Comments on Errata Security: Brazil outage NOT caused by hackers
Feed author: David Maynor (http://www.blogger.com/profile/09921229607193067441)
13 comments; feed last updated 2024-01-16T05:48:33-05:00

Comments are listed in chronological order.

----------------------------------------------------------------------

Roland Dobbins (https://www.blogger.com/profile/06517186494484977438), 2009-11-09 00:56 -05:00

Spot-on - they want the control and the *money*, let's not forget that, heh.

Another way to evaluate the validity of claims in this arena is employment of the appellation 'cyber-' in a non-sarcastic manner. Anyone who uses 'cyber-' seriously is likely to lack clue, in my experience.

----------------------------------------------------------------------

Anonymous, 2009-11-09 04:26 -05:00

> "Hackers are like witches in Salem in the 1600s. When crops failed, people blamed it on the witches, who were burned at the stake."

Actually, those who died were hanged rather than burnt. (And some also died awaiting trial.)

I don't recall that there had been a crop failure, either.

However, the crops were quite possibly of importance, inasmuch as it's been suggested that damp weather had caused ergot fungus to grow on the rye. This would have led to illness and strange behaviour in those who ate it. People who lacked an understanding of the causality involved might well have attributed that to human agency (in the form of witchcraft). After that, hysteria could take over - especially as Mather, whose head was cooler, was away in England at the time.

So you're historically inaccurate. But I suppose the basic point that people who lack understanding see human agency where it's not is a valid one. On the other hand, I'm not sure that that's quite what you are saying. ...

Interestingly, the anthropologist E. E. Evans-Pritchard famously found that the Azande actually lacked a concept of the accidental. It's since been said that that's not unusual among primitives. Perhaps to see agency in events is "natural" to us as humans, but the more we know the more that gets pushed back.

----------------------------------------------------------------------

Nope (https://www.blogger.com/profile/13828284050841339609), 2009-11-09 20:34 -05:00

> As a pentester, I know that our power grid is insecure. I've done security assessments at power companies. I know I can hack in from the Internet and cause power outages.

That is a bold statement to make. I believe it to be possible, don't get me wrong. But since you claim to have inside knowledge, maybe you can elaborate on how you would accomplish this (since others like 60 Minutes have it wrong).

----------------------------------------------------------------------

Robert Graham (https://www.blogger.com/profile/09879238874208877740), 2009-11-09 20:59 -05:00

> maybe you can elaborate on how you would accomplish this

Power companies believe their "control" networks are wholly disconnected from the Internet. This is never true. We consistently break into the "business" network with a typical SQL injection or WiFi issue, then scan the network until we find some sort of dual-homed machine (often some old Sun machine that hasn't been patched in a decade), and from there hop into the control network. Control networks are rarely patched -- in fact, they rarely have any authentication at all, so they are wide open.

There are also indirect ways to cause outages. For example, we can hack a billing server to convince it that a downstream customer hasn't paid. Or, social engineering works to convince somebody to throw a switch.

----------------------------------------------------------------------

Unknown (https://www.blogger.com/profile/05977950205484938211), 2009-11-09 22:33 -05:00

Considering the fact that these power companies run software from the mid-90s, why is it a stretch to think that hackers brought down the power in Brazil?

I know that CBS is not exactly a "pillar of truth", but this isn't exactly tin foil stuff.

The NSA (and some obscure def contractors) have been working on this for some time... and yes, this is really happening.

----------------------------------------------------------------------

Robert Graham (https://www.blogger.com/profile/09879238874208877740), 2009-11-09 22:50 -05:00

> why is it a stretch to think that hackers brought down the power in Brazil?

It's not a stretch. Neither is it a stretch to believe Al Qaeda was responsible. The point is, there's no evidence. The CBS report is clearly bad reporting that does not double-check its anonymous sources. Look up "journalistic ethics" and "anonymous sources" on Wikipedia to understand the underlying problem.

The fact is that hackers are less of a threat to our power grid than accidental outages or physical bombs. Yet, people are more afraid of hackers because they fear most what they least understand. The CBS report played upon those fears.

----------------------------------------------------------------------

George (https://www.blogger.com/profile/10128704008699660671), 2009-11-09 23:55 -05:00

This is really a great post Robert. Your point that there is no evidence is well taken.

The only thing I would disagree with is your assertion that accidental outages and bombs are more dangerous. I think up to this point, that is correct. However, isn't hacking a system far easier and less risky than trying to plant a bomb somewhere?

