Slashdot Mirror


Malware Infects US Power Facilities Through USB Drives

angry tapir writes "Two U.S. power companies have reported infections of malware during the past three months, with the bad software apparently brought in through tainted USB drives, according to the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The publication (PDF) did not name the malware discovered. The tainted USB drive came in contact with a 'handful of machines' at the power generation facility and investigators found sophisticated malware on two engineering workstations critical to the operation of the control environment, ICS-CERT said."

136 comments

  1. Scan the security cameras... by eksith · · Score: 5, Insightful

    ...If they have them installed and actually recording. Find out which ones were inserting the USB drives in question, fire them and ban them from ever being hired at any infrastructure facilities. Train the remaining employees in security best practices and run random scans of any equipment they bring into the premises.

    More often than not security breaches are a result of an oversight, but far too often, it's laziness and incompetence.

    --
    If computers were people, I'd be a misanthrope.

    1. Re:Scan the security cameras... by Anonymous Coward · · Score: 3, Insightful

      They know who did it - it was apparently a contractor installing software.

      And banning USB keys or "scanning" is not the solution - the solution is to not use vulnerable crap like windows for any critical functions at something like a power plant. Although banning/firing any contractor that specified a Windows-based system for the installation in the first place could be a good first step.

    2. Re:Scan the security cameras... by The+Cisco+Kid · · Score: 1, Troll

      "laziness and incompetence" = using Microsoft platforms for power plant engineering systems.

      "security best practices" = never letting Microsoft platforms near anything mission critical at such an installation.

    3. Re:Scan the security cameras... by Anonymous Coward · · Score: 2, Interesting

      the solution is to not use vulnerable crap like windows

      If the malicious code was embedded in the software which was intentionally installed, then exactly how would the choice of OS have fuck-all to do with it?

    4. Re:Scan the security cameras... by Anonymous Coward · · Score: 1

      Before you fire them, find out *why* they did it. Was it necessary to do their job? Organizations often impose restrictions that make the expected processes impossible, and it works only because employees ignore the restrictions. If that is the case, make it clear to the other employees that they were close to being fired too because, presumably, they did similar things. Do not spare the culprit -- he/she should have reported that the expected processes don't work under the imposed restrictions, not ignore them.

      Also, place a strip of duct tape over all USB ports. IT can remove the tape if they need to, but $RANDOM_EMPLOYEE will know that they are not expected to remove the tape. That won't block a malicious employee, but might block a lazy or incompetent one. Removing the ports will work, but is probably too cumbersome.

      FTA: "found sophisticated malware on two engineering workstations critical to the operation of the control environment"
      FTA: "in early October to report a virus infection in a turbine control system"

      And why can software be installed on these things except updating the control software? Seems like a problem with the equipment itself, and a market opportunity for manufacturers of security-hardened equipment.

      FTA: "An outside technician used a USB drive to upload software updates during equipment upgrades" ... or for manufacturers / service companies who don't damage the equipment of their customers.

      And the mandatory question: Why the heck does a random employee have permissions (in the computer sense, not the organizational one) to install things on their computer?

    5. Re:Scan the security cameras... by Anonymous Coward · · Score: 0, Informative

      The choice of OS made it vulnerable to the "malicious code" in the first place.

      or... choosing windows based software, which is itself vulnerable to "malicious code"

    6. Re:Scan the security cameras... by Anonymous Coward · · Score: 0

      Something tells me you're making assumptions here. There are no real "viruses" for GNU/Linux. In theory? OK. Demos with some insane set of steps users have to take first? Yes. But real viruses? No.

    7. Re:Scan the security cameras... by symbolset · · Score: 1, Funny

      Strangely I agree with this moderation. If there ever was a day when "redundant" should be an up mod, this is it.

      --
      Help stamp out iliturcy.

    8. Re:Scan the security cameras... by Anonymous Coward · · Score: 0, Flamebait

      A 10-year-old developmentally challenged kid on a Valium binge would be less of a troll and more informed than you.

      Get off Torvalds' cock for once.

    9. Re:Scan the security cameras... by inasity_rules · · Score: 2

      I agree, but what you suggest is impractical. Normally the consultant would have specified the requirements, and then chosen from a list of options given. Practically, all of those options would be Windows, because, guess what, it is the industry standard. Practically then, any contractor suggesting a different system would be at a disadvantage because they would be deviating from the de facto standard. Industry has so much momentum that changing from Windows is excessively difficult.

      --
      I have determined that my sig is indeterminate.

    10. Re:Scan the security cameras... by Anonymous Coward · · Score: 1, Funny

      or... choosing windows, which is itself "malicious code"

    11. Re:Scan the security cameras... by Anonymous Coward · · Score: 1

      If you think the only OSes with issues are Microsoft OSes, explain how all the centrifuges in Iran got infected. OS no longer matters; there is malware out there for all OSes. There is no way to stay in front of all possible malware threats, so the simple method to address the issue is to ban all USB drives, one of the main vectors for transmission of bad-guy software. Also ensure everyone doing ANY installs is well trained not to make mistakes like this in the future, and also educate everyone else: bring in a USB device and connect it to the company machines at all, and you are fired.

    12. Re:Scan the security cameras... by Anonymous Coward · · Score: 0

      Unfortunately, there aren't many options for other systems than Windows in the automation world, except for dedicated PLCs of course, which run their own embedded systems, Windows, and one Linux (that I know of; don't know if it does anymore though). Also all programming software is for Windows, except for some smart relays or small PLCs, which may have Java-based software like the Siemens Logo does.

      I've only run into one open source project for PLC programming and the development for it seems quite slow. It's not really an option yet, also because the industry doesn't follow any file standards, so you can't open programs from another package with another.

      Everything else from HMI software to data gathering stuff runs on Windows (unless of course you've built your own). There are a couple of open source options for HMI software that run on other platforms.

    13. Re:Scan the security cameras... by Anonymous Coward · · Score: 0

      It is my understanding, that they were infected through the HMI software, which runs on windows. From there you can send/receive data from the PLC and reprogram it if you want to. So the malware software ran on the HMI machine and sent bogus data/programmed faulty code to the PLC.

    14. Re:Scan the security cameras... by Anonymous Coward · · Score: 0

      But the choice of OS is dictated by the vendor. We have clinical systems like this: you get given a supplied PC and quite often, Tamper Ye Not.

      Hilariously, if the control PC is air-gapped, its antivirus will *by definition* be spectacularly out of date.

      This is never as simple as it seems...

    15. Re:Scan the security cameras... by hairyfeet · · Score: 0

      Uhhh...Why have USB slots on the PCs in the first place? It's really not that hard to just epoxy some plugs into the slots in the back and pull the cable to the front, ya know. Even if they did do what you say, it's still possible an enemy might in the future blackmail an employee into plugging a drive in; can't do that if it's common knowledge there ain't no USB slots on their machines.

      If it were me while I was at it I'd set a GPO blocking Windows from enabling any CDROM or floppy drives along with the USB drivers so even if somebody in some out of the way place cracked the case open and reconnected the headers it wouldn't do any good as Windows wouldn't load the drivers.

      --
      ACs don't waste your time replying, your posts are never seen by me.

    16. Re:Scan the security cameras... by RoboJ1M · · Score: 2

      But, it was a contractor installing software.
      The OS didn't need to be vulnerable.
      The infected application had super user rights.
      Of course no doubt it DID leverage holes in windows and it wasn't there to compromise the power station, just run spam chewing malware.
      And it was only ON the stick in the first place because of Windows security holes.

      But by definition any OS (GNU Linux, OSX, Windows) on which you are installing software is vulnerable by default.
      Of course in a secure environment such as GNU Linux or BSD or whatever, the machines that wrote the stick in the first place would have been astronomically less vulnerable to leaky security and easy compromise such as the box where the contractor spent the morning browsing drive by pr0n sites.

      If it was a malicious contractor, no OS is going to save you.

    17. Re:Scan the security cameras... by aurispector · · Score: 5, Funny

      Since Windows is the de facto standard, the bulk of malware is targeted at it. Pick any platform, make it the standard, and the amount of malware written for it will explode.

      Nice rhymes BTW - that English degree is paying off for you!

      --
      I have mod points. The reign of terror begins now.

    18. Re:Scan the security cameras... by benjymouse · · Score: 5, Insightful

      the solution is to not use vulnerable crap like windows for

      Right. So there would never be any risk when using Linux?

      http://www.h-online.com/open/news/item/USB-driver-bug-exposed-as-Linux-plug-pwn-1203617.html

      http://news.softpedia.com/news/Researcher-Demonstrates-USB-Autorun-Attack-on-Linux-183611.shtml

      http://linux.slashdot.org/story/11/02/07/1742246/usb-autorun-attacks-against-linux

      http://www.omgubuntu.co.uk/2011/02/how-usb-autorun-malware-could-easily-infect-linux

      You are stupid to think that any OS is free of such problems. Or you are just blind to facts because of Linux fanaticism.

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*

    19. Re:Scan the security cameras... by aaarrrgggh · · Score: 1

      To do it right, you would need one machine that you load the USB stick into, and another machine that scans that stick and copies selected files to the network. Very few guarantees in this situation though that you would be able to scan for all vulnerabilities or potentially damaging configurations.

      About the only thing you can do is have a second supervisory network watching the first, and taking over (with reduced functionality) when an abnormality is detected. Of course that system needs to be running different hardware (JACE need not apply), supported by a different vendor, etc. It gets very expensive, but is often done when you can't trust your controls. (Haven't seen a new system like this implemented in a long time though...)

    20. Re:Scan the security cameras... by Svartalf · · Score: 2

      I don't think that it was embedded there (or we'd have a different story we'd be commenting on...) - it was just infecting the tech's USB thumb drive. Something that Windows actually excels at.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas

    21. Re:Scan the security cameras... by Svartalf · · Score: 1

      Ah, but you're reading MORE into this than is actually there (HINT: This story'd been WAAAAY different if it'd been YOUR story...).

      Quite simply put, you're glossing over that Windows is actually a BAD choice for a SCADA system software component - because this wouldn't have happened the way it was read and seems to be playing out if it'd not been a Windows system in the first place.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas

    22. Re:Scan the security cameras... by Svartalf · · Score: 2

      1) These are due to trying to make Linux "easy". If you're using a desktop install, it's going to happen. Autorun is a BAD and bogus idea, really.
      2) An embedded or secured Linux won't respond to Autorun like this. I think only the ones trying to be a Windows/OSX "competitor" like Ubuntu have this on by default.

      Sorry, it's more that the OS in question (Windows) does stupid things that're insecure by design - and adopting any of those bad ideas in your OS will cause the same sorts of problems. Your set of links merely proves this.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas

    23. Re:Scan the security cameras... by Anonymous Coward · · Score: 0

      Like Svartalf, I have to kinda disagree with you about this.

      Yes, all operating systems have security issues but Windows, in general, is a whole other beast.

    24. Re:Scan the security cameras... by RoboJ1M · · Score: 1

      Yes, sorry, should have reiterated that Windows is just a bad choice full stop.

      (can my story be directed by Michael Bay please?)

    25. Re:Scan the security cameras... by Feyshtey · · Score: 1

      This assumes, of course, that your security staff is better qualified and trained than your other staff. And that they have been granted authority to build adequate security measures.

      Security personnel (physical or digital) are not immune to negligence and incompetence. If they were, there would be safeguards against allowing a USB drive to be functional in a critical infrastructure system, or not having USB ports at all, and isolation from those machines that require such inputs.

      --
      "But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi

    26. Re:Scan the security cameras... by Feyshtey · · Score: 1

      Or you build a dev environment and *gasp* TEST SHIT BEFORE YOU ROLL IT TO PRODUCTION.

      Also not a failsafe solution, but my God, why isn't it done more? If this shit is so critical, please explain to me why? "Go for it Hank. It's from the vendor. What could possibly go wrong!?"

      --
      "But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi

    27. Re:Scan the security cameras... by tlhIngan · · Score: 2

      Uhhh...Why have USB slots on the PCs in the first place? Its really not that hard to just epoxy some plugs into the slots in the back and pull the cable to the front ya know. Even if they did do what you say its still possible an enemy might in the future blackmail an employee into plugging a drive in, can't do that if its common knowledge there ain't no USB slots on their machines.

      If it were me while I was at it I'd set a GPO blocking Windows from enabling any CDROM or floppy drives along with the USB drivers so even if somebody in some out of the way place cracked the case open and reconnected the headers it wouldn't do any good as Windows wouldn't load the drivers.

      Well, if you did security right, you have an airgapped network, which means the critical network and the corporate LAN are separated.

      But that brings a question - how do you update anything on the airgapped network? And yes, things do need updating now and again, including any Windows machines used to manage it. May be a software update, may be a configuration update (e.g., some new machinery was installed, or something was replaced and now the whole setup has to be reconfigured).

      The easiest way is a thumb drive.

      Otherwise what you have is a completely useless network that runs ancient software that has to be maintained somehow.

      Airgapped networks work, but they have a serious vulnerability in that going from an insecure to secure environment (let's say you gateway it so all data brought to the isolated network must be scanned by a gateway PC - now the gateway PC needs to have latest antivirus etc. - and how do you get those onto it, since it's airgapped?).

      Some people make fancy "data diodes" that are very strict firewalls - it lets the isolated network go and talk to the corporate network for updates, etc, but prevents anything from the isolated network from leaving it.

      But it's a huge problem with no easy solution - Stuxnet, the USAF, they all suffered when airgapped computers got infected. (The USAF when their UAV control PCs got infected because they used a thumbdrive to move a map update across).
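
The "one machine loads the stick, another scans and copies selected files" kiosk from comment 19 and the "how do you update an airgapped network" problem from comment 27 both come down to a transfer gate. Below is an added example (not code from the thread, ICS-CERT or any vendor): a Python gate that admits a file from a staging directory only if its SHA-256 matches a vendor-supplied manifest and its name and type pass an allowlist, and reports everything else with a reason. The manifest format, the allowed suffixes and the sample files are all constructed assumptions.

```python
import hashlib
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Constructed policy for this example: only these file types may cross into
# the isolated network. Executables, scripts, autorun.inf and the like are
# refused even if a manifest lists them.
ALLOWED_SUFFIXES = {".bin", ".hex", ".cfg", ".csv"}
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
HEX64_RE = re.compile(r"^[0-9a-f]{64}$")


@dataclass
class GateResult:
    admitted: list = field(default_factory=list)  # (name, sha256) cleared to copy
    rejected: list = field(default_factory=list)  # (name, reason) held back


def parse_manifest(text):
    """Parse sha256sum-style lines ('<hex digest>  <filename>') into a dict.
    A malformed or duplicate line aborts the whole transfer: a corrupt
    manifest must not silently turn into fewer checks."""
    manifest = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or not HEX64_RE.match(parts[0]):
            raise ValueError(f"manifest line {lineno} is malformed")
        digest, name = parts
        if name in manifest:
            raise ValueError(f"manifest lists {name!r} twice")
        manifest[name] = digest
    return manifest


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def gate(staging_dir, manifest):
    """Decide file by file what may leave the staging side. Unlisted files,
    hash mismatches, odd names and non-allowlisted types are rejected with a
    reason; manifest entries with no file are reported as well, because an
    update that arrived incomplete is an anomaly worth a phone call too."""
    result = GateResult()
    entries = sorted(Path(staging_dir).iterdir())
    present = {p.name for p in entries}
    for path in entries:
        name = path.name
        if path.is_symlink() or not path.is_file():
            result.rejected.append((name, "not a regular file"))
        elif not NAME_RE.match(name):
            result.rejected.append((name, "name outside allowed charset"))
        elif path.suffix.lower() not in ALLOWED_SUFFIXES:
            result.rejected.append((name, "file type not allowlisted"))
        elif name not in manifest:
            result.rejected.append((name, "not listed in vendor manifest"))
        elif (digest := sha256_file(path)) != manifest[name]:
            result.rejected.append((name, "sha256 mismatch"))
        else:
            result.admitted.append((name, digest))
    for name in sorted(set(manifest) - present):
        result.rejected.append((name, "listed in manifest but not present"))
    return result


def demo():
    """Run the gate over a constructed staging directory: one good firmware
    image, one config altered after the manifest was written, one stray
    installer, and one manifest entry whose file never made it."""
    staging = Path(tempfile.mkdtemp(prefix="usb-gate-"))
    firmware = b"constructed turbine firmware image v2.3\n"
    (staging / "turbine_fw.bin").write_bytes(firmware)
    (staging / "setpoints.cfg").write_bytes(b"altered after signing\n")
    (staging / "setup.exe").write_bytes(b"MZ constructed, never admitted\n")
    manifest = parse_manifest(
        "# constructed vendor manifest (sha256sum format)\n"
        f"{hashlib.sha256(firmware).hexdigest()}  turbine_fw.bin\n"
        f"{hashlib.sha256(b'original setpoints').hexdigest()}  setpoints.cfg\n"
        f"{hashlib.sha256(b'calibration').hexdigest()}  calib.csv\n"
    )
    return gate(staging, manifest)


if __name__ == "__main__":
    report = demo()
    for name, digest in report.admitted:
        print(f"ADMIT  {name}  {digest[:16]}...")
    for name, reason in report.rejected:
        print(f"REJECT {name}: {reason}")
```

The manifest itself still has to reach the gate by a path the stick cannot tamper with (read off the vendor's site on the corporate side and carried over separately), otherwise the hash check only proves the stick is self-consistent.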

    28. Re:Scan the security cameras... by Anonymous Coward · · Score: 0

      As a software engineer I have to state that there is no such thing as non-vulnerable software. No matter how hard you try there will still be at some point a vulnerability found.

    29. Re:Scan the security cameras... by timeOday · · Score: 2

      Everybody is rushing to agree with you, but I don't see how the use of a USB drive is the problem in this case. USB drives are a bad way to transfer information to secure systems because they are writable, so sensitive information can leak back into the open environment. But that's not what happened here, so it makes no difference whether the upload to the sensitive system had been done with a CD, USB drive, floppy... what do you think they should use, and what difference would it make? Are you assuming they failed to run a virus scanner on the software they uploaded? Those aren't 100%, especially not for targeted attacks. All secure systems are loaded with software and hardware that is ultimately from the open, so there is a chance of bad stuff leaking through. Even if you built the whole computer system onsite from sand and software written from scratch (which is absurd), there is still the trustworthiness of the people who do the work.

    30. Re:Scan the security cameras... by Anonymous Coward · · Score: 0

      I don't know how you were marked as troll, maybe because people do not like the fact that you are right. But this is probably one of the best practices out there.

      Do not let Microsoft on any mission critical device, unless you have stripped it down to its bare essentials and turned off everything, and reconfigured the Windows OS with a stable hardened version. But this is not the Micro$oft way; instead we get Windows 8 with its "easy to use" user interface.

      Blah. I'd mark you as Insightful if I had the mod points, and were not posting as an AC.

    31. Re:Scan the security cameras... by hairyfeet · · Score: 1

      Well I don't know why I was downmodded for pointing out the obvious, but as far as me when I had locked down systems I would use DVDs. I had the system set up so I could put in a password and re-enable the drivers for the DVD, then update through DVD. It worked great and we never had a bug.

      --
      ACs don't waste your time replying, your posts are never seen by me.

    32. Re:Scan the security cameras... by Hentes · · Score: 1

      But that argument goes both ways, you can disable autorun in Windows as well.

    33. Re:Scan the security cameras... by Jeremiah+Cornelius · · Score: 1

      I shot a STUXNET into the air
      It fell to earth, I care not where...

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."

    34. Re:Scan the security cameras... by PhxBlue · · Score: 1

      But it's a huge problem with no easy solution - Stuxnet, the USAF, they all suffered when airgapped computers got infected. (The USAF when their UAV control PCs got infected because they used a thumbdrive to move a map update across).

      The kicker is that it was already against DOD policy to transfer thumbdrives between secure and non-secure networks before the 2008 incident (which I assume is what you're referring to). So policy alone obviously isn't the only piece of the puzzle.

      --
      !#@%*)anks for hanging up the phone, dear.

    35. Re:Scan the security cameras... by kelemvor4 · · Score: 1

      The choice of OS made it vulnerable to the "malicious code" in the first place.

      or... choosing windows based software, which is itself vulnerable to "malicious code"

      ahh, I see your point! So you're saying they should have chosen an OS that is invulnerable to "malicious code"...

    36. Re:Scan the security cameras... by Anonymous Coward · · Score: 0

      What's your beef with JC?

    37. Re:Scan the security cameras... by LoRdTAW · · Score: 2

      The exploit you posted is two years old and fixed. But I do get your point about no OS being 100% secure. But most of these Industrial automation infections are most likely due to bad security practices or outdated and unpatched Windows systems.

      My bet is the control systems are running Windows XP or worse, 2000 (I wouldn't be surprised if NT can be found in some places). Manufacturers of soft PLC/PAC hardware still offer systems pre-installed with Windows XP and XP Embedded even though it is a security nightmare. The reason being backwards compatibility. Most industrial PC hardware is designed for long life spans. A PC motherboard that can be bought off Newegg from Asus or Gigabyte might change every few months or yearly. And every time a new chipset comes out the previous generation boards and chipsets are discontinued. Industrial boards typically have runs lasting years to ensure a customer that 5 or even 10 years later they can get a replacement board. Software is costly and redeveloping a multi-million dollar factory automation system is often impossible without very costly downtime. Something as simple as a Windows update can completely bring an entire system down. In short the mentality is "if it ain't broke, don't fix it". And often enough, you can get away with it.

      I work for a shop where we still have three machines running Windows 2000 for CNC motion control along with one running XP. I could upgrade to Windows 7 as the company who makes the CNC system has up to date software that runs on 7. Any time I have proposed upgrading the machines, the production manager, engineer and boss won't hear any of it (if it ain't broke, don't fix it!). I have to maintain a small inventory of P4 systems pre-loaded with XP Pro and the CNC software to ensure that I have replacement systems at the ready. When I first started working you wouldn't believe the shit that was going on. The previous IT guy was a cousin of the owner who was a programmer; he wasn't an IT expert and was ignorant about security (I'm no expert either, but I make sure I follow best practices). I had employees plugging their iPhones into the CNC PCs to charge as well as listening to Pandora through a web browser on the CNC PC using a pair of speakers they brought in. I put a stop to that nonsense. I now have each computer on a domain account that is locked down (no web browser), no physical USB access by the operator, and the CNC PCs on their own isolated network that is filtered by a firewall (pfSense). It's far from perfectly secure but it will stop 90+% of the silly nonsense that can screw you over.

    38. Re:Scan the security cameras... by benjymouse · · Score: 1

      The exploit you posted is two years old and fixed. But I do get your point about no OS being 100% secure. But most of these Industrial automation infections are most likely due to bad security practices or outdated and unpatched Windows systems.

      Exactly. This is most likely not because of the OS but because of poor security procedures at the plant. My point was exactly that this was most likely not due to the OS but rather due to lax procedures. The carbon between the keyboard and the chair is more and more becoming the weakest link.

      In short the mentality is "if it ain't broke, don't fix it". And often enough, you can get away with it.

      Yes, provided that you put procedures in place which compensate for the weaknesses, e.g. if a system needs to run a 10 year old XP system then *disconnect* from the network or at least *isolate* it, block the USB ports and uninstall or block any software not needed for the operation.

      I had employees plugging their iPhones into the CNC PCs to charge as well as listening to Pandora through a web browser on the CNC PC using a pair of speakers they brought in.

      Oh the horror! You have my sympathies!

      I now have each computer on a domain account that is locked down (no web browser), no physical USB access by the operator, and the CNC PCs on their own isolated network that is filtered by a firewall (pfSense). It's far from perfectly secure but it will stop 90+% of the silly nonsense that can screw you over.

      That's the way to do it. Props!

      --
      Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*

    39. Re:Scan the security cameras... by Anonymous Coward · · Score: 0

      I worked at one company where all desktop machines had the USB ports and floppy & CD drives removed. It didn't cause any problems because the people using those machines didn't have any business reasons that required them.

    40. Re:Scan the security cameras... by Anonymous Coward · · Score: 0

      More often than not security breaches are a result of an oversight, but far too often, it's laziness and incompetence.

      Oversight? Laziness and incompetence? Aren't those all the same thing?

    41. Re:Scan the security cameras... by Anonymous Coward · · Score: 0
    42. Re:Scan the security cameras... by DarwinSurvivor · · Score: 1

      The problem is you HAVE TO disable it in Windows, along with a toilet paper roll's length of other bullshit vulnerabilities. If you use embedded Linux, your checklist can be written on the palm of your hand with a Sharpie.

    43. Re:Scan the security cameras... by Jeremiah+Cornelius · · Score: 0

      The FBI has been after him, since he began promoting usage of the Windows hosts file to evade tracking and detection. They have a black mark next to his name and are looking for enough evidence for a "material support of terrorism charge" based on messages like these:

      [bollocksquote]

      Want to REALLY know what a HOSTS file can do for you, the end user (or corporate environs) & how/why it's BETTER THAN AdBlock &/or DNS servers alone? Take a peek here guys & enjoy -> http://news.slashdot.org/comments.pl?sid=1913212&cid=34576182

      I've been using them for BETTER SPEED, BETTER ONLINE LAYERED SECURITY, & to an extent? Even BETTER "ANONYMITY" (vs. DNS request logs &/or DNSBL)...

      I've been doing this since 1997 or thereabouts, & it's just like putting a "Turbo" onto an engine in a vehicle (w/out the "turbo lag").

      P.S.=> And, yes, they really DO work (something "old" folks seemed to have forgotten, that lets YOU get "more bang for the buck" in what you pay every month for ISP/BSP online access by also making you NOT download adbanners as well if you like (which have been found w/ malicious code in them MANY TIMES since 2004 (see URL above))... & since ISP/BSP's like AT&T & others are moving to a "pay by bandwidth use/bandwidth cap" type scenarios?? Blocking out adbanners can see you have a gain there not only speed, or potential security, but also BANDWIDTH CONSERVATION!

      IF you're a security pro & a network admin, then what the HELL is stopping you from using login scripts to migrate HOSTS files that are updated across all your network nodes/clients/workstations then?? HOSTS are good for stopping domainname/hostname based links (which IS what the majority of malware makers use, period)

      I know - been populating a HOSTS file this way since 1997, & they use host/domain names, because they are RECYCLABLE, unlike IP addresses that once known as bad, get shut down & turned off... whereas a host/domain name means since you own it, you can go to yet another hosting provider & startup a botnet server or maliciously scripted site, in minutes, all over again & with the SAME domain/hosts name - the RBN (Russian Business Network) was notorious for it... (& today, CoreFlood botnet did the same until the FEDS took over their C&C servers)

      If you're a "security pro" as YOU allegedly SAY you are, you didn't seem to note anything I stated, & you'd also have noted that LAYERED SECURITY IS THE BEST THING WE HAVE GOING vs. these maliciously scripted threats out there today (& that means using HOSTS files in combination with other tools such as antivirus/antimalware, firewalls, HIPS & more).

      20++ ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK ALONE for added layered security:

      1.) Adblock blocks ads in only 1 browser family (Disclaimer: Opera now has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc.).

      2.) HOSTS files are useable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program).

      3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.

      4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 4-7 next below).

      5.) Adblock doesn't allow you to hardcode in your favorite websites into it so you don't make DNS server calls and so you ca

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."

    44. Re:Scan the security cameras... by Anonymous Coward · · Score: 0

      Poor reaction Jeremiah Cornelius. Disprove those points. FBI? There's no law against hosts files. You should be tracked by them for admittedly stalking others online (calling it trolling doesn't make it any better, that's just word manipulation) http://slashdot.org/comments.pl?sid=2238996&cid=36457426 as your own profile states about controlling words, along with your buddy webmistressrachel http://slashdot.org/comments.pl?sid=3373637&cid=42570685 along with you. Give us a break, learn to spell what you did for a job correctly. You might still be doing it if you could actually spell it right.

    45. Re:Scan the security cameras... by Anonymous Coward · · Score: 0

      Posting as AC now Jeremiah Cornelius? You didn't here http://slashdot.org/comments.pl?sid=3384873&cid=42622385 You are welcome to disprove the points on hosts files use which isn't illegal by any means. So much for your "FBI" crap. You also avoid a direct question put to you here http://slashdot.org/comments.pl?sid=3384873&cid=42626347 also which points out you're quite illiterate and unable to properly spell that which you claimed to have done for a career there (which I doubt you did since you can't even spell it properly). You like stalking others by your own admission http://slashdot.org/comments.pl?sid=2238996&cid=36457426 along with your friend webmistressrachel http://slashdot.org/comments.pl?sid=3373637&cid=42570685 so if anybody merits being the target of the FBI, it is yourself, for online stalking.

    47. Re:Scan the security cameras... by Anonymous Coward · · Score: 0

      You avoid a direct question: Why'd ya pull yer resume off LinkedIn Jeremiah Cornelius -> http://slashdot.org/comments.pl?sid=3368135&cid=42529887 Is it since someone spotted you're not only a "San Fran 'Man'" (a fella is more like it) and that you can't even spell what you allegedly used to do for a job? It's correctly spelled PENETRATION, not "pentration" as you misspelled it there in front of 1,000's no doubt (one would think an anal penetration man from San Fran'd know how THAT is spelled at least, lol). Jeremiah Cornelius likes to troll others -> http://slashdot.org/comments.pl?sid=2238996&cid=36457426 , but he can't handle it when it's done in return showing he is illiterate, and that much is obvious. You fail troll. How many years did you leave your resume up there with that basic literacy fail on it? Yes you have been trolled. You like? I wager you don't since you removed your faulty resume (on the very thing you took pride in that you can't even spell correctly most likely indicating you weren't any good at it either).

  2. i wonder which is better by someone1234 · · Score: 1, Insightful

    1. It is stuxnet
    2. it is something else

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
    1. Re:i wonder which is better by oodaloop · · Score: 1

      Stuxnet was specially designed to go after equipment used in Iran for enriching Uranium. However, the code has been in the hands of hackers around the world for a while now, and I'd be surprised if it's never reused.

      On another note, as early as 2009 we've known China has been probing US electric companies and installing logic bombs. We know they're there, and we can't get rid of them. China has the ability already to shut down our power indefinitely, as in destroy the generators. And take a wild guess who makes the generators.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    2. Re:i wonder which is better by AmiMoJo · · Score: 0

      Was it retaliation in the cold war with Iran, or was it the start of an offensive by a third state? Or did US cyberweapons backfire?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:i wonder which is better by toutankh · · Score: 1

      It seems to me that the US government wants to be able to use software-based attacks on other countries (like Iran with Stuxnet), while being totally protected from software-based attacks from the outside. In my opinion, this will never happen: US, like any other country, is and will be vulnerable to these attacks. No matter how much money they throw at it. In this context one might wonder whether it's in the US government's interest to bring the war to this terrain, like they did with Stuxnet.

  3. Don't DEAL with problems, SOLVE them... by jkrise · · Score: 1, Interesting

    I can't help but laugh at the infantile levels of thinking and planning which goes into building secure infrastructure systems. Here's how I would do it:

    1. First, insulate critical infrastructure systems from the rest of the World. Don't install 'secure' routers or 'secure' firewalls. Simply insulate them. End of.

    2. Do not install any software (OS, database or application) that needs to be activated from the outside, or auto-updated from the outside.

    3. Do not ALLOW any USB based access to any of the networked machines, ever. If at all, the USB drive needs to be connected to a Linux machine, that does not auto-mount or run any auto-magic stuff. Then, any files that need to be sent to the server need to be quarantined prior to updating.

    4. Same goes for WiFi. Only allow machines with known, registered MAC addresses, after pre-auditing and authorising them.

    Dealing with the aftermath of such insecure architecture, without Solving them once and for all, is a criminal offence by the IT admins and must be prosecuted as such. Irrespective of the outcome or lack of any infections despite insecure architecture.

    --
    If you keep throwing chairs, one day you'll break windows....
    1. Re:Don't DEAL with problems, SOLVE them... by Anonymous Coward · · Score: 5, Insightful

      3. Do not ALLOW any USB based access to any of the networked machines, ever. If at all, the USB drive needs to be connected to a Linux machine, that does not auto-mount or run any auto-magic stuff. Then, any files that need to be sent to the server need to be quarantined prior to updating.

      The problem is the entire process of adding the software in the first place. The application should have been placed into a sterile test environment and proved out prior to ever being approved, then moved in a secure fashion to a staging environment for actual deployment. This whole thing reeks of massive violations of best practices, no matter what OS you happen to be using.

      For example: "ICS-CERT recommended that the power facility adopt new USB use guidelines, including the cleaning of a USB device before each use."
      Uh, yea NO SHIT. I work for an ISP and any code deployments which have to be done via USB, flash, or any other removable media MUST be done using company-owned media devices, that media is completely sterilized and staged in a pre-production environment prior to actual deployment. Anybody who let a contractor use his own equipment for such a deployment would be sacked without a second thought, and for this type of critical system we wouldn't rely on an outside contractor in the first place. Whoever is in charge of their practices and network/IT policies needs to be fired immediately and replaced by someone who is at least halfway competent.
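
jkrise's step 3 (a non-auto-mounting Linux host that quarantines files before they go anywhere near the server) and the reply above (company-owned media, sterilised and staged before deployment) describe the same control. Here is an added example of what that staging step can look like in code; it is not code from either poster. It assumes the vendor publishes a SHA-256 manifest separately from the media, and the media paths and file contents are constructed:

```python
"""Removable-media staging check for an isolated Linux staging host.

Only files whose SHA-256 matches an approved manifest (received separately from the
media) are copied into a quarantine directory; autorun.inf, executables and anything
not on the manifest are refused. Added example, not code from the posters above.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Names and suffixes the staging host never forwards to the process network.
BLOCKED_NAMES = {"autorun.inf", "desktop.ini"}
BLOCKED_SUFFIXES = {".exe", ".dll", ".scr", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large firmware images do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def stage_media(media_root: Path, quarantine: Path, approved: dict) -> dict:
    """Walk the (manually, read-only) mounted media and sort files into accepted/rejected.

    approved maps a relative path to the SHA-256 the vendor published out of band.
    Accepted files are copied into quarantine; nothing is executed or opened.
    """
    report = {"accepted": [], "rejected": []}
    quarantine.mkdir(parents=True, exist_ok=True)
    for path in sorted(p for p in media_root.rglob("*") if p.is_file()):
        rel = path.relative_to(media_root).as_posix()
        if path.name.lower() in BLOCKED_NAMES or path.suffix.lower() in BLOCKED_SUFFIXES:
            report["rejected"].append(f"{rel}: blocked file type")
            continue
        expected = approved.get(rel)
        if expected is None:
            report["rejected"].append(f"{rel}: not in approved manifest")
            continue
        if sha256_file(path) != expected:
            report["rejected"].append(f"{rel}: hash mismatch")
            continue
        dest = quarantine / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copyfile(path, dest)
        report["accepted"].append(rel)
    return report


def build_sample_media() -> tuple:
    """Constructed sample: a vendor update folder plus the junk a worm leaves on a stick."""
    root = Path(tempfile.mkdtemp(prefix="media_"))
    (root / "update").mkdir()
    (root / "update" / "config.xml").write_bytes(b"<config version='1.2'/>\n")
    (root / "update" / "firmware.bin").write_bytes(b"\x00\x01modified")   # tampered copy
    (root / "autorun.inf").write_bytes(b"[autorun]\n")
    (root / "setup.exe").write_bytes(b"MZ")
    (root / "notes.txt").write_bytes(b"left behind by someone\n")
    # Manifest as the vendor would publish it; the firmware hash is for the untampered file.
    approved = {
        "update/config.xml": sha256_file(root / "update" / "config.xml"),
        "update/firmware.bin": hashlib.sha256(b"\x00\x01original").hexdigest(),
    }
    return root, approved


def run_demo() -> dict:
    """Stage the constructed media and return the report (temp dirs are removed afterwards)."""
    root, approved = build_sample_media()
    quarantine = Path(tempfile.mkdtemp(prefix="quarantine_"))
    try:
        return stage_media(root, quarantine, approved)
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(quarantine, ignore_errors=True)


if __name__ == "__main__":
    for outcome, entries in run_demo().items():
        print(outcome, entries)
```

The point of the manifest is that a modified firmware.bin is refused even though it has a legitimate name and lives in the right folder; an antivirus scan alone would not catch that. Running it on the constructed media accepts only update/config.xml and rejects the other four files with a reason each.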

    2. Re:Don't DEAL with problems, SOLVE them... by Anonymous Coward · · Score: 0

      1. Often impossible for software in question.
      2. See above.
      3. Autorun function is easily disabled on Windows, too. Additionally, Windows has had software restriction policies at least since Win2000. So, if USB storage was used as attack vector, someone from IT security department needs to be fired (and sued).
      4. And see your IT department drown in bureaucracy.

    3. Re:Don't DEAL with problems, SOLVE them... by Anonymous Coward · · Score: 0

      I'd ban WiFi

    4. Re:Don't DEAL with problems, SOLVE them... by thegarbz · · Score: 4, Interesting

      1. hahahahahahhahahahahah. Ok in all seriousness that is not only laughable but often actually simply illegal. The modern control world will often mandate some form of external data transfer live directly from the control system, and this is before taking into account satellite operated systems and other potentially unmanned sites. If you think that an airgap from other networks is the end of the discussion you've effectively made all your solutions unworkable in the industry.

      Much debugging is done over the network looking at live data trends.
      Much maintenance is done over the network through the use of smart instruments and asset management systems.
      Much analysis and improvement to processes, reliability analysis of critical machinery, and other such activities are done in a way which require some connection to the control system.

      Not to mention that airgap gives people a hell of a false sense of security.

      2. This is not only a good idea, but it's actually also a requirement by many vendors.

      3. Unworkable. Engineers will have your balls in a vice before you get through the commissioning phase. Mainly because you won't get through the commissioning phase as something will be wrong and there's no way to get data on or off the machine in question. The idea of locking it down to prevent autoruns is good. Providing sterilised USB keys for use is good too. Most of the problems are brought in from home, not transferred between work machines and the process network.

      4. WiFi ... on a process network? Dear god why! WiFi used for field devices should sit on their own isolated network with very careful and selective routing only to the aforementioned non-airgapped process network.

    5. Re:Don't DEAL with problems, SOLVE them... by Anonymous Coward · · Score: 1

      > Only allow machines with known, registered MAC addresses, after pre-auditing and authorising them.
      right. a 6 byte mac is such a strong protection measure.

    6. Re:Don't DEAL with problems, SOLVE them... by dkf · · Score: 1

      Only allow machines with known, registered MAC addresses, after pre-auditing and authorising them.

      right. a 6 byte mac is such a strong protection measure.

      Just because some people have lockpicks doesn't mean that you shouldn't put a lock on your front door. Same principle.

      Which isn't to say that the devices should then allow anyone on the network to connect — sane security is always in depth — but neglecting a simple measure that keeps a lot of trouble off the network is foolish. Most people inclined to try are just looking to get free networking, and don't care which network they use. Wireless MAC filtering is how you deal with them, along with implementing other orthogonal security measures like WPA2.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    7. Re:Don't DEAL with problems, SOLVE them... by Anonymous Coward · · Score: 0

      4) Faking a MAC on wifi is dead simple. This only adds a false sense of security and a lot of manual work - for no useful protection.

    8. Re:Don't DEAL with problems, SOLVE them... by Anonymous Coward · · Score: 1

      MAC filtering is useless. Anyone that gets that far can easily bypass the "security". The only thing it adds is a lot of manual labor to update - and hassle for users when it doesn't work correctly. (eg. typo, replaced wifi card, etc)

    9. Re:Don't DEAL with problems, SOLVE them... by marevan · · Score: 1

      What you're saying is, or at least SHOULD be, the standard in nuclear power plants (in Europe, dunno about USA NPP:s). The process network has no connections whatsoever to outside, or even to office network. USB-media is strictly forbidden. Mind you, the only thing to make sure of this (oversights and carelessness happen) would be filling the USB ports of all the computers with polyurethane. And wireless? IT Security will get in a shitstorm-mode even if you mention wireless anywhere else than in visitor network.

    10. Re:Don't DEAL with problems, SOLVE them... by Anonymous Coward · · Score: 0

      3) The network I work on is airgapped. We deal just fine with having to route all data transfer requests through security. Also, CD-Rs. USB keys are too easy to write to. We require the use of CD-Rs or DVD-Rs to transfer data. You can miss a virus infecting a USB drive, but not your CD burner (which is only installed at the 'CD Burner' desktop) spinning up. All CDs coming in require a virus scan.

      1) Meh. Insulating does not mean unnetworked. It's perfectly reasonable to have your secure network send information updates (but not READ BACK FROM) to a server which allows the outside world to read that data. Sending commands BACK is where you need to really watch it. If you do not have to allow this, don't.

    11. Re:Don't DEAL with problems, SOLVE them... by AmiMoJo · · Score: 1

      It must be nice working at a place where money is no object when it comes to security. For most places they will look at something like this and do a cost/risk analysis before deciding to just format USB drives before using them for deployment.

      Compared to the cost of setting up a secure staging area and doing proper security management simply recovering from occasional incidents like this is far cheaper. Plus they get free help from the government and look like the victims to most people.

      Security doesn't make economic sense unfortunately, which is why we always have to legislate it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re:Don't DEAL with problems, SOLVE them... by Anonymous Coward · · Score: 0

      I can't help but laugh at the infantile levels of thinking and ignorance that goes into slashdot comments about securing infrastructure systems.

      You have absolutely no idea of the complexity of these systems and their need to communicate across-site, across-town, across-county, across-region, across-country. You think that the power plant just guesses when it should increase or decrease power? Things tend to go Bang! if you screw that up.

      End of.

    13. Re:Don't DEAL with problems, SOLVE them... by dbIII · · Score: 1

      It used to be done like that - then middle management with MBAs in shouting wanted to show off instrument status displays to other MBAs in the comfort of their offices so that they could win pissing contests. That meant closing the air gap and letting dedicated p0rn surfing machines onto sensitive networks.

    14. Re:Don't DEAL with problems, SOLVE them... by Anonymous Coward · · Score: 0

      4) WiFi? Hate to disillusion you, that's pretty damn insecure unless you're piling something like SCADASAFE's algorithm in between the RTU and the monitor and control servers talking to the RTU. It's entirely too easy to bash through Pre-shared (rainbow code attacks ARE possible with FPGA hardware in hand...) and I seriously doubt you're using something slightly more robust like LEAP because that'd require quite a bit more hardware than most places are willing to field into an otherwise airgapped system. At least the Industrial wireless systems that are used with SCADA tend to have at least AES 128 bit symmetric key implemented on their hardware- which is actually much more robust than most WPA2 implementations.

    15. Re:Don't DEAL with problems, SOLVE them... by Svartalf · · Score: 1

      MAC filtering keeps the absolutely low pikers out. When I can sniff your MACs OTA and can spoof them trivially it means nothing. WiFi isn't a good answer for anything involved with SCADA- it's a disaster waiting to happen.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    16. Re:Don't DEAL with problems, SOLVE them... by Anonymous Coward · · Score: 0

      1) You're a fool. Airgapped means PRECISELY that. Anything else is NOT insulated. If you're sending things out, it can be hacked to be sent back the other way. If it's hooked into the corporate network, the ONLY realistic way is to have it going through a one-way NAT firewall. Even then, it's NOT "insulated"- it's got a shielded path. If, for any reason, there's an exploitable surface on your firewall (even a DoS is an exploitable surface) you're going to have serious issues with that design and you're going to have it taken down or worse. It's another attack surface that you'd not have if you were honestly insulated.

      Sure, it's inconvenient. Real security IS precisely that.

    17. Re:Don't DEAL with problems, SOLVE them... by aaarrrgggh · · Score: 1

      Eventually, configuration changes and updates are required. You would need a complete duplicate plant to really test the proposed updates; that generally isn't possible like it would be for a web server or even a banking system. Sure, you can test input and output, but you cannot see all of the complex interactions of the overall process. You cannot tune the process to real-world conditions either.

      As for the GP's comment on no remote access, what exactly do you suggest for non-manned sites? Smoke signals? You can argue that there shouldn't be unmanned sites... But 24x7x365 staffing? Do you need two people so one can go on their breaks/lunch/etc? Suddenly you have gone from something that easily fits into an existing employee's role to a $600k/year cost... Just to eliminate non-local access. There are some things where this is a drop in the bucket, but there are a whole lot of facilities that just barely make that much profit in a year.

    18. Re:Don't DEAL with problems, SOLVE them... by Anonymous Coward · · Score: 0

      3) Virus scan? Bwhahahaha! What if you've got a zero-day virus- the scanner's not going to catch it. It's better to use something with at least a few less vulnerabilities. I can assure you that you're still going to get zapped with this procedure. It's just slightly more difficult to do so. All you're doing is glossing over that Windows is a BAD choice for these sorts of systems.

    19. Re:Don't DEAL with problems, SOLVE them... by Locutus · · Score: 1

      because a few Linux stations for USB data staging, scanning and final file relocation onto the network is just so outrageously expensive...

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    20. Re:Don't DEAL with problems, SOLVE them... by AmiMoJo · · Score: 2

      Won't help. You still have to make sure people use them, and all the control software runs on Windows.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    21. Re:Don't DEAL with problems, SOLVE them... by Hatta · · Score: 1

      1. hahahahahahhahahahahah. Ok in all seriousness that is not only laughable but often actually simply illegal. The modern control world will often mandate some form of external data transfer live directly from the control system

      Easy enough. Dump it over a serial port which is never read from.

      and this is before taking into account satellite operated systems and other potentially unmanned sites.

      Again, easy enough. Network the unmanned control system to the manned control center, but leave the manned control center disconnected from any other networks.

      --
      Give me Classic Slashdot or give me death!
    22. Re:Don't DEAL with problems, SOLVE them... by Hentes · · Score: 1

      I wonder whether the power lines could be used for communication, as a separate intranet.

    23. Re:Don't DEAL with problems, SOLVE them... by Anonymous Coward · · Score: 0

      2. Do not install any software (OS, database or application) that needs to be activated from the outside, or auto-updated from the outside.

      Yesterday one of the topics was medical software and equipment - often there's few alternatives to choose from and they all require the machines to dial home for updates. So what do you do? Your need for the instrument is bigger than any possible security issues.

    24. Re:Don't DEAL with problems, SOLVE them... by Anonymous Coward · · Score: 0

      MAC filtering is not a lock on your door. MAC filtering is a sign on the door that says "Please knock before entering."

      Anyone who wants "free networking" badly enough to crack your WPA key is not going to be slowed down by a MAC whitelist.

    25. Re:Don't DEAL with problems, SOLVE them... by Locutus · · Score: 1

      so pour epoxy in the USB ports and last I checked, Windows still worked on a standards based TCP/IP network.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
    26. Re:Don't DEAL with problems, SOLVE them... by thegarbz · · Score: 1

      You have a very simplistic view of how complex these systems can be. What you're proposing may work for very small installations like gas wells or pipeline monitoring stations but it would be impossible to do over larger systems like electricity grids. The idea underlying your proposal is what is actively used in many large control systems. Have a satellite monitoring system (SCADA without the "control") and connect to the main control system via a one-way firewall. Then let people access that system via VPN.

      Also the ability to lay your own private network is often hampered, in which case you're back to firewall, VPN, and the internet to send your control signals, and not having fast control over a state/country wide grid is more dangerous to every day operations than the supposed risk of terrorist attacks.

    27. Re:Don't DEAL with problems, SOLVE them... by thegarbz · · Score: 1

      In the case of power companies they often run pilot cables and fibre with their HV cables when putting in new installations.

      It's the old ones that you need to worry about.

  4. Good by Anonymous Coward · · Score: 2, Insightful

    Good, if USBs are the infection route, then it probably means they've been smart enough to not connect these systems to the internet.
    Good, they're not screaming 'cyber war' and conflating script kiddies with the country of the p0wned PC that sent the infection.

    Bad, However, why have they left the USB ports open? And why are the ports autoexecuting this malware? I mean, even my Dad (82 years old) has the auto execute registry flag turned off. He can plug malware infected keys to his heart's content and it won't run. It's just really sloppy! You pay people to secure critical systems like this and they don't do their job, so you need to sack them and hire competent people instead.

    Well at least as competent as an amateur 82 year old.

    1. Re:Good by c0lo · · Score: 1

      Bad, However, why have they left the USB ports open?

      My guess? Tight budgets didn't allow for super-glue purchase.

      (ducks)

      --
      Questions raise, answers kill. Raise questions to stay alive.
    2. Re:Good by Anonymous Coward · · Score: 0

      [ quack! ]

    3. Re:Good by Locutus · · Score: 1

      this is the first time a USB device has been found to pass an infection on to a host computer.

      Sorry about all the coffee or Coke on your keyboard.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  5. ICSCERT? by jasmusic · · Score: 0

    U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

    What a long ass name for such a useless agency. Who gives a fuck about their opinions? What, do you think the government knows more about power plants than the fucking people who actually build them?

    1. Re:ICSCERT? by azalin · · Score: 2

      Well I'm not advocating this specific agency but
      a) Companies will not publish incident details, unless forced to in one way or the other. It is not in their, or their shareholders', best interest to be open about mistakes. The systems used are probably not unique and are in use by several other companies as well. So if a flaw/known attack vector exists, others should be warned, so they can secure them.
      b) A single incident is not a big deal, but what about ten, or a hundred? Power is a strategic resource in this country and must be treated as such.

  6. Apply hot glue by Anonymous Coward · · Score: 1

    To all the orifices of the employees who plug random usb stickies to supah secret guberment computators... ...and to the admins of the said machines.

  7. AutoIT by Anonymous Coward · · Score: 0

    I run IT security for an entire country for an aerospace company. The most prevalent virus that we've detected is some unsophisticated and annoying worm that spreads via removable media and network file shares; it's based off AutoIT. Luckily for us, sensitive areas don't even have USB controllers or have them disabled at BIOS level, so it's only prevalent in low security areas and they've all been caught by our IDS & IPS.

  8. Re: Fire him by Anonymous Coward · · Score: 4, Funny

    When firing him, make him walk past all the other employees lined up at the front doors, who turn their backs one by one as he passes them. And as he walks to his car, the slow-clap chant of "unclean, unclean, unclean" should be encouraged. And a hail of out of date McAfee trial disks thrown at his car as he drives away.

    No. It's not to punish him further, it's to reinforce acceptable group behaviour on those who remain.

    "We don't do this to you if you steal a laptop or a roll of copper wire. We don't do this to you if you sneak out at noon every day. This is the thing we do this for."

  9. Re:Why the hell by c0lo · · Score: 3, Interesting

    ... would any machine running Windows be attached to or associated with anything that was critical to the operation of a power plant?!

    Just in case you are scared about power plants failures - don't! There are much better things to be worried about.

    For example - only a bit more than 4 years ago, the UK Navy finished retrofitting its nuclear subs with... Windows XP and 2000! For sensors and weapons control no less. At the time, /.ers coined a new meaning for the BSOD.

    --
    Questions raise, answers kill. Raise questions to stay alive.
  10. Why are essential services organisations... by Anonymous Coward · · Score: 0

    ...running Windows at all? Seriously, that's just asking for trouble.

  11. Be careful of the back port by unix_core · · Score: 4, Funny

    I've heard the infection spreads more easily if you stick it in the port on the backside. I know for most people, it's a PITA to do that. You might have to get down on your knees and so on, though there are those who prefer it and for them it's especially important to use adequate protection.

    1. Re:Be careful of the back port by Pieroxy · · Score: 1

      I've heard the infection spreads more easily if you stick it in the port on the backside. I know for most people, it's a PITA to do that. You might have to get down on your knees and so on, though there are those who prefer it and for them it's especially important to use adequate protection.

      Yes, it's always more painful from behind, I agree.

    2. Re:Be careful of the back port by oodaloop · · Score: 0

      I'm still not sure if OP was trying to make the joke you did, or completely missed all those double entendres.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    3. Re:Be careful of the back port by hraponssi · · Score: 1

      you have to lube your stick

    4. Re:Be careful of the back port by Anonymous Coward · · Score: 0

      Both were making the joke, and YOU missed it...

      But then this is /., afterall...

    5. Re:Be careful of the back port by virgnarus · · Score: 1

      ...and for them it's especially important to use adequate protection.

      An anti-static wrist-strap?

    6. Re:Be careful of the back port by Anonymous Coward · · Score: 0

      Hi guys, I'm actually having some trouble with the rear port on my wife's hardware. Granted, it's fairly old and well used..... but when I insert my stick it isn't even detected. I used to use the same stick with my sister's unit when I lived at home, never had any detection issues. How do I tell if it's my device that's failing? Please advise........

  12. Re:Why the hell by inasity_rules · · Score: 2

    Because it is the industry standard and they would be fired for suggesting otherwise? Wake up, the world isn't full of perfect ideals.

    --
    I have determined that my sig is indeterminate.
  13. Re:Why the hell by oobayly · · Score: 1

    But "Windows for Warships" has such a great ring to it - much better than "Linux for Landlubbers".

  14. Well known tactic by PacRim+Jim · · Score: 2

    Hackers know that if you leave a dozen or so thumb drives around the parking lot of a target company, at least one person will be unable to resist looking to see what's on it.

  15. Headline wrong. by Anonymous Coward · · Score: 0

    Malware infects Windows OS through USB drives.

    Headlines like this are why we have the majority of our boxes running linux scanning for windows viruses. It's why we aren't allowed to stick USB drives into the Linux machines.

    I don't know why the people making standards for security never mention the elephant in the room: Windows.

    Almost every security restriction is due to how WINDOWS does things "for" you.

    1. Re:Headline wrong. by Anonymous Coward · · Score: 0

      It's why we aren't allowed to stick USB drives into the Linux machines.

      I guess you meant: "into the Windows machines"?

  16. Get this BS story out by Anonymous Coward · · Score: 0

    Welp folks, here's another "PROBLEM" story queued for the problem, reaction, solution machine.
    Fuckers are borrowing 42 for every 1 dollar and we have the DHS in opposition to the constitution stamping their name on mission creep everywhere they can find it.
    ICS-CERT didn't get any better by having DHS stamped in front of the name

    And so the psyop goes

    shouting down the street, "malware's in the primary control grid" until the jouralizts get ahold of it on ABC, BBC, CBS, FOX, PBS, NBC and get public outcry, oh we can't have these malware's in the primary control grid so we have to spy some more, and take away more rights, charge more, and degrade the existing services, More smart meters, that way we can tell which house had the USB stick they'll trot out complete fucking fantasy to get to the end of their means.

  17. repeat after me. Enron by decora · · Score: 1

    is the only organization to successfully shut down the power grid - and it did it with the help of the US government

    most of the people in it kept their profits and many went on to work in the subprime mortgage industry.

  18. Just disable USB drives through a machine GPO by benjymouse · · Score: 0

    http://www.techrepublic.com/blog/datacenter/disable-removable-media-through-windows-server-2008s-group-policy-configuration/452

    Really easy and simple. No need to script anything or to remove files from local systems.

    How would you do that in Linux (which has had *many* vulnerabilities in USB drivers in *kernel* space)?

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
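
The GPO route above leaves its mark in the registry of every host it applies to, which is also how you check that it actually landed. The following is an added audit script, not the TechRepublic procedure or benjymouse's code: it parses registry export text and reports which of the removable-storage and AutoRun settings are missing or set to a non-hardened value. The two exports are constructed samples, and the value locations are the ones the policies write as far as the author of this example knows them (verify against your own resultant set of policy):

```python
"""Audit a Windows registry export (.reg text) for the removable-storage and autorun
settings a hardening GPO should leave behind. Added example; the two exports below are
constructed, and the value locations are the ones the policies write, as far as the
author of this example knows them (verify against your own GPO result set).
"""
import re

# (key, value name) -> DWORD a hardened host should show.
REQUIRED = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices",
     "Deny_All"): 0x1,                      # "All Removable Storage classes: Deny all access"
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoDriveTypeAutoRun"): 0xFF,           # AutoRun disabled for every drive type
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR",
     "Start"): 0x4,                         # USB mass-storage driver disabled
}

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg(text: str) -> dict:
    """Return {(key, name): int} for every DWORD in a .reg export (keys/names lower-cased)."""
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1).lower()
            continue
        value_match = DWORD_RE.match(line)
        if value_match and key is not None:
            values[(key, value_match.group(1).lower())] = int(value_match.group(2), 16)
    return values


def audit(text: str) -> list:
    """List every required setting that is missing or wrong; an empty list means compliant."""
    values = parse_reg(text)
    findings = []
    for (key, name), want in REQUIRED.items():
        got = values.get((key.lower(), name.lower()))
        if got is None:
            findings.append(f"{name} missing under {key}")
        elif got != want:
            findings.append(f"{name} is {got:#x}, expected {want:#x}")
    return findings


# Constructed export from a host where the policy applied.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices]
"Deny_All"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004
"""

# Constructed export from a stock engineering workstation: no Deny_All, default
# AutoRun mask, USB storage driver still enabled on demand.
STOCK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000003
"""

if __name__ == "__main__":
    for label, export in (("hardened", HARDENED_EXPORT), ("stock", STOCK_EXPORT)):
        print(label, audit(export) or "compliant")
```

Real exports from reg.exe are UTF-16 with a BOM; decode them before handing the text to audit(). The stock workstation sample produces three findings, the hardened one none.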
  19. Reminds me of the second battle of Ypres by Anonymous Coward · · Score: 0

    When the Germans used poison gas with success, but couldn't advance because they hadn't invented gas masks yet. If you release a virus, you should be damn sure that you can defend yourself against it.

  20. A handful of tainted Windows machines .. by dgharmon · · Score: 1

    Do these handful of tainted machines run on Windows?

    --
    AccountKiller
  21. stuxnet by trexd___ · · Score: 1

    Isn't this similar to the time when Stuxnet invaded the Iranian nuclear power plant and was also infected through its PLCs? Man, I thought that would be warning enough.

    --
    accessing someones open account on facebook is not hacking
  22. porn.exe, Sexy.exe virus variants are most likely by mastagee · · Score: 1

    Seen several cases of this across several different companies. I would think that the power/utility company admins are subject to the same oversights that most are. This has been seen in several different variants, and the major AV vendors have trouble identifying it accurately.

    Main route of infection is via autorun.inf. It also spreads to all available drive letters, including external drives and network shares. Easy prevention would be to disable autoplay across the forest with a GPO. Windows XP machines are usually the culprit that allows the first infection. It goes through and hides and sets system attribs on folders (and sometimes changes permissions) on the network share (and any accessible drive letter) using the (domain) credentials of the currently logged in user. If that user has more access, more things get screwed up.

    Pain to clean up; to do it thoroughly, each machine must be scrubbed clean while disconnected from the network. Also, all USB drives should be scrubbed as well.

    Can't be sure that's what they were hit with, but I would not be surprised if this was it.
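As an added example (not code from any poster here), a small Python audit for the two points mastagee raises: it parses an autorun.inf for the directives that make Windows launch a file from a removable drive or share, and it checks whether a NoDriveTypeAutoRun policy value (the registry value a GPO sets to disable AutoRun) actually covers a given drive type. The sample autorun.inf is constructed; the drive-type bit values are the documented Windows ones.

```python
"""Audit autorun.inf launch directives and a NoDriveTypeAutoRun policy value."""
import configparser
import os

# Bits of HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
# \NoDriveTypeAutoRun, one per Windows drive type. 0xFF disables AutoRun
# everywhere; the classic default of 0x91 leaves removable drives enabled.
DRIVE_BITS = {
    "unknown": 0x01, "no_root_dir": 0x02, "removable": 0x04, "fixed": 0x08,
    "remote": 0x10, "cdrom": 0x20, "ramdisk": 0x40,
}

# Constructed sample, modelled on the autorun-based spreaders discussed above.
SAMPLE_INF = r"""[autorun]
; constructed example, not a real sample
open=RECYCLER\Sexy.exe
icon=%SystemRoot%\system32\shell32.dll,4
shellexecute=Sexy.exe
shell\open\command=Sexy.exe
shell=open
"""


def find_exec_directives(inf_text):
    """Return (key, target) pairs from [autorun] that cause a program to run."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(inf_text)  # option names are lower-cased by configparser
    hits = []
    if cp.has_section("autorun"):
        for key, value in cp.items("autorun"):
            # open=, shellexecute= and shell\<verb>\command= all launch a file;
            # icon=, label= and shell= (default verb) do not by themselves.
            launches = key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command"))
            if launches and value:
                hits.append((key, value.strip()))
    return hits


def audit_root(root):
    """Report launch targets in <root>\autorun.inf and whether each file exists."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, encoding="utf-8", errors="replace") as fh:
        hits = find_exec_directives(fh.read())
    return [(k, v, os.path.isfile(os.path.join(root, *v.split("\\"))))
            for k, v in hits]


def autorun_disabled(policy_value, drive_type):
    """True if NoDriveTypeAutoRun=policy_value disables AutoRun for drive_type."""
    return bool(policy_value & DRIVE_BITS[drive_type])
```

Run `audit_root` against the mount point of a suspect drive; a policy value that does not set the `removable` bit is the weak setting the comment warns about.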

  23. Management Failure by Lumpy · · Score: 1

    Why do the SCADA systems even HAVE accessible USB ports? What moron bought Dell PCs instead of rackmount systems with locking face plates?

    All of this is the fault of the Managers and upper managers of the facilities as well as the project manager that did not specify the PROPER EQUIPMENT for the systems.

    You can set up Windows to ignore USB memory devices; it's really easy if you have competent staff on hand that can do it.

    --
    Do not look at laser with remaining good eye.
    1. Re:Management Failure by Anonymous Coward · · Score: 0

      Why do the SCADA systems even HAVE accessible USB ports? What moron bought Dell PCs instead of rackmount systems with locking face plates?

      All of this is the fault of the Managers and upper managers of the facilities as well as the project manager that did not specify the PROPER EQUIPMENT for the systems.

      You can set up Windows to ignore USB memory devices; it's really easy if you have competent staff on hand that can do it.

      For all we know, the machine did have a locked cabinet, but the doofus with the USB stick had the key.

      Block USB mass storage if you like, but without proper training and procedures, the idiots will simply use a CD-R, or Dropbox, or an Ethernet crossover cable, or...

      You're on the right track. Management was the problem, for employing a technician who did not follow, or did not know to follow, safe practices.

  24. Only two? by tippe · · Score: 1

    Based on all of the other articles posted on /. regarding compromised corporate and military networks, it's amazing that these guys have limited the infection to only two computers. That's amazing! Way to go guys! Way to show up your peers! Bonuses for everyone (or at least the executives who I'm sure are the real heroes of this story)!

    </sarcasm>

  25. critical infrastructure endangered by... by Jawnn · · Score: 1

    ...failure to follow simple best practices. Nothing new here. Move along... move along.

  26. what about not using outside technicians by Joe_Dragon · · Score: 1

    What about not using outside technicians?

    So they can have more control over their work / pay for all hardware / software costs to make security right.

    Don't fire / ban the tech, who may be just following a script that may have just been to go to X website and download this file to a USB key that will be used for the updates.

    Also, that malware may have even come from a different system that was being updated with the same USB key at a different place.

  27. Ho-hum - The oldest attack vector by jtara · · Score: 1

    This is something new?

    I was working as a developer at a nuclear power station (S.O.N.G.S.) in the early 90's. The developer across the cubicle from me had a persistent "beeeping" problem with his PC, which he ignored. I asked him about it, and he said "the damn thing just beeps every now and then". He was pretty unconcerned about it. Like "yea, it beeps, so what?"

    Turns out it was a virus.

    The vendor that provided the PC was always very helpful. They were so helpful, that when a new BIOS update came out for the video cards they were using in some of the PCs, they helpfully went from desk to desk installing the BIOS upgrade - from an infected floppy disk.

    No idea if the virus ever made it off of developer PCs and onto more critical systems. I suppose the "if it goes in it doesn't come out, except in a barrel" policy for the Red Zone helped contain it. (I worked in Health Physics, so potentially this could have affected systems that measure and track worker dosage.)

  28. Re: Fire him by Feyshtey · · Score: 1

    And more often than not the message that is actually received is "Don't do whatever you have to do to make this backwards shithole actually operate on the outdated, broken kluge of a system that's been cobbled together by hogtied engineers over a generation of mismanagement. Just sit back, watch it collapse under its own weight and tell the bosses, 'I told you so....'."

    --
    "But we have to pass the bill so that you can find out what is in it,..." - Nancy Pelosi
  29. Nope, unfortunately. by Anonymous Coward · · Score: 0

    USB drives can't be put into Linux PCs because Windows uses Autorun on them.

    I don't know if they're afraid of pointing out Windows being insecure (therefore have to say "Don't use Windows" and get in a whole shitload of trouble because Microsoft doesn't like it) or whether they're just writing it that way because it isn't their problem.

  30. Why would you allow that by Anonymous Coward · · Score: 0

    We fill the USB ports with epoxy

  31. Malware as a commercial weapon... by Anonymous Coward · · Score: 0

    For an all-too-real but fictional take on this in a near-future corporate world...
    http://www.amazon.co.uk/A-joy-serve-company-ebook/dp/B004YTSZ5A/ref=sr_1_1?ie=UTF8&qid=1358450275&sr=8-1