Hacking Group Linked To Chinese Army Caught Attacking Dummy Water Plant
holy_calamity writes "MIT Technology Review reports that APT1, the China-based hacking group said to steal data from U.S. companies, has been caught taking over a decoy water plant control system. The honeypot mimicked the remote access control panels and physical control system of a U.S. municipal water plant. The decoy was one of 12 set up in 8 countries around the world, which together attracted more than 70 attacks, 10 of which completely compromised the control system. China and Russia were the leading sources of the attacks. The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."
The plant is real and the headline is a cover up/reverse sneak - because panic. But hey, if it turns out to be a honeypot, don't expect it to work twice :)
Why are critical systems on the 'net?
They functioned perfectly 30 years ago without the internet...
CAPTCHA = 'yourself'
Spoof the interface to make the attackers believe they are attacking a foreign industrial plant.
In reality, they are attacking the utility plant located down street based on WiFi location.
The main purpose of the honeypot system is to obfuscate the true location of the target (the attackers' own infrastructure).
Then watch hilarity ensue.
Defense systems would be great. You could get countries to nuke themselves using their own cyber ops team.
"The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."
Uhhhhhh Stuxnet was an exploit of Siemens' industrial control systems which regulated the RPMs of centrifuges....
Have gnu, will travel.
While I personally think that's awesome, how is that legal?
In part, perhaps because 30 years ago the advantages of/needs for large scale efficiency and coordination weren't so great as today? Isolated systems may have higher operations costs and may not efficiently integrate into big systems, but they tend to have few or no remote attack vulnerabilities. Bottom line: economics favor connected systems, and anything on the net can be pwned.
This is just one more example of why critical systems should never be connected to the internet. There should always be an air gap.
"The researcher behind the study says his results provide the first clear evidence that people actively seek to exploit the many security problems of industrial systems."
The first, eh? I guess he hasn't heard of the tools included in such common distros as BackTrack. Why do you suppose SCADA exploitation apps are in there?
"If any question why we died, Tell them because our fathers lied."
RTFA. Yes, IP addresses are easily spoofed, and provide essentially no information on the target. That is, in fact, why more information than that was gathered, using the nature of the honeypot in question to gather additional data from the attacking machines. I suspect that it would be possible to configure your system and network in such a way as to spoof the nature of your own local network configuration so that a counterattack of this nature would reveal misleading information about your locality... but the nature of the attacks, and the response to them, make this exceedingly unlikely. tldr; yeah, it was people in China and Russia, and there's proof. Still doesn't mean that their governments were involved, of course.
and now the PHB saves big by remoting it out to one office.
Pooh sets up a honeypot; finds most attacks come from himself and bees. Oh bother.
As somebody who left the network / sysadmin business before the attacks started from the inside (send enough malware to everybody inside a company and you will get lucky at a certain moment), how would you protect it best?
Airgap it (or properly firewall it), and people will complain about the costs of duplicate infrastructure, remote support from vendors will be a pain etc.
Monitor the network and spot anomalies, it's a hard task but could be the way to go. Except that you need skilled people there (not saying that there aren't, my experiences in a TAC shows that there aren't many).
Letting the attackers waste time in a honey-pot while your own network is isolated? At least you learn from it and you give them a false sense of victory.
What is wisdom, any thoughts?
bash$
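The "monitor the network and spot anomalies" option in the post above is the one that needs the least new hardware but the most thought about what an anomaly actually is. The following is an added example, not code from the article or from the honeypot study: it reads constructed remote-access login records (the format, the operator names and the addresses are all made up for the demo), learns a baseline of known operator/source pairs and working hours from the first couple of days, and then flags three things on later days: logins from a source never seen for that user, successful logins outside the baseline hours, and repeated failures from one source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the article): a remote-access control panel
# logging operator logins. Two quiet days, then an off-hours intrusion attempt.
SAMPLE_LOG = """\
2013-08-01 08:02:11 login user=operator1 src=10.20.1.15 result=ok
2013-08-01 14:30:45 login user=operator2 src=10.20.1.16 result=ok
2013-08-02 07:55:03 login user=operator1 src=10.20.1.15 result=ok
2013-08-02 15:10:27 login user=operator2 src=10.20.1.16 result=ok
2013-08-03 03:12:09 login user=operator1 src=203.0.113.77 result=fail
2013-08-03 03:12:31 login user=operator1 src=203.0.113.77 result=fail
2013-08-03 03:13:02 login user=admin src=203.0.113.77 result=ok
2013-08-03 09:01:44 login user=operator2 src=10.20.1.16 result=ok
"""

LINE_RE = re.compile(r"^(\S+ \S+) login user=(\S+) src=(\S+) result=(\S+)$")


def parse_log(text):
    """Turn the constructed log lines into event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "user": m.group(2),
            "src": m.group(3),
            "ok": m.group(4) == "ok",
        })
    return events


def build_baseline(events, days):
    """Known (user, source) pairs and the working-hour window, learned from
    successful logins in the first `days` days of the log."""
    start = min(e["ts"] for e in events).date()
    pairs, hours = set(), []
    for e in events:
        if e["ok"] and (e["ts"].date() - start).days < days:
            pairs.add((e["user"], e["src"]))
            hours.append(e["ts"].hour)
    return {"start": start, "days": days, "pairs": pairs,
            "hour_min": min(hours), "hour_max": max(hours)}


def find_anomalies(events, baseline, fail_threshold=2):
    """Evaluate events after the baseline period; returns (timestamp, kind, src)."""
    alerts = []
    fails = defaultdict(int)
    for e in events:
        if (e["ts"].date() - baseline["start"]).days < baseline["days"]:
            continue  # baseline period itself is not scored
        stamp = e["ts"].strftime("%Y-%m-%d %H:%M:%S")
        if not e["ok"]:
            fails[e["src"]] += 1
            if fails[e["src"]] == fail_threshold:  # alert once per source
                alerts.append((stamp, "brute_force", e["src"]))
            continue
        if (e["user"], e["src"]) not in baseline["pairs"]:
            alerts.append((stamp, "new_source", e["src"]))
        if not (baseline["hour_min"] <= e["ts"].hour <= baseline["hour_max"]):
            alerts.append((stamp, "off_hours", e["src"]))
    return alerts


def run_demo(log_text=SAMPLE_LOG, baseline_days=2):
    events = parse_log(log_text)
    baseline = build_baseline(events, baseline_days)
    return find_anomalies(events, baseline)


if __name__ == "__main__":
    for stamp, kind, src in run_demo():
        print(f"{stamp}  {kind:12s}  src={src}")
```

On the sample log the baseline is two operators from two internal addresses between 07:00 and 15:00, so the third day produces a brute-force alert on the second failure, and the successful `admin` login from the outside address trips both the new-source and the off-hours rules, while operator2's 09:01 login stays quiet. A real deployment would learn the baseline over weeks, not days, and would add the same treatment for vendor remote-support sessions, which are the usual exception that punches a hole in the "air gap" the thread is arguing about.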
http://articles.latimes.com/2012/aug/03/nation/la-na-cyber-security-20120803
U.S. Chamber of Commerce leads defeat of cyber-security bill
Why is Snark Required?
If I root a computer in China, and then attack a computer in the US, how can the person in the US identify the location of the attacker (me), without rooting the computer in China? They just really really want it to be in China, so it is?
Learn to love Alaska
Sounds like most pork barrel defense programs I've ever heard of.
putting the 'B' in LGBTQ+
Lets explore this concept a bit.
Lets say that each unionized employee that would be on site cost the utility $150,000 a year and you need 3 of them at each site to achieve disconnection from the internet. That's only $450K a year per site and lets say it covers 20 sites per company or utility type (lets examine Columbus Ohio which charges a sewage fee based on water usage so the 20 sites would cover both aspects). That's about $900 million a year. A big amount or is it. This is taxes, benefits and all connected with the employment of the people.
Columbus, in their 2012 consumer confidence report (under the power and water reports section) claimed they provide 51 billion gallons of water to 1.1 million people per year. Of course this is all measured in cubic feet x 100 (100 cubic feet) when billing (noted by ccf). 1 ccf of water is equal to 748 gallons of water according to their site. So if we divide the 51 billion gallons by 748, we should get the ccf being billed. What we now have is 68,181,818 ccf or we could shorten that to about 68.1 million ccf. Now, to reach that $900 million/ year, it would take a rate increase of $13.50 per ccf which brings in $920,454,543 extra.
According to Columbus' website, the high side of the charges currently is $1.56 per ccf for water (this is without sewage fees added). The example they give for a non-industrial user shows about 16 ccf per month. This is an increase in a bill for this amount of usage of $216.00 per month or $2,592 per year over what they pay now.
Someone please check my math for errors as it's been a while. I went into this thinking it would only be a couple cents per unit increase and was surprised at how much extra it actually would be.
450K*20 != 900M, it's only 9M! Your rate increase would be $0.135/ccf, on the order of 10%. Given the sewer and other charges, that's more like a 4% increase on the bill. Not the end of the world.
I've never heard of anyone using city water for large scale crop irrigation. A greenhouse or two might use city water, but not a field of corn. Farmers will dip a pipe into a creek, river, pond, or lake, and pump the water to the fields. They will drill into the aquifer. They will hire trucks to haul in water. But they will not pay the city to pump the water. And the city probably wouldn't let them even if they wanted to, because they use so much water they'd drain their towers, leaving them nothing to fight fires.
Just damaging a few pumps and valves would shut down a city. Last year Minneapolis had a 20 block area shut down for a day due to a single burst water main, leaving many downtown buildings without potable water. Businesses sent the employees home because they couldn't provide sanitary facilities. Restaurants couldn't cook. The physical damage was minor flooding of a street and a construction site, but the financial damage was large.
John
I'm not trying to defend WiGLE but it isn't really identifying by IP or any other stock measure. I understand about the geolocation data based on IP addresses but the WiGLE site is mostly user generated by war drivers along with GPS data built by programs like Kismet and netstumbler. It refines the locations by averaging the latitudes and longitudes of the SSIDs gathered using the signal strength (squared) as a weight.
In other words, it relies on users who have visited the field and location, not outdated published materials. Try it yourself and see how accurate it is. Click on the map page, zoom out enough until you can click and drag it to your area, look at the available networks to your computer and then try to zoom in to where you are at and see if they are listed. Someone, or more likely several people, have been at or near your neighborhood and posted their finds. There are apps that run on phones and people can turn them on while driving home from work, riding the bus or subway or while doing anything else too. Imagine the Google street view car mapping access points and making all the information searchable.
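The refinement step described above (averaging the latitudes and longitudes of the sightings, weighted by signal strength squared) is a weighted centroid, and it is worth seeing why the weighting matters. This is an added example, not WiGLE's code and not from the article; the observations are constructed for the demo, and the assumption that "signal strength" means RSSI in dBm converted to linear milliwatts before squaring is mine, since a raw dBm value is negative and squaring it would favour weak sightings.

```python
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    """One stumbler observation: where the GPS said we were and how strong the AP was."""
    bssid: str
    lat: float
    lon: float
    rssi_dbm: float


def dbm_to_mw(dbm):
    """dBm -> milliwatts (assumed meaning of 'signal strength'; -50 dBm = 1e-5 mW)."""
    return 10 ** (dbm / 10.0)


def weighted_centroid(sightings):
    """Latitude/longitude average with weight = (linear signal strength)^2."""
    w_sum = lat_acc = lon_acc = 0.0
    for s in sightings:
        w = dbm_to_mw(s.rssi_dbm) ** 2
        w_sum += w
        lat_acc += w * s.lat
        lon_acc += w * s.lon
    return lat_acc / w_sum, lon_acc / w_sum


def plain_centroid(sightings):
    """Unweighted mean, for comparison: far, weak sightings drag the estimate."""
    n = len(sightings)
    return (sum(s.lat for s in sightings) / n, sum(s.lon for s in sightings) / n)


def estimate_positions(sightings):
    """Group sightings by BSSID and estimate each access point's position."""
    groups = defaultdict(list)
    for s in sightings:
        groups[s.bssid].append(s)
    return {bssid: weighted_centroid(g) for bssid, g in groups.items()}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres, for checking an estimate against ground truth."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


# Constructed drive-by around one AP (made-up BSSID) whose true location we
# pretend to know, in Columbus, OH to match the thread's example city.
TRUE_AP = (39.9612, -82.9988)
SAMPLE = [
    Sighting("00:11:22:33:44:55", 39.9610, -82.9988, -50.0),  # close, strong
    Sighting("00:11:22:33:44:55", 39.9614, -82.9988, -50.0),  # close, strong
    Sighting("00:11:22:33:44:55", 39.9612, -82.9994, -70.0),  # west, weak
    Sighting("00:11:22:33:44:55", 39.9612, -82.9976, -80.0),  # far east, very weak
]


def demo_errors(sightings=SAMPLE, truth=TRUE_AP):
    """Return (weighted_error_m, plain_error_m) for the sample data."""
    wlat, wlon = weighted_centroid(sightings)
    plat, plon = plain_centroid(sightings)
    return (haversine_m(wlat, wlon, *truth), haversine_m(plat, plon, *truth))


if __name__ == "__main__":
    w_err, p_err = demo_errors()
    print(f"weighted centroid error: {w_err:.1f} m, plain mean error: {p_err:.1f} m")
```

With the squared linear weight the two strong sightings dominate and the estimate lands within a metre of the true spot, while the unweighted mean is pulled about a dozen metres east by the far, weak sighting; with more drive-bys the weighted estimate keeps converging, which is the "football field" accuracy the poster reports.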
Well, it looks like their site might have been slashdotted. It's not showing the SSIDs any more and has replaced it with a plot error message. It might take a while for them to get it back up properly. I found my area and it was accurate within football field range. The Chicago example I posted was a random look up trying to be as neutral as possible.
it is much more likely that this is a false flag operation to remind people of their fears.
The US State Dept. travel alert is more likely to be a false flag operation as that is something that significantly more people will understand and relate to than this relatively 'geeks only' topic which at best only will earn a few paragraphs in most media. At risk of placing myself in the tinfoil hat category I have to admit that my very first thought when I read about the alert was, "this is very conveniently timed with the XKeyscore leak a few days earlier".
"I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
My breakfast is better, up yours. My breakfast is better, eat yours.
1 Every nation war games every scenario and as a part of securing the ability to realize those scenarios should they have to, they carry on things with potentially sinister applications. News at 11.
2 Just saying this so no one gets drummed up into the idea that "this means they're going to attack!" or "this is totally outrageous !!" It is outrageous, on PlanetNice where humans are banned. Back on Earth, where humans are what they are ...goto 1
As for trolls, the parent was actually quite informative and for me, a non-native speaker of English, it was an interesting read. Still a troll as it should be, but a nice one. At least something positive to think about on a lazy Sat afternoon.
TFA indicates they rooted the attacking computers using holes in the browsers they were attacking with, and then used the visible wifi hotspots to locate the machines. It does not say that they checked to make sure the machine was not being remotely controlled, or itself a honeypot. Using this technique, not all the sophisticated attacks came from China; some were U.S., Japan, France, etc., but over half were from China. Also not all the honeypots were in the U.S., so it's not only the U.S. being targeted.
Refactor the law; it's bloated, confusing and unmaintainable.
70 is low, I get 65 a day from my home honey pot... mostly just sweeps but there are some e-mail/ftp/php attacks done on it each day.
I just grabbed an arbitrary high value that I thought would include not only the worker's pay, but the employment taxes, benefits packages, management costs, insurance, retirement, and so on. The actual employee may only be making 80K or less but the entire cost of the employee is what I was going for.
There are a ton of costs beside the employee's pay that are associated with employing a worker. The entire picture is what I was trying to capture and I was trying to be on the high side of the estimate.