100 comments

[ 5.8 ms ] story [ 177 ms ] thread
I found that part much more .. interesting:

> As an example, Hypponen said he had recently spoken to a European aircraft maker that said it cleans the cockpits of its planes every week of malware designed for Android phones. The malware spread to the planes only because factory employees were charging their phones with the USB port in the cockpit.

What....? Seriously, wtf? Is it really that hard to provide outlets to charge your phone?
Or alternatively, how about WTF are you doing plugging your phone into this fucking cockpit? You're here to do your job and if you want to carry your phone around with you in the factory all day that's up to you, but plugging your phone into the fucking cockpit you're meant to be working on will result in demotions, suspensions and unemployment all round.

More politely put, I see no obligation on employers to provide employees with the means to recharge their personal phones :)

(comment deleted)
(comment deleted)
I see no obligation on employers to provide employees with the means to recharge their personal phones

What makes you so sure it isn't (also) their work phone? Lots of people I know don't have a personal phone and a work phone, they just have a phone.

> More politely put, I see no obligation on employers to provide employees with the means to recharge their personal phones :)

This is a classic "design a better human" problem - sure, you can try to 'persuade' people by threatening them with demotions, suspensions and unemployment. And then you can hope that this will work in every single instance. Or ... you can provide a few usb ports in a convenient location, so people use these instead of the usb port in your multi million dollar cockpit to charge their phones. Take your pick.

For another example decide if it's easier to provide waste bins or to threaten people who litter streets.

(comment deleted)
They were working in a cockpit factory. They had many other options for charging their phone in a USB socket, and they still chose to charge it by plugging it into the cockpit. Your solution, in this situation, already existed and people still plugged phones into the cockpit.

Why would they NOT do this, under your system? If I can plug my phone in right where I am, in the cockpit, or somewhere less convenient for me, why would I not just do it where I am, in the cockpit? There are no penalties for it, so why wouldn't I do it?

Following the what, 11 different plug standards commonly in use for power internationally? Or provide a USB port that every phone in the world can use, and is smaller and more efficient to boot. I know which I'd pick.
Anything installed in an aircraft is subject to a regulatory avalanche of paperwork, testing, and approvals.
The next sentence pretty much confirms my impression that this claim is almost certainly bullshit:

> Because the plane runs a different operating system, nothing would befall it. But it would pass the virus on to other devices that plugged into the charger.

That's just...not how computers work.

I could maybe understand it if it was a USB hub, and the phones all had a defect that meant rogue USB signals could infect them. So if 2 people plugged into the same hub at the same time, it could spread.

But if the claim is that the virus lie 'dormant' in the uninfectable plane OS, then I can't understand that.

USB devices cannot contact each other, only the master can communicate with the devices on the bus. It is a tree with one device at the root.
nice catch. can't help but think of Independence Day when Jeff Goldblum and Will Smith infect alien mothership with a mac virus from a 3.5 floppy which specifically disabled its protective shield. "will give it a cold"

Edit: corrected it's its

There's a deleted scene that explains that all of our computer technology has been covertly based on the results of the Area 51 research into the crashed ship. It makes that bit a little less silly.
If behind the USB port is some (writeable) data storage (for PDF manuals etc) this is quite possible.
Or some infectable USB controller is involved.
What on here is able to store malware? https://learn.adafruit.com/minty-boost/parts-list

If the USB chargers in cockpits are any more complex than the above, why?

They almost certainly aren't USB chargers. Probably USB ports for inserting thumb drives to update the navigational charts. These kinds of USB ports are [mis]used for charging phones all the time, and the phone can end up being mounted as a mass-storage device.

No idea how the rest of the exploit would work in this scenario though, I have a hard time believing it.

It's true that that scenario is not relevant, but the fact that there is a direct connection between the usb ports for charging stuff and the planes' computer is obviously a point of intrusion for attacks like Stuxnet.
Might be the case that the USB ports are for interacting with the plane's computers, and the charging being done by the pilots is against the rules.
I think the sentence "But it would pass the virus on to other devices that plugged into the charger." comes from the reporter, showing that he does not understand computers. It is plausible that malwares were copied without being executed.
A virus is something that copies itself. If something is copying a virus, it is infected.

