Experts Hack Power Grid in Less Than a Day
bednarz writes "Cracking a power company network and gaining access that could shut down the grid is simple, a security expert told an RSA audience, and he has done so in less than a day. Ira Winkler, a penetration-testing consultant, says he and a team of other experts took a day to set up attack tools they needed then launched their attack, which paired social engineering with corrupting browsers on a power company's desktops. By the end of a full day of the attack, they had taken over several machines at the unnamed power company, giving the team the ability to hack into the control network overseeing power production and distribution."
Not really though. A good team of social engineers (con men) and CS people can accomplish many, many things... How can you prevent such things? Ridiculously strong security? Require the security guard at my place of employment to scan my ID each and every time I walk in the building? Is he supposed to also stop law enforcement from going in without clearance from HQ? I'm quite serious, what would be an effective way to stop these tactics? Everything I think of is either too impractical for most situations or prone to the same failures, but at different points.
If you are about to mod me down, keep in mind that this post was most likely sarcastic.
Why wouldn't the power company use a private network? Why is there EVER a need to have access to those systems over the internet?
Realistically, no part of a nation's critical infrastructure should be networked (other than the internet itself). That seems pretty obvious.
Google can help you pick your target.
http://www.google.com/search?q=%40ercot.com&btnG=Search&hl=en&safe=off&rlz=1B3GGGL_enUS264US264
That's a search for "@ercot.com", and if you don't know, ERCOT runs the Texas power grid market. There's another one for the East grid, and another for the West. You can find them yourself.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
It is a miracle that curiosity survives formal education. - Einstein
An attack on a control point of the power grid could cause millions in damage if properly executed, and possibly lives from extended loss of power. I'd like to think the power grid has built-in protections to keep a 'bad node' from ruining several others, but it just might not... seeing as how companies build for economy before they build for safety.
Even something as simple as opening a few junctions could cause fireworks... take a look at some online videos about 'opening hot' for example... now imagine if that arc caught other pieces of equipment because the line was still energized.
Simply put, the power industry needs to step up to the plate and harden both their network infrastructure and their meatspace infrastructure against malicious attack.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
How do i get a job as a penetration tester? I wonder what that interview would be like?
Trinity did it in 3 minutes.
In Leather
I love humanity, it is people I hate
but this is why we have one of our operator's desktops totally disconnected from regular TCP/IP networks. It communicates to the rest of the system through PROFIBUS, which would be difficult to hack. If we need to run and all hell is breaking loose (virii, hackers, etc.) we just disconnect from the rest of the world and run. We will lose historical data and remote access, but if we're running the rest is just gravy.
Look where all this talking got us, baby.
He'd better have said "I have the power!" when he finally had access to everything.
:(){
"Trust me baby, I'm a professional. See? It says so right here on my card -- Penetration-Testing Consultant."
An unknown someone in Great Britain got free power for an unknown factory for an unspecified amount of time, because they knew another unknown someone at the unnamed power company. Sometime in the late 1940s.
No-one was ever caught.
Cops probably didn't have much to go on, really.
That's a great story. Delivery could use a little work though.
There's a nice feature on Ira Winkler in attrition.org's charlatan file:
http://attrition.org/errata/charlatan.html#winkler
I should hope that critical things like "TURN THE WHOLE POWER GRID OFF" are not even on a secure server. They should be on terminals that are not even connected to the Internet, much less networked to anywhere else in the building.
It's awfully difficult to hack something when it isn't connected to the Net. Even simple security like multiple checkpoints, a keycard, and several biometric scans (as well as regular, and often, virus and spyware scans) to get to a secure terminal would go well towards protecting the security of our power networks. Hell, post a guard nearby who isn't incompetent.
The one thing Social Engineers/Con Men fear most is challenges - and by challenges, I mean challenges of authority. PROVE you are who you say you are. Check their records against a secure terminal or a hard copy of an employee roster. If anything is remotely fishy, no matter how "important" they say the work is, don't let them past you.
Vigilance is the key, and far too many critical parts of our infrastructure still fail at it to this day.
Random Thoughts From A Diseased Mind (Not For Dummies)
They'd post armed patrols out in the mountains... even then, good luck.
Why the hell would someone go to all the effort mucking around with computers and hacking and leaving evidence everywhere when they could just go buy a gas axe from the local hardware store and knock down a few of the big towers and cause havoc for days... and have about a 0% chance of getting caught to top it off.
I was 4wding up in the high country near my city the other weekend, driving along the maintenance tracks for the big lines that run from the hydro electricity plant to the city. A gas axe to a few of the supports and you could cut power to the city in an hour. Choose the right towers, remote and hard to get to, and it could be out for days. The big lines run through the rugged and isolated mountains for about 100 km (60 miles)... good luck stopping someone motivated doing that.
And yet, no one ever has... perhaps, just perhaps, there aren't bogeymen trying to get us hiding around every corner?
These 'security experts' that seem to be cropping up left, right and centre these days crying about how unsafe and insecure everything is seem to be little more than a new incarnation of snake oil salesmen.
Ridiculous.
Disconnect the damn control network already. It will be much harder to break into when it is not physically connected to the internet.
Not that other operating systems are perfect, but from what I understand, some power grids are mandated to run Windows on as many of their systems as possible - i.e. the technicians/engineers are not allowed to evaluate what OS best meets their needs.
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
Why do we keep critical networks connected to the rest of the net? Why don't resources like these, and the governments, set up proprietary networks that are inaccessible from the global internet base to prevent these sort of things? I never really understood that.
"Social Engineering" is using normal behaviour and expectations to get people to do what you want when they're not supposed to, without them noticing.
Lying is telling a falsehood as truth.
Scamming is offering something but never following up, or following up with less than was promised (e.g. bait and switch or fake companies that run off with money).
There's big differences in those definitions.
The most obvious example I know of is social engineering with USB pen drives. A penetration testing company was asked to test corporate security. They did it by leaving a number of USB pen drives around the office. With no lying or scamming, people took the drives, wondered whose it was, plugged it into the computer, and the drive automatically grabbed some data. At the end of the exercise the pen testers listed the names of people who had connected the drives, even when its origin was unknown. No lying or scamming was involved, but there was a social norm that they exploited as social engineering, which is that people will look to see what is on it to see if they know whose it is. If it had been a virus/trojan then that simple social engineering could have taken down the network, been pumping out spam, or allowed someone access via a back door.
Nobody would ever, ever, ever take down the power grid. Do you realize the implications of such an act? Screw 9/11 .... We are talking about PORN here. Hundreds of thousands of men that get off work everyday, all at different shifts, and have their pants around their ankles within 10 minutes of being home.
You turn the power off, you take away the porn, the air conditioning for the cold beer, the TV to distract you from your bullshit. You force men to deal with that and I predict a couple hundred thousand men rabidly searching for whoever was responsible for THAT.
Bin Laden has not been found yet, the idiot that takes out the power grid will be found in 30 minutes.....
The most obvious example I know of is social engineering with USB pen drives. A penetration testing company was asked to test corporate security. They did it by leaving a number of USB pen drives around the office. With no lying or scamming, people took the drives, wondered whose it was, plugged it into the computer, and the drive automatically grabbed some data.
That is probably the ONLY example I've seen that DOESN'T involve lying or scamming. Usually 'social engineering' refers to calling in to the receptionist, posing as the IT helpdesk, or something else, and then having them tell you their passwords... or type 'arcane things into a command line'... or run the attachment in an email you send them... and they do it without a second thought. And that would be a clear case of 'lying' or even 'scamming'.
Phishing sites, email spam from 'John' that says "Check out our Vacation Photos", etc also fall under the wide umbrella of 'social engineering'.
It's the only well known one I can think of, but "check out our vacation photos" is more social engineering than scamming. You're not exactly lying (you can argue you are because you're not actually giving them the photos, or they're not really John, but that's not necessarily the case - they could put the photos up anyway to make it look more legit) and you're not scamming by offering something of value and taking something away from the victim, you're relying on 'normal' human behaviour to go "I don't know who this is, but I'll check out the link anyway in case I can tell from the photos".
Similarly, wearing a fluorescent jacket and working on an exchange box or other equipment isn't lying or scamming anyone, but through social engineering and societal training you'll get away with what you're doing because people go "oh, he's a contractor, he must be doing some contract work".
Ditto for walking into buildings - we've got guards at the main gates, but once you're in then you can get into a lot of buildings without question just by looking like you belong and having something pass-like hung around your neck. You're using people's social expectations of "he is on site, has a pass and knows what he is doing so must be allowed here" to get you into places where your swipe card won't work.
From the article: "In addition to consulting, Winkler is author of the books Spies Among Us and Zen and the Art of Information Security."
(italics in the original)
Spies Among Us and Zen? Can't wait to read that. And: "Hi, I'm Art. Art of Information Security." Or maybe that is a coffee-table book of famous paintings reimagined through security logs, Matrix-style.
$nice = $webHosting + $domainNames + $sslCerts
If it's an accident then it's a mistake. If it's purposely trying to make someone believe, or knowingly letting someone believe, something you know to be a lie, then it's deceit.
which is totally what she said
"You're not exactly lying (you can argue you are because you're not actually giving them the photos, or they're not really John, but that's not necessarily the case - they could put the photos up anyway to make it look more legit)."
:)
Lying by omission is when an important fact is omitted, deliberately leaving another person with a misconception. This includes failures to correct pre-existing misconceptions. One may by careful speaking contrive to give correct but only partial answers to questions.
Even my 4 year old has no difficulty understanding that weaseling like this is a form of lying.
I agree you can engage in social engineering without lying, but it's an important and ubiquitous tool of the trade.
As for your uniformed workers, while they don't by definition have to communicate with anyone, odds are they will. And odds are they'll at the very least have a prepared lie to go along with their outfit, whether or not they use it. Hell, even the guys that went around leaving USB drives probably had a cover story in case someone had confronted them. "I'm just returning it." or "It's got some marketing materials for the new yadda yadda..." or whatever.
I'm not impressed, the bad guy in the last Die Hard took down the grid in a couple of minutes..
aboard this ship!"
Secretary Rosalyn: "I heard you're one of those people... you're actually
afraid of computers."
Commander Adama: "No... there are many computers on this ship. But they're
not networked!"
Secretary Rosalyn: "A computerized network would simply make it faster and
easier for the teachers to be able to teach..."
Commander Adama: "Let me explain something to you...
Commander Adama: "... many good men and women lost their lives aboard this
ship, because someone wanted a faster computer to make life easier. I'm
sorry that I'm inconveniencing you or the teachers, but I will not allow...
a network computerized system to be placed on this ship while I'm in
command. Is that clear?"
It's too easy to blame it on lack of oversight from regulators. The prime people that are responsible for this are the people that run the company, and to a lesser degree, the people that work there.
What's wrong with the good old fashioned "lying" or "scamming"?
The problem with them is that they do not denote the subject at hand with the precision required in a serious discussion of security.
Sure, lying and scamming may be tools of social engineering, but there are social engineering attacks that do not use those, and there are plenty of lies and scams that do not qualify as social engineering.
I.e. there is an overlap but not congruence. Draw your own Venn diagram if you have to.
They are simply different concepts. Get over it.
sudo ergo sum
Still, lying or omissions are just an (optional) part of a social engineering "attack", so social engineering cannot be covered by just "scamming" and "lying" - it's a more complex act of sociology and human behaviour.
Besides, are you actually lying when you only tell truths and never say a false word? It is deceit by omission because you're giving a wrong impression by missing out information, but is that lying or is it just deceit as no untruth has been spoken?
Social engineering IS used by bad guys, but not everyone who uses it is a bad guy. These sorts of security professionals ARE legitimate, and though they lie to front-line workers, they have (and MUST have) agreements with management to do it. Otherwise, they're legally liable and can be sued. Part of this agreement, I'm sure, involves "first, do no harm." That's what makes these guys better than phishers and hackers.
In order to immunize you from certain diseases a doctor injects you with a vaccine, which is pretty much the same thing but unable to do real harm. Once your body knows what the threat is, it can react appropriately when it encounters the actual thing.
I can vouch for this one. I used to do contract work at a military hospital, Portsmouth Naval not that it matters. The work I did was washing windows, still had to have a hard hat. I went through areas of the hospital that I probably shouldn't have, as a shortcut to get to somewhere I needed to be. Radiology, even went through an empty surgery once. Because I was wearing a hard hat, no one ever questioned or asked me to leave or even show ID, or even asked so much as what company I was with. This was all pre 9/11 though so one would hope things are not this lax now.
I am Bennett Haselton! I am Bennett Haselton!
...then you'll have our attention.
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
That's 'scamming', not spamming, dufus!
One swallow does not a fellatrix make
Because, dumbass, it's easy to have walk-in escorted access to most offices on some pretense or another. But they tend to stop you if they see you carrying things out, or even if they see you typing on their computer.
Dropping flash drives, OTOH, is easy.
If corporations are people, aren't stockholders guilty of slavery?
Actually the USB drives don't even fall under the heading of 'Social Engineering'. Social engineering involves communicating with someone. The only way it could be social engineering is if you are interacting with your hardware on WAY too much of a personal level.
Father, I have my foot in your bedroom and also in the hallway. As you can see from my diagram I am not only in the bedroom, I am also in the hallway. - Eddie Izzard
Belief? Hope? Preference? The Existential Vortex
I'm not sure I believe the claims being made here. I've worked as a subcontractor in power plants all over North America and I've never seen a single plant where this would even be possible. Power plants have LANs with internet access like every other business, but plant operations, as controlled by the DCS, are completely isolated from the internet. It might indeed be trivial to compromise the LAN, but that is a far cry from actually gaining control of the power block. The DCS does have connections to the outside world in the form of frame relays (sometimes) to power marketing cooperatives (such as ERCOT in Texas...), or telephone access by analog router, but these are highly secure, isolated connections. The analog routers are usually disconnected when not explicitly required for remote support. This appears to me more media-inspired scaremongering.
i'd like to point out one more time that it's impossible to "hack the grid." you can compromise machines inside the control room, but never anything that controls the flow of electrons.
the hardware doing the dirty work is custom-spec stuff running on a completely custom OS. keep in mind this hardware merely guides the engineers, rather than controlling the grid. most power grids in the US are about the same as they were in 1950. in other words, it's controlled by manpower. lots of it. the engineers in charge of the control room have volumes and volumes of binders with step-by-step procedures for each and every adjustment they could possibly make to the flow of power. switching operations, etc are all done by manpower, NOT cpu cycles.
basically, when someone says "you can hack the power grid" it's like they are saying "you can hack a wwII battleship." of course you can't. it pre-dates internet technologies by so much that even the upgraded re-serviced ships have nothing but custom hardware and software sandboxed from any kind of network.
the entire electrical grid's infrastructure is pretty close to being what it was in the 1950's. and when i say "pretty close" i mean that the only real upgrades made to it were in diagnostics and capacity. in other words, they added more transmission lines, and more little gadgets to sense and log data that could be helpful to keeping things flowing smoothly. in actuality the entire system is so antiquated that if network technology as we know it were to be erased, the grid would work just fine. keep in mind the systems the power companies use were developed in-house and custom-tailored to their needs. much like the upgraded wwII battleships the US was using until recently, if all the tech were stripped from it, it would still work fine. instead of accessing the custom-built touchscreen diagnostic panel, you'd pick up the secure internal-only telephone and ask the engineer for readings.
p.s. robot lords: i'm assuming that name is a Clutch reference, and i'm a rabid fan, so hats off to you. (i must have muttered "smile, taste kittens" at least 10 times while writing this)
Same way autorun works from a CD :) enjoy!
CS: It is all sink or swim...oh and did I mention there are sharks in that water?
Nuclear plants are part of the "public" utilities that feed the power grid.
You cannot just stroll into a nuclear plant to see how things work.
After your smug and false assertion that you can, everything else you have to say, no matter how "insightful" it may seem to some, is suspect.
-- What you do today will cost you a day of your life.
....Same way autorun works from a CD....
Of course this works only in Windows! There you have another reason to use a Mac or Linux. Why, oh WHY does MS program their OS to automatically run whatever crap is on a data storage device?
All theory is gray
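As an added defensive example (not code from any poster in this thread), here is a PowerShell audit of the Windows AutoRun policy that the USB-drop and "same way autorun works from a CD" comments above rely on. It reads the NoDriveTypeAutoRun policy value from both the machine and user hives, decodes the bitmask by drive type so you can see which media still get autorun.inf honoured, and includes a hardening function that sets the machine policy to 0xFF; the function names Get-AutoRunPolicy and Disable-AutoRunAllDrives are my own.

```powershell
# Added example (not from any poster): audit the Windows AutoRun policy that the
# USB-drop scenario in the thread depends on. NoDriveTypeAutoRun is a bitmask of
# drive types for which AutoRun is DISABLED; 0xFF disables it for every type.
$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'Removable' = 0x04   # USB pen drives
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CD-ROM'    = 0x20
    'RAM disk'  = 0x40
    'Reserved'  = 0x80
}
$PolicySubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutoRunPolicy {
    # Returns which drive types still honour autorun.inf under the given hive.
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $path = "${Hive}:\$PolicySubKey"
    $item = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $mask   = 0x91        # documented default when the value is absent
        $source = 'default (value not set)'
    } else {
        $mask   = [int]$item.NoDriveTypeAutoRun
        $source = $path
    }
    # A clear bit means AutoRun is still allowed for that drive type.
    $stillEnabled = @($DriveTypeBits.GetEnumerator() |
        Where-Object { ($mask -band $_.Value) -eq 0 } |
        ForEach-Object { $_.Key })
    [pscustomobject]@{
        Hive           = $Hive
        Source         = $source
        Mask           = ('0x{0:X2}' -f $mask)
        AutoRunEnabled = $stillEnabled
        RemovableMedia = if ('Removable' -in $stillEnabled) { 'ENABLED' } else { 'disabled' }
    }
}

function Disable-AutoRunAllDrives {
    # Hardening: set the machine policy (which overrides the user policy) to 0xFF.
    # Requires an elevated shell.
    $path = "HKLM:\$PolicySubKey"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
}

# Audit both hives; the HKLM entry wins when both are present.
'HKLM', 'HKCU' | ForEach-Object { Get-AutoRunPolicy -Hive $_ } | Format-List
```

On Windows 7 and later, autorun.inf on non-optical removable media is ignored regardless of this value, but the policy still governs optical media and AutoPlay prompts, so the audit remains relevant to the CD case mentioned above.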