Reader Comments

Subscribe: RSS

View by: Time | Thread

• 

  Anonymous Coward, 13 Jan 2015 @ 9:09pm

  
  

  I thought long ago when Stuxnet came out that it was going to be a future blueprint for how to disrupt infrastructure. Then after that came Obama admitting that the US was behind the malware.
  
  In the time since little has been done to lock down these various facilities, many of which we depend on for everyday life. The US has opened Pandora's Box. It will come home to haunt them and indirectly us all.
  
  It takes a while to dissect and understand complicated code. It's been years since it was discovered in the wild and enough time for that to now start happening. Sooner or later, North Korea, ISSIS, or whomever will use it. When it is used we will be able to thank our leaders for this new plague released.
  
  The fact that the NSA nor none of the other three letter agencies have bothered to tell software makers where their bugs and security holes are isn't going to help in this matter.

  [ link to this | view in chronology ]

• 

  Anonymous Coward, 13 Jan 2015 @ 9:29pm

  
  

  Today's House Briefing

  United States House of Representatives
  Foreign Affairs Committee
  “Briefing: The North Korean Threat: Nuclear, Missiles and Cyber”
  Jan 13, 2015 10:00am to 1:00pm
  
  
  (Webcast also available via C-SPAN.)

  [ link to this | view in chronology ]

• 

  Charles (profile), 13 Jan 2015 @ 10:28pm

  
  

  "Meanwhile, critical infrastructure remains as vulnerable as ever."
  
  Shouldn't the critical infrastructure not be connected to the internet?

  [ link to this | view in chronology ]

  • 

    Anonymous Coward, 13 Jan 2015 @ 10:44pm

    
    

    Re:

    Shouldn't the critical infrastructure not be connected to the internet?
    
    I would agree with this but then take a look around at the world of industry. In the past decade, the middle class has lost a huge amount of workers. Most of those workers didn't go back to work at what they were doing before. Either the jobs left overseas or they were automated so that fewer could do the work of many.
    
    Instead of having a floor full of people monitoring processes we now have programs running on computers that do the monitoring allowing fewer to only answer the alarms and whistles. There is always an engineer in the head office or branch office that needs to know how his latest modification is doing, what the latest production figures are, or how some process could be speeded up. He no longer needs to travel to the location to do that. He can pull it up on his computer to look see.
    
    Notice that in the article they did not access the steel facility from the spearphished account. I would imagine they got passwords there. Instead it was accessed through the corporate network. Notice that they are very careful not to say where, nor how. I suspect this was a double system and the corporate network was not directly hooked to the internet. However, once you find the magic key, you then have access to the internal LAN. Once in, everything is there. I would imagine the internal LAN isn't directly hooked to the net but the corporate servers can be accessed provided you have a high enough authorization. Once in there you can roam at will. I would suspect there were lots of fences to jump arriving at that place to access it.
    
    Before you go far with this should not be, think that this is a common practice, from everything from milk processing, electric generation, city water pumps, traffic control, to making pesticides. It's far too late to shut the barn door, everyone is on their own private system doing the same method to cut manpower.

    [ link to this | view in chronology ]

  • 

    lfroen (profile), 13 Jan 2015 @ 10:44pm

    
    

    Re:

    In theory - yes. In practice, when you have to control several plants in different places - what options do you have? Even dedicated PPP line is "connected" to Internet - separated by provider router.
    Running physically several disconnected networks is insanely expansive and well beyond budget.

    [ link to this | view in chronology ]

    • 

      Anonymous Coward, 13 Jan 2015 @ 11:15pm

      
      

      Re: Re:

      It doesn't matter. IF the infrastructure is critical, it should mostd ecidedly not be public-facing.
      
      Transparent? Yes. But never public-facing.

      [ link to this | view in chronology ]

      • 

        lfroen (profile), 13 Jan 2015 @ 11:20pm

        
        

        Re: Re: Re:

        >> It doesn't matter. IF the infrastructure is critical, ...
        In your imaginary world, where money is not a function, maybe. However, here on Earth, cost matters.
        You don't make your house windows bulletproof, and steel door, right? (In case you _do_, please seek mental help immediately).

        [ link to this | view in chronology ]

        • 

          PaulT (profile), 14 Jan 2015 @ 1:17am

          
          

          Re: Re: Re: Re:

          "However, here on Earth, cost matters."
          
          As do risk and consequences. How great is the cost as a consequence of damage? How high is the risk of that damage?
          
