DHS Asked Gas Pipeline Firms To Let Attackers Lurk Inside Networks 114
wiredmikey writes "According to reports, which were confirmed Friday by ICS-CERT (PDF), there has been an active cyber attack campaign targeting the natural gas industry. However, it's the advice from the DHS that should raise some red flags. 'There are several intriguing and unusual aspects of the attacks and the U.S. response to them not described in Friday's public notice,' Mark Clayton wrote. 'One is the greater level of detail in these alerts than in past alerts. Another is the unusual if not unprecedented request to leave the cyber spies alone for a little while.' According to the source, the companies were 'specifically requested in a March 29 alert not to take action to remove the cyber spies if discovered on their networks, but to instead allow them to persist as long as company operations did not appear to be endangered.' While the main motive behind the request is likely to gain information on the attackers, letting them stay close to critical systems is dangerous. The problem lies in the complexities of our critical infrastructures and the many highly specialized embedded systems that comprise them."
NEWSFLASH: (Score:5, Funny)
Re:NEWSFLASH: (Score:5, Funny)
Re: (Score:2, Insightful)
They should just rename it "Department of lets see if we can get more funding" Because in reality that is all they are trying to do. DOLSIWCGMF
Yea, but then they might end up getting mistaken for all the other 'alphabet agencies,' since that's essentially the purpose of, well, all of 'em.
Two possible source of attackers (Score:2, Interesting)
1. Attackers who are from abroad, or hired by foreign governments, seeking information on how to disrupt/destroy gas distribution networks in USA, in order to destroy USA.
2. Attackers sent by DHS itself, seeking ways to destroy/disrupt gas distribution networks in USA, in order to justify EVEN MORE URGENT FUNDINGS from the congress
Re: (Score:1)
2) Just like the DEA then.
Re: (Score:2)
Department of Inland Cash Kleptocratic Services.
And who were the attackers? (Score:3, Insightful)
Re:And who were the attackers? (Score:5, Informative)
Yes, it couldn't possibly be adversaries, and people want to do harm to the United States, in an environment where people like you firmly believe that everything must be a "false flag" operation designed to somehow take away your rights.
Or, it could be this:
Capability of the People’s Republic of China to Conduct Cyber Warfare and Computer Network Exploitation
http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf [uscc.gov]
Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage
http://www.uscc.gov/RFP/2012/USCC%20Report_Chinese_CapabilitiesforComputer_NetworkOperationsandCyberEspionage.pdf [uscc.gov]
How China Steals Our Secrets
http://www.nytimes.com/2012/04/03/opinion/how-china-steals-our-secrets.html [nytimes.com]
China's Cyber Thievery Is National Policy—And Must Be Challenged
http://online.wsj.com/article_email/SB10001424052970203718504577178832338032176-lMyQjAxMTAyMDAwOTEwNDkyWj.html [wsj.com]
FBI Traces Trail of Spy Ring to China
http://online.wsj.com/article_email/SB10001424052970203961204577266892884130620-lMyQjAxMTAyMDAwNzEwNDcyWj.html [wsj.com]
NSA: China is Destroying U.S. Economy Via Security Hacks
http://www.dailytech.com/NSA+China+is+Destroying+US+Economy+Via+Security+Hacks/article24328.htm [dailytech.com]
Chinese Espionage Campaign Targets U.S. Space Technology
http://www.businessweek.com/news/2012-04-18/chinese-espionage-campaign-targets-u-dot-s-dot-space-technology [businessweek.com]
Report: Hackers Seized Control of Computers in NASA’s Jet Propulsion Lab
http://www.wired.com/threatlevel/2012/03/jet-propulsion-lab-hacked/ [wired.com]
http://oig.nasa.gov/congressional/FINAL_written_statement_for_%20IT_%20hearing_February_26_edit_v2.pdf [nasa.gov]
Chinese hackers took control of NASA satellite for 11 minutes
http://www.geek.com/articles/geek-pick/chinese-hackers-took-control-of-nasa-satellite-for-11-minutes-20111119/ [geek.com]
Chinese hackers suspected of interfering with US satellites
http://www.guardian.co.uk/technology/2011/oct/27/chinese-hacking-us-satellites-suspected [guardian.co.uk]
Former cybersecurity czar: Every major U.S. company has been hacked by China
http://www.itworld.com/security/262616/former-cybersecurity-czar-every-major-us-company-has-been-hacked-china [itworld.com]
China Attacked Internet Security Company RSA, Cyber Commander Tells SASC
http://defense.aol.com/2012/03/27/china-attacked-internet-security-company-rsa-cyber-commander-te/ [aol.com]
Chinese Counterfeit Parts Keep Flowing
Re:And who were the attackers? (Score:4, Insightful)
Re: (Score:2)
That makes no sense as a rebuttal. I mean Hannibal didn't tell the Romans "let me hang out in the Italian countryside for a while" either. That doesn't mean he wasn't working towards Rome's downfall, or that Fabius didn't have a plan to counter him obliquely (or that Fabius wanted to enslave his fellow Romans with made up stories about Carthaginian boogeymen*).
