Forgot your password?
typodupeerror
Security News

DHS Asked Gas Pipeline Firms To Let Attackers Lurk Inside Networks 114

Posted by Soulskill
from the what-could-possibly-go-wrong dept.
wiredmikey writes "According to reports, which were confirmed Friday by ICS-CERT (PDF), there has been an active cyber attack campaign targeting the natural gas industry. However, it's the advice from the DHS that should raise some red flags. 'There are several intriguing and unusual aspects of the attacks and the U.S. response to them not described in Friday's public notice,' Mark Clayton wrote. 'One is the greater level of detail in these alerts than in past alerts. Another is the unusual if not unprecedented request to leave the cyber spies alone for a little while.' According to the source, the companies were 'specifically requested in a March 29 alert not to take action to remove the cyber spies if discovered on their networks, but to instead allow them to persist as long as company operations did not appear to be endangered.' While the main motive behind the request is likely to gain information on the attackers, letting them stay close to critical systems is dangerous. The problem lies in the complexities of our critical infrastructures and the many highly specialized embedded systems that comprise them."
This discussion has been archived. No new comments can be posted.

DHS Asked Gas Pipeline Firms To Let Attackers Lurk Inside Networks

Comments Filter:
  • NEWSFLASH: (Score:5, Funny)

    by CanHasDIY (1672858) on Monday May 07, 2012 @05:24PM (#39920177) Homepage Journal
    DHS Actually Just Another Terrorist Organization; Few Surprised by Revelation
    • by Dyinobal (1427207) on Monday May 07, 2012 @05:29PM (#39920239)
      They should just rename it "Department of lets see if we can get more funding" Because in reality that is all they are trying to do. DOLSIWCGMF
      • Re: (Score:2, Insightful)

        by CanHasDIY (1672858)

        They should just rename it "Department of lets see if we can get more funding" Because in reality that is all they are trying to do. DOLSIWCGMF

        Yea, but then they might end up getting mistaken for all the other 'alphabet agencies,' since that's essentially the purpose of, well, all of 'em.

        • 1. Attackers who are from abroad, or hired by foreign governments, seeking information on how to disrupt/destroy gas distribution networks in USA, in order to destroy USA.

          2. Attackers sent by DHS itself, seeking ways to destroy/disrupt gas distribution networks in USA, in order to justify EVEN MORE URGENT FUNDINGS from the congress

      • Department of Inland Cash Kleptocratic Services.

  • by Anonymous Coward on Monday May 07, 2012 @05:27PM (#39920215)
    The conspiracy theorist in me says DHS.
    • by daveschroeder (516195) * on Monday May 07, 2012 @05:35PM (#39920315)

      Yes, it couldn't possibly be adversaries, and people want to do harm to the United States, in an environment where people like you firmly believe that everything must be a "false flag" operation designed to somehow take away your rights.

      ...

      Or, it could be this:

      Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation
      http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf [uscc.gov]

      Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage
      http://www.uscc.gov/RFP/2012/USCC%20Report_Chinese_CapabilitiesforComputer_NetworkOperationsandCyberEspionage.pdf [uscc.gov]

      How China Steals Our Secrets
      http://www.nytimes.com/2012/04/03/opinion/how-china-steals-our-secrets.html [nytimes.com]

      China's Cyber Thievery Is National Policy—And Must Be Challenged
      http://online.wsj.com/article_email/SB10001424052970203718504577178832338032176-lMyQjAxMTAyMDAwOTEwNDkyWj.html [wsj.com]

      FBI Traces Trail of Spy Ring to China
      http://online.wsj.com/article_email/SB10001424052970203961204577266892884130620-lMyQjAxMTAyMDAwNzEwNDcyWj.html [wsj.com]

      NSA: China is Destroying U.S. Economy Via Security Hacks
      http://www.dailytech.com/NSA+China+is+Destroying+US+Economy+Via+Security+Hacks/article24328.htm [dailytech.com]

      Chinese Espionage Campaign Targets U.S. Space Technology
      http://www.businessweek.com/news/2012-04-18/chinese-espionage-campaign-targets-u-dot-s-dot-space-technology [businessweek.com]