          If people are ignoring high long-term risks with a high cost (monetary and otherwise) as a consequence of failure just so they can save money in the shorter term, well you've just described the problem with modern corporate culture... Infrastructure that is genuinely critical will naturally have a high cost to properly secure it.
          
          "You don't make your house windows bulletproof, and steel door, right?"
          
          I don't but I don't live in a place where bullets are being fired every day, have a high risk of being robbed nor do I house anything vital to the operation of my company/city/whatever. Strangely, my priorities would change if I did...

          [ link to this | view in chronology ]

        • 

          Anonymous Coward, 14 Jan 2015 @ 2:02am

          
          

          Re: Re: Re: Re:

          ...And? Once again, if the infrastructure is critical, there is literally no reason not to have a separate network for that infrastructure with zero public-facing nodes.
          
          That cost can be borne. The other cost, in real lives, cannot.

          [ link to this | view in chronology ]

        • 

          Cal (profile), 14 Jan 2015 @ 4:28am

          
          

          Re: Re: Re: Re:

          "In your imaginary world, where money is not a function, maybe"
          
          What you are really saying is the size of the profit margin is what counts first, not security.
          
          THAT is what is crazy, security is always first because not secure, lose the business, the life, the house. "Self" defense, be it a person, a business is the natural first step since people came out of caves. What is going on with this when profit means more then security is crazy, definitely not normal.
          
          "You don't make your house windows bulletproof, and steel door,"
          
          Today, if one can afford it, yes. We live in a world where governments in just the 20th century murdered more people then died in all the known wars combined.
          
          Think about it.

          [ link to this | view in chronology ]

        • 

          Ninja (profile), 14 Jan 2015 @ 5:16am

          
          

          Re: Re: Re: Re:

          Well, BP decided to save a few million in valves and proper security and got a 20 billion loss (that huge Gulf oil spill). But when thousands of lives are at risk you must bear those costs even if it means raising prices. And if needed the law must mandate such disconnection from the internet.

          [ link to this | view in chronology ]

        • 

          jsf (profile), 14 Jan 2015 @ 8:40am

          
          

          Re: Re: Re: Re:

          "You don't make your house windows bulletproof, and steel door, right?"
          
          I lived in Chicago for 13 years, and while bulletproof windows are uncommon, steel doors are pretty common. Two of the three places I lived had them.
          
          Also bars, but not bulletproofing, on ground floor windows are fairly common as well.
          
          Finally steel doors are actually less expensive than a quality solid wooden door these days.

          [ link to this | view in chronology ]

        • 

          John Fenderson (profile), 14 Jan 2015 @ 9:10am

          
          

          Re: Re: Re: Re:

          "However, here on Earth, cost matters."
          
          What you're arguing here is that we as a society should absorb the cost of critical infrastructure being on the internet so that the entities who are doing this don't have to bear it. It's saving those entities a dollar while costing the rest of us ten.
          
          Cost matters, yes, but the cost directly to these entities is not the only part that matters.

          [ link to this | view in chronology ]

          • 

            Chris Brand, 14 Jan 2015 @ 9:38am

            
            

            Re: Re: Re: Re: Re:

            Ultimately, this sort of question should always be a balancing of risk, reward, and cost. A big additional factor that hasn't been mentioned in this thread is whether this is the sort of risk that can be insured against (and what requirements the insurance company imposes). Many businesses accept small risks of huge losses if doing so will save them a reasonable amount of money. If the risk doesn't materialise, that's a good decision.
            
            The biggest problem I see at the moment is that the risks are often not even considered - "We can have one person monitor three plants if we implement some monitoring software that we expose online" "sounds great. Do it". That will presumably change as events like this become more common (and as insurance companies learn to ask about this sort of risk).

            [ link to this | view in chronology ]

            • 

              Ninja (profile), 14 Jan 2015 @ 9:44am

              
              

              Re: Re: Re: Re: Re: Re:

              This sounds awesome but should we risk big outages or disasters because of it? Are we citizens ready to dispose of a few dozen lives if some pipeline goes boom? I believe we need to force better security in. I'm not sure if laws are the best tool but they are an alternative but certainly the proposals being discussed by the Govt now aren't the right path.

              [ link to this | view in chronology ]

        • 

          Rekrul, 14 Jan 2015 @ 12:34pm

          
          

          Re: Re: Re: Re:

          You don't make your house windows bulletproof, and steel door, right? (In case you _do_, please seek mental help immediately).
          
          No. I also don't put my light switches and thermostats on the outside of the house where just anyone can walk by and mess with them.