*which is what I gather many slashdotters would have said back in the day.
Re: (Score:2)
Re: (Score:2)
The reason people are suspicious is that a group with a bad track record is encouraging something dangerous.
You might be total unaware of this, but police at all levels often to not make arrests as soon as they uncover a crime. When it is a major crime that is part of a criminal network, they often instead seek to get survailance in place without tipping off the suspects. Many times they catch a much bigger criminal this way. The person originally investigated might even end up as a witness for the prosecution. Your "something dangerous" is standard police technique.
Now, go upstairs and see if your mom subscribes
Re: (Score:2)
Re: (Score:2)
Waiting to see a repeat of the crime while it is in action, and watching in secret sometimes for years while additional felonies are being committed... is the normal way that crime is investigated. If there is not an immediate danger to people, they often prefer this more thourough approach.
If you don't know that already, it means you are ignorant of the topic. Knowing you are ignorant, then when something sounds "wrong" and you actually don't know, that is called a "learning opportunity."
Re: (Score:2)
Yeah. When the cops think a car is used in a crime, towing it is not usually the first thing they do. Instead, they follow or track it, aquire sightings of the driver, etc. Only much later when they know who is driving, where they drive, who they visit, and if they can follow this car to a bigger bust, then they tow it.
Re: (Score:1)
Yeah, but China and Iran aren't the ones saying to let the attackers hang out for a while.
Yeah, but China and Iran aren't the ones saying to let the attackers hang out for a while.
Does anyone remember "Operation Fast and Furious"? The DHS let a Border Patrolman be killed through their incompetence. We here in Arizona are familiar with the competence of our former Governor Janet Napalireno. A middle aged bureaucrat in comfortable shoes.
Re: (Score:3, Insightful)
The odds of death by terrorist are lower than death by a spacerock falling from the sky & hitting you on the head. Stop being afraid of unlikely events.
Re: (Score:2)
Ok, I'll stop being afraid of unlikely events.
Since the events linked in my post have all actually occurred or are ongoing right now, and are easily provable to any reasonable person who takes an objective look at reality and the known doctrinal Chinese cyber warfare strategies advocated by the PLA's senior leadership [infosecisland.com], I suggest we respond and defend appropriately.
That, or continue pretending they don't exist, or that when they do it's all a secret US government plot to oppress its citizens. Yeah, I'm sure
Re: (Score:2)
K.....you first.
Re: (Score:2)
And I'll sell you a rock that is 100% guaranteed to keep saber tooth tigers away.
I've never seen one the whole time I've owned one.
Re:And who were the attackers? (Score:4, Informative)
The odds of death by terrorist are lower than death by a spacerock falling from the sky & hitting you on the head. Stop being afraid of unlikely events.
Source? Well over 3000 people have been killed by terrorists since 2000. How many have been killed by falling space rock?
Re: (Score:3)
When you don't specify a time span, or the direct cause of death it gets more complicated. I've read a lot of conflicting numbers, but on a given day a person might easily be more at risk from terrorist attack, since there may be more data available to support that possibility. In the future the reverse could be true since we likely will have the means to know with certainty if t
Re: (Score:2)
Lots of people have been killed in airplane crashes too, but your odds of being in one are still pretty damn low.
Re: (Score:2)
Since we're talking about a LIFESPAN of a human being, not just one decade...... YES the number of Americans killed by falling meteorites over the last 80 years does exceed the 3000 killed on 9/11.
And of course your odds of death-by-terrorist go down dramatically if, like me, you rarely fly. Just as if you don't play baseball, you're less likely to get killed by a ball than if you are a professional player. Or if you live on a mountain, your odds of dying from tsunami are near-zero.
Let's face it: Most of
Re: (Score:2)
Since we're talking about a LIFESPAN of a human being, not just one decade...... YES the number of Americans killed by falling meteorites over the last 80 years does exceed the 3000 killed on 9/11.
Where in the hell do you get this stuff, the odds of being fatally hit by a meteorite is infinitesimal. There have only been a very small handful of individuals hit by meteorite in recent history and all of them survivors.
Re: (Score:2)
Zero is larger than three thousand? What?!
