Hackers Broke Into Brazil Power Grid Operator's Website Last Thursday

← Back to Stories (view on slashdot.org)

Hackers Broke Into Brazil Power Grid Operator's Website Last Thursday

Posted by kdawson on Tuesday November 17, 2009 @11:41AM from the wolf-no-really-this-time-i-mean-it dept.

An anonymous reader writes "A week ago, 60 Minutes had a story (we picked it up too) claiming that hackers had caused power outages in Brazil. While this assertion is now believed to be in error, hackers were inspired by the story actually to do what was claimed. Last Thursday, they broke into ONS, the operator of the grid (Google translation; Portuguese original). DarkReading has specific details on the SQL injection vulnerabilities the hackers probably used."

85 comments

Min score:

Reason:

Sort:

full disclosure by sopssa · 2009-11-17 11:41 · Score: 1, Insightful

And, two days after the blackout, the systems analyst Maycon Vitali, 23, revealed in the blog "Hack'n'roll" to a login page of the ONS revealed error in the validation data. The flaw could allow a hacker to send command to the database and find sensitive data from ONS.
The failure was published in the newspaper Folha de S. Paulo on Monday (16).
This is exactly why full disclosure is not good.
1. Re:full disclosure by mr+exploiter · 2009-11-17 12:20 · Score: 5, Insightful
  
  And, two days after the blackout, the systems analyst Maycon Vitali, 23, revealed in the blog "Hack'n'roll" to a login page of the ONS revealed error in the validation data. The flaw could allow a hacker to send command to the database and find sensitive data from ONS.
  The failure was published in the newspaper Folha de S. Paulo on Monday (16).
  This is exactly why full disclosure is not good.
  How so? If two days after the vulnerabilty was exploited causing millions of dollars of damage they *still* don't fix it, then the public has the right to know how much the security of the systems sucks. It may be the only way to prevent this from happening again.
2. Re:full disclosure by cosm · 2009-11-17 12:35 · Score: 3, Insightful
  
  Seriously? You must work for the government..
  
  Your solution: Hide or pretend the vulnerability doesn't exist, or ignore the possible ramifications of its exploitation and further promote shoddy programming practices.
  The better solution: Make the vulnerability public so that the company is forced to do something about it immediately, hence preventing any threats (pending their programming practices improving).
  
  Full disclosure puts the responcibility on the company to keep their products/services secure, as to keeping it a secret, which puts the burden on whistleblowers fearing prosecution.
  
  Which world do you prefer?
  
  --
  'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
3. Re:full disclosure by Anonymous Coward · 2009-11-17 13:16 · Score: 1, Informative
  
  Uh oh, best watch out or the Anti-Sec will destroy you... hahaha.
  Oh i bet those kiddos will be all over this story.
  Hey there AS, how'ya doin? You want some candy?
4. Re:full disclosure by Runaway1956 · 2009-11-17 14:01 · Score: 2, Insightful
  
  Agreed. Sometimes the only way to motivate people to fix a problem is to embarrass them in public. FFS, no part of any critical operation should ever be exposed to the internet, period. If is't sensitive, keep it isolated from everyone - including your billing departement, public relations, sales, and even the company officers. Whenever they need to see something sensitive, they can pick their lead arses up, and move to an office dedicated to the internal workings of the company. When they are ready to put on their happy power hats, and interface with the world, they can return to their own office.
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
5. Re:full disclosure by mitoyarzun · 2009-11-17 14:46 · Score: 5, Informative
  
  Here in Chile a guy reported the government about a serious bug on their outsourcing website (chilecompra.cl), they ignored him for months, and he made the bug public (you were able to know your competition's offer to the government just by changing a GET parameter).
  
  He was condemned by a court for breaking the law, more info here (spanish)
  
  What kind of action should one take in those cases? Has this happened before in other countries?
6. Re:full disclosure by Anonymous Coward · 2009-11-17 15:43 · Score: 1, Interesting
  
  What kind of action? Leave the country, then report it. Any government that paranoid of a situation such as you describe is up to something.
7. Re:full disclosure by Anonymous Coward · 2009-11-17 16:29 · Score: 0
  
  No, full disclosure is a good thing, it keeps people on their toes.
  This is why having a computer that controls power grids connected to the internet is not good.
8. Re:full disclosure by Anonymous Coward · 2009-11-17 19:21 · Score: 0
  
  What you get here is a system developed by the lowest bidder. Do you really think they would have the money to have a separate isolated system?
  Lowest bidder = Cheapest system
  It might serve you well, or it might not.
9. Re:full disclosure by Khyber · 2009-11-17 23:40 · Score: 1
  
  Anti-Sec couldn't hack their way into a Menuet box if they had physical access.
  Fucking script kiddies.
  
