Tag Archive for critical infrastructure

Cyber defense by semantics: hacks are now called “computer glitches”

The New York Stock Exchange is down and United Airlines is not flying for half a day. Naturally, everyone’s wondering what’s going on. The public wants an explanation from the FBI and the affected institutions, and fast.
The response is quite astounding.
Voila! Cyber security problem solved: from now on all hacks are to be called “computer glitches.” United and the NYSE computer network outages are only the latest glaring examples of a classic bureaucratic solution to the problem – defense by semantics.
This “expert” explanation means two things: a) it’s a fairy tale designed for little children and big fools; and b) the “cyber security experts” of the affected entities and the FBI probably have no clue as to what happened. That’s a very good indication of an expertly executed cyber attack: the effect is obvious, but the attack itself has not even been detected, never mind attributed to “the Chinese” or “the Russians.” It is really unfathomable that programmers working on critical programs like these simply found “glitches.” Such programs are written and implemented by highly qualified programmers and software engineers and are tested numerous times under all imaginable circumstances. Furthermore, they’ve been running for quite some time with no “glitches” detected, and all of these systems have built-in redundancies precisely in case of a “glitch.”
The “glitch” explanation is very convenient for those who failed to provide cybersecurity of this country.
All these events are a clear indication of our massive cyber security failure. This failure was inevitable. On the one hand, in the last quarter century widely known cyber attack technology has advanced dramatically and is becoming increasingly widespread. What only a few government agencies in the world could do a while ago can now be done by a lot of people, often by mere script kiddies, and certainly by our sworn enemies, who aren’t restricted in what they can attack: the more damage the better. On the other hand, our cyber security has not advanced at all over the same quarter century. This is the inconvenient truth, despite all the marketing and politically soothing statements from the entrenched cybersecurity establishment.
It is really sad that people responsible and paid for providing our cyber security are getting away with this cyber defense by semantics. No doubt the next step is to make the term “hacking” politically incorrect and make everyone use “computer glitch” instead. When that fairy tale runs out, they’ll think of another term. That’s assuming our computers are still functioning.

Power grid: when cyber lines cross

We have very little time to cure our stone age cyber defensive technology.
The CNN story citing testimony by Admiral Michael Rogers, head of U.S. Cyber Command, to the House Select Intelligence Committee on November 20 sounded like shocking news. He stated that China can take down our power grid. http://www.cnn.com/2014/11/20/politics/nsa-china-power-grid/index.html

Shocking as it may be, if this is still “news,” surprise, surprise — it’s been known to everyone who was anyone in cyber security for over 25 years. First it was just the Russians, then the Chinese, then some vague criminals acting on behalf of “nation-states” were gradually added to the list.
Never mind the Russians and the Chinese – they also both have enough nuclear weapons to kill every squirrel in America. What is really troubling is the cyber security trend. Our cyber defensive capabilities have hardly improved for over a quarter-century. However, hackers’ attacking capabilities are improving constantly and dramatically. This is not a good equation — sooner or later these lines will cross. This means that a large number of unknown hackers will be able to take down our power grid and also decimate our power-intensive facilities, such as oil refineries, gas distribution stations, and chemical factories.
Now, think terrorists. They would be delighted to do exactly that, whether you kill them afterwards or not. This isn’t news, but it’s an increasingly troubling reality. We have very little time to cure our stone age cyber defensive technology. But that requires changing the current equation and making cyber defense inherently more powerful than the offense. That won’t happen until the doomed legacy password and firewall paradigms are abandoned and replaced by fundamentally different technologies.

“Russian Hackers” brand

The media constantly speculate about what “Russian hackers” are doing against Western targets. Publications such as The New York Times are increasingly concerned about “Russian hackers” in the energy and financial sectors in particular:

http://www.nytimes.com/2014/07/01/technology/energy-sector-faces-attacks-from-hackers-in-russia.html?nlid=58721173&src=recpb

http://bits.blogs.nytimes.com/2014/07/07/russian-arrested-in-guam-on-array-of-u-s-hacking-charges/

The term “Russian hackers” needs some clarification. Cyber operations in Russia are conducted by numerous entities with vastly different objectives, resources, and constraints.

At least one distinct Russian military entity is tasked with infiltrating the critical infrastructure of potential adversaries, planting electronic/cyber bombs that can be activated when ordered, with a devastating result that would only be surpassed by a massive nuclear strike. This activity has been successfully carried out against the US for decades, and several generations of this malware are now sitting all over our critical infrastructure. Top American experts have deemed it practically impossible to detect and eliminate this malware. Welcome to the real world.

Totally different tasks are assigned to other Russian government entities. Acquiring technical/technological intelligence has been a traditional Russian favorite, and it has become significantly more aggressive with the opportunities presented by cyberspace. This kind of intelligence can save a lot of research money, effort and time while providing solutions with minimal delays. In the energy sector this is particularly significant for gaining competitive advantage in world energy markets. The results are easy to coordinate, since most Russian energy companies are government-controlled, which gives a great advantage to companies like Gazprom.

The financial sector offers a different kind of target. It attracts the concentrated attention of a wide variety of Russian hacking entities. This sector is simultaneously a part of our critical infrastructure, a vital resource for successful investment strategies for the vast amounts of various types of Russian money in the West (and East), and a practically unlimited source of money to steal with little chance of being caught. Consequently, this industry is under attack from all sorts of hackers: government, corporate, and private entrepreneurial.

This brief breakdown shows why so-called “Russian hackers” should be differentiated, and as a phenomenon it is certainly not unique to Russia. The players involved differ vastly in size, resources, sophistication and risk tolerance. Taking these differences into account enables us to better understand the nature, origin, and objective of Russian cyber attacks.

Utilities Hacking Paradigm Shift

With the pleasant long weekend over, now is a good time to check up on recent cyber history. It’s a common government practice to release potential “hot potatoes” just before a holiday in the hope that they will pass generally unnoticed. So it’s useful to review the pre-holiday week’s releases right after the holiday. Something there caught my eye that I would like to address.

Interesting questions were raised by the following article, oddly published by an Australian publication on May 22: http://www.gizmodo.com.au/2014/05/hackers-broke-into-a-public-utility-control-room-by-guessing-a-password (“Hackers Broke Into A Public Utility Control Room By Guessing A Password.”) In short, the story comments on the DHS announcement that a break-in by hackers into the control system of an unspecified public utility had been discovered and fixed. This raises at least two questions.

The first question is why the announcement was made at all. Everybody who is anybody in cybersecurity knows that within the US-Russia-China triangle practically all internet-connected utilities have been penetrated for decades. Malware amounting to electronic bombs has been mutually installed by these countries and has gone through several generations of upgrades; it is ready to use and extremely difficult to detect. Obviously, the most vulnerable side of the triangle is the US, since it has the most advanced and most connected network of utilities. The existing status quo in the triangle is somewhat similar to the famous MAD, Mutually Assured Destruction, of the Cold War, and the situation is pretty stable. So, if it’s not news, why announce it? This question can probably be answered by the second question.

The second question is: what has been left unsaid in the announcement? This is probably the key to the whole thing. The announcement mentioned “hackers,” with no hints as to their identity. But the interesting detail is that the attack was performed by a very unsophisticated “brute force” approach, which any hacker with a modern computer can do easily. So, the only plausible explanation for the whole announcement is to tacitly acknowledge that some rogue hackers were able to penetrate a public utility, and to suggest that more such attacks may be coming. Obviously, rogue hackers of many stripes do not have the mutual restraints of the US-Russia-China triangle, and without such restraints they can do real damage.
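The brute-force path described above, as an added example that is not from the original post or from the DHS advisory it discusses: a minimal detector run over constructed, syslog-style authentication lines. The log format, host name, addresses (RFC 5737 documentation ranges) and thresholds are all assumptions chosen for the illustration. It flags the two things an operator of a remotely reachable control room would want to see: a burst of failed logins from one source inside a short window, and the case the story describes, a successful login that follows such a burst from the same source.

```python
"""Brute-force login detection over constructed auth log lines.

Added illustration, not code from the original post or from any DHS product.
Log format, host name, IP addresses and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like syslog format (an assumption).
# First source guesses its way in within seconds; the second fails twice,
# 45 minutes apart, then succeeds, which a one-minute window ignores.
SAMPLE_LOG = """\
2014-05-19 02:14:01 hmi-gw sshd: Failed password for operator from 203.0.113.7 port 51234
2014-05-19 02:14:03 hmi-gw sshd: Failed password for operator from 203.0.113.7 port 51236
2014-05-19 02:14:04 hmi-gw sshd: Failed password for admin from 203.0.113.7 port 51237
2014-05-19 02:14:06 hmi-gw sshd: Failed password for operator from 203.0.113.7 port 51240
2014-05-19 02:14:07 hmi-gw sshd: Failed password for operator from 203.0.113.7 port 51241
2014-05-19 02:14:09 hmi-gw sshd: Accepted password for operator from 203.0.113.7 port 51244
2014-05-19 02:30:00 hmi-gw sshd: Failed password for operator from 198.51.100.9 port 40001
2014-05-19 03:15:00 hmi-gw sshd: Failed password for operator from 198.51.100.9 port 40002
2014-05-19 03:16:00 hmi-gw sshd: Accepted password for operator from 198.51.100.9 port 40003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$"
)


def parse(line):
    """Return (timestamp, accepted, user, src) or None for an unrelated line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["result"] == "Accepted", m["user"], m["src"]


def detect_bruteforce(log_text, fail_threshold=5, success_after=3,
                      window=timedelta(minutes=1)):
    """Return alerts as (timestamp, src, kind, recent_failure_count).

    kind == "burst": a source reached fail_threshold failures inside window.
    kind == "success_after_failures": a source logged in successfully while
    it still had at least success_after failures inside window, i.e. the
    password was most likely guessed rather than typed.
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # unrelated line; a fuller parser would count these too
        ts, accepted, _user, src = rec
        recent = failures[src]
        # Slide the window: forget failures older than `window`.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if not accepted:
            recent.append(ts)
            if len(recent) == fail_threshold:  # fire once per burst
                alerts.append((ts.isoformat(sep=" "), src, "burst", len(recent)))
        else:
            if len(recent) >= success_after:
                alerts.append((ts.isoformat(sep=" "), src,
                               "success_after_failures", len(recent)))
            recent.clear()  # a real login resets the counter for that source
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(*alert)
```

The second source shows why the window matters: two failures 45 minutes apart followed by a success look like an operator mistyping, not a guessing attack, so the detector stays quiet. Tighten `fail_threshold` or widen `window` to catch slow, low-rate guessing at the cost of more false alarms.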

Overall, it looks like the DHS is laying down the proposition that when some real damage is done, they can say that now anybody can take control of our utilities, as we warned you.

Cyber Bombs

Victor Sheymov’s Blog on Cyber Security and Intelligence

An important and often overlooked aspect is that many computers are infected by malware well before that malware is triggered. It means that many of our critical infrastructure computers already contain “cyber bombs” that are waiting to be triggered at a time chosen by the attacker to maximize the damage. This malware is extremely difficult to detect, and on a large scale such detection is a practical impossibility. Furthermore, disconnecting computers from the Internet would in most cases be ineffective, since malware can easily reconnect the computer to the Internet if suitable hardware and a wireless access point are present, and they usually are. So we are sitting on multiple bombs embedded in our critical infrastructure, at the mercy of multiple unknown attackers.

Thus we are facing a grim reality that we do not fully comprehend, and not much has been done about it so far. Our position has not improved over the years; indeed, it has deteriorated. The technology of cyber attacks has advanced more than the technology of computer security. Let us review how we got into this situation and, more importantly, how to get out of it.

Running out of Time

As a country, we are slowly coming to the realization that we are vulnerable. We are almost subconsciously accustomed to knowing that we are vulnerable to a nuclear attack by a very powerful potential adversary; luckily, there are only two of them on this planet. We are getting used to the realization that we are vulnerable to a possible collapse of the globalized monetary system. But we have yet to realize that we are vulnerable to a cyber attack that could be more damaging than anything except a massive nuclear strike. The most startling fact is that such an attack could be delivered by an individual or a small group with a few thousand dollars and access to nothing more than the Internet. This aspect is politely called “asymmetric warfare,” but in fact it represents the failure of our security technology.

The estimated annual cost of global cyber crimes is $960 billion, but that is just a small part of the threat. Damage to critical infrastructure and major industrial assets can easily surpass that, not to mention the potential of massive loss of life. We are beginning to realize that a cyber attack can literally incapacitate our critical infrastructure. Cyber attacks can explode oil refineries and chemical factories, clog up our streets and make emergency services powerless if they themselves are still available, and leave our houses without heating and air conditioning—or even blown up by the manipulation of gas distribution systems. If this list is not impressive enough, it can be very easily extended. And the reality is that at this time we are not doing much to defend against such attacks.