Cyber hacking. Your thoughts?

[Fly320s]

My uneducated opinion in I.T. is that the really important stuff should never be connected to the internet. It isn't a matter of "if they hack us," but a matter or "when they hack us."

Why was an important oil pipeline connected/controlled by an internet connection? That is just plain stupid.

[TiMSport]

Quote:

Originally Posted by Fly320s

My uneducated opinion in I.T. is that the really important stuff should never be connected to the internet. It isn't a matter of "if they hack us," but a matter or "when they hack us."

Why was an important oil pipeline connected/controlled by an internet connection? That is just plain stupid.

Agreed. This isn't the first time a critical operation was exposed and sadly it won't be the last.

[EME_Bounce]

The US hacked Iran’s nuclear production facilities that were airgapped. It’s not that simple.

[vreihen16]

Quote:

Originally Posted by Murf993

Might be the rum talking but maybe I should go into consulting.

You couldn't go any worse than the clowns currently collecting pay checks in the IT field!

After 35 years, I seriously want to leave IT for the exciting world of pizza.....

[TiMSport]

Quote:

Originally Posted by vreihen16

You couldn't go any worse than the clowns currently collecting pay checks in the IT field!

After 35 years, I seriously want to leave IT for the exciting world of pizza.....

Lol, that would probably be less stress.

[Murf993]

Quote:

Originally Posted by vreihen16

You couldn't go any worse than the clowns currently collecting pay checks in the IT field!

After 35 years, I seriously want to leave IT for the exciting world of pizza.....

Might be the rum talking but suddenly I feel like Pizza....

[TiMSport]

Quote:

Originally Posted by Murf993

Might be the rum talking but suddenly I feel like Pizza....

My question is are you giving any rum to Woodford?

[Murf993]

Quote:

Originally Posted by TiMSport

My question is are you giving any rum to Woodford?

No, he gets to lick the ice cream bowls though. However he's snoozing next to Lisa right now.

[jmack]

Quote:

Originally Posted by vreihen16

You couldn't go any worse than the clowns currently collecting pay checks in the IT field!

After 35 years, I seriously want to leave IT for the exciting world of pizza.....

I'm only 10 years in infosec and will be moving into goat farming once my kids are in school and my wife can start working again.

[DETRoadster]

Quote:

Originally Posted by Murf993

I mean I loved to google at work as much as the next guy but I'm thinking that you can't get hacked if you're not connected to the inter web right?

Not exactly. I remember the "old days" where the trick was for a hacker to put malicious code on a USB thumb drive, label the drive "employee salaries" and leave it in the company parking lot in the hopes that some dumb ass would spot it on their way in the door and be incapable of not ticking it into their work PC.

Or even earlier than that when computers were a bit of a rarity so we had shared PCs. You'd roll up with your floppy disc full of your work and use the pC for a few hours to do whatever you needed to do. Assholes would leave a virus on the PC that would then infect your disc and propagate to the net PC you stuck it in. I lost a term paper in college that way when the computer lab got infected.

But still, your point is a solid one. Critical infrastructure should be running on PCs that done have an Internet connection and are isolated from the general company network.

[zx10guy]

Air gapped systems are not 100% protected from vulnerabilities. There are other vectors which can introduce malicious code. Having worked in highly classified systems, those dangers are constantly being considered and systems designed to mitigate those risks.

Security is only as good as the mindset of the people that work with the systems and those in charge that dictate policy and funding. This is the foundation. Without this, you can throw the fanciest latest security tech at something and still have the same exposure without using it.

[vreihen16]

Quote:

Originally Posted by jmack

I'm only 10 years in infosec and will be moving into goat farming once my kids are in school and my wife can start working again.

I have joked that I am ready to eschew technology and move to a shack in the woods, but I already live in a small house surrounded by 7,000+ acres of state forest and lived through the Unabomber threats in the 1980's...so that's already been done.

Quote:

Originally Posted by DETRoadster

But still, your point is a solid one. Critical infrastructure should be running on PCs that done have an Internet connection and are isolated from the general company network.

