Comments

John • March 19, 2019 7:27 PM

@albert
"Convenience trumps security every time."

Yes... but it's because that's what consumers buy... not because that's what The Elite coerces them into buying...

Normal ordinary people don't "get" security. It is mystical magical unicorns to them, so they don't care if they get it or not... But they "get" convenience. It is something they desire. It's something they (think they) understand. Even if they don't really need it, it's more obvious to them, it's tangible, visible...

Only when security goes horribly wrong do people start caring... but the horse has left the barn by then... and they are still mystified how to deal with it, they don't want to change their behavior to be less convenient to get it, they just want someone else to fix it for them...

Why? Because you can't "see" security... you can only see the results of security going horribly wrong, after someone hacks in and your widget doesn't function anymore (or blows up and kills everyone, depending on the situation). It's going to take a seriously horrifying mess to make people care enough to make it better....

Winter • March 20, 2019 2:24 AM

@albert
"The computerization of America (and the World) has enriched a few lucky ones by billions of dollars, and it's done so without much concern for any resulting problems."

Try to sell that idea to all those billions who now have a mobile phone + internet access who could not even know what happened in the next village a decade or so ago. The computerization has made life better for most humans (including yours).

I live in an area with a lot of intricate water works, with bridges that have to open and close, water locks etc. Having people that drive around checking and operating is not an efficient option.

I agree with Bruce that government should mandate good security, they are the ones that commission and operate all these installations.

This is not much different from plane and car safety rules. It will never be perfect, but air travel has become pretty safe over the years.

Phaete • March 20, 2019 6:53 AM

I'm not sure if I can agree with calling that article from technologyreview "good".

It's 2 years late, no real additional information, just a link to a half year old FireEye attrib report.
It has a clickbait title.
More than 50% of the article uses scaremongering type of sentences instead of informative or otherwise.

I'd say a writer had a quota to meet and rewrote an old article, resulting in a subpar read.

1&1~=Umm • March 20, 2019 9:45 AM

From the article,

"'Their research paints a worrying picture of a sophisticated cyberweapon built and deployed by a determined and patient hacking group whose identity has yet to be established with certainty.'"

Is in effect pointing out the attribution problem. The article goes on to indicate that a company thinks it has even identified a University Professor behind it.

Politically it sounds good as it targets Russia, but originally the same types of researcher pointed at Iran because it appeared to be the Geo-Political choice at the time.

Does this worry people?

It would me if I was a member of that Professors family or one of his students etc. It's about a decade now since the US raised the 'kinetic response' flag. But we forget that some countries actually follow through, as with Israel and Gerald Bull. Oh and the US are known to go after individuals with cruise missiles and more modern reusable thus far less costly UAV drones with weapons like 'hell fire'. As you would expect there has been collateral damage, that if this continues could easily be coming to a nice middle class urban area near you real soon.

It's something people really should be having serious conversations about. Especially as there is way too much 'That's horrible, nobody would do that' thinking. People really should get to grips with the notion of 'If it's possible then someone will do it sooner rather than later' as this malware amply demonstrates.

The article mentions Union Carbide and the Bhopal 'accident' what few remember now is it was not just cheap labour that caused the plant to be 'out sourced' there. At that time there was no compensation law in India that could be used by potential victims to get compensation and the Indian government had put in place various policies for amongst other things what we now call 'arms length management' where Union Carbide were not exactly actively involved. Also local parts sourcing giving rise to the use of undesirable or substandard parts thus causing not just maintenance issues but safety ones as well. Further as those involved in the early days of 'outsourcing to India' officials would include in their labour cost promotions the fact that the compensation laws were 'business friendly'. So if the plant did blow up 'so what' it won't affect the profits with massive compensation claims and the attendant legal fees. But further they also pushed the lack of 'zoning' thus the workers would live literally in the plant's shadow, thus transportation provision was not needed...

It's worth looking up what happened after that. It's a classic case of 'attribution failure' oh and Stratfor and WikiLeaks get to make appearances.

Even though India has brought in legislation since, it still has shocking working conditions with child labour still being exploited, whose lives are often miserably short. It's clear that there is no 'trickle down' effect of any meaning as the differential between the few at the top and the masses at the bottom just continues to widen.

But there is also another important lesson in there for all of us. The Triton attack got caught by pure chance and the fact the Saudi Company involved was actually more security conscious than the industry standard. But attacked it was and via the Internet through what you could fairly call 'Industrial IoT Devices'. They might be bigger and more expensive, but they have a lot of DNA in common with those ultra cheap Chinese 'spy on you' IoT devices that try to leverage profit by the gathering and marketing of your PII. Both have a very soft and vulnerable underbelly and a lot of the security failings in one appear in the other.

