[ISN] Hack raises fears of unsafe energy networks

From: William Knowles (wkat_private)
Date: Wed Jun 13 2001 - 23:00:17 PDT

  • Next message: InfoSec News: "[ISN] [defaced-commentary] PoizonB0x targets "security" sites"

    By Robert Lemos
    Special to CNET News.com 
    June 13, 2001, 9:15 p.m. PT 
    A recent attack on the heart of Californias power distribution center
    underscores the danger of connecting critical resources to networks
    that may never be truly secure from malicious hackers.
    An intruder who cracked the security of two Web servers at the
    California Independent System Operator (ISO)--the non-profit
    corporation that controls the distribution of 75 percent of the
    state's power--was inexperienced and benefited from human error and
    sheer luck, sources close to an investigation into the attack said
    this week.
    The breach, which came to light following a Los Angeles Times report
    last Saturday, should remind those responsible for critical systems
    that simple mistakes can lead to disasters.
    "We haven't learned to protect our critical infrastructure even though
    we have been working on this for a while," said Chris Rouland,
    director of internal research and development for network protection
    firm Internet Security Systems. "They did just about everything wrong
    in deploying systems in a hostile environment."
    California's power grid has come under increasing scrutiny as soaring
    utility prices and rolling blackouts throughout the summer threaten to
    disrupt business in the state. On a national level, the threat to
    power networks is not an idle one.
    In 1997, the National Security Agency--the United States' information
    watchdog--predicted such problems when a military exercise dubbed
    "Eligible Receiver" gained simulated control of the major power grids
    in Chicago, Los Angeles, New York and Washington in four days.
    How it happened
    The ISO hack took advantage of a security flaw in the agency's Solaris
    server systems, which was discovered in March. The attacker took
    control of two servers that were supposed to be protected by a
    firewall. In reality, the servers had not been secured and were
    connected directly to the Internet, according to sources close to the
    While the two Web servers were part of a development network, the
    attacker may have been able to work the initial breach into hacking
    more critical systems, said Rouland, who heads ISS's vulnerability
    assessment team, dubbed X-Force.
    "Once the attacker gets a hold of a perimeter system, it gets them in
    the door and they can frequently leverage that into accessing the rest
    of the network," he said.
    In addition to connecting the servers directly to the Internet, the
    Cal-ISO system administrators left the servers with all the software
    installed by the default set-up, leaving numerous other
    vulnerabilities open to exploitation.
    The system also lacked the ability to collect a record of events in a
    secure place, instead leaving them on the computers that the intruder
    could access. The investigators could not easily detect which files
    had been changed. A rudimentary root kit--a tool set used by Internet
    attackers to take total control of a system--had been installed, but
    other details could not be discovered.
    "There was an obvious attempt made to penetrate our systems," said
    Greg Fishman, spokesman for Cal-ISO, who would not give any more
    details. "They were able to achieve minimal penetration into a system
    that we use to demonstrate software. This was never a threat to our
    core operations."
    Even so, some questioned the Cal-ISO's wisdom of connecting a
    development system to the Internet, even if protected by a firewall,
    as originally intended.
    "Testing a system doesn't require that it be on the Internet," said
    Jay Dyson, senior consultant for online security firm OneSecure. "I
    don't know what they were thinking putting the test system live on the
    The security holes left the system wide open to any hacker of minimal
    skill--and the intruder in question, Dyson said, was an amateur.
    "There is no elegance to this intrusion," Dyson said. "This is just a
    case of throwing enough mud and hitting something. A skilled hacker
    would have been able to hide his tracks better."
    Turning up the heat
    The fact that even an amateur could get into the companys networks has
    officials in the state's capitol putting pressure on the Cal-ISO.
    "I think it is a matter of intense concern that we have an ISO that
    allowed a breach of security through what appeared to be sheer
    incompetence," said state Sen. Tom McClintock, R-Thousand Oaks.
    McClintock has issued a request under California's Open Records Act
    for all the documents concerning the break-in. The intrusion was
    discovered on May 11, but legislators werent informed even a month
    after the breach occurred.
    This fact had McClintock up in arms.
    "I am in the process of preparing a formal request to investigate this
    matter," he said. "Very soon we will know more."
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Wed Jun 13 2001 - 23:36:15 PDT