So the virus would have to infect both android and the cockpit to spread from phone to cockpit to phone.

Not at all, that's like saying floppy disk viruses happened because both PCs and floppy disks were vulnerable. Just imagine the cockpit to be a floppy disk. You plug your phone in, and your infected phone puts a file in the cockpit. Then someone with a vulnerable phone plugs into the cockpit, reads the file and is infected.

Not saying that's how it happened, just that it's possible.

I think they mean "because the computers that fly the plane run a different OS than the computers that control the in-flight entertainment". The malware isn't going to cause the plane to crash, but it could still execute and spread itself via those little seat-back touch screens with their USB ports.
Bullshit, I've watched Independence Day. You can easily take down advanced alien warships with some objective-c.
See the recent BadUSB attack [1][2] for how this sort of attack can work; the firmware of the USB microcontroller itself can be infected.

[1] https://srlabs.de/badusb/ [2] http://www.wired.com/2014/07/usb-security/

Doesn't badusb have to pwn the host OS to propagate?
Nope, and reinstalling it wont help it..
Can work is irrelevant. And mostly wrong, since can is not do.

They claim it is happening.

Callback to 2008 :

Boeing's new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane's control systems, according to the U.S. Federal Aviation Administration.

The computer network in the Dreamliner's passenger compartment, designed to give passengers in-flight internet access, is connected to the plane's control, navigation and communication systems, an FAA report reveals.

Boeing spokeswoman Lori Gunter wouldn't go into detail about how Boeing is tackling the issue but says it is employing a combination of solutions that involves some physical separation of the networks, known as "air gaps," and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and didn't want to discuss in public.

"There are places where the networks are not touching, and there are places where they are," she said.

http://www.wired.com/2008/01/dreamliner-security/

http://cryptome.info/faa010208.htm

It'll be EADS - I've experienced their infosec first hand. Heavy on process and inquisatorial panels - yet they do stuff like emailing parts lists and schematics over the Internet, no protection.
Yeah, it's sad that so many people actually use USB ports at airports to charge their devices, without knowing what they are connecting their devices to. I don't expect them to know better, but all their data could be copied, stuff could be modified. Isn't there an adapter which limits the active lines to just what's needed to pass power, no data, or is charging without some data exchange impossible?
The data lines are used for signalling which charging speed the device supports. You can cut them, but then you get the lowest denominator charging specs, which is quite slow.
I wonder what scale of disaster will have to occur before information security is placed under the same legal and regulatory scrutiny as physical security?
I think it won't happen until everyone in society has good "computer literacy".
The number of people who have no idea how their car works, despite them being fairly ubiquitous for nearly 100 years makes be think that that will never happen. There will always be people who know only just enough about the technology around them to get by.
That's not a reasonable requirement, it's just that there is no consequence for people administrating (installing, maintaining) systems and the software writers. If fines were involved, how long do you guess would it take for people to stop writing in C or system integrator setting up random software. Critical systems may only use software written and certified years ago, not be constantly updated.
Developing and maintaining software with a sufficiently large focus on information security will almost certainly cost so much money, that people will reconsider whether the investment is worth it.

It probably takes several relatively large and frequent disasters not just to put the issue on the map politically but also to show that it's worth investing in information security besides the cost.

I think you're right, and I think it will have to take some obvious loss of life at least once.
No disaster necessary. NERC CIP regulations have been in place (and enforced) at electric utilities since 2007:

"In 2007, FERC designated NERC the ERO in accordance with Section 215 of the Federal Power Act, enacted by the Energy Policy Act of 2005. Upon FERC’s approval, NERC’s Reliability Standards became mandatory within the United States. These mandatory Reliability Standards include CIP standards 001 through 009, which address the security of cyber assets essential to the reliable operation of the electric grid."

Source: http://www.nerc.com/pa/CI/Comp/Pages/default.aspx

(Edit: clarification)

Possibly important to note the timing of this admission right on the heels of the announcement of our defense minister that she wants to build a 'cyber' division in the army with 13500 people working there. Thats almost 10% of our armed forces.

I could only find decent reporting about this in german: http://www.tagesspiegel.de/politik/plaene-der-verteidigungsm...

