Hackers Broke Into Brazil Power Grid Operator's Website Last Thursday

← Back to Stories (view on slashdot.org)

Hackers Broke Into Brazil Power Grid Operator's Website Last Thursday

Posted by kdawson on Tuesday November 17, 2009 @11:41AM from the wolf-no-really-this-time-i-mean-it dept.

An anonymous reader writes "A week ago, 60 Minutes had a story (we picked it up too) claiming that hackers had caused power outages in Brazil. While this assertion is now believed to be in error, hackers were inspired by the story actually to do what was claimed. Last Thursday, they broke into ONS, the operator of the grid (Google translation; Portuguese original). DarkReading has specific details on the SQL injection vulnerabilities the hackers probably used."

9 of 85 comments (clear)

Min score:

Reason:

Sort:

full disclosure by sopssa · 2009-11-17 11:41 · Score: 1, Insightful

And, two days after the blackout, the systems analyst Maycon Vitali, 23, revealed in the blog "Hack'n'roll" to a login page of the ONS revealed error in the validation data. The flaw could allow a hacker to send command to the database and find sensitive data from ONS.
The failure was published in the newspaper Folha de S. Paulo on Monday (16).
This is exactly why full disclosure is not good.
1. Re:full disclosure by mr+exploiter · 2009-11-17 12:20 · Score: 5, Insightful
  
  And, two days after the blackout, the systems analyst Maycon Vitali, 23, revealed in the blog "Hack'n'roll" to a login page of the ONS revealed error in the validation data. The flaw could allow a hacker to send command to the database and find sensitive data from ONS.
  The failure was published in the newspaper Folha de S. Paulo on Monday (16).
  This is exactly why full disclosure is not good.
  How so? If two days after the vulnerabilty was exploited causing millions of dollars of damage they *still* don't fix it, then the public has the right to know how much the security of the systems sucks. It may be the only way to prevent this from happening again.
2. Re:full disclosure by cosm · 2009-11-17 12:35 · Score: 3, Insightful
  
  Seriously? You must work for the government..
  
  Your solution: Hide or pretend the vulnerability doesn't exist, or ignore the possible ramifications of its exploitation and further promote shoddy programming practices.
  The better solution: Make the vulnerability public so that the company is forced to do something about it immediately, hence preventing any threats (pending their programming practices improving).
  
  Full disclosure puts the responcibility on the company to keep their products/services secure, as to keeping it a secret, which puts the burden on whistleblowers fearing prosecution.
  
  Which world do you prefer?
  
  --
  'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
3. Re:full disclosure by Runaway1956 · 2009-11-17 14:01 · Score: 2, Insightful
  
  Agreed. Sometimes the only way to motivate people to fix a problem is to embarrass them in public. FFS, no part of any critical operation should ever be exposed to the internet, period. If is't sensitive, keep it isolated from everyone - including your billing departement, public relations, sales, and even the company officers. Whenever they need to see something sensitive, they can pick their lead arses up, and move to an office dedicated to the internal workings of the company. When they are ready to put on their happy power hats, and interface with the world, they can return to their own office.
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Really.... by Darkness404 · 2009-11-17 11:50 · Score: 3, Insightful

Really -no- critical system be it power, heating, cooling, etc. should be on the internet. A local network is sufficient with the main computer controlling the other computers not being connected to the internet. How hard is it to understand?

--
Taxation is legalized theft, no more, no less.
1. Re:Really.... by Itninja · 2009-11-17 12:17 · Score: 4, Insightful
  
  Keeping a few connected computers off the larger WAN is easy enough. But as those computer grow in number it can become more difficult to prevent someone, somewhere from opening up ssh, ftp, rdp, or some other connection-type. Then the whole LAN becomes susceptible to the evils of WAN baddies.
  
  And don't even get me started on the lack of physical security on 'secure' systems. If you can touch it, it's insecure.
  
  --
  I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
Or maybe... by Monkeedude1212 · 2009-11-17 11:53 · Score: 2, Insightful

They were so good the first time they left no trace of their doings and even framed it on some other probable cause.
One of the hackers (I'm guessing the one who likes polo shirts) obviously thought it'd be way cooler to take public credit. They have now revoked his invitation to DEF CON.
Re:SQL injection? by etinin · 2009-11-17 12:10 · Score: 1, Insightful

Not if they have been politically appointed, something very common in brazilian state-run companies.

--
"I decided I could write something better than everything out there in two weeks. And I was right." - Linus Torvalds
Conspiracy theorys abound! by Anonymous Coward · 2009-11-17 12:20 · Score: 5, Insightful

This is ridiculous. You can easily hack into their corporate website, but there is no way hackers got into the Brazilian power grid management system, because there is no such automated system in the first place! The central agency controlling the grid Operador Nacional do Sistema (ONS) operates the center by calling their buddies on generating station over private phone lines. Unless you are a very good voice impersonator and know all the necessary protocols, you will not get very far. That's when lack of technology is a plus.