Slashdot Mirror


Warning Over 'Panic' Hacks on Cities (bbc.com)

Security flaws have been found in major city infrastructure such as flood defences, radiation detection and traffic monitoring systems. A team of researchers found 17 vulnerabilities, eight of which it described as "critical." From a report: The researchers warned of so-called "panic attacks," where an attacker could manipulate emergency systems to create chaos in communities. The specific flaws uncovered by the team have been patched. "If someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic," wrote Daniel Crowley, from IBM's cyber research division, X-Force Red. "While no evidence exists that such attacks have taken place, we have found vulnerable systems in major cities in the US, Europe and elsewhere." The team plans to explain the vulnerabilities at Black Hat -- a cyber-security conference -- on Thursday.

43 comments

  1. the 2013 zombie eas hack by Joe_Dragon · · Score: 3, Funny
  2. Icing on the cake by Anonymous Coward · · Score: 0

    The mainstream media does a good enough job creating panic as it is.
    More so I might add than any one man with a Twitter account.

    1. Re:Icing on the cake by Mr+D+from+63 · · Score: 1

      The mainstream media does a good enough job creating panic as it is. More so I might add than any one man with a Twitter account.

      No kidding. They just claim vulnerabilities exist, then say there haven't been any successful hacks yet, and the only example they provide was a human error event, not a hack at all.

  3. Caution: TDS Outrage ahead by Anonymous Coward · · Score: 0

    Useless snark, insults, and shouting at the sky.

    Proceed with caution.

  4. 2017 siren hack by Anonymous Coward · · Score: 0
  5. I love daisy duck! by Anonymous Coward · · Score: 0

    We both quack together during a leisurely fuck.

    balls deep in feathers and it feels so right!

    1. Re:I love daisy duck! by Narcocide · · Score: 1

      Your poetry sucks.

    2. Re:I love daisy duck! by Anonymous Coward · · Score: 0

      she will never cheat on me
      she will always love me
      i love the feels when the egg starts to emerge.

    3. Re:I love daisy duck! by K.+S.+Kyosuke · · Score: 1

      I love daisy duck!

      We both quack together during a leisurely fuck.

      balls deep in feathers and it feels so right!

      ...something tells me you're not quite so bright?

      --
      Ezekiel 23:20
  6. running out of butt plugs by Anonymous Coward · · Score: 0

    used to find them in a couple of popular cereal brands.

  7. "supervillain or not" by KiloByte · · Score: 1

    If making a series of false-flag terrorist attacks against your own citizens just to get elected doesn't make you a supervillain, I don't know what would.

    And that one has been pretty widely proven, not just by Litvinenko but even by ordinary police, identifying the FSB as a culprit.

    Thus, if doing so on own soil is "ok", you can expect anything in a rival country.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:"supervillain or not" by TheRealQuestor · · Score: 1

      If making a series of false-flag terrorist attacks against your own citizens just to get elected doesn't make you a supervillain, I don't know what would.

      And that one has been pretty widely proven, not just by Litvinenko but even by ordinary police, identifying the FSB as a culprit.

      Thus, if doing so on own soil is "ok", you can expect anything in a rival country.

      And let me guess, the earth is flat, contrails are spreading mind control agent, the moon landings were staged, am I missing anything else that nutjobs and whackos believe too?

    2. Re:"supervillain or not" by KiloByte · · Score: 2

      Uhm, what? Please tell me what's the connection between Putin repeatedly using such tactics, and often even intentionally going out of his way to sign them (Litvinenko could have been knifed during a "robbery", so could Skripal) -- and random nutjobs?

      If you have doubts about Russian involvement, please for example check IPs of shitposters: there's a remarkable lack of bots from Russia, except of a rare operator error when the connection was directly from Petersburg (but no other part of the country). Or, see the language used by anti-Ukrainian commenters on Polish news sites: while having knowledge of Polish close to native, they say "fascist". No one in Poland uses that word for anything but Mussolini's gang -- like USians saying "nazi", we were taught to say "hitlerite". Then suddenly there was this influx of trolls who called Ukrainians "fascist" in like every second post... Just guess what country used this word for their non-"capitalist"="imperialist" enemies since the "Great Patriotic War".

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  8. People are stupid, "leaders" are no exception by gweihir · · Score: 4, Insightful

    Almost all IT security these days is "cheaper than possible" because the people in charge are not able to do risk management. Until there are "reference catastrophes" of sufficient magnitude, they will mistakenly believe they are safe and do nothing. Then they will find out that decades of mismanagement are not easy to fix. It is always the same story. It is always utterly stupid. It is always completely obvious to actual experts what is going on, but nobody listens to them.

    The leadership we have on all levels is not modern, educated, enlightened. It is cave men (and the occasional cave-woman) dressed in suits, full of themselves, greedy, corrupt and utterly incompetent and unsuitable to fill their core responsibilities.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:People are stupid, "leaders" are no exception by Thud457 · · Score: 1

      And even when we do learn our lesson from hard experience, later generations ignore the perfectly unmistakable warnings their forefathers left behind. Apply this wisdom to current events as you see fit.

      --

      the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    2. Re:People are stupid, "leaders" are no exception by gweihir · · Score: 1

      Indeed. Most of these "leaders" will repeat history because they are unable to learn from it. The thing that really makes me angry is the sheer stupidity involved.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:People are stupid, "leaders" are no exception by Anonymous Coward · · Score: 0

      The problem is that the top brass of companies actually make more money when their company tanks. Say, a plane maker had a vulnerability, which caused every model of plane it made to stop functioning, or crash (with all control surfaces inoperative) if in mid-air. The C-levels would short their stock as soon as they knew internally, then laugh to the bank as the company folded.

      The concept of a stakeholder is gone. Especially with HFT, as soon as company decides to not focus on this quarter above all else, their stock price plummets, so it pays to have a company only exist in the present and never plan for anything past the next quarter.

    4. Re:People are stupid, "leaders" are no exception by Anonymous Coward · · Score: 0

      What do you expect from a system that has as its only qualification for a leader that they secure the approval of more idiots than anybody else? They're not taking an aptitude test to win their seat.

    5. Re:People are stupid, "leaders" are no exception by gweihir · · Score: 1

      I pretty much expect what we have. That does not mean I have to be happy about it.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:People are stupid, "leaders" are no exception by gweihir · · Score: 1

      True, the incentives are utterly perverted.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:People are stupid, "leaders" are no exception by Anonymous Coward · · Score: 0

      We've had several 'reference catastrophes' already, but nobody was really punished for any of them, so there is no effect. See Sony, OPM, Equifax, etc.

      If there's no risk to leadership or organization, there's no risk to manage.

    8. Re:People are stupid, "leaders" are no exception by tlhIngan · · Score: 1

      Almost all IT security these days is "cheaper than possible" because the people in charge are not able to do risk management. Until there are "reference catastrophes" of sufficient magnitude, they will mistakenly believe they are safe and do nothing. Then they will find out that decades of mismanagement are not easy to fix. It is always the same story. It is always utterly stupid. It is always completely obvious to actual experts what is going on, but nobody listens to them.

      The leadership we have on all levels is not modern, educated, enlightened. It is cave men (and the occasional cave-woman) dressed in suits, full of themselves, greedy, corrupt and utterly incompetent and unsuitable to fill their core responsibilities.

      A few problems.

      First, you cannot tell the difference between good security and bad security. It always changes, and what was once good policy can turn out to be really bad policy. E.g., forcing password changes on intervals (e.g., every 30-90 days). Or using SMS as a valid form of 2FA.

      Second, like a lot of IT work, the better you are at it, the worse you look. A good sysadmin would hardly lift a finger to do anything - it's all taken care of and often things are proactively maintained so emergencies are practically rare. Thus the admin looks like he does nothing all day - because he's made sure it all takes care of itself. Likewise, proper security practices look like nothing is happening - you may get attacked, but your defenses withstood the attack, so it looks like nothing happened. Where else has this happened? Well, lots of people believe the Y2K bug was severely overhyped because nothing happened, and that was purely because the worst stuff was fixed. But people maintain it was a waste of money because nothing happened.

      Third, security is hard. Defenders have to protect every potential point of entry, while attackers only need one. Just because you're defending against attack #1, doesn't mean you're not vulnerable to attack #2. It just seems you're doing a good job.

      It's practically impossible to dictate the worth to the company - it's like buying a stone that wards off elephants - you're trying to convince people, effectively, "You want $X per year to make sure ... nothing happens?".

      And even worse, you can't compare - perhaps you spent $0 this year, and are safe because you got lucky on #3.

      There's no really clean answer to it - look like a chump for paying millions per year, look like a hero for not. Look like a chump for paying millions and still getting attacked, look like a hero for paying nothing and not. There's no answer to any of this.

      And even worse, do too much and you can make yourself even more exposed because your users will rebel when you interfere with their work.

    9. Re:People are stupid, "leaders" are no exception by gweihir · · Score: 1

      A few problems.

      First, you cannot tell the difference between good security and bad security.

      I disagree. The people who can are out there and you can hire them. Not cheap and they will tell you things you will not want to hear. But you can get them to look at your situation, tell you where you stand, and what you need to do to keep that standing or to improve it.

      I do agree (basically summarizing the rest of your points, my apologies), that it also takes real insight to recognize these experts and that hiring them and doing what they recommend is often politically problematic and often actually impossible without getting yourself fired. But the problem is neither on the technology side, nor on the risk-management side. Both can be done. The problem is purely political.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:People are stupid, "leaders" are no exception by Anonymous Coward · · Score: 0

      Agree with all of your points, *except*:

      E.g., forcing password changes on intervals (e.g., every 30-90 days). Or using SMS as a valid form of 2FA.

      Anyone with half a brain always knew that constantly changing passwords and indeed passwords as a form of security was always a bad policy and ignores human nature entirely. Likewise, the news of SMS being a bad way of doing 2FA was trumpeted loudly by security researchers about 7 years or so before all of the companies (including banks) started rolling it out (some are still just now beginning to roll it out).

      The problem is as the gp says:

      The leadership we have on all levels is not modern, educated, enlightened. It is cave men (and the occasional cave-woman) dressed in suits, full of themselves, greedy, corrupt and utterly incompetent and unsuitable to fill their core responsibilities.

      Full stop.

    11. Re:People are stupid, "leaders" are no exception by Anonymous Coward · · Score: 0

      To short stocks, you need to borrow them from someone who willingly has marked stocks for borrowing. There are not enough stocks, so they do naked shorting instead (shorting non-existing stocks).

      Captcha: heroines

  9. Steps for panic including profit by Anonymous Coward · · Score: 1

    1: Flash something to Teslas and other "always-on" vehicles. A lot of vehicles use interference engine designs, so by having those mistime, cylinders will smash into valves, and that is the end of that.
    2: Wait for a natural disaster like a hurricane, or something requiring an evacuation.
    3: Trigger the vehicles to destroy their engines, or just erase their ECM firmware.
    4: ????
    5: Profit.

    It only takes a few vehicles to be disabled from remote as a percentage to render all highways out of a city impassable, and with a lot of businesses having zero interest in security (breaches can make the top brass wealthy, as they can short before the announcements hit), it would not be difficult for a dedicated blackhat group to do this, putting themselves on the map.

  10. A complete failure of design and engineering by Anonymous Coward · · Score: 0

    Remote control of infrastructure was a mistake.

  11. Every building fire alarm has a security flaw by mea2214 · · Score: 2

    Anyone is authorized to pull it even if there isn't a fire.

    1. Re:Every building fire alarm has a security flaw by Anonymous Coward · · Score: 1

      Anyone is authorized to pull it even if there isn't a fire.

      The fire alarm is open to anyone in the building.

      The flaws discussed here are open to anyone on the Internet.

    2. Re:Every building fire alarm has a security flaw by Anonymous Coward · · Score: 0

      Actually, no, you aren't "authorized" to pull it if there isn't a fire. You are able to pull it regardless, but not authorized unless you have reasonable grounds to suspect that there's a fire.

      The reason why we aren't constantly DoSed by fire alarms is that you're required to be physically present and if you engage the alarm without a good reason you will face significant consequences. If I walk off the street into a building and break the glass to activate a fire alarm, I could be charged with - at a minimum - vandalism and causing a breach of the peace. If I set off sprinklers I could face huge civil damages for all the property damage. If anyone gets hurt in the ensuing panic, I could be charged with reckless endangerment or even homicide in some jurisdictions. I have to enter the premises, so there's a good chance that I can be identified by witnesses, access logs, or CCTV, and a trail of physical evidence for investigators to follow.

      If I cause a mass panic on the other side of the world via computer because some idiot connected their vital infrastructure to the electronic sewer that is the internet, then I'm very unlikely to ever be caught. Some poor shmuck running a tor exit node or pwned IoT device might get their door kicked in and murdered by a 'roided up SWAT bro, but I'd be laughing my ass off watching the news coverage from a different continent.

      The internet is an underpass in the bad part of town. Keeping your stuff there is a bad idea.

  12. Simple reason by Anonymous Coward · · Score: 0

    All you need to do is blame "hackers" and it's not your fault. Whatever it is.

    1. Re:Simple reason by ole_timer · · Score: 2

      ...a "sophisticated" hack...

      --
      nothing to see here - move along
    2. Re:Simple reason by gweihir · · Score: 2

      And if it is large enough, blame "terrorists" or "traitors". Also a very old strategy that works time and again.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:Simple reason by ole_timer · · Score: 1

      ;) ...or it was "allowable espionage" or "...it was no one's fault..."

      --
      nothing to see here - move along
  13. Wasn't this one of the Die Hard movies? by taustin · · Score: 1

    And about a dozen episodes of CSI?

  14. Largest and most successful "panic hack" ongoing by Anonymous Coward · · Score: 0

    Radiation science is dominated by a paradigm based on an assumption without empirical foundation. Known as the linear no-threshold (LNT) hypothesis, it holds that all ionizing radiation is harmful no matter how low the dose or dose rate. Epidemiological studies that claim to confirm LNT either neglect experimental and/or observational discoveries at the cellular, tissue, and organismal levels, or mention them only to distort or dismiss them. The appearance of validity in these studies rests on circular reasoning, cherry picking, faulty experimental design, and/or misleading inferences from weak statistical evidence. In contrast, studies based on biological discoveries demonstrate the reality of hormesis: the stimulation of biological responses that defend the organism against damage from environmental agents. Normal metabolic processes are far more damaging than all but the most extreme exposures to radiation. However, evolution has provided all extant plants and animals with defenses that repair such damage or remove the damaged cells, conferring on the organism even greater ability to defend against subsequent damage. Editors of medical journals now admit that perhaps half of the scientific literature may be untrue. Radiation science falls into that category. Belief in LNT informs the practice of radiology, radiation regulatory policies, and popular culture through the media. The result is mass radiophobia and harmful outcomes, including forced relocations of populations near nuclear power plant accidents, reluctance to avail oneself of needed medical imaging studies, and aversion to nuclear energy—all unwarranted and all harmful to millions of people.

    (abstract from Epidemiology Without Biology: False Paradigms, Unfounded Assumptions, and Specious Statistics in Radiation Science)

    LNT encourages the hysteria surrounding nuclear, and transforms harmless levels of radiation exposure into real deaths. The tragedy at Fukushima was not the nuclear accident, but the misinformed response: a forced evacuation which claimed ~1600 lives, the monumental cost of an absurdly excessive cleanup, and the entire nation regressing to imported fossil energy. Oh, and the tsunami itself, which was all but ignored while the media focused on fearmongering and conflating the unrelated refinery explosions with the damaged reactors.

    See X-LNT for a more accessible background on low dose radiation. Set aside your ideologies and inform yourself; it may save your life someday.

  15. Critical infrastructure connected to the Internet by najajomo · · Score: 1

    "Security flaws have been found in major city infrastructure such as flood defences, radiation detection and traffic monitoring systems."

    What retard connected their city infrastructure directly to the Internet.

  16. Black Hat is not a "cyber-security conference" by Anonymous Coward · · Score: 0

    The real reason that anyone goes to that particular conference is to get sloshed, play "Can you identify the Fed", and then get sloshed some more. By the end, most of the attendees are at some level of drunk.

  17. Re:Critical infrastructure connected to the Intern by wyHunter · · Score: 1

    Almost all of them. Believe it or not.

  18. Re:Critical infrastructure connected to the Intern by Anonymous Coward · · Score: 0

    Haven't you been reading Risks To The Public for the past 20 years?
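Two threads above make the same technical point from different angles: the fire-alarm reply notes that the flaws discussed here are open to anyone on the Internet, and the "Critical infrastructure connected to the Internet" thread asks who put city systems there in the first place. Both reduce to one auditable question: which management services are reachable from outside the network at all, and do they authenticate anyone? The following is an added example, not code from the article, the BBC piece or IBM X-Force Red's research, that runs that check over a constructed asset inventory. The inventory format, the device names and ports, the severity scale and the rule that only RFC 1918, loopback and link-local space counts as "inside" are all assumptions made for the example; addresses in 203.0.113.0/24 are documentation space used as stand-ins for public addresses.

```python
"""Management-plane exposure audit over an infrastructure asset inventory.

Added example; not from the article or from IBM X-Force Red. Each inventory
row records the address a device has on its network, the address its service
is bound to (0.0.0.0 means every interface), the port, and whether the
service authenticates callers at all.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Assumption: anything outside these ranges is treated as reachable from the
# Internet absent upstream filtering. RFC 1918, loopback and link-local only.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Well-known ICS / building-automation ports, used only to label findings.
KNOWN_PORTS: Dict[int, str] = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
}

# Constructed sample inventory: hypothetical devices, 203.0.113.0/24 is
# documentation space standing in for public addresses.
SAMPLE_INVENTORY = """\
device,host_ip,bind_ip,port,auth
flood-gate-plc-1,203.0.113.10,0.0.0.0,502,no
siren-controller-3,10.20.30.4,0.0.0.0,47808,no
radiation-monitor-7,203.0.113.22,0.0.0.0,8443,yes
traffic-cam-gw-2,203.0.113.40,127.0.0.1,8080,no
scada-hist-1,172.16.5.9,172.16.5.9,20000,yes
"""


@dataclass(frozen=True)
class Listener:
    device: str
    host_ip: str
    bind_ip: str
    port: int
    auth: bool


def parse_inventory(text: str) -> List[Listener]:
    """Parse the CSV inventory into Listener records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Listener(r["device"], r["host_ip"], r["bind_ip"], int(r["port"]),
                 r["auth"].strip().lower() == "yes")
        for r in rows
    ]


def is_internal(addr) -> bool:
    """True if the address falls in one of the INTERNAL_NETS ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def reach(l: Listener) -> str:
    """Who can reach this service: local-only, lan-exposed or internet-exposed."""
    bind = ipaddress.ip_address(l.bind_ip)
    if bind.is_loopback:
        return "local-only"
    # A wildcard bind answers on every address the host has, so the host's
    # own address decides the exposure; a specific bind speaks for itself.
    effective = ipaddress.ip_address(l.host_ip) if bind.is_unspecified else bind
    return "lan-exposed" if is_internal(effective) else "internet-exposed"


def severity(l: Listener) -> str:
    """Rank by reachability combined with whether any authentication exists."""
    r = reach(l)
    if r == "internet-exposed":
        return "critical" if not l.auth else "high"
    if r == "lan-exposed" and not l.auth:
        return "medium"
    return "low"


RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def audit(text: str) -> List[dict]:
    """Classify every listener in the inventory, worst findings first."""
    findings = []
    for l in parse_inventory(text):
        findings.append({
            "device": l.device,
            "service": KNOWN_PORTS.get(l.port, f"tcp/{l.port}"),
            "reach": reach(l),
            "severity": severity(l),
        })
    return sorted(findings, key=lambda f: (RANK[f["severity"]], f["device"]))


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['severity']:8} {f['device']:22} {f['service']:16} {f['reach']}")
```

Run it directly to print the ranked findings. A "critical" line is a service answering to the whole Internet with no authentication at all, which is the situation the commenters above are complaining about. The bind-address logic is the part worth keeping: a service bound to 127.0.0.1 is unreachable whatever the host's address is, while a wildcard bind inherits every address the host has, so a PLC with a public address and a 0.0.0.0 Modbus listener is exposed even if nobody ever meant it to be.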

  19. Put my tax money toward storm defense please by Lije+Baley · · Score: 1

    How many people have actually been seriously harmed or killed by something like what is described in these over-hyped "oh noes we need more security!" (read: give us more money) scenarios? Whatever number you come up with, it will be nothing compared to the damage caused by natural causes - storms, heat, cold, animals, not to mention the stupid things that humans do. I'll put my money towards limiting damage from those things, thank you. I want my power company to trim the trees and bury the power lines, to prevent days-long outages that kill people, instead of spending money on keeping hackers from flipping off a substation or generator for a few hours, ruining your cocktail party.

    --
    Strange things are afoot at the Circle-K.
  20. The sad part to me is... by Anonymous Coward · · Score: 0

    We could have both the price efficiency *AND* the security/verifiability if only people would say 'performance is good enough now, where is our security/error correction?'

    All major Intel, AMD and ARM chips have optional ECC support now, in some cases disabled only for market differentiation, in others only disabled to save a few traces in the design. The performance hit of it is negligible today, the cost under mass manufacture similar to consumer level hardware already. If it wasn't for Intel market differentiating by ECC support, everyone would have migrated back to it already (Parity correction was standard until Intel's first chipset in the mid 90s, even on budget brand chipsets. Until Intel killed off 3rd party chipsets many of them included ECC in the late EDO and early SDRAM chipsets as well.)