US Government Warns Of 'Ongoing' Hacks Targeting Nuclear and Power Industries (reuters.com)
An anonymous reader quotes Reuters:
The U.S. government issued a rare public warning that sophisticated hackers are targeting energy and industrial firms, the latest sign that cyber attacks present an increasing threat to the power industry and other public infrastructure. The Department of Homeland Security and Federal Bureau of Investigation warned in a report distributed by email late on Friday that the nuclear, energy, aviation, water and critical manufacturing industries have been targeted along with government entities in attacks dating back to at least May. The agencies warned that hackers had succeeded in compromising some targeted networks, but did not identify specific victims or describe any cases of sabotage. The objective of the attackers is to compromise organizational networks with malicious emails and tainted websites to obtain credentials for accessing computer networks of their targets, the report said.
According to the report, the Department of Homeland Security "has confidence that this campaign is still ongoing and threat actors are actively pursuing their objectives over a long-term campaign."
Isn't it too bad we do nothing but discourage intelligent local grads from going into the IT industry, by making it clear that salaries and compensation in the industry are to be limited by the economies of the very people who are attacking us.
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Any bets the majority of compromised computers ran a version of windows? We need to stop using Windows in these environments.
No different than the supposed power plant attacks during the election last year?
Do we have that anymore?
pics or it didn't happen
When I read stories like this I wonder:
Why were these facilities ever hooked up to the Internet at all?
Why did they not use a computing system that is compatible with anything else?
Answers
1. There are benefits to adding computers and internet connections to such facilities, probably a long list of very big benefits.
2. A proprietary or unique computing system would lose out on the benefits of ongoing major advances in computing occurring in 'mainstream' computing, driven by billions of dollars and millions of human beings working at it all the time.
The Fail:
The possible major damage to such facilities, or major interruption of service. Note that this is a new vulnerability.
Comment: Prior to the internet these facilities worked. It isn't necessary for them to be hooked up to the internet in order for them to work. (Yes, they may have been hooked up to some Arpanet or something).
I think it is a failure of benefit vs risk analysis.
Meanwhile we are rushing into the IOT...
Our infrastructure is old. How can we even tell if it has been compromised?
Don't worry I'm sure that retard APK will tell us about how his hosts file will stop all this.
EMP attacks on the grid were too difficult to do right.
I'd like to see many more honeypots set up. Make 'em think they're doing something, and put the real stuff on highly encrypted VPNs and stuff.
Why did the NSA and CIA start a cyber arms race when the USA is the most vulnerable to the kinds of attacks it's creating and therefore provoking from non-USA aligned countries?
Debate is a form of harassment. Do not question my truth.
That this a plain and simple lie.
Contribute to civilization: ari.aynrand.org/donate
The US has been waging war against its citizenry since its inception. Free thought itself is even outlawed in its very Constitution. Read Article 1, Section 8, Clause 8 if you don't believe the government doesn't want to regulate freedom of thought in the country.
Time is what keeps everything from happening all at once.
I can't help but wonder that a country like USA which seems to perpetually wage war across the globe, with people that find themselves on the receiving end of that, that terrorism as terrible as it sounds must be at least something a country like USA would be expecting in a time of conflict (and some time after I guess), but it doesn't sound to me that protecting infrastructure is important to them. I just don't get it. I guess I don't trust what I am reading in the news. And paradoxically, with hysteria about hacking and terrorism today, I find it hard to take such news seriously.
A BLACK vote suppression & pro-industry/pollution source policy lobbying think tank with super-pac billionaire wings you mean. Not really just about vote suppression alone, right? That's a means to their ends. Total regulatory control.
Umm I think you might want to do a little reading before just discounting him like that. Heritage Foundation goes on and on about massive voter fraud, and was the driving force behind establishing the ridiculous Presidential Advisory Commission on Election Integrity.
They claimed 1100 cases of fraud based on their research, yet that number is highly deceptive at best, and more frankly not true. Their own research: https://www.brennancenter.org/... makes their claims look ridiculous, and in fact makes a very strong case for the opposite of their claims of massive fraud.