      Report: Hackers Seized Control of Computers in NASA’s Jet Propulsion Lab
      http://www.wired.com/threatlevel/2012/03/jet-propulsion-lab-hacked/ [wired.com]
      http://oig.nasa.gov/congressional/FINAL_written_statement_for_%20IT_%20hearing_February_26_edit_v2.pdf [nasa.gov]

      Chinese hackers took control of NASA satellite for 11 minutes
      http://www.geek.com/articles/geek-pick/chinese-hackers-took-control-of-nasa-satellite-for-11-minutes-20111119/ [geek.com]

      Chinese hackers suspected of interfering with US satellites
      http://www.guardian.co.uk/technology/2011/oct/27/chinese-hacking-us-satellites-suspected [guardian.co.uk]

      Former cybersecurity czar: Every major U.S. company has been hacked by China
      http://www.itworld.com/security/262616/former-cybersecurity-czar-every-major-us-company-has-been-hacked-china [itworld.com]

      China Attacked Internet Security Company RSA, Cyber Commander Tells SASC
      http://defense.aol.com/2012/03/27/china-attacked-internet-security-company-rsa-cyber-commander-te/ [aol.com]

      Chinese Counterfeit Parts Keep Flowing

      • by moortak (1273582) on Monday May 07, 2012 @05:44PM (#39920425)
        Yeah, but China and Iran aren't the ones saying to let the attackers hang out for a while.
        • by poity (465672)

          That makes no sense as a rebuttal. I mean Hannibal didn't tell the Romans "let me hang out in the Italian countryside for a while" either. That doesn't mean he wasn't working towards Rome's downfall, or that Fabius didn't have a plan to counter him obliquely (or that Fabius wanted to enslave his fellow Romans with made up stories about Carthaginian boogeymen*).

          *which is what I gather many slashdotters would have said back in the day.

          • by moortak (1273582)
            The reason people are suspicious is that a group with a bad track record is encouraging something dangerous. Sure the Chinese, the Iranians, hell the Canadians are looking to access systems in the US, but that isn't a reason to trust DHS. What we know about this one incident is that DHS made a rather unorthodox request.
            • by Aighearach (97333)

              The reason people are suspicious is that a group with a bad track record is encouraging something dangerous.

              You might be total unaware of this, but police at all levels often to not make arrests as soon as they uncover a crime. When it is a major crime that is part of a criminal network, they often instead seek to get survailance in place without tipping off the suspects. Many times they catch a much bigger criminal this way. The person originally investigated might even end up as a witness for the prosecution. Your "something dangerous" is standard police technique.

              Now, go upstairs and see if your mom subscribes

              • by moortak (1273582)
                Police generally don't play along with attacks currently in progress, especially when it vastly increases the chance of greater harm.
                • by Aighearach (97333)

                  Waiting to see a repeat of the crime while it is in action, and watching in secret sometimes for years while additional felonies are being committed... is the normal way that crime is investigated. If there is not an immediate danger to people, they often prefer this more thourough approach.

                  If you don't know that already, it means you are ignorant of the topic. Knowing you are ignorant, then when something sounds "wrong" and you actually don't know, that is called a "learning opportunity."

        • Yeah, but China and Iran aren't the ones saying to let the attackers hang out for a while.

          Yeah, but China and Iran aren't the ones saying to let the attackers hang out for a while.

          Does anyone remember "Operation Fast and Furious"? The DHS let a Border Patrolman be killed through their incompetence. We here in Arizona are familiar with the competence of our former Governor Janet Napalireno. A middle aged bureaucrat in comfortable shoes.

      • Re: (Score:3, Insightful)

        by cpu6502 (1960974)

        The odds of death by terrorist are lower than death by a spacerock falling from the sky & hitting you on the head. Stop being afraid of unlikely events.

        • Ok, I'll stop being afraid of unlikely events.

          Since the events linked in my post have all actually occurred or are ongoing right now, and are easily provable to any reasonable person who takes an objective look at reality and the known doctrinal Chinese cyber warfare strategies advocated by the PLA's senior leadership [infosecisland.com], I suggest we respond and defend appropriately.

