Iranian Hackers Probe US Infrastructure Targets
Taco Cowboy points out reports in The Register and The Jerusalem Post (along with a paywalled article at the WSJ) that say "[Iranian hackers are] responsible for a wave of computer attacks on U.S. corporations, with targets including oil, gas and electricity companies. Unlike the cyber incursions from China, the goal of the Iranian attacks is sabotage rather than espionage. The cyber attacks are seen as attempts to gain control of critical processing systems. The attacks on oil, gas and power firms have so far concentrated on accruing information on how their systems work – a likely first step in a co-ordinated campaign that would eventually result in attacks aimed at disrupting or destroying such infrastructure."
Maybe launching destructive malware at Iranian infrastructure wasn't such a good idea.
Iranian IPs are responsible for a wave of port scanning on US IP ranges.
Why is it okay for the US to sponsor cyber attacks, but not the Iranians? If it is an act of war, then did Congress authorize the US act of war?
Iran is annoyed at Adobe's new subscription pricing model. They're just looking for some valid serial numbers for Photoshop so they can keep expanding their military prowess.
Faster! Faster! Faster would be better!
I don't understand. Is this actually a threat or is it just an attempt to break into some webservers/desktops? Why would the SCADA system controlling things like gas and power be connected to any machine with an Internet routable IP or that is able to connect to any machine with an Internet routable IP? Is it impractical to only use bright red network cables for Important Things and, in those situations where it's worth the compromise, traverse a wireless link or a leased line (i.e. phone system directly, not Internet) through a carefully configured VPN with more bright red cables on the other end? If you want access at your desk... another machine with bright red cables. And glue in all the usb ports. Power plants right? They don't do this do they? Why?
We have stopped maintaining our bridges and roads, and we have reduced infrastructure spending drastically. By the time you Iranians figure out how to destroy American infrastructure, there will be nothing left for you to destroy. Fools on you Iranians.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Okay, some questions.
Firstly, how do they know it was Iranian hackers? The linked article is the NYT reporting US officials as saying that the attacks came from Iran, and that the attacks could not be carried out without the regime's knowledge. Not a direct quote, btw - a paraphrasing of something a government official said, paraphrased by the reporter, and punched up by the editor for more impact.
Yet The Register's first line reads: "Iranian hackers are launching state-sanctioned attacks on US energy firms and hope to sabotage critical infrastructure by targeting industrial control systems, according to American officials."
There's a difference between attacks originating in Iran and attacks sponsored by the regime. Also, it's difficult at best to determine the origin of an attack - are they sure these attacks weren't proxied *through* Iran?
Secondly, how do they know that the goal is sabotage, when no sabotage has actually occurred? How do they know that this isn't just some bot herders trying to find more spam outlets? Certainly "accruing information on how their systems work" sounds more like a port scan or a vulnerability scan - which would be the first step regardless of the intent.
This is high-octane scare mongering. Be afraid, everyone! Don't use logic, let your emotions guide your opinions!!!
"We need to start this war with Iran. No one believes they have a bomb, and we've been saying they're 2 years away, since 1997. I know! Tell Cybercommand to "probe" US infrastructure, hopping from all the compromised router firmware, behind Iran's BGP space.
Give the story to Jerusalem Post - from "official sources". Don't worry about "leak prosecutions". We'll reserve those for the nosy bastards who try and discover that this is how we operate."
"Flyin' in just a sweet place,
Never been known to fail..."
The big question is why "critical" infrastructure is tied directly to the internet?
Why not? "Critical" does not mean "vulnerable". IAAESE*. It is not that hard to create a system that is not "hackable" in a dangerous way. You just need to design in multiple levels of safety:
1. Top level GUI
2. Control system running in a separate process, that sanity checks any input from the GUI.
3. A firmware monitor running on a hardened 8-bit processor (8051, AVR, etc.), that runs a watchdog timer and scans the system to ensure all parameters are within safe limits.
4. Mechanical interlocks, governors, brakes, fuses, etc.
I have read plenty of stories about how hackers will drop elevators full of passengers into the basement, and turn traffic lights "all green". But anyone that works on those systems will tell you that it is all baloney. It is physically impossible to do that from software. That kind of sabotage would need at least a crowbar and a soldering iron.
I think that what is really going on is the industry is promoting these scare stories in the hope of getting government pork dollars to "fix the problem".
* I Am An Embedded System Engineer.
The real question is which of the following is going to happen first:
Why hasn't someone made a sitcom about this yet?
When you extrapolate
1) the increasingly-vaguely-worded and -legally-authorized reach of national governments to act in what might be defined broadly as "military" ways wherever they see fit
2) plus the ever-increasing capabilities of non-state actors (some call them terrorists, when it's convenient) and the state-sponsors that back them, not to mention the actual inability of states to closely control these assets
3) the (current) ability to execute such actions through proxies/remotely/etc such that they are nearly perfectly anonymous
4) and the increasingly brittle infrastructure of a modern, interconnected, INTEGRATED data- and electronically-driven (mostly Western) society.
The intersection of these lines seems inevitable: a non-state actor (perhaps sponsored by a state, whether or not this specific action IS sponsored/authorized) is going to accomplish something really heinous, like a Chernobyl-level meltdown, or perhaps the destruction of the electrical grid across the East Coast of the US (something that costs $billions and/or thousands+ of lives).
What happens then? If the US is catapulted into a paroxysm of 10 years of war over the relatively puny-but-showy 3000 deaths of the WTC attack, what would we do if that casualty number was 20,000? 100,000?
"Someone will need to pay dearly" would seem to be the logical response of this otherwise-torpid democracy. But what if we don't know who that is, or (almost worse) are only "pretty sure" we know who it is?
-Styopa
I have read plenty of stories about how hackers will drop elevators full of passengers into the basement, and turn traffic lights "all green". But anyone that works on those systems will tell you that it is all baloney. It is physically impossible to do that from software.
Yes, the elevator thing is silly as they've all had mechanical safety features since the days of Elisha Otis. If by turning traffic lights all green you mean in both directions, then that's also probably silly. That doesn't mean that all scenarios, including the damage from the interruption of certain services, are silly.
Nobody cares about your propaganda. Everyone knows USA is doing exactly the same, if not at an even larger scale.
Signature intentionally left blank.
The steps you mention are good ones, but an air gap is still a very good step in that defense in depth approach.
Maybe in some situations. In others it can make the situation worse. If you disconnect everything, and have to send out a truck to make an adjustment at a substation, then you have a problem when there is a big storm and not enough trucks. For most sensibly designed systems, disconnecting from the network will likely cause more problems than it will prevent.
However, they don't necessarily guard against interruption of service.
I once worked on a control system for a hydroelectric dam. The software could adjust the gates to control the flow of water to adapt to electrical demand, but only within certain limits, which were set depending on expected demand. To go outside those limits, a worker had to manually extract and reinsert a steel rod. It is also common in coal/gas/nuke plants to require manual intervention to shutdown a generator, or even reduce the power into the "brown-out" zone. Since that is something that will almost never need to happen, requiring manual intervention is reasonable. Designing a system to prevent a denial of service is harder than just preventing catastrophic failure, but it is still possible.
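The layered design from the earlier post (a control process that sanity checks GUI input, plus an independent monitor that holds parameters within safe limits) and the dam controller just described (software limits set by expected demand, manual action needed to go beyond them) fit in one added example. This is constructed illustration code, not the thread's or any plant's software; the gate-position model, the `Envelope` limits and every number in it are assumptions.

```python
"""Added example (not code from the thread or any plant): two of the layers
described above. A control layer sanity checks each GUI request against a
demand-dependent envelope, beyond which only an on-site manual action is
accepted; an independent monitor trips on hard limits or a stalled heartbeat.
All numbers are made up."""
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Envelope:
    min_pct: float    # lowest gate opening the day's schedule allows
    max_pct: float    # highest the schedule allows
    max_step: float   # largest change accepted from a single command

class GateController:
    """Control-system layer: never trusts the GUI's own validation."""
    def __init__(self, envelope: Envelope, position: float):
        self.envelope, self.position = envelope, position
        self.manual_override = False   # only a physical action on site sets this

    def request(self, target) -> str:
        """Apply a GUI setpoint or return the reason it was refused."""
        env = self.envelope
        if not isinstance(target, (int, float)) or math.isnan(target):
            return "rejected: not a number"
        if not 0.0 <= target <= 100.0:
            return "rejected: physically impossible"
        if abs(target - self.position) > env.max_step:
            return "rejected: step too large"
        if not self.manual_override and not env.min_pct <= target <= env.max_pct:
            return "rejected: outside schedule envelope"
        self.position = float(target)
        return "ok"

class SafetyMonitor:
    """Independent layer (the thread's hardened firmware monitor): reads only
    a measured value and a heartbeat, and cannot be told to relax its limits."""
    def __init__(self, hard_min: float, hard_max: float, heartbeat_timeout: float):
        self.hard_min, self.hard_max, self.timeout = hard_min, hard_max, heartbeat_timeout
        self.last_beat, self.tripped = 0.0, False

    def heartbeat(self, now: float) -> None:
        self.last_beat = now

    def check(self, measured: float, now: float) -> bool:
        # True while running; once tripped it stays tripped until reset on site
        if not self.hard_min <= measured <= self.hard_max:
            self.tripped = True    # outside safe limits: fail safe
        elif now - self.last_beat > self.timeout:
            self.tripped = True    # controller stalled or killed
        return not self.tripped
```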
I'm not an embedded system engineer, but I've done a system for low speed monitoring which has worked out well, allowing for information to be obtained, but keeping the private stuff private. It isn't a 100% perfect solution, but for a lot of needs, it functions well.
Create two network segments, one "public" in the sense that it is connected somehow to the Internet, and one "private" in that it has no connections.
Place two machines on each subnet. They are connected by a null-modem cable with a set of Tx/Rx pins cut, so no traffic can flow back from the public subnet to the private one.
From there, one can use syslog or some other item to cat text data to the serial port on the private network, then on the public side, have something that constantly reads from it to a file.
Yes, this is slow (115200 bits max), but no matter how pwned the system on the receiving, public side winds up, an attack to the private network isn't going to happen without someone onsite to breach the gap.
Of course, there are variants of this that can be considered less secure: Two machines sharing the same iSCSI target that writes logs, and the one on the public network has read-only access while the public one has read-write.
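One consequence of cutting the return pins is that the public side can never ask for a resend, so a corrupted or dropped line has to be detected rather than recovered. The added example below (not the poster's setup or any product) frames each log line with a sequence number and a CRC before it goes down the serial link, and the receiver flags bad lines and gaps instead of silently writing garbage; the bytes are a constructed stream here, where in practice they would be read from the serial device.

```python
"""Added example: framing for log lines sent over a one-way serial link.
Sender (private side) wraps each line as seq|payload|crc32; receiver
(public side) reassembles frames from an arbitrary byte stream, rejects
anything whose CRC fails, and counts sequence gaps. Constructed code."""
import zlib

def frame(seq: int, line: str) -> bytes:
    """Sender side. `line` must not contain a newline (the frame delimiter)."""
    body = f"{seq}|{line}".encode()
    return body + b"|%08x\n" % zlib.crc32(body)

class Receiver:
    """Public side: the only thing it can do about damage is record it."""
    def __init__(self):
        self.buf = b""
        self.expected = 0                 # next sequence number we hope to see
        self.good, self.bad, self.gaps = [], [], 0

    def feed(self, chunk: bytes) -> None:
        """Accept any slice of the stream; a frame may be split across calls."""
        self.buf += chunk
        while b"\n" in self.buf:
            raw, self.buf = self.buf.split(b"\n", 1)
            self._handle(raw)

    def _handle(self, raw: bytes) -> None:
        body, sep, crc = raw.rpartition(b"|")      # CRC is after the last pipe
        seq_s, sep2, payload = body.partition(b"|")  # payload may itself contain pipes
        try:
            ok = sep and sep2 and int(crc, 16) == zlib.crc32(body)
            seq = int(seq_s)
        except ValueError:
            ok = False
        if not ok or seq < self.expected:
            self.bad.append(raw)              # corrupted or replayed: never trust it
            return
        if seq > self.expected:
            self.gaps += seq - self.expected  # lines lost on the wire, unrecoverable
        self.expected = seq + 1
        self.good.append(payload.decode(errors="replace"))
```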
Thank you for contributing to the overall naive attitude American industry has for securing critical systems.
You're welcome. But my experience is that the people that design and operate critical systems are not at all naive. They have a very good appreciation for the risk. Let's look at some numbers:
Number of Americans deprived of power in the last year because of lightning: millions.
Number of Americans deprived of power in the last year because of flooding or storm surges: millions.
Number of Americans deprived of power in the last year because of TERRORISM: zero.
So maybe TERRORISM isn't really as big a problem as you think. Or maybe industry is already doing a pretty good job of securing their systems. Maybe we should focus our efforts on building robust, fault-tolerant systems that will stand up to any source of problems, rather than focusing just on things like "air gaps" that only prevent the (so far) non-existent problem, while making it harder to deal with real problems like natural disasters.
No one believes they have a bomb,
Iran nuclear report: IAEA claims Tehran working on advanced warhead
Your "anti-Zionist" / anti-Israeli trolling does grow tedious at times.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
Well when I get to dislike various Muslim nations without being accused of being anti-Islam, then we can have a discussion.
A discussion can be had right now. Both statements are illogical.
Filthy, filthy copyrapists!
My problem with Israel is their treatment of the Palestinians and their continued creation of illegal settlements. It has nothing to do with their religion.
"What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
You are the troll. And a very low-value poster. The Guardian link refers to a nano-diamond creation device supplied by Russia for industry, and which "western" intelligence tried to spin as related to weapons research. Here is the thorough debunking from Moon of Alabama. The "reporting" on nano diamonds was spanked SO BADLY by this blog, that all traces disappeared from press and punditry before November ended.
The whole issue is a misrepresentation of the highest order - from 11/11. Let me update you, with an analysis that is independent, not mere military/government stenography. Concerning the IAEA findings more recently, in August of 2012:
IAEA: Iranian "Nuclear Danger" Decreased
The International Atomic Energy Agency (IAEA) just released its most recent report (GOV/2012/37) on the state of Iran's nuclear program.
As usual this report is used to hype up the "nuclear Iran" scare. The London Times even headlines Iran is stockpiling weapons grade uranium, a new reported finds (sic) which is completely false as even its own report below that headline says:
Not only is any Uranium Iran has below weapons grade but, according to the new IAEA report, Iran has today less enriched Uranium that could quickly be converted into a nuclear weapon than it had in May 2012, the time of the IAEA's last report (GOV/2012/23) on the issue.
Critics of Iran's nuclear program are most concerned with the Uranium Iran enriches to a level of 20% U-235 isotope. This enriched Uranium, critics say, could be quickly enriched further to up to 95% and then be used to manufacture a nuclear explosion device.
But enriched Uranium can have several forms. For enrichment natural Uranium is converted into Uranium hexafluoride (UF6) and, slightly heated and under pressure, fed as a gas into centrifuges to separate out the U-238 isotopes. This increases the content of U-235 isotopes needed for nuclear reactions. The enrichment product with 20% U-235 is still in the form of UF6 which could be again fed into a centrifuge cascade for even higher enrichment levels.
But UF6 is not usable as nuclear reactor fuel. For reactor use the UF6 has to be converted into Triuranium octoxide (U3O8) and from there into Uranium dioxide UO2. These can be formed into fuel elements to be fed into a reactor. Once this is done there is no easy and quick process to convert these fuel elements back into UF6 for further enrichment. Enriched UF6 once converted into U3O8 and UO2 fuel plates is thereby not directly usable for producing bomb grade uranium and of little proliferation concern.
Iran needs fuel elements with 20% enrichment level for the Tehran Research Reactor (TRR) to produce nuclear isotopes for medical purposes.
According to the May 2012 IAEA report Iran had, at that time, enriched 110.1 kg 20% enriched UF6 at the Pilot Fuel Enrichment Plant (PFEP) in Natanz and 35.5 kg 20% UF6 in the Fuel Enrichment Plant (F
"Flyin' in just a sweet place,
Never been known to fail..."