
[SLUG] Massive NT failure!




(comp.risks):



Date: Thu, 12 Feb 1998 11:23:36 -0500
From: mandrews@fd9ns01.okladot.state.ok.us
Subject: Risk: Massive NT Outage due to Registry corruption



  [This was sent me by someone at a Fortune-100 manufacturer, and is
  anonymized and sanitized at the original sender's request.  It is genuine.]



> The recent power fluctuations here in [placename] corrupted the NT
> registries in our [server-community-names].  As a result, our entire NT
> network (>10K machines) is down, and has been since 5 am this
> morning. (I'm doing direct IP to [product-name] to do mail. Thank God.)
> Once the registries got corrupted, the databases of user signons went,
> too. And, of course, the tape backups won't load because NT requires a
> timestamp somewhere in the guts that the tape image doesn't match to the
> clock. So every NT server, and most NT workstations, won't do anything
> except local work.



> If this were just office workers, it would be annoying enough. But the
> [product name] servers require such close tie-ins to the machine accounts
> that they are dead -- guess what helps run our factories? Can you say loss
> of $1M+ per hour?



> Why am I telling you? Because our NT guys have suddenly realized that this
> is a good candidate for a denial of service attack: once the registries
> get corrupted, the entire resource domain has to be reloaded by hand --
> and that apparently includes desktops. If you have ideas on how to go
> check the registries on your NT servers, I'd suggest you go do so.



In another letter, the original sender elaborates:



> If you are recovering from this, every desktop user will have to
> delete/disable their <user>.pwl file to be able to get back on the
> network, because that file hardcodes which domain server they are
> on. HOWEVER, if they do that, they can then not get into any other service
> on their desktop for which they've stored the password, because they're
> all in that file. If the user doesn't remember the password, they're SOL,
> because the latest patch from MS keeps the *.pwl files from being hackable
> by the "standard" hacker and pwledit tools -- but it is also rendered
> unreadable to the MS standard pwl editor, too.



The total outage was in excess of 12 hours, and the loss-of-revenue from
the outage is estimated to be more than $10 million.



Mike Andrews, D.P. Director, Okla. Dept. of Transportation
mandrews@fd9ns01.okladot.state.ok.us



--

Rachel Polanskis                 Kingswood, Greater Western Sydney, Australia
grove@zeta.org.au                http://www.zeta.org.au/~grove/grove.html
r.polanskis@nepean.uws.edu.au    http://www.nepean.uws.edu.au/ccd/
 "Yow!  Am I having fun yet?!" - John Howard^H^H^H^H^H^H^H^H Zippy the Pinhead



--

SLUG - Sydney Linux Users Group Mailing List - http://www.slug.org.au




