Slashdot Mirror
Experts Hack Power Grid in Less Than a Day
bednarz writes "Cracking a power company network and gaining access that could shut down the grid is simple, a security expert told an RSA audience, and he has done so in less than a day. Ira Winkler, a penetration-testing consultant, says he and a team of other experts took a day to set up attack tools they needed then launched their attack, which paired social engineering with corrupting browsers on a power company's desktops. By the end of a full day of the attack, they had taken over several machines at the unnamed power company, giving the team the ability to hack into the control network overseeing power production and distribution."
Why wouldn't the power company use a private network? Why is there EVER a need to have access to those systems over the internet?
Realistically, no part of a nations critical infrastructure should be networked (other than the internet itself). That seems pretty obvious.
An attack on a control point of the power grid could cause millions in damage if properly executed, and possibly lives from extended loss of power. I'd like to think the power grid has built-in protections to keep a 'bad node' from ruining several others, but it just might not..seeing as how companies build for economy before they build for safety.
Even something as simple as opening a few junctions could cause fireworks..take a look at some online videos about 'opening hot' for example..now imagine if that arc caught other pieces of equipment because the line was still energized.
Simply put, the power industry needs to step up to the plate and harden both their network infrastructure and their meatspace infrastructure against malicious attack.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
How we know is more important than what we know.
Maybe don't go to the extremes of requiring everything to need high security (such as entering the building or doing everyday work), but things such as shutting down the power grid should require extra security. Access to the important controls should have extra security. With security, one size does not fit all.
I should hope that critical things like "TURN THE WHOLE POWER GRID OFF" are not even on a secure server. They should be on terminals that are not even connected to the Internet, much less networked to anywhere else in the building.
It's awfully difficult to hack something when it isn't connected to the Net. Even simple security like multiple checkpoints, a keycard, and several biometric scans (as well as regular, and often, virus and spyware scans) to get to a secure terminal would go well towards protecting the security of our power networks. Hell, post a guard nearby who isn't incompetent.
The one thing Social Engineers/Con Men fear most is challenges - and by challenges, I mean challenges of authority. PROVE you are who you say you are. Check their records against a secure terminal or a hard copy of an employee roster. If anything is remotely fishy, no matter how "important" they say the work is, don't let them past you.
Vigilance is the key, and far too many critical parts of our infrastructure still fail at it to this day.
Random Thoughts From A Diseased Mind (Not For Dummies)
Disconnect the damn control network already. It will be much harder to break into when it is not physically connected to the internet.
Why do we keep critical networks connected to the rest of the net? Why don't resources like these, and the governments, set up proprietary networks that are inaccessible from the global internet base to prevent these sort of things? I never really understood that.
Accessing to the crucial computers should require a training where computer security and social engineering are explained. Every user access should have different passwords easily revocable as soon as a flaw is detected. Of course, crucial computers should be on a different network than internet-connected systems.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
"Social Engineering" is using normal behaviour and expectations to get people to do what you want when they're not supposed to, without them noticing.
Lying is telling a falsehood as truth.
Scamming is offering something but never following up, or following up with less than was promised (e.g. bait and switch or fake companies that run off with money).
There's big differences in those definitions.
The most obvious example I know of is social engineering with USB pen drives. A penetration testing company was asked to test corporate security. They did it by leaving a number of USB pen drives around the office. With no lying or scamming, people took the drives, wondered whose it was, plugged it into the computer, and the drive automatically grabbed some data. At the end of the exercise the pen. testers listed the names of people who had connected the drives, even when its origin was unknown. No lying or scamming was involved, but there was a social norm that they exploited as social engineering, which is that people will look to see what is on it to see if they know whose it is. If it had been a virus/trojan then that simple social engineering could have taken down the network, been pumping out spam, or allowed someone access via a back door.
After the '03 outage it made me wonder how safe all those high-rise electrical towers that run across the country are. A stick of dynamite on a tower itself, or even just a few shots with a rifle to the wires attached. Would just one tower lead to another blackout - scary considering those towers are of course everywhere.
I've wondered over the years what someone with a high powered rifle taking potshots at oil/propane/liquid hydrogen tankers on the interstates would do. Mainly this crosses my mind while driving alongside one of them and having seen too many Hollywood movies with things blowing up.
Seperation of privileges is the best method. Social engineering tends to work because people who have privileges lack certain information and/or lack authority in the role of the privileges they have.
If you have full authority in your role and personally know everyone who is involved in your role then you can't be easily tricked by people outside your role in to doing things.
This requires education and a proper company structure, which requires good smart people in management.
...and that is all I have to say about that.
http://jessta.id.au
The most obvious example I know of is social engineering with USB pen drives. A penetration testing company was asked to test corporate security. They did it by leaving a number of USB pen drives around the office. With no lying or scamming, people took the drives, wondered whose it was, plugged it into the computer, and the drive automatically grabbed some data.
That is probably the ONLY example I've seen that DOESN'T involve lying or scamming. Usually 'social engineering' refers to calling in to the receptionist, posing as the IT helpdesk, or something else, and then have them tell you their passwords...or type 'arcane things into a command line'...or run the attachment in an email you send them...and they do it without a 2nd thought. And that, would be a clear case of 'lying' or even 'scamming'.
