Sunday, November 08, 2009
Brazil outage NOT caused by hackers
I just got through watching the CBS 60 Minutes special on cyberhackers, where they claim that major power outages in Brazil (in 2005 and 2007) were caused by hackers. This is unlikely to be true.
Hackers are like witches in Salem in the 1600s. When crops failed, people blamed it on the witches, who were burned at the stake. These people believed they were acting intelligently. The witches were convicted in “fair” trials, with “proof beyond a reasonable doubt”. For example, victims would testify how the accused witch would curse them, or give them the Evil Eye. Why would they lie about being cursed?
Now, when computers fail, people are immediately suspicious of hackers.
We know the CBS story is bogus. CBS News did not investigate the evidence. They instead cite “half a dozen sources” in the US intelligence community. However, these sources themselves did not investigate the evidence: they are simply confirming that they heard the rumor from people in the Brazilian government. Those government officials likewise did not investigate the evidence; they are likewise just passing on rumors.
CBS News didn't track this down. They didn't attempt to contact anybody in Brazil. They did not contact anybody at “Furnas Centrais Elétricas”, the company responsible for maintaining those transmission lines. They didn't even do a simple Google search, which would tell them that the company claimed at the time that the 2007 outage was caused by dust and soot from local forest fires (which, apparently, is a common problem in power transmission).
Most rumors of hacker infiltrations are false. If you investigate computers in any large organization hard enough, you'll find malware. This doesn't mean hackers have broken in, because most viruses are not under the control of the hacker who launched them. Also, things get onto computers that trip anti-virus scanners but are not necessarily malicious. This malware becomes a distraction from finding the true cause of what happened. Thus, when investigating a power outage, finding malware on computers doesn't mean hackers caused the outage.
Several years ago, I was doing a security assessment in a foreign country (not US, not Brazil). The customer told me a story they had personally been involved in. There had been an incident where hackers claimed to have come in via the Internet and turned off the power in several cities, and were demanding ransom money. On further investigation, however, it turned out to be an inside job. The outage was caused by one of the employees who worked on the main control console. The guy had simply flipped a switch, turning off the power. The guy, and his accomplice, were arrested, tried, convicted, and sent to jail. No “hacking” was involved.
This story sounds suspiciously like the story CIA agent Tom Donahue gave at a security conference a couple of years ago. The difference is that his story stops at the point where the hackers demand extortion money. Well, what happened next? Was the money paid? Or were the hackers caught? Donahue doesn't say. Like the CBS story about Brazil, we are given no details; we are expected to trust them. I doubt that Donahue was telling the truth, that anybody really investigated the evidence. I think he was just passing on rumors.
So why is CBS passing on these rumors? The answer is the same as the witch trials in the 1600s. The people who were accused were usually in some sort of conflict with their neighbors. Accusing them of witchcraft and testifying to being “hexed” was one way of resolving the conflict. The same is true of these cybersecurity stories: people in government want more control over the Internet. Different departments are fighting amongst themselves for that control (such as the NSA vs. the DHS), and all are fighting for more legal control against the private sector.
The CBS story is obvious government propaganda. All their sources are from the government, from people who stand to gain from increased government control over the Internet. For example, it says that the US power grid is insecure, and claims that the reason it's insecure is because it's not regulated by the government. That's not a reason. The federal government's computers are even less secure than the power grid – there is no reason to think that Congress can secure the power grid if they can't secure their own computers. Conversely, all the energy companies belong to the “National Energy Regulatory Commission” or “NERC”, which does indeed regulate the cybersecurity of the power grid. The reason the CBS story exists is because somebody else, such as the DHS or NSA, wants to take control away from the NERC. That's why you have such a one-sided story from CBS – they never talked to anybody at NERC, or any of the power companies.
As a pentester, I know that our power grid is insecure. I've done security assessments at power companies. I know I can hack in from the Internet and cause power outages. However, government regulation isn't the answer. Cybersecurity regulation has proven itself to be a cure worse than the disease. It drives up the costs without doing anything significant to reduce the threat. For example, we just got through doing a pentest at a company that was paranoid about following all the regulations (HIPAA, SOX, PCI, etc.), yet we were able to break in easily with SQL injection bugs and the same vulnerability that led to Conficker. It was one of the most secure companies we've seen, but all these regulations had become a distraction to an otherwise talented security team.
There is a risk. Hackers will eventually cause a major power outage. In the grand scheme of things, though, it's not a big deal. Major power outages from accidental mistakes will always be a bigger threat. Nation states blowing up power lines (with bombs) will always be a bigger threat. Bad government regulation of the power grid will always be a bigger threat. The CBS piece is just propaganda.
UPDATE: Wired ThreatLevel confirms it was soot, not hackers. They did something radical: journalistic investigation. CBS, take note about how journalism should be done.
UPDATE FROM TWITTER: jack_daniel All you 60 Minutes naysayers are missing the point: it was CYBER-soot on the insulators.