Experts Hack Power Grid in Less Than a Day 302
bednarz writes "Cracking a power company network and gaining access that could shut down the grid is simple, a security expert told an RSA audience, and he has done so in less than a day. Ira Winkler, a penetration-testing consultant, says he and a team of other experts took a day to set up attack tools they needed then launched their attack, which paired social engineering with corrupting browsers on a power company's desktops. By the end of a full day of the attack, they had taken over several machines at the unnamed power company, giving the team the ability to hack into the control network overseeing power production and distribution."
I hate the term "Social Engineering" (Score:1, Insightful)
Is everything on the internet? (Score:3, Insightful)
Realistically, no part of a nations critical infrastructure should be networked (other than the internet itself). That seems pretty obvious.
Oops. (Score:5, Insightful)
Even something as simple as opening a few junctions could cause fireworks..take a look at some online videos about 'opening hot' for example..now imagine if that arc caught other pieces of equipment because the line was still energized.
Simply put, the power industry needs to step up to the plate and harden both their network infrastructure and their meatspace infrastructure against malicious attack.
Re:I'm Shocked! (Score:5, Insightful)
Re:Is everything on the internet? (Score:3, Insightful)
Re:I'm Shocked! (Score:5, Insightful)
Security Measures (Score:5, Insightful)
I should hope that critical things like "TURN THE WHOLE POWER GRID OFF" are not even on a secure server. They should be on terminals that are not even connected to the Internet, much less networked to anywhere else in the building.
It's awfully difficult to hack something when it isn't connected to the Net. Even simple security like multiple checkpoints, a keycard, and several biometric scans (as well as regular, and often, virus and spyware scans) to get to a secure terminal would go well towards protecting the security of our power networks. Hell, post a guard nearby who isn't incompetent.
The one thing Social Engineers/Con Men fear most is challenges - and by challenges, I mean challenges of authority. PROVE you are who you say you are. Check their records against a secure terminal or a hard copy of an employee roster. If anything is remotely fishy, no matter how "important" they say the work is, don't let them past you.
Vigilance is the key, and far too many critical parts of our infrastructure still fail at it to this day.
Here is a "sane" security measure (Score:5, Insightful)
Seperate networks? (Score:4, Insightful)
Re:I'm Shocked! (Score:3, Insightful)
Re:Here is a "sane" security measure (Score:5, Insightful)
Re:I hate the term "Social Engineering" (Score:5, Insightful)
Lying is telling a falsehood as truth.
Scamming is offering something but never following up, or following up with less than was promised (e.g. bait and switch or fake companies that run off with money).
There's big differences in those definitions.
The most obvious example I know of is social engineering with USB pen drives. A penetration testing company was asked to test corporate security. They did it by leaving a number of USB pen drives around the office. With no lying or scamming, people took the drives, wondered whose it was, plugged it into the computer, and the drive automatically grabbed some data. At the end of the exercise the pen. testers listed the names of people who had connected the drives, even when its origin was unknown. No lying or scamming was involved, but there was a social norm that they exploited as social engineering, which is that people will look to see what is on it to see if they know whose it is. If it had been a virus/trojan then that simple social engineering could have taken down the network, been pumping out spam, or allowed someone access via a back door.
Re:I'm Shocked! (Score:3, Insightful)
After the '03 outage it made me wonder how safe all those high-rise electrical towers that run across the country are. A stick of dynamite on a tower itself, or even just a few shots with a rifle to the wires attached. Would just one tower lead to another blackout - scary considering those towers are of course everywhere.
I've wondered over the years what someone with a high powered rifle taking potshots at oil/propane/liquid hydrogen tankers on the interstates would do. Mainly this crosses my mind while driving alongside one of them and having seen too many Hollywood movies with things blowing up.
Re:I'm Shocked! (Score:4, Insightful)
Seperation of privileges is the best method. Social engineering tends to work because people who have privileges lack certain information and/or lack authority in the role of the privileges they have.
If you have full authority in your role and personally know everyone who is involved in your role then you can't be easily tricked by people outside your role in to doing things.
This requires education and a proper company structure, which requires good smart people in management.
Re:I hate the term "Social Engineering" (Score:5, Insightful)
That is probably the ONLY example I've seen that DOESN'T involve lying or scamming. Usually 'social engineering' refers to calling in to the receptionist, posing as the IT helpdesk, or something else, and then have them tell you their passwords...or type 'arcane things into a command line'...or run the attachment in an email you send them...and they do it without a 2nd thought. And that, would be a clear case of 'lying' or even 'scamming'.
Phishing sites, email spam from 'John' that says "Check out our Vacation Photos", etc also fall under the wide umbrella of 'social engineering'.
Re:I'm Shocked! (Score:2, Insightful)
DANGER WILL ROBINSON!
CRITICAL FAILURE IS IMMINENT, YOU MUST SHUT DOWN THE REACTOR IMMEDIATELY
Please enter password:
Password is incorrect!
Password is incorrect!
Password is incorrect!
You have been locked out for 10 minutes.