Moreover, what happens when we have a smart grid that is more oversubscribed by relying on a system that would balance the load such that major appliances don't all turn on at the same time? What happens if a hacker convinces the appliances to all turn on at the same time and overload the grid to burn parts of the infrastructure down? What happens if they wait till a really hot day to do this so that thousands of people (mostly elderly) die from the heat?

I think the real risk in these bogus stories is that it's like crying wolf. People get sick of it and they stop listening to your advice on the need to lock down the system. They get complacent and think that no one will bother.

----------------------------------------------------------------------

Matthew Wollenweber (https://www.blogger.com/profile/08462281652941920773), 2009-11-10 15:37 -05:00

Great post. I agree with your initial assessment. I'd differ with you in regards to government regulation and the potential threat of hackers.

I'd add a few points:

1. Nation states have likely compromised power systems already. Wouldn't you? But them doing anything is unlikely as most nations consider any cyber warfare an act of war and others equate it to WMD. I think this is a risk that one must just accept - besides, what else could you do?

2. Non-state actors could likely compromise the power grid, but they have limited reasons to do so. Estimates to compromise hardened targets by developing custom exploits and implant software are in the $1-2M range. Those numbers are largely made up, but I've seen several estimates by people who write such things agree on the ballpark. That's a lot of initial investment for a profit-driven criminal endeavour or a "just for fun" hacking experience.

3. You alluded to the real problem - the fragility of the electrical grid. Hacking one power plant, SCADA system, whatever shouldn't have the potential to seriously mangle the system. But "cascading failure" seems to be the accepted norm. I'm not an electrical engineer but investing in a robust system would seem most prudent to me.

----------------------------------------------------------------------

Matthew Wollenweber (https://www.blogger.com/profile/08462281652941920773), 2009-11-10 15:45 -05:00

> Blogger DK said...
>
> As a pentester, I know that our power grid is insecure. I've done security assessments at power companies. I know I can hack in from the Internet and cause power outages.
>
> That is a bold statement to make. I believe it to be possible, don't get me wrong. But since you claim to have inside knowledge, maybe you can elaborate on how you would accomplish this (since others like 60 Minutes have it wrong).

DK - I've done assessments of power companies as well. I was able to compromise a system that managed fuel levels. It's largely speculation as to what would happen if one were to adjust the level to cause the tanks to go empty or to cause a spill, but it's one of those screenshots where the customer suddenly becomes very pale.

The other example I give in regards to the power grid is nuclear plants. I've been told by several nuclear engineers that one requires a license modification to drill most holes in the walls of nuclear power plants. If you want to network two machines on different sides of a wall without dealing with the government, then an expedient solution is to connect them with wifi. I'm sure there are some sanity checks on what the systems do, but in every network I've been on, systems usually have more access than administrators understand.

----------------------------------------------------------------------

Fspmachado (https://www.blogger.com/profile/07209534420776869516), 2009-11-11 01:45 -05:00

Would they be doing some tests???

http://www.cbsnews.com/stories/2009/11/10/world/main5607148.shtml?tag=stack

:-D

----------------------------------------------------------------------

Anonymous (https://www.blogger.com/profile/08974372462503244543), 2009-11-11 05:01 -05:00

Robert, look at this: Massive blackout leaves Brazil on edge (11/11/2009).

"A massive blackout plunged tens of millions in Brazil's largest cities into darkness, sparking major disruptions, fears of crime and energy supply concerns Wednesday for the newly named Olympic hosts."

See more: http://news.yahoo.com/s/afp/20091111/wl_afp/brazilenergyblackout

----------------------------------------------------------------------

Unknown (https://www.blogger.com/profile/07795624518305855743), 2009-11-13 02:47 -05:00

> "The fact is that hackers are less of a threat to our power grid than accidental outages or physical bombs. Yet, people are more afraid of hackers because they fear most what they least understand. The CBS report played upon those fears."

*Excellent* point that so few seem to understand/see. TV news is often about fears, with the solution (or lack of) just after the next commercial break. So many people don't seem to simply be rational. It's about accepted (but hopefully minimized) risk... it's just a lack of asking questions (or maybe lack of thinking itself).

Thanks for (yet again) helping to bring the truth to light.

----------------------------------------------------------------------

Cappella (https://www.blogger.com/profile/14452457852151618282), 2009-11-14 20:22 -05:00

Actually, for all we know, CBS just potentially launched a cyberwar: a war based on disseminating misleading information. Under this circumstance, tricking attackers into thinking that Brazil's network is that vulnerable. And everyone starts attacking them, thus making it really happen.

The rules did not say that the first launch of a cyberattack has to be from network probing. :P