LA Covers Up Bad Cybersecurity

This is bad in several dimensions.

The Los Angeles Department of Water and Power has been accused of deliberately keeping widespread gaps in its cybersecurity a secret from regulators in a large-scale coverup involving the city's mayor.

Posted on March 11, 2020 at 10:52 AM • 11 Comments

Comments

Mike • March 11, 2020 11:42 AM

Is there a link to the 10 page complaint, if it is in fact publicly available? I hate when things like this (or similarly, court rulings) are reported without a link to the source.

Kurt Seifried • March 11, 2020 12:12 PM

I'm guessing

“And the appropriate steps have been taken to ensure that our cybersecurity is compliant with all applicable laws and security standards.”

is actually not completely incorrect. Most standards/laws don't force you to keep up to date or even on supported versions of software.

Nik • March 11, 2020 12:57 PM

@myliit :
Last time I voted in Los Angeles (2019) was a paper vote with INK-A-VOTE. The machines themselves:
hxxps://www.verifiedvoting[.]org/resources/voting-equipment/ess/inkavote/

In the area of cryptography and key management, multiple potential and actual vulnerabilities were identified in the InkaVotePlus, including inappropriate use of symmetric cryptography for authenticity checking, use of a very weak homebrewed cipher for the master key algorithm, and key generation with artificially low entropy which facilitates brute force attacks. In addition, the code and comments indicated that a hash (checksum) method that is suitable only for detecting accidental corruption is used inappropriately with the claimed intent of detecting malicious tampering. 106 instances were identified of SQL statements embedded in the code with no evidence of sanitation of the data before it is added to the SQL statement


No worries there. The bigger worry is the history of corruption and funds disappearing from LADWP and such. They certainly saved on infrastructure maintenance in order to give large payouts to top officials.
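The quoted report's point that a checksum "suitable only for detecting accidental corruption" was used for tamper detection is worth seeing concretely. The example below is added here and is not code from the post, the comments or the InkaVote system; the record layout, the field names and the key are constructed for illustration. It shows that CRC-32 is linear over GF(2), so an attacker can alter a record and then compute four bytes which, appended to it, bring the CRC back to the originally stored value. The same forged record fails an HMAC check, which is what a tamper-evidence mechanism needs.

```python
"""Why a checksum cannot stand in for a MAC (added example, constructed data)."""
import hashlib
import hmac
import zlib

# Reflected CRC-32 table, same polynomial zlib.crc32 uses.
POLY = 0xEDB88320
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# The top byte of each table entry is unique, so it identifies the index
# that produced it.  This is what makes the backward walk below possible.
REV = {t >> 24: i for i, t in enumerate(TABLE)}
assert len(REV) == 256


def crc32_patch(data: bytes, target: int) -> bytes:
    """Return 4 bytes p such that zlib.crc32(data + p) == target."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # zlib's internal register after data
    want = target ^ 0xFFFFFFFF            # register value we need at the end
    # Backward walk: the table index used in the last step is fixed by the
    # top byte of the register after it; peel off four steps.
    indices = []
    r = want
    for _ in range(4):
        idx = REV[r >> 24]
        indices.append(idx)
        r = ((r ^ TABLE[idx]) << 8) & 0xFFFFFFFF
    # Forward walk from the real register: pick each byte so that the CRC
    # step uses the required index.  The final register then depends only
    # on the four indices, not on what came before.
    patch = bytearray()
    for idx in reversed(indices):
        patch.append(idx ^ (reg & 0xFF))
        reg = TABLE[idx] ^ (reg >> 8)
    return bytes(patch)


# Constructed sample record; the layout is hypothetical.
ORIGINAL = b"precinct=1042;candidate_A=512;candidate_B=487"
TAMPERED = b"precinct=1042;candidate_A=412;candidate_B=587"
STORED_CRC = zlib.crc32(ORIGINAL)


def crc_check_passes(record: bytes, stored_crc: int) -> bool:
    """The kind of check the report criticises: integrity by CRC alone."""
    return zlib.crc32(record) == stored_crc


def forge_with_crc(original: bytes, tampered: bytes) -> bytes:
    """Change the record yet keep the stored CRC-32 valid."""
    return tampered + crc32_patch(tampered, zlib.crc32(original))


# What a tamper check needs: a MAC under a key the attacker does not hold.
KEY = b"\x00" * 32  # placeholder; a real key comes from a secret store


def mac(record: bytes, key: bytes = KEY) -> bytes:
    return hmac.new(key, record, hashlib.sha256).digest()


def mac_check_passes(record: bytes, tag: bytes, key: bytes = KEY) -> bool:
    return hmac.compare_digest(mac(record, key), tag)


if __name__ == "__main__":
    forged = forge_with_crc(ORIGINAL, TAMPERED)
    print("forged record:", forged)
    print("CRC check accepts forged record:", crc_check_passes(forged, STORED_CRC))
    print("HMAC check accepts forged record:", mac_check_passes(forged, mac(ORIGINAL)))
```

In a real file format the four patch bytes would go into a padding or free-text field rather than be appended, but the mechanism is the same: any 32-bit CRC can be forced to any value with four controlled bytes. A MAC (or a signature, if the verifier must not hold the forging key) is the minimum for detecting deliberate modification.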

Matt • March 11, 2020 1:24 PM

"Most standards/laws don't force you to keep up to date or even on supported versions of software."

NIST CSF PR.IP-12: A vulnerability management plan is developed and implemented

Per NIST, that maps to the following:
CIS CSC 4, 18, 20
COBIT 5 BAI03.10, DSS05.01, DSS05.02
ISO/IEC 27001:2013 A.12.6.1, A.14.2.3, A.16.1.3, A.18.2.2, A.18.2.3
NIST SP 800-53 Rev. 4 RA-3, RA-5, SI-2

There are certainly standards and laws that mandate patching and using supported software.

{0=0,1=1} • March 13, 2020 12:52 PM

In the community of L.A.'s defense, they have been under siege in my opinion by more than one sortie of acts of what I believe were and are acts of domestic terrorism. The loss of property and lives and livelihoods has likely been underreported and underestimated.

They are entitled to shield themselves from further attacks.
Even the adult industry workers of Chatsworth(?) California are not unanimous in their activities nor beliefs nor cultures nor origins. And that suburb is not representative of the whole of L.A.

ABC Disney pushes a significant quantity of controversy with fewer (less) punitive results going their way.

How's this for a kicker?: I might have been personally acquainted with several of the perpetrators and accomplices.

From a different angle, however: Why are we often being forced to teach digital and computer systems what we already understand or experience with ease? This seems both suspicious and reasonable to me.

P.S. - What is lurking underneath the cement squares in your front yard's sidewalk chiseled away by the elements and the unknown? The part that I knew of, had only one(1) location, and has likely moved on elsewhere many years ago.

Please cease attempts to destroy this planet; we already have plenty of issues. Maybe you'd like to take a look elsewhere within the universe at other cosmos?

{0=0,1=1}

{0=0,1=1} • March 13, 2020 12:55 PM

EDIT: (correction of previous comment, recheck your tallies)

"This seems both suspicious and UNreasonable to me."

unreasonable
unreasonable
unreasonable
unreasonable
unreasonable

checksum(google form's and lack of sleep) = not a joke.

a maxi pad makes a better OTP, ODB. OTF EOTx
