Henry Dalziel | General Hacking Posts, Hacker Hotshots, Latest InfoSec News | April 26, 2013
Mr. Vice President, Mr. Speaker, Members of the Senate, and of the House of Representatives:
Yesterday, December 7th, 2014 – a date which will live in infamy — the United States of America was suddenly and deliberately attacked by cyber armies of [fill-in the blank hostile nation].
The United States was at peace with that nation and, at the solicitation of [fill-in the blank hostile nation], was still in conversation with its government and its government looking toward the maintenance of peace in the Internet.
OK, we have paraphrased the memorable speech given by Franklin D. Roosevelt at 12:30 p.m. on December 8, 1941, when the U.S. President stood before Congress and gave what is now known as his “Day of Infamy” or “Pearl Harbor” speech, but we imagine that if a Cyber Pearl Harbor happened today that is what President Obama would have said.
There has been much talk this year about an imminent Cyber Pearl Harbor – compounded by the discovery of a building in Shanghai, occupied by China’s military, which was the epicenter of cyber attacks on more than 150 companies. The confirmation of this hacking den generated a question: is the US prepared to defend itself against a nationally-sanctioned cyber threat?
Whether or not we are prepared to defend ourselves is open to debate, but one thing is for sure: we are are currently living in a Cyber War. Lets face it. Look at Stuxnet, DuQu and all her merry friends that have created mayhem on critical infrastructures in Iran and other sovereign nations. Israel is bombarded by cyber attacks – as is every nation. We had G Mark Hardy on our Information Security web show ‘Hacker Hotshots’ giving a presentation titled: “Hacking as an Act of War!”, in which we asked the question: “What are your predictions? Where are the future threats that really need to be focused on?” G Mark, (who has been providing information security expertise to the military for over 25 years) replied:
Big threats? Targets continue to be data systems – they continue to be attacked. Critical infrastructure that can be used to disable or disrupt target nations. Obviously, if you can blind the control networks then proceed to roll the tanks in as we saw in 2008, that’s going to be one particular factor. So there’s constantly going to be this low level, if you will, spying as well as the extraction of information from one company, or one country to another due to lack of cyber security.
And again the problem is if we spend a tremendous amount of money developing a particular product or capability, and then somebody else can build exact the same for zero R&D costs then you’re at a disadvantage right off the bat.
We at Concise Courses have a particular interest in this ever since we became actively involved in offering SCADA training and courses. Having researched the SCADA space it is immediately obvious just how screwed we are with our aging vulnerable SCADA systems. We had another excellent Hacker Hotshot event with Justin Searle titled: “Pentesting Smart Grid Web Apps” (who is a well-known SCADA Security Expert) in which he confirmed the urgency the US needs to place on firming up SCADA systems.
SCADA really came into the limelight (as did all security) in the aftermath of 9/11 – and the term “cyber terrorism” became common jargon within the security community. Key to this worry was the vulnerability of SCADA systems – systems which are used to monitor and control our water distribution systems, our oil and gas pipelines, electrical grids and transportation systems etc. Point is this: it seems that most SCADA systems are more or less susceptible to a cyber assault. The architecture of these systems has matured but there are still hundreds, if not thousands, of systems that are still weak and Internet facing. Hacking technologies evolve and the tools to deliver blows become more evident and prevalent. To demonstrate this we have a live demo May 21st titled: “Warning: Hackers Can Destroy Your Automation Plant (SCADA Malware Infection In 2 Simple Steps)” with Marcelo Branquinho, a SCADA security expert, who spoke at RSA 2013. In this live 15-minute demonstration you will see how easily a hacker can create a payload with Metasploit 4.0 and infect a SCADA supervision station using a USB stick. Yes, scary stuff…
Congressman Mike Rogers, R-Mich said something interesting and perhaps what should sum up this post, quote:
“There are two companies left in America, one is those companies that have been hacked and know it and two, the companies that have been hacked and don’t know it.”
Furthermore, in researching this post, we discovered that most US media leans towards a notion that that virtually all government agencies, military and think tanks have been infiltrated by cyberspies.
However not all agree on an imminent Cyber Pearl Harbor
Spy Chief James Robert Clapper, Jr. who is is a retired lieutenant general in the United States Air Force and is currently the Director of National Intelligence told a senate committee that there was little chance of a major cyberattack against critical infrastructure in the next two years.
DNI James Clapper firmed his comment by saying that cyber attackers lack the necessary skills and therefore the ability to override attacks on critical infrastructure. He also suggested that nation-states that might have the skills (China, Iran, North Korea and Russia) do not have a clear motive at this point. He did however acknowledge that destructive attacks were more likely to come from less-skilled, non-nation-state attackers who could cause damage on a smaller scale.
One thing is for sure though, that is that corporate theft has been occurring on a huge scale. As G Mark Hardy told us, it is estimated that the entire volume of the U.S. Library of Congress (equivalent information) is being stolen every year!
In any event, we hope that our Concise Courses SCADA training package coming this June 2013 will go someway to train security professionals to better defend our nation and mute any ‘day of infamy’ speech to be regurgitated by President Obama in the next few years.
What are your thoughts? Do you agree with us? Should we be scared, worried or concerned or is this all a bunch of stuff as Joe Biden would say?