          [ link to this | view in chronology ]

    • 

      Anonymous Anonymous Coward, 14 Jan 2015 @ 8:39am

      
      

      Re: Re:

      Could you explain for us less network savvy folks what is so 'insanely expensive'? Is it setting up the infrastructure? Is it hiring people to monitor it? Is it ongoing cost of 'renting' that infrastructure?
      
      And while your at it, what is considered 'insanely expensive'? Greater than the US GDP? Greater than this years profits? Greater than this years CEO bonus? Greater than this years IT budget?

      [ link to this | view in chronology ]

• 

  Ponkyperson, 13 Jan 2015 @ 10:43pm

  
  

  too late run

  Its too late, the idiots running the US are incapabale of anything now, too many idiots promoted to serious postitions withing the establishment, now we are all going to hell.
  
  Run now, run for your life, it may be too late if you dont.
  
  Run!!!!!!

  [ link to this | view in chronology ]

  • 

    PaulT (profile), 13 Jan 2015 @ 11:15pm

    
    

    Re: too late run

    Story headline:
    
    "Damage To German Steel Mill"
    
    Story body:
    
    "A report [pdf link] recently released by Germany's Federal Office for Information Security"
    
    Linked story:
    
    "hackers had struck an unnamed steel mill in Germany"
    
    Your response:
    
    "the idiots running the US are incapabale of anything now"
    
    Well, there's certainly an idiot here somewhere...

    [ link to this | view in chronology ]

• 

  Jared, 13 Jan 2015 @ 11:59pm

  
  

  Big Government Surveillance

  If our government increases surveillance, then people will start communicating using Code. It's not difficult to communicate using encrypted messages. Those using Code to communicate will laugh at the NSA. Therefore the NSA will only be analyzing the uncoded communications of ordinary citizens. Information is power (big data). This is about power and control, not national defense. Wake Up!

  [ link to this | view in chronology ]

• 

  Anonymous Coward, 14 Jan 2015 @ 12:48am

  
  

  That's it, The Internet is Broken.

  [ link to this | view in chronology ]

• 

  Ninja (profile), 14 Jan 2015 @ 1:12am

  
  

  This is terrifying for a number of reasons. Not in the sense of approving CISPA though, no. As it has been being pointed out ad nauseam by Techdirt and others it wouldn't have done shit to prevent any of the attacks that have taken place in the last dozen years.
  
  The terrifying bit is that NOTHING is being done to hold the ones that are responsible for the lousy security on critical systems and, better yet, forcing companies to practice good security on such systems. The blast furnace only shut down in a wrong manner with mainly damage to the equipment itself. I suspect this largely happened because the security valves and systems worked as intended. It could have been way less reassuring: such emergency security systems are also fallible. Wht if some pressure relief valve had failed? Depending on the size of the thing you could send quite a few blocks flying.
  
  One can only hope the morons legislating actually deal with the real problems instead of the glitter and vanity before something really catastrophic happens.

  [ link to this | view in chronology ]

• 

  Nicci Stevens (profile), 14 Jan 2015 @ 1:37am

  
  

  Why

  Why are critical systems on the public internet at all? When I have worked at power plants and on medical gear in hospitals its not even on unroutable addresses. Madness.

  [ link to this | view in chronology ]

  • 

    NoahVail (profile), 14 Jan 2015 @ 2:30am

    
    

    Re: Why

    Exactly. Take care of your nice things.
    
    Don't leave your toys out in the rain.
    Don't loan your powertools out to drunken, homeless 5 year olds.
    Don't hook critical SCADA systems up to the risky Internet.

    [ link to this | view in chronology ]

• 

  Anonymous Coward, 14 Jan 2015 @ 2:02am

  
  

  If they create new branches in the police to go after the millions of pirates then why the fuck cant they do the same with the occassional hackers?

  [ link to this | view in chronology ]

  • 

    Anonymous Coward, 14 Jan 2015 @ 5:26am

    
    

    Re:

    Not all hackers are bad..........some of them are in it to test that security is, well, secure, and then inform

    [ link to this | view in chronology ]

• 

  Oliver (profile), 14 Jan 2015 @ 2:28am

  
  

  No Subject

  I call BULLSHIT on that whole report.
  This is nothing but MS-grade FUD!
  
  How can anyone believe that vague a report?
  
  Cheers :-)

  [ link to this | view in chronology ]

• 

  Rich Kulawiec, 14 Jan 2015 @ 3:14am

  
  

  It's going to get MUCH worse

  The short-sighted people pushing "The Internet of Things" are charging ahead as fast as they possibly can, oblivious to the reality they're not actually building smart refrigerators or smart cars or smart watches: they're deploying targets. Millions and millions of targets, some of which have already been acquired by adversaries and most of which will be in due course.
  
