David Kirkpatrick

August 27, 2010

US military hacked in 2008

Hacked by a compromised USB thumb drive. Just goes to show you can worry all day about technical threats and software backdoors and plain old network hacking, but all those assets out in the wild — people’s heads with sensitive passwords, unattended laptops, USB drives, et al. — can be hard to lock down and are usually the easiest way into a network.

From the link:

It was a USB drive loaded with malware.

That’s how U.S. defense networks were compromised in 2008, according to U.S. Deputy Defense Secretary William Lynn, who today offered the first official confirmation of a data breach that led to restrictions on the use of removable USB drives in the military.

In an article written for Foreign Affairs magazine, Lynn said the breach occurred when a single USB drive containing malicious code was inserted into a laptop computer at a U.S. base in the Middle East. The malware, placed on the drive by a foreign intelligence agency, was uploaded to a network run by the U.S. Central Command.

The malware then spread — undetected — on both classified and unclassified systems, essentially establishing a “digital beachhead” from which data could be transferred to servers outside the U.S. “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” Lynn wrote.

Here’s additional coverage of this story.

Update 8/30/10: And even more coverage. Looks like the actual threat was very low-level and involved the W32.SillyFDC worm.

August 2, 2010

“Smart grid” electric meters and hackers

Food for uneasy thought.

I have a smart grid meter on my house. At the time it was installed I liked the idea because they more easily allow you to sell electricity back to the grid, you know, like if you have a solar array on your roof and produce more than you use (if you read this blog often at all you know I’m very interested in solar and I’d love to have an array on my sun-drenched roof right now). This news gives me quite a bit of pause on smart grid meters.

From the link:

The hurried deployment of smart-grid technology could leave critical infrastructure and private homes vulnerable to hackers. Security experts at the Black Hat conference in Las Vegas last week warned that smart-grid hardware and software lacks the necessary safeguards to protect against meddling.

Utilities are being encouraged to install this smart-grid technology (network-connected devices to help intelligently monitor and manage power usage) through funding from the U.S. government’s 2009 stimulus package. The smart systems could save energy and automatically adjust usage within homes and businesses. Customers might, for example, agree to let a utility remotely turn off their air conditioners at times of peak use in exchange for a discount.

But to receive the stimulus money, utilities will have to install new devices across their entire customer base quickly. Security experts say that this could lead to problems down the road: as-yet-unknown vulnerabilities in hardware and software could open up new ways for attackers to manipulate equipment and take control of the energy supply.

Smart enough? This image shows the interior of a smart grid meter tested by Mike Davis of IOActive.
Credit: Mike Davis