Here in Germany that only means that 13000 people print out reports for the minister, while 500 people look at screens. 10 of them program the stuff that happens on the screens.
You have that many Australians working in Germany?
I don't get the reference.
He just means that it's the same everywhere. In Australia, Germany, etc.
Classic joke: "Wow, that's a huge building. How many people work here?" - "Maybe half of them."
(comment deleted)
Yeah, totally agree. They also have aggressive print advertising everywhere (here in Munich) for this campaign.

I wonder if they can attract any real talent though? Only people I know willingly wanted to work for the Bundeswehr eiter did not have the grades to study elsewhere or went to Afghanistan for the money.

They have pamphlets that pretty much say "hey, you could earn more money and have better working conditions from a real employer but that would be boring right?". So I guess not.
That's the same as GCHQ say here in the UK, it seems every goverment is much the same!
I'm glad somebody joins them, though, or they would make up a law to legalize what drug cartels are doing with IT (and other) talent. Laws can be passed in parliament and be in use and need to go through trial at supreme court to be ruled invalid. I really wish passing laws was super had, super laborious, and took a very long time (at least 5 years). Then, the government, which needs to be reelected every 4 years, cannot pass all kinds of stupidity.
Hell, if they would accept foreigners like the US military does and provide a path to citizenship I'd be all over it.
Also just after the 30th anniversary of Chernobyl.
That program is completely misguided. You don't need thousands of "cyber soldiers", just a few good computer scientists, mathematicians and engineers. Because a system built from trusted and provably correct components (hardware and software) is infinitely better than a swiss cheese with dozens of people attempting to keep it from falling apart. And from that point on, you only need to teach soldiers to operate their equipment correctly.

The challenges of information technology w.r.t. warfare are fundamentally different from usual war tactics. You can't solve them by throwing lots of personel or big guns at them. If midst-fight your equipment or infrastructure fails because of security flaws, it's not because there's no personel to deal with it (for that it's already too late): it's because its designers failed at the drawing board.

It'd be better they concentrated on quality instead of quantity and the resignative "anything can be hacked" myth a lot of popular media is putting forward, as if information technology operated according to the same rules the physical battlefield does. These analogies only go so far...

(of course the same applies to non-military contexts as well)

You'd need a lot more for offensive operations.

And although the article says only a few of those thousands will be used for offensive ops, I suspect that many more will be.

I think you can make a better effort with more people; the critical thing is the quality of the people.

Of course there's a good chance more will be less valuable!

Yes, I was focussing more on the defensive aspect. In offense the situation may be different, but in that case, if your enemy is in large-scale possession of technology that would make it susceptible to this in the first place, bad things have happened...
As someone who works in security operations, there is absolutely a need for people. Yes, a small number of experts could, given enough time, produce some small amount of thoroughly secure components. But that's not the situation we're facing.

In real life, governments are some of the largest enterprises that exist, and use the same software and systems as everyone else. Complete replacement with provably correct systems is such a large task that it would never be completed, for just the same reasons as in private industry. The attack surface of a government ranges from sophisticated military hardware to mobile apps.

Deterring, detecting, and remediating security incidents is thus done the same way the private sector does it: testing, continuous monitoring, hunting, forensics, etc. All of these activities are person-hour intensive, and I don't think there's a security operations center in the world that wouldn't tell you right now that they are limited by the size of their staff.

That said, full-service security departments will include technical auditing and software security components, and I suspect the German government intends to include this. Of course, these functions are quite limited by being on the client end of the relationship, as I doubt the German government produces any more of its software in-house than the US government does (which is not very much).

These viruses are very serious and should be considered as a "near misses" in terms of critical power plant software malfunctioning.

After the US, Israel is #2 in Cyber security and is very dependent on Germany for military needs such as submarines and engines for their tanks. Since these nuclear power plants have nothing to do with national security directly, Germany should employ Israelis to help them if they have not already done so.

It's more alarming to me that, apparently, critical infrastructure in a nuclear plant is running old versions of Windows.
> It's more alarming to me that, apparently, critical infrastructure in a nuclear plant is running old versions of Windows

Don't worry, the most important parts are running on DOS or OS/2, so we're saved from doom!

