TWIT 822: Five Pounds of Mortadella

I tried to turn it into a TinyCam CCTV behemoth and that didn’t work well. Next project is MAME-ish machine

Yeah I feel bad about not mentioning the Colonial Pipeline story - it just slipped my mind - but honestly there’s not much to say about it. And I knew Steve Gibson would cover it today, as he did.

4 Likes

Don’t feel bad, but I hope you discuss it in the next episode. I’m guessing Steve mostly stayed on the technical side of the attack. I’ll find out tomorrow when I listen to Security Now. What I would like to hear a discussion on is the following:
How do we as a country defend ourselves from this?
What do you think our response will be?
What do you think our response should be?

We need to start looking at actually running companies properly, not just cutting every corner possible to give shareholders more profit.

They need to invest in real security and training, and they need to stop doing stupid things, like putting critical infrastructure on networks that are connected to the Internet.

Comfort or security, which do you want? They are mutually exclusive and most people and companies are too comfortable these days.

Access my system from home? Super. But that also means everybody else in the world can also gain access to it.

5 Likes

The only way that happens is more restrictive regulation - we’ll see if that ever happens.

This. Stunned somebody has ended up with a risk of ransomware on their SCADA (they were vague, said they stopped ops as a precaution - but you need a very good reason to stop your operations).

And being offline since Friday suggests their resilience/continuity is not fit for purpose - or that was compromised too and they’re having to rebuild.

3 Likes

Do you think you turn a 5500-mile pipeline on like a light switch?

I just saw a story that said two months ago they were looking for a cybersecurity manager.

So no one thinks we should go after these hacker groups? We should just try our hardest to protect ourselves and let these groups take pot shots at our infrastructure.

1 Like

We should go after the morons in charge that have infrastructure control devices on the public network. Give them some jail time for public endangerment and then watch the rest of the morons at other public utilities suddenly decide they can do better.

2 Likes

Colonial have a job ad on LinkedIn for a SCADA Manager too.

You do both, get CISA/FBI involved, but secure your systems. And yes, bringing a pipeline back online won’t be simple, with knock-on impacts to refiners etc.

1 Like

CIA - find them, render them ineffective

What do you propose that would be more efficient than making it prohibitively hard to manipulate the systems? Especially if the groups operate from outside the US?

Retribution does work as revenge, but not too much as a deterrent - if (you think) you’re smart enough to compromise a nation’s strategic resource and benefit from it, you surely think you’re smart enough to avoid getting caught.

Strong regulation on IT security for operating strategic resources would be the best path to take, in my book. Make it both highly profitable and painful to fail.

1 Like

I would designate them terrorist organizations and have their members arrested preferably, tried, and sent to prison for a long time. What this group did is an act of war.

Sure, nuke Russia… and while you’re at it, don’t forget China and North Korea… and maybe Cuba too, just for good measure.

If you fail to lock your doors, and someone manages to take advantage of that, it’s not clear to me who is more at fault… certainly your insurance company probably wouldn’t cover such a loss. North Americans have been VERY lax at “locking doors” on critical infrastructure and kind of deserve to pay for their stupidity until they learn to be better at protecting what needs to be protected.

2 Likes

They aren’t a nation state and they didn’t attack a country or its government - although enough government and city systems have been hacked in the last couple of years - so they can’t commit an act of war.

Criminal attacks against private companies are not acts of war. Despicable? Yes. Abhorrent? Yes. Act of war? No.

At the end of the day, this wasn’t critical government infrastructure, it was a privately owned pipeline that got shut down - and it sounds like the company shut it down as a precaution, because they didn’t have any/up-to-date documentation on the interaction between IT and OT. That is a huge failure on the part of the company. Not only didn’t they bother to adequately secure their IT networks, they didn’t even bother documenting their systems and the interactions between the company IT equipment and the operation equipment. This was a disaster, of their own making, waiting to happen.

That is the problem with 21st Century capitalism: it has gone beyond ensuring a business is fit to survive and provide a long-term return on investment, to ensuring the shareholders are happy for the next quarter, and anything else, like ensuring the business is in a good condition to survive, is pushed out as far into the future as it can be.

The stock exchange has become a game of Russian Roulette, keep pumping companies for more profit and push up the stock prices, but jump off the bandwagon at the right time, so that when the company is hit by the lack of required investment over the previous years, you have already dumped their shares and moved on to your next target.

Security, sustainability and environmental impacts are dirty words that have no place in the modern corporate boardroom.

Yes, we should be going after these criminals who walk in through the open doors left by (mis-)management and disrupt the company. But they usually operate in countries with no extradition treaties with the USA or Europe and they don’t have anti-hacking laws or they are very lax about enforcing them, so the criminals can’t be charged locally either, in many cases.

And, as long as insurance companies provide insurance against cryptomalware and pay the ransoms, this problem isn’t going to go away.

In the Apple case, they were blackmailed for $50M to get the data stolen from Quanta back. Hiring a bunch of ex-special forces to go and hunt the bad guys down would probably cost a fraction of that, but it would be hugely negative PR.

Where I used to live, people never locked their doors, I got home tired from work on a few occasions and forgot to lock the car doors or left the windows open. My car and its contents were still there the next day. Nowadays, the number of criminals living in the area means that my old neighbours can no longer leave their vehicles parked on the street at night, they have to park them in their garages, if they don’t want to find that the mirrors or aerials have been ripped off, the bodywork scratched, windows broken or the tyres slashed… Not every car, every night, but often enough that nobody takes any chances any more.

Yes, the police should do something about it, but until they can get the scum off the streets, the residents are left with having to ensure they have protected their property to the best of their abilities.

Businesses, in the face of malicious attacks, have no option but to do the same. Until now, they have used the Ostrich trick of sticking their heads in the sand and saying it couldn’t happen to them, whilst gutting the company for the profit of the shareholders. This attitude needs to change.

3 Likes

It’s a challenge every company faces. We were viewed as wasteful, were always fighting for budgets to implement the tech and designs we wanted. Bit like pandemic preparedness I guess, why invest all that money in something that likely won’t happen. And then it does. WannaCry was in our enterprise systems when the NHS trusts were hit, but at no point did we have concerns about the ops side, other than reinforce what staff should not be doing when working on the ops systems.

2 Likes

I never said to nuke anyone. We took out Bin Laden without a nuke. Send in special forces and kidnap the bad guys. If they can operate freely they will continue to do so with each attack being worse than the last one. I think it would only take two or three hacking groups to disappear before the other hacking groups get wise and stop attacking the infrastructure.

It’s not critical government infrastructure, but it is critical infrastructure. Most of the infrastructure in the US is privately owned. In Las Vegas, where I live, only the water and sewer are government owned. Electricity, Internet, telephone, and natural gas are all privately owned.

So now if the press reports are true this hacking group is $5 million richer and have incentive to stop.

9/11 wasn’t an attack by a government on another government. The airplanes they hijacked were private and 2/3 of the buildings they hit were private as well. If you think we wouldn’t have invaded Afghanistan if they had targeted something other than the Pentagon, then you have made a big mistake. In my mind this is the digital equivalent of 9/11.

Preach! As with anything, if we don’t put some guardrails up to protect society/the world, people will do what they’ve always done and act selfishly in their own interests or the interests of the groups they identify with, everything else be damned.

1 Like

I can’t see sending special forces into Russia or China to kidnap folks resulting in any kind of positive long term outcome. Especially if those folks are receiving some sort of protection from their governments.

1 Like

Then we do nothing and allow them to keep taking shots at us and these attacks will only increase. I don’t think we have enough equipment and technical expertise for every utility in the country to properly protect themselves in a timely enough manner.