Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacks 'Probably Compromised' UK Industry (bbc.com)

Posted by msmash on from the security-woes dept.

Some industrial software companies in the UK are "likely to have been compromised" by hackers, according to a document reportedly produced by British spy agency GCHQ. A copy of the document from the National Cyber Security Centre (NCSC) -- part of GCHQ -- was obtained by technology website Motherboard. From a report: A follow-up by the BBC indicated that the document was legitimate. There have been reports about similar cyber-attacks around the world lately. Modern, computer-based industrial control systems manage equipment in facilities such as power stations. And attacks attempting to compromise such systems had become more common recently, one security researcher said. The NCSC report specifically discusses the threat to the energy and manufacturing sectors. It also cites connections from multiple UK internet addresses to systems associated with "advanced state-sponsored hostile threat actors" as evidence of hackers targeting energy and manufacturing organisations.

8 of 19 comments (clear)

  1. The better question by ColdWetDog · · Score: 3, Interesting

    And one much harder to answer is 'who isn't compromised.

    Given the low hanging fruit that is Internet connected industrial controls, I'd have to Wild Ass Guess that virtually all of the big companies have had their products peeled open by one or various disreputable groups (I'm looking at YOU ALL Five Eyes). Or maybe all of them.

    What happens when it's back doors all the way down?

    (Don't answer that, please.)

    --
    Faster! Faster! Faster would be better!
    1. Re:The better question by Anonymous Coward · · Score: 1

      I consulted with a hospital who had default passwords on almost everything, connected everything from IV pumps to VOIP calls over their 802.11 without protection, had all sorts of confidential information on unsecured, open Windows file shares, did not have unique logins for users (so forget user access control or audit trails)... It was horrible. And they didn't care.

      The last straw was when I found out their entire patient information database for their EHR was wide open, world-readable and writable on a globally available Windows file share. I got the hell out of that shithole the fastest I could.

    2. Re:The better question by Gravis+Zero · · Score: 1

      And one much harder to answer is 'who isn't compromised.

      Companies that don't needlessly connect things to the internet (which is nobody). Companies that invest in real security instead of faux security (which is nobody).

      It's almost as if MBAs running businesses think security is a pointless expense.

      --
      Anons need not reply. Questions end with a question mark.
    3. Re: The better question by Anonymous Coward · · Score: 3, Insightful

      Be careful. Depending on your jurisdiction you may be required to notify one or more agencies if you discover something this bad.

    4. Re:The better question by AHuxley · · Score: 1

      What happens when it's back doors all the way down?

      The UK followed the US down the wide open, unencrypted, plain text, network facing server path thanks to "contractors", public private partnerships, total out sourcing and supporting the private sector.
      Every plain text, open server facing the internet issue that was big news in the USA years ago is now been repeated in the UK.
      Is that coincidence? Incompetence? A total lack of computer crypto design understanding in the UK mil and gov?

      Or policy?
      The private sector cannot be expected to carry the costs of real encryption on every server and document so they requested plain text and total to access gov/mil networks.
      That extra crypto compliance cost would hurt profits.

      Plain text and no encryption is a level playing field that allows any contractor to bid with confidence for government/mil work.

      Who wants to pay for a gov or mil approved super computer in their office that needs support calls every hour for a new crypto key?
      Thats a waste of their profits. Extra staff wages for security cleared staff on site in the UK just to look after layers of gov crypto every hour?
      A lot of the contractors are multi nationals. That secure office in the UK is a few lawyers and two people with the needed gov/mil contacts and security clearances. All the real work is then done in the cheapest nations on earth in plain text. The result is networked back to the UK, signed over by the legal contractor as a front company and given back to the UK gov. Just in time thanks to a total lack of any gov mandated encryption slowing down profitable global networks.

      The end result might be navy ship "parts" from South Korea or parts from China. Better profits to have a ship in port been worked on by contractors ordering new parts on plain text parts lists again than a ship with working parts still at sea. Everyone is winning with new orders for more spare parts and contractor overtime. Parts arrive and are gathered together to make up the plain text parts list in the UK and sent to the port just in time. Cryptography would slow all that down and might even expose the true origins and costs of the "parts" due to ongoing internal security reviews. Plain text and no crypto is much better in so many ways just like in the USA. Cleaning up after hackers is just a gov cost that can be passed back to tax payers as private sector contractor overtime. Still winning even when systems need a big clean up. Working crypto is not good for billable hours trying to understand what happened to a wide open server that faced the internet.

      --
      Domestic spying is now "Benign Information Gathering"
  2. Russia is a rouge nation by WillAffleckUW · · Score: 1

    Seriously.

    (sorry, just wanted to misspell rogue)

    --
    -- Tigger warning: This post may contain tiggers! --
  3. Re:Irresponsible Journalism the New Norm by M_Hulot · · Score: 1

    >> a document reportedly produced by British spy agency

    WHAT DOES THAT EVEN MEAN??

    I means that the document appears to be produced by a British spy agency, specifically GCHQ, but this cannot be verified with certainly.

    >>A follow-up by the BBC indicated that the document was legitimate

    Who is following up on the BBC to see if *they're* legitimate, Or are we supposed to take this government media arm at face value now?

    Everyone needs to make their own assessment of the accuracy of news outlets. I see no reason to doubt the BBC on this claim i.e. that GCHQ didn't explicitly deny the document.

    I'm not really sure what point you are making. Why would the BBC lie about this technical and, to my mind, plausible report?

  4. Re:Irresponsible Journalism the New Norm by dwye · · Score: 1

    Mr. RobotRunAmok is paranoid and distrusts government announcements that the sky is blue and water wet, especially when the government agency is citing another such agency as the source. This is despite the fact that there are so many weasel words in the announcement that it merely says that "hackers" exist and may not all be playing golf poorly.