7085690
story
Comments: 85 +- News: Hackers Broke Into Brazil Power Grid Operator's Website Last Thursday on Tuesday November 17, @06:41PM
Posted
by
kdawson
on Tuesday November 17, @06:41PM
from the wolf-no-really-this-time-i-mean-it dept.
from the wolf-no-really-this-time-i-mean-it dept.
background: url(//a.fsdn.com/sd/topics/topicsecurity.gif); width:59px; height:78px;
security
background: url(//a.fsdn.com/sd/topics/topicpower.gif); width:59px; height:66px;
power
background: url(//a.fsdn.com/sd/topics/topicnews.gif); width:60px; height:66px;
news
An anonymous reader writes "A week ago, 60 Minutes had a story (we picked it up too) claiming that hackers had caused power outages in Brazil. While this assertion is now believed to be in error, hackers were inspired by the story actually to do what was claimed. Last Thursday, they broke into ONS, the operator of the grid (Google translation; Portuguese original). DarkReading has specific details on the SQL injection vulnerabilities the hackers probably used."
Related Stories
IT: Massive Power Outages In Brazil Caused By Hackers 462 comments
Submission: Hackers broke into Brazil grid last Thursday by Anonymous Coward
Executive ability is prominent in your make-up.
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.
full disclosure (Score:1, Insightful)
And, two days after the blackout, the systems analyst Maycon Vitali, 23, revealed in the blog "Hack'n'roll" to a login page of the ONS revealed error in the validation data. The flaw could allow a hacker to send command to the database and find sensitive data from ONS.
The failure was published in the newspaper Folha de S. Paulo on Monday (16).
This is exactly why full disclosure is not good.
Re:full disclosure (Score:5, Insightful)
And, two days after the blackout, the systems analyst Maycon Vitali, 23, revealed in the blog "Hack'n'roll" to a login page of the ONS revealed error in the validation data. The flaw could allow a hacker to send command to the database and find sensitive data from ONS.
The failure was published in the newspaper Folha de S. Paulo on Monday (16).
This is exactly why full disclosure is not good.
How so? If two days after the vulnerabilty was exploited causing millions of dollars of damage they *still* don't fix it, then the public has the right to know how much the security of the systems sucks. It may be the only way to prevent this from happening again.
Parent
Re: (Score:3, Insightful)
Agreed. Sometimes the only way to motivate people to fix a problem is to embarrass them in public. FFS, no part of any critical operation should ever be exposed to the internet, period. If is't sensitive, keep it isolated from everyone - including your billing departement, public relations, sales, and even the company officers. Whenever they need to see something sensitive, they can pick their lead arses up, and move to an office dedicated to the internal workings of the company. When they are ready to
Re:full disclosure (Score:5, Informative)
He was condemned by a court for breaking the law, more info here [fayerwayer.com] (spanish)
What kind of action should one take in those cases? Has this happened before in other countries?
Parent
Re: (Score:2)
Instead of coming forward after having made this bug aware and seen no activity in months, obviously making sure the first time to point out possible solutions to the case to make repairs quick and easy, I would have posted it in the underground and let the rest of the script kiddies do their job...this would have been done under a new assumed log on name and done from within a internet cafe where I had never been before...also make sure that cafe has no internal cameras, and pay for the service in cash.
Unf
Re: (Score:2)
I may have run into this exact situation in US government websites. Also, I have found many other serious bugs in financial websites. I document some on my blog [blogspot.com], but I am seeking advice on how to handle, and monetize my future findings.
The last time I found a large bug at a large online trading account (with a pink logo), I gave up the bug, and signed an NDA. They barely fixed the problem and they didn't listen to my other advice. When the FBI got involved... well, let's just say it is interesting what they
Re: (Score:2)
Sounds to me like they screwed up, and now they're covering themselves. It sounds much better if they can say some nasty hacker brought the problem to their attention by trying to break in, as opposed to it being shown that they ignored an innocent guy who was willing to help them for months. Never attribute to malice what can be explained by stupidity (I think that's the quote). Or in this case laziness.
This seems like the way a lot of people would react, so you're probably right that getting out of the
Re: (Score:3, Insightful)
Your solution: Hide or pretend the vulnerability doesn't exist, or ignore the possible ramifications of its exploitation and further promote shoddy programming practices.
The better solution: Make the vulnerability public so that the company is forced to do something about it immediately, hence preventing any threats (pending their programming practices improving).
Full disclosure puts the responcibility on the company to keep their products/services secure,
Re: (Score:2)
Hey everybody, I found a big red button that will blow up the world! I'm going to make its location public so that the governments are forced to fix this little vulnerability.
Re: (Score:2)
Anti-Sec couldn't hack their way into a Menuet box if they had physical access.
Fucking script kiddies.
actually (Score:5, Informative)
the hackers invaded the _website_, the ONS network of computers that actually control the system is private and not connect to the internet.
Re:actually (Score:4, Interesting)
the hackers invaded the _website_, the ONS network of computers that actually control the system is private and not connect to the internet.
They may not have hacked the power grid, but TFA says the website has all kinds of fun docs which, I'm assuming, any smart hacker would go after in order to study up on their target.
Never forget that the next best thing to an insider is the freakin' manual.
Parent
Re: (Score:2)
It's a whole different ballgame if they are using vlans to isolate the control network. Then a hacker just has to penetrate a router or take advantage of poor vlan isolation in some switches. Plus, you're bound to have at least a few employees who just have to have their machine connected to both networks at the same time and think using two network cards is safe.
closed systems (Score:3, Funny)
One would think critical power networks would be close systems.
Re:closed systems (Score:5, Informative)
> One would think critical power networks would be close systems.
Read the article. What was broken into was the "corporate network" of the organization that runs the system. The control system was not broken into and in fact appears to be protected by an air gap.