I know of a municipal building in our region where their entire infrastructure is on a flat IP subnet. Servers, clients, access control locks, and even the guest wifi all on the same network with no firewalls or routing whatsoever. Probably designed by some 12-year-old, and signed off on by a politician that types with two fingers because it works...until they get hacked.

I'm not going to name the company, but there is a very large player in the K-12 school content-filtering market that I was asked to look at as a favor when a school near my office couldn't get it to work. Their black box was actually static-coded to ignore the subnet mask and default gateway being provided by DHCP, and assumed a /24 with .1 as the default route. Great assumptions for a cable modem in someone's house, but rendered the thing 100% useless on a segmented network with /26 subnets to isolate rooms. The company did not see any flaw in their logic, and defended their product because they were too clueless to fix it.

As for jumping the air-gap in Iran, an infected USB thumb drive full of "naked women pictures" dropped outside the front door will surely result in a nuclear meltdown in a few hours.....

[CTinline-six]

Quote:

Originally Posted by Fly320s

My uneducated opinion in I.T. is that the really important stuff should never be connected to the internet. It isn't a matter of "if they hack us," but a matter or "when they hack us."

Why was an important oil pipeline connected/controlled by an internet connection? That is just plain stupid.

This.

The reason is to cut cost, maximize profit.

Quote:

Originally Posted by vreihen16

You couldn't go any worse than the clowns currently collecting pay checks in the IT field!

After 35 years, I seriously want to leave IT for the exciting world of pizza.....

I work with several different agencies being employed by an IT contractor, and I think the bigger problem is how businesses in general are run. It's very obvious when we take on a new client whether they see IT as just a service like cable TV, or if it is a tool they invest in to improve and strengthen their business. The businesses where information privacy is a liability tend to invest in much better security, where companies who don't give a shit if information gets hacked like Equifax could care less. A tool is only as good as the person (or organization) using it.

The truth is there should be a lot more security for critical systems like the pipeline and for our personal data, but placing priorities on profits and the way big tech operates doesn't allow for that.

[TiMSport]

Placing priorities on profits and appeasing shareholders will always win out, unfortunately.

[zx10guy]

And why I've been harping on having stated regulations which put in place financial penalties and in the case of gross negligence, jail time. None of these behaviors will change unless organizations and individuals get hit where they do care which is losing money or losing their time sitting in a cell.

The examples of the errant USB device being plugged into an air gapped computer is one example. But many people don't focus on other vectors such as the firmware that's installed in many of the subcomponents of devices. This brings up supply chain security. Many Federal agencies require TAA certified products. Some require BAA. But these come at an additional cost. Some OEMs go one step further to offer up secure supply chain services. Again at an additional cost. Then there's the software. The Solarwinds hack shows how things can go terribly wrong with a trusted software company. Even at the basics such as firmware updates. How many IT staffers spend the time to ensure the firmware is pristine by doing hash comparisons with the OEM's official hash?

[TheWatchGuy]

Quote:

Originally Posted by Murf993

Might be the rum talking but here goes. Why doesn't the command and control system for any infrastructure have a stand alone system for the expressed reason of avoiding hacking.

having built many water and wastewater plants, its not quite as simple as not being connected to the internet.

especially for smaller municipalities, most plants arent staffed 24/7. So in order to be able to monitor and operate plants, they need remote access which creates an entry point for these types of hacks.

the other issue is reporting. the EPA has strict monitoring/sampling/reporting regulations, and some plants auto report these to the EPA, creating another entry point for these types of hacks.

then you also have the water systems that have multiple plants, pump stations, pipelines, etc that all need to report to each other. In a small town, sure, you could hardwire them all together, but that is a significant cost that small towns cant afford. In a big city, its usually not economically feasible or practical to hardwire them all together either.

probably the most secure plant ive ever been a part of was a wastewater plant for a microchip manufacturer. Everything was on a local network and was staffed 24/7. However, even in that situation, they are still vulnerable to outside attacks if someone is able to get on their local network. Especially since this plant still needed a way to communicate with other manufacturing plants throughout the company. And with all the contractors and 3rd party vendors that are constantly coming in and out of the facility, it wouldnt be hard to get in.

