Slashdot Mirror


Hackers Broke Into Brazil Power Grid Operator's Website Last Thursday

An anonymous reader writes "A week ago, 60 Minutes had a story (we picked it up too) claiming that hackers had caused power outages in Brazil. While this assertion is now believed to be in error, hackers were inspired by the story actually to do what was claimed. Last Thursday, they broke into ONS, the operator of the grid (Google translation; Portuguese original). DarkReading has specific details on the SQL injection vulnerabilities the hackers probably used."


  1. actually by Anonymous Coward · · Score: 5, Informative

    the hackers invaded the _website_, the ONS network of computers that actually control the system is private and not connected to the internet.

    1. Re:actually by TubeSteak · · Score: 3, Interesting

      > the hackers invaded the _website_, the ONS network of computers that actually control the system is private and not connected to the internet.

      They may not have hacked the power grid, but TFA says the website has all kinds of fun docs which, I'm assuming, any smart hacker would go after in order to study up on their target.

      Never forget that the next best thing to an insider is the freakin' manual.

      --
      [Fuck Beta]
      o0t!
  2. closed systems by Haxx · · Score: 2, Funny

      One would think critical power networks would be closed systems.

    1. Re:closed systems by John+Hasler · · Score: 4, Informative

      > One would think critical power networks would be closed systems.

      Read the article. What was broken into was the "corporate network" of the organization that runs the system. The control system was not broken into and in fact appears to be protected by an air gap.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:closed systems by nametaken · · Score: 4, Informative

      FTA...

      "ONS was notified last week of this problem. They've confirmed that, indeed, its Website was hacked. It claims to have fixed the SQL injection problems and that there was no danger because there was no connection between its Website network and back-end control network."

  3. Really.... by Darkness404 · · Score: 3, Insightful

    Really -no- critical system be it power, heating, cooling, etc. should be on the internet. A local network is sufficient with the main computer controlling the other computers not being connected to the internet. How hard is it to understand?

    --
    Taxation is legalized theft, no more, no less.
    1. Re:Really.... by nametaken · · Score: 3, Informative

      They were not. Read the article.

      "there was no danger because there was no connection between its Website network and back-end control network"

    2. Re:Really.... by Itninja · · Score: 4, Insightful

      Keeping a few connected computers off the larger WAN is easy enough. But as those computers grow in number it can become more difficult to prevent someone, somewhere from opening up ssh, ftp, rdp, or some other connection-type. Then the whole LAN becomes susceptible to the evils of WAN baddies.

      And don't even get me started on the lack of physical security on 'secure' systems. If you can touch it, it's insecure.

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    3. Re:Really.... by cdesousa · · Score: 2, Informative

      You should read the article (or the translation) first.... That is exactly how the system is implemented. The original article says

      "A rede operativa é blindada, separada da internet e operada via comando de voz", segundo informou a entidade

      In English,

      According to the organization, "The operative network is secure, is separated from the internet, and is operated by voice command"

      The article also says that the hackers got into the operative network but not in the operative network.

    4. Re:Really.... by mr+exploiter · · Score: 2, Interesting

      That's not how things work in practice. Remote monitoring from anywhere in the world is too tempting. You can take a look at what kind of thing SCADA vendors are selling to realize things are getting worse before they're getting better.

    5. Re:Really.... by Itninja · · Score: 3, Interesting

      I've seen this happen. An engineer needed to get some files from his laptop to a Linux server. Since the server was not on the WAN he decided to use a USB drive, which was fine. Except that what he inserted was not a USB drive, but a USB wireless adaptor (he didn't know that). He spent over an hour trying to get the 'drive' to work and then (for reasons unknown to me) left the adaptor in the server...maybe he forgot I don't know. It was there for over a week before anyone discovered it.

      I am told by the security people that the adaptor defaulted to 'ad-hoc' mode and could have easily been paired with a passerby outside in the parking lot who had the know-how (and presumably the right credentials).

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    6. Re:Really.... by Procasinator · · Score: 2, Informative

      Go to Options and change Comment Post Mode to Plain Old Text.

      That will take care of the newlines (inserting <br /> tags for newlines).

  4. SQL injection? by XanC · · Score: 2, Funny

    Somebody's fired.

    1. Re:SQL injection? by oGMo · · Score: 5, Funny

      "' WHERE 1=1; UPDATE plant_employees SET status='FIRED'; ..."

      Or everybody's fired!

      --

      Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

    2. Re:SQL injection? by Tellarin · · Score: 2, Informative

      ONS, the operator of the electric system, whose website was hacked, is not a state-run company. It is a private non-profit regulated by Brazil's National Electrical Energy Agency.

    3. Re:SQL injection? by ArsenneLupin · · Score: 2, Interesting

      Not just Brazilian state-run companies...

      Or maybe not just state-run companies even...

  5. Do you believe in Coincidence? by matty619 · · Score: 3, Funny

    60min does a story on the security of Brazil's power grid, Brazil says it's not true, a few days later, they have the worst power outage in a decade, and now this story.....

