This is bad in several dimensions.
The Los Angeles Department of Water and Power has been accused of deliberately keeping widespread gaps in its cybersecurity a secret from regulators in a large-scale coverup involving the city's mayor.
Posted on March 11, 2020 at 10:52 AM • 11 Comments
Mike • March 11, 2020 11:42 AM
Is there a link to the 10 page complaint, if it is in fact publicly available? I hate when things like this (or similarly, court rulings) are reported without a link to the source.
Kurt Seifried • March 11, 2020 12:12 PM
I'm guessing
“And the appropriate steps have been taken to ensure that our cybersecurity is compliant with all applicable laws and security standards.”
Is actually not completely incorrect. Most standards/laws don't force you to keep up to date or even on supported versions of software.
myliit • March 11, 2020 12:41 PM
Doea anybody know how good/bad LA’s voting machines were?
Nik • March 11, 2020 12:57 PM
@myliit :
Last time I voted in Los Angles -2019 was a paper vote with INK-A-VOTE. The machines themselves :
hxxps://www.verifiedvoting[.]org/resources/voting-equipment/ess/inkavote/
In the area of cryptography and key management, multiple potential and actual vulnerabilities were identified in the InkaVotePlus, including inappropriate use of symmetric cryptography for authenticity checking, use of a very weak homebrewed cipher for the master key algorithm, and key generation with artificially low entropy which facilitates brute force attacks. In addition, the code and comments indicated that a hash (checksum) method that is suitable only for detecting accidental corruption is used inappropriately with the claimed intent of detecting malicious tampering. 106 instances were identified of SQL statements embedded in the code with no evidence of sanitation of the data before it is added to the SQL statement
No worries there. The bigger worry is the history of corruption and funds disappering from LADWP and such. They certainly saved on infrastructure maintenance in order to give large payouts to top officials.
Norio • March 11, 2020 1:16 PM
“Forget it, Jake, it’s Chinatown”
Matt • March 11, 2020 1:24 PM
"Most standards/laws don't force you to keep up to date or even on supported versions of software."
NIST CSF PR.IP-12: A vulnerability management plan is developed and implemented
Per NIST, that maps to the following:
CIS CSC 4, 18, 20
COBIT 5 BAI03.10, DSS05.01, DSS05.02
ISO/IEC 27001:2013 A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3
NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2
There are certainly standards and laws that mandate patching and using supported software.
POLAR • March 11, 2020 1:33 PM
@Norio
Passwordless Brooklyn
jewel, autograph • March 11, 2020 9:17 PM
bruce, this was a very informative video interview regarding cybersecurity or lack thereof. https://www.youtube.com/watch?v=l0RPn9Ikh0A
Impossibly Stupid • March 12, 2020 5:44 PM
This is news? I don't normally deep link to my own blog, but these jokers have been insecure going back until at least 2013:
Who is in control at the Los Angeles Department of Water and Power?
It may not be a coincidence that that was the same year mentioned in relation to litigation over their billing software problems. Why does it always seem like the $30 million no-bid contracts never go to someone who knows what they're doing?
{0=0,1=1} • March 13, 2020 12:52 PM
In the community of L.A.'s defense, they have been under siege in my opinion by more than one sortie of acts of what I believe were and are acts of domestic terrorism. The loss of property and lives and livelihoods has likely been underreported and underestimated.
They are entitled to shield themselves from further attacks.
Even the adult industry workers of Chatsworth(?) California are not unanimous in their activities nor beliefs nor cultures nor origins. And that suburb is not represtative of the whole of L.A.
ABC Disney pushes a significant quantity of controversy with fewer (less) punitive results going their way.
How's this for a kicker?: I might have been personally acquainted with several of the perpetraitors and accomplices.
From a different angle, however,: Why are we often being forced to teach digital and computer systems what we already understand or experience with ease? This seems both suspiscious and reasonable to me.
P.S. - What is lurking underneath the cement squares in your front yard's sidewalk chiseled away by the elements and the unknown? The part that I knew of, had only one(1) location, and has likely moved on elsewhere many years ago.
Please cease attempts to destroy this planet; we already have plenty of issues. Maybe you'd like to take a look elsewhere within the universe at other cosmos?
{0=0,1=1}
{0=0,1=1} • March 13, 2020 12:55 PM
EDIT: (correction of previous comment, recheck your tallies)
"This seems both suspiscious and UNreasonable to me. "
unreasonable
unreasonable
unreasonable
unreasonable
unreasonable
checksum(google form's and lack of sleep) = not a joke.
a maxi pad makes a better OTP, ODB. OTF EOTx
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Leave a comment