  --
  Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
10. Re:full disclosure by hesaigo999ca · 2009-11-18 01:49 · Score: 1
  
  Instead of coming forward after having made this bug aware and seen no activity in months, obviously making sure the first time to point out possible solutions to the case to make repairs quick and easy, I would have posted it in the underground and let the rest of the script kiddies do their job...this would have been done under a new assumed log on name and done from within a internet cafe where I had never been before...also make sure that cafe has no internal cameras, and pay for the service in cash.
  Unfortunately we live in the day and age of people are just stupid, and think they have a right to be stupid, and will bring you to court to be able to stay stupid....just my way of thinking.
11. Re:full disclosure by Anonymous Coward · 2009-11-18 02:10 · Score: 0
  
  FFS, no part of any critical operation should ever be exposed to the internet, period.
  It isn't. The website got hacked, but there's nothing important there. At least nothing important to the operation of the electrical grid. The network they use to monitor and control the system isn't connected to the internet.
12. Re:full disclosure by fulldecent · 2009-11-18 02:22 · Score: 1
  
  I may have run into this exact situation in US government websites. Also, I have found many other serious bugs in financial websites. I document some on my blog, but I am seeking advice on how to handle, and monetize my future findings.
  The last time I found a large bug at a large online trading account (with a pink logo), I gave up the bug, and signed an NDA. They barely fixed the problem and they didn't listen to my other advice. When the FBI got involved... well, let's just say it is interesting what they focus their efforts on.
  I'm am sure I will find these bugs in the future. How do I turn security disclosures into advice that will be heeded and consulting fees?
  
  --
  -- I was raised on the command line, bitch
13. Re:full disclosure by linuxpyro · 2009-11-18 04:21 · Score: 1
  
  Sounds to me like they screwed up, and now they're covering themselves. It sounds much better if they can say some nasty hacker brought the problem to their attention by trying to break in, as opposed to it being shown that they ignored an innocent guy who was willing to help them for months. Never attribute to malice what can be explained by stupidity (I think that's the quote). Or in this case laziness.
  This seems like the way a lot of people would react, so you're probably right that getting out of the country is the best way to be safe.
  
  --
  Saying "I'll probably get modded down for this" in a post is the best way to get it modded up.
14. Re:full disclosure by kalirion · 2009-11-18 04:50 · Score: 1
  
  Hey everybody, I found a big red button that will blow up the world! I'm going to make its location public so that the governments are forced to fix this little vulnerability.
15. Re:full disclosure by n0tWorthy · 2009-11-18 05:23 · Score: 1
  
  Anyone that knows anything about the utility systems (power, water, gas, sewer) knows they are run by the most insecure systems out there. There have been reports of SCADA vulnerabilities for years (GOOGLE it yourself) and many concerns expressed (http://www.darkreading.com/blog/archives/2009/04/scada_security.html).
  Once someone can get out of a compromised system and onto a utilities internal SCADA network they have total control. The best place to practice is on a relatively insecure 2nd or 3rd world network where there are few legal consequences to hacking. Once the skills are honed up and scripts can be written to control large numbers of SCADA systems at once the real fun can begin. This is one of the major objectives of terrorists (http://www.pbs.org/wgbh/pages/frontline/shows/cyberwar/vulnerable/scada.html).
  
  --
  "Be kind, for everyone you meet is facing a great battle." - Philo of Alexandria -
actually by Anonymous Coward · 2009-11-17 11:46 · Score: 5, Informative

the hackers invaded the _website_, the ONS network of computers that actually control the system is private and not connect to the internet.
1. Re:actually by TubeSteak · 2009-11-17 12:43 · Score: 3, Interesting
  
  the hackers invaded the _website_, the ONS network of computers that actually control the system is private and not connect to the internet.
  They may not have hacked the power grid, but TFA says the website has all kinds of fun docs which, I'm assuming, any smart hacker would go after in order to study up on their target.
  Never forget that the next best thing to an insider is the freakin' manual.
  
