Hackers Cut Cities' Power
#1
Hackers Cut Cities' Power
Cyber-security experts have long warned of the vulnerability of critical infrastructure like power, transportation and water systems to malicious hackers. Friday, those warnings quietly became a reality: Tom Donahue, a CIA official, revealed at the SANS security trade conference in New Orleans that hackers have penetrated power systems in several regions outside the U.S., and "in at least one case, caused a power outage affecting multiple cities."
"We do not know who executed these attacks or why, but all involved intrusions through the Internet," Donahue said in a statement. "We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge."
Other details were murky: Donahue didn't say when or where the cyber attacks had occurred, or how many people had been affected. He also glossed over what element of the systems had been exploited.
In recent months, security researchers have emphasized long-standing security vulnerabilities in the Supervisory Control and Data Acquisition (SCADA) systems that control U.S. critical infrastructure systems ranging from power plants to dams to public transit (See "America's Hackable Backbone").
At the DefCon hacker conference in August, researcher Ganesh Devarajan of the security firm Tipping Point gave a presentation showing techniques that hackers can use to find points in SCADA systems that are vulnerable to hijacking and sabotage. The next month, the Associated Press obtained a U.S. Department of Homeland Security video, known as the "Aurora Generator Test," demonstrating how a cyber-intrusion could be used to physically destroy a large power generator.
In the past two years, hackers have in fact successfully penetrated and extorted multiple utility companies that use SCADA systems, says Alan Paller, director of the SANS Institute, an organization that hosts a crisis center for hacked companies. "Hundreds of millions of dollars have been extorted, and possibly more. It's difficult to know, because they pay to keep it a secret," Paller says. "This kind of extortion is the biggest untold story of the cybercrime industry."
Paller told Forbes.com in June that he expected those incidents to increase, and warned that a botched extortion attempt could lead to accidental damage. "There's been very active and sophisticated chatter in the hacker community, trading exploits on how to break through capabilities on these systems," he said. "That kind of chatter usually precedes bad things happening."
Cyber-extortion and its collateral damage aren't new, says Bruce Schneier, chief technology officer for security firm BT Counterpane. He says that offshore-hosted Web sites, most often offering pornography and gambling, are frequent victims of hacker extortion. Targeting power companies, however, is a new wrinkle, he says.
But Schneier suggests that security researchers shouldn't assume that SCADA was the weak link in the power system attacks revealed Friday. If, as the CIA suggests, the penetration involved "inside knowledge" of the system, it may have been performed by an employee with administrative access. "How much of this is a computer vulnerability, how much is a human vulnerability?" he asks. "I wouldn't jump to any conclusions."
Regardless of the tactics used to hack the foreign power systems, he warns that the U.S. has no special immunity. "There's nothing magical about a system being in the U.S.," he says. "The same vulnerabilities are everywhere."
The SANS Institute’s Paller, who says Donahue had carefully considered the decision to reveal the power grid attacks, believes the CIA made its revelation with American security in mind. “My sense is that they wouldn't have disclosed this if they thought the problem had been fixed,” he says.
by:Andy Greenberg 01.18.08/ co: http://www.forbes.com/2008/01/18/cyb...rss_popstories
#2
RE: Hackers Cut Cities' Power
We knew it was coming. This is what happens when you allow your company's controls to be accessible over the internet. It may be a benefit to the workers but is also a liability without proper monitoring and protection.
#5
RE: Hackers Cut Cities' Power
That isn't the point. Way to be a dick.
The point is that such a high-profile company is so easily infiltrated. Access to security cameras can give thieves the upper hand if they were to plan something. There are millions of possibilities.
Not only do you have control over cameras on these networks, you also have control over secondary computers, printers, and whatever is on the network.
All this can be done through Google.
#8
RE: Hackers Cut Cities' Power
Interesting. But if you knew how lax Disney was on security, it's really a moot point. There's a ride that's been closed for a few years now and I know people who have walked right into it. I believe it was called Imagineering or something like that? I know the lower level of the attraction is still open but upstairs has been closed for quite some time. Kinda sad to see that place in the shape it is in up there though.
After googling like you said Sebba, I dunno how you managed to get ANYTHING from those videos. I couldn't read a thing that ANY of them were typing in for searches...