Slashdot Mirror


Warning Over 'Panic' Hacks on Cities (bbc.com)

Security flaws have been found in major city infrastructure such as flood defences, radiation detection and traffic monitoring systems. A team of researchers found 17 vulnerabilities, eight of which it described as "critical." From a report: The researchers warned of so-called "panic attacks," where an attacker could manipulate emergency systems to create chaos in communities. The specific flaws uncovered by the team have been patched. "If someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic," wrote Daniel Crowley, from IBM's cyber research division, X-Force Red. "While no evidence exists that such attacks have taken place, we have found vulnerable systems in major cities in the US, Europe and elsewhere." The team plans to explain the vulnerabilities at Black Hat -- a cyber-security conference -- on Thursday.

25 of 43 comments

  1. the 2013 zombie eas hack by Joe_Dragon · · Score: 3, Funny
  2. "supervillain or not" by KiloByte · · Score: 1

    If making a series of false-flag terrorist attacks against your own citizens just to get elected doesn't make you a supervillain, I don't know what would.

    And that one has been pretty widely proven, not just by Litvinenko but even by ordinary police, identifying the FSB as a culprit.

    Thus, if doing so on own soil is "ok", you can expect anything in a rival country.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:"supervillain or not" by TheRealQuestor · · Score: 1

      If making a series of false-flag terrorist attacks against your own citizens just to get elected doesn't make you a supervillain, I don't know what would.

      And that one has been pretty widely proven, not just by Litvinenko but even by ordinary police, identifying the FSB as a culprit.

      Thus, if doing so on own soil is "ok", you can expect anything in a rival country.

      And let me guess, the earth is flat, contrails are spreading mind control agent, the moon landings were staged, am I missing anything else that nutjobs and whackos believe too?

    2. Re:"supervillain or not" by KiloByte · · Score: 2

      Uhm, what? Please tell me what's the connection between Putin repeatedly using such tactics, and often even intentionally going out of his way to sign them (Litvinenko could have been knifed during a "robbery", so could Skripal) -- and random nutjobs?

      If you have doubts about Russian involvement, please for example check IPs of shitposters: there's a remarkable lack of bots from Russia, except for a rare operator error when the connection was directly from Petersburg (but no other part of the country). Or, see the language used by anti-Ukrainian commenters on Polish news sites: while having knowledge of Polish close to native, they say "fascist". No one in Poland uses that word for anything but Mussolini's gang -- like USians saying "nazi", we were taught to say "hitlerite". Then suddenly there was this influx of trolls who called Ukrainians "fascist" in like every second post... Just guess what country used this word for their non-"capitalist"="imperialist" enemies since the "Great Patriotic War".

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  3. Re:I love daisy duck! by Narcocide · · Score: 1

    Your poetry sucks.

  4. People are stupid, "leaders" are no exception by gweihir · · Score: 4, Insightful

    Almost all IT security these days is "cheaper than possible" because the people in charge are not able to do risk management. Until there are "reference catastrophes" of sufficient magnitude, they will mistakenly believe they are safe and do nothing. Then they will find out that decades of mismanagement are not easy to fix. It is always the same story. It is always utterly stupid. It is always completely obvious to actual experts what is going on, but nobody listens to them.

    The leadership we have on all levels is not modern, educated, enlightened. It is cave men (and the occasional cave-woman) dressed in suits, full of themselves, greedy, corrupt and utterly incompetent and unsuitable to fill their core responsibilities.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:People are stupid, "leaders" are no exception by Thud457 · · Score: 1

      And even when we do learn our lesson from hard experience, latter generations ignore the perfectly unmistakable warnings their forefathers left behind. Apply this wisdom to current events as you see fit.

      --

      the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    2. Re:People are stupid, "leaders" are no exception by gweihir · · Score: 1

      Indeed. Most of these "leaders" will repeat history because they are unable to learn from it. The thing that really makes me angry is the sheer stupidity involved.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    3. Re:People are stupid, "leaders" are no exception by gweihir · · Score: 1

      I pretty much expect what we have. That does not mean I have to be happy about it.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:People are stupid, "leaders" are no exception by gweihir · · Score: 1

      True, the incentives are utterly perverted.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:People are stupid, "leaders" are no exception by tlhIngan · · Score: 1

      Almost all IT security these days is "cheaper than possible" because the people in charge are not able to do risk management. Until there are "reference catastrophes" of sufficient magnitude, they will mistakenly believe they are safe and do nothing. Then they will find out that decades of mismanagement are not easy to fix. It is always the same story. It is always utterly stupid. It is always completely obvious to actual experts what is going on, but nobody listens to them.

      The leadership we have on all levels is not modern, educated, enlightened. It is cave men (and the occasional cave-woman) dressed in suits, full of themselves, greedy, corrupt and utterly incompetent and unsuitable to fill their core responsibilities.

      A few problems.

      First, you cannot tell the difference between good security and bad security. It always changes, and what was once good policy can turn out to be really bad policy. E.g., forcing password changes on intervals (e.g., every 30-90 days). Or using SMS as a valid form of 2FA.

