General Discussion
Let's be clear, Russian malware code was found on a Vermont utility company laptop
Several states around the country on Saturday asked cybersecurity experts to re-examine state and utility networks after a Vermont utility's laptop was found to contain malware that U.S. officials say is linked to Russian hackers. The Burlington Electric Department, one of Vermont's two largest electric utilities, confirmed Friday it had found on one of its laptops the malware code used in Grizzly Steppe, the name the U.S. government has given to malicious cyber activity by Russian civilian and military intelligence services.
As a former network administrator I can tell you that anyone who has admin rights can easily access a password on a laptop to capture WIFI or network settings and then add the computer to any existing network. It's a pretty basic and simple thing to do for anyone with basic IT knowledge and access. So yes, finding a standalone company laptop at the site with code that has been identified as Russian software code is a VERY big deal! And to hammer away at an initial article by a major newspaper that then pulled back due to being labeled as FAKE NEWS! and who then reworded their title in response does not take away from the seriousness of the initial report.
http://www.dailykos.com/stories/2016/12/31/1616052/-Let-s-be-clear-Russian-malware-code-was-found-on-a-Vermont-utility-company-laptop
shraby
(21,946 posts)throughout the system in nothing flat.
It was an extremely serious event.
karynnj
(59,504 posts)My guess, and it is a guess, is that a utility would have two 100% separate networks. This comes from having worked in various analytical groups at Bell Labs and AT&T. There is no way that the network operations center, which controlled the network, was connected to any of the computers that were used for accounting, network planning, marketing or research etc.
The reason is simple. There is absolutely no way that anyone would have thought it useful to do so -- and many reasons to think it was a terrible idea.
I suspect that if this malware was used against the DNC as well and if it can be spread by email, that piece of email may be rather common if many DNC computers were contaminated. In fact, someone in liberal, Democratic Burlington may have downloaded something sent from the DNC using a laptop that he used working for Burlington Electric. NOTE : THIS IS COMPLETELY MADE UP, but as probable as the op. There are many companies where there is one and only one computer system - like the one this person who wrote the Daily Kos article was administrator on.
bettyellen
(47,209 posts)karynnj
(59,504 posts)a system with a very strict protocol -- and where email is severely constricted and certainly no personal email is allowed on any part of that system.
bettyellen
(47,209 posts)Could be used against any utility. I just watched a Herzog documentary on the net describing hackers' methods and it's really a combo of cons that allowed them to get into systems or have info sent to them. Using address books and emails you've read (for info you parlay to look like an insider) to pretend you spoke to someone else - like someone who is on vacation - and get others to email you, and then you get in. Strict procedures are needed.
karynnj
(59,504 posts)I do not know how the networks were set up at the electric company, but I do know how completely separate they were at another utility -- AT&T. I know that the network that controlled the network, could "speak" to switching machines and reroute calls over the network was completely separate from the various AT&T networks that were used for other purposes. This was true even in the 1990s.
I KNOW that hacking can occur easily. However, from all the statements from the Vermont authorities and the electric company, it sounds like they actually did have things set up right and the laptop affected was NOT on the system that governs the Grid. It sounds like they do have different systems that have no connection.
Yo_Mama_Been_Loggin
(108,035 posts)If a field technician used it to access their system remotely, then yes, it could affect the grid.
karynnj
(59,504 posts)I do not know if the statements are written to appear strong without being untrue OR if people are looking for loopholes in what was said. I think we will know at some point.
Hortensis
(58,785 posts)breach and plant malicious code in electrical grids across the nation. The question is, where and to what degree have they succeeded? This is merely the only utility that has publicly reported Russia's successful but mercifully partial breach of their security.
Cha
(297,322 posts)And, I don't know why some are trying to deny it.
Thank you for this, LaydeeBug
sarah FAILIN
(2,857 posts)He says it goes a lot further than 1 laptop. This link was shown to me by a deplorable trying to blame Obama, but I pointed out we had been getting hacked for years, all the way back to Palo Alto. I followed the story and it comes from other sources.
http://www.glitch.news/2015-09-22-russian-hackers-have-burrowed-into-critical-u-s-infrastructure-like-the-electric-power-grid-says-intelligence-director.html
karynnj
(59,504 posts)sarah FAILIN
(2,857 posts)If our DNI says we have had the issues for some time.
There are other sources covering the testimony he gave.
karynnj
(59,504 posts)A September quote is not speaking of something that was just learned in December.
In September, he could have been speaking of the DNC hack, the Sony attack, and maybe the stupid Podesta attack. There were many, many articles, including in technical journals. The Obama administration had actually hired many of the top people, who understood hacking because they were computer geniuses who used their skills to alert the government of potential problems.
Yet it seems that most government web sites and servers have been hacked - some by hostile governments and some likely because someone thought it would be fun to try.
This is not new, the Senate Commerce committee had hearings back in the 1990s that warned that it would be easy to take down the entire internet -- in less than an hour.
sarah FAILIN
(2,857 posts)I am saying I don't think it matters if they didn't know about this particular incident at that time. As of September, Russians hacking into the grid was already known. Whether this hacked laptop had anything to do with it is not on the table.
All this quibbling back and forth on the wording of the issues is pointless. The facts are that we are being hacked. Not being a united front against it, trying to keep blame from being directed at any certain victim, is giving the bad guys the advantage.
karynnj
(59,504 posts)1) Note that none of the direct quotes from Clapper say that the grid was compromised.
2) They cite a hearing -- did you consider going to the House site to see what Clapper actually said?
If you had, you would have found that these were the first 4 paragraphs that Clapper said in his prepared statement.
...and severity of impact. The ranges of cyber threat actors, methods of attack, targeted systems, and victims are also expanding. Overall, the unclassified information and communication technology (ICT) networks that support US Government, military, commercial, and social activities remain vulnerable to espionage and/or disruption. However, the likelihood of a catastrophic attack from any particular actor is remote at this time. Rather than a Cyber Armageddon scenario that debilitates the entire US infrastructure, we envision something different. We foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security.
Several nations, including Iran and North Korea, have undertaken offensive cyber operations against private sector targets to support their economic and foreign policy objectives, at times concurrent with political crises.
Risk. Despite ever-improving network defenses, the diverse possibilities available through remote hacking intrusion, supply chain operations to insert compromised hardware or software, actions by malicious insiders, and mistakes by system users will hold nearly all ICT networks and systems at risk for years to come. In short, the cyber threat cannot be eliminated; rather, cyber risk must be managed. Moreover, the risk calculus some private sector entities employ does not adequately account for foreign cyber threats or the systemic interdependencies between different critical infrastructure sectors.
Costs. We continue to witness an increase in the scale and scope of reporting on malicious cyber activity that can be measured by the amount of corporate data stolen or deleted, personally identifiable information compromised, or remediation costs incurred by US victims.
If you want to read the entire statement, here is the link to Clapper's statement - http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/clapperopening09102015.pdf
If you want to watch the entire hearing, it is online here - http://intelligence.house.gov/calendar/eventsingle.aspx?EventID=661
Have fun. I did not listen to the entire hearing because, had the electric power grid actually been compromised, I would assume that until the government knew that good fixes to prevent that from happening again, the information would have been in a CLOSED hearing. I would assume that the lack of direct quotes or the link above, rather than their own biased reporting, is because he did not say what they put in their headline.
BEWARE of Right Wing Sources - especially when you can get the actual primary source. The sentence I bolded in his first paragraph certainly differs from "the electric power grid was compromised."
sarah FAILIN
(2,857 posts)I thought they were quoting a different article and that source was supposed to be reputable.
karynnj
(59,504 posts)sarah FAILIN
(2,857 posts)We still need to look into these sites' sources some don't like. What they do is selectively combine different words that are true with other words that are true from another source... What results may or may not be totally factual, but even a broken clock is right twice a day. I still think there is some value in the sources. Without looking at these sources I wouldn't have found this about "Black Energy malware" from the DHS. I told the person that used it on me that we've been getting hacked for years, since Palo Alto.
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01B
Crash2Parties
(6,017 posts)and there is payload still sitting out there?
sarah FAILIN
(2,857 posts)pnwmom
(108,980 posts)to the network. All they clearly say is that they took steps to "isolate" it now.
pnwmom
(108,980 posts)HoneyBadger
(2,297 posts)The article is talking about admin rights to the network. Even if it is an administration laptop, it does not have admin rights. For instance, you probably have a company laptop, that connects to the company network, but you and your laptop do not have admin rights, because you are not the admin. In the same way that you do not have the rights to buy a new office building because you are not the CEO, even though you work in an office building.
TexasProgresive
(12,157 posts)uponit7771
(90,347 posts)... the LT user is admin OF the network.
The malware can spread easiER once on the network, admin rights or not
HoneyBadger
(2,297 posts)That is exactly the point of admin rights.
Removing admin rights mitigates 97% of critical Microsoft vulnerabilities
Annual "Patch Tuesday" report shows YoY growth of critical Microsoft vulnerabilities
97% of all critical security vulnerabilities reported by Microsoft can be mitigated by removing admin rights, according to new research from security software company, Avecto.
Avecto analyzed data from security bulletins issued by Microsoft throughout 2014, and found that the number of Microsoft vulnerabilities (242) with a critical severity rating increased 65% over the previous year. Furthermore, 80% of all Microsoft vulnerabilities - regardless of severity ranking - could be mitigated by removing admin rights.
The results also revealed that removing admin rights would mitigate 98% of critical vulnerabilities affecting Windows operating systems, 95% of critical vulnerabilities affecting Microsoft Office and 99.5% of vulnerabilities in Internet Explorer.
Microsoft bulletins are issued on the second Tuesday of each month, a date commonly known as Patch Tuesday, and provide solutions for known security issues.
User accounts with admin privileges are primary targets for exploit, as they provide unrestricted access to an endpoint, enabling malware to bury itself deep inside the operating system, cloak itself from detection and then spread more readily across the network. Employees with admin rights have the ability to install, modify and delete software and files. They can also change system settings, potentially introducing even more vulnerabilities.
"Our 2014 analysis highlights the continued benefits of stripping away admin rights," said Paul Kenyon, EVP of Avecto. "Time and time again, the removal of admin rights proves to be a simple and effective threat mitigation strategy - and yet many businesses are still overlooking this fundamental practice."
"There is a misconception that passive tools, like detection technologies, can provide adequate protection, and yet evidence clearly demonstrates that organizations can no longer afford to rely on reactive strategies to deal with the advanced nature of so many attacks."
Kenyon concluded: "Privilege Management is the first step that every organization should be taking to improve the security posture of all of their endpoints. It can mitigate the majority of advanced cyber-attacks, especially when layered with other proactive approaches, such as application control, patch management and sandboxing."
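The press release above argues that stripping admin rights from everyday accounts is the cheapest mitigation available. As an added example (not from the thread and not Avecto's code), here is a PowerShell audit that lists who actually holds local admin rights on an endpoint and flags anyone not on an approved list; the approved-list names are constructed placeholders:

```powershell
# Added example: audit local Administrators group membership on a Windows endpoint
# and report any account that is not on an approved list. The names in $Approved
# are hypothetical placeholders; replace them with your own.
$Approved = @('Administrator', 'CORP\Workstation Admins')

# Get-LocalGroupMember ships with the Microsoft.PowerShell.LocalAccounts module (PowerShell 5.1+).
$members = Get-LocalGroupMember -Group 'Administrators'

$findings = foreach ($m in $members) {
    # Name comes back as COMPUTER\user or DOMAIN\user; also keep the part after the backslash
    $short = ($m.Name -split '\\')[-1]
    $isApproved = ($Approved -contains $m.Name) -or ($Approved -contains $short)
    [pscustomobject]@{
        Account     = $m.Name
        ObjectClass = $m.ObjectClass      # User or Group
        Source      = $m.PrincipalSource  # Local, ActiveDirectory, MicrosoftAccount, ...
        Approved    = $isApproved
    }
}

$findings | Format-Table -AutoSize

# Exit non-zero when unexpected admins exist so the check can run from a scheduled job
# or endpoint-management tool and surface as a finding.
$unexpected = @($findings | Where-Object { -not $_.Approved })
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} unapproved local admin account(s): {1}" -f $unexpected.Count, ($unexpected.Account -join ', '))
    exit 1
}
Write-Output 'Local Administrators membership matches the approved list.'
```

Run it from a standard (non-elevated) prompt to confirm the reading works without admin rights; an ordinary user who appears in the output is exactly the condition the press release says to eliminate.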
uponit7771
(90,347 posts)... and that should be a fact that's not in dispute.
smirkymonkey
(63,221 posts)I think this was just a little experiment. What happens when major cities get shut down?
LaydeeBug
(10,291 posts)smirkymonkey
(63,221 posts)I was just thinking that if a tiny state like VT could be hacked then what is to stop them from shutting down major metropolitan areas.
marked50
(1,366 posts)Could this have been some attempt to disrupt Bernie Sanders Campaign by the Russians if needed?
karynnj
(59,504 posts)If there is any connection at all, it might be that someone opened a DNC email to their personal account and downloaded something affected by this malware. (Reports say it is the same malware - assuming this (unlike other claims) is true, this is a logical path.)
NightWatcher
(39,343 posts)but we did.
Let's connect the dots. They've hacked and infiltrated our power grid as well as our elections, installed a loser megalomaniac as President, and there's no telling what they've done that we might not know about yet.
AngryAmish
(25,704 posts)1. US arranging the looting of Russian assets to the Oligarchs.
2. Moving NATO into Eastern Europe. They truly believe in geopolitics as a field and fear the loss of strategic depth.
Eliot Rosewater
(31,112 posts)The same people will downplay every horrible thing Trump does, you just watch.
They exist here and everywhere.
bettyellen
(47,209 posts)Kingofalldems
(38,458 posts)Hortensis
(58,785 posts)already. We'll see how Breitbart, Infowars, etc., handle the news of new discoveries at other companies, but downplay will definitely be a technique.
"WASHINGTON POST STIRS FEAR AFTER FALSE REPORT OF POWER GRID HACK BY RUSSIA." and "MYSTERY: DID CNN AIR FOOTAGE FROM VIDEO GAME DURING RUSSIA HACK REPORT?
Did CNN really use footage from a video game?" Infowars, of course.
Swede
(33,257 posts)It spread throughout their systems.
LaydeeBug
(10,291 posts)Swede
(33,257 posts)How is it false equivalence? That is how this stuff spreads.
LaydeeBug
(10,291 posts)sarcasmo
(23,968 posts)Squinch
(50,955 posts)Scurrilous
(38,687 posts)HoneyBadger
(2,297 posts)Response to HoneyBadger (Reply #44)
LaydeeBug This message was self-deleted by its author.
AngryAmish
(25,704 posts)So we have to thank Putin every morning when the lights go on. Way to go, Trump!