Per the numbers from their own database, the 1100 is actually just a worst case scenario, possibly fraudulent cases. But if you actually look at the numbers, it's nowhere close to as bad as they claim. Just a couple highlights:
1. They looked at votes going back at least to 1948, only 105 possible instances were in the past 5 years.
Just 10 in person impersonations out of BILLIONS of votes examined.
And for Trump's claim of OMG MILLIONS of illegals voting to STEAL the popular vote from him? 41 cases, again, out of billions.
So yeah, when a private organization essentially gets to create a government commission and uses spin and deception to paint a far more dire situation than their own research suggests, I think it's fair to suspect they may have ulterior motives.
Yes and probably all this as well, there is plenty of next to irrefutable evidence for most of that too. I was just highlighting the voter suppression part, since that's all that was mentioned in the parent post.
More proof Trump is incompetent.
Is there _anyone_ in the world who doesn't get emails fishing for login credentials?
Don't hook up critical infrastructure to the internet
problem solved.
Pull the cable to the internet. There is NO excuse to hook up critical infrastructure to the internet. None whatsoever! If you need constant monitoring of stuff, give someone a job to monitor. Do not, I repeat, do NOT hook your systems up to the internet just to save a quick buck!
To Terminate, or not to Terminate, that's the question - SCSIROB
"Hacking" by now means nothing. So you can talk in circles all you want, you're not going to say anything useful. Until we stop making noise while refusing to say anything meaningful, all improvement in computer security will be incidental. So, are you going to remain part of the problem?
No "hacking" for you. Say what you mean instead.
Is that your security philosophy? If that's the case then you're an idiot. Pulling a cable doesn't make something secure. You need an entire culture of security to do that.
None whatsoever!
Oh I see now you don't actually work in the industry. Sorry but there's a myriad of reasons that these systems need to be networked over a wide scale, the least of which isn't that they don't work otherwise.
If you need constant monitoring of stuff, give someone a job to monitor.
Err no. Get a clue.
Air gaps help but a determined player will find a way. See Stuxnet.
Oct. 21, Juche 106 (2017) Saturday
U.S. Warmongers' Reckless Action Denounced
A spokesman for the National Peace Committee of Korea on Oct. 19 issued a statement in denunciation of the reckless military action of the U.S. warmongers obsessed with the anachronistic ambition for stifling the DPRK which is reaching the extreme line.
According to the statement, on Oct. 10 brass hats of the U.S. military at the Department of Defense reported to Trump the military options toward the DPRK. They focused on military options that ensure an intensive and surprise, preemptive attack, avoiding a total war as much as possible and minimizing their losses.
Of those options, the "decapitation operation" accompanied by a cyber warfare was chosen as the best way. Under this plan, they reportedly discussed for a long time on the issues of accurate location of north Korea's supreme leadership by such latest spy means as satellites and drones, precision strike by long-distance attack means including nuclear strategic bombers, destruction of core facilities and nuclear and missile bases in the north by infiltration of highly trained special operation forces and cyber warfare based on vicious virus Stuxnet, etc.
This shows that the U.S. started a war against the DPRK without declaration under its most dangerous war scenario, the statement said, and went on:
After all, the Korean peninsula is now put into the worst situation in which the outbreak of a nuclear war can never be averted.
It is the invariable and resolute counteraction method of Juche Korea to mercilessly punish the war maniacs with fire.
Those who dare challenge our supreme leadership should be found out and wiped out to the last one wherever they may be. This is the strong and fixed will of the army and people of the DPRK.
As been already declared, we will take the unimaginable toughest counteraction to bring the bitterest end and total destruction to the U.S. mainland, not "minimum loss", if Trump finally ignites a war, obsessed with illusion of "decapitation" and paralysis of commanding system by cyber warfare.
In case the present situation of the Korean peninsula goes to the worst phase, the U.S. is entirely to blame for it.
Rodong News Team
Pulling the cable makes something more secure. It drastically diminishes the number of potential intruders. Having no physical connection is the best kind of firewall. Anything that doesn't need to be on the Internet shouldn't have a connection, so instead of a good firewall, you should choose the best firewall.
This 'need to be networked' thing is nice on paper, but in fact, a lot of these 'needs' are not your own (company's) needs.
If you think everything has to be on the Internet, then in your words 'you are an idiot'.