Next you'll tell me that id two million wasn't born yesterday.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Who is? (Score:2)
Re:And who were the attackers? (Score:4, Insightful)
"According to reports, which were confirmed Friday by ICS-CERT, an active Phishing campaign is responsible for the U.S. Department of Homeland Security (DHS) issuing three warnings since the end of March that the natural gas industry has been under ongoing cyber attack."
A phishing campaign. Because companies shouldn't already be protecting against these.
More, "The specter of a cyber attack against critical infrastructure is a reality, but not because the DHS is guarding the Internet, but because the networks running the critical infrastructure are so poorly protected. It’s gotten to the point that simple Phishing attacks, things that proper email protection and awareness training cover, rate three separate warnings and alerts."
So it's obvious we need widespread and over encompassing legislation like CISPA that bypasses any and all existing laws and regulations regarding privacy, and that grants the NSA a legal mandate and access to any and all information collected... to protect against phishing attacks.
More: http://www.isights.org/2012/04/cispa-is-not-about-copyright-its-about-your-privacy-on-the-internet.html [isights.org]
Re: (Score:2, Troll)
Just because content owners have their own motives doesn't invalidate legitimate cyber threats, nor does it mean that very real military [uscc.gov], industrial, and academic [bloomberg.com] cyber threats don't exist. Also, anyone paying attention realizes that the lines between governments, criminals, espionage, and activists blurs in the cyber realm. Responding to cyber threats, no matter where they originate or why, takes the same form.
I'm sure it's better to have zero coordination because the slashdot crowd thinks it's a plot to t
Fast and furious (Score:1)
I'm sure it's better to have zero coordination because the slashdot crowd thinks it's a plot to take away their ability to pirate copyrighted content.
Wrong thread, bub.
Re: (Score:2)
CISPA and other poor policies won't protect the infrastructure any better than what we have now. I worked at a DOD site for 8 years. We had weekly security bulletins, and very informed users. We had several well crafted spear phishing attacks every month, and 1 account was compromised out of 8,000 in roughly 4 years. That one breach was caught within a couple minutes, because the person and their coworkers communicated.
Is the infrastructure an absolute mess and disaster waiting to happen? Sure it is, n
Re: (Score:2)
Laws certainly can fix that. It's called strict criminal liability. You hold out funds in such a way that it causes a critical system to be built without proper security, and you go to jail when somebody compromises it. If the people responsible for the money could be held liable for damages when withholding that money causes loss of life or limb, we would have a lot fewer problems (and a lot fewer rich people walking the streets).
Re: (Score:2)
While it sounds good, there is much wrong with your statement in practical terms. First point: There is well over 20 years of infrastructure to secure. Think about that for a while, laws won't fix that. Money will, and right now the US is broke. Second point: I like your idea, just like I think that the executives that got rich off the financial collapse (and continue to get richer) should be jailed. In reality, you won't pass anything of the sort. Just like there are no criminal actions against thos
Re: (Score:2)
Sorry to keep linking to my own articles, but this was covered too.
"Have a hacker steal millions of financial records, health records, or credit card numbers, and as long as they were participating in CISPA, they were acting in "good faith" to secure their networks, and as such can not be sued for failing to protect their customer's personal data."
Complete and total excemption from privacy lawsuits? All for sharing a bit of data with the Feds?
That legal "out" more than pays for the "security" systems needed
Re: (Score:2)
"Just because content owners have their own motives doesn't invalidate legitimate cyber threats..."
Content owners? Did I mention content owners? Doesn't the linked article say that CISPA is NOT about content?
Yes, there are legitimate threats. But let's craft legislation that actually helps to protect against those threats AND that's crafted with privacy concerns at its core. With safeguards. That require and demand warrants and due process. And let's not past hasty, thinly veiled attempts at allowing the go
Re: (Score:1)
Re: (Score:2)
CC.
Re:"Hainan Island Incident" (Score:4, Insightful)
"A US military spy plane illegally entered Chinese airspace and collided with a Chinese interceptor, killing the Chinese pilot."
Really?
That's not exactly correct. US surveillance aircraft do not violate China's sovereign airspace, but Chinese fighters would routinely harass US aircraft in what China claims as an "exclusive economic zone" in the South China Sea, not recognized by the US, and not considered sovereign airspace. "The PRC interprets the Convention as allowing it to preclude other nations' military operations within this area, while the United States maintains that the Convention grants free navigation for all countries' aircraft and ships, including military aircraft and ships, within a country's exclusive economic zone."
