SCADA "Selfies" a Big Give Away To Hackers (csmonitor.com)
chicksdaddy writes: The world's governments are on notice that their critical infrastructure is vulnerable after an apparent cyberattack darkened 80,000 households in three regions of Ukraine last month. But on the question of safeguarding utilities, operators of power plants, water treatment facilities, and other industrial operations might do well to worry more about Instagram than hackers, according to a report by Christian Science Monitor Passcode. Speaking at a gathering of industrial control systems experts last week, Sean McBride of the firm iSight Partners said that social media oversharing is a wellspring of information that could be useful to attackers interested in compromising critical infrastructure. Among the valuable information he's found online: workplace selfies on Instagram and Facebook that reveal details of supervisory control and data acquisition, or SCADA, systems.
"No SCADA selfies!" said Mr. McBride at the S4 Conference in Miami Thursday. "Don't make an adversary's job easier." iSight has found examples of SCADA selfies at sensitive facilities and warns that such photos may unwittingly reveal critical information that operators would prefer to keep secret. The firm's researchers have also discovered panoramic pictures of control rooms and video walk-throughs of facilities. Corporate websites can divulge valuable information to adversaries like organization charts or lists of employees — valuable sources of information for would-be attackers, says McBride. That kind of slip-up has aided critical infrastructure attacks in the past. Photographs published in 2008 by former Iranian President Mahmoud Ahmadinejad's press office provided western nuclear analysts with detailed views of the insides of the Natanz facility and Iran's uranium enrichment operation – what an expert once described as "intel to die for."
Well, the two-edged sword once again.
On one hand it's not a good idea to build your security around the intruder not acquiring information. Sooner or later someone's tongue will slip, especially if they are fired and have beef with the company.
On the other hand security through obscurity is another layer of protection. It's another step that an intruder has to step over and will stop most script kiddies.
To connect those systems to the WAN.
As someone who doesn't know an ass from a hole in a tree, maybe we should poison the net with all kinds of pictures showing every single possible SCADA device ever made as having been installed in every single location. And just to keep things interesting, why don't we make up a few dozen brands to add to the mix. Sometimes bad information is more potent than no information at all.
See: Human Health, Tobacco.
may unwittingly reveal critical information that operators would prefer to keep secret
If your attacker is waiting only on the type of system you have installed to attack you then you are absolutely screwed. I don't know of any company that keeps that a trade secret. I know what control systems and safety systems are used in various nuclear facilities, even though I work in a different sector. The vendors will proudly tell you who has which system, sometimes even telling you which model processor cards etc. are used in other facilities. At one control industry conference I attended, a nuclear power operator gave a public presentation on how their control system is designed, complete with full network layout and exact make, models, and firmware revisions of control and safety components.
"Selfies" are truly the least of a company's concern. Especially low resolution Instagram crap. Is that a super fancy new Triconex safety system I see? Or is it one from the 80s, hard to tell because the designs still look the same.
Isn't that when you find the CPU in your nuclear missile command centre has a Pentium bug?
...or horseshit if you prefer the American term.
The original article links to A SLASHDOT story. It's like the ultimate Rick Roll. Why link to reality if you can link to a previous warning threatening about what reality might become.
There are three links in the story. One is a slashdot story. Another is a bogus link. The third is a wannabe "article".
They're all HORSE SHIT. Or BULL WANKERS. Or POPPY COCK.
There's nothing to this "story".
It's social engineering 2.0, nothing new here. Instead of calling a random or targeted phone in the company and saying that you are the boss/the technician/whoever who urgently needs some critical information, you just google the same information/become friends on Facebook.
On another level, this is not complete garbage.
But it's all about the people there knowing what is a secret and what is not and more important: what is in plain view, is not a secret.
"SCADA selfies" could indeed be dangerous. But not because someone sees the model of the command console or a schematic of the power plant (which will 99% look like ANY OTHER plant).
The dangerous thing is the password written on the blackboard!
Ask TV5. They had their website CMS and social media accounts taken over (IIRC ISIS) after they broadcast a few interviews shot in their newsroom - with the passwords written on a whiteboard so that the whole digital media team could access the accounts....
bickerdyke
They knew Mohammad was afraid of selfies, turns out he was right after all! This is how they defeated the spawn of the big and little Satan aka Stuxnet.
Not to skim off the delicious prattle of hackers zooming in on clunky JPGs to reveal passwords written on post-it notes (on CSI they have ways to zoom down to pimple-hair level)... well of course it's possible, no duh... there's a phenomenon I'd like to point out I feel will have a more disastrous effect than terrorism.
Part of it arises from the modern invention of "adolescence", when children have become sentient and somewhat responsible but have years to go before that magic 18th birthday, when it becomes legally possible to drink, vote and be thrown out of the house --- all on the same day. For a good part of the 20th century after school care options were limited but this did not seem to be much of a problem, most suburban kids ran wild and made it home in time for dinner. And those without a stay-at-home parent might go home, but some would check in with or join their parents at work. It was not uncommon to see after-school children hanging around any workplace. Then through the 80s and 90s things changed, as what we now know as the 'helicopter parent' rose to power --- ironically --- children became more segregated from the adult world than ever before. There were now places to go after school where children could be supervised by adults, yet remain wholly disconnected from the adult world. Where the presence of children in the workplace was once considered a polite necessity, children are now all but dis-invited, by concerns of distraction or corporate liability or just plain meanness, take your pick. Late in the game campaigns like Take Your Daughter To Work (Or Your Son Too, Sorry About That) Day came into being as some adults realized that society was being transformed by this segregation, but the novelty of a single day cannot replace the extent that youth had participated, or at least been aware, in the past.
Just as class trips give glimpses of the adult world, we must recall a time not so long ago when families took these trips too. As the world has gotten more paranoid and especially post-9/11, some of the most awesome wonders of the modern world are off-limits to children and adults alike. I recall the remarks of a gent who runs a nuclear power plant in Britain who sadly attributed the rise in irrational fear among the public to the (rather) sudden cessation of tours at the turn of the century, when groups once had been shown all areas and the kids were full of questions. And he is not alone, there has been a general lockdown of the more interesting and inspiring places in the industrial world, which stems from the simple question, "What's the worst thing a terrorist could do? Can we ensure that could never happen?" Not really, but we can lock doors and shut people out. That's a safe thing to do. At what cost though?
If all of your kids want to grow up to become video game designers, and no one seems to have any interest in running a refinery or keeping the power grid energized, and continue to act like children well into their adult years... then at least you should be able to figure out why. It has to do with the forced segregation of children and adults, and general lock-down of the inspiring wonders that the young could once have seen, for the price of a bus ticket.
We should be giving open tours again, not outlawing cameras. The future is at stake.
<blink>down the rabbit hole</blink>
In any of these systems, the weakest link is the human factor. Selfies in control rooms give these types of attacks plenty to work with. The name of an employee with access to these rooms, where exactly he's working and some info about his job. The next step might not be to "hack the system", but to give the company a call and go with "Hi, this is Engineer Jef Jefferson from the System X company, could you pass me Employee Z" ... "Hello Z, we've noticed that your system may still be configured with the default settings for blablabla ... ".
I don't know. I mean I work at a place that requires some form of secrecy in the form of NDAs and only talk to your close family about what you do. My employer regularly looks at employee public facing social media to look for stuff like this because it's a big deal, and every year one idiot seems to get fired or suspended because of this. It's not out of the ordinary. Your employer hires you to do a job and while you're on their property you have to follow their rules. They even went so far as to make their own intranet version of Facebook locally so people could share these things to other employees only... Nobody really uses it of course but it was a big enough deal to consider making their own social media platform for internal use.
Twinstiq, game news
Clean up radioactive waste (eg. Fukushima) with 1:1 salt by volume.
I remember taking a field trip in 4th grade to the local telephone central office. We toured the entire facility. I don't think I would be who/where I am today if I hadn't taken that field trip. I had never seen so many different wires and connections and lights, and I wanted to know what they all did.
Today, the CO is a "domestic terrorist target" and as such is off limits to anyone, especially those pesky 10 year olds. You know they're all secret sleeper cells, right? Kids today are screwed, they're mentally DOA from all the nanny-state and helicopter parent garbage and there is no vision to the real world to break them out of it.
It makes me very sad.
become video game designers, and no one seems to have any interest in running a refinery
As someone who has dabbled in the former I'm glad to be doing the latter. But you are 100% right, we live in a sad world without exposure to the amazing things around us. As kids we latch on to the amazing world around us. Every international flight has left me wanting (briefly) to become a pilot after sitting in the cockpit and asking (what must have been to the pilots) an endless stream of questions about what each button does. Every time there was an open day at the brigade I left wanting to be a fireman. In high school we fetishised the awesome, incredible and unbelievable power of a 4cyl turbo engine, because it's about the most amazing thing available to us, knowing full well that we won't be driving a Ferrari anytime soon. 5 years later, when I was surge testing a 30MW compressor train, I thought back on how childishly we giggled at the blowoff valve in the car while my ears were screaming at the sound of the blow-off valve on this compressor opening.
I feel lucky I discovered this world. I didn't even know it existed going through school. My kids are going to know even less about it as it becomes a security risk to take any members of the public anywhere at all.
And likely, you're all NDAed up because the founder has "this really great idea".. it's like X, but with Y.
And all he needs is money, a management team, and some developers. He'll cut you in for 5%, because after all, it's his idea.
(no disrespect to women intended, but this mindset seems to be more common among males)
I think this is the second time I see posts pushing iSight Partners here on /. and I don't understand why. The guy quoted is their marketing guy. I debunked their previous report on malware here: https://www.linkedin.com/pulse/modpos-malware-isights-pathetic-effort-increase-vaduva-cism-cissp
Why are you guys pushing this marketing bullshit which is clearly fear mongering bullshit? This firm is a marketing/sales organization, not a security company.
Many years ago, I worked for a large utility as a Security Supervisor (IT). My manager and I recommended against outsourcing a digitized version of our SCADA network. We were laughed out of the room by the distribution and money people, even though we raised flags about having this done by "marginal" countries due to it being vital infrastructure. Neither of us lasted long with the company after that. Now they're worried, just because that country harbored the leader of a terrorist group and denied it.. We sow what we plant and we gave them the plans.
I never expected our small org to be the recipient of a "spear phishing" attack but it was.
Apparently these scams are on the rise. The attacker takes the time to learn as much as they can about the org using public information. In our case, the "attacker" waited for the xmas holiday when she knew that people would be out of the office (and therefore have auto-replies set up) to harvest some e-mail addresses (complete with sigs).
Once she had that, she was able to create an e-mail that looked identical to a normal internal message which requested a wire transfer.
It was only due to the fact that we regularly do phishing audits on our users that the scam was detected. The accountant the message was targeting was ready to authorize the transfer but then thought to forward the message to me for analysis.
So yeah, you just have to be aware of what you are putting out there.
My eyes reflect the stars and a smile lights up my face.
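The lookalike "internal" wire-transfer mail described in the comment above is the kind of message a mail gateway or analyst can triage with a few header checks. This is an added example, not code from the original thread; the internal domain, org name, keyword list and the sample messages are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List

INTERNAL_DOMAIN = "example.org"   # assumption: the org's own mail domain
ORG_NAME = "Example Org"          # assumption: name that appears in real signatures
PAYMENT_KEYWORDS = ("wire transfer", "bank details", "urgent payment")

# Constructed sample: external sender, display name and signature copied from a
# harvested auto-reply, reply-to pointing at a third address, payment request.
SPOOFED_MSG = """\
From: "Pat Director" <pat.director@example-org-mail.com>
Reply-To: pat.director.travel@freemail-example.com
To: accountant@example.org
Subject: Quick wire transfer needed before the holiday

Hi, I'm travelling and need a wire transfer of 18,500 sent today.
Let me know when it is done.
--
Pat Director, CFO, Example Org
"""

# Constructed sample: an ordinary internal message, should raise nothing.
BENIGN_MSG = """\
From: Pat Director <pat.director@example.org>
To: accountant@example.org
Subject: Lunch

See you at noon.
"""


def spoof_indicators(raw: str, internal_domain: str = INTERNAL_DOMAIN) -> List[str]:
    """Return human-readable indicators that a message impersonates an insider."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    body_part = msg.get_body(preferencelist=("plain",))
    text = (body_part.get_content() if body_part else "").lower()
    subject = msg.get("Subject", "").lower()

    findings = []
    if from_domain != internal_domain:
        findings.append(f"sender domain {from_domain!r} is external")
        # Lookalike check: the org's label embedded in a foreign domain.
        if internal_domain.split(".")[0] in from_domain:
            findings.append("sender domain resembles the internal domain")
        if ORG_NAME.lower() in text:
            findings.append("signature claims the org but sender is external")
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("Reply-To domain differs from From domain")
    if any(k in text or k in subject for k in PAYMENT_KEYWORDS):
        findings.append("message requests a payment")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("benign", BENIGN_MSG)):
        print(label, spoof_indicators(raw) or ["no indicators"])
```

A message that is external, lookalike, re-routed and asking for money should be held for a human, exactly the step the accountant in the story took by forwarding it.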
This reminds me I should check and see if the local power plant still offers tours and if I can take a pile of cub scouts. Last summer they got to go on a tour of the local water treatment plant and see how that works and they did like that so they may like the power plant as well. Way back when I was in high school there was a field trip where they offered plant tours and we had a choice of a half day at the power plant and the other half at the zoo or the whole day at the zoo. I was one of the few who chose to go to the power plant and everyone thought that was dumb. My response was that I had been to the zoo like a hundred times just like everyone else because it was only a few miles from school but I hadn't been to the power plant. When I got to the zoo after the power plant everyone who chose full day at the zoo was bitching that it was dumb as they had previously seen everything there before and that they wished they had gone to the power plant.
Time to offend someone
Is anyone else reminded of the old Playboy spread from the mid 90s that featured a model inside a DIGITAL data center? As I recall there was some butthurt about this at the time because there were supposed to be no cameras in that DC (and apparently there had been no permission given).
Though, in that case, it was just some pictures of server racks (and hers, of course), but it's funny to see cameras in datacenters coming up as (possibly) a real issue all these years later.
"I opened my eyes, and everything went dark again"
Funny story: When my company moved into a new secure building a few years back, we were all told that cameras were strictly banned (not just use of cameras, any possession of cameras in any form banned on-site). A few months later they issued us all with new smartphones. With cameras (Not disabled).
After a quick Google search for SCADA selfies I very much agree.
I hope I didn't brain my damage.
Well said. I will be forwarding this post to friends and family. And next time my son is off school, he is coming to work with me - no matter how bored he may get.
The problem isn't selfies, the problem is poor maintenance, system design etc. This just gives the idiot who made the decision to connect the internet to the floodgate controller the ability to point his finger at someone else.
It's a simple rule: don't directly connect your control plane to your Windows desktop network that surfs the Internet. It's a bit like a toilet in the corner of your bedroom, undoubtedly convenient but a dumb idea.
Ah yes, this is why I come to Slashdot. Misery about the future. Geeks are some of the most depressed individuals I've ever seen, thinking things are worse now than they've ever been before.
For fucks sake, cheer up. The future is not at stake. How can anyone live with a positive outlook on life if they feel the need to be constrained by such negativity? Let life take the path it ends up leading. You can't do shit to change the world, so make life as comfortable as possible. That starts by not being so damn mopey!
I remember taking a field trip in 4th grade to the local telephone central office. We toured the entire facility. I don't think I would be who/where I am today if I hadn't taken that field trip. I had never seen so many different wires and connections and lights, and I wanted to know what they all did.
I had one of the most amazing nerd-childhoods in the 1970s growing up as a free range kid in St. Thomas in the US Virgin Islands. A total microcosm of modern infrastructure in a small area. My after-school jaunts might take me to the telephone exchange, a radio station where I could use the production room if it was free and the chief engineer would let me know if he was going to do work on the transmitter, the (self contained no grid) power plant, a central monitoring alarm company that also broadcast Muzak, there's an old timer memory test, the newspaper from editorial to pressroom, an old-school watch repairman who'd hand me a magnifier so I could see what he was working on. Some of these people knew my parents but most just knew me, because I had shown up one day and introduced myself. During the same time period things in the general US of A were not quite as casual and much more spread out, but I'm sure opportunities like these existed for interested (and polite) young persons.
So I was kind of devastated when my daughter and I found ourselves in Crystal River FL a few years ago and I honestly believed that with a single phone call I might arrange a visit to a shut down/decommissioned nuclear power plant. Surely, I thought, we'd even be able to enter the actual control room or gaze down into the pool at the spent fuel... but all turned out to be a god-forsaken resounding motherfucking no.
<blink>down the rabbit hole</blink>