  --
  [Fuck Beta]
  o0t!
2. Re:actually by Anonymous Coward · 2009-11-17 13:29 · Score: 0
  
  the hackers invaded the _website_, the ONS network of computers that actually control the system is private and not connect to the internet.
  what you can expect from kdawson? dont even bother.
3. Re:actually by fluffy99 · 2009-11-17 16:16 · Score: 1
  
  It's a whole different ballgame if they are using vlans to isolate the control network. Then a hacker just has to penetrate a router or take advantage of poor vlan isolation in some switches. Plus, you're bound to have at least a few employees who just have to have their machine connected to both networks at the same time and think using two network cards is safe.
4. Re:actually by Anonymous Coward · 2009-11-17 23:49 · Score: 1, Informative
  
  If your security consists of hiding the manual... You're doing it wrong.
5. Re:actually by Anonymous Coward · 2009-11-18 02:23 · Score: 0
  
  Yeah, lots of fun docs. You can download detailed maps of the grid with lots of interesting stuff, like capacities of power plants and transmission lines and so on. In the USA this stuff may be considered sensitive due to concerns about national security, but in Brazil they put that kind of information freely available on their website for anyone to see, no hacking required.
closed systems by Haxx · 2009-11-17 11:48 · Score: 2, Funny

One would think critical power networks would be close systems.
1. Re:closed systems by John+Hasler · 2009-11-17 12:10 · Score: 4, Informative
  
  > One would think critical power networks would be close systems.
  Read the article. What was broken into was the "corporate network" of the organization that runs the system. The control system was not broken into and in fact appears to be protected by an air gap.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
2. Re:closed systems by nametaken · 2009-11-17 12:10 · Score: 4, Informative
  
  FTA...
  "ONS was notified last week of this problem. They've confirmed that, indeed, its Website was hacked. It claims to have fixed the SQL injection problems and that there was no danger because there was no connection between its Website network and back-end control network."
3. Re:closed systems by TubeSteak · 2009-11-17 12:47 · Score: 1
  
  The control system was not broken into and in fact appears to be protected by an air gap.
  AFAIK, no country has a power grid whose network is airgapped.
  Even worse, almost everyone is using very old dial-up systems somewhere in their network.
  Their only security is "do you know the phone number"
  Considering that the hackers got a bunch of manuals off the website,
  I'm guessing they now have those phone numbers.
  
  --
  [Fuck Beta]
  o0t!
4. Re:closed systems by Tellarin · 2009-11-17 13:21 · Score: 1
  
  What was broken into was the website of the organization that runs the system.
  
  --
  -- SouNerd.com
5. Re:closed systems by twoDigitIq · 2009-11-17 13:39 · Score: 1
  
  I work in IT at an energy company whose systems are tightly integrated with "the grid" and I can testify that someone with the right knowledge (or even someone well versed in the art of social engineering) could wreak havoc on the power lines here in the U.S.
6. Re:closed systems by L4t3r4lu5 · 2009-11-17 22:43 · Score: 1
  Of course! And no employee on an internal system has ever:
  
  Installed their own wireless access point to get internet access
  Dicked about with patch leads to "fix the network"
  Ever done anything which can well and truly render useless any security system put in place (Hamachi / Tor installation?)
  Air gaps are only good if it's not air at all, but brick.
  --
  Finally had enough. Come see us over at https://soylentnews.org/
7. Re:closed systems by Anonymous Coward · 2009-11-18 02:01 · Score: 0
  
  AFAIK, no country has a power grid whose network is airgapped.
  It might have been that way 10 years ago, because a few companies hooked up the two systems, but the way they are designed are to be separate systems.
  You might want to learn a little bit more I suggest Critical Infrastructure Protection (CIP):
  http://www.nerc.com/page.php?cid=2|20
Really.... by Darkness404 · 2009-11-17 11:50 · Score: 3, Insightful

Really -no- critical system be it power, heating, cooling, etc. should be on the internet. A local network is sufficient with the main computer controlling the other computers not being connected to the internet. How hard is it to understand?

