CIA Claims Cyber Attackers Blacked Out Cities
Dotnaught writes to tell us InformationWeek is reporting that the CIA admitted today that recent power outages in multiple cities outside the United States are the result of cyberattacks. "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyberattacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."
Am I the only one that thinks that's a really stupid thing to do?
... for US Federal elections. Coincidence?
a thinly-veiled excuse to get all george orwell up in your internets. this is the same CIA that found weapons of mass destruction in iraq...
Is there really any excuse of convenience that justifies connecting the nation's major utilities to the internet?
At least if there is a firesale Justin Long and Bruce Willis will be there to save us. Coincidence that Mac Guy would be the one to save us? I think not.
I actually did skim the article, but I didn't see anything pertaining to when these attacks/outages happened or where (other than outside the US). Does anyone have an idea about what power outages they are referring to?
Every time you post an article on Slashdot, I kill a server. Think of the servers!
There is no better security than just not being connected, end of story.
Where does this idea that every computer that exists must be plugged into the net come from?
Gone!
Now add the fact that the US Director of National Intelligence has indicated that he wants to obtain the ability to monitor all Internet traffic data:
Contrast this with a second Ars article from yesterday, where the US Federal Energy Regulation Commission has just approved new security regulations for the organizations (mostly private) that run the US electrical grid. Rather than blaming evil foreign hackers, Ars reports that:
This all just sounds like an excuse to install packet loggers everywhere.
(And it's not just the US authorities who want to lock down and control the Internet; the UK also recently indicated a desire to install censorship devices at the ISP level. Good luck with that.)
Quick, somebody call Jack Bauer, he'll know what to do!
You must have clicked the box: "Always trust news from CIA"
I call BS on this one. I was in the US just two weeks ago. The airport was at security level 4 out of 5. I asked an officer what the threat was, and he told me that in the four years that he had been working there, the threat level had not budged from level 4. That means that there are effectively only two levels of threat: 4 and 5. This also means that the officers are authorized to perform 'checks' and other violations of the rights that I know Americans used to hold dear. This is a temporary situation, I understand, however the temporary situation has been in effect for over four years it seems! I believe that the CIA 'admitting' that the power outages are attacks is a way to drum up public support for more 'checks' and ways to survey the public. If they were real attacks then I doubt the CIA would make that public. I also doubt that the CIA would be the agency to make that public. I don't subscribe to the many conspiracy theories that populate Reddit, but from the little that I did see in the US in the three days that I was there, things have changed since 1999 (last time I was there). People are now scared. People _want_ their government to invade their lives. That is scary. I was thinking of Winston Smith the whole time.
It is dangerous to be right when the government is wrong.
That's ridiculous. Power and services don't just suddenly cu
Table-ized A.I.
That's why they invented out-of-band management tools long, long ago.
Given the nature of how the internet works, having a dial-up line to a management console (who then requires authentication) is much better for OOB management than using the Internet.
Jeroen Ruigrok/Asmodai
You're absolutely correct. Remote administration is the way to go. Until the power goes out, in which case it's a holiday for the workers.
Am I the only one that thinks that's a really stupid thing to do?
It takes only a single breach. The story mentioned it may be an inside job, which means somebody may have put a single little link between the two systems, breaking the separation.
Table-ized A.I.
Yeah, something like Enron could never happen in the private sector.
Terrorists can't threaten a country's freedom and democracy. Only lawmakers and voters can do that.
Wardialers are to OOB management as portscanners are to internet-connected management.
Presuming that InformationWeek had their typical lame coverage here, a quick search found a much better article about this at Forbes (they even know to ask Bruce Schneier about it!) where they link to a nice background article about these SCADA systems.
1. There may be situations where the systems need to be remotely administered, and using the Internet is a much, much cheaper way to facilitate this than deploying a completely private network infrastructure just for this purpose, which probably isn't very practical (for both physical and financial reasons).
2. pr0n browsing. Actually here in Australia, the power generation company (at least in my state) does have its own control network. It used to be Copper, but a while back they replaced it with fibre. They ended up with so much excess bandwidth that they wholesale it to companies. I assume they have their fibres separated from everyone else's.
Option 2 may cut into their profits a bit though
I haven't read TFA yet, but an attack from the Internet should *never* happen to something as important as this.
