Tuesday, June 22, 2021

Security Smorgasbord, vol. 13 no. 2

Here's a collection of security news I found interesting (and horrifying).

US nuclear weapon bunker security secrets spill from online flashcards since 2013

Details of some US nuclear missile bunkers in Europe, which contain live warheads, along with secret codewords used by guards to signal that they’re being threatened by enemies, were exposed for nearly a decade through online flashcards used for education, but which were left publicly available.

The astonishing security blunder was revealed by investigative journalism website Bellingcat, which described what it found after “simply searching online for terms publicly known to be associated with nuclear weapons.”

The flashcards “detail intricate security details and protocols such as the positions of cameras, the frequency of patrols around the vaults, secret duress words that signal when a guard is being threatened and the unique identifiers that a restricted area badge needs to have,” Bellingcat reported.

No doubt the education battalion was up to date on gender pronoun policy, though.

Food giant JBS Foods shuts down production after cyberattack

JBS Foods, a leading food company and the largest meat producer globally, had to shut down production at multiple sites worldwide following a cyberattack.

The incident impacted multiple JBS production facilities worldwide over the weekend, including those from the United States, Australia, and Canada.

JBS is currently the world's largest beef and poultry producer and the second-largest global pork producer, with operations in the United States, Australia, Canada, the United Kingdom, and more.

This story is a little old but underlines the importance of having food on hand for potentially extended emergencies.  Which leads us to the next item ...

How Cyber Safe is Your Drinking Water Supply?

(Spoiler alert: not very)

The Water Sector Coordinating Council surveyed roughly 600 employees of water and wastewater treatment facilities nationwide, and found 37.9 percent of utilities have identified all IT-networked assets, with an additional 21.7 percent working toward that goal.

The Council found when it comes to IT systems tied to “operational technology” (OT) — systems responsible for monitoring and controlling the industrial operation of these utilities and their safety features — just 30.5 percent had identified all OT-networked assets, with an additional 22.5 percent working to do so.

“Identifying IT and OT assets is a critical first step in improving cybersecurity,” the report concluded. “An organization cannot protect what it cannot see.”

It’s also hard to see threats you’re not looking for: 67.9 percent of water systems reported no IT security incidents in the last 12 months, a somewhat unlikely scenario.

Security in the water purification infrastructure isn't an afterthought - it hasn't been thought of at all.  You should have a plan for a week with no water, and you really should have a plan for two weeks with no water.  Err, and food.

The Army wants to be sure teleworkers aren’t letting smart devices in their home listen in on any government work.

In a May 25 memo, Army CIO Raj G. Iyer laid out mandatory procedures remote workers must use to mitigate leaks of official government information. They apply to all military components, civilian employees and contractors.

Effective immediately, the memo states, the remote work environment for all approved teleworkers must be free of internet-of-things devices. That includes more than 70 types of devices, from Bluetooth speakers, fitness trackers, smart kitchen appliances, TVs and gaming consoles and home security systems. The memo makes particular mention of personal home assistants – like Alexa and Siri – from Amazon, Google, Microsoft, Apple and others.

Well, yeah for sure.  Alexa, are you listening to secret nuclear missile training?

And here's some (rare) good news: City of Tulsa thwarts ransomware attack

Most residents of Tulsa are being prevented from paying their water bills after the city shut down its computer network as a security measure following an attempted ransomware attack, a city official said Friday.

The attempted breach was stopped before any personal data was accessed, city spokesman Carson Colvin said. Tulsa detected malware in its network May 6 and immediately started shutting it down to prevent hackers from accessing anything sensitive.

“It didn’t get far enough into the system to get personal data,” Colvin said.

The primary effect of the shutdown — which could last from several more days to about a month — is payment for city water services, either online or in person, because the city cannot process credit or debit cards with computers inoperable.

Residents will have five days after online payments are again possible to pay their bills without penalty, Colvin said.

The city said Thursday that police and fire responses continue, but issues such as uploading police body cameras are slowed because of the computer shutdown.

Mayor G.T. Bynum on Thursday said the hackers told the city to pay a ransom or else it would publicize that it had broken into the network, but Bynum said Tulsa didn’t pay and instead announced the breach on its own.

Well, mostly good news.  Well done, Tulsa.  Oh, and you know what also is great to have after a ransomware attack?  Good backups.


The Lab Manager said...

I'm baffled as to why some of these water and electric systems are not simply on a POTS network for communication. Or an independent radio network. It would seem some sort of physical security would be a first step to some of these critical systems. Granted, we can't do without real-time monitoring, but surely there are some cost-effective ways to secure things like water and electric.

I make it a point not to have Bluetooth/internet connected thermostat or anything else in my house. The DSL connection to the TV and computer is more than enough. Or a smart anything for that matter. And I'm an engineer, and can do without some technology.

Richard said...


Yeah, however did we deliver water and electric services before the web? Part of the problem is probably managers wanting to be cool but I also think it is labor issues. It takes more people to do this stuff more hands on and that costs money. While it lowers the costs of the service (at least until the data breach occurs), it also eliminates blue collar jobs that previously provided access to a middle class lifestyle. Not a good trade, in my opinion.

You didn't mention it but I am very wary of home security systems. I want one but they are (as near as I can tell) all a web application. Given their function, this strikes me as a bad idea.

Richard said...

Captcha gets ever more dysfunctional. The blurry picture of a truck partially hidden in the bushes was over the top. Isn't there some other system you can use?