  It really doesn't matter how detailed/vague this particular report is: its significance has little to do with a single steel mill in Germany. The takeaway from this should be a sobering realization that "the Internet of Things" is quite rapidly turning into "the Internet of Bots" and that serious consequences await.

  [ link to this | view in chronology ]

  • 

    Anonymous Coward, 14 Jan 2015 @ 5:28am

    
    

    Re: It's going to get MUCH worse

    Skynet is waking

    [ link to this | view in chronology ]

  • 

    Ninja (profile), 14 Jan 2015 @ 5:44am

    
    

    Re: It's going to get MUCH worse

    I honestly don't see why my trash can or my refrigerator should be connected in any way...
    
    In any case I doubt that everyday gadgets connected to the internet can do any serious harm. Still they are being deployed with lousy security to say the least and to clueless people in general who won't probably change any passwords.

    [ link to this | view in chronology ]

    • 

      Rich Kulawiec, 14 Jan 2015 @ 5:58am

      
      

      Re: Re: It's going to get MUCH worse

      In any case I doubt that everyday gadgets connected to the internet can do any serious harm.
      
      I invite you to write that down on a piece of paper and place it above your screen. Then wait five years.

      [ link to this | view in chronology ]

      • 

        Ninja (profile), 14 Jan 2015 @ 7:57am

        
        

        Re: Re: Re: It's going to get MUCH worse

        Depends on the gadget. We are talking about refrigerators and wash machines. What's the worst that one can do with a refrigerator if given remote control? Turn it off? It's quite different from an industrial high pressure boiler that has the potential to send several blocks flying.

        [ link to this | view in chronology ]

    • 

      Anonymous Coward, 14 Jan 2015 @ 7:31am

      
      

      Re: Re: It's going to get MUCH worse

      "I honestly don't see why my trash can or my refrigerator should be connected in any way..."
      
      When foods all have rfid's embedded, and I remove a staple from my fridge, it adds that item to my shopping list which is cloud synced because the wife is already on the way to to grocery store, and when she gets there, she'll see that item automagically appear on her smart phone shopping list app.
      
      I can totally see the usefulness of that.

      [ link to this | view in chronology ]

      • 

        Ninja (profile), 14 Jan 2015 @ 7:53am

        
        

        Re: Re: Re: It's going to get MUCH worse

        This wouldn't need the fridge to be connected to the internet. A local 'home center' could collect that data and make it available (considering you trust it won't be used to target annoying ads based on your consumption) but it still doesn't make sense to allow remote control. And automation may be problematic. What if you don't want to buy that product again? I still maintain that full connection is not needed.

        [ link to this | view in chronology ]

      • 

        Anonymous Coward, 14 Jan 2015 @ 8:31am

        
        

        Re: Re: Re: It's going to get MUCH worse

        I can totally see the usefulness of that.

        
        Law enforcement will love it, as they can tell when you have guests, as will your health insurance company, who can tell whether you have a healthy diet.

        [ link to this | view in chronology ]

        • 

          Ninja (profile), 14 Jan 2015 @ 9:39am

          
          

          Re: Re: Re: Re: It's going to get MUCH worse

          That is another issue. But I believe they will suffer equally from fear of the masses so I wonder which prison is worse...

          [ link to this | view in chronology ]

      • 

        John Fenderson (profile), 14 Jan 2015 @ 10:30am

        
        

        Re: Re: Re: It's going to get MUCH worse

        "I can totally see the usefulness of that."
        
        Me too. But that is a pretty small amount of usefulness, and certainly doesn't balance well against the risks.

        [ link to this | view in chronology ]

    • 

      Anonymous Coward, 14 Jan 2015 @ 7:32am

      
      

      Re: Re: It's going to get MUCH worse

      I'm afraid it's time to look at Distributed Denial of Service attacks and amplification via compromised devices. While your toaster doesn't have much processing power it can still spew a lot of packets at a target and add to a denial of service attack.

      [ link to this | view in chronology ]

    • 

      John Fenderson (profile), 14 Jan 2015 @ 10:29am

      
      

      Re: Re: It's going to get MUCH worse

      "In any case I doubt that everyday gadgets connected to the internet can do any serious harm."
      
      Some of those gadgets certainly could. Think heaters, furnaces, etc. However, the really huge risk of the IoT initiative is that it will increase the comprehensiveness and effectiveness of spying.
      
