Monday, March 23, 2009

Unauthorized changes

Unauthorized changes are a symptom of bad security, not a cause. Something that shouldn't change does - there's a ghost in the machine, and that means a bad day for the security guy.

The TJX incident where millions of credit cards were exposed is a good example: a server somewhere at TJX all of a sudden got a new bit of software running on it. 50 million cards later, someone fixed it.

Now there's news about the "smart" power that's going to come to your house over the next few years - the one where the power company can remotely configure things, to maximize efficiency and "help the environment." Seems that these devices are vulnerable to Bad Guys who can turn your power off:
Is it really so smart to forge ahead with the high technology, digitally based electricity distribution and transmission system known as the "Smart Grid"? Tests have shown that a hacker can break into the system, and cybersecurity experts said a massive blackout could result.
Other than that, it's an awesome system. And people are in a hurry:
The Smart Grid will use automated meters, two-way communications and advanced sensors to improve electricity efficiency and reliability. The nation's utilities have embraced the concept and are installing millions of automated meters on homes across the country, the first phase in Smart Grid's deployment. President Obama has championed Smart Grid, and the recent stimulus bill allocated $4.5 billion for the high-tech program.
Once the Bad Guys are done shutting off your power, you'll get an idea what Change can look like. But your problems will be minor compared to the power company's:
Experts said that once in the system, a hacker could gain control of thousands, even millions, of meters and shut them off simultaneously. A hacker also might be able to dramatically increase or decrease the demand for power, disrupting the load balance on the local power grid and causing a blackout. These experts said such a localized power outage would cascade to other parts of the grid, expanding the blackout. No one knows how big it could get.
Let's see: millions of angry customers, a damaged electrical power grid that would take weeks to repair, the country paralyzed by (possibly foreign) adversaries.

Lord save us all.

UPDATE 23 March 2009 08:30: More at Slashdot, especially this:
The problem that could arise from a large number of Smart Grid computers being pwned is if a worm triggered them off at exactly the same time, this is called a "load rejection" event. It would cause oscillations in the power flow which could end in a blackout but, generally, load rejection is not as bad as generation rejection, which happens when a power plant is cut off.
One way to deal with this vulnerability is to make the power companies and device manufacturers liable for damage in the event of unauthorized use. Actually, that would just keep the technology from being deployed, since nobody can ever guarantee there will be no unauthorized use. However, that might be an improvement over what we'll very likely get. And this really gets to the heart of the stupidity around things:

Let me get this straight. Pennell wants the bug to be kept undisclosed because it will be too expensive for the utilities to fix. Yet, someone who's clever, maybe those folks who hacked into the grids in other countries, may do it to the utilities here in the US; which will be vulnerable because the bug is "too expensive" to fix. Meaning, that the grid is vulnerable and subject to the damage that everyone is afraid might happen since the bugs exist. I guess if the bugs are kept secret, no one else is capable of discovering them because nobody is as smart as the researchers?

OooooooKaaaaay. Riiiiiiight.

Like you can keep something like this secret from the people who are most dangerous.


TOTWTYTR said...

Several years ago, when the web was new, someone talked about the perils and pitfalls of "Security by Obscurity". If it wasn't a good idea then, when hacking wasn't nearly as pervasive or sophisticated, can it possibly be a good idea now?

AnarchAngel said...

Yaknow, people are so focused on the C in CIA, they forget about the I and the A.

What good is the C without the I and the A?