
Thread: U.S. oil pipeline shut down by ransomware

  1. #61
    Site Supporter
    Join Date
    Aug 2014
    Location
    Northern Virginia
    Quote Originally Posted by trailrunner View Post
    That's sort of what I'm getting at - why is the system vulnerable to me clicking a strange link? Why is it my responsibility to detect a genuine email or a legitimate attachment? If a system can be compromised that easily, maybe it's the system's fault?
    My company puts all employees through regular training to detect these sorts of attacks. They're generally quite easy to spot. But, a perfectly written piece of software can be vulnerable to poor implementation or lax user environment standards.

    Think of it this way, your entire enterprise IT environment is set up to a reasonable standard, but VP Snowflake demands admin access on his workstation so he can install whatever he wants whenever he wants. A direct violation of policy, but he's VP Snowflake, so he compels the poor IT guy to make it happen. VP Snowflake then gets a Spearphishing/Whaling email containing a suspicious file. Because he's important and doesn't do his yearly user security training, he opens the email, opens the file that is a poorly disguised attack, and has his system compromised. Because he's a VP, the attackers now have access to all sorts of data, as well as access to other systems. Because the organization hasn't implemented inter-system controls, such as Zero Trust (because it makes it slightly tedious for VP Snowflake to get to a document on a server in another department), the attack starts spreading horizontally throughout the enterprise, infecting other systems. Then there is a weakness in a boundary security system between the IT environment and OT environment because the OT systems weren't designed with security in mind because they were purchased 30 years ago, not intended to be connected to the IT network, and haven't been replaced because "we can't afford the investment or downtime". Now the attacker has access to systems that can actually impact human safety or critical operations...

    That's not science fiction, but how it happens day in, day out. An easy mitigation would be to not allow VP Snowflake to have admin rights and to enforce user security training even for the "important" people. Not connecting OT to IT or making sure there are strong controls and monitoring in place would reduce the risk.

    Quote Originally Posted by trailrunner View Post
    I'm sincerely asking these questions and not trying to poke at anything or anyone. These are just questions I've had for a while. My computer science education ended in the punch-card era. I'm sure it's not as simple as I'm making it, because I know there are a lot of very smart people on the good side.
    Things have changed very significantly in the last decade alone. The stakes have increased and technology is being weaponized like never before. I'm starting to see why there are prohibitions against computers in the Battlestar Galactica and Dune universes. You can't hack what isn't connected.

    Chris

  2. #62
    In a private business there is often a struggle between IT and the rest of the Org. IT can easily lock everything down and make it 99% secure, but then no one can actually do their job. It's a careful balance between letting people do their job quickly and with autonomy vs. taking no risk and slowing down the entire business.

    Unfortunately there's no good answer. As tempting as it is to say we'll just lock everything down and remove all privileges, it's not in any way practical. That type of strategy makes the Fed Govt look lean and fast.

  3. #63
    Quote Originally Posted by trailrunner View Post
    ... Is it truly impossible to build a bulletproof system?
    It's pretty hard:

    1) Why do people escape from prison? Why not build escape proof prisons? And the answer, of course, is that prisoners get to sit there year after year thinking up that one complicated improbable way out. The designer has to think of all possible attacks up front.

    2) Even with a perfect design, doing bug free software is hard, as in expensive. I have toured the Boeing avionics dev facility, and the rigorousness of their testing almost makes even a long time computer nerd willing to fly in their planes :-). But people don't want to pay the costs to put that kind of QA into the next release of their browser or Candy Crush app.

    For one example, security cameras are usually a huge security hole. Today they typically run a linux kernel that is never patched (if you have one, when did you last apply security patches? ... right, never, the manufacturer doesn't even publish them).

    So, for example, our security cameras are hard wired to the DVR/controller box, but that isn't connected to any other network. But that's not how people run them, they want to be able to see the video on their phones, etc, so they connect the security cams to their wifi, and now you have a bunch of unpatched systems running inside your firewall.

    3) As mentioned above, people click on links, etc. The more sophisticated attackers will e.g. look at the corporate org chart, and the hacked link will come in an email that is ostensibly from your boss.

    4) My 2 cents (with the disclaimer that I was a computer nerd, not a security specialist): you can't make any single piece of software hackproof. You can make the system as a whole harder to compromise in a bad way. For example, I'm typing this on my 'general purpose' computer that I use for 97% of things ... but not for financial stuff. If someone slips in a funny cat video with a zero day exploit, this machine will get hacked. I keep an older (hardware older, software up to date) linux box that is only powered on when I'm messing with money - online banking or the brokerages that have retirement money. That box never goes to p-f or LOLCats dot com or whatever, only to the financial places. So that's less convenient, but more secure. That's the usual tradeoff.

    Nothing is perfect - stuxnet spent a couple of years, IIRC, to get across the air gap - but if the process control stuff in your industrial facility can be controlled from a general purpose computer where a bored graveyard shift guy is surfing lolcats sites, or clicking on random email spam, that's a risk you can avoid.

    5) The place I worked had a couple of people whose full time job was to monitor for important exploits and decide whether getting out the patch on next week's regular update cycle was good enough, or if we needed everyone to drop what they were doing and help patch everything today. They had spent the money to be able to patch a few thousand systems overnight if they had to. They spent the money to put minimal configurations on everything, i.e. each box only ran the software needed for its limited role, instead of every box running the whole suite of stuff the OS vendor enabled by default. They spent the money to have tightly controlled firewalls. They spent the money to do careful monitoring of logs and so on so hacking attempts would get noticed.

