Is hacking just a bit of a lark, or should we take it more seriously?

Having been at the wrong end of a number of people who hacked and stole my data, I’m clearly not someone who thinks hacking is just a bit of a lark.  In fact, when used against companies and governments, these attempts to disrupt are classified as cyber terrorism and cyber war.

Unknown hackers have inflicted ‘serious damage’ to a German steel mill this year by breaking into internal networks and accessing the main controls of the factory, the German Federal Office for Information Security (BSI) revealed in its annual report.

The report says that the intrusion into the mainframe system caused significant damage to a blast furnace as the attackers managed to manipulate the internal systems and industrial components, causing outages that disrupted the controlled manner of operation.

The BSI’s didn’t mention which plant was targeted nor gave any reference to the time of the attack. The Office did note the “very advanced” capabilities of the hackers.

To penetrate the security, the intruders used a “sophisticated spear phishing” method to gain access to the core networks of the plant. Using this method, which involves targeting specific individuals within an organization, the attackers first penetrated the office network of the factory. From there, they managed their way into the production networks.

The bottom line is that if there is a sophisticated and sustained attack to get into a system, there is no way it can be kept truly safe.   There are small elements of luck, but more of then than not, access is achieved eventually.

Benjamin Sonntag, a software developer and digital rights activist told RT that cyber war has been going on for a long time. And while it is nothing new, Sonntag says, the “biggest problem” at the moment is the work of the NSA, “which handle both the defensive approach which is enhancing security of the infrastructure and the offensive approach which is attacking others with mass surveillance.”

The steel mill incident, Sonntag says, reminds him of the most famous attack on industrial control systems – Stuxnet. The trojan attack, which was first uncovered in June 2010 was allegedly used by the US and Israel to penetrate a number of Iranian facilities, most notably the Natanz uranium enrichment plant. Stuxnet was responsible for destroyed hundreds of the Iranians’ centrifuges.

“The people who do these kinds of attacks are usually either paid by the state, or mafia, or a big company,” he said. “We do not expect a nuclear power plant or steel plant to be connected to the Internet. To be computerized, but to be connected to the Internet and to be hackable that was is quite unexpected.”

Sonntag says the best way to insure the “safety” of information systems is to make attacks “public and transparent,” so the electronic community can react and protect itself against these types of threats.

The problem is that our law enforcement and judicial systems are way behind the eight ball here.  Some pretty insiduous and disasterous things are happening, but because there is no body in the library lying in a pool of blood with a candle stick nearby, people in general can’t see where the harm is in someone typing some commands on a keyboard somewhere.

I suspect there will have to be more high profile cases with some unintended consequences before the public and the authorities will start to consider cyber crimes seriously.

Until then, the criminals are almost always anonymous.  The damage is irreversible.  Nobody can get arrested, no countries can get invaded.  It’s all rather… surreal.

 

– Russia Today

 


THANK YOU for being a subscriber. Because of you Whaleoil is going from strength to strength. It is a little known fact that Whaleoil subscribers are better in bed, good looking and highly intelligent. Sometimes all at once! Please Click Here Now to subscribe to an ad-free Whaleoil.

  • Jaffa

    To be computerised, but not connected to the internet, should be the aim of all infrastructure, and big business.

    • Korau

      As I understand the stuxnet attack on the Iranian nuclear facilities, the computers hacked were not connected to the internet. Rather, they were connected to an internal net (intranet). The hack was done by an infected usb drive being inserted into a computer on this intranet, then Abdullahs your uncle. If an intranet has a computer connected both to the intranet and the internet then the security value of the intranet is nullified.

      Many of the current hacks are being carried out with spear phishing. This is a phishing email sent to a specific target within an organisation, and is largely a failure of both training and common sense.

      Cyber crime is a huge problem, the losses and costs worldwide are truly staggering. This report http://au.norton.com/cybercrimereport/promo from several years ago puts a dollar value on it (for 24 countries only).

      As Cameron points out, there will be more, many more. Two major problems. It’s often a cross border crime which is very hard to prosecute. And it’s difficult to even pin done who the criminal was. You can do a cyber crime within NZ and be largely immune by using public facilities (library, hop spot, cyber cafe for instance).

      The better defence is at the victim end. Training, up to date software, shunning Microsoft Windows for Linux, good firewall, common sense and good internet habits are just some of the steps. Separating internet and intranet, strong encryption etc are also steps that business/government should be taking.

      • SlightlyStrange

        A large NZ company I worked for had a similar issue a few years ago, where someone (unintentionally, I gather) inserted a virus-laden USB into a work computer. Thousands of hours work was required to fix the problems it caused across the network.
        In came a “no USB’s” rule, pretty quick-smart.

  • Pluto

    We live in a world where we have no option but to place our faith in the minders of defence systems, nuclear power plants, communications etc including the www itself.
    However if North Korea can hack Sony then any properly motivated organization stands a chance. Are the cleverest minds with the hackers or the safekeepers ?

  • intelligentes candida diva

    To answer the topic heading question > SERIOUSLY:
    My rationale is: being on line in many contexts is private and the sharer of information ought to have the right to decide how, who to, when, or where the information is dispersed if at all.

  • Hedgehog

    I think we need to break the hacking into 2 components – those that want to do physical harm – eg: the power plant, and those who want to do intellectual or personal harm. For the former, we need to rely on the minders as Pluto comments. But the later we need to let a complicit media know that disseminating hacked material makes them just as bad as the hacker. As we have seen with our media who have put rawshark (hacker) and Hager (disseminator) on a pedestal.

    • our media who have put rawshark (hacker) and Hager (disseminator) on a pedestal.

      Indeed.

      They are celebrated for their actions, and when (if?) they have to face the consequences, they’ll be martyrs.

  • Jas

    Much like with burglary until people stop buying stolen goods it wont stop, people who use hacked information will mean hacking keeps on happening
    It also doesn’t help that most people think it is ok to say you are someone you are not to get access to content and download stolen content and have no issue whatsoever with it.

  • JC

    A thousand years ago St Thomas Aquinas recognised the inevitability of war so he gave it a lot of thought and came up with the concept of “The Just War” in which he laid down the requirements for a moral country to follow in deciding to go to war.. he pointed out that war, terrible as it is may sometimes be the lesser evil. He also codified the morality to be used in the “conduct” of war.

    That doctrine has worn well.. so well that George Bush relied on it to justify invading Iraq and his political opponents held him to the Aquinas doctrine of his conduct of the war.

    You can apply this doctrine to cyber warfare as well, eg, if they did it both Israel and the US had a moral right to insert the Stuxnet virus into the Iranian nuclear programme because the consequences of allowing the Mullahs nuclear weapons is worse than applying Stuxnet.

    You can also apply just war theory to the release of the Climategate emails in 2009, climate science fraud was being used to initiate a transfer of trillions of dollars to the third world.. that is a crime of vast proportions.

    Now we come to theft of personal emails.. IMO it would be justified to release them if they uncovered a threat or actuality of murder of an innocent or some other crime of sufficient seriousness that the public should know about.. but remember it has to be only of details of the actual crime itself.. personal chit chat does not meet the doctrine defence of just war and conduct. Possibly you could do a bit of hand waving and say the chit chat indicated a frame of mind that suggested the actual criminal behavior but there are limits to how far you could go because chit chat is not proof.

    JC

    • Pharmachick

      Thank you for posting this. I made a ham-fisted attempt at saying something similar on another WO thread about half an hour ago. I agree so much with what you have said – in the current climate I feel that we need real conversations around the *reasons* for going to war. Your points are well taken in the contexts of the current hacking by Korea, but they also apply demonstrably to other flash points in the world and to actual militarized (as opposed to virtual) wars that are underway in the world.

22%