
Tuesday, February 21, 2012

The Dogma of Stupid: US Infrastructure Security

There has been some recent news "chatter" about the threat to our country's infrastructure from the hacker group known as "Anonymous."

You've probably seen them, or at least pictures of them, with the "V for Vendetta" masks on.

About six months ago the US Department of Homeland Security warned us about them: "Several racist, homophobic, hateful, and otherwise maliciously intolerant cyber and physical incidents throughout the past decade have been attributed to Anonymous, though recently, their targets and apparent motivations have evolved to what appears to be a hacktivist agenda."  More recently, US General Keith Alexander of the NSA brought these fears up again (see this).

But this really makes me wonder...

For one thing, Stuxnet and its friends, like Duqu, have been around a while and are specifically designed to attack the kind of infrastructure you see in "the real world" - Iranian centrifuges notwithstanding.

Unfortunately for all of us, Microsoft Windows and its variants (Windows XP, Windows 2000, Windows 2003 Server, Windows 2008 Server) as well as things like the Microsoft web server IIS have thoroughly taken over the world.  There are probably very few businesses left on earth that do not have some form of Windows-based software in use.

Sadly, many large infrastructure-type businesses, e.g., power plants, waste processing facilities, water treatment plants, and so on, have picked up Windows systems over the years as well.  Now, in and of themselves, the only real danger from these Windows-based systems in a stand-alone environment, i.e., not connected to the internet, is that they might crash - probably an acceptable risk for run-of-the-mill systems in offices.  (One caveat: Stuxnet itself showed that "not connected" is not the same as "unreachable" - it walked onto isolated systems on USB sticks.)

For industrial controllers, i.e., software running the power plant or waste water system, again not connected to the internet, the danger is even less.  Typically these commercial systems are well tested and debugged before being put into production.

The real danger here is that, for whatever reason, some moron has decided to connect these systems to the internet.

And this is where the fun begins.  Most computers running industrial equipment have a very specific job to do.  For example, in a waste water system this might involve monitoring pumps, pump speeds, valve positions, that sort of thing.  The infrastructure of the plant was designed to work a certain way, i.e., fill tank A; when tank A reaches point X turn on agitator motor C for 10 minutes; open valve D; ...

The Windows-based controller, when installed, is programmed to perform these tasks.  It receives inputs from various sensors, it controls various devices, and it does its job.

Normally these systems had no need to use the internet at all - at least until 15 years ago or so.  After all, why would they?

Updates and monitoring were handled with dialup systems - you remember - 1200 baud or 56K modems - that worked over phone lines.  These dialups spoke specific "languages" and answered only at specific phone numbers, so hacking into them required finding the number (war-dialing), knowing the protocol, and often the vendor's own software - a lot of specialized knowledge and access.

But more recently all this has changed.  For many reasons, cost and convenience chief among them, the dogma of stupid drove everyone to connect these systems to the internet.  Now, rather than paying for a special phone line, the remote technician can simply "telnet" in (sending the password in clear text across the network) and fix the system.  Diagnostic data can simply flow automatically to remote systems for monitoring.

(This is well documented in the IT world.)

Seems simple enough.

Until Anonymous shows up.

Now Anonymous doesn't have to be very smart to hack these systems - they don't have to be geniuses.

Why?

Because Microsoft has already done their work for them.

You see, when all these Windows-based systems were connected to the internet, all the well-understood flaws of Windows - particularly in an internet environment - were also exposed.

Long ago Bill Gates (remember him?) thought the internet was a "joke."  "Who would use that?" he wondered.

So when Windows was being built, the whole notion of security was, well, not worried about.  Microsoft, you see, liked code to be efficient, not secure.  Secure was expensive because the software, to be secure, had to do more work, and more work means more processing, which means the "user experience" is "slow."

So everywhere in Microsoft's code all sorts of shortcuts were taken to ensure things were fast.  No one ever considered the consequences of this (and to be fair this was not an issue at the time).  Tens of millions of lines of code were written.

All of it buggy.

So for the last ten or fifteen years hackers have been figuring out these bugs and exploiting them.  Hacking into a remote Windows system that is missing known patches is close to trivial - there are web sites around that provide toolkits and instructions for writing viruses for Windows.

So Anonymous really doesn't have to do any work to be successful, especially at the operating-system level.

On top of this, lots of folks at these various infrastructure businesses (like the local "Water Works") don't worry (or even know) about configuring these controllers for security.  So most passwords are defaults, like "1234."  And once someone figures out one, there are probably hundreds more with the same password.

Do you think they patch their systems?  Do they upgrade from old, insecure versions to the latest ones?

Nope - the budget crisis and their pension obligations have left them all cash-strapped - so no patches or updates for many years.
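As an added illustration (this is not code from the original post), here is a small Python audit run over a constructed controller inventory. It flags exactly the weaknesses described above: default passwords, the same password reused across hosts, clear-text telnet management reachable from the internet, and years without patches, then triages each host. The inventory rows, the default-password list and the two-year patching threshold are assumptions made for the example, not data from any real plant.

```python
import csv
import io
from collections import Counter

# Constructed inventory for this example (not real plant data).
INVENTORY_CSV = """\
name,role,os,reachable,mgmt_proto,password,last_patched
wwtp-pump-01,pump controller,Windows 2000,internet,telnet,1234,2004
wwtp-pump-02,pump controller,Windows 2000,internet,telnet,1234,2004
wwtp-agitator,agitator HMI,Windows XP,plant-lan,rdp,1234,2009
wwtp-hist,historian,Windows 2003 Server,internet,ssh,Kq7v9zR2pX,2011
wwtp-ops-pc,operator workstation,Windows XP,plant-lan,none,Summer2011,2011
"""

# Assumed list of vendor/default passwords; a real audit would use the
# documented defaults for each product in the inventory.
DEFAULT_PASSWORDS = {"", "1234", "0000", "admin", "password"}

# Management protocols that carry the login in clear text on the wire.
CLEARTEXT_MGMT = {"telnet", "http", "ftp"}

# Assumed policy: a host is "stale" after this many years without patches.
MAX_PATCH_AGE_YEARS = 2


def load_inventory(text):
    """Parse the CSV inventory into a list of dicts, one per host."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(rows, audit_year=2012):
    """Return {host name: [issue tags]} for every host in the inventory."""
    password_users = Counter(r["password"] for r in rows)
    findings = {}
    for r in rows:
        issues = []
        if r["password"] in DEFAULT_PASSWORDS:
            issues.append("default-password")
        if password_users[r["password"]] > 1:
            issues.append("shared-password")  # one guess unlocks several hosts
        if r["reachable"] == "internet":
            issues.append("internet-reachable")
            if r["mgmt_proto"] in CLEARTEXT_MGMT:
                issues.append("cleartext-remote-management")
        if audit_year - int(r["last_patched"]) > MAX_PATCH_AGE_YEARS:
            issues.append("stale-patching")
        findings[r["name"]] = issues
    return findings


def severity(issues):
    """Rough triage: an internet-reachable host whose login can be guessed
    or sniffed is the worst case; everything else ranks below it."""
    exposed = "internet-reachable" in issues
    weak_login = {"default-password", "cleartext-remote-management"} & set(issues)
    if exposed and weak_login:
        return "critical"
    if "default-password" in issues or "stale-patching" in issues:
        return "high"
    if issues:
        return "medium"
    return "ok"


def summarize(findings):
    """Count how many hosts carry each issue tag."""
    return Counter(tag for issues in findings.values() for tag in issues)


if __name__ == "__main__":
    findings = audit(load_inventory(INVENTORY_CSV))
    for host in sorted(findings, key=lambda h: len(findings[h]), reverse=True):
        tags = ", ".join(findings[host]) or "-"
        print(f"{host:15} {severity(findings[host]):9} {tags}")
    print("totals:", dict(summarize(findings)))
```

The shared-password check is the one people forget: it is computed across the whole inventory, not per host, because the point of "1234" on one pump is that it is also on the next pump. Swap the constructed CSV for a real export and the same logic applies.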

(Of course, there are many, many other types of hacking as well involving WiFi, exploiting humans, etc.)

All of this is available on the internet by simply Googling "buffer overflow example code windows."

But the US government doesn't want you to know all this - because then they, the collective "government," look stupid.  Stupid for installing probably millions of Windows-based systems at every level of infrastructure and hooking them up to the internet.

So instead they work to create a "dogma" about Anonymous - evil racist, homophobic bastards.  No doubt they will come and eat your children.

The truth, of course, is that Anonymous is simply pointing out that the government (and industry) is following the dogma of stupid.  Not checking passwords, not securing things, hooking mission-critical systems to the internet, that sort of thing.

Basically the government (and industry) are the ones at fault, for hooking up mission-critical systems with known-to-be-lax security to the internet.

But you'd never get that (or all this) by reading the Homeland Security PDF.

Now ask yourself.

Does the local nuke plant really have that much better security on their software systems?

There's a good reason, I think, that Anonymous chose the "V for Vendetta" mask as their symbol.

The movie is about how the "repressed" everyday "joe" stages a revolt against a controlling, totalitarian and stupid government.  V is the "leader" of this revolt and wears the "V" mask.

All this is old news.

Anonymous are indeed hackers, but they are standing on the shoulders of those who came before them in terms of technology and technique.

They seem to be more "political" than anything else.

Could Anonymous take down the power grid?

You bet...  And they probably wouldn't even break a sweat.  How many old Windows computers in the guise of "industrial controllers" do you think are wound into important elements of the power grid control in the US?  Most significant US power grid failures result from the propagation of one failure - just watch the Discovery Channel for details (I wonder if Anonymous does?).

How many of these controllers probably have the default password of "1234?"

Figure this out and you will see that the probability of attack is basically 100% and only a matter of time.

This is the dogma of stupid.
