42 comments

[ 4.4 ms ] story [ 108 ms ] thread
> They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals.

Why are passenger trains loaded with lethal chemicals in the first place?

Due to the recession, the train companies have taken to making money on the side by turning every fourth carriage into a traveling meth lab.
This comment reminds me of an awesome episode of Breaking Bad in season 5, I won't ruin it but those who've seen it will know what I'm talking about. Are these passenger trains carrying Methylamine by any chance?
Even worse! They could derail passenger trains loaded with lethal chemicals and nuclear weapons!
And lions and tigers and bears! Oh my!
And, these nuclear weapon chemistry lab trains could derail ONTO CHILDREN. Won't somebody please think of the children?

(And BTW, trains derail even without evil cyber hacker criminals. First YouTube result: http://www.youtube.com/watch?v=xCbOUgr_r-E)

Saddam did it first with his mobile rail-based chemical weapons labs.
I always knew Rails was evil!
No, it's the chemicals that make it evil. Organic rails are good for you.
Mock him if you must.

Panetta raises the issue that a combination of attacks could cause loss of life and a new sense of vulnerability among the public. (From the article: "...would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.")

The last time the public had that sudden sense of vulnerability, on 9/11 of course, there was a tremendous and partly counterproductive reaction that we're still dealing with.

It could be smarter to put in place laws to force private companies to report cyberattacks, so the government can understand the scope of the problem, than to pay for the reactive spasms that would follow a successful attack.

The last time the public had that sudden sense of vulnerability, the government did everything in their power to stoke those anaphylactic fires. Panetta wants more money, pure and simple, and he knows that fear of the unknown is the best way to get sound bites and the Congressional ear.

They don't want smart - otherwise we'd already be doing the smart thing.

"government ... stoked": yes, I agree. It's a shame.

I think Panetta partly wants money, but even more, wants laws changed so that privately-operated infrastructure has to have certain security provisions. His agency can't compel it without a law.

History has shown that market forces are not always sufficient to guard against catastrophic events.

He Can always testify before congress...No? Every political fundraising memo is form of "Guy X warns of Doom...Act Now...send your $$$" Where was he for Bhengazi?
>partly counterproductive

Partly? We've managed to destroy two countries, waste billions of dollars, lose essential human rights and fall into a recession. What part of that was productive, exactly?

“I’m not sure they’re going to volunteer if they don’t feel that they’re protected legally in terms of sharing information. So our hope is that ultimately we can get Congress to adopt that kind of legislation,”

Translation: Before we loot their databases, we have to reassure them that they are not liable.

The money wasted on these pork bills and civil rights violations that will probably pass with flying colors regardless of who wins the election could be better spent buying every 0day for sale. Imagine a few billion in a fund just for buying zero days for sale and forcing the companies with the vulnerable product to tell its customers that it had vulnerabilities and that they've now been patched. Heck, tax companies that write insecure software more.

Instead, we'll see some federal guidelines that do nothing but enrich connected defense IT contractors milking the endless cow of defense spending.

I wish that every headline of this type had windows in parentheses ... "Panetta Warns of Dire Threat of (Windows) Cyberattack on U.S."

How many years ago were we up on that stage at defcon while bo2k was demoed ? And 12 years later nation states (Iran) are getting owned by the same old autorun.inf.

Humans are still humans. Software security can increase but people are still weak and convenience versus security is a common trade off.
What the hell is a "defensive" "cyberweapon"? Are we going to shoot down an incoming SSH session? Poison a compromised SSL session? Like screaming aircraft in space, these people have no idea what cyber warfare looks like.

How do they expect to defend against it?

I'd use honeypots. Or maybe write viruses designed to infect and nullify IRC sessions. Or write viruses which install software updates and patches.

Wait, no. I'd call tptacek.

How do they expect to defend against it?

I'd start with good design and engineering with due diligence, multiple redundancy, identification and delinking of potential failure points and well trained and equipped emergency response teams.

But they'll probably just hire lots of goons and get them to sit on facebook and stalk the insane.

He admitted he is pushing a bill, and in all probability, there is a defense company that is selling some network monitoring, firewall-ing, or anti-virus software has probably asked for his "help" and is "sponsoring" both him and the bill
If you look closely at what they are proposing, the new bills and the new budgets almost always go into "offensive cyber capabilities" not defensive ones. So while they keep the fearmongering about cyber attacks, all they are doing is building better weapons to attack others themselves, and has nothing to do with protection, which also creates a loop where if the US does get attack because the networks are not protected, they get to demand for even more funding, and continue the cycle.
Exactly. This is a ploy to spend money building our offensive weapons. Pork for a campaign contributor, sharp sticks for the intelligence agencies.
Good network monitoring, clever firewalls, that kind of thing. "Cyberweapon" is a bandwagon, of course, but there are devices and services that you can buy that do tend to make networks more secure, and having more of those is not a bad thing.