    1. Re:Do you believe in Coincidence? by Tellarin · · Score: 2, Informative

      There was no issue with Itaipu. It remained working. For now it seems it was a problem with distribution lines.

  6. Or maybe... by Monkeedude1212 · · Score: 2, Insightful

    They were so good the first time they left no trace of their doings and even framed it on some other probable cause.

    One of the hackers (I'm guessing the one who likes polo shirts) obviously thought it'd be way cooler to take public credit. They have now revoked his invitation to DEF CON.

    1. Re:Or maybe... by Anonymous Coward · · Score: 2, Funny

      > One of the hackers (I'm guessing the one who likes polo shirts) obviously thought it'd be way cooler to take public credit. They have now revoked his invitation to DEF CON.

      Oh, come on. Unless his Mom named him Roberto'); DROP TABLE Hackers; , little Bobby Tables is never going to register under his real name, do you?

    2. Re:Or maybe... by Tellarin · · Score: 4, Funny

      Original xkcd reference. http://xkcd.com/327/

  7. Re:full disclosure by mr+exploiter · · Score: 5, Insightful

    > And, two days after the blackout, the systems analyst Maycon Vitali, 23, revealed in the blog "Hack'n'roll" to a login page of the ONS revealed error in the validation data. The flaw could allow a hacker to send command to the database and find sensitive data from ONS.
    >
    > The failure was published in the newspaper Folha de S. Paulo on Monday (16).
    >
    > This is exactly why full disclosure is not good.

    How so? If two days after the vulnerability was exploited causing millions of dollars of damage they *still* don't fix it, then the public has the right to know how much the security of the systems sucks. It may be the only way to prevent this from happening again.

  8. Conspiracy theories abound! by Anonymous Coward · · Score: 5, Insightful

    This is ridiculous. You can easily hack into their corporate website, but there is no way hackers got into the Brazilian power grid management system, because there is no such automated system in the first place! The central agency controlling the grid Operador Nacional do Sistema (ONS) operates the center by calling their buddies on generating station over private phone lines. Unless you are a very good voice impersonator and know all the necessary protocols, you will not get very far. That's when lack of technology is a plus.

  9. Misunderstood news by aylons · · Score: 2, Informative

    Hackers didn't break into the ONS (national power grid operator) system. They have broken into its web site, and this has happened days after the blackout. And the website, naturally, has nothing to do with the operational servers. There is no evidence whatsoever that last Thursday's blackout was caused by an online attack.

    --
    This comment may contain speech figures. Reader discretion is advised.
  10. Re:full disclosure by cosm · · Score: 3, Insightful

    Seriously? You must work for the government..

    Your solution: Hide or pretend the vulnerability doesn't exist, or ignore the possible ramifications of its exploitation and further promote shoddy programming practices.
    The better solution: Make the vulnerability public so that the company is forced to do something about it immediately, hence preventing any threats (pending their programming practices improving).

    Full disclosure puts the responsibility on the company to keep their products/services secure, as to keeping it a secret, which puts the burden on whistleblowers fearing prosecution.

    Which world do you prefer?

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
  11. Breaking News by lupine · · Score: 4, Funny

    Today hackers gained access to my bank account and increased the balance to 100 million dollars without alerting authorities.
    Actually that didn't happen. My bank account is perfectly secure. There are no hackers anywhere that are smart enough to do such a thing.

  12. Wrong summary by Tellarin · · Score: 4, Informative

    Well, first of all, the 60 minutes episode about blackouts in 2005 and 2007 provides absolutely no proof or other data about those blackouts being caused by hackers, except for two anonymous sources that suspect it was.

    Second, there was no breach in the grid network, at least not known so far. What happened was that the ONS (the Brazilian electric grid operator) website was hacked.

  13. Re:full disclosure by Runaway1956 · · Score: 2, Insightful

    Agreed. Sometimes the only way to motivate people to fix a problem is to embarrass them in public. FFS, no part of any critical operation should ever be exposed to the internet, period. If it's sensitive, keep it isolated from everyone - including your billing department, public relations, sales, and even the company officers. Whenever they need to see something sensitive, they can pick their lead arses up, and move to an office dedicated to the internal workings of the company. When they are ready to put on their happy power hats, and interface with the world, they can return to their own office.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  14. Re:full disclosure by mitoyarzun · · Score: 5, Informative

    Here in Chile a guy reported to the government about a serious bug on their outsourcing website (chilecompra.cl), they ignored him for months, and he made the bug public (you were able to know your competition's offer to the government just by changing a GET parameter).

    He was condemned by a court for breaking the law, more info here (Spanish)

    What kind of action should one take in those cases? Has this happened before in other countries?

  15. Mod story down by acid06 · · Score: 2, Informative

    Hackers didn't "break into the grid" or anything close to that. They defaced the *website*, that's it.
    While that is surely a shame for them, it is nothing even close to a real worry.

    No power outages were caused at all (and, in fact, couldn't be caused).

    Now please quit posting uninformed crap.

  16. Busy hackers! by cpscotti · · Score: 2, Funny

    That's why no one hacked the electronic voting system!! The good guys were busy having fun sql-injecting stuff in some "bigger" system..