China's fighters routinely buzzed US EP-3's, and if you're actually asserting that an EP-3 is maneuverable enough to cause a collision with a Chinese J-8 fighter, then you are either deluded, or a member of the PRC's 50 Cent Party. The US EP-3 had to enter Chinese airspace in order to conduct an unauthorized emergency landing on Hainan Island, after which NSA's secure operating system was completely compromised by China [newyorker.com], with a US Admiral later observing, “It was grim," and a US official responding to a question of whether China could be "that good" by saying, “they only invented gunpowder in the tenth century and built the bomb in 1965. I’d say, ‘Can you read Chinese?’ We don’t even know the Chinese pictograph for ‘Happy hour.’"
So yeah, go ahead and assert that China would somehow be a better global steward of human rights.
Re: (Score:3)
I just wonder how the US would react if China sent a bunch of aircraft carriers and started doing reconnaissance flights in the Gulf of Mexico of off the coast of Florida or New York or DC (in International waters).
Do you think the US would just leave them alone?
Re: (Score:2)
Obvious question is obvious (Score:1)
How the hell are "cyber attackers" getting into NATURAL GAS CONTROL NETWORKS in the first place?
Headline (Score:5, Funny)
Realworld equivalent: "Terrorist shows up at airport with bomb strapped to chest. Security waves him through, asks only that he not threaten anyone prior to detonation."
Re: (Score:3, Insightful)
And then when something bad happens they'll blame it on incompetence and say they need better tools to prevent attacks like this and roll out the next round of cyber laws they have sitting in the drawer targeted at domestic citizens.
Re: (Score:1)
And then when something bad happens they'll blame it on incompetence and say they need better tools to prevent attacks like this and roll out the next round of cyber laws they have sitting in the drawer targeted at domestic citizens.
The government controls the media, and the media is the only way the citizens can keep tabs on the government, then they don't really even have to lie; They can do whatever they want, right out in the open, and anyone who provides evidence can simply be arrested for 'homeland security'.
Re: (Score:3, Insightful)
Re: (Score:2)
Real-world equivelent:
Police identify suspected thief and ask victim not to publicise report or scare off thief so they can follow her and catch the fence.
Wrong reason? (Score:4, Interesting)
Re:Wrong reason? (Score:5, Insightful)
Not reacting immediately to advanced, targeted intruders is standard tactics, and recommended by most experts in the field. This is news to Slashdot because folks here usually only deal with mass criminal attacks, which are a different beast entirely.
This isn't a DHS conspiracy, not even one for new funding. It's just the government advocating reasonable measure even though I'm sure they knew they'd get pilloried for it. I rarely respect the DHS, but in this case I may make an exception.
Re: (Score:2)
Not reacting immediately to advanced, targeted intruders is standard tactics, and recommended by most experts in the field. This is news to Slashdot because folks here usually only deal with mass criminal attacks
I thought it was because they have 6 or 7 digit IDs, and know nothing about real security practices because they were born yesterday!
hmmm.. what I find interesting.. (Score:1)
Re: (Score:3)
Because some of the targeted companies discovered the attacks and alerted the DHS. These reports have been shared with gas companies for months, including details about the phishing emails, the malware processes, and the C&C domains involved.
Never heard of a honey pot? (Score:1)
Re: (Score:2)
Just a suggestion looking at your signature - shouldn't it be "Two of my imaginary friends were fruitful and multiplied with negative results."
Sounds like Fast & Furious (Score:2, Interesting)
"Don't check your customers for IDs. Just sell them and we'll track the criminals across the Mexican border." - This policy resulted in many, many deaths that could have been prevented by not encouraging stores to break gun laws and sell to criminals.
Now it sounds like DHS is trying the same stupid strategy. Read more here: http://www.forbes.com/sites/realspin/2011/09/28/fast-and-furious-just-might-be-president-obamas-watergate/ [forbes.com]
does actually make some sense (Score:4, Insightful)
If you think about it, this could provide more information on your opponents. Though it is a bit of a gamble - can you get valuable information without too much risk? Or, is it worth the risk?
Think about the whole process of infiltration. Once you get your foot in the door you start gathering information and testing the waters to see what you can do. If you don't think you've been discovered, but you have, then the defenders have some good opportunities. They can feed you false intelligence, make you think you are burrowing into an important control system that's actually a honeypot, give them a false sense of accomplishing their goal, waste their time and resources. Done properly, this is very useful counter-intelligence.
Fooling the other guy is valuable. Tricking the other guy into thinking he's fooled you can be even more valuable. I think that's the core of what this is about. But as I said before, it's a risk, and could get out of control.
Re: (Score:1)
Agree, it's not obvious from the summary that DHS acted in an irresponsible manner.