    All that is hard to do if you just have one poor sysadmin at AcmeCorp trying to keep up with everything on his own.

    It's sort of like 'why don't we all keep our guns in theft proof places'. And there is a big range of 'theft proof', from 'in the glove box parked on the street' to 'in a Stack-On box screwed to the studs' to 'in a TL-30 safe in a house with a monitored alarm' to 'in a bank vault' to 'in Fort Knox' (the place, not the brand of safe). AFAIK, Fort Knox is the only one of those that has never been successfully broken into. But most of us have to settle for something cheaper. Which doesn't mean the glovebox is smart :-).

  4. #64
    Site Supporter
    Join Date
    Aug 2014
    Location
    Northern Virginia
    Another point, related to the one previously made about Y2K...

    If you do everything correct and the environment is never compromised, never suffers an outage, and always just "works", guess what?

    Your IT department gets slashed because why do you need such an expensive team when nothing goes wrong?

    Y2K was like that. Folks in my line of work put in a LOT of work to patch everything, update code, etc. The end result was...nothing. Virtually everything worked. As a result, "experts" today claim Y2K was a big overreaction. Oh really?

    Damned if you do, damned if you don't.

    Chris

  5. #65
    Member
    Join Date
    May 2017
    Location
    USA
    Quote Originally Posted by blues View Post
    The only good hacker is a ...
    Send in James Reece and Raife Hastings for a HAHO from a Gulfstream.
    Do unto others as you would have them do unto you.

  6. #66
    Smoke Bomb / Ninja Vanish Chance's Avatar
    Join Date
    Nov 2011
    Related news today, from Wall Street Journal:

    Volue AS A, a Norwegian company that provides technology to European energy and infrastructure firms, is working to restore critical software services to customers after a ransomware attack on May 4 and 5, days before Colonial Pipeline Co. disclosed a ransomware attack that shut down the largest fuel pipeline in the U.S.

    Ransomware shut down Volue's applications providing infrastructure to water and wastewater facilities in 200 Norwegian municipalities, covering around 85% of the country’s population. Seeking to prevent the ransomware from spreading to other computer systems, the company shut down all other applications that it hosts and quarantined around 200 employee devices. Volue says it has 2,000 customers in 44 countries.
    Unfortunately, the full article is behind WSJ's paywalled-paywall (they have lots of paywalls...), so I don't have many details.
    "Sapiens dicit: 'Ignoscere divinum est, sed noli pretium plenum pro pizza sero allata solvere.'" - Michelangelo

  7. #67
    "In a private business there is often a struggle between IT and the rest of the Org. IT can easily lock everything down and make it 99% secure, but then no one can actually do their job."

    Indeed. Kevin Mitnick relates a hack in one of his books: the attackers wanted to send a fax from inside the corporate system. So they dress someone up in a suit with a briefcase and he walks around the corp. headquarters for a while. Then he comes out in the lobby, rushing like he's late for a flight or something, stops at the door, and goes back to the lobby receptionist. His story is he's running late for a flight and forgot to fax/scan/whatever something for the multimillion dollar Acme deal. Well, receptionists are generally selected to be helpful to harried executives, so she volunteers to fax/scan/whatever it for him ... on the company network. And of course, whoever got the fax/scan/whatever assumed it was legit, because it came through the corporate system.

    Now, you can say 'well, we need to train company receptionists to treat everyone like hostile attackers'. But that isn't cost free ... more often than not, it will be a perfectly legit request and if the receptionist refuses to send it, you will miss out on some of the Acme deals. This is a classic problem in places where security really matters, like intelligence agencies. You can compartmentalize things so tight that one hand doesn't know what the other is doing. It may be worth the cost, or not, but it is a cost. Or, one reason that the Manhattan Project got a working bomb before the war ended was that, at Los Alamos, they were really loose with compartmentalization, so open collaboration speeded everything up. And that came at the cost that some fairly junior people could spill the beans to the Soviets. Tradeoffs everywhere.

  8. #68
    Revolvers Revolvers 1911s Stephanie B's Avatar
    Join Date
    Mar 2014
    Location
    East 860 by South 413
    Quote Originally Posted by blues View Post
    The only good hacker is a ...
    Quote Originally Posted by Hambo View Post
    I'll bring the shovels.
    I'll swing by the garden supply place and pick up a bag of quicklime.
    If we have to march off into the next world, let us walk there on the bodies of our enemies.

  9. #69
    Revolvers Revolvers 1911s Stephanie B's Avatar
    Join Date
    Mar 2014
    Location
    East 860 by South 413
    I knew a law firm that had an isolated intranet. If you wanted to do research or email, you went to the computer room and used computers that were dedicated for those uses.
    If we have to march off into the next world, let us walk there on the bodies of our enemies.

  10. #70
    Site Supporter
    Join Date
    Jul 2016
    Location
    Away, away, away, down.......
    Looks like they're starting to bring everything back online.

    Colonial Pipeline says it is restarting operations

    By Will Englund
    Colonial Pipeline announced that it has launched the restart of pipeline operations as of about 5 p.m. Eastern time. The company said “it will take several days for the product delivery supply chain to return to normal.” There will probably continue to be service interruptions. “Colonial will move as much gasoline, diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal,” the company said.
    https://www.washingtonpost.com/busin...DFEUW4EPOAGSGM
    im strong, i can run faster than train