Phishing sites, email spam from 'John' that says "Check out our Vacation Photos", etc also fall under the wide umbrella of 'social engineering'.
shutting down the power grid should require extra security
DANGER WILL ROBINSON!
CRITICAL FAILURE IS IMMINENT, YOU MUST SHUT DOWN THE REACTOR IMMEDIATELY
Please enter password:
Password is incorrect!
Password is incorrect!
Password is incorrect!
You have been locked out for 10 minutes.
It's the only well known one I can think of, but "check out our vacation photos" is more social engineering than scamming. You're not exactly lying (you can argue you are because you're not actually giving them the photos, or they're not really John, but that's not necessarily the case - they could put the photos up anyway to make it look more legit) and you're not scamming by offering something of value and taking something away from the victim, you're relying on 'normal' human behaviour to go "I don't know who this is, but I'll check out the link anyway in case I can tell from the photos".
Similarly, wearing a fluorescent jacket and working on an exchange box or other equipment isn't lying or scamming anyone, but through social engineering and societal training you'll get away with what you're doing because people go "oh, he's a contractor, he must be doing some contract work".
Ditto for walking in to buildings - we've got guards at the main gates, but once you're in then you can get in to a lot of buildings without question just by looking like you belong and having something pass-like hung around your neck. You're using people's social expectations of "he is on site, has a pass and knows what he is doing so must be allowed here" to get you in to places where your swipe card won't work.
If it's an accident then it's a mistake. If it's purposely tring to make someone believe, or knowingly let someone believe something you know to be a lie, then it's deceit.
which is totally what she said
"You're not exactly lying (you can argue you are because you're not actually giving them the photos, or they're not really John, but that's not necessarily the case - they could put the photos up anyway to make it look more legit).
:)
Lying by omission is when an important fact is omitted, deliberately leaving another person with a misconception. This includes failures to correct pre-existing misconceptions. One may by careful speaking contrive to give correct but only partial answers to questions.
Even my 4 year old has no difficulty understanding that weaseling like this is a form of lying.
I agree you can engage in social engineering without lying, but its an important and ubiquitous tool of the trade.
As for your uniformed workers, while they don't by definition have to communicate with anyone, odds are they will. And odds are they'll at the very least have a prepared lie to go along with their outfit. Whether or not they use it. Hell, even the guys that went around leaving usb drives probably had a cover story in case someone had confronted them. "I'm just returning it." or "Its got some marketing materials for the new yadda yadda..." or whatever.
It's too easy to blame it on lack of oversight from regulators. The prime people that are responsible for this are the people that run the company, and to a lesser degree, the people that work there.
What's wrong with the good old fashioned "lying" or "scamming"?
The problem with them is that they do not denote the subject at hand with the precision required in a serious discussion of security.
Sure, lying and scamming may tools of social engineering, but there are social engineering attacks that do not use those, and there are plenty of lies and scams that do not qualify as social engineering.
I.e. there is an overlap but not congruence. Draw your own Venn diagram if you have to.
They are simply different concepts. Get over it.
sudo ergo sum
Still, lying or omissions are just an (optional) part of a social engineering "attack", so social engineering cannot be covered by just "scamming" and "lying" - it's a more complex act of sociology and human behaviour.
Besides, are you actually lying when you only tell truths and never say a false word? It is deceit by omission because you're giving a wrong impression by missing out information, but is that lying or is it just deceit as no untruth has been spoken?
Social engineering IS used by bad guiys, but not everyone who uses it is a bad guy. These sorts of security professionals ARE legitamate, and though they lie to front-line workers, they have (and MUST have) agreements with managment to do it. Otherwise, they're legally liable and can be sued. Part of this agreement, I'm sure, involves "first, do no harm." That's what makes these guys bettert than phishers and hackers.
In order to immunize you from certain diseases a doctor injects you with a vaccine, which is pretty much the same thing but unable to do real harm. once your body knows what the threat is, it can react appropriately when it encounters the actual thing.
I can vouch for this one. I used to do contract work at a military hospital, Portsmouth Naval not that it matters. The work I did was washing windows, still had to have a hard hat. I went through areas of the hospital that I probably shouldn't have, as a shortcut to get to somewhere I needed to be. Radiology, even went through an empty surgery once. Because I was wearing a hard hat, no one ever questioned or asked me to leave or even show ID, or even asked so much as what company I was with. This was all pre 9/11 though so one would hope things are not this lax now.
I am Bennett Haselton! I am Bennett Haselton!
Father, I have my foot in your bedroom and also in the hallway. As you can see from my diagram I am not only in the bedroom, I am also in the hallway. - Eddie Izzard
Belief? Hope? Preference?The Existential Vortex
....Same way autorun works from a CD....
Of course this works only in Windows! There you have another reason to use a Mac or Linux. Why, oh WHY does MS program their OS to automatically run whatever crap is on a data storage device?
All theory is gray