I've been around the block a few times when it comes to Industrial Control Systems (ICS) and their very distinct lack of security due to technical transparency being given preference. Thus I'm well aware of the failings waiting for those that adopt IoT. Which is why I avoid them entirely, because I know that sooner rather than later someone with no morals or ethics will do the same again.

Thus we should be talking about when not if there is a 'Triton for the home' and just what the heck we are going to do as clean up afterwards. Do we allow the War Hawks to walk around humming 'Send in the Drones' or do we ensure that we have suitable spares and maintenance people to keep not just the lights turned on but clean water flowing in and sewerage flowing away to be dealt with. Because if we don't the 'Great Stink of London' will be coming to a town close to you, not that you will care because the chances are the delivery schedule systems for supplying shops will have failed and the shelves will be bare of staples such as food... Need I remind people of the 'KFC Crisis' where people could not get the bargain bucket they wanted or some such that became national news.

Slight joking aside if you really want to hurt civilians in big numbers you have two choices,

1) Cascade Failures in infrastructure

2) APT type attacks on the 'supply chain' management systems.

As many have found chairs are not easy to sit in when one leg has gone, but two? That's become a skill that will appear on 'The US has got talent' show ;-)

albert • March 20, 2019 11:58 AM

@John,
"...but it's because that's what consumers buy... not because that's what The Elite coerces them into buying..."

The Elite are consumers as well. Who buys the "security systems" for large corporations? If you think they're smarter about computer security, think again. They simply delegate IT decisions to their experts. No skin off their nose if things go south. The computerization of society has led to almost total dependence on computer systems. Was this the plan of the Elite? No, I don't think they're that smart.

Other than that, you make some good points.

..
@Greg Lorriman,
I actually agree with the gist of your comments. The Elite have control of most world governments. They have an almost unlimited greed for money and power. The problem is simply -unlimited- or -unfettered- capitalism, or socialism, or whatever system you're talking about. This is the capitalist system we live in. It's not the fault of the government, they're only actors on The Stage; the "stand here, and say this" folks. They are bought and paid for by the Elite. Most members of Congress are second-string Elite anyway.

Different systems of government have different organizational constructions, but they all have Elite classes that run things. In a dictatorship, the dictator and his minions are the Elite class. In so-called socialist or communist countries, the Elite are the ruling Party. They all live like kings. Our Founding Fathers were the Elite of their day, setting up a republic to keep the rabble at bay. If you want an excellent history of world-wide elitism, see "Rule By Secrecy", by Jim Marrs.

@Winter,
"...The computerization has made life better for most humans (including yours)...." Don't tell me, tell the folks who died in the two Boeing 737MAX crashes. How about the woman killed by the self-driving car? The list is long, and grows longer every year.

Nothing beats a competent human being overseeing automation, even assuming competent people built the automation.

. .. . .. --- ....

Dave Lahr • April 15, 2019 8:57 AM

In the article the author lays out the idea that the hackers first infiltrated the corporate system to figure out what hardware was being used in the plant, then obtained the hardware to develop the malware. Wouldn't it be easier / equally likely that they hacked the manufacturer (Schneider Electric) and figured out who they were shipping to? Heck, figure out their most popular models shipped to the broadest set of customers, then buy the hardware, write the malware, then start deploying it.

Who else uses the same model equipment as the Saudi plant? Now that they quietly* demonstrated they can do it, won't they go for high-stakes / high-value targets?

* quietly in that only security experts are interested. Others will maybe take notice when there is an actual disaster

Clive Robinson • April 15, 2019 7:37 PM

@ Dave Lahr,

"Wouldn't it be easier / equally likely that they hacked the manufacturer (Schneider Electric) and figured out who they were shipping to?"

Yes and no.

It depends on if you are performing a "targeted attack" on a specific site, or a more general "fire and forget" attack on what's out there.

The former stratagem is that used by APT type attacks, the latter the run of the mill "low hanging fruit" style attacks, where you just cast your hook into a target rich environment...

There are exceptions such as there is no clear way into a targeted site, you launch "fire and forget" with a highly targeted payload delivery. That way it spreads out replicating over and over. Only on finding a specific key does it unlock the payload and deploy it.

If you remember back to Stuxnet it had that sort of replication pattern. Then later Flame had a similar replication process but the payload had been highly encrypted by what was in effect a one way process. The decryption key was not included with the malware, instead it read in certain data from the computer and multiply hashed it. If the result was a valid key then the payload got decrypted, if it was not valid the payload went from encrypted payload to effectively being double encrypted thus as useless to malware investigators as the encrypted payload.

I had an argument with a security researcher Nicholas Weaver about it because he posited the usual impossibility of the brute force search.

My viewpoint was that brute force was irrelevant, there was around a billion PCs out there one of which most definitely had the key on it. Thus what was required was an application the AV companies could put out that would harvest the information and phone home with it. Thus the search would be not 2^256 of the brute force but one of 2^30 or so for the actual key forming data returned by the application.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.