Slashdot Mirror
Experts Hack Power Grid in Less Than a Day
bednarz writes "Cracking a power company network and gaining access that could shut down the grid is simple, a security expert told an RSA audience, and he has done so in less than a day. Ira Winkler, a penetration-testing consultant, says he and a team of other experts took a day to set up attack tools they needed then launched their attack, which paired social engineering with corrupting browsers on a power company's desktops. By the end of a full day of the attack, they had taken over several machines at the unnamed power company, giving the team the ability to hack into the control network overseeing power production and distribution."
Not really though. A good team of social engineers (con men) and CS people can accomplish many many things...How can you prevent such things? Ridiculously strong security? Require the security guard at my place of employment to scan my ID each and every time I walk in the building? Is he supposed to also stop law enforcement from going in without clearance from HQ? I'm quite serious, what would be an effective way to stop these tactics? Everything I think of is either too impractical for most situations or prone to the same failures, but at different points.
If you are about to mod me down, keep in mind that this post was most likely sarcastic.
It is a miracle that curiosity survives formal education. - Einstein
An attack on a control point of the power grid could cause millions in damage if properly executed, and possibly lives from extended loss of power. I'd like to think the power grid has built-in protections to keep a 'bad node' from ruining several others, but it just might not..seeing as how companies build for economy before they build for safety.
Even something as simple as opening a few junctions could cause fireworks..take a look at some online videos about 'opening hot' for example..now imagine if that arc caught other pieces of equipment because the line was still energized.
Simply put, the power industry needs to step up to the plate and harden both their network infrastructure and their meatspace infrastructure against malicious attack.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
How do i get a job as a penetration tester? I wonder what that interview would be like?
Trinity did it in 3 minutes.
In Leather
I love humanity, it is people I hate
The problem is the layers. The Desktop PCs (you know, the ones you use to check email and surf the web) have access to the internet (probably just outbound), and access to the SCADA networks. While you cannot initiate an inbound connection to those Desktop PCs, all you have to do is get someone to click on a link and get infected with something that sits on their PC and maintains an outbound connection (think GoToMyPC). From there, the exploit team has access to their PCs and everything their PCs have access to.
In an ideal world, they'd have two PCs on each desktop. One on the internet, one on the SCADA network. The two should never be connected. That's how the military is suppoesd to do it between different levels of their networks (the two different levels are never to be connected).
But that costs you twice as much, and isn't convenient. But you'd never have a security breach.
Oh, and they buy and sell power over the internet between different power companies, so right there is a reason you'd need some SCADA system connected with internet access (but you could have those systems very, very locked down as to what and how they can access between things).
He better of said "I have the power!" when he finally had access to everything.
:(){
I don't understand "they did". Internet and SCADA where available on the same desktops:
"Individual desktops have Internet access and access to business servers as well as the SCADA network, making the control systems subject to Internet threats."
"Trust me baby, I'm a professional. See? It says so right here on my card -- Penetration-Testing Consultant."
There's a nice feature on Ira Winkler in attrition.org's charlatan file:
http://attrition.org/errata/charlatan.html#winkler
I should hope that critical things like "TURN THE WHOLE POWER GRID OFF" are not even on a secure server. They should be on terminals that are not even connected to the Internet, much less networked to anywhere else in the building.
It's awfully difficult to hack something when it isn't connected to the Net. Even simple security like multiple checkpoints, a keycard, and several biometric scans (as well as regular, and often, virus and spyware scans) to get to a secure terminal would go well towards protecting the security of our power networks. Hell, post a guard nearby who isn't incompetent.
The one thing Social Engineers/Con Men fear most is challenges - and by challenges, I mean challenges of authority. PROVE you are who you say you are. Check their records against a secure terminal or a hard copy of an employee roster. If anything is remotely fishy, no matter how "important" they say the work is, don't let them past you.
Vigilance is the key, and far too many critical parts of our infrastructure still fail at it to this day.
Random Thoughts From A Diseased Mind (Not For Dummies)
I worked at a place that supposedly had two totally separate networks - one connected to the internet, one corporate wide, for news/data/intranet stuff.
.. And try to keep it secret from the network ops guys, of course.
So, sure, everybody has two desktops.. one for internal one for everything else. It was great in theory - really stupid in practice. Just doesn't work.
Reality is - there is an expectation that data from outside is available inside. In the power company case it might be everything from the latest gas pricing information to weather reports to who knows what else - and so in 'getting things done' this will inevitably require connections between the outside and the inside.
So, as a result of this 'blanket policy' contrasting with the 'real world' people would circumvent the rule - but do it in stupid, sneaky ways -- for example in one data center there was, literally, an infrared tunnel between two computers -- "see, they are not 'physically connected' !!"
It would've made a lot more sense to supply a safe, heavily controlled/monitored firewall that connects outside to inside and let the network security people manage it. Otherwise your choices are (1.) actually enforece the rule and totally cripple the effectiveness of the internal system (with the result that nothing of any importance gets put there) or (2.) really lame hacks pretending to be secure and working around the blanket rule, when in actual fact they are invisible bridges that the network ops guys don't know about.
I saw the alternative 2. in real world practice. Lets consider option 1. - if they really did manage to make the SCADA network totally seperate **and enforce that**. In that case you'd probably just end up with the forecasting/power-station-scheduling app running on the 'outside' network - and just the final 'implement it' step on the internal SCADA. Since the scheduling app is the one where the real decisions are made - hacking into that would let you send signals and information that would look relatively harmless but would still, in effect shut down the power grid. You are still sending information - in this case mediated by human brains, but not in a way that the human brain can easily understand because its low level commands (turn this up, turn that down) - that could very effectively mess up the voltage balance or frequency timing or whatever, and causing rolling blackouts and thus achieving the same aim of shutting down the power grid. There is information flowing from outside to inside - whether it is via human or machine.