--
Taxation is legalized theft, no more, no less.
1. Re:Really.... by MichaelSmith · 2009-11-17 11:58 · Score: 1
  
  Maybe they just got into the company web site or billing system.
  But even so imagine that the operator of the system wants to save $$$ by outsourcing maintenance to Indian or Chinese companies. They would have to get in with a VPN. If the tradeoff is between money and security, money wins.
  
  --
  http://michaelsmith.id.au
2. Re:Really.... by maxume · 2009-11-17 12:06 · Score: 1
  
  When it comes to security, the trade off is always between money and security.
  
  --
  Nerd rage is the funniest rage.
3. Re:Really.... by nametaken · 2009-11-17 12:12 · Score: 3, Informative
  
  They were not. Read the article.
  "there was no danger because there was no connection between its Website network and back-end control network"
4. Re:Really.... by John+Hasler · 2009-11-17 12:13 · Score: 1
  
  > Maybe they just got into the company web site or billing system.
  That would appear to be the case.
  > If the tradeoff is between money and security, money wins.
  Not when security failures cost real money.
  
  --
  Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
5. Re:Really.... by Itninja · 2009-11-17 12:17 · Score: 4, Insightful
  
  Keeping a few connected computers off the larger WAN is easy enough. But as those computer grow in number it can become more difficult to prevent someone, somewhere from opening up ssh, ftp, rdp, or some other connection-type. Then the whole LAN becomes susceptible to the evils of WAN baddies.
  
  And don't even get me started on the lack of physical security on 'secure' systems. If you can touch it, it's insecure.
  
  --
  I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
6. Re:Really.... by cdesousa · 2009-11-17 12:22 · Score: 2, Informative
  
  You should read the article (or the translation) first.... That is exactly how the system is implemented. The original article says
  
  "A rede operativa é blindada, separada da internet e operada via comando de voz", segundo informou a entidade
  In English,
  
  According to the organization, "The operative network is secure, is separated from the internet, and is operated by voice command"
  The article also says that the hackers got into the operative network but not in the operative network.
7. Re:Really.... by mr+exploiter · 2009-11-17 12:23 · Score: 2, Interesting
  
  That's not how things work in practice. Remote monitoring from anywhere in the world is too tempting. You can take a look at what kind of thing SCADA vendors are selling to realize things are getting worse before they're getting better.
8. Re:Really.... by ColdWetDog · 2009-11-17 12:35 · Score: 1
  
  "The operative network is secure, is separated from the internet, and is operated by voice command"
  The "voice command" part bothers me a bit.
  
  "Dear Aunt: let's set so double the killer select all". Whatcouldpossiblygowrong?
  
  --
  Faster! Faster! Faster would be better!
9. Re:Really.... by stuckinphp · 2009-11-17 12:42 · Score: 1
  
  >> If the tradeoff is between money and security, money wins. >Not when security failures cost real money. /facepalm
  
  --
  if only
10. Re:Really.... by stuckinphp · 2009-11-17 12:43 · Score: 0, Redundant
  
  damn you slashdot.
  stop
  stripping
  newlines
  
  --
  if only
11. Re:Really.... by Anonymous Coward · 2009-11-17 13:14 · Score: 1, Interesting
  
  And yet, your bank probably uses internet based VPNs for their ATMs, because they are cheaper to run than dedicated lines.
12. Re:Really.... by thethibs · 2009-11-17 14:44 · Score: 1
  
  Perhaps you want to think this through again?
  How can ssh connect two isolated networks? Linux software is pretty powerful, but I don't think it extends to stringing wire and installing routers.
  
  --
  I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
13. Re:Really.... by supernova_hq · 2009-11-17 15:37 · Score: 1
  
  Depends what hardware it's running on :D
14. Re:Really.... by iammani · 2009-11-17 15:46 · Score: 1
  
  VPNs?
15. Re:Really.... by Itninja · 2009-11-17 16:34 · Score: 3, Interesting
  
  I've seen this happen. An engineer needed to get some files from his laptop to a Linux server. Since the server was not on the WAN he decided to use a USB drive, which was fine. Except that what he inserted was not a USB drive, but a USB wireless adaptor (he didn't know that). He spent over an house trying to get the 'drive' to work and then (for reasons unknown to me) left the adaptor in the server...maybe he forgot I don't know. It was there for over a week before anyone discovered it.
  