All that being said, most water and wastewater plants have fail safe's in place and can be run locally if something like this happened. From hardwired alarms in MCCs and control panels with relays and switches that will shut down the equipment if one of the alarms is tripped, to local control stations that you can manually operate the equipment at locally inputted set points.

[vreihen16]

Quote:

Originally Posted by CTinline-six

The reason is to cut cost, maximize profit.
.
.
.
The truth is there should be a lot more security for critical systems like the pipeline and for our personal data, but placing priorities on profits and the way big tech operates doesn't allow for that.

BINGO! I reported an incident to Microsoft abuse one time. They responded...over a year later! I have the printed emails hanging on my office wall at work to show why Microsoft should be removed from the Internet as an irresponsible organization. FWIW, their abuse (and tech support) appears to be off-shored to Asia, and they are definitely getting what they're not paying for.

I love how the third-world hosting companies frequently have pleas to only blacklist individual IP addresses and not entire networks in their IP whois records. If you don't know what your customers are doing and are shifting the policing to my employer, your entire IP block (and ASN for that matter) has a special place in my firewall's naughty list.

Google is also pretty bad with Gmail. I have developed a set of filter rules to catch about 98% of the gift card and sextortion scams coming from Gmail. As big as a company as they are, they should be able to stop these emails from ever leaving their servers in the first place by implementing similar filters and user behavior heuristics to spot mass mailings. Realize that my pay checks are only 33% of what Google pays for entry-level programmers, and my employer doesn't offer free dry cleaning, cafeteria food, ball pits, or nap pods.....

[Redd]

I'm sorry to tell you all that hackers are by far smarter than any of us in here:

https://www.forbes.com/sites/leemath...from-a-casino/

The most secure computer is this one:

[zx10guy]

Quote:

Originally Posted by Redd

The most secure computer is this one:

I beg to differ:

[UncleWede]

Quote:

Originally Posted by TheWatchGuy

having built many water and wastewater plants, its not quite as simple as not being connected to the internet.

especially for smaller municipalities, most plants arent staffed 24/7. So in order to be able to monitor and operate plants, they need remote access which creates an entry point for these types of hacks.

the other issue is reporting. the EPA has strict monitoring/sampling/reporting regulations, and some plants auto report these to the EPA, creating another entry point for these types of hacks.

then you also have the water systems that have multiple plants, pump stations, pipelines, etc that all need to report to each other. In a small town, sure, you could hardwire them all together, but that is a significant cost that small towns cant afford. In a big city, its usually not economically feasible or practical to hardwire them all together either.

probably the most secure plant ive ever been a part of was a wastewater plant for a microchip manufacturer. Everything was on a local network and was staffed 24/7. However, even in that situation, they are still vulnerable to outside attacks if someone is able to get on their local network. Especially since this plant still needed a way to communicate with other manufacturing plants throughout the company. And with all the contractors and 3rd party vendors that are constantly coming in and out of the facility, it wouldnt be hard to get in.

All that being said, most water and wastewater plants have fail safe's in place and can be run locally if something like this happened. From hardwired alarms in MCCs and control panels with relays and switches that will shut down the equipment if one of the alarms is tripped, to local control stations that you can manually operate the equipment at locally inputted set points.

THIS!!! I TRIED to get our water plant to update the firewall and include a 24x7x365 monitoring service. Our only saving grace at this point is that they only have a 1.5MB/s connection.

All the updates (that aren't applied to SCADA systems) come from an internet source. Licensed software isn't available on a dongle any more.

Heck, our plant is running on a Dell desktop that has a rusted 3.5" floppy drive. I've bought 2 sets of replacement computers, but because they didn't maintain their maintenance agreements (PAY for them) we couldn't upgrade the iFix to Win 10 or 7.
We are just about done with a 5-year IT Master plan. Council will fall out of their seats when they see $8.7m