Parent
Re: (Score:2)
The control system was not broken into and in fact appears to be protected by an air gap.
AFAIK, no country has a power grid whose network is airgapped.
Even worse, almost everyone is using very old dial-up systems somewhere in their network.
Their only security is "do you know the phone number"
Considering that the hackers got a bunch of manuals off the website,
I'm guessing they now have those phone numbers.
Re: (Score:2)
What was broken into was the website of the organization that runs the system.
Re: (Score:2)
Air gaps are only good if it's not air at all, but brick.
Re:closed systems (Score:5, Informative)
FTA...
"ONS was notified last week of this problem. They've confirmed that, indeed, its Website was hacked. It claims to have fixed the SQL injection problems and that there was no danger because there was no connection between its Website network and back-end control network."
Parent
Really.... (Score:4, Insightful)
Re: (Score:2)
Maybe they just got into the company web site or billing system.
But even so imagine that the operator of the system wants to save $$$ by outsourcing maintenance to Indian or Chinese companies. They would have to get in with a VPN. If the tradeoff is between money and security, money wins.
Re: (Score:2)
> Maybe they just got into the company web site or billing system.
That would appear to be the case.
> If the tradeoff is between money and security, money wins.
Not when security failures cost real money.
Re: (Score:3, Informative)
Go to Options and change Comment Post Mode to Plain Old Text.
That will take care of the newlines (inserting <br /> tags for newlines).
Re:Really.... (Score:4, Informative)
They were not. Read the article.
"there was no danger because there was no connection between its Website network and back-end control network"
Parent
Re:Really.... (Score:5, Insightful)
And don't even get me started on the lack of physical security on 'secure' systems. If you can touch it, it's insecure.
Parent
Re: (Score:2)
Perhaps you want to think this through again?
How can ssh connect two isolated networks? Linux software is pretty powerful, but I don't think it extends to stringing wire and installing routers.
Re: (Score:2)
Re:Really.... (Score:4, Interesting)
I am told by the security people that the adaptor defaulted to 'ad-hoc' mode and could have easily been paired with passerby outside in the parking lot who had the know-how (and presumably the right credentials).
Parent
Re: (Score:2)
Re: (Score:2, Informative)
"A rede operativa é blindada, separada da internet e operada via comando de voz", segundo informou a entidade
In English,
According to the organization, "The operative network is secure, is separated from the internet, and is operated by voice command"
The article also says that the hackers got into the operative network but not in the operative network.
Re: (Score:2)
The "voice command" part bothers me a bit.
"Dear Aunt: let's set so double the killer select all". Whatcouldpossiblygowrong?
Re: (Score:2, Interesting)
SQL injection? (Score:3, Funny)
Somebody's fired.
Re:SQL injection? (Score:5, Funny)
Or everybody's fired!
Parent
Re: (Score:3, Informative)
ONS, the operator of the electric system, whose website was hacked, is not a state-run company. It is a private non-profit regulated by Brazil's National Electrical Energy Agency.
Re: (Score:3, Interesting)
Or maybe not just state-run companies even...
Do you believe in Coincidence? (Score:3, Funny)
60min does a story on the security of Brazil's power grid, Brazil says its not true, a few days later, they have the worst power outage in a decade, and now this story.....
Re: (Score:2)
It's like that James Bond movie, where they report the news quickly because they are the ones causing the news? I think its Tomorrow Never Dies but I can't be sure.
Re: (Score:2)
Re: (Score:3, Informative)
There was no issue with Itaipu. It remained working. For now it seems it was a problem with distribution lines.
Re: (Score:2)
As from the news I've read, Itaipu's output was first reduced in about 10% because of the start of the blackout, and later temporarily shutdown as there was nobody consuming power and no need to keep it running at full capacity.
Or maybe... (Score:3, Insightful)
They were so good the first time they left no trace of their doings and even framed it on some other probable cause.
One of the hackers (I'm guessing the one who likes polo shirts) obviously thought it'd be way cooler to take public credit. They have now revoked his invitation to DEF CON.
Re: (Score:2, Funny)
Oh, come on. Unless his Mom named him Roberto'); DROP TABLE Hackers; , little Bobby Tables is never going to register under his real name, do you?
Re:Or maybe... (Score:5, Funny)
Original xkcd reference. http://xkcd.com/327/ [xkcd.com]
Parent
Conspiracy theorys abound! (Score:5, Insightful)
This is ridiculous. You can easily hack into their corporate website, but there is no way hackers got into the Brazilian power grid management system, because there is no such automated system in the first place! The central agency controlling the grid Operador Nacional do Sistema (ONS) operates the center by calling their buddies on generating station over private phone lines. Unless you are a very good voice impersonator and know all the necessary protocols, you will not get very far. That's when lack of technology is a plus.
Misundestood news (Score:2, Informative)
Breaking News (Score:5, Funny)
Today hackers gained access to my bank account and increased the ballance to 100 millions dollars without alerting authorities.
Actually that didn't happen. My bank account is perfectly secure. There are no hackers anywhere that are smart enough to do such a thing.
Wrong summary (Score:5, Informative)
Well, first of all, the 60 minutes episode about blackouts in 2005 and 2007 provides absolutely no proof or other data about those blackouts being caused by hackers, except for two anonymous sources that suspect it was.
Second, there was no breach in the grid network, at least not know so far. What happened was that the ONS (the Brazilian electric grid operator) website was hacked.
Mod story down (Score:2, Informative)
Hackers didn't "break into the grid" or anything close to that. They defaced the *website*, that's it.
While that is surely a shame for them, is nothing even close to a real worry.
No power outages were caused at all (and, in fact, couldn't be caused).
Now please quit posting uninformed crap.
Busy hackers! (Score:2, Funny)