      Second, like a lot of IT work, the better you are at it, the worse you look. A good sysadmin would hardly lift a finger to do anything - it's all taken care of and often things are proactively maintained so emergencies are practically rare. Thus the admin looks like he does nothing all day - because he's made sure it all takes care of itself. Likewise, proper security practices look like nothing is happening - you may get attacked, but your defenses withstood the attack, so it looks like nothing happened. Where else has this happened? Well, lots of people believe the Y2K bug was severely overhyped because nothing happened, and that was purely because the worst stuff was fixed. But people maintain it was a waste of money because nothing happened.

      Third, security is hard. Defenders have to protect every potential point of entry, while attackers only need one. Just because you're defending against attack #1, doesn't mean you're not vulnerable to attack #2. It just seems you're doing a good job.

      It's practically impossible to dictate the worth to the company - it's like buying a stone that wards off elephants - you're trying to convince people, effectively, "You want $X per year to make sure ... nothing happens?".

      And even worse, you can't compare - perhaps you spent $0 this year, and are safe because you got lucky on #3.

      There's no really clean answer to it - look like a chump for paying millions per year, look like a hero for not. Look like a chump for paying millions and still getting attacked, look like a hero for paying nothing and not. There's no answer to any of this.

      And even worse, do too much and you can make yourself even more exposed because your users will rebel when you interfere with their work.

    6. Re:People are stupid, "leaders" are no exception by gweihir · · Score: 1

      A few problems.

      First, you cannot tell the difference between good security and bad security.

      I disagree. The people who can are out there and you can hire them. Not cheap and they will tell you things you will not want to hear. But you can get them to look at your situation, tell you where you stand, and what you need to do to keep that standing or to improve it.

      I do agree (basically summarizing the rest of your points, my apologies), that it also takes real insight to recognize these experts and that hiring them and doing what they recommend is often politically problematic and often actually impossible without getting yourself fired. But the problem is neither on the technology side, nor on the risk-management side. Both can be done. The problem is purely political.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  5. Steps for panic including profit by Anonymous Coward · · Score: 1

    1: Flash something to Teslas and other "always-on" vehicles. A lot of vehicles use interference engine designs, so by having those mistime, cylinders will smash into valves, and that is the end of that.
    2: Wait for a natural disaster like a hurricane, or something requiring an evacuation.
    3: Trigger the vehicles to destroy their engines, or just erase their ECM firmware.
    4: ????
    5: Profit.

    It only takes a few vehicles to be disabled from remote as a percentage to render all highways out of a city impassable, and with a lot of businesses having zero interest in security (breaches can make the top brass wealthy, as they can short before the announcements hit), it would not be difficult for a dedicated blackhat group to do this, putting themselves on the map.

  6. Every building fire alarm has a security flaw by mea2214 · · Score: 2

    Anyone is authorized to pull it even if there isn't a fire.

    1. Re:Every building fire alarm has a security flaw by Anonymous Coward · · Score: 1

      Anyone is authorized to pull it even if there isn't a fire.

      The fire alarm is open to anyone in the building.

      The flaws discussed here are open to anyone on the Internet.

  7. Re:I love daisy duck! by K. S. Kyosuke · · Score: 1

    I love daisy duck!

    We both quack together during a leisurely fuck.

    balls deep in feathers and it feels so right!

    ...something tells me you're not quite so bright?

    --
    Ezekiel 23:20
  8. Re:Icing on the cake by Mr D from 63 · · Score: 1

    The mainstream media does a good enough job creating panic as it is. More so I might add than any one man with a twitter account.

    No kidding. They just claim vulnerabilities exist, then say there haven't been any successful hacks yet, and the only example they provide was a human error event, not a hack at all.

  9. Re:Simple reason by ole_timer · · Score: 2

    ...a "sophisticated" hack...

    --
    nothing to see here - move along
  10. Re:Simple reason by gweihir · · Score: 2

    And if it is large enough, blame "terrorists" or "traitors". Also a very old strategy that works time and again.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  11. Re:Simple reason by ole_timer · · Score: 1

    ;) ...or it was "allowable espionage" or "...it was no one's fault..."

    --
    nothing to see here - move along
  12. Wasn't this one of the Die Hard movies? by taustin · · Score: 1

    And about a dozen episodes of CSI?

  13. Critical infrastructure connected to the Internet by najajomo · · Score: 1

    "Security flaws have been found in major city infrastructure such as flood defences, radiation detection and traffic monitoring systems."

    What retard connected their city infrastructure directly to the Internet?

  14. Re:Critical infrastructure connected to the Intern by wyHunter · · Score: 1

    Almost all of them. Believe it or not.

  15. Put my tax money toward storm defense please by Lije Baley · · Score: 1

    How many people have actually been seriously harmed or killed by something like what is described in these over-hyped "oh noes we need more security!" (read: give us more money) scenarios? Whatever number you come up with, it will be nothing compared to the damage caused by natural causes - storms, heat, cold, animals, not to mention the stupid things that humans do. I'll put my money towards limiting damage from those things, thank you. I want my power company to trim the trees and bury the power lines, to prevent days-long outages that kill people, instead of spending money on keeping hackers from flipping off a substation or generator for a few hours, ruining your cocktail party.

    --
    Strange things are afoot at the Circle-K.