
Chinese Hackers Infiltrate US Army Database, Compromise Safety of Dams

Posted by samzenpus
from the protect-ya-neck dept.
coolnumbr12 writes "Chinese hackers have infiltrated a sensitive U.S. Army database that contains information about the vulnerabilities of thousands of dams located throughout the United States. The U.S. Army Corps of Engineers' National Inventory of Dams (NID) has raised concerns that information gathered in the hack could help China carry out a cyber-attack on the national electrical power grid."
  • by Anonymous Coward on Thursday May 02, 2013 @06:55PM (#43615891)

    You guys have nine years to knock that shit off or there is gonna be trouble.

  • Real reason (Score:5, Interesting)

    by Anonymous Coward on Thursday May 02, 2013 @06:58PM (#43615909)

    quoted from "https://news.ycombinator.com/item?id=5642408"

    Of course they can, what makes you think they aren't?

    But a more interesting question is to look at what information is presented and what is missing. How much is new, how much is old. Then on policy stories like this one I sometimes pop over to the senate web site and look at what's coming up on the senate calendar [1] and oh look, on May 7th they are having a hearing to talk about

          Hearings to examine the Department of the Air Force in
          review of the Defense Authorization Request for fiscal
          year 2014 and the Future Years Defense Program.

    Hmm, who is in charge of Cyber Command? Why it's the Air Force! Who would have guessed.

    (yes I can be that cynical)

  • What Information? (Score:5, Insightful)

    by Alex Pennace (27488) <alex@pennace.org> on Thursday May 02, 2013 @07:03PM (#43615949) Homepage

    From the article it isn't clear exactly what information was deemed sensitive. Does this information include very specific details (like, "here is the password to that plant's SCADA system")? Or does it cover broader details that the public had free access to prior to the September 11 attacks, such information now being withheld as "critical infrastructure information?"

    • by linatux (63153)

      Hopefully the SCADA systems have a password other than the default

      • 123456

        conf password is "password"

        • by AG the other (1169501) on Thursday May 02, 2013 @07:45PM (#43616231)

          Actually army network passwords have, or at least had when I worked for them, to be 15 letters long, contain no dictionary words and have a minimum of 2 small letters, two caps and two symbols. They are also changed every 30 days and cannot be reused.
          Also at random times all passwords are just set to be reset because that is what the admins are told to do.

          • I don't think the military owns or operates hydroelectric dams though
            • Re: (Score:3, Informative)

              by Anonymous Coward

              The Army Corps of Engineers manages public waterways & dams in the eastern states.

            • by AG the other (1169501) on Thursday May 02, 2013 @08:16PM (#43616449)

              They operate at least 4 or 5 in the state of Arkansas alone. During the 50s and 60s they just about dammed up everything bigger than a trickle from a water hose here.
              That's the Corps of Engineers. That is where the guys that build for the Army get practice for digging in the USA for when they go other places.
              They have a totally cool model of the Mississippi river in Vicksburg that they use to simulate floods, droughts and other projects in the entire Mississippi river drainage.
              That's a big area in case you didn't know.

          • by xQx (5744) on Thursday May 02, 2013 @07:54PM (#43616305)
            Meaning the three most effective ways to gain access are:
            1. Take high res photos of people's desks as you walk past and read and use the passwords that will be written on yellow sticky notes around the place.
            2. Steal someone's phone or diary and look for the passwords they've noted in their contacts or notes.
            3. When you find the password, which will be something like "skldjfsldfjsklfjsf!@*(#3-Feb13" and it's now 30 days later, try "skldjfsldfjsklfjsf!@*(#3-Mar13" or "skldjfsldfjsklfjsf!@*(#3-Mar14"

            Because at the end of the day a human needs to remember these ridiculous passwords, and they will revert to either writing it down or using a pattern.
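The pattern habit described in the comment above can be caught at change time. The following is an added example, not part of the original thread: a check that rejects a new password when it is the old one with only a month, year or counter bumped. The function names and the `max_edits` threshold are hypothetical, and it assumes the change form supplies the current password alongside the new one, so no cleartext history is stored.

```python
import re

# Tokens users typically bump at each forced change: month names and digit runs.
_MONTH = re.compile(r"jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec", re.I)
_DIGITS = re.compile(r"\d+")


def skeleton(password: str) -> str:
    """Collapse month abbreviations and digit runs to fixed placeholders."""
    s = _MONTH.sub("\x00M", password)
    s = _DIGITS.sub("\x00N", s)
    return s.casefold()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_rotation(old: str, new: str, max_edits: int = 2):
    """Return a rejection reason, or None if new is not a trivial variant of old."""
    if old == new:
        return "identical"
    # Same password once dates and counters are masked out.
    if skeleton(old) == skeleton(new):
        return "date-or-counter-rotation"
    # Otherwise catch one or two appended or swapped characters.
    if edit_distance(old.casefold(), new.casefold()) <= max_edits:
        return "near-duplicate"
    return None


if __name__ == "__main__":
    # Constructed samples; the first pair is the one quoted in the comment.
    samples = [
        ("skldjfsldfjsklfjsf!@*(#3-Feb13", "skldjfsldfjsklfjsf!@*(#3-Mar13"),
        ("blue-Kettle-91", "blue-Kettle-91!"),
        ("blue-Kettle-91", "orchid vapor trellis moss"),
    ]
    for old, new in samples:
        print(repr(new), "->", check_rotation(old, new) or "accepted")
```
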
            • by rahvin112 (446269) on Thursday May 02, 2013 @08:15PM (#43616445)

              The human memory thing is why we should have moved to pass phrases a LONG time ago. You can get far more entropy with a phrase than you can ever get with a password, no matter how complex.

              A simple four word phrase with capitalized words and some punctuation would easily have 4x the number of characters as that impossible to remember 15 letter password. And as you noted, 30 day changes ensure there is a date, or number that allows the use of the same password with a slight variation.

              • Correct horse battery staple.

                http://xkcd.com/936/ [xkcd.com]

              • And watch every password become "Mary had a Little Lamb!" ;-)

              • I do like phrases, but I am suspicious of the *real* entropy associated with them (I promise you it is not just a function of the number of characters). The problem is, as always, the end user is still free to abuse the system and make dumb password choices.

                I think we need to stop letting users choose their own passwords. The only reason to do that is to make it easier for them to memorize, but then the easiest thing to memorize is something trivial and insecure, and to base it on something personal (whic

                • by tragedy (27079)

                  It's not meant to be a function of the number of characters. If you have a four word phrase, each word can be any of at least a quarter of a million English words, which gives 4 sextillion possible combinations. That's not even counting all the possible nouns you could throw in there, not to mention a little random punctuation, etc.

                  For passwords, I think we should start having multi-factor authentication. It's the 21st century, it's high bleeding time anyone with cause to have lots of passwords had their ow

              • by adolf (21054)

                IThinkUrWrong
                123456789012

            • by ceoyoyo (59147)

              Try "this is FU#K!NG stupid1". If that doesn't work, go to 2. If spaces aren't allowed, omit them.

          • contain no dictionary words and have a minimum of 2 small letters, two caps and two symbols

            Ironically, anal retentive password rules like this one actually undermine the password entropy. In this case I'll bet 99% of the passwords contain exactly two symbols.

          • what about embedded systems / ones that only have a few basic login names?

        • by Holi (250190)

          >Notice: If you post anonymously do not expect a reply.
          Even if it's interesting and on topic?

          Which this comment most definitely isn't.

      • by citizenr (871508)

        Hopefully the SCADA systems have a password other than the default

        Can you finally change Siemens default password or will it still break whole system and is not supported like in the 'good old days'?

    • Or does it cover broader details that the public had free access to prior to the September 11 attacks, such information now being withheld as "critical infrastructure information?"

      Given the alarmism and push for "cyberwarfare" I'm willing to bet all that was in those files were things like the engineering specs of the dams and maybe the results of any surveys since that would be part of plans for maintenance and repair.

  • by ColdWetDog (752185) on Thursday May 02, 2013 @07:04PM (#43615955) Homepage

    Dam these Chinese!

    • Dam these Chinese!

      ...And then three hours later you just feel like you'll pass out if you don't hack somebody else...

  • Destroy the economy of your biggest customer. That's a great way to stay in business.

    • by Nerdfest (867930)

      I'd guess that China's long term goal is not merely economic domination.

      • by Genda (560240) <mariet.got@net> on Thursday May 02, 2013 @07:41PM (#43616213) Journal

        Yeah, because the Chinese have bases in countries all over the world... Oh, wait that's us. No, it's the Chinese who are spending themselves into oblivion on weapons of war... Oh, wait, that's us again. We spend more on our military than the next 13 nations combined (but we can't afford to educate our children... bright.) I dunno, perhaps if we moved from offense to defense, these things wouldn't be issues?

        Just a thought.

        • Even more funny is the fact that since we can't educate our children, we'll have to import our talent to run our war machines since we'll be nothing but a bunch of ignoramuses who believe that dinosaurs and Jesus got along or something silly like that or that the earth is only 5000 years old.
        • Re: (Score:3, Insightful)

          by Sardaukar86 (850333)

          The issues with the US education system do not appear [usc.edu] to be the result of insufficient funding.

        • by magarity (164372)

          Yeah, because the Chinese have bases in countries all over the world... Oh, wait that's us. No, it's the Chinese who are spending themselves into oblivion on weapons of war... Oh, wait, that's us again. We spend more on our military than the next 13 nations combined (but we can't afford to educate our children... bright.) I dunno, perhaps if we moved from offense to defense, these things wouldn't be issues?

          Just a thought.

          You need to check the ratios on the federal budget to see on what it is the US is spending itself into oblivion. Military spending is not the lion's share. And spending on public education exceeds what the feds spend on the military.

        • by cold fjord (826450) on Friday May 03, 2013 @03:20AM (#43618093)

          Yeah, because the Chinese have bases in countries all over the world...

          The People's Republic of China, A.K.A. communist China, has a growing number of military bases and access to facilities around the world. The Chinese fleet has been participating in anti-piracy actions around Somalia, giving them experience in extended naval deployments. The Chinese navy is planning to build something like four aircraft carriers and is currently flying aircraft off their first one that they are bringing into operation now after learning much from the Brazilian navy. Chinese special forces have been training the military in Venezuela. The Chinese are active in Africa.

          The Chinese have also been bullying many of their neighbors, laying claim to distant islands and extensive land areas. Why don't you ask the Indians what they think of China's behavior, they are forming several new airborne infantry units to help deal with the threat? Or the Japanese, who are suffering a growing number of incursions by Chinese aircraft and sea vessels? Or perhaps the Philippines, which is seeing Chinese territory grabs on their doorstep?

          No, it's the Chinese who are spending themselves into oblivion on weapons of war... Oh, wait, that's us again.

          US military spending has recently generally been between 4% to 5% of GDP, well below historic levels. The army and navy are rumps of what they were at the end of the Cold War. Spending on social welfare programs is several times the military budget and is continuing to grow, and will grow for decades to come. It is Social Security, Medicare, Medicaid, now joined by Obamacare which really starts kicking in this year, that will bankrupt the US, not the military spending.

          I'm afraid you don't know what you are talking about there.

          We spend more on our military than the next 13 nations combined

          A large part of that is personnel costs. The US has an all volunteer military that pays its members a salary competitive with the civilian sector unlike many other major nations that use conscription to fill their armies. An American corporal in the Army or Marines makes about what a Chinese general makes per month. I'm sure you can figure the impact of that out. Same thing applies to weapons purchases. Maybe you've heard that Chinese engineering staff and factory labor is cheaper than American?

          On the other hand pretty much all European countries allied with the United States spend less than they should [nytimes.com] by treaty goals. As a result they had a hard time with the intervention in Libya without American assistance.

          If it makes you feel better the Chinese are upping their military budget by 10.7% this year.

          (but we can't afford to educate our children... bright.)

          The US throws large amounts of money at education. The problem isn't with how much money, but what it is spent on, like growing numbers of administrators. There are also social factors that come into play that the education budget itself can't fix. The teachers unions don't help much either.

          You don't really have this right either.

          I dunno, perhaps if we moved from offense to defense, these things wouldn't be issues?

          If platitudes could solve things they wouldn't be issues either.

      • ... they're gonna need some lebensraum. Long term could be 4 generations. Look how far China has come in the last 4.

  • by grantspassalan (2531078) on Thursday May 02, 2013 @07:06PM (#43615977)

    I don't understand why anyone would want to connect really important things such as power plants and dams to the Internet. We have been running such things for about a century now and they work just fine. Anything behind a barbed wire fence should never be connected to the Internet. Why do people do this? Just for the convenience of some fat executive or lazy engineer who doesn't want to get his fat @$$ out of this office and see what is really going on with the machinery?

    • by Anonymous Coward on Thursday May 02, 2013 @07:30PM (#43616129)

      Anything behind a barbed wire fence should never be connected to the Internet.

      Earl! Unplug the cows!

      • Anything behind a barbed wire fence should never be connected to the Internet.

        Earl! Unplug the cows!

        Ahh, spring... When a young AC's thoughts turn to love...

        If only I had mod points... Well crafted.

    • I don't understand why anyone would want to connect really important things such as power plants and dams to the Internet. We have been running such things for about a century now and they work just fine. Anything behind a barbed wire fence should never be connected to the Internet. Why do people do this? Just for the convenience of some fat executive or lazy engineer who doesn't want to get his fat @$$ out of this office and see what is really going on with the machinery?

      The issue isn't that individual devices are connected to the Internet per se, the problem is that many of these networks are not designed to isolate the sensitive systems from "vanilla" office computers. The problem is people in operations centers need access to weather, news etc and while they have news channels on video wall with various other readouts, sometimes they need to confirm stuff. If it really is going to freeze suddenly, that will require extra capacity as heaters, water heaters, and engine block-heaters get switched back on by some people.

      They could run parallel LANs, with separate workstations and networks for the "sensitive" operational machines and the "regular" vanilla workstations where people do email and crap.

      The risk is at the touch points, and good luck shutting them all down. How will the administrators receive alerts if the "sensitive" systems can't send SNMP pops to a monitoring system outside the virtual-wire--or to one inside of it that then emails you outside the wire? At some point, PEOPLE become the touch point and sneaker net with USB tokens becomes a problem. You can shut down and cement over the USB ports but some applications require dongles somewhere and eventually something gets plugged into something and autorun.exe happens and the next thing you know, they're hacked by Chinese.

      This problem runs many, many layers deep. If only "unplugging it" was that easy.

      • by sirsnork (530512)

        Firewalls can and do block incoming traffic. The only machine allowed to make outbound connections is the SNMP trap server, and it can only connect to internal SMTP server.

        Sneakernet is the problem, electronically securing systems that must send electronic alerts, not so much

      • by Gogo0 (877020)
        quick clarification, in the Army (even CoE), SENSITIVE information is what is on the "vanilla" computers 99% of the time. it is a designator for information that is classified higher than PUBLIC, lower than SECRET, and for use at work only.

        SENSITIVE data could be anything between a list of unit personnel's home telephone numbers to a comprehensive list of vulnerabilities across the entire unclassified network. anything deemed too-sensitive is classified higher and resides on a different network.

        odds are bet
      • So how did these power plants and dams and refineries all get run before the Internet was invented that enables hackers from China to possibly control such industries? Don't they still have people in the control rooms of these places? Do they still have telephones? Do they know how to use them to call someone higher up if there is trouble? All of these things worked reasonably well before, so why can't they now? Why should there be any Internet connection into any of these critical places? If a plant opera

      • by ceoyoyo (59147)

        Hm. Seems like the sensitive bits of the dam should have its own computer(s) and network. There are no USB ports. You get alerts on a screen because somebody is sitting in front of it, and picks up the phone or types out an e-mail on a different computer, if necessary. There are no dongles - those are security hazards.

        When you built a dam you used to build an entire, monolithic control room to go with it, hardware and all. There really isn't much excuse for using software with dongles and connecting t

    • Fat ass engineer actually, I would assume. Also he's probably offsite and a 3rd party contractor for cost reasons.
      I have an idea! Make a local-only computer. Have a display of all settings and readings. Point a webcam at it. Tada, read-only access to all the settings and readings, lol.
  • by gweihir (88907) on Thursday May 02, 2013 @07:08PM (#43615991)

    The vulnerabilities of the dams are the real problem, but for some reason the government prefers to lie about that. Most of these vulnerabilities are probably pretty obvious to an expert (and, yes, the Chinese have experts on dams and these can go to the US for vacation), so hiding these problems is pretty stupid in the first place.

    • Re: (Score:2, Troll)

      The vulnerabilities of the dams are the real problem, but for some reason the government prefers to lie about that. Most of these vulnerabilities are probably pretty obvious to an expert (and, yes, the Chinese have experts on dams and these can go to the US for vacation), so hiding these problems is pretty stupid in the first place.

      Right, but "we don't want no more liberal big gubmint!" And so the dams go unrepaired. As go the bridges. And waterways. And embankments. And highway offramps...

      Every great many years something fails spectacularly, and a few dozen commuters get splashed into the river. See also Minneapolis... Then lip service is paid, asses are kissed, and in the end only the absolutely worst bridges are fixed, the rest simply get "back-burnered" until the next stimulus bill comes along. And millions of commuters drive over

      • by gweihir (88907)

        Indeed. What I find truly fascinating is the double standards. Terrorism kills quite small numbers of people in comparison, yet billions are spent (or better: wasted) to "fight" it. Yet this clear and present danger to critical infrastructure is ignored. Typically, you should not attribute to maliciousness what can be adequately explained by stupidity, but I think the state of the US infrastructure problems has exceeded what stupidity can explain some time ago.

  • Article translation (Score:5, Informative)

    by hugg (22953) on Thursday May 02, 2013 @07:18PM (#43616053)

    According to http://www.wired.com/threatlevel/2013/05/hacker-breached-dam-database/:

    "Chinese hackers" = “the Chinese government or military cyber warriors” according to unnamed officials

    "sensitive U.S. army database" is a database where users are emailed their username and password in cleartext

    "Non-government users can query the database but cannot download data from it" (???)

  • just fix the vulnerabilities?

    • Moneeeeeeey. A $50 billion fighter jet to bomb 3rd world countries is far more beneficial than a 99.9999% secure electrical grid.
  • Does everything these days have the security of a sheet of toilet paper? Either the Chinese are excellent hackers or we suck at security.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      Either the Chinese are excellent hackers or we suck at security.

      The software was probably written by a Chinese outsourcing firm in the first place.

  • quick draft it up so the regular citizens can be blamed and punished.

  • by Tablizer (95088) on Thursday May 02, 2013 @07:36PM (#43616185) Journal

    Oh Dam!

  • Public Information (Score:5, Insightful)

    by edibobb (113989) on Thursday May 02, 2013 @07:51PM (#43616285) Homepage
    The U.S. Army Corps of Engineers doesn't keep classified information on civilian projects online, do they? Electrical distribution control systems are not accessible over the internet, are they? It looks to me like someone, whether Chinese, Lebanese, or Portuguese, got some not-so-sensitive information from the Corps of Engineers site, and the U.S. government is using it in its publicity campaign to pass laws giving the government (gasp!) more control over the internet.
    • by AK Marc (707885)
      That, and I think that you could make a good bit hosting a hack-jump box. Log in and hack from China. Guaranteed zero response. No investigation, no evidence. It came from a Chinese IP, so we'll assume it is the government and not investigate any further.

      Hacking the US government from China is a heck of a lot safer than doing it from the UK.
    • by rahvin112 (446269)

      The Corps doesn't do electricity. They do water. Dams, canals, dikes, etc. The information is likely sufficiency reports that include known weaknesses of the system, such as small foundation cracks in a dam that are a potential future issue that is being monitored but has not presented sufficient information to warrant repair.

      Information such as that can be used to plan and execute attacks on system weaknesses. Another example would be ultimate capacity of a dam, which is the point at which an inflow would c

  • Chinese hackers have infiltrated a sensitive U.S. Army database that contains information about the vulnerabilities of thousands of dams located throughout the United States. The U.S. Army Corps of Engineers'...

    ...got an immediate increase in budget, nothing was done to fix the vulnerabilities, and SOPA, CISPA, TPP, and a bunch of other crap got turned into law.
  • and some nation can take out the 3 gorges dam and make for big time flooding.

  • Dam Hackers!
  • Take our power grid OFF THE FUCKING INTERNET! Our power grid, air traffic control system and rail control system should all be on their own SIPRNet-grade secure network. There is no way in hell you can justify any part of these systems being accessible from the friggin internet. If Joe Blow the power grid manager wants an iApp to monitor what's going on, tell him to shove his iPhone up his iDiotic ass and call someone to find out.

    • by Fjandr (66656)

      That won't happen as long as the Federal government is throwing money at power companies to implement Smart Grid.

  • by Coren22 (1625475) on Friday May 03, 2013 @08:21AM (#43619251) Journal

    In soviet Russia, dams damn you.

    From the article:

    In addition to causing a major disruption to the national power grid, hackers could access the systems that control a dam’s turbine generators. A computer mistakenly started one in a Russian dam in 2009, killing 75 people and destroying eight of the nine other turbines in the dam.