  I am told by the security people that the adaptor defaulted to 'ad-hoc' mode and could have easily been paired with passerby outside in the parking lot who had the know-how (and presumably the right credentials).
  
  --
  I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
16. Re:Really.... by Procasinator · 2009-11-17 21:44 · Score: 2, Informative
  
  Go to Options and change Comment Post Mode to Plain Old Text.
  That will take care of the newlines (inserting <br /> tags for newlines).
17. Re:Really.... by Anonymous Coward · 2009-11-18 03:20 · Score: 0
  
  I happen to know for a fact that the A/C system in Rush Limbaugh's Palm Beach home is accessible and controllable via the Internet, as is the system for a small university nearby...
18. Re:Really.... by n0tWorthy · 2009-11-18 05:31 · Score: 1
  
  Many of these systems are locked in sheds alongside the larger transformer/switching sites. Cut the padlock and you have access to a Windows 2000 SCADA system that is on their SCADA network. Many of these also have modems and PCAnywhere. It really is scary.
  
  --
  "Be kind, for everyone you meet is facing a great battle." - Philo of Alexandria -
SQL injection? by XanC · 2009-11-17 11:50 · Score: 2, Funny

Somebody's fired.
1. Re:SQL injection? by etinin · 2009-11-17 12:10 · Score: 1, Insightful
  
  Not if they have been politically appointed, something very common in brazilian state-run companies.
  
  --
  "I decided I could write something better than everything out there in two weeks. And I was right." - Linus Torvalds
2. Re:SQL injection? by oGMo · 2009-11-17 12:52 · Score: 5, Funny
  
  "' WHERE 1=1; UPDATE plant_employees SET status='FIRED'; ..."
  Or everybody's fired!
  
  --
  Don't think of it as a flame---it's more like an argument that does 3d6 fire damage
3. Re:SQL injection? by Tellarin · 2009-11-17 13:25 · Score: 2, Informative
  
  ONS, the operator of the electric system, whose website was hacked, is not a state-run company. It is a private non-profit regulated by Brazil's National Electrical Energy Agency.
  
  --
  -- SouNerd.com
4. Re:SQL injection? by ArsenneLupin · 2009-11-17 20:16 · Score: 2, Interesting
  
  Not just Brazilian state-run companies...
  Or maybe not just state-run companies even...
Do you believe in Coincidence? by matty619 · 2009-11-17 11:51 · Score: 3, Funny

60min does a story on the security of Brazil's power grid, Brazil says its not true, a few days later, they have the worst power outage in a decade, and now this story.....
1. Re:Do you believe in Coincidence? by Monkeedude1212 · 2009-11-17 11:54 · Score: 1
  
  It's like that James Bond movie, where they report the news quickly because they are the ones causing the news? I think its Tomorrow Never Dies but I can't be sure.
2. Re:Do you believe in Coincidence? by Itninja · 2009-11-17 12:14 · Score: 1
  
  "You provide the pictures. I'll provide the war." Not sure who said that (Hearst?) but I think it was apocryphal anyway.
  
  --
  I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
3. Re:Do you believe in Coincidence? by etinin · 2009-11-17 12:18 · Score: 0
  
  I find it highly unlikely that the power plant with the second highest generation capacity in the world can be totally shut down from the internet.
  
  --
  "I decided I could write something better than everything out there in two weeks. And I was right." - Linus Torvalds
4. Re:Do you believe in Coincidence? by technix4beos · 2009-11-17 12:36 · Score: 1
  
  Indeed: http://www.nyu.edu/classes/keefer/ww1/byrne.html
  
  --
  user@host$ diff /dev/urandom /dev/uspto
5. Re:Do you believe in Coincidence? by Tellarin · 2009-11-17 13:26 · Score: 2, Informative
  
  There was no issue with Itaipu. It remained working. For now it seems it was a problem with distribution lines.
  