"Nuclear is safe", they said.

I'd rather have my local solar power plant infected with viruses or hit by cyberattacks.

Modern nuclear reactor design is such that you cant cause a meltdown without violating the laws of physics.
Unfortunately most nuclear reactors aren't modern.
As far as I know there isn't even a single one of those designs which was successfully built somewhere yet (as in: Is able to generate more power than it uses).
The being able to generate more power than it uses is a problem for nuclear fusion reactors.

The problem with modern nuclear reactor designs is that they're just that, designs. Great ideas people in comment sections love to mentally masturbate about. In reality almost all nuclear reactors are decades old.

Politics alone ensure nuclear reactors with the exception of maybe fusion (which will be way too late for climate change) will never get off the ground. In the meantime renewables, solar especially, get cheaper and more efficient every day, not designs but actual installations.

I wouldn't be so sure - you know the joke about fool proof designs and nature inventing bigger fools ;).

Few years ago, Westinghouse tried to kick out Rosatom from VVER power plants in Eastern Europe as a supplier of the fuel. They pulled very heavy levers to do that, but in the end, they were still refused due to their pellets not being up to the task and being a security hazard.

And yet they still try that in Ukraine...

you can melt down any reactor. Perhaps you mean it can't create a nuclear explosion? in that you are right.
Not quite. Doom installs just fine on DOS. It's just one of the games I would install...
There are Windows computers in there. They are not connected to any outside network "to be safe". Therefore they are protected, even protected from updates. Software that runs on them is validated for that specific OS version with a specific state of updates applied.

Regulations say you can't just ran any random device (including software) there, that's unsafe.

Unfortunately regulations weren't being made with PCs in mind where anybody can plug in an infected USB stick. Or needs to in case he's a service technician. (Yes, those ports are not available for "anybody" who is there, but somebody needs to install software on those machines).

There are things I have seen I wish I could unsee to feel safe.

They shouldn't be using Windows at all. Whoever had that idea should be thrown in jail for attempted mass murder. Keeping Windows off a network doesn't make it safe: Stuxnet proved that.

Windows has no business being used in any application that is life or safety critical. Its license even says so. Doing so should be a crime. There are much better OSes out there for this kind of thing: just ask anyone who builds jet aircraft.

Don't worry. There are still PDP-11 controlled nuclear power plants out there with custom software built in the 70s. Hope you feel better now!?
Let's just say it's not new.

Operators mostly watch the plant during the weekend while the engineers are not there. It is a security job: check if something turns red and pick up the phone if it goes bonkers. The operator has a limited access to the core process. Boring, and they get busy by going to the Internet and downloading random stuff. And yes they do have access to the Internet...

Remember saw a job ads for PDP11 programmer to work on Nuclear power related project a few months ago.

One thing for sure: you can't infect a PDP11 system with Windows or Dos Virus, nor can one plug in an USB.

I wonder if the new hire raises eyebrows constantly talking about "core memory", "dumping core", etc.
We have to be more concerned about the things that are not reported. And why is it even technically possible to infect the control system of a power plant at all, or was this just a virus in some auxilliary sytem like, say, the machines only connected to another network, totally decoupled from the control system? Without details, this is just fear mongering on the heels of recent media outbreak regarding Belgian reactors.
The article said the virus was on "a computer system retrofitted in 2008 with data visualization software associated with equipment for moving nuclear fuel rods".

Control systems generally have two components; the actual controllers that interface with the machine or equipment and then an HMI for the operator to interface with the controller (ignoring completely hard wired systems consisting of lights, buttons, chart recorders, etc). The majority of the HMI software runs on windows.

Once an attacker is on the HMI system they can probably easily do anything the operator can do, and possibly have full access to the controller and make things happen that Should Never Happen.

What am I even reading?

A nuclear power plant has computers on its airgapped network infected with a computer virus from 8 years ago for an operating system which expired from support two years ago.

At least the nuclear power plant near me runs on a PDP-11.

Virus claims german nuclear power plant run down by underfunded operators. "Cant spread, if you are all on old breaking down hardware on outdated systems that nobody bothers to update." says virus.