Where I work, we have an In-Confidence network and some Protected stuff. Each level is ONLY allowed to connect to ONE level lower and then only via approved security mechanisms. So the In-Confidence can access the (Unclassified) Internet, but the Protected stuff can't talk to the Internet at all. Actually in our case we don't bother connecting the Protected stuff even to our In-Confidence network.
I would assume a power control system would be much higher security than In-Confidence (that's pretty low - any decent business should be at least that level in reality), and thus not allowed to talk to the Unclassified Internet.
This of course is for Government networks. The US power companies (as are most in Australia) are privately owned, so they don't have to worry about such trivial things as security rules.
On a side note, I'm constantly amazed at the expectation of vendors and PHBs that we will automatically open up our network so that some stray vendor can remotely debug their dodgy application. Yea sure, we'll let you in from your totally unknown network that has only knows what security holes and stuff going on inside it to access our server(s) with elevated privileges. Especially when everyone working in our IT department has gone through a security clearance, and they have whoever they snagged off the street.
Actually I've just had a look at TFA, and it doesn't have any sort of details on what / where (not USA) / when (well vaguely - recently) / why (profit ???) / how these attacks occurred.
Ever stop to think
My dad is an engineer working for a power company. Whenever this topic comes up he normally just shrugs and says it won't work or that it isn't as green as you think it would be. First of all not every home has the ability to produce power by solar, wind, or other means. Of course in some areas like AZ it would have a good chance of working but then you have to consider the second point. To produce solar panels or wind turbines one must exert energy and also cause pollution. Santa Claus does not deliver them magically. Of course once a framework of solar or wind power is created the energy cost is no longer as much of a factor. The pollution however could very well be. To make solar panels involves complex chemicals and is usually based off of petroleum products. While the pollutants from making solar panels are not necessarily released into the air, they could very well be worse for the environment than that of gas or oil fired plants. Of course I have not made any study into this claim, but I ask people who are very strongly in support of solar power about it. Most of them don't even realize that in order to make the solar panels some factory somewhere has to make pollutants. I guess since they can't see the pollutants at their house it doesn't matter to them. Additionally I would be willing to bet that the pollution control on electrical generating plants is of a much higher degree than that of the solar or wind turbine producing factory. So while I don't know the exact facts I don't just blindly say that hey solar and wind power is green. You got to get that solar panel or wind turbine from somewhere. I hope that solar and wind power can become dominant not because of the environmental side, but because the oil supply will someday run out and I don't like being dependent on foreign nations for oil. As to your schema it would be more effective to have a couple more smaller plants and more redundant wiring.
Of course the problem is cost and until it makes financial sense or the government forces them to, the power companies won't be over concerned about rare power outages. And as for the topic, stupid companies that are not secure from external threats over the internet are just that stupid. There are many ways to stop this and it has nothing to do with the structure or the grid, just from lazy management or IT.
Everything I said is hearsay and might be wrong from bad memory, but I do know that somebody who knows about this stuff says it isn't all it's cracked up to be.
This information was released at a major security conference. If they wanted to just scare everyone they would have released this info more directly to the public rather than at a meeting of specialists who could see through a line of BS. And if they were really going for the fear factor they'd leak this on a monday or tuesday morning, not at 6pm on the friday before a long weekend. It sounds to me like they want to diminish any possible panic, not amp it up. Notice they're not blaming terrorists or enemies either; the strong implication is organized crime with some kind of inside connections. I tend to be pretty skeptical of CIA but based on the little info that is here I'm guessing they're not making this up, and they probably are hoping that letting people know who are responsible for computer security at more localized levels will make it more likely for them to trace the perps.
This ain't Whiz Kids people, everything isn't connected, hackable, and DoS-able - and since when does the CIA say anything, much less in a press release? This is plain old simple psy-ops on dummy Americans, who will say, "Yes, something must be done...for the children...", and then we'll all have a bunch more bullshit internet 'enhancing', privacy 'upholding', aptly named laws like the JESUS WRAPPED IN A FLAG Act.
Dear CIA, If you're so concerned, go unplug the router, and don't waste your breath and insult the intelligence of 14 year olds with your 'teh Chinas hackin teh Gibson!' line of crap.