          That, or continue pretending they don't exist, or that when they do it's all a secret US government plot to oppress its citizens. Yeah, I'm sure

        • by ArcherB (796902) on Monday May 07, 2012 @06:10PM (#39920789) Journal

          The odds of death by terrorist are lower than death by a spacerock falling from the sky & hitting you on the head. Stop being afraid of unlikely events.

          Source? Well over 3000 people have been killed by terrorists since 2000. How many have been killed by falling space rock?

          • Zero as far as I'm aware. The parent is definitely incorrect because of the requirement for the meteorite to hit you on the head.

            When you don't specify a time span, or the direct cause of death it gets more complicated. I've read a lot of conflicting numbers, but on a given day a person might easily be more at risk from terrorist attack, since there may be more data available to support that possibility. In the future the reverse could be true since we likely will have the means to know with certainty if t

          • by Ihmhi (1206036)

            Lots of people have been killed in airplane crashes too, but your odds of being in one are still pretty damn low.

          • by cpu6502 (1960974)

            Since we're talking about a LIFESPAN of a human being, not just one decade...... YES the number of Americans killed by falling meteorites over the last 80 years does exceed the 3000 killed on 9/11.

            And of course your odds of death-by-terrorist go down dramatically if, like me, you rarely fly. Just as if you don't play baseball, you're less likely to get killed by a ball than if you are a professional player. Or if you live on a mountain, your odds of dying from tsunami are near-zero.

            Let's face it: Most of

            • by ep32g79 (538056)

              Since we're talking about a LIFESPAN of a human being, not just one decade...... YES the number of Americans killed by falling meteorites over the last 80 years does exceed the 3000 killed on 9/11.

              Where in the hell do you get this stuff, the odds of being fatally hit by a meteorite is infinitesimal. There have only been a very small handful of individuals hit by meteorite in recent history and all of them survivors.

            • by Aighearach (97333)

              Zero is larger than three thousand? What?!
              Next you'll tell me that id two million wasn't born yesterday.

        • by swalve (1980968)
          It's only unlikely because people are working to make it unlikely.
      • by shmlco (594907) on Monday May 07, 2012 @05:49PM (#39920493) Homepage

        "According to reports, which were confirmed Friday by ICS-CERT, an active Phishing campaign is responsible for the U.S. Department of Homeland Security (DHS) issuing three warnings since the end of March that the natural gas industry has been under ongoing cyber attack."

        A phishing campaign. Because companies shouldn't already be protecting against these.

        More, "The specter of a cyber attack against critical infrastructure is a reality, but not because the DHS is guarding the Internet, but because the networks running the critical infrastructure are so poorly protected. It’s gotten to the point that simple Phishing attacks, things that proper email protection and awareness training cover, rate three separate warnings and alerts."

        So it's obvious we need widespread and over encompassing legislation like CISPA that bypasses any and all existing laws and regulations regarding privacy, and that grants the NSA a legal mandate and access to any and all information collected... to protect against phishing attacks.

        More: http://www.isights.org/2012/04/cispa-is-not-about-copyright-its-about-your-privacy-on-the-internet.html [isights.org]

        • Re: (Score:2, Troll)

          by daveschroeder (516195) *

          Just because content owners have their own motives doesn't invalidate legitimate cyber threats, nor does it mean that very real military [uscc.gov], industrial, and academic [bloomberg.com] cyber threats don't exist. Also, anyone paying attention realizes that the lines between governments, criminals, espionage, and activists blurs in the cyber realm. Responding to cyber threats, no matter where they originate or why, takes the same form.

          I'm sure it's better to have zero coordination because the slashdot crowd thinks it's a plot to t

          • I'm sure it's better to have zero coordination because the slashdot crowd thinks it's a plot to take away their ability to pirate copyrighted content.

            Wrong thread, bub.

          • by s.petry (762400)

            CISPA and other poor policies won't protect the infrastructure any better than what we have now. I worked at a DOD site for 8 years. We had weekly security bulletins, and very informed users. We had several well crafted spear phishing attacks every month, and 1 account was compromised out of 8,000 in roughly 4 years. That one breach was caught within a couple minutes, because the person and their coworkers communicated.