One principal of warfare is to keep the enemy off guard. If the attackers can detect within hours that they've been discovered, that makes their jobs that much easier. They should be concerned that they've already been detected and may be under close watch.
Don't worry.... (Score:2)
Don't worry that they are trying to trim your pubic hair with a weed-wacker - as long as they are only touching pubes your fine!!!
Re: (Score:2)
Or as I call it, Thursday!
It is important that you don't flinch.
Makes sense to me (Score:2)
Trying to get more data from an intruder isn't a bad thing, and they did state as long as it was 'safe' to do so.. DHS was not asking the companies to let the attackers get into sensitive stuff and just twiddle their thumbs.
Fascinating (Score:2)
This could be taken in any number of ways, but I'd go for two here:
1.) (Giving DHS the benefit of the doubt) -> They *want* the cyber-spies (what name, Industrial Espionage would fit better here) to find and copy some of the firm's software. Why? Because they (DHS) are going to ensure that the copies the spies get will have some small, but interesting changes to them. Something the CIA pulled with the Soviets a while back. Though I would be surprised that they would think that strategy would work again.
2
Re: (Score:2)
Hmmmm. (Score:2)
So there are a lot of folks who think that DHS is causing trouble to justify their own budget... could be, a little too obvious and Hollyweird for my taste but not outside the realm of possibility. My only question is that if in fact they're asking to not disturb the black hats so they can zero in on them...
1. Why is this taking so long? Isn't this their specific mandate, aren't they armed to the teeth to detect cyber-terrorism in our nation's infrastructure, I would think that they'd be frog marching bad g
Re: (Score:2)
1. The spear phishing emails were sent five or six months ago but the attacks using the malware didn't start until about two months ago.
2. I imagine the story broke because someone at a gas company leaked one of the several emails sent to us the last week or so.
3. All reports thus far indicate that the attackers were merely poking around and doing nothing destructive or particularly intrusive.
Good vs bad reasons (Score:2)
There are two good reasons for doing this.
1) Just because you've identified attacker(s) in one part of the system, doesn't mean that they aren't in other parts. They could retaliate for that action.
2) You can gain valuable intelligence about who they are and how they're doing it.
Now the good reasons *not* to.
Items 1 through 1,000,000) They were in critical infrastructure equipment, and have retrieved an unknown amount of informatio
Re: (Score:2)
I don't get why they're accessible to **ANYONE**. Hell, on my personal servers, if they need to be reached by port 80, so be it. For machines that I do my own stuff on, they're locked down to specific IPs on an as-needed basis. If I need someone else on one, I open it up to their IP only.
I'm switching my stuff up, so you simply can't log into anything not specifically authorized. You can VPN in, but that list is strict (me and a couple friends).
I cringe ever
Re: (Score:2)
Have you checked the numbers on your cost-benefit analysis? Are you sure it's not 1,000,000,000,000,000,eleventygazillion reasons not to do this?
Re: (Score:2)
I lost count on the zeroes. You may be closer. :)
Cuckoo or not? (Score:3)
Precisely (Score:2)
Stoll was an individual, with few resources and no authority to require information from anyone. DHS is a large well-funded national agency with serious authority.
They should have left that intrusion alone just long enough to get it traced.
Re: (Score:2)
If you know much about network security, you know that it is not like CSI where if you have the right Authority, you can press buttons and get a "trace." All that gets you is to who they wanted the attack to appear to be from. To do any real tracing you need both Authority, and also persistence, and live action. Not every packet in the world is going to be archived for you. You have to carefully observe the attacker in the act to catch them, especially if they are coming in from and via other legal jurisdic
I have my doubts (Score:1)
While the main motive behind the request is likely to gain information on the attackers
I have my doubts about that, after all what's more important, catching these people (who are most likely in non-extradition countries) or protecting the people of this country?
I also have my doubts about the competence of the DHS, HLS, TSA and all the other "security" agencies that have suddenly sprung up after 9/11.
Now stare at your phone and step into traffic...
Starting the "cyberwarfare" (Score:2)
This is what happens when you treat hacking as warfare and make the military responsible for security.
Gas Companies' Response? (Score:2)
DHS wants a call ... (Score:2)
Where there's fire... (Score:1)
Advice dog says: (Score:2)
ENDANGER GAS PIPELINES
(picture of a dog)
CATCH SOME BORED IDIOT
Axis and Allies, quite a game (Score:1)
Sure it's dangerous. However, I'm sure the Allies let their own occasional ship get sunk rather than save it and thus reveal that they had cracked the enemies' codes.
You have to look at the bigger picture.
tl;dr (Score:1)
Critical infrastructure is accessible from the public internet. DERP DERP DERP DERP.