[conspire] (forw) Re: [skeptic] Ransomware and rotten doors

Rick Moen rick at linuxmafia.com
Thu Jul 6 21:52:21 PDT 2017


----- Forwarded message from Rick Moen <rick at linuxmafia.com> -----

Date: Thu, 6 Jul 2017 21:46:47 -0700
From: Rick Moen <rick at linuxmafia.com>
To: skeptic at linuxmafia.com
Subject: Re: [skeptic] Ransomware and rotten doors
Organization: If you lived here, you'd be $HOME already.

Quoting Marcus Harwell (skeplisty at gmail.com):

> I'm sure this won't at ALL be a problem for the bafflingly outdated
> systems and now alarmingly understaffed State Dept.

Quite.

But seriously, losing large collections of valuable data because of
ransomware?  Anyone who keeps significant data sets without proper
(periodic, normally detached, sufficiently scoped, periodically tested)
backup is implicitly saying 'I don't mind if all of this work goes pfft
without notice' -- if only because hard drives and SSDs fail and because
users accidentally delete or screw up files.

Heads should roll at any institution, public or private, that isn't
taking that seriously, and blaming 'malware' misses the point:  that
data was dangerously exposed, and not just to software.

Reading between the lines, I suspect that the recent ransomware 'attack'
damage was primarily to end-user workstations -- but that raises another
point: everywhere I've worked, it's been a serious no-no to leave any
significant amount of work product solely on one's workstation -- and
there are two individually compelling reasons for this:  (1) In general,
workstations aren't regularly backed up, don't have redundant storage
devices, etc.  (2) Any work you're paid to produce ought to be
accessible to your manager.  (If you want the freedom to give all others
access to what you're doing only on your own terms, that's fine, but it's
then a hobby, not a job.)


Web-searching 'Davis-Besse slammer' finds some interesting retrospective
articles about the 2003 nuclear plant SQL Slammer incident:

http://www.securityfocus.com/news/6767
http://large.stanford.edu/courses/2015/ph241/holloway2/
http://large.stanford.edu/courses/2015/ph241/holloway1/docs/SI-v10-I1_Kesler.pdf

Quoting from that:

  The Davis-Besse incident highlighted the fact that most nuclear power
  plants, by retrofitting their SCADA systems for remote monitoring from
  their corporate network, had unknowingly connected their control
  networks to the internet. At the time, the NRC did not permit remote
  operation of plant functions. That policy would change by 2008.

No. Airgapped, dammit!

  Stuxnet even traveled on portable thumb drives to infect computers
  that were not connected to the internet.

On that issue, the Stanford paper, like most others and essentially all
news coverage, doesn't cover how the Stuxnet worm got onto the Natanz
lab PCs that drove the PLCs that drove the centrifuges: a human agent
working for the US or Israeli intelligence agencies deliberately loaded
it from a USB flash drive.  Code by and large does not run itself, and
it's extremely unlikely the Natanz managers were stupid enough to permit
any old person to run any old program off any old flash drive, on those
machines.  So, in-person sabotage was an essential ingredient, and the
spook agencies took care to ensure that as few people talked about that
as possible, to protect their human asset in place.

(Neither academics nor reporters are typically quite cynical enough
about the available official story, and don't look hard enough for the
carefully omitted key details.)


https://www.washingtonpost.com/news/the-switch/wp/2016/01/15/should-you-be-afraid-of-cyberattacks-on-nuclear-power-plants/

2016 article says a Nuclear Threat Initiative report says 'Twenty
countries with nuclear weapon materials or nuclear power plants "do not
even have basic requirements to protect nuclear facilities from cyber
attacks"'.  Nuclear Energy Institute disagrees, says 'nuclear power
plants in the United States keep their systems disconnected from the
Internet or use hardware that separates business computer systems at
plants from those that control nuclear operations to protect them from
being attacked through the Web'.  But a report by Chatham House in
London says 'Often, nuclear facilities will have undocumented connections
to the internet.'  Which was the Davis-Besse problem.

My estimate:  Nobody learned a goddamned thing.




----- End forwarded message -----