Re:I hate the term "Social Engineering" (Score:5, Insightful)
Similarly, wearing a fluorescent jacket and working on an exchange box or other equipment isn't lying or scamming anyone, but through social engineering and societal training you'll get away with what you're doing because people go "oh, he's a contractor, he must be doing some contract work".
Ditto for walking in to buildings - we've got guards at the main gates, but once you're in then you can get in to a lot of buildings without question just by looking like you belong and having something pass-like hung around your neck. You're using people's social expectations of "he is on site, has a pass and knows what he is doing so must be allowed here" to get you in to places where your swipe card won't work.
Re:I hate the term "Social Engineering" (Score:3, Insightful)
Re:I hate the term "Social Engineering" (Score:5, Insightful)
Lying by omission is when an important fact is omitted, deliberately leaving another person with a misconception. This includes failures to correct pre-existing misconceptions. One may by careful speaking contrive to give correct but only partial answers to questions.
Even my 4 year old has no difficulty understanding that weaseling like this is a form of lying.
I agree you can engage in social engineering without lying, but its an important and ubiquitous tool of the trade.
As for your uniformed workers, while they don't by definition have to communicate with anyone, odds are they will. And odds are they'll at the very least have a prepared lie to go along with their outfit. Whether or not they use it. Hell, even the guys that went around leaving usb drives probably had a cover story in case someone had confronted them. "I'm just returning it." or "Its got some marketing materials for the new yadda yadda..." or whatever.
Re:What kind of oversight do Loyal Bushies give??? (Score:3, Insightful)
Re:I hate the term "Social Engineering" (Score:3, Insightful)
The problem with them is that they do not denote the subject at hand with the precision required in a serious discussion of security.
Sure, lying and scamming may tools of social engineering, but there are social engineering attacks that do not use those, and there are plenty of lies and scams that do not qualify as social engineering.
I.e. there is an overlap but not congruence. Draw your own Venn diagram if you have to.
They are simply different concepts. Get over it.
Re:I hate the term "Social Engineering" (Score:3, Insightful)
Besides, are you actually lying when you only tell truths and never say a false word? It is deceit by omission because you're giving a wrong impression by missing out information, but is that lying or is it just deceit as no untruth has been spoken?
Re:I hate the term "Social Engineering" (Score:5, Insightful)
In order to immunize you from certain diseases a doctor injects you with a vaccine, which is pretty much the same thing but unable to do real harm. once your body knows what the threat is, it can react appropriately when it encounters the actual thing.
Re:Oops. (Score:4, Insightful)
I'd argue that building for safety is right up there, perhaps before economy even.
It's just that the power company's idea of safety != producing, delivery 100% of the time.
Electricity itself is dangerous. So the power companies do all sorts of things like install breakers to shut off the power if a potentially dangerous situation is detected. First is protect human life*, second is the expensive equipment. A fuse is cheap, even if it costs $100 because it's designed for 18KV@1KA compared to a switching station transformer.
Anyways, on 'possibly lives from extended loss of power.'
Anybody dependant on electricity for life should already have backups as necessary. If you're dependant on electricity to power a charger for your artificial heart, dialysis machine, breathing assistance device**, or whatever, you should have a generator, battery backup, whatever's needed. I mean, the way power delivery goes, local events can take out power to a house/business fairly easily, and are fairly common.
I think one guy with a medical problem requiring frequent access to electricity had the house hookup, a backup generator, and a 12V adaptar for cars.
*If nothing else, dead people tend to be REALLY expensive.
**Though I imagine simple pressurized O2 and an appropriately selected mechanical valve system should be able to eliminate the need for electricity for a good while.
Re:I hate the term "Social Engineering" (Score:5, Insightful)
Re:Here is a "sane" security measure (Score:3, Insightful)
Doesn't make it right. I'm not defending, just pointing out the obvious reason.
Re:die hard (Score:2, Insightful)
Bah... If you can't do it in under a minute while a gorgeous girl is <ahem> distracting you and John Travolta is holding a gun to your head, you're no-one.
Re:Here is a "sane" security measure (Score:1, Insightful)
Re:I hate the term "Social Engineering" (Score:3, Insightful)
Re:Here is a "sane" security measure (Score:4, Insightful)
Cost.
In a lot of cases, you have the power company desktops on the Internet and they have their own lan for desktops etc.
But then those computers CAN access the critical systems.
Then they slap a firewall or VPN inbetween the desktops and the critical systems... wow, it's magically OFF THE INTERNETS!
If you disconnect the two LANS, you're much more secure, but then Lazy McFatass has to WALK to a boring green screen to manage it.
It's much cheaper and employee friendly to just let these people access the secure systems from their desktop, using a remote terminal. Very sad, but true... and very risky.
Remember, it was poor desktop security and a WINDOWS VIRUS that knocked out the US Northeast power grid some 5 or 6 years ago.
Re:I blame the cold medicine (Score:3, Insightful)
Of course this works only in Windows! There you have another reason to use a Mac or Linux. Why, oh WHY does MS program their OS to automatically run whatever crap is on a data storage device?