Patents Drive Free Software as Hurricanes Drive Construction Industry
Well, no, it just means that military planning for contingencies is happening. Hey, it's called 'preparedness', and isn't an act of war. Stockpiling of food, water, blankets against times of catastrophe isn't starting a disaster, either.
Pull the cable to the internet. There is NO excuse to hook up critical infrastructure to the internet. None whatsoever! If you need constant monitoring of stuff, give someone a job to monitor. Do not, I repeat, do NOT hook your systems up to the internet just to save a quick buck!
Articles like this would have you think that nuclear power plant control systems are connected to the internet, but they are not. The authors use intentionally vague wording.
Pulling the cable makes something more secure. It drastically diminishes the number of potential intruders.
Not necessarily. Quite often pulling the cable makes everything less secure as it breeds a culture of complacency at best and breeds a better kind of idiot at worst. Pulling a cable is absolutely no substitute for actually having security thought through in the organisation, and I'll take well thought out firewall / VPN infrastructure any day over the pull the cable approach which by its nature necessitates bypassing the airgap.
Anything that doesn't need to be on the Internet shouldn't have a connection, so instead of a good firewall, you should choose the best firewall.
You've lost. Everything needs a network connection somewhere, and every network eventually needs a connection to the internet. The key is segregation in the design stage. Otherwise you'll end up with what we call box-rot, a set of computer systems isolated constantly being connected to and from with various mechanisms or best yet, ignored completely with security issues more wide open than a $2 hooker.
This 'need to be networked' thing is nice on paper
That paper is often one of the following:
- Legal requirement
- Technical limitation
- Geographical limitation
- Operational limitation
Most organisations would be unable to operate a local compressor without some access to a wider network let alone a country wide wind farm, energy grid, etc.
If you think everything has to be on the Internet, then in your words 'you are an idiot'.
But I repeat myself: Oh I see now you don't actually work in the industry.
Brilliant, companies can damn well create their own private networks to manage their distributed systems. They should be able to recreate their own private internets in about, what, a year or two in your pink unicorn world? No doubt they'll be able to all hire the best network engineers to pull off this task. The fortune 100 companies can all create their own internets, 100 of them. That will surely lower the attack surface!!! Wow! Have you told these companies how to make their distributed systems secure? I'm sure they'll listen to you!!
Oh, be sure to include the cost of continuing network operations for running their own private networks too while you are at it. Just so you don't miss anything, you'll be wanting to include equipment costs (stuff wears out), personnel (hint, they like job security, medical ins., retirement plans), facilities costs (can't just throw the new equipment anywhere), energy costs (damn, the energy companies don't just give it away), local and federal regulations (admittedly these are not large but you'll be wanting to add increasing dollars for future regs since those appear to be percolating in Congress), redundancy (the internet...get this...is very redundant and networks rely upon that redundancy to keep up and functioning). I'm sure I've missed a few costs, no doubt they'll occur to you as you write your recommendation to companies.
Come and try to hack the power company here in Puerto Rico. You will fail miserably!!!
I'm assuming that critical energy infrastructure is airgapped from the Internet. Any single large-scale generating plant is easy to isolate, because all the maintenance is being done by permanent onsite staff.
But how do you isolate the grid itself? It inherently has to be controlled as a network, which you dutifully isolate at the outset from all other networks. Still, the vast array of spread-out components in a grid comes into close contact with possible malefactors at many points, most of which are unmanned and many of which would not be difficult to inject from the Internet directly, or from small portable devices carried by people dressed in stolen utility uniforms. Nobody passing by is going to question what that guy in a Local Electric truck is doing up on that pole, will they?
But the grid as it stands is for the most part dumb, which makes the outer parts of it not all that vulnerable to hacking. Now look at what happens when we start connecting small-to-medium scale renewables on the grid. Not only are there a lot of small unattended wind turbines and solar panels all over the place (just imagine the potential of a Stuxnet-style attack on wind turbine software that prevents whole windfields from feathering during a storm), but these generators have to be data-networked to the grid, to make regional control possible. The grid itself will need a much richer data connection among all of its components than it does now. The next generation of smart utility meters will not just gather continuous load information, but will have the ability to turn major user appliances on and off as supply fluctuates.
