Category Archives: Security

Winter Risk Management

Some recent fun in the fluffy stuff. Ride safely:

Just like information security on a large corporate network. Want me to explain how to achieve NERC CIP 002-009 compliance, or perhaps how to avoid HIPAA fines? Let’s go skiing instead. Speaking of tips, when in Vail on a big powder day, head for Red Square:

Way to go Heath!

Utility limiter kills veteran

A truly gut-wrenching story is now being circulated about a WWII veteran who slowly froze to death after a utility company installed a device that shut off his power. The Star Tribune headline gives a good indication of where things are headed: Freezing death of Mich. man in house sparks anger, soul-searching, resolve to prevent repeat

On Jan. 13, a worker with the city-owned utility installed a “limiter” on Schur’s electric meter after four months of unpaid bills. The device restricts power and blows like a fuse if usage rises past a set level. Electricity is not restored until the device is flipped back on by the homeowner, who must walk outside to the meter.

City Electric Light & Power did not contact Schur face-to-face to notify him of the device and explain how it works, instead following its usual policy by leaving a note on the door. But neighbors said Schur rarely, if ever, left the house in the cold.

At some point, the device evidently tripped and was not reset, authorities said. Schur’s home was heated by a gas furnace, not electricity, but some gas furnaces do not work properly if the power is out.

Should the neighbors have monitored his situation and intervened? Should the utility have engaged with its customer more directly? Both raise questions of monitoring and surveillance, and therefore of privacy. For some, the most pressing issue is that the man was elderly and needed special care, but it is not clear how or when a utility can collect and act on that level of personal detail without running into the privacy problems that come with it. On the flip side, if a customer has paid his bill regularly for fifty years, how difficult can it be for a utility to wait a couple of months until temperatures and conditions are safe before cutting power and opening an investigation?

Also worth noting is that the utility in question is a municipal entity and therefore escaped a law designed specifically to prevent this type of tragedy.

CyberWar Against Kyrgyzstan

A Russian ‘cybermilitia’ is being blamed for disrupting Kyrgyzstan’s networks:

…what’s worrisome to [Don Jackson, the director of threat intelligence at SecureWorks] is the speed with which this attack was mounted. “To put some perspective on this, it’s been an escalating pattern from Estonia to Georgia to here,” he said, referring to the 2007 and 2008 attacks against other former Soviet republics. “The attacks are more closely coinciding with events that are core to the Russian interest, with increasingly fast response and quick mobilization.

“When it once took days or weeks, now we’re seeing it within hours,” Jackson said.

The so-called “militia” is really a group that manages botnets and servers more commonly used for spam and phishing. They are believed to be Russian because of the traffic patterns, and the fact that they also turn those resources on political targets underscores their background and interests.

Road Signs Hacked

Austin, Texas discovered that its road signs had been tampered with only a couple of weeks after their vulnerabilities were publicly disclosed, according to statesman.com:

Someone reprogrammed two city construction road signs near the University of Texas early Monday morning in an attempt to warn Austin of an imminent zombie attack.

Messages that typically alert Lamar Boulevard drivers to a detour for Martin Luther King Jr. Boulevard splashed several warnings like “Caution! Zombies Ahead!” and “Nazi Zombies! Run!!!”

Amusing, but the facts of the case are not as impressive as I had hoped.

Jones, who has one of only two keys to the locked access panels on the portable signs, said that the hacker broke into the panels on each sign and bypassed the passwords before leaving five different zombie messages and even changing one of the passwords. Jones said he had to wait until 8 a.m. to call the manufacturing company to figure out how to override the hacker’s work. He speculated that the hacker could be a computer genius from UT.

Uh huh, a genius. That’s definitely the profile of a person who follows public instructions on how to reprogram a road sign. Note that anyone with access to the panel can reset the password to the default even if it has been changed.

The hacking occurred within weeks of various articles appearing online with descriptions of how to hack into these road signs — which point out that such an act is illegal.

Dennis Crabill, project manager with the Public Works Department, said the access panels are always locked and are not programmed with the default passwords these sites suggest. Short of having a watchman on duty around the clock, he said there is little more the city can do to prevent such vandalism.

Once that stupid reset function has been properly fixed, how about stronger passwords? Patches for known vulnerabilities? A more sophisticated combination or keyed lock that resists cutting, instead of a weak one that needs only a key? An alerting system that uses radio or cell to report break-in attempts, or simply that the locked panel has been opened? Timed lockouts after a few failed attempts would also prevent brute forcing the password. I can think of a lot of things other than a watchman.
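To make those suggestions concrete, here is an added example (my own Python sketch, not code from the city, the sign vendor or the articles quoted) of a sign-controller password gate that does the three things the post asks for: it locks out logins for a period after a run of failures, it reports the panel being opened as its own event, and its reset sets a fresh random password instead of restoring a published default. The policy numbers, the door-switch event, the display-once reset and the alert names are all assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Policy knobs. These values are assumptions for the example, not vendor settings.
MAX_FAILURES = 5          # failed logins tolerated before the panel locks
LOCKOUT_SECONDS = 300.0   # how long logins are refused after that
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a dumped controller memory does not hand over the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class SignController:
    salt: bytes
    digest: bytes
    clock: Callable[[], float] = time.monotonic   # injectable so tests can move time
    failures: int = 0
    locked_until: float = 0.0
    # (event, timestamp) pairs a real unit would push out over radio or cell.
    alerts: List[Tuple[str, float]] = field(default_factory=list)

    @classmethod
    def provision(cls, password: str, clock: Callable[[], float] = time.monotonic) -> "SignController":
        salt = os.urandom(16)
        return cls(salt=salt, digest=hash_password(password, salt), clock=clock)

    def _alert(self, event: str) -> None:
        self.alerts.append((event, self.clock()))

    def panel_opened(self) -> None:
        """Assumed door switch on the access panel: report the physical event itself,
        before anyone has typed a single password."""
        self._alert("panel_opened")

    def login(self, password: str) -> bool:
        now = self.clock()
        if now < self.locked_until:
            # Refuse outright; do not even check the password while locked.
            self._alert("login_during_lockout")
            return False
        if hmac.compare_digest(self.digest, hash_password(password, self.salt)):
            self.failures = 0
            return True
        self.failures += 1
        self._alert("login_failed")
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
            self._alert("lockout")
        return False

    def factory_reset(self) -> str:
        """Reset generates a fresh random password rather than restoring a default
        that anyone can look up. Assumed: the value is shown once on the sign's own
        display for the technician; here it is simply returned."""
        new_password = secrets.token_urlsafe(12)
        self.salt = os.urandom(16)
        self.digest = hash_password(new_password, self.salt)
        self.failures = 0
        self.locked_until = 0.0
        self._alert("factory_reset")
        return new_password


class FakeClock:
    """Deterministic clock so lockout expiry can be exercised offline."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Walk through a constructed break-in: panel opened, five guesses, lockout, reset."""
    clock = FakeClock()
    sign = SignController.provision("Correct-Horse-Battery", clock=clock)
    sign.panel_opened()
    guesses = ["DOTS", "1234", "admin", "password", "default"]   # constructed guesses
    results = [sign.login(g) for g in guesses]
    during_lockout = sign.login("Correct-Horse-Battery")         # right password, still refused
    clock.advance(LOCKOUT_SECONDS)
    after_lockout = sign.login("Correct-Horse-Battery")
    fresh = sign.factory_reset()
    old_after_reset = sign.login("Correct-Horse-Battery")        # old password no longer works
    new_after_reset = sign.login(fresh)
    return {
        "guesses": results,
        "during_lockout": during_lockout,
        "after_lockout": after_lockout,
        "old_after_reset": old_after_reset,
        "new_after_reset": new_after_reset,
        "events": [event for event, _ in sign.alerts],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the injected clock is that the lockout is time-based state on the controller, not a delay loop an attacker can wait out by power-cycling; in a real unit the `locked_until` value and the alert queue would need to survive a reset of the panel, which is exactly the reset path the article shows being abused.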

My favorite example so far of this kind of trespass (hard for me to call it hacking when it comes with instructions) came from MIT last year: