Old 06-03-2021, 10:30 AM
 
17,530 posts, read 12,517,029 times
Reputation: 17433


Yes, much of "hacking" is actually just getting people on the inside to do dumb things. Often over the phone.
If you've got the budget of the DoD you could do something like their NIPRNet, SIPRNet, and JWICS. But those also get breached...by well-meaning people in trusted positions.

There's no putting the genie back in the bottle. Companies need to invest more in security.

Last edited by notnamed; 06-03-2021 at 10:45 AM..

 
Old 06-03-2021, 11:02 AM
 
Location: Itinerant
8,278 posts, read 6,322,489 times
Reputation: 6681
Quote:
Originally Posted by MattCW View Post
There is a huge difference between having to physically infiltrate a system, defeating whatever physical security measures are in place, then hacking the hardware, then making a clean getaway, and a few Russian script kiddies hiding in Putin's basement hitting "run" on a script they downloaded off the dark web.
The only difference is you need to leave your chair.

How do you secure 5,500 miles of pipeline? You'd need armed guards every 1/4 mile to prevent physical access. If you use CCTV you're going to lose access and see a loop, even with guards, someone can just pay a hooker to go offer a BJ and slip in while they're occupied.

Your ignorance is duly noted. Those Russian "script kiddies" are the people who dropped those files on the web. Or maybe the NSA, who lost their surveillance suite down the plughole.

Quote:
Originally Posted by MattCW View Post
So why not disable USB ports for non human interface devices? Or just physically lock the USB ports with a key kept by IT? At my job, we have no need to use flash drives for anything. I've never tried plugging one in (I'm a programmer, cybersecurity is second nature to me) but I certainly wouldn't mind if the ones on our workstations were disabled for all but keyboards and mice (which could also be hiding flash drives, but there really is a limit to how far you can go).
Because to transfer a couple of Gb of data without network or USB would take a month manually typing, or 30 people a day.

Clearly you're overestimating your abilities, to the point it's quite hilarious.
__________________
My mod posts will always be in red.
 
Old 06-03-2021, 11:54 AM
 
1,927 posts, read 1,922,060 times
Reputation: 4761
One reason it took a decade to find Bin Laden is because he was offline. He'd work on his computer, then place his latest video or text onto a flash drive. His couriers would then drive hundreds of miles to varying internet cafes to upload the video.
 
Old 06-04-2021, 05:49 PM
 
Location: Decatur, GA
7,377 posts, read 6,593,278 times
Reputation: 5215
Quote:
Originally Posted by Dane_in_LA View Post
Fun fact (and it didn't come out until quite a bit later): It wasn't Colonial's actual pipeline control system that got ransomwared, it was their accounting system. The pipeline could move product just fine, Colonial just couldn't charge for it.
Yep, but because their pipeline systems were connected to the internet they shut it down "as a precaution." If they weren't connected, no need to shut down.
Quote:
Originally Posted by Gungnir View Post
The only difference is you need to leave your chair.

How do you secure 5,500 miles of pipeline? You'd need armed guards every 1/4 mile to prevent physical access. If you use CCTV you're going to lose access and see a loop, even with guards, someone can just pay a hooker to go offer a BJ and slip in while they're occupied.
How can you not see the difference? What you're talking about would require them to crawl out of their basement, go to the airport, board a plane, fly over here, be admitted into the country, make their way to the pipeline, break in, do their thing, leave without being followed, fly back, etc. Do you not understand the point of layered security? Do you not understand that security is about making it impractical to attack vs impossible? If your whole argument is "why disconnect from the internet since they can be hacked anyways?" then why not do away with security of any kind since it's still possible to hack something?
Quote:
Your ignorance is duly noted. Those Russian "script kiddies" are the people who dropped those files on the web. Or maybe the NSA, who lost their surveillance suite down the plughole.
So? There's still a difference between them just hitting a few keys half a planet away and having to physically show up!

Quote:
Because to transfer a couple of Gb of data without network or USB would take a month manually typing, or 30 people a day.

Clearly you're overestimating your abilities, to the point it's quite hilarious.
Do you understand that if you need to transfer GBs of data, that unlocking the USB port is possible? I didn't say weld a metal plate over the ports, just lock them. If you have to, you could still momentarily connect the machine to the network. If it's only connected for one hour of the year for whatever transfer, that's 8,759 times less opportunity for hackers than a fully connected machine. Again, security is about making it impractical to attack. Even something like AES-256 isn't impossible to crack, just highly impractical.
 
Old 06-04-2021, 05:57 PM
 
Location: San Diego
18,930 posts, read 7,792,711 times
Reputation: 15172
Quote:
Originally Posted by MattCW View Post
Yep, but because their pipeline systems were connected to the internet they shut it down "as a precaution." If they weren't connected, no need to shut down.
^^^^^^^^^^^ This.
 
Old 06-04-2021, 11:19 PM
 
47,141 posts, read 26,296,435 times
Reputation: 29632
Quote:
Originally Posted by MattCW View Post
Yep, but because their pipeline systems were connected to the internet they shut it down "as a precaution."
Then I've been misinformed. Would you happen to recall where you saw that?
 
Old 06-04-2021, 11:27 PM
 
Location: Itinerant
8,278 posts, read 6,322,489 times
Reputation: 6681
Quote:
Originally Posted by MattCW View Post
Yep, but because their pipeline systems were connected to the internet they shut it down "as a precaution." If they weren't connected, no need to shut down.
I think the fact you're overlooking is that without accounting for the pipeline flow, the system needed to be shut down, otherwise who pays? It was precautionary fiscally not for security.

Quote:
Originally Posted by MattCW View Post
How can you not see the difference? What you're talking about would require them to crawl out of their basement, go to the airport, board a plane, fly over here, be admitted into the country, make their way to the pipeline, break in, do their thing, leave without being followed, fly back, etc. Do you not understand the point of layered security? Do you not understand that security is about making it impractical to attack vs impossible? If your whole argument is "why disconnect from the internet since they can be hacked anyways?" then why not do away with security of any kind since it's still possible to hack something?
There is a difference, what you don't seem to get is that the cost of that security will be passed on, and it's not going to prevent the seriously determined. I'm actually talking layered security, because you may recall I'm suggesting armed guards every 1/4 mile on the Colonial, not just dropping it off the internet, and that's still not fixing the problem, with 22,000 armed guards.

No, someone doesn't need to get on a plane, doesn't need to be admitted, they just chat with someone in Cleveland, for example, who agrees to do it. These aren't lone wolf attacks, they're carefully targeted and coordinated by groups.

The difficulty is counterbalanced by the reward, if you can achieve a 50:50 chance of success with a high enough reward the risk is worth it. So ransomware will still be a problem, just, the cost of unlocking it will go up. Do you want the base cost of various commodities to increase 100% or more so that they can be effectively secured and insured against intrusion?

Quote:
Originally Posted by MattCW View Post
So? There's still a difference between them just hitting a few keys half a planet away and having to physically show up!
But the person leading the attack doesn't show up, someone in the locale does. It's that teamwork thing.

Quote:
Originally Posted by MattCW View Post
Do you understand that if you need to transfer GBs of data, that unlocking the USB port is possible?
Which opens that network up to an attack via Trojan USB. Thanks for illustrating why your original idea is an epic failure. You've never heard the statement "any exploit is a total exploit".

Quote:
Originally Posted by MattCW View Post
I didn't say weld a metal plate over the ports, just lock them. If you have to, you could still momentarily connect the machine to the network. If it's only connected for one hour of the year for whatever transfer, that's 8,759 times less opportunity for hackers than a fully connected machine.
I didn't suggest you'd weld metal plates to your USB and Thunderbolt ports, I figured you'd just disable the hardware.

OMG no if it's connected for 1 hour per year, it's the same risk of compromise as being connected 8760 hours. Because the software that can compromise the system will just sit and wait, it doesn't care how long it might take.

Quote:
Originally Posted by MattCW View Post
Again, security is about making it impractical to attack. Even something like AES-256 isn't impossible to crack, just highly impractical.
Wow, next you'll be telling me it's an NP-complete problem. However it shows again ignorance, you don't hack Rijndael, you hack the person who holds the keys. In general most HW/SW can be exploited, but it's way easier to exploit people, and people are hard to secure, they object to just being told to stay home, not mix with people and wear a mask. So it's never more impractical whenever you move to a manual process, and having an airgap network results in many manual processes in place of automated. There are places and uses for airgaps, but this isn't one of them.
 
Old 06-05-2021, 11:02 AM
 
Location: Decatur, GA
7,377 posts, read 6,593,278 times
Reputation: 5215
Ok, what are you even getting at? I say keep them offline, you say they could just be hacked locally and what about file transfers? I say so limit the connection time, you freak out and say BUT THAT'S RISKY TOO!!!!1111!!! So what exactly is your point other than coming up with ways around every security apparatus in place?