Hackers getting loose in smart grids could destroy entire cities.
did you think Europe has forgotten that you've been doing EXACTLY THE SAME THING against them, and other countries in the world, for years? And then you execute the "American spin" and call anyone else's pointing out your blatant hypocrisy and crimes a "Soviet spin". Nobody trusts America anymore.
I might be naive but would not a big part of these concerns be mitigated if we removed the control systems from publicly accessible networks (yes, this includes PSTN/ISDN)? Isolated network on dedicated fiber. Correct me if I'm wrong but if a system cannot be accessed from the outside your attack surface is greatly reduced.
See subject: I haven't seen enough about it to say it for sure (like what it talks to, which in specific targeted attacks, I don't have now).
* So don't even TRY to "put words in my mouth" I never have once said @ this point, stupid... & then YOU TRIED TO DOWNMOD HIDE ME SAYING THIS TOO? https://news.slashdot.org/comments.pl?sid=11258695&cid=55413651/
(Puh-leese - make me laugh more!)
APK
P.S.=> Hosts "scores" for me a LOT stopping MANY types of threats (nothing else does as much as hosts does on MANY fronts for a lot less resources + complexity vs. other "so-called 'solutions'"), especially lately (but also for a decade++ now easily also) though, but on this one? I am not certain of whether they can help, or not so FUCK off you UNIDENTIFIABLE anonymous trolling worm (you WISH you were ME, lol)... apk
Your whole post boils down to the false claim, "Everything needs a network connection somewhere, and every network eventually needs a connection to the internet."
If you turn your conclusions into presumptions all you do is go in a circle like an idiot.
Have they ever considered not connecting their critical infrastructure devices directly to the Internet and instead using VPNs running on embedded hardware?
No internet
No USB ports
Specialized connections requiring authentication and physical interaction only
To install an OS, one builds a new hard disk from a secure, verified, off-the-network, machine which itself is checked before every rebuild operation to ensure a verified state of software, registry (or if Linux, packages and file system) are what they should be.
Next, physical security. You don't get to bring your phone in.
It's not perfect but it would make it impossible for Stuxnet and nearly any attack vector. If you want to keep someone out of your house it's best to lock the door...
Your whole post boils down to the false claim
The claim is only false outside of the industry and backed up by 4 key points you see coming up over and over again.
But I repeat myself: Oh I see now you don't actually work in the industry. ... Wait you're not the OP, well then clearly there's more of you.
Oh I see now you don't actually work in the industry
What industry is that? I didn't mention it in this comment. Did you read the part I wrote that said
If you turn your conclusions into presumptions all you do is go in a circle like an idiot.
So you want to be more truthy by forming an idiotic belief about what industry I work in? That wouldn't make your comments any more considered.
What industry do you imagine a person would need to work in to know that "Everything needs a network connection somewhere, and every network eventually needs a connection to the internet" is a false statement? It seems actually that anybody who works in any industry that uses networks should be able to evaluate the statement. There isn't one narrow industry where the Appointed Poobahs would have the Secret Knowledge of What Is A Network. ;) And surely people who work with networking would know it, though the funniest part is that most of the workers who work with networks are not in any particular industry, they're distributed across all industries.
Don't sell yourself short, I'm sure you can impersonate a macho cheesehead and run around the circular logic one more lap and say something even stupider.
What industry is that?
Fuck me, it's not like the industry isn't written in the title bar of your browser right now!
You weren't responding to the title bar of your browser... were you? Oh.
Undoubtedly a plain and simple lie spread by a leftist.
>Quite often pulling the cable makes everything less secure as it breeds a culture of complacency at best and breeds a better kind of idiot at worst.
Strawman. I didn't mean neglecting security patches or just any software upgrades. Upgrade offline, if you have a bug that is confirmed fixed by a patch. But never allow a 3rd party to issue a half-decent patch which will be silently applied on your production environment. Oh, wait, "i see you are not working in the industry"
>That paper is often one of the following
That paper is often created by lazy people who fall for buzzwords.
>But I repeat myself: Oh I see now you don't actually work in the industry.
Where did you see that? You checked the wrong file. If, by industry, you meant computing and not spying.
Patents Drive Free Software as Hurricanes Drive Construction Industry