Tag Archives: Critical Infrastructure

Critical Infrastructure Can be Hacked by Anyone

Well that is not a comforting thought.

Cybernews is reporting that using an Internet of Things search engine (like Shodan, but they don’t say which), they were able to scan big swaths of the Internet. In their case they were looking for exposed IoT systems.

Not just any IoT, but critical infrastructure IoT. Here is just a sample of what they found.

This represents an onshore oil well and it looks like they could change flow from this interface.

This system seems to control five different off-shore wells.

Perhaps you would prefer to control the water supply instead.


Or perhaps you would like to drinking water undrinkable.

If you would prefer to mess up the other end of the process, maybe you could make this poop plant poop in the wrong place.

These hacks did not require a great deal of skill. They did not exploit zero day vulnerabilities that only nation states have access to. Sure it took some work, but these guys are journalists, not master hackers.
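What the journalists found comes down to industrial protocols answering on Internet-facing addresses. As an added example (not code from the original post or from Cybernews), here is a defender-side audit that reads a firewall rule export, rather than scanning the Internet, and flags allow rules that let untrusted sources reach well-known industrial-protocol ports. The CSV rule format, the trusted management networks and the sample rules are constructed assumptions; the port numbers are the protocols' standard defaults.

```python
"""Flag firewall rules that expose industrial-protocol services to the Internet.

Added, illustrative example (not code from the original post or from
Cybernews). The rule export format is a constructed CSV; the trusted
networks and the sample rules are hypothetical.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import List

# Well-known ports of common industrial protocols (standard defaults).
ICS_PORTS = {
    102: "Siemens S7 (ISO-TSAP)",
    502: "Modbus/TCP",
    1911: "Niagara Fox",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Assumed internal management networks; any source outside them is
# treated as Internet-reachable for the purposes of this audit.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall export, deliberately mixing good and bad rules.
SAMPLE_RULES = """name,action,src_cidr,dst_ip,dst_port,proto
ops-vpn-modbus,allow,10.8.0.0/16,192.0.2.10,502,tcp
wellhead-hmi,allow,0.0.0.0/0,192.0.2.10,502,tcp
pump-station-dnp3,allow,0.0.0.0/0,192.0.2.20,20000,tcp
vendor-bacnet,allow,198.51.100.0/24,192.0.2.30,47808,udp
web-portal,allow,0.0.0.0/0,192.0.2.40,443,tcp
blocked-s7,deny,0.0.0.0/0,192.0.2.50,102,tcp
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    dst_ip: str
    port: int
    protocol: str
    src_cidr: str
    severity: str


def is_trusted_source(cidr: str) -> bool:
    """True only if the whole source range lies inside a trusted internal net."""
    src = ipaddress.ip_network(cidr, strict=False)
    return any(src.version == t.version and src.subnet_of(t)
               for t in TRUSTED_NETS)


def audit_rules(export: str) -> List[Finding]:
    """Return one Finding per 'allow' rule that lets an untrusted source
    reach a known industrial-protocol port. Deny rules and non-ICS ports
    are ignored; an any-source rule (prefix length 0) is rated 'critical'."""
    findings = []
    for row in csv.DictReader(io.StringIO(export)):
        if row["action"].strip().lower() != "allow":
            continue
        port = int(row["dst_port"])
        if port not in ICS_PORTS or is_trusted_source(row["src_cidr"]):
            continue
        src = ipaddress.ip_network(row["src_cidr"], strict=False)
        severity = "critical" if src.prefixlen == 0 else "high"
        findings.append(Finding(row["name"], row["dst_ip"], port,
                                ICS_PORTS[port], row["src_cidr"], severity))
    return findings


def report(findings: List[Finding]) -> str:
    """Render findings one per line, or a short all-clear message."""
    lines = [f"{f.severity.upper():8} {f.rule}: {f.protocol} on "
             f"{f.dst_ip}:{f.port} reachable from {f.src_cidr}"
             for f in findings]
    return "\n".join(lines) if lines else "no Internet-exposed ICS services found"


if __name__ == "__main__":
    print(report(audit_rules(SAMPLE_RULES)))
```

Run against the sample export, the audit flags the two any-source rules on Modbus and DNP3 as critical and the vendor BACnet rule as high, while the VPN-only Modbus rule, the HTTPS portal and the deny rule pass. The point of keying on a trusted-network allow-list rather than on "private" address ranges is that a vendor's public range is just as much an exposure as 0.0.0.0/0 unless it has been explicitly reviewed.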

Only the electric grid has **BEGUN** to take these threats seriously, and they are only taking baby steps.

In Europe, Facebook can be fined 125 million Euros for not taking down a piece of terroristic content within an hour.

Have any of these companies been fined anything? I don’t think so.

Maybe hackers don’t want to start a fighting war, but for anarchists, who knows. Let’s say there is an anarchist in Iowa. Are we going to bomb Des Moines?

What if the hacker *WAS* in Des Moines but took over a computer in Germany to launch the attack. Are we going to attack Germany? Anarchists would like us to do that.

Needless to say, this is a bit of a mess and these are only samples of what they were able to do.

One of the problems that the critical infrastructure industries have is that many of their control systems were designed when people were still painting pictures on cave walls with ground-up plants. Well, not exactly, but in technology terms, pretty much exactly.

If the government doesn’t FORCE these companies to pass security tests like the DoD is beginning to force contractors to deal with under the threat of not getting any contracts, nothing will improve.

Since most of these companies are regulated, their regulators need to approve the rate increases necessary to fix the problems and, for most regulators, this is a theoretical problem. After all, no one was provably killed by my decision not to force utilities to improve their security.

And since most legislators have trouble starting a Zoom conference without help from their millennial intern, I would not hold out a lot of hope for those same people understanding the complexities of industrial internet of things devices.

I just hope that it won’t take a Bhopal-style disaster to get their attention.

Security News for the Week Ending February 21, 2020

US Gov Warns of Ransomware Attacks on Pipeline Operations

DHS’s CISA issued an alert this week to all U.S. critical infrastructure that a U.S. natural gas compressor station suffered a ransomware attack. While they claim that the attackers did not get control of the gas compression hardware, they did come damn close. The ransomware took all of the machines that manage the compressor station offline. The utility was able to remotely WATCH the compressor station, but that remote site was not configured to be able to run the site. The result was that other compressor stations on the same pipeline had to be shut down for safety reasons and the entire pipeline wound up being shut down for two days.

It appears that there was no customer impact in this case (perhaps this station fed other downstream stations that were able to be fed from other pipelines); CISA says that there was a loss of revenue to the company. The article provides guidance on protecting industrial control networks.

While this time the bad guys were not able to take over the controllers that run the compressors, that may not be true next time. Source: Bleeping Computer

Amazon Finally Turns on Two Factor Authentication for Ring Web Site After PR Disaster

After many intrusions into customers’ Ring video cameras where hackers took over cameras and talked to kids using very inappropriate language, Ring finally made two factor authentication mandatory for all users. While other competitors turned on two factor authentication years ago, Amazon didn’t, probably because they thought customers might consider it “inconvenient”. Source: Bleeping Computer

Real-ID Requirement To Get On An Airplane is Oct 1st

After 9-11, Congress passed the Real ID Act (in 2005) to set a single national standard for IDs used to get on airplanes and get into government buildings. For years, Homeland Security has been granting extensions and now the current plan is for Real ID to go into effect for getting on airplanes and into government buildings in about 8 months.

DHS says that only 34% of the ID cards in the US are Real ID compliant.

That means that IF the government doesn’t change the rules and if people don’t have some other form of approved ID, potentially 66% of the people will not be able to get on an airplane after October 1 or even enter a federal office building.

That might cause some chaos. Driver’s license officials say that even if they work 24-7, they could not issue all of the remaining ID cards by October 1. Will DHS blink? Again? After all, we are coming up on the 20th anniversary of 9-11 and if terrorists have not been able to blow up airplanes or government buildings using non-Real-ID compliant IDs in the last 19 years, is this really a critical problem? Better off to have a Real ID compliant ID card and not have to argue the point. Source: MSN

Sex Works

One more time Hamas tricked Israeli soldiers into installing spyware on their phones. The Palestinians created fake personas on Facebook, Instagram and Telegram, including pictures of pretty young women such as this one.

Unfortunately for the Palestinians, the Israeli Defense Forces caught wind of their plan and actually took out their hacking system before they were able to do much damage.

What is more interesting is that this is the third time in three years that the Palestinians have tried this trick. And, it keeps working. Source: Threatpost

AT&T, Verizon Join IBM in Exiting RSA Over Coronavirus

As fears of Coronavirus spread, the effect on the economy is growing. Mobile World Congress, the largest mobile-focused tech conference in the world, being held in Barcelona this year, was cancelled. Source: The Verge

Last week, IBM cancelled their attendance and booth at RSA in San Francisco. This week their cancellations were joined by Verizon and AT&T. My guess is that attendance will be down significantly as well, without regard to whether tickets were already paid for or not. The total of exhibitors and sponsors who have decided to cancel is now up to 14. Source: Business Insider

These events generate huge income for businesses in the host cities and are very important for vendors looking for business.

This is likely going to continue to be an issue for event organizers and more events are likely to be cancelled.

Security News Bites for the Week Ending July 20, 2018

Israeli Startup Raises $12.5 Million to Help Governments Hack IoT

Given the sad state of IoT security, I am not sure that governments need any help in hacking IoT devices, but just in case they do, Israeli startup Toka raised $12.5 million to help police hack iPhones, Alexas, Echos and Nests, along with other IoT devices like your TV, refrigerator and dishwasher.

If you weren’t paranoid before, maybe you should be now.

Former Israeli Prime Minister Ehud Barak is a cofounder, and Brigadier General Yaron Rosen, former head of the Israel Defense Forces cyber staff, is the president of Toka.

Kind of like NSA’s Tailored Access Operations (TAO) that builds custom hacks for the NSA, Toka said they are going to see what customers ask for and then deliver.

This sounds like a company to watch. (Source: Forbes)

U.S. Intel Chief Warns of Devastating Cyber Threat to U.S. Infrastructure

Director of National Intelligence Dan Coats said the warning lights are blinking red again, nearly two decades after 9-11.

Russia, China, Iran and North Korea are launching daily cyber strikes on the networks of federal, state and local government agencies, U.S. corporations and academic institutions.

Of the four, Russia has been the most aggressive according to Coats.

Coats warned that the possibility of a “crippling cyber attack on our critical infrastructure” by a foreign actor is growing. (Source: Reuters)

Voting Machine Vendor Admits Installing Remote Access Software After Lying About it to the New York Times

Election Systems and Software admitted in a letter sent to Senator Ron Wyden that they installed pcAnywhere remote access software on some voting machines delivered between 2000 and 2006. This is the opposite of what they told a New York Times reporter in February, so either they were lying then or are lying now, pick one.

They stopped installing the remote access software in December 2007 after the laws changed which would have made installing that software illegal.

The remote access software was not on the ballot boxes in the local precincts but rather on the election management systems in the city and county headquarters. There are far fewer of these systems and each one is accountable for many voting machines, which would make them a much more attractive target for hackers. (Source: Motherboard)

LabCorp Shuts Down Network Due to Ransomware Attack

Laboratory Corporation of America, known to most Americans as LabCorp, shut down portions of its network over the weekend due to suspicious activity. That is about as vague as the company has been.

The attack hit the company’s genetic testing unit and spread from there.  The company has data on over 250 million Americans. LabCorp says there is no indication that data was breached, but according to people familiar with the attack, it is a strain of the common ransomware SamSam and it has infected tens of thousands of workstations.

The hackers demanded $52,000 in ransom which LabCorp says it has no intention of paying.

LabCorp is working hard to try and minimize brand damage as it fights for market share with Quest Diagnostics. Unfortunately, unless they can prove that no data was stolen, under HIPAA rules this will be considered a breach and must be reported to the government, at which point we will get more details. Source: Wall Street Journal.

Your Air Safety Is Dependent on Windows 3.1 – And Vacuum Tubes

As if Paris didn’t have enough problems, Paris’ Orly Airport had to close briefly last week because a Windows 3.1 system that sends Runway Visual Range information to pilots failed. Windows 3.1 dates back to 1992. The French air traffic control union said that Paris airports use systems running 4 operating systems, including Windows 3.1 and XP, all of which are between 10 and 20 years old. The system should be upgraded anywhere between 2017 and 2021, depending on who you talk to.

But don’t beat up the French too much.  Until the late 1990s or early 2000s, the FAA was still using systems running with VACUUM TUBES.  Seriously.  For a while, the U.S. Government was the largest user of vacuum tubes, which had to be specially made for them.

And many of you probably remember last year when a mentally ill technician attempted suicide after setting fire to an Air Route Traffic Control Center outside Chicago.  Air traffic around the country was screwed up for weeks.

Fundamentally, there is a lot of critical infrastructure in the U.S. and around the world that is older than most of the readers of this blog. Software that is 20, 30 or even 40 years old is not likely to be as secure, reliable or robust as software built today. However, whether it is inside power plants, trains, or air traffic control systems, it is what we’ve got.

From a hacker standpoint, that is a dream.  Much of the software was designed and built pre-Internet, but much of it is connected to the Internet anyway.  Which is why Admiral Rogers, head of the NSA, told Congress recently that he is convinced that there are several countries that have the ability to take out pieces of our critical infrastructure.  Several today.  Probably more soon.

Unfortunately, there is so much of it and the critical points are almost all under private ownership.  Nationwide, we are talking hundreds of thousands of pieces of infrastructure – drinking water, gas, electric, waste water, etc.

Unless we get serious about upgrading it, some hacker is going to get there first. That is not a very exciting thought.

Information for this post came from ARS Technica, Baseline and Wired.

NSA chief admits China could cripple U.S. power grid, financial networks

According to articles on ZDNet and ABC, NSA chief Admiral Mike Rogers said in testimony before the US House Intelligence Committee that China and probably one or two other countries could shut down critical computer networks that could force U.S. power and water grids, aviation systems and financial systems offline.

Let that sink in for a minute.

The reason this is possible is that over the last 10 years, all of these industries have moved their communications from private networks, or no network at all, to the Internet without much thought about security – only about cost and convenience. And, as I have often said, when security comes up against cost, security almost always loses.

On top of that bomb, Rogers said that it is a matter of when, not if.

Although the details of all of this are classified, what has come out is that most of the critical infrastructure has been infected with malware and if or when that malware is activated, the poop is going to hit the rotating air movement device.

AND, at this point, there is no reasonable way to undo the damage.  It will take decades of work to fix the decades of poor security practices.

Let’s hope we stay relatively friendly with those nations.

Of course, the thing that Admiral Rogers did not say is that we can likely do the same thing to them, so we have the cold war all over again – mutually assured destruction.

EXCEPT, that other countries – like China – are probably way less sophisticated in how they network their critical infrastructure (CI), so taking that CI down requires much more sophistication.  Let’s hope we can do that and declare a stalemate.

I do have to give Admiral Rogers credit for admitting what we in the security community have known about privately for years.  It does take cojones.

Mitch Tanenbaum