Mercury Rising 鳯女

Politics, life, and other things that matter

Paging Richard Clarke…

Posted by Charles II on January 23, 2008

Tom Espiner, ZDNet:

CIA senior analyst Tom Donahue told a SANS Institute conference on Wednesday in New Orleans that the CIA had evidence of successful cyberattacks against critical national infrastructures outside the United States.

“We have information that cyberattacks have been used to disrupt power equipment in several regions outside the U.S.,” Donahue said. “In at least one case, the disruption caused a power outage affecting multiple cities.”

Donahue added that the CIA does not know who executed the attacks or why but that all of the attacks involved “intrusions through the Internet.”

The CIA analyst added that his agency had evidence of blackmail demands following demonstrations of successful intrusions.

And then there’s this from Dan Goodin in The Register, via Sonja Thompson at ZDNet:

Over the past four days, 15 per cent of the blocked malicious traffic has come from just a few hundred sites, which appear to be legitimate ecommerce destinations that have been compromised by attackers. This prompted Landesman to do some digging, and what she uncovered is unlike anything she’s seen before.

For one thing, the sites themselves are hosting the malware, which is then foisted on visitors. Most of the time attackers are unable to gain such a high degree of control over the sites they hack, so they redirect end users to servers under the control of bad guys and use them to drop malicious payloads. 
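The Register piece draws a line between two patterns: a hacked site that merely redirects visitors (a hidden iframe or script tag pointing at a host the attacker controls) and a hacked site that serves the payload itself, which is harder to spot because every URL still belongs to a name the visitor trusts. The scanner below, added here as an illustration and not code from this post or from the article, triages a page's active content along that line. The page URL, the hostname shop.example, the CDN allow-list and the HTML it scans are all constructed for the example; the dot-directory and obfuscation checks are heuristics, not a signature.

```python
"""Triage the active content on a web page for signs of injection.

Added example, not code from the original post or the Register article.
It separates references that pull content from a third-party host (the
redirect-to-attacker-server pattern) from payloads served by the
compromised site itself, and flags hidden elements and obfuscated inline
script. The page, the hostname shop.example and the allow-listed CDN host
are all constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ACTIVE_TAGS = {"iframe", "script", "object", "embed"}
# Crude markers of the unpacking stubs common in injected inline script.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode(")


def _is_hidden(attrs):
    """True for display:none / visibility:hidden or boxes of 1px or less."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width", "100"))
        height = int(attrs.get("height", "100"))
    except ValueError:  # e.g. "100%": treat as visible
        return False
    return width <= 1 or height <= 1


class ActiveContentScanner(HTMLParser):
    """Collect every active-content reference and the reasons it looks injected."""

    def __init__(self, page_url, allowed_hosts=()):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlparse(page_url).hostname
        self.allowed_hosts = set(allowed_hosts)
        self.findings = []
        self._script_buf = None  # collects inline script text while inside <script>

    def _reasons(self, url, attrs):
        reasons = []
        parsed = urlparse(url)
        if parsed.hostname != self.site_host and parsed.hostname not in self.allowed_hosts:
            reasons.append("loads active content from unexpected host " + str(parsed.hostname))
        if _is_hidden(attrs):
            reasons.append("element is hidden or zero-sized")
        # Heuristic: legitimate sites rarely serve scripts from dot-directories;
        # payloads dropped into a writable upload or cache area often live there.
        if any(seg.startswith(".") for seg in parsed.path.split("/") if seg):
            reasons.append("served from a dot-directory on this site")
        return reasons

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data")
        if tag == "script" and not src:
            self._script_buf = []  # inline script: inspect its body at the end tag
            return
        if not src:
            return
        url = urljoin(self.page_url, src)
        self.findings.append({"tag": tag, "url": url, "reasons": self._reasons(url, a)})

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            self._script_buf = None
            reasons = []
            if any(marker in body for marker in OBFUSCATION_MARKERS):
                reasons.append("inline script uses an eval/unescape-style unpacking stub")
            self.findings.append({"tag": "script", "url": None, "reasons": reasons})


def scan(page_url, html, allowed_hosts=()):
    scanner = ActiveContentScanner(page_url, allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def flagged(findings):
    """Only the findings that carry at least one reason."""
    return [f for f in findings if f["reasons"]]


# Constructed checkout page: a clean local script, an allow-listed CDN script,
# a hidden off-site iframe (redirect pattern), a local payload in a
# dot-directory (self-hosted pattern), an obfuscated inline loader and a
# benign embed.
PAGE_URL = "https://shop.example/checkout"
SAMPLE_PAGE = """<html><body>
<h1>Checkout</h1>
<script src="/js/cart.js"></script>
<script src="https://cdn.example.net/jquery.min.js"></script>
<iframe src="http://198.51.100.7/in.php" width="0" height="0" style="border:0"></iframe>
<script src="/images/.cache/loader.js"></script>
<script>document.write(unescape('%3Cscript src=%22/img/x.js%22%3E'));</script>
<embed src="/media/promo.swf" width="300" height="120">
</body></html>"""

if __name__ == "__main__":
    for f in flagged(scan(PAGE_URL, SAMPLE_PAGE, allowed_hosts={"cdn.example.net"})):
        print(f["tag"], f["url"] or "(inline)", "->", "; ".join(f["reasons"]))
```

Run against the sample, the off-site iframe is caught twice over (foreign host, zero-sized), while the self-hosted loader only trips the path heuristic: with a legitimate host and a visible element, the allow-list and hidden-element checks that catch redirects say nothing, which is exactly why the self-hosted case is the harder one to detect and why the article's "unlike anything she's seen before" reaction makes sense.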

You know, US Army field operations are also increasingly dependent on the Web. If hackers can paralyze business and utilities, they can probably do some pretty bad things to soldiers in the field.

4 Responses to “Paging Richard Clarke…”

  1. Charles said

    Oh, by the way. One of the infected web pages is that of Computer Associates.

  2. Michael said

    The commercial web is tenuous. Web 2.0 really will replace 1.0.

  3. Stormcrow said

    Web 1.0 was a nightmare. And Web 2.0 is even less secure than Web 1.0 was. If you doubt this, spend some time digging into the security history of PHP.

    Compromise of legitimate e-commerce is nothing new, and we’re going to see a lot more of it. Multiple reasons:

    (1) The Windows monoculture of the trusted internal network (and ALL of them are Windows-only these days) is fabulously open to attack. When you have more than a few thousand seats of Windows, even keeping three months behind the latest MS patches becomes a major, major undertaking, with much pain for everyone involved. I’m not guessing, because I was intimately involved with such an effort in my last job.

    Once you have turned “beachhead” systems in the trusted network, compromise of the web layer can be done from the inside.

    (2) Like I said earlier, Web 2.0 is even less secure than Web 1.0 was.

    (3) Security is NEVER, EVER designed in. So the costs of after the fact security, which are always an order of magnitude greater, are a serious barrier to management buy-in.

    If you don’t have that buy-in, you are dead in the water. Pack your things and leave; you’re not going to do any good there. I speak, again, from personal experience as well as the consensus opinion of the security community.

    (4) The bad guys are motivated by profits, profits, and more profits. Al Qaeda and recreational hackers are either not in the game at all, or are bit players. And the crooks are very, very good at what they do. Compromise of a legitimate web site is the next best thing to the Holy Grail for these guys. Just imagine the ROI of malware attacks mounted from a site people trust and therefore do not treat with normal care. They’re going to jump through quite a few hoops to do this.

    I have been tracking the “cyberattacks against power systems” story, and so far, NO specifics have been released.

    The story seems to have started with CIA senior analyst Tom Donahue, who announced this at a recent SANS conference. All Donahue would say was that they happened in “several regions outside the United States.” See Hackers Cut Cities’ Power (Forbes) and CIA Admits Cyberattacks Blacked Out Cities (Information Week). Here is the SANS Newsbites story: CIA Confirms Cyber Attack Caused Multi-City Power Outage. John Robb’s take is at JOURNAL: System Disruption for Economic Gain.

    Bruce Schneier puts much of the reporting down to hyperbole: Hacking Power Networks. So does Rob Rosenberger at Vmyths: SANS director confirms the CIA confirmed … absolutely nothing.

    The timing of the release of this information, whether it is true or not, may have been calculated. The day prior to this story breaking, FERC released its new critical infrastructure protection standards. The FERC news release is at FERC approves new reliability standards for cyber security. These have been in the works for a year and more: US approves standards to keep electric grid hacker-free.

    What we know for sure is that the SCADA controls we are using to manage our electrical power grid were designed two decades ago. This is a cause for legitimate concern in and of itself.

    Note that most of the protocols that have given all of us in the security community so much pain over the last decade or so were also designed a couple of decades or more ago: smtp (email transport), telnet, ftp, NFS and SMB (file sharing), SNMP (network monitoring), the whole RPC suite, etc., etc., ad nauseam. Every one of these has a whole set of Grand Guignol security horror stories all to itself.

    These systems all have one thing in common. They were originally designed for a “friendly” environment and are deployed into what is now, two decades later, No Man’s Land.

  4. Charles said

    Thanks for the rundown, Stormcrow. Please let me know if the CIA ever releases specifics.

    I guess my main concern is that we are devoting all our resources to a military response to terror. But much more important even than who controls Iraq is who controls the Internet. That’s what Richard Clarke’s message was.

    What the criminals pioneer, terrorists will eventually use. So, it pays for many reasons to crack down hard on all forms of crime and electronic intrusion.

    Of course, if the government would stop wasting resources on wiretapping us and reading out e-mail, that would not be so hard.