  --
  -- SouNerd.com
6. Re:Do you believe in Coincidence? by etinin · 2009-11-18 02:45 · Score: 1
  
  Brazilian newspapers say that the power plant was offline for like 10min, although the main problem was an issue with the distribution lines.
  
  --
  "I decided I could write something better than everything out there in two weeks. And I was right." - Linus Torvalds
7. Re:Do you believe in Coincidence? by Tellarin · 2009-11-18 04:18 · Score: 1
  
  As from the news I've read, Itaipu's output was first reduced in about 10% because of the start of the blackout, and later temporarily shutdown as there was nobody consuming power and no need to keep it running at full capacity.
  
  --
  -- SouNerd.com
Or maybe... by Monkeedude1212 · 2009-11-17 11:53 · Score: 2, Insightful

They were so good the first time they left no trace of their doings and even framed it on some other probable cause.
One of the hackers (I'm guessing the one who likes polo shirts) obviously thought it'd be way cooler to take public credit. They have now revoked his invitation to DEF CON.
1. Re:Or maybe... by Anonymous Coward · 2009-11-17 12:02 · Score: 2, Funny
  
  One of the hackers (I'm guessing the one who likes polo shirts) obviously thought it'd be way cooler to take public credit. They have now revoked his invitation to DEF CON.
  Oh, come on. Unless his Mom named him Roberto'); DROP TABLE Hackers; , little Bobby Tables is never going to register under his real name, do you?
2. Re:Or maybe... by Tellarin · 2009-11-17 13:28 · Score: 4, Funny
  
  Original xkcd reference. http://xkcd.com/327/
  
  --
  -- SouNerd.com
Accidents.... by jhcaocf197912 · 2009-11-17 12:18 · Score: 1

Hey Vinny, give Tommy a little ride....... make sure it looks like an accident.
Conspiracy theorys abound! by Anonymous Coward · 2009-11-17 12:20 · Score: 5, Insightful

This is ridiculous. You can easily hack into their corporate website, but there is no way hackers got into the Brazilian power grid management system, because there is no such automated system in the first place! The central agency controlling the grid Operador Nacional do Sistema (ONS) operates the center by calling their buddies on generating station over private phone lines. Unless you are a very good voice impersonator and know all the necessary protocols, you will not get very far. That's when lack of technology is a plus.
1. Re:Conspiracy theorys abound! by wilcley · 2009-11-17 13:15 · Score: 1
  
  Yes, but it's not clear what information was exposed in this breach. With the right names, phone numbers, and procedures, I suppose you could cause some disruption.
Misundestood news by aylons · 2009-11-17 12:22 · Score: 2, Informative

Hackers didn't broke into the ONS (national power grid operator) system. They have broken into its web site, and this has happened days after the blackout. And the website, naturally, has nothing to do with the operational servers. There are no evidences whatsoever that last Thurday's blackout was caused by an online attack.

--
This comment may contain speech figures. Reader discretion is advised.
Off-Grid Power by robwgibbons · 2009-11-17 12:36 · Score: 1

All of these breaches in power grids are only one more reason for the government to reward/subsidize off-grid (self-sufficient, solar-powered) homes.
1. Re:Off-Grid Power by Anonymous Coward · 2009-11-18 03:00 · Score: 0
  
  If it was that simple, it would have been done already. A large portion of the affected population lives in densely packed areas where there's no way you can fit enough photovoltaic cells to have self-sufficient buildings. Also, those suckers are pretty damn expensive.
  And you've got to remember that saving money was the reason they built those big transmission lines. Some of the affected states where self-sufficient already, but buying power from a big hydroelectric plant like Itaipu is cheaper than buying from lots of smaller H.E. plants or methane-burning thermoelectric plants.
2. Re:Off-Grid Power by indi0144 · 2009-11-18 16:52 · Score: 1
  
  Humm I remember now, a little piece of news around the time when Bush was in the office, maybe 6 months before leaving, about him buying a SHITLOAD of real state in that area of Brazil. Maybe the most valuable real state in the world because of the gigantic water reserves there.
  
  http://www.thetruthseeker.co.uk/article.asp?ID=5324
  (no link because slashcode could not be bothered to render my html tags properly, yes, I have an agenda)
  
  Maybe the power outgage was because Bush were trying to overclock his pc to cope with the performance hit of speech recognition software he just installed. He should go POWER PC FTW!
  
