Potato Salad
Oct 23, 2014

nobody cares


Avenging_Mikon posted:

I mean, I guess if you mandate lethal-to-remove brainstem PAN auth implants and global location tracking collars then giving out your password wouldn't matter.


Proteus Jones
Feb 28, 2013



loving hell.

https://www.nytimes.com/2018/03/15/us/politics/russia-cyberattacks.html

quote:

The Trump administration accused Russia on Thursday of engineering a series of cyberattacks that targeted American and European nuclear power plants and water and electric systems, and could have sabotaged or shut power plants off at will.

United States officials and private security firms saw the attacks as a signal by Moscow that it could sabotage the West’s critical facilities in the event of a conflict.

Volguus
Mar 3, 2009

WW3 will be fought online as well as on the battlefield. And the networks will be just as important as strategic victories/cities.

orange sky
May 7, 2007

Ahahahah so let me guess they can also override and overload them

Unghhhh love my perspectives of future.

Also, why are nuclear plants connected to the internet like at all

Thanks Ants
May 21, 2004

#essereFerrari


orange sky posted:

Ahahahah so let me guess they can also override and overload them

Unghhhh love my perspectives of future.

Also, why are nuclear plants connected to the internet like at all

Outsourced lowest-bid vendors just chucking DSL modems in to monitor their vending machines or air conditioners or whatever and then somebody trips over some wires and just shoves them back in anywhere they fit.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
Dang, how long has it been since we had a good ol' "our critical infrastructure is at risk from poor infosec practices" scare

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

anthonypants posted:

Dang, how long has it been since we had a good ol' "our critical infrastructure is at risk from poor infosec practices" scare

If you're familiar with modern SCADA systems, Stuxnet and related drama, it's a very real concern to have. The systems are very robust, but do exactly what you tell them to, and a great many of them have weak or nonexistent permissions preventing remote modification. Add in the fact that a great many plants have several internet links for out of band management, and poor if any air gapping procedures, and you have a fun target to point at.

Near as I can determine, any generation facility can be damaged if you have access to the SCADA system. You can completely wreck the turbines in a generator facility in a dozen different ways, ranging from 'this is bad' up through 'cheaper to build a new one'. Disabling the turbine or generator bearing oiling mechanism, and spoofing the bearing temp data, disconnecting the breakers and forcing the turbine and genset to fail via overspeed, and a few others that are more complex. Despite costing millions of dollars and taking months to build, they're not exactly super complex devices, and much like the turbo in a car, no oil or going too fast will break it just as surely as if you took a hammer to it. Unlike the turbo in the car, when it comes loose after melting the bearings, it tends to do a great deal of damage, Temple of Doom rolling boulder style, to anything around it.


It's a serious as gently caress issue, because you can more or less brown out or black out huge sections of the national grid more or less on a whim if you can damage or destroy 10% of its generation capacity. Not to mention the incredible loss of life and environmental damage if an actual reactor is induced to fail.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Methylethylaldehyde posted:

If you're familiar with modern SCADA systems, Stuxnet and related drama, it's a very real concern to have.
I'm aware, I don't believe it's not a real threat. What I don't believe is that now, today, this time, the people in charge are going to buckle down and do something about it.

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


Don't worry, Trump will just pretend the hack never happened and we won't have to do anything about it.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

anthonypants posted:

I'm aware, I don't believe it's not a real threat. What I don't believe is that now, today, this time, the people in charge are going to buckle down and do something about it.

It's entirely pageantry to either distract from something, or to advance an agenda by putting it forward. That agenda might actually be 'make these things safer' if we're really lucky! Hell if I know the specifics behind it being done today.

Cup Runneth Over posted:

Don't worry, Trump will just pretend the hack never happened and we won't have to do anything about it.

The lights going out tends to be something harder to wish away.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Methylethylaldehyde posted:

The lights going out tends to be something harder to wish away.
I wonder what the folks in Puerto Rico have to say about this sentiment. And Flint, Michigan hasn't had clean drinking water for almost four years now, but we haven't found a way to pin that one on The Russians yet.

Absurd Alhazred
Mar 27, 2010

by Athanatos
https://twitter.com/imjayhay/status/974335393595183104

Gromit
Aug 15, 2000

I am an oppressed White Male, Asian women wont serve me! Save me Campbell Newman!!!!!!!

Methylethylaldehyde posted:

Near as I can determine, any generation facility can be damaged if you have access to the SCADA system.

This was touted as the first "cyber incident" that caused physical damage, but the guy had stolen SCADA gear in his car:

https://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/

I guess it's true to say he had a laptop in his car that was used, but the software in question, iirc, was Putty or similar to talk to the radio equipment.

Maneki Neko
Oct 27, 2000

anthonypants posted:

I'm aware, I don't believe it's not a real threat. What I don't believe is that now, today, this time, the people in charge are going to buckle down and do something about it.

