2000 machines don't *need* to be upgraded OR we're looking at Win 95/98 machines that *can't* be.

    If they have to replace the machines anyway, hold off till they can get Win 7 machines!

    Which will include MS's free AV program.

    British IT must be rubbish indeed. Either that or someone's been reading too much BOFH...

  49. Charles Smith
    Gates Halo

    Dumb management

    Windows 2000? I guess all of their PC's have all of the latest patches? ROFL

    Either the IT Director is responsible or the CFO who wouldn't let him have the money to keep their systems up to date.

  50. Anonymous Coward
    Grenade

    Gov at its best.....

    and not alone in the utter incompetance. Watched in awe at how the "Environment" Agency came up with a backup solution for 4 laptops (which were all being used as a desktop through docks, monitor, keyboard, shared printer etc)...they got two companies, one 150 miles away, and another 200 miles away to come and install a backup server. In comes company number one delivering a rack...a 42U comms rack. Next day in comes server company with a 1U rack machine....oops, it no fit. So they sit around for a week before the rack suppliers come, take the comms rack outside, and shoves it in a skip. Installs a new 42U rack. Server company returns and has now "scraped" *cough* the 1U rack server, and brought out a 2nd hand minitower. Shove it in the bottom of the rack, and give it a dog ancient DAT1 drive. The lil minitower gets a little toasty in the bottom of the rack, and bleeps away like a good one so out they come the rack people again and scrap the second 42U rack and replace it this time with a 24U fully air conned rack with all the trimmings...and still slap the minitower server in the bottom. Total cost of the job? £23k!!!! for a fecking backup system for 4 laptops?!

    The amount of waste caused, the amount of insane travelling, the amount of cash for a job you could of done for peanuts is utterly disgraceful. Nice to see the gov knows how to use tax payers money well isn't it!

Page:

This topic is closed for new posts.

Other stories you might like