Slashdot Mirror


Chinese Hackers Infiltrate US Army Database, Compromise Safety of Dams

coolnumbr12 writes "Chinese hackers have infiltrated a sensitive U.S. Army database that contains information about the vulnerabilities of thousands of dams located throughout the United States. The U.S. Army Corps of Engineers' National Inventory of Dams (NID) has raised concerns that information gathered in the hack could help China carry out a cyber-attack on the national electrical power grid."

17 of 256 comments

  1. What Information? by Alex Pennace · · Score: 4, Insightful

    From the article it isn't clear exactly what information was deemed sensitive. Does this information include very specific details (like, "here is the password to that plant's SCADA system")? Or does it cover broader details that the public had free access to prior to the September 11 attacks, such information now being withheld as "critical infrastructure information?"

    1. Re: What Information? by xQx · · Score: 4, Insightful

      Meaning the three most effective ways to gain access are:
      1. Take high res photos of people's desks as you walk past and read and use the passwords that will be written on yellow sticky notes around the place.
      2. Steal someone's phone or diary and look for the passwords they've noted in their contacts or notes.
      3. When you find the password, which will be something like "skldjfsldfjsklfjsf!@*(#3-Feb13" and it's now 30 days later, try "skldjfsldfjsklfjsf!@*(#3-Mar13" or "skldjfsldfjsklfjsf!@*(#3-Mar14"

      Because at the end of the day a human needs to remember these ridiculous passwords, and they will revert to either writing it down or using a pattern.

    2. Re: What Information? by rahvin112 · · Score: 4, Insightful

      The human memory thing is why we should have moved to pass phrases a LONG time ago. You can get far more entropy with a phrase than you can ever get with a password, no matter how complex.

      A simple four word phrase with capitalized words and some punctuation would easily have 4x the number of characters as that impossible to remember 15 letter password. And as you noted, 30 day changes ensure there is a date, or number that allows the use of the same password with a slight variation.
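
The date-suffix rotation habit described in the two comments above can be caught at password-change time, when the change form already has both the current and the proposed password in hand. The sketch below is an added example, not code from the thread or from any system it discusses; the function names and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Month names users tend to append when forced to rotate (longest forms first
# so "march" is not consumed as "mar" + "ch").
_MONTH_RE = re.compile(
    r"january|february|march|april|june|july|august|september|october|"
    r"november|december|sept|jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec")
_DIGITS_RE = re.compile(r"\d+")


def skeleton(password):
    """Lower-case the password and collapse month names and digit runs to
    placeholders, leaving only the part the user actually has to remember."""
    s = _MONTH_RE.sub("\x01", password.lower())
    return _DIGITS_RE.sub("\x02", s)


def is_rotation_variant(old, new, threshold=0.85):
    """True if `new` is `old` with only the date/counter part changed, or is
    otherwise nearly identical once those parts are ignored."""
    a, b = skeleton(old), skeleton(new)
    if a == b:
        return True
    return SequenceMatcher(None, a, b).ratio() >= threshold


if __name__ == "__main__":
    # The first three strings are the ones quoted in the thread; the last
    # candidate is a constructed passphrase.
    old = "skldjfsldfjsklfjsf!@*(#3-Feb13"
    for candidate in ("skldjfsldfjsklfjsf!@*(#3-Mar13",
                      "skldjfsldfjsklfjsf!@*(#3-Mar14",
                      "Copper Lantern, Drifting; Northward"):
        verdict = "reject" if is_rotation_variant(old, candidate) else "accept"
        print(f"{verdict}: {candidate}")
```

Because the comparison runs on the plaintext pair supplied in the change request, it needs no stored password history beyond the usual hash.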

  2. Oh yeah, that's a great idea by MichaelSmith · · Score: 1, Insightful

    Destroy the economy of your biggest customer. That's a great way to stay in business.

    1. Re:Oh yeah, that's a great idea by Genda · · Score: 4, Insightful

      Yeah, because the Chinese have bases in countries all over the world... Oh, wait that's us. No, it's the Chinese who are spending themselves into oblivion on weapons of war... Oh, wait, that's us again. We spend more on our military than the next 13 nations combined (but we can't afford to educate our children... bright.) I dunno, perhaps if we moved from offense to defense, these things wouldn't be issues?

      Just a thought.

    2. Re:Oh yeah, that's a great idea by Sardaukar86 · · Score: 3, Insightful

      The issues with the US education system do not appear to be the result of insufficient funding.

      --
      ..Mullah or Pope, Preacher or Poet, who was it wrote: "Give any one species too much rope and they'll fuck it up"?

  3. Lazy execs or engineers? by grantspassalan · · Score: 3, Insightful

    I don't understand why anyone would want to connect really important things such as power plants and dams to the Internet. We have been running such things for about a century now and they work just fine. Anything behind a barbed wire fence should never be connected to the Internet. Why do people do this? Just for the convenience of some fat executive or lazy engineer who doesn't want to get his fat @$$ out of his office and see what is really going on with the machinery?

    --
    A sufficiently advanced simulation is indistinguishable from reality.

    1. Re:Lazy execs or engineers? by Karl Cocknozzle · · Score: 4, Insightful

      I don't understand why anyone would want to connect really important things such as power plants and dams to the Internet. We have been running such things for about a century now and they work just fine. Anything behind a barbed wire fence should never be connected to the Internet. Why do people do this? Just for the convenience of some fat executive or lazy engineer who doesn't want to get his fat @$$ out of his office and see what is really going on with the machinery?

      The issue isn't that individual devices are connected to the Internet per se, the problem is that many of these networks are not designed to isolate the sensitive systems from "vanilla" office computers. The problem is people in operations centers need access to weather, news, etc., and while they have news channels on a video wall with various other readouts, sometimes they need to confirm stuff. If it really is going to freeze suddenly, that will require extra capacity as heaters, water heaters, and engine block-heaters get switched back on by some people.

      They could run parallel LANs, with separate workstations and networks for the "sensitive" operational machines and the "regular" vanilla workstations where people do email and crap.

      The risk is at the touch points, and good luck shutting them all down. How will the administrators receive alerts if the "sensitive" systems can't send SNMP pops to a monitoring system outside the virtual-wire--or to one inside of it that then emails you outside the wire? At some point, PEOPLE become the touch point and sneaker net with USB tokens becomes a problem. You can shut down and cement over the USB ports but some applications require dongles somewhere and eventually something gets plugged into something and autorun.exe happens and the next thing you know, they're hacked by Chinese.

      This problem runs many, many layers deep. If only "unplugging it" was that easy.

      --
      Who did what now?

  4. Not the hack compromises the safety by gweihir · · Score: 5, Insightful

    The vulnerabilities of the dams are the real problem, but for some reason the government prefers to lie about that. Most of these vulnerabilities are probably pretty obvious to an expert (and, yes, the Chinese have experts on dams and these can go to the US for vacation), so hiding these problems is pretty stupid in the first place.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.

  5. Re:All your dam are belong to us! We now take wate by Genda · · Score: 3, Insightful

    That's because if we actually made too big a stink, we'd have to deal with the dirty deeds we did in the first place to prompt such a response and the last thing we really want to do is to begin airing our dirty laundry. Grumbling under our breath about what a bunch of douches the Chinese are is about as far as we can go without having to scrape large amounts of egg off of our collective faces.

  6. Public Information by edibobb · · Score: 4, Insightful

    The U.S. Army Corps of Engineers doesn't keep classified information on civilian projects online, do they? Electrical distribution control systems are not accessible over the internet, are they? It looks to me like someone, whether Chinese, Lebanese, or Portuguese, got some not-so-sensitive information from the Corps of Engineers site, and the U.S. government is using it in its publicity campaign to pass laws giving the government (gasp!) more control over the internet.

  7. Re:how is this not an act of war? by Anonymous Coward · · Score: 4, Insightful

    How about the Iranian scientist who was assassinated? People thought it was CIA/Mossad, but it turned out that he was working undercover for the US, and was assassinated by the Iranian intelligence service.

    By your logic, that single event should exonerate the US for any future occurrences of assassination inside Iran.

  8. Re:Been going on for at least a decade by WGFCrafty · · Score: 4, Insightful

    “I know not what weapons world war III will be fought with, but world war IV will be fought with sticks and stones.” Albert Einstein

  9. Re:This crosses one of Obama's famous red lines. by davester666 · · Score: 4, Insightful

    Yes, we might stop letting them lend us money!

    --
    Sleep your way to a whiter smile...date a dentist!

  10. Re:how is this not an act of war? by cold fjord · · Score: 4, Insightful

    So there was no hacking involved. Simply someone handing out a password to a database to someone else who was not authorized.

    It's called social engineering, and it is a well recognized hacking technique used in some infamous cases.

    Since someone in the US Army or someone the Army authorized handed over the credentials you can hardly call it an act of war.

    War, no. But it is still espionage apparently conducted by one of the last countries controlled by a Communist government whose officials periodically make public statements about attacking the United States with nuclear weapons.

    The nature of the information they sought access to, and apparently obtained, isn't benign.

    Dam - Sensitive Army database of U.S. dams compromised

    . . . The database categorizes U.S. dams by the number of people that would be killed if a dam fails. They include “significant” and “high” hazard levels. . .

    “In the wrong hands, the Army Corps of Engineers’ database could be a cyber attack roadmap for a hostile state or terrorist group to disrupt power grids or target dams in this country,” Van Cleave said in an email.

    Gen. Keith Alexander, commander of the U.S. Cyber Command, warned in a 2011 speech that cyber attacks were escalating from causing disruptions to actual destructive strikes, including cyber attacks on hydroelectric dams.

    Alexander provided what he said were indirect examples of two types of anticipated cyber attacks. . . The second involved the catastrophic destruction of a water-driven electrical generator at Russia’s Sayano-Shushenskaya dam, near the far eastern city of Cheremushki, in August 2009. One of the dam’s 10 650-megawatt hydro turbine generators, weighing more than 1,000 tons, was mistakenly started by a computer operator 500 miles away.

    As a result, the generator began spinning, rose 50 feet in the air, and exploded, killing 75 people and destroying eight of the remaining nine turbines at the dam. . . more

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell

  11. Re:how is this not an act of war? by Anonymous Coward · · Score: 2, Insightful

    Not necessarily. There are many, many insecure servers and desktops in China and Taiwan; the language barrier, reliance on Windows XP, high rate of piracy (meaning patches rarely get applied) all combine to make it a humungous petri dish for malware and botnets. If you were trying to cover your tracks, it'd be the logical place to vector your probes and attack through.

  12. Re:Real reason by cold fjord · · Score: 4, Insightful

    In this case you would get more insight from a calculator or spreadsheet than from cynicism. The US Cyber Command budget isn't that large compared to either the Air Force budget or the DoD budget. Finding some justification to bump it up wouldn't make much difference - it isn't going to be the tail that wags the dog.

    Misplaced cynicism can also mislead you by pointing you in the wrong direction, as above. If you started digging into the question of Chinese espionage against the United States, you would quickly and easily learn that it is a huge effort against wide ranging targets. Why you would think this relatively minor event is in some way inconsistent with the total Chinese effort, and therefore not real, is baffling. Interesting who you effectively trust.

    China also has more than 3,000 front companies in the U.S. “for the sole purpose of acquiring our technology,” . . .
    Inside the Chinese Boom in Corporate Espionage
    Chinese Army Directing Cyber Espionage Against Western Businesses
    China military unit 'behind prolific hacking'
    The China Problem

    --
    much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell