Digital Pearl Harbor, Cyber 9/11, and E-Qaeda

From today's print edition of The Washington Post come a pair of alarming stories about how Chinese hackers and terrorist groups have infiltrated our electric power grid and are using our own digital infrastructure against us.

A piece on page A4 talks about cyber spies having left behind software backdoors on networks connected to the U.S. power grid. A story on the front page warns that terrorist groups who have sworn to destroy the United States are taking full advantage of Web site hosting and registration services here in our backyard.

Each story is a fascinating read, but both have been told before. Hackers motivated by financial gain have been infiltrating power-company networks and using our Internet infrastructure against us for years. The main differences these stories highlight are in attribution -- that is, who's responsible -- and intent, or the implied goals of the attackers.

For example, most malicious software, regardless of who wields it, opens backdoors on infected hosts that allow the bad guys to get back in whenever they want. In fact, this is a standard feature of all bot programs, the programs used to turn otherwise healthy PCs into spam-spewing zombies.

I mention this because at any one time, computers at dozens of power companies throughout the United States are compromised by bot programs. And this has been so for years. In 2007, I wrote about penny-stock spam being blasted out of computers at American Electric Power that was confirmed to be the result of a bot infection there.

If you simply examine the list of Internet addresses flagged by anti-spam groups as blasting junk e-mail, you can find dozens of systems that currently are or very recently were infected with bots and backdoors.

To illustrate this concept, I took a few minutes to peruse the Composite Blocking List (CBL) as published by Spamhaus.org (the CBL lists Internet addresses that appear to be acting as open relays for other Internet traffic, or that are infected with a spam Trojan or some other security compromise).

All I did was sort the CBL list by U.S.-based Internet addresses, and then have a look through them for those assigned to American power companies. One caveat: It is not possible just from looking at this list to say how many -- if any -- of these backdoored systems have access to critical power control networks. Still, this is just from one public source. What's more, these are mostly opportunistic infections, caused by attacks that are random in nature. Now, just imagine the access that a determined adversary could gain.

Spamhaus reports that it found 106 different infected Internet addresses assigned to Conway Corp., a power and telecommunications provider in Arkansas.

Forty-one of the addresses on the CBL trace back to Internet addresses belonging to City Utilities of Springfield, Missouri.

For the rest, I'll just list the name of the provider, its location, and the number of Internet addresses assigned to the company that showed up on Spamhaus's block list:

KAMO Electric Cooperative, Vinita, Okla. (6)
Cobb Energy, Marietta, Ga. (4)
Pulaski Electric System, Pulaski, Tenn. (2)
Arizona Public Service Co. (3)
TXU Energy, Texas (2)
Electric Fiber, NY, New York (2)
Baltimore Gas & Electric, Baltimore, Md. (1)
Florida Power and Light (1)
Hopkinsville Electric System, Ky. (1)
Southern Company, Atlanta, Ga. (1)
Newnan Utilities, Newnan, Ga. (1)
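The sorting-and-attribution exercise described above (filter a block-list export down to U.S. addresses, then attribute each listed address to the organisation it is assigned to and count per organisation) is easy to automate. The following Python is an added example written for this page, not code from the post or from Spamhaus. The block-list export and the address-allocation table it uses are constructed sample data built from documentation-reserved ranges; the organisation names are placeholders, and a real run would replace the allocation table with WHOIS or routing-registry data. The DNSBL query-name construction at the end reflects how Spamhaus's zones are queried (reversed IPv4 octets prefixed to the zone name), and the answer-code mapping follows Spamhaus's published return codes for the ZEN zone.

```python
import ipaddress
from collections import Counter

# Constructed sample of a block-list export: one listed IPv4 address per line,
# "address<TAB>reason". Addresses are from RFC 5737 documentation ranges; the
# listings are made up for this example.
SAMPLE_CBL_EXPORT = """\
192.0.2.10\tspambot
192.0.2.11\tspambot
192.0.2.200\topen proxy
198.51.100.5\tspambot
198.51.100.9\tspambot
198.51.100.77\tspambot
203.0.113.4\tspambot
not-an-address\tjunk line to show the parser skipping garbage
"""

# Constructed allocation table: (CIDR block, organisation, country code).
# A stand-in for what a WHOIS / routing-registry lookup would return.
SAMPLE_ALLOCATIONS = [
    ("192.0.2.0/25",    "Example Power Co. (placeholder)",    "US"),
    ("192.0.2.128/25",  "Example Hosting Ltd. (placeholder)", "GB"),
    ("198.51.100.0/24", "Example Utilities (placeholder)",    "US"),
    ("203.0.113.0/24",  "Example Telecom (placeholder)",      "DE"),
]


def parse_blocklist(text):
    """Return (ip_address, reason) tuples from a block-list dump, skipping bad lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        addr, _, reason = line.partition("\t")
        try:
            entries.append((ipaddress.ip_address(addr.strip()), reason.strip()))
        except ValueError:
            continue  # malformed address: ignore rather than abort the whole run
    return entries


def build_allocation_index(rows):
    """Turn (cidr, org, cc) rows into (network, org, cc) for membership tests."""
    return [(ipaddress.ip_network(cidr), org, cc) for cidr, org, cc in rows]


def lookup(ip, index):
    """Longest-prefix match: return (org, cc) for the most specific block containing ip."""
    best = None
    for net, org, cc in index:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, org, cc)
    return None if best is None else (best[1], best[2])


def count_listings_by_org(blocklist_text, allocations, country="US"):
    """Count listed addresses per organisation, restricted to one country code."""
    index = build_allocation_index(allocations)
    counts = Counter()
    for ip, _reason in parse_blocklist(blocklist_text):
        hit = lookup(ip, index)
        if hit is not None and hit[1] == country:
            counts[hit[0]] += 1
    return dict(counts)


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Build the DNS name used to ask a DNSBL about an IPv4 address (octets reversed)."""
    ip = ipaddress.ip_address(ip)
    if ip.version != 4:
        raise ValueError("this helper handles IPv4 only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def classify_dnsbl_answer(answer):
    """Map a ZEN A-record answer to the sub-list it came from (Spamhaus return codes)."""
    last = int(answer.rsplit(".", 1)[1])
    if last in (2, 3):
        return "SBL"           # Spamhaus Block List
    if 4 <= last <= 7:
        return "XBL"           # Exploits Block List, which carries the CBL data
    if last in (10, 11):
        return "PBL"           # Policy Block List (end-user address space)
    return "unknown"


if __name__ == "__main__":
    for org, n in sorted(count_listings_by_org(SAMPLE_CBL_EXPORT, SAMPLE_ALLOCATIONS).items()):
        print(f"{org}: {n}")
    print(dnsbl_query_name("192.0.2.10"))
```

Two things the aggregate deliberately does not tell you, matching the caveat in the post: whether any listed host can reach a control network, and whether the listing is still current, since DNSBL entries age out after the spam stops. To check a single address today you would resolve the name `dnsbl_query_name` returns and feed the answer to `classify_dnsbl_answer`; an NXDOMAIN means the address is not listed.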

Regarding the fact that terrorist organizations are using U.S.-based Web hosting companies to blast their messages of hate and destruction to the world, this also is nothing new. In March 2008, I wrote a piece about groups such as Hezbollah, Islamic Jihad, and the Al-Aqsa Martyrs Brigade that were using our nation's infrastructure.

Got a comment about these articles, or a question about anything tech, security or privacy related? Please consider dropping your question in the queue in advance of our Security Fix Live online chat tomorrow at 11 a.m. ET. See you then and there.

By Brian Krebs  |  April 9, 2009; 3:34 PM ET
Categories:  From the Bunker  | Tags: cyber terrorism, eqaeda, power grid hack, taliban  

Comments

I wonder if these guys, who were quoted in the page A4 article, have bot programs running on their systems?

North American Electric Reliability Corp.

Wouldn't that be a hoot! Now that would be a story!

Posted by: pmorlan1 | April 9, 2009 7:01 PM

By the way I forgot to say that I think these scare stories are running again because the Senate will soon be debating a massive cybersecurity bill that Rockefeller & Snowe have been putting together. They have to have a fearful public in order to get away with all of the privacy violations they want to include in their legislation. I hope you will be following that debate closely.

Posted by: pmorlan1 | April 9, 2009 7:04 PM

I have a question about email. If someone just has your email address is that enough information for them to be able to do something to your computer? I didn't think so but I'm no expert.

Posted by: pmorlan1 | April 9, 2009 7:06 PM

pmorlan1: yes and no. With only your e-mail address, the only thing most attackers can do is send you a malicious e-mail that either has an executable in it that will compromise your computer, or has a link to a web site that will infect you, or (more unlikely) has a link to an image on one of their servers so that they can figure out exactly where you are when you fetch the image. If and only if you're savvy about NEVER executing any unsafe attachments that you receive via e-mail, NEVER clicking any links in e-mail unless you're positive it's a legit e-mail, and NEVER viewing images in HTML-formatted e-mail you receive unless again you're positive it's legit, then there's little the run-of-the-mill hacker can do to you. However, 99%+ of users are not savvy enough to do all of the above (it's not uncommon for attackers to forge an e-mail that really looks like it came from a colleague/friend, complete with very convincing subject and text based on information about you they looked up on the web), so yes, as a practical matter, you can get hacked if the attacker knows only your e-mail address.

In addition, if the hacker is well funded (e.g. government or Russian mafia) and wants YOU bad enough, then they will just "ask" (either legally, or via a corrupt insider, or via hacking) your ISP for your current IP address based on your e-mail, and then all bets are off; if you think that someone powerful wants you that badly, you should be in hiding somewhere :)

Bottom line: if you're on the Internet, your computer is only secure if no one is targeting YOU specifically. Once a smart hacker is after YOU (and not just the easiest random target they can find), you're probably toast if they want you bad enough.

Posted by: DupontJay | April 9, 2009 10:11 PM

But to get back on topic: as a previous poster said, this just smells like a PR campaign to get us all to accept huge privacy violations in the name of "security." Specifically, the US Government is probably salivating at the prospect of passing the same kind of laws that have recently been put in place in the European Union, where ISPs must retain identifying information about all internet connections for 12 months, and provide that information to national/local governments upon request (not a warrant or anything, just a request).

No doubt the scare tactics will work as planned. After all, the Founding Fathers never intended the 4th Amendment to apply to the Internet, did they?

Heck, if they'd known that one day there would exist terrorists and pedophiles, then I doubt the Founding Fathers would have written the Bill of Rights at all :)

Posted by: DupontJay | April 9, 2009 10:20 PM

As far as "scare tactics:"

If you're not concerned, you're not paying attention. BTK didn't make up the list of compromised IP's, and it would have been no surprise if he'd found some computers belonging to the Department of Defense on the list today, as they show up sometimes, too.

And the risk to the power grid is just one sector of our infrastructure and economy at risk. If the nine million bots currently infected with Conficker, now showing signs of alliance with the thousands infected with Waledac, all decided to DDoS banks, how many US banks would be out of commission simultaneously? Entire governments have been taken down by far fewer machines.

The problem isn't new, though it's grown to the point where it's harder to ignore. There is an open letter at InboxRevenge.com to FTC Chairman Jon Leibowitz regarding the threat to national security, as well as the fact that was pointed out well here: Spammers, using botnets to mail spam and host spamvertised sites, leave behind a mountain of evidence that can be used to address those threats. The entire letter is at http://ksforum.inboxrevenge.com/viewtopic.php?f=9&t=2574

Posted by: AlphaCentauri | April 9, 2009 11:07 PM

The way to protect rights is to be proactive - keep in contact with your elected representatives, donate to the ACLU, write op-eds and letters to newspapers. Sticking your head in the sand and denouncing reports of security concerns as "scare tactics" will do nothing to protect the rights of law-abiding citizens or to help bolster our national security interests.
This is an article about specific, recognized threats. If any of the "scare tactics" posters know of specific threats to civil liberties associated with these security threats, then by all means enumerate them here. Otherwise, you are the ones practicing "scare tactics".

Posted by: lostinthemiddle | April 10, 2009 8:43 AM

Ummmm. Let's see... which would I prefer, a slight imposition on my privacy, or a continuing tsunami of "manhood enhancement" spam, or even a batch of hateful badware designed to destroy me? Let's see, let's see. I guess I go with a slight breach of my privacy, of which there is little darn left anyway these days. Anyone read "The Numerati" by Stephen Baker?

Posted by: peterpallesen | April 10, 2009 10:03 AM

I don't see it as either/or.

Our privacy is being massively invaded by all the malware being distributed. No matter how well we protect our own computers -- and admittedly, 100% security is impossible -- we have no control over the computers of all the businesses, financial institutions and government agencies which have legitimate reasons to store the data.

Part of the reason this is so prevalent is that the criminals can operate quite openly without so much as being inconvenienced by anyone trying to stop their abuse of internet resources.

If you try to report a domain being used for criminal activity, half the time you get responses like "we will only respond to a subpoena from law enforcement." If the only thing that gets action is government involvement, then don't complain the government is intruding.

There's no reason responsible internet companies can't educate their employees to police a lot of this activity themselves. It shouldn't require a court order for them to understand that anyone distributing malware isn't going to register his domain using his real name, and therefore he is in violation of their registration agreement.

Many companies have already become proactive at shutting down criminals, and the scammers avoid them, undoubtedly saving those companies a lot of hassle from credit card chargebacks.

Posted by: AlphaCentauri | April 10, 2009 10:52 AM

My goal is to help industry stakeholders, government regulators, and the public better understand and address the mounting information security threats inherent in the current financial crisis.

My concern is centered around the failure of organizations to adequately protect regulated systems and data. Our current focus is on the exposure of private info and sensitive systems during the financial meltdown, including identity theft, privacy breach, info stolen, credit card fraud, and other enormous liabilities.

In addition to the obvious threat to market stability, the financial debacle has the added element of national and global security concerns. We believe we are among the very first working to highlight this national security problem.

I believe this is the next national security, shareholder derivative, D&O liability, regulatory, consumer product safety, and class-action issue.

http://information-security-resources.com/

Posted by: anthonymfreed | April 10, 2009 12:17 PM

I'm not sure if the article alleging Chinese and Russian attempts to penetrate the U.S.'s electrical grid is connected to S.773 (Rockefeller's bill to give the president the authority to "shut down" the internet, as if that were actually possible), but it does have that element of hysteria. Sort of like Judith Miller and Iraq's weapons of mass destruction.
You have to read the Wall Street Journal article carefully. How do they know it's the Chinese and the Russians? Well, who else *could* it be? That's the level of analysis. Then they point to an incident in Australia, where a disgruntled employee caused a city's sewage treatment system to run in reverse (sort of). So we mix inside jobs with outside attacks.
Here in New England, National Grid has leased use of its rights of way to Lightower, a fiber optic company. That's how National Grid controls its electrical substations and generators, with a direct, point-to-point fiber optic hookup. Virtually untappable via the internet (but physically breakable, cf. San Diego).
The power companies may have internet-connected desktops and laptops, but they're separate from the computers that control the power grid. But don't take my word for it--ask someone from the power companies listed in today's article.
The takeaway from the addresses listed on Spamhaus is that Conway should think about firing their IT staff for incompetence. But it still doesn't mean that their power control systems are compromised.

Posted by: skoper1 | April 10, 2009 5:29 PM

It would be interesting to find out if those utility computers have Chinese software in them? I would think it would be possible to engineer a back door in each piece!

Posted by: asclepious2 | April 14, 2009 1:54 PM

© 2010 The Washington Post Company