            Is the infrastructure an absolute mess and disaster waiting to happen? Sure it is, n

            • by dgatwood (11270)

              Laws certainly can fix that. It's called strict criminal liability. You hold out funds in such a way that it causes a critical system to be built without proper security, and you go to jail when somebody compromises it. If the people responsible for the money could be held liable for damages when withholding that money causes loss of life or limb, we would have a lot fewer problems (and a lot fewer rich people walking the streets).

              • by s.petry (762400)

                While it sounds good, there is much wrong with your statement in practical terms. First point: There is well over 20 years of infrastructure to secure. Think about that for a while, laws won't fix that. Money will, and right now the US is broke. Second point: I like your idea, just like I think that the executives that got rich off the financial collapse (and continue to get richer) should be jailed. In reality, you won't pass anything of the sort. Just like there are no criminal actions against thos

            • by shmlco (594907)

              Sorry to keep linking to my own articles, but this was covered too.

              "Have a hacker steal millions of financial records, health records, or credit card numbers, and as long as they were participating in CISPA, they were acting in "good faith" to secure their networks, and as such can not be sued for failing to protect their customer's personal data."

              Complete and total excemption from privacy lawsuits? All for sharing a bit of data with the Feds?

              That legal "out" more than pays for the "security" systems needed

          • by shmlco (594907)

            "Just because content owners have their own motives doesn't invalidate legitimate cyber threats..."

            Content owners? Did I mention content owners? Doesn't the linked article say that CISPA is NOT about content?

            Yes, there are legitimate threats. But let's craft legislation that actually helps to protect against those threats AND that's crafted with privacy concerns at its core. With safeguards. That require and demand warrants and due process. And let's not past hasty, thinly veiled attempts at allowing the go

      • by overbaud (964858)
        So basically the USA is *still* not taking steps to secure its critical infrastructure networks and other countries including China are still taking advantage of said lack of security. Wow! News at eleven. Meanwhile the US and her allies are doing the same thing back. Australias DSD motto is "Reveal their secrets, protect our own" http://www.dsd.gov.au/ [dsd.gov.au] I'm sure teams in the NSA and CIA have similiar mottos. The idea of good guys vs bad guys because of the lattitude and longitude of where your mothers uteru
      • by foobsr (693224)
        Or: Cover up for Incapability regards advancing innovative non lawsuit driven economies?

        CC.

    • EPA. You know, the same group that wanted to "crucify" big-oil!

    • How the hell are "cyber attackers" getting into NATURAL GAS CONTROL NETWORKS in the first place?

  • Headline (Score:5, Funny)

    by girlintraining (1395911) on Monday May 07, 2012 @05:32PM (#39920265)

    Realworld equivalent: "Terrorist shows up at airport with bomb strapped to chest. Security waves him through, asks only that he not threaten anyone prior to detonation."

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      And then when something bad happens they'll blame it on incompetence and say they need better tools to prevent attacks like this and roll out the next round of cyber laws they have sitting in the drawer targeted at domestic citizens.

      • And then when something bad happens they'll blame it on incompetence and say they need better tools to prevent attacks like this and roll out the next round of cyber laws they have sitting in the drawer targeted at domestic citizens.

        The government controls the media, and the media is the only way the citizens can keep tabs on the government, then they don't really even have to lie; They can do whatever they want, right out in the open, and anyone who provides evidence can simply be arrested for 'homeland security'.

    • Re: (Score:3, Insightful)

      by rtfa-troll (1340807)
      No; real world equivalent; there are a bunch of possible terrorists wandering around the airport carrying things that look like bombs but you don't know if they really are or how they are triggered. Your visiting security experts have identified a few of them but you know there are many more. You quickly work out that the terrorists can go in and out of the building at will completely bypassing the security gate and have been doing so for weeks on end, but you don't know how. You tell the guy in charg
    • by Aighearach (97333)

      Real-world equivelent:

      Police identify suspected thief and ask victim not to publicise report or scare off thief so they can follow her and catch the fence.

