
Boeing hit by WannaCry virus – could cripple some jet production - 0xCMP
https://www.seattletimes.com/business/boeing-aerospace/boeing-hit-by-wannacry-virus-fears-it-could-cripple-some-jet-production/
======
danso
FWIW, the headline of the article has been changed by the Seattle Times. The
second clause is now _"but says no impact on jet production"_; originally, it
was: _"could cripple some jet production"_.

(it's about 1 hour since the original submission)

~~~
eloff
paging dang

~~~
acct1771
Send them an email (hn@ycombinator.com? not sure, on mobile, check site), as
they claim to only see comments like this by chance.

------
mzs
Anyone know for sure this is WC? Anyone seen actual samples? Is this just a
case of people who would not really know the differences seeing something
like what they think WannaCry behaves like and jumping the gun? I would hope
this is something new.

edit: It's all overblown

[https://twitter.com/GossiTheDog/status/979133770921017347](https://twitter.com/GossiTheDog/status/979133770921017347)

[https://twitter.com/GossiTheDog/status/979134886467526656](https://twitter.com/GossiTheDog/status/979134886467526656)

[https://twitter.com/GossiTheDog/status/979140927813046273](https://twitter.com/GossiTheDog/status/979140927813046273)

~~~
russdill
I've worked at a large company similar to Boeing. Our IT providers are the
same (CSC). Backups are regimented and any virus activity is dealt with via, as
the tweet puts it, remediation. If a computer is detected as having a
virus/suspicious activity, etc., it is carted off immediately and wiped (they
possibly do forensics, dunno). The system is reimaged, backups are checked and
restored.

------
programbreeding
>Once the news broke, some on social media raised the "nightmare scenario" of
the virus infecting an airplane’s control software and possibly triggering a
ransomware demand while in the air.

>"The plane would have to have been connected to an infected system," he
said. "The chances are pretty minimal."

If they can't confidently say the chances are guaranteed 0% then they need to
actually look into it and not just dismiss the idea.

~~~
ams6110
Well, aircraft avionics do not run Windows. Thankfully. Though some of the
diagnostic and maintenance equipment almost certainly does. So there's
probably a path for malware, though likely not mainstream Windows ransomware.

~~~
ryandrake
I’ve worked on (non-safety critical) airborne systems that ran Windows
Embedded, as frightening as it sounds.

~~~
bigiain
And there's evidence the "non-safety critical" airborne systems are not nearly
as well isolated from the flight control systems as most people assume:

[https://www.wired.com/2015/05/feds-say-banned-researcher-com...](https://www.wired.com/2015/05/feds-say-banned-researcher-commandeered-plane/)

"He obtained physical access to the networks through the Seat Electronic Box,
or SEB. These are installed two to a row, on each side of the aisle under
passenger seats, on certain planes. After removing the cover to the SEB by
"wiggling and Squeezing the box," Roberts told agents he attached a Cat6
ethernet cable, with a modified connector, to the box and to his laptop and
then used default IDs and passwords to gain access to the inflight
entertainment system. Once on that network, he was able to gain access to
other systems on the planes."

That one might just be a security researcher big-noting himself, but combined
with this next one, I do not have a great deal of confidence in Boeing (or any
of the airline industry's) software security teams...

[https://nakedsecurity.sophos.com/2017/11/15/dhs-says-it-remo...](https://nakedsecurity.sophos.com/2017/11/15/dhs-says-it-remotely-hacked-a-boeing-757-sitting-on-a-runway/)

I wonder what we'd find if Tavis Ormandy were seconded to Boeing for six
months? (And can I have a heads-up if that happens? I've got some stock I'd
like to short...)

~~~
skgoa
That bullshit story being pushed by this bullshitter for years does not
constitute evidence. There was no way for him to send data to any of the
safety critical systems.

------
nosuchthing
For a company that is so well funded and familiar with paranoid engineering,
how is it that something as basic as data integrity (offline backups) isn't
implemented?

~~~
tyingq
Lots of F500 companies raid the infrastructure budget to fund application
development because it drives revenue. It's rare to find one that funds
infrastructure the way a software company would.

Crap like 10+ year old servers, operating systems, etc., is rampant.

Similar for desktops. There's pressure to hold back on Windows version
upgrades because _"we can't divert app team resources to test if the app runs
okay on that..."_ Or just plain raiding the refresh budget altogether. Or,
_"the app/business team needs admin logins because reasons, so back off
infrastructure guy"_.

Fortunately, cloud seems to be a good solution to the mess. You're forced to
deal with (at least some basic) tech debt.

~~~
ams6110
I think the assessment of the risks needs to be looked at again. It may have
made sense at one time to be conservative with system updates and do a lot of
testing before rolling them out. In earlier days, OS updates were typically
not security patches but new versions or major service packs. Behavior and
APIs changed. But these days, what's worse: dealing with some production
issues due to an OS security update (really rather unlikely, and the patch
infrastructure supports rolling back), or having your entire company taken
offline by malware like WannaCry?

~~~
Spooky23
Huh? The risks are way worse than they once were. Microsoft ships a lot more
broken shit than they did in the past, plus everything is bundled in such a
way that it’s easy to reinflict wounds.

Wormable stuff like WannaCry is usually identified and can be addressed as an
emergency. Otherwise, rolling out patches in production quicker than 30-60
days is just unwise in a big or complex environment.

------
craftyguy
They deserve it, for:

1) having mission critical systems on the internet and

2) not patching mission critical systems for vulnerabilities that have been
(extremely) public for nearly a year now

~~~
oneplane
Indeed. Which department of 'management level' deserves this is another
question, but somewhere, someone (probably C-level) decided that it wasn't
important enough and now got bit by it.

I'm pretty sure someone else will get the blame for it, for about 6 months
'improvements' will be made, and next year, we're going to see something like
this just repeat itself.

------
mtgx
And they said I was crazy when I was warning about ransomware for self-driving
cars (especially given carmakers mostly continue to ignore the software
security issues). Their time will come.

~~~
vanilla_nut
To be fair, self-driving cars don't need any help in endangering people's
lives. At this point Uber is basically malware in company form. Or maybe
that's Facebook.

~~~
bigiain
No need for "or" - there's space for more than one malignant company form...

------
AnnoyingSwede
Wow, late bloomers :)

