Re: Demarcation?!?
"It beggars belief that all these utility companies don't have better network designs."
In the circumstances "design" seems too strong a word.
Hackers infiltrated a water utility’s control system and changed the levels of chemicals being used to treat tap water, we're told. The cyber-attack is documented in this month’s IT security breach report (available here, registration required) from Verizon Security Solutions. The utility in question is referred to using a …
Maybe I'm being too pedantic but 'hacktivist' is not a term I ever associated with causing actual harm to people - messing about with the chemical balance of a water supply is a long way off that. It doesn't matter that they didn't succeed in the end.
That said, I see the main concern is that the customer information wasn't used for fraud, so maybe I just have my values all wrong.
"maybe I just have my values all wrong"
You have. Google Camelford incident. That was an operational cock-up but it seems likely that something similar or worse could be achieved deliberately through illegal access to SCADA networks.
Having said that, if details of 2.5 million customers were exposed then they should be notified irrespective of whether there's any evidence of fraud. In fact, if they weren't notified it would be difficult to know whether there had been fraud or not. Hiding the whole incident behind a pseudonym is just irresponsible.
You mean 'pour'.
Your vengeance-filled angry reaction originates from somewhere very close to your reptilian brain stem. It's thus about as interesting or thoughtful as the firing of a single neuron in a Petri dish.
I've noticed this sort of ugly reaction-style post over the years; it's a very consistent style, and it's become something of a pet peeve for me. (Sorry.)
Typically the thread degenerates into a contest with subsequent entries like "No! Pour FLAMING PETROL down their throats. Cut their d#$&s off." "No! Use flaming Bunker fuels and pump it into their ears..." Etc. Etc. Etc.
It would be useful to come up with a catchy name for the style of post, to make it easier to denigrate. Any ideas?
"It would be useful to come up with a catchy name for the style of post, to make it easier to denigrate. Any ideas?"
A 'post-tard', as in retard at posting, and rhymes with postcard, which is used for brief inane messages.
Similarly 'mutard' for those who don't know how to use the mute button on a conference call and end up talking to themselves.
Yes, pour.
I see you are from the cupcake generation, where nobody gets punished, and everyone gets a trophy.
I am from the worked-for-it generation, where if you hurt someone you get hurt, and if you get a trophy you worked hard for it.
I have no sympathy for those that would inflict suffering on others for amusement, and see punishment for such actions as just. But maybe you want to give them a lollipop? And if your children are hurt or killed by these people you might see the world as it is and not through rose-tinted glasses.
Call my reaction Vigilant, and I will call yours Cupcake.
'Vigilant'? Hardly. If your plan was Vigilant it would have involved actually looking at something rather than giving them and their kids injections in the eyes of radioactive napalm-spiders.
The people responsible for this are the ones who shared credentials for critical systems on front-end web services. Those who made it so that the control systems were connected to the public Internet.
The hackers were, according to the report, basically as clueless as the security bods and management who enabled them. The hacker was probably just a script kiddie arsing about and found this system, or a student looking to drop his water rate. He/she may not even have known it was a control system. So save the "crush their testicles with Osmium-booted rhinoceroses" talk for the people who caused the problem rather than those who bumbled into exploiting it.
"The people responsible for this are the ones who shared credentials for critical systems on front-end web services. Those who made it so that the control systems were connected to the public Internet."
Hmmm, I can't disagree that it's completely stupid to do what you've outlined above and that they have a level of responsibility, but your argument is a bit like "it's your fault for being burgled as you have nice stuff!". Regardless of the cluelessness of the individuals who perpetrated this, they are ultimately responsible for what they do, and "bumbling into exploiting it" does not absolve them from that responsibility...
My view - YMMV.
"The people responsible for this are the ones who shared credentials for critical systems on front-end web services. Those who made it so that the control systems were connected to the public Internet."
A characteristic of the "cupcake" generation is their willingness to blame others for their own (and others') ill deeds. While the sysadmins in this case were clearly misguided, clueless and/or negligent, they are not responsible for the breach.
Responsibility lies clearly with the perp. End of story.
A "hacktivist" group with ties to Syria....
Verizon's RISK Team uncovered evidence that the hacktivists had manipulated the valves controlling the flow of chemicals twice – though fortunately to no particular effect.
To be sure, if they weren't caught they would have been back.
Simply remove email and Internet access from the majority of your employees. Far too many seem to assume it is a right to have a company email address and Internet access when the reality is very few employees actually need it for their jobs. Other messaging systems (such as Lync) can be limited to internal-only conversations, removing the spear-phishing threat and yet providing the same or better internal service than email. Then air-gap those few systems used for external email for those users whose role does require email from access to core networks.
Occam's razor, folks.
Never attribute to malice that which can be adequately explained by stupidity:
http://www.bbc.co.uk/news/uk-england-cornwall-17367243
Alright it may have been hacktivists, but it may have been water authority fuckwits.
paris, to fuck yur wits in the meantime....
This may be news to many of our younger adherents, of course.
Read and learn, gentlemen.
Another example of what happens when the bean counters decide free is better and the coders think using the internet for everything is way cool. Only fools and idiots will put sensitive, proprietary, or mission critical software onto the internet. They keep forgetting that a net is a bunch of string held together by holes and that a cloud is a bunch of holes held together by vapor.
The crux of the problem is why the two systems were ever linked to begin with. Treatment plant control systems have no need to be linked to the customer payment system or even to be on the Internet. SCADA systems 30 years ago were not linked to anywhere but the control room, which is one site, so the connections were hardwired. This worked and still works.
The coroner Mr Rose got it completely wrong in the inquest on Carole Cross. The presence of aluminium in the brain of an Alzheimer's sufferer is a consequence of, and not a cause of, the illness. Alzheimer's is caused by the development of amyloid plaques in the brain which then adsorb any aluminium which may be present in the bloodstream. Aluminium is present in the diet from other sources and not necessarily the water supply. For example, the average cup of tea contains aluminium which comes from the tea leaves.
At least twice I've registered with Verizon Security Solutions in order to gain some offered benefit. "Fill in this form and we'll send you this or that info." Batting ZERO-for-two in them following through. The name 'Verizon Security Solutions' has thus acquired an aroma of incompetence. Negative brand equity.
What is it with people in the 'IT Security' field?
I would be willing to bet that the reason they are accessible from the web is due to lazy engineers who use VNC to remote in. In fact some engineers are so lazy they do not want to use a password to log on.
If you have never heard of this site http://vncroulette.com and the absolutely insane things they find: what they find is open VNC servers, open to the world.