      I will not be hooking these things up to the internet for that reason, and strongly discourage anyone else from doing so.

      [ link to this | view in chronology ]

• 

  Guardian, 14 Jan 2015 @ 5:48am

  
  

  ahhh the real world hard disk killer

  back in 89 we destroyed a 10 K Hard disk by just having it run all night at max spon speed....
  
  this is just improving on the old

  [ link to this | view in chronology ]

• 

  Anonymous Coward, 14 Jan 2015 @ 7:59am

  
  

  Siberian pipeline sabotage

  Stuxnet wasn't the first such attack: the Siberian pipeline sabotage happened in 1982. "The result was the most monumental non-nuclear explosion and fire ever seen from space."

  [ link to this | view in chronology ]

• 

  GEMont (profile), 14 Jan 2015 @ 10:56am

  
  

  Selling Shit As Shinola is a Fascist Art Form

  "Meanwhile, critical infrastructure remains as vulnerable as ever."
  
  It is absolutely essential to the plan that critical infrastructure remain vulnerable. If it were not so, then none of the intended legislation-to-be, rerouting tax-money into phony multi-billion dollar anti-terrorist, anti-hacker, cyber-security scams would be possible.
  
  If you want to make laws against a specific behavior, you first must make sure that the behavior appears to be criminal and that there is a lot of it taking place, or at the very least, flood the news media with reports of its extremely high occurrence rate.
  
  This is how the Drug War was manufactured and maintained.
  
  It is a very highly effective method of social engineering for fun and profit.
  
  This is how the peer to peer equals piracy scam was created and maintained. It is a method that works.
  
  To see it being used once again to create a Cyber Security Scam that will lead to legislation eliminating privacy and the internet, is no surprise at all.
  
  ---

  [ link to this | view in chronology ]

• 

  FatBigot, 14 Jan 2015 @ 1:08pm

  
  

  Not as easy as it sounds.

  I'm afraid that people calling for critical process plant not to be connected to the internet are demanding a simple solution when they do not really know what the problem is. This is the same issue as politicians demanding backdoors for the intelligence services in all encryption.
  
  If the process operators require advice, I'd much rather VPN to read the SCADA screens and advise, rather than having to go to site which may be 200 miles away. This is doubly true on the night shift, when it might save me getting dressed at all, but will require that I can access from home, which means over the public internet. Obviously management are happy with this because call-out costs are greatly reduced.
  
  For an insight on what can go wrong with a blast furnace, read this report on an explosion that happened in 2001: http://www.hse.gov.uk/pubns/web34.pdf

  [ link to this | view in chronology ]

  • 

    Andrew D. Todd, 14 Jan 2015 @ 4:48pm

    
    

    Telecommunications Is Not The Internet. (to EatBigot, #43)

    One must not confuse telecommunications with the internet. Something as big and expensive as a steel mill can easily have its own dedicated communications infrastructure, at various possible levels, viz: ditch; duct; cable; fiber; or "lambda," that is, a frequency in a fiber. Digging a ditch and putting ducts in it costs about $50,000 per mile, and that is trivial compared to the cost of building a rail line, several million dollars a mile or more. A steel mill isn't much good without a railroad. Steel mills often have their own private railroads to handle specialized tasks such as hauling crucible-cars filled with molten iron. Naturally, connecting at the level of ditch, duct, cable, fiber, or lambda costs more than a Virtual Private Network, because someone has to actually go out and make up connections between fibers, but it does provide more unequivocal separation from other traffic.
    
    I was reading in this month's Flying Magazine (Peter Garrison, "Aftermath," Feb 2015) about an airplane, a twin-engine Cessna 310, which crashed because the owner-pilot was attempting to save perhaps ten dollars on the price of gasoline. He bought about twenty gallons less fuel that he should have (say about an hour of flying time), because he was advised that fuel was fifty-three cents a gallon cheaper at his destination. Parenthetically, the mandatory overhauls and part replacements on an airplane of that type might have been at least $500/hour. I think you will perceive a certain similarity.

    [ link to this | view in chronology ]

  • 

    John Fenderson (profile), 15 Jan 2015 @ 8:30am

    
    

    Re: Not as easy as it sounds.

    "If the process operators require advice, I'd much rather VPN to read the SCADA screens and advise, rather than having to go to site which may be 200 miles away."
    
    Using a VPN would count as a minimum security requirement, but it would be even better to not be connected to the internet. That does not in any way mean that there is no way to do remote administration. It only means that your remote connection is not through the internet.

    [ link to this | view in chronology ]