LA has been getting them over the past few weeks pretty regularly. Entire sections of Hollywood down for several hours at a time (maybe a dozen blocks at a time), and then a couple days later it will be a section starting a few blocks away. Seems to have stopped a couple weeks ago (or was it last week?) But of course I can't tell, I haven't been driving up and down LA to check if it's still happening. But it seemed really weird and random, and the cops were not directing traffic right away (which suggests they were caught off-guard); after a while there were electrician types in groups at certain corners digging through wiring or whatever and looking confused. I noticed it 2 or three times at night, and then it hit my neighborhood in the afternoon on a weekend.
There is always a balance between cost and protection and it's easy to cut back the costs, since the risks are very hard to weigh. Many companies calculate with a certain amount of downtime caused by "unforeseen" events. What's in this category also depends on the amount of money put into the security bag. They are just comparing the agreements with their customers and the cost for protection and are figuring out that "OK, we can allow to have a day or more downtime without violating our customer agreements".
It's all about money, but sometimes you may think that there are people as mean as Marwin Meathead.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
And if MS Windows is involved, then it escalates to willful negligence.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
From some articles it seems that the affected cities are from Central and South America, including some in Mexico.
I really liked the last paragraph in the article:
Windows + wifi + scada + power_grid = fun_and_games
Bitter and proud of it.
It's when Chuck Norris sets his foot ablaze with mere willpower, then does a roundhouse kick.
My developers gave up on that a long time ago. Now, whenever the end user asks for live assistance, or in any one of a number of error conditions, we spawn off an ssh tunnel from the customer site to our mothership server, send the error/status report, and leave the thing open for three days.
Yeah, we snag customer care techs off the street, it's true. But your security-cleared IT personnel install whatever we ship as root if we tell them to in the readme. I'm not trying to scare or insult you or act macho. It's pathetic that we could arrange to expose the networks of dozens of Fortune 500 companies. But realistically, if someone calls up and can't figure out what our software did with their tax information, it's a lot quicker to tunnel in and look at the logs than it is to walk them through the myriad of possibilities on the phone.
"We have information", "We suspect, but cannot confirm", "We do not know who executed these attacks or why", "other information related to the attack was not mentioned and is unlikely to be forthcoming". WTF? I suspect but cannot confirm that this is complete bullshit. I do not know who invented this bullshit or why. I will not mention other information related to this bullshit and it is unlikely to be forthcoming.
Gore and Kerry lost. Get over it. Typical Democrat whining - don't take fault for your shortcomings (i.e., poor choices in presidential candidates), but rather scream "UNFAIR!" and try to change the system to your advantage.
I'm not saying Bush is a great guy (I'm not fond of him at all), but he won. Get used to it. Quit making up excuses, and get over your egotistical Democrat mindset of "if we don't win, the other side cheated."
The whole reason the American auto industry is failing is because they CAN'T market what they want. They're forced to manufacture anemic go-karts with expensive technology out the tailpipe that total out in the most minor of accidents. Americans don't want cars like that, but environmentalists keep cramming them down our throats.
I know exactly what kind of car I want. Something simple, easy to work on, and devoid of computer control. I can't get that because of GOVERNMENT IMPOSED ENVIRONMENTAL REGULATIONS enacted by DEMOCRATS that REQUIRE extremely complex (compared to prior technology) design and technology.
More Democrat egotism. "The people would agree with us and buy hybrids if only those damned Republicans and big businesses didn't get in their way! It's not at all possible that they don't want them. We know they do, it's what we want!"
We, we, we. You guys just have your finger on the pulse of everything, don't you? Nobody disagrees with you, nobody has differing opinions.
I wouldn't give up my car for a golf cart. I wouldn't take a bus somewhere if you held a gun to my head. (Sit next to a bum soaked in urine while I wonder what that sticky stuff on the seat is? No thanks!) I don't want to fly down the interstate in a souped-up Rascal.
Bush was our fault. He won because of two reasons. First, people didn't like Al Gore. Second, people really didn't like John Kerry. But, being a Democrat, you can't believe your choices in candidates were inferior. Therefore, Bush cheated.
Damn skippy. When I worked as a SCADA dev, we had one (1) machine connected to the internet, in a locked room. If you wanted to move something from there to a machine on the LAN, you did it by burning CDs, and the culture (rather than just the 'procedures') was genuinely against installing anything that wasn't absolutely necessary. Nobody outside of IT had admin access to their desktops.