  • Wrong reason? (Score:4, Interesting)

    by DanTheStone (1212500) on Monday May 07, 2012 @05:32PM (#39920271)
    I wouldn't necessarily suspect that they were told to leave them alone to gather information. Perhaps it's pessimistic, but I read it "... so that we can use them to excuse passing CYBERWAR legislation like CISPA".
    • Re:Wrong reason? (Score:5, Insightful)

      by McMuffin Man (21896) on Monday May 07, 2012 @06:56PM (#39921391)

      Not reacting immediately to advanced, targeted intruders is standard tactics, and recommended by most experts in the field. This is news to Slashdot because folks here usually only deal with mass criminal attacks, which are a different beast entirely.

      This isn't a DHS conspiracy, not even one for new funding. It's just the government advocating reasonable measure even though I'm sure they knew they'd get pilloried for it. I rarely respect the DHS, but in this case I may make an exception.

      • by Aighearach (97333)

        Not reacting immediately to advanced, targeted intruders is standard tactics, and recommended by most experts in the field. This is news to Slashdot because folks here usually only deal with mass criminal attacks

        I thought it was because they have 6 or 7 digit IDs, and know nothing about real security practices because they were born yesterday!

  • is that DHS is asking them to allow the people to stay, but (typical /. fashion didnt RTFA) 1 how did DHS know that they were being attacked unless the companies told dhs, or dhs was already monitoring said companies to begin with.
    • Because some of the targeted companies discovered the attacks and alerted the DHS. These reports have been shared with gas companies for months, including details about the phishing emails, the malware processes, and the C&C domains involved.

  • Have these folks never heard of the concept of a honey pot to trap the would-be intruder? This is just plain stupid to let these folks snoop around and install whatever malware they want in such important infrastructure. It's like smoking near the pumps at a fueling station and they station attendant is told to leave them be so longer as they don't get "too" close to the explosive vapors.
    • by avgjoe62 (558860)

      Just a suggestion looking at your signature - shouldn't it be "Two of my imaginary friends were fruitful and multiplied with negative results."

  • "Don't check your customers for IDs. Just sell them and we'll track the criminals across the Mexican border." - This policy resulted in many, many deaths that could have been prevented by not encouraging stores to break gun laws and sell to criminals.

    Now it sounds like DHS is trying the same stupid strategy. Read more here: http://www.forbes.com/sites/realspin/2011/09/28/fast-and-furious-just-might-be-president-obamas-watergate/ [forbes.com]

  • by v1 (525388) on Monday May 07, 2012 @05:38PM (#39920341) Homepage Journal

    If you think about it, this could provide more information on your opponents. Though it is a bit of a gamble - can you get valuable information without too much risk? Or, is it worth the risk?

    Think about the whole process of infiltration. Once you get your foot in the door you start gathering information and testing the waters to see what you can do. If you don't think you've been discovered, but you have, then the defenders have some good opportunities. They can feed you false intelligence, make you think you are burrowing into an important control system that's actually a honeypot, give them a false sense of accomplishing their goal, waste their time and resources. Done properly, this is very useful counter-intelligence.

    Fooling the other guy is valuable. Tricking the other guy into thinking he's fooled you can be even more valuable. I think that's the core of what this is about. But as I said before, it's a risk, and could get out of control.

    • by Anonymous Coward

      Agree, it's not obvious from the summary that DHS acted in an irresponsible manner.

      One principal of warfare is to keep the enemy off guard. If the attackers can detect within hours that they've been discovered, that makes their jobs that much easier. They should be concerned that they've already been detected and may be under close watch.

  • Don't worry that they are trying to trim your pubic hair with a weed-wacker - as long as they are only touching pubes your fine!!!

  • Trying to get more data from an intruder isn't a bad thing, and they did state as long as it was 'safe' to do so.. DHS was not asking the companies to let the attackers get into sensitive stuff and just twiddle their thumbs.

  • This could be taken in any number of ways, but I'd go for two here:

    1.) (Giving DHS the benefit of the doubt) -> They *want* the cyber-spies (what name, Industrial Espionage would fit better here) to find and copy some of the firm's software. Why? Because they (DHS) are going to ensure that the copies the spies get will have some small, but interesting changes to them. Something the CIA pulled with the Soviets a while back. Though I would be surprised that they would think that strategy would work again.