  More on-topic, Brazilian hackers are very good but mostly white hats, maybe they were pissed off because of the misinformation of the first news that hit the media but I also recall a series of severe power outages in urugay or paraguay (neighbor countries to Brazil) some days after the first incident. Maybe some /.er from there can give us some insights?
Power regs by Anonymous Coward · 2009-11-17 12:40 · Score: 0

I don't know what the regs are in Brazil, but in the US, NERC limits how the Generation and SCADA systems may be connected. There is to be no way to get to the Generation or SCADA systems from outside them.
Data is only allowed to be pushed out from those systems, and even better it should be pushed to a secured DMZ where only trusted systems can, with read-only access, pick up the data (since you have to get customer data back out somehow for the billing systems, etc.). Nothing should be allowed into the DMZ from non-Generation / SCADA networks. That means even the power utilities non-Generation or non-SCADA systems can't get to any of these networks/systems, period. The Generation and SCADA systems should not be able to get to any other networks than this secured DMZ.
If these simple rules are followed, there is no way to affect the grid from the Internet, or even the regular power utility corporate network. However, sadly, for different reasons these obvious security guards are bypassed.
Breaking News by lupine · 2009-11-17 12:43 · Score: 4, Funny

Today hackers gained access to my bank account and increased the ballance to 100 millions dollars without alerting authorities.
Actually that didn't happen. My bank account is perfectly secure. There are no hackers anywhere that are smart enough to do such a thing.

--
We have the best government that money can buy.
1. Re:Breaking News by Anonymous Coward · 2009-11-17 14:51 · Score: 0
  
  Damn looks like you're right. Well, we tried!
What the hell do you mean this isn't a dupe? by BlortHorc · 2009-11-17 12:50 · Score: 1

I'm sure I can't be the only one who saw this and thought, "You told us this, what, a week ago?". Goddamn moderators.
I think these guys were trolling jaded /. readers for kicks
Wrong summary by Tellarin · 2009-11-17 13:35 · Score: 4, Informative

Well, first of all, the 60 minutes episode about blackouts in 2005 and 2007 provides absolutely no proof or other data about those blackouts being caused by hackers, except for two anonymous sources that suspect it was.
Second, there was no breach in the grid network, at least not know so far. What happened was that the ONS (the Brazilian electric grid operator) website was hacked.

--
-- SouNerd.com
1. Re:Wrong summary by Anonymous Coward · 2009-11-17 16:15 · Score: 0
  
  What seems to me is that slashdot has been hacked by the brazillian government...kkkkk
  What the hell, if the website was corrupted there are for sure possibility of vital systems to have been invaded. Aren't there billing, payment, provisioning or any other system in this company connected to the internet?
  aren't these connect to the core systems either?
  Do you guys really believe from the bottom of the heart that is not possible go from the internet to the control system?
  Maybe you need better security advisors or better books... maybe better brains
  Someone just said the only truth in this history so far: If you can touch it, it's insecure.
"hackers" by clang_jangle · 2009-11-17 13:41 · Score: 1

hackers were inspired by the story actually to do what was claimed.
***sigh***
Some "hackers, or more accurately some script kiddies . The diggification of slashdot is not at all a good thing.

--
Caveat Utilitor
blackouts? by Anonymous Coward · 2009-11-17 13:53 · Score: 0

Man I've been having blackouts all say! It must be those damn Brazilian hackers!
1. Re:blackouts? by Virtucon · 2009-11-18 03:13 · Score: 1
  
  Nope, it's the excessive use of alcohol and Barbiturates..
  
  --
  Harrison's Postulate - "For every action there is an equal and opposite criticism"
Mod story down by acid06 · 2009-11-17 14:54 · Score: 2, Informative

Hackers didn't "break into the grid" or anything close to that. They defaced the *website*, that's it.
While that is surely a shame for them, is nothing even close to a real worry.
No power outages were caused at all (and, in fact, couldn't be caused).
Now please quit posting uninformed crap.
Busy hackers! by cpscotti · 2009-11-17 22:44 · Score: 2, Funny

That's why no one hacked the electronic voting system!! The good guys were busy having fun sql-injecting stuff in some "bigger" system..