That was our dev house procedures though. As you say, it all falls apart on the production systems. Once customers started using commodity Windows boxes, it was all over. We found one production box where the night watchman had hacksawed off the padlock on the back, opened it up and installed a sound card so that he could play games on it, presumably by plugging an optical drive in for the duration. It was pwoned by his warez and needed a brain wipe. Quis custodiet ipsos custodes?
If you were blocking sigs, you wouldn't have to read this.
Sure it's a republic, as opposed to a monarchy.
But it's also a democracy, as opposed to a dictatorship.
More precisely, it's a representative democracy, as opposed to a direct democracy.
Republic means that it's not led by a hereditary monarch — as opposed to a monarchy where there is a hereditary monarch.
Democracy means that the people of the country either make the laws and the government decisions, or elect representatives who make the laws and the government decisions — as opposed to a dictatorship where the people have no say (or have practically no say).
Representative democracy means that you vote for representatives who make the laws and govern — as opposed to direct democracy where the people make the laws and/or govern.
It's abundantly clear that the US is a republic and a representative democracy.
It's a weak democracy, since it's a two-party system where it's mathematically extremely difficult for any but the two ruling parties to come to power, but that only makes it weak, it's still a democracy.
Why do some people get this weird illusion that republics are not democracies? Are you under the impression that Britain having a queen makes it more democratic than the US? Or do you give these words completely different meanings?
I find it unsettling and worrying that some people are so badly informed about something so very important. The school system must be terribly bad in your country.
Terrorists can't threaten a country's freedom and democracy. Only lawmakers and voters can do that.
We are into lying, like, you know... BIG TIME!
We also have secret wars, illegal financing, blackmail, brainwashing, manipulation of the press, assassination, extra-judicial surveillance, detention and punishment. What'd I leave out? Oh, yeah! "Harsh Interrogation". That's just "torture" between us. But I digress. The mainline business is lying - it's like the life-blood of the other operations.
Now trust us on this one: The Internet is extremely dangerous.
Really. You'll have to get on board with us over this one, as we begin to curtail the Internet. I know it's a useful tool for communication. But we'll all have to live with censorship, spying and blockage, to stop an Internet 9/11.
It is most important that you associate political speech and action on the Internet with suspicious motive - even with predilection for terror. We will develop this theme over the next few years, so stay tuned - and stay safe.
Trust us. Would we lie to you?
"Flyin' in just a sweet place,
Never been known to fail..."
The predictable response class, however else you may think of it, actually categorizes as "believing the information out of hand".
The other response is watched more closely for various reasons: to see who's missing screws or needs to be portrayed as such; to see who has anti-U.S. agendas or needs to be accused of such; conversely, to see whether any Americans are intelligent enough to "get it" (the intelligence game or information commodities manipulation), or, to see whether they've made any internal errors of estimation or accuracy.
That's just how the statements are analysed. As for motivation, sometimes these statements are provided to sort of "poke" the public and instigate certain beliefs to become more widely held (or more widely dismissed), and sometimes these statements are released as a form of "noise", or what some people mistakenly refer to as "smokescreening". In an actual smokescreen, some information is used to either obliterate the immediate availability of some other information or draw attention away from it. In the use of "noise", some information is important enough to covert yet valuable enough to keep on the information market, so instead of the information being occluded, it's obscured instead by means of flooding the market with information that's similarly themed (or even just similarly spelled).
So if you, say, go on about the public statement as if it's truthful, or possessed of a genuine concern for the American public's mental and emotional well-being, then you are definitely missing half the truth but might be missing all of it (depending on the motivation).
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Sometimes the hardest part of being the Mayor is recognizing when the village idiot has his flash of genius.
Apocalypse Cancelled, Sorry, No Ticket Refunds
Yeah, the naming of the cities is really interesting;
...
Since I was at the SANS SCADA conference in New Orleans and heard the Analyst's presentation.
He did not give out any information on what cities were hit, hell even what continent they were on.
When asked a question about verifying the data he replied
"What? Don't you trust the CIA?"
The cyber-attacks were the result of cyber-intrusions conducted by cyber-hacker cyber-criminals intent on causing cyber-damage. When caught they will be eligible for cyber-representation by cyber-lawyers for cyber-prosecution. Unfortunately said attorneys will be unable to practice cyberlaw due to the cyber-trademark registered by cyber-lawyer Eric Menhart.
Cyber-lame.
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
I've also gotten the impression that this is something that the CIA themselves may have done on other occasions.
Apocalypse Cancelled, Sorry, No Ticket Refunds