    2

    • by Rasperin (1034758)
      Or the third thing (much more to the benefit of the doubt), it's a training exercise. Or the fourth, they want to know what they're looking for to formulate a plan to protect. Though I like your #2, I want nothing more than for them to be dissolved.
  • by Genda (560240)

    So there are a lot of folks who think that DHS is causing trouble to justify their own budget... could be, a little too obvious and Hollyweird for my taste but not outside the realm of possibility. My only question is that if in fact they're asking to not disturb the black hats so they can zero in on them...

    1. Why is this taking so long? Isn't this their specific mandate, aren't they armed to the teeth to detect cyber-terrorism in our nation's infrastructure, I would think that they'd be frog marching bad g

    • 1. The spear phishing emails were sent five or six months ago but the attacks using the malware didn't start until about two months ago.
      2. I imagine the story broke because someone at a gas company leaked one of the several emails sent to us the last week or so.
      3. All reports thus far indicate that the attackers were merely poking around and doing nothing destructive or particularly intrusive.

  • There are two good reasons for doing this.

    1) Just because you've identified attacker(s) in one part of the system, doesn't mean that they aren't in other parts. They could retaliate for that action.

    2) You can gain valuable intelligence about who they are and how they're doing it.

    Now the good reasons *not* to.

    Items 1 through 1,000,000) They were in critical infrastructure equipment, and have retrieved an unknown amount of informatio

    • Have you checked the numbers on your cost-benefit analysis? Are you sure it's not 1,000,000,000,000,000,eleventygazillion reasons not to do this?

  • by Zero__Kelvin (151819) on Monday May 07, 2012 @05:59PM (#39920647) Homepage
    I am not a DHS apologist, but this is exactly the same approach Clifford Stoll used to catch Markus Hess, and Stoll is no dummy. You can read about it in The Cuckoos Egg [wikipedia.org] (Ironic Caveat: Stoll took this approach only after trying to use other approaches and failing to get cooperation from numerous government agancies.)
    • Stoll was an individual, with few resources and no authority to require information from anyone. DHS is a large well-funded national agency with serious authority.

      They should have left that intrusion alone just long enough to get it traced.

      • by Aighearach (97333)

        If you know much about network security, you know that it is not like CSI where if you have the right Authority, you can press buttons and get a "trace." All that gets you is to who they wanted the attack to appear to be from. To do any real tracing you need both Authority, and also persistence, and live action. Not every packet in the world is going to be archived for you. You have to carefully observe the attacker in the act to catch them, especially if they are coming in from and via other legal jurisdic

  • While the main motive behind the request is likely to gain information on the attackers

    I have my doubts about that, after all what's more important, catching these people (who are most likely in non-extradition countries) or protecting the people of this country?
    I also have my doubts about the competence of the DHS, HLS, TSA and all the other "security" agencies that have suddenly sprung up after 9/11.

    Now stare at your phone and step into traffic...

  • This is what happens when you treat hacking as warfare and make the military responsible for security.

  • Most likely the affected companies told DHS to pound sand. It's in their interest to protect their networks, it's in DHS's interest to catch the purps.
  • ... whenever an intruder is detected. But they don't want them stopped? Something makes me think that this is some branch of the gov't conducting industrial espionage. If you spot us, let us know. So we can hide better the next time.

  • there's DOHs!! Ooooh someone's shutting down the generators for cooling. Oh no matter look big lovely donuts. Mmmmm :)
  • ENDANGER GAS PIPELINES

    (picture of a dog)

    CATCH SOME BORED IDIOT

  • Sure it's dangerous. However, I'm sure the Allies let their own occasional ship get sunk rather than save it and thus reveal that they had cracked the enemies' codes.

    You have to look at the bigger picture.

  • Critical infrastructure is accessible from the public internet. DERP DERP DERP DERP.

As the trials of life continue to take their toll, remember that there is always a future in Computer Maintenance. -- National Lampoon, "Deteriorata"

Working...