Sunday, April 19, 2009

Espionage & Passwords

“Every one is a moon, and has a dark side which he never shows to anybody” - Mark Twain
Here is an unsettling story published in the Wall Street Journal, Electricity Grid in U.S. Penetrated By Spies.

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials. The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven't sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.
As a computer programmer I understand that hackers would try to break into our infrastructure systems. But what concerns me is that they succeeded and could leave behind sleeping programs waiting for activation. “Many of the intrusions were detected not by the companies in charge of the infrastructure but by U.S. intelligence agencies, officials said.”

The WSJ reports, “Intelligence officials worry about cyber attackers taking control of electrical facilities, a nuclear power plant or financial networks via the Internet.” I cannot for the life of me understand why a nuclear power plant should be accessible via the Internet. Perhaps workers want to push buttons from far away in case the plant starts to melt down? I’ve worked at several companies with restricted Internet access. At one, there was no access, period. At two others they used VPN (Virtual Private Networks) to restrict access. VPN uses a token that displays a new “random” number every minute. To log in I need my password and the current number on the token registered to me.

Sadly, in many secure systems the weakest link is the human element. At one of my internships, the top executives (with the most data access) hated to memorize long passwords and asked for an exception so they could use two-letter passwords. One hacker trick I’ve read about includes getting inside a company and then sitting down at computers where workers have left for lunch but left the PC logged on and connected to the company network. (Screen savers with passwords help protect against this.) Another clever hacker passed out a survey to workers asking for names of pets, children, spouse, etc. He then checked to see if any worker had used a family name as their password; very common, unfortunately. (A solution to this is requiring numbers and/or special symbols in the password.)

Now it would be nice to think espionage would never happen, but the WSJ describes two recent cases outside the US:
  • In 2000, a disgruntled employee rigged a computerized control system at a water-treatment plant in Australia, releasing more than 200,000 gallons of sewage into parks and rivers.
  • Last year the CIA told utility company representatives that a cyberattack had taken out power equipment in multiple regions outside the U.S. The outage was followed with extortion demands.
Bottom Line

Two points I’d like to emphasize here.
1. Water or electricity could fail at a moment’s notice with a hostile attack. Do you have backup water and a power generator or means to cook/light without electricity? ABC News did a follow-up story called What if Russia or China Cut Off Your Electricity? It goes through a typical day showing how pervasive electricity is...
  • Your alarm clock
  • Your laptop (when the battery dies) & wireless router
  • Your landline phone perhaps works, but not VOIP
  • Your hot water heater (if not gas)
  • Your gas oven (most have an electric starter instead of a pilot light)
  • Traffic lights
  • Gas station pumps
  • Frozen/refrigerated food at the grocery store
  • Cash Registers, Credit Cards
2. Always use a strong password. Studies have shown that longer is better. Password hackers are well aware of L33T, the trick of substituting letters with symbols like 9ary or G@ry for Gary. So don’t think you are safe with a short but clever password. One easy password method is to use the first letters from a favorite hymn, Bible verse, poem, etc. For example, “tbontbtitq” for “To be or not to be, that is the question” (but please choose something less obvious). You can strengthen this by creating a personal pattern where you always capitalize the same letters (say the 2nd and 3rd): “tBOntbtitq”.
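To illustrate this point, here is a small Python checker added as an example (not code from the original post). It undoes the common symbol-for-letter substitutions before a dictionary check, scores a password by length and character classes, and builds a password from the first letters of a phrase with a fixed capitalization pattern. The substitution map and the word list are constructed stand-ins for the rule sets and name lists a cracker would actually use.

```python
import math
import re

# Substitutions a cracking rule set would try, mirroring the "L33T" trick
# (9ary / G@ry for Gary). Constructed for this example.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "9": "g"})

# Tiny constructed stand-in for the pet/family-name and dictionary lists an
# attacker checks first (the "survey" trick described above).
COMMON_WORDS = {"gary", "password", "fluffy", "rover", "jennifer", "summer"}

def normalize_leet(password: str) -> str:
    """Undo symbol-for-letter substitutions and lower-case the result."""
    return password.translate(LEET_MAP).lower()

def looks_like_dictionary_word(password: str) -> bool:
    """True if the password, minus trailing digits and de-leeted, is a known word."""
    core = normalize_leet(re.sub(r"\d+$", "", password))
    return core in COMMON_WORDS

def guess_bits(password: str) -> float:
    """Rough brute-force estimate: log2(alphabet ** length), counting only the
    character classes actually present. Length dominates the result."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33)]
    alphabet = sum(size for pat, size in classes if re.search(pat, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def from_phrase(phrase: str, capitalize_positions=(1, 2)) -> str:
    """First letter of each word, then a fixed personal pattern: capitalize the
    letters at the given 0-based positions (default: the 2nd and 3rd)."""
    letters = [w[0] for w in re.findall(r"[A-Za-z]+", phrase)]
    return "".join(c.upper() if i in capitalize_positions else c.lower()
                   for i, c in enumerate(letters))

def assess(password: str) -> str:
    """Policy verdict: dictionary check first, then a minimum length score."""
    if looks_like_dictionary_word(password):
        return "weak: dictionary word with substitutions"
    return "ok" if guess_bits(password) >= 40 else "weak: too short"
```

Running assess on "G@ry" flags it as a disguised dictionary word, while the ten-letter "tBOntbtitq" built by from_phrase passes on length alone.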