Security through dis-connectivity is a dangerous myth in most cases. In some cases, say military situations where you are willing to absorb the huge cost to re-implementing a complete replacement for just about every dang thing you might need on the inside (e.g. weather data, or radar data, say) then it may make sense. In just about every realistic corporate case - even power companies - its likely to only cause people to take their eye off the ball of implementing real security and proper firewalls etc.
Disconnect the damn control network already. It will be much harder to break into when it is not physically connected to the internet.
"Social Engineering" is using normal behaviour and expectations to get people to do what you want when they're not supposed to, without them noticing.
Lying is telling a falsehood as truth.
Scamming is offering something but never following up, or following up with less than was promised (e.g. bait and switch or fake companies that run off with money).
There's big differences in those definitions.
The most obvious example I know of is social engineering with USB pen drives. A penetration testing company was asked to test corporate security. They did it by leaving a number of USB pen drives around the office. With no lying or scamming, people took the drives, wondered whose it was, plugged it into the computer, and the drive automatically grabbed some data. At the end of the exercise the pen. testers listed the names of people who had connected the drives, even when its origin was unknown. No lying or scamming was involved, but there was a social norm that they exploited as social engineering, which is that people will look to see what is on it to see if they know whose it is. If it had been a virus/trojan then that simple social engineering could have taken down the network, been pumping out spam, or allowed someone access via a back door.
Nobody would ever, ever, ever take down the power grid. Do you realize the implications of such an act? Screw 9/11 .... We are talking about PORN here. Hundreds of thousands of men that get off work everyday, all at different shifts, and have their pants around their ankles within 10 minutes of being home.
You turn the power off, you take away the porn, the air conditioning for the cold beer, the TV to distract you from your bullshit. You force men to deal with that and I predict a couple hundred thousand men rabidly searching for whoever was responsible for THAT.
Bin Laden has not been found yet, the idiot that takes out the power grid will be found in 30 minutes.....
The most obvious example I know of is social engineering with USB pen drives. A penetration testing company was asked to test corporate security. They did it by leaving a number of USB pen drives around the office. With no lying or scamming, people took the drives, wondered whose it was, plugged it into the computer, and the drive automatically grabbed some data.
That is probably the ONLY example I've seen that DOESN'T involve lying or scamming. Usually 'social engineering' refers to calling in to the receptionist, posing as the IT helpdesk, or something else, and then have them tell you their passwords...or type 'arcane things into a command line'...or run the attachment in an email you send them...and they do it without a 2nd thought. And that, would be a clear case of 'lying' or even 'scamming'.
Phishing sites, email spam from 'John' that says "Check out our Vacation Photos", etc also fall under the wide umbrella of 'social engineering'.
It's the only well known one I can think of, but "check out our vacation photos" is more social engineering than scamming. You're not exactly lying (you can argue you are because you're not actually giving them the photos, or they're not really John, but that's not necessarily the case - they could put the photos up anyway to make it look more legit) and you're not scamming by offering something of value and taking something away from the victim, you're relying on 'normal' human behaviour to go "I don't know who this is, but I'll check out the link anyway in case I can tell from the photos".
Similarly, wearing a fluorescent jacket and working on an exchange box or other equipment isn't lying or scamming anyone, but through social engineering and societal training you'll get away with what you're doing because people go "oh, he's a contractor, he must be doing some contract work".
Ditto for walking in to buildings - we've got guards at the main gates, but once you're in then you can get in to a lot of buildings without question just by looking like you belong and having something pass-like hung around your neck. You're using people's social expectations of "he is on site, has a pass and knows what he is doing so must be allowed here" to get you in to places where your swipe card won't work.
"You're not exactly lying (you can argue you are because you're not actually giving them the photos, or they're not really John, but that's not necessarily the case - they could put the photos up anyway to make it look more legit).
:)
Lying by omission is when an important fact is omitted, deliberately leaving another person with a misconception. This includes failures to correct pre-existing misconceptions. One may by careful speaking contrive to give correct but only partial answers to questions.
Even my 4 year old has no difficulty understanding that weaseling like this is a form of lying.
I agree you can engage in social engineering without lying, but its an important and ubiquitous tool of the trade.
As for your uniformed workers, while they don't by definition have to communicate with anyone, odds are they will. And odds are they'll at the very least have a prepared lie to go along with their outfit. Whether or not they use it. Hell, even the guys that went around leaving usb drives probably had a cover story in case someone had confronted them. "I'm just returning it." or "Its got some marketing materials for the new yadda yadda..." or whatever.
Social engineering IS used by bad guiys, but not everyone who uses it is a bad guy. These sorts of security professionals ARE legitamate, and though they lie to front-line workers, they have (and MUST have) agreements with managment to do it. Otherwise, they're legally liable and can be sued. Part of this agreement, I'm sure, involves "first, do no harm." That's what makes these guys bettert than phishers and hackers.
In order to immunize you from certain diseases a doctor injects you with a vaccine, which is pretty much the same thing but unable to do real harm. once your body knows what the threat is, it can react appropriately when it encounters the actual thing.
I can vouch for this one. I used to do contract work at a military hospital, Portsmouth Naval not that it matters. The work I did was washing windows, still had to have a hard hat. I went through areas of the hospital that I probably shouldn't have, as a shortcut to get to somewhere I needed to be. Radiology, even went through an empty surgery once. Because I was wearing a hard hat, no one ever questioned or asked me to leave or even show ID, or even asked so much as what company I was with. This was all pre 9/11 though so one would hope things are not this lax now.
I am Bennett Haselton! I am Bennett Haselton!