My employer sells a device that permits one-way connections only: http://www.fox-it.com/en/products/datadiode/. The "one-way" part is trivial, of course - the clever part is in making standard protocols work over such a link.

I think we can safely assume that these bureaucrats know nothing at all about Cyber-anything. I don't think we even need to ask where this statement ultimately leads. It leads to a total loss of internet anonymity. It may take a generation for that to be a given, but that's clearly the goal. That goal provides about as much value to the nation as the "war on terror." The end of the cold war sure left quite a vacuum. It took about a decade to find something to take its place.
Well then take those systems off the internet. Problem 100% solved.

Why the heck are they on the internet in the first place?

unfortunately i think 100% is quite an overstatement. (given that we're talking about people dying, and all).
i'm sorry. the downvotes would suggest when your network is not connected to the internet you are invulnerable to cyber attacks? lol
Now taking them off the internet is not going to sell overpriced, over-engineered, ineffective products designed to "fix" these "issues" ;-)

If Panetta is talking about specific "cyber-defense" capability, L3, or Lockheed (etc.) probably already have a product in the making and fulfills some of these requirements. They just need the law to be passed and the purchase order signed.

I get your point but, while offline you could still get infected via physical media USB, CD, FLOPPY.

What I'm trying to say is that if a nuclear facility got hit and their machines where offline (from the internet) its still possibly to infect the rails using the Stuxnet attack vector.

But yes the claims are sensationalist, a better solution would be to increase security protocols and make standards out of those and have companies follow those in a more strict way.

Modern witch doctor has things he wants.
I have a genius plan to protect computers and networks from cyber attacks, I plan on selling it to the Government I really think it's a good idea. My asking price will be at least $1.2 billion for a minimum 10 year contract, but I'd be willing to negotiate a little bit to stay competitive with competitors like Lockheed.

1) Disconnect any computer from the Internet that controls anything that can be compromised.

2) Keep the computers disconnected.

BAM! no Internet connection, no cyber-security threat. Now if you'll excuse me, I'm just going to fire up my Ubuntu terminal and derail a passenger train full of chemicals whilst simultaneously breaking down a dam wall in another terminal window.

Seriously though, I think we're all doomed if dams, nuclear reactors, airports and passenger train networks are as accessible from the Internet as Panetta says they are in the first place...

I wonder if autonomous Internet surveillance understands sarcasm. You're probably on some watch list now, sad as that may be.
I thought the exact same thing as you after posting and re-reading my comment. If they come after me, I guess I'll have to open up another terminal window and hack into their car computer system and make them drive in the wrong direction, after I hack all traffic lights to slow them down of course ;)
Unfortunately, it's not that simple. Stuxnet showed us that offline networks can be attacked and have real-world consequences (e.g., exploding enrichment plants).

Almost all of our critical infrastructure is offline, and many of our infrastructure companies air-gap their critical networks. Yet we are all still vulnerable simply because we are using computers.

Good thing we didn't provoke Iran by attacking with cyber-warfare.
I have a friend who works for Saudi Aramco. They tried to play down the effects of the attack, but they had to replace 30,000 hard drives. My friend's work for the past year was wiped out. The only people who were saved were those who made local back-ups on USB drives which were not connected. In most large companies, there are strict rules about connecting personal hard drives to the company's network, but in this case, those who violated the rules were able to survive the attack best. Back-ups were compromised as well. It is not clear why Aramco did not have back-ups which were offline and accessible.
Probably spoken for the law makers.
Since when is it ok for a US official to talk about China and Russia as "adversaries"?
This article appears to expose a serious violation against the International Olympic Committed by the inappropriate use of "Olympic Games".

While it is possible that a proper license was obtained, it seems extremely unlikely that the IOC would permit there trademark to be used for an operation instigating a terrorist attack against one of its members countries and I am currently unaware of the IOC adopting hacking as a completive sport.

The article states "Mr. Obama ordered sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment plants, according to participants in the program. He decided to accelerate the attacks, which were begun in the Bush administration and code-named Olympic Games,"