So far all I've seen is DHS people out giving vague guidelines on things or being sticklers about stupid poo poo. Every SCADA system group I've ever interacted with has been engineers from other disciplines that just know enough computer stuff to "get by", heavily leaning on vendors trying to sell you commodity hardware to run a system with a 10-20 year lifespan.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Maneki Neko posted:

So far all I've seen is DHS people out giving vague guidelines on things or being sticklers about stupid poo poo. Every SCADA system group I've ever interacted with has been engineers from other disciplines that just know enough computer stuff to "get by", heavily leaning on vendors trying to sell you commodity hardware to run a system with a 10-20 year lifespan.
The real infosec fuckup is lowest-bidder contractors.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

Maneki Neko posted:

So far all I've seen is DHS people out giving vague guidelines on things or being sticklers about stupid poo poo. Every SCADA system group I've ever interacted with has been engineers from other disciplines that just know enough computer stuff to "get by", heavily leaning on vendors trying to sell you commodity hardware to run a system with a 10-20 year lifespan.

Setting up and implementing a SCADA system is a huge pain in the dick. You basically need to know everything there is to know about how the plant needs to operate, down to the smallest valve and relay, design a system that's able to capture and control all of that, then connect it up in such a way that a sparky who barely knows how to use his phone can't gently caress it all up by plugging the wrong network cable in place, and stay proactive and on top of monitoring, patching and updating the back end network systems.

Exactly no facilities actually do all of that, because it's way easier to leave a dusty old Dell in the corner with a network card and CANBUS card and have the vendor remote in to fix things. Or they get sold on the unholy crossbreed of safety critical infrastructure and IoT, cloud managed PLC!

Boris Galerkin
Dec 17, 2011

I don't understand why I can't harass people online. Seriously, somebody please explain why I shouldn't be allowed to stalk others on social media!

anthonypants posted:

The real infosec fuckup is lowest-bidder contractors.

How do you combat that though? I feel like getting rid of the lowest bidder requirement (is it formally one?) would just lead to a lot of companies contracting out to whoever buys them the best steak dinner.

Thanks Ants
May 21, 2004

#essereFerrari


You can still have somebody qualified providing oversight to the contractors to make sure that remote access is justified and implemented in a way that doesn't compromise the rest of the system, but that person will cost money.

AFAIK bid processes are a lot more nuanced in public procurement than just going for the lowest cost - you need to give every bidder the same information and an idea of how their bids will be scored, any clarifications need to go to all the bidders, and the results of the scoring are made public. It's still open to people just blatantly grading responses wrong to favour their preferred option, but then that's public and can be challenged.

Thanks Ants fucked around with this message at 17:26 on Mar 16, 2018

Maneki Neko
Oct 27, 2000

Boris Galerkin posted:

How do you combat that though? I feel like getting rid of the lowest bidder requirement (is it formally one?) would just lead to a lot of companies contracting out to whoever buys them the best steak dinner.

This seems like a perfectly reasonable criterion.

Thanks Ants posted:

You can still have somebody qualified providing oversight to the contractors to make sure that remote access is justified and implemented in a way that doesn't compromise the rest of the system, but that person will cost money.

AFAIK bid processes are a lot more nuanced in public procurement than just going for the lowest cost - you need to give every bidder the same information and an idea of how their bids will be scored, any clarifications need to go to all the bidders, and the results of the scoring are made public. It's still open to people just blatantly grading responses wrong to favour their preferred option, but then that's public and can be challenged.

What we find is that the people crafting the RFP just tailor it so their preferred vendor is the only one who can win anyway.

Wiggly Wayne DDS
Sep 11, 2010



Boris Galerkin posted:

How do you combat that though? I feel like getting rid of the lowest bidder requirement (is it formally one?) would just lead to a lot of companies contracting out to whoever buys them the best steak dinner.
you do it in public through tenders being released, defined points for quality in each step of the process and an overall cost/quality % where the lowest bidder can be marked away if people aren't comfortable with it. you can't really stop multiple parties working to break the process directly, but that's where arbitration of awards and judicial oversight come into play

uk has: gov.uk, public contracts scotland, sell2wales, esourcing ni and etendersni if you want to delve into what it looks like in practice

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Boris Galerkin posted:

How do you combat that though? I feel like getting rid of the lowest bidder requirement (is it formally one?) would just lead to a lot of companies contracting out to whoever buys them the best steak dinner.

You develop strong policy that defines requirements for IT system security and maintenance and make sure your vendors are contractually obliged to abide by it by stating those requirements in the bid process.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Boris Galerkin posted:

How do you combat that though? I feel like getting rid of the lowest bidder requirement (is it formally one?) would just lead to a lot of companies contracting out to whoever buys them the best steak dinner.
It is a legal requirement for government contracts to accept the lowest bidder in many places, but I might as well have said "the real infosec fuckup is bikeshedding".

evil_bunnY
Apr 2, 2003

Maneki Neko posted:

What we find is that the people crafting the RFP just tailor it so their preferred vendor is the only one who can win anyway.
It’s a thin line between writing the RFP to a supplier’s benefit and writing one where you want the outcome to not be challenged once they select the offer that’s obviously the best match to your requirements.

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!
The US nuclear industry is especially bad off due to NIMBYism, and I imagine a lot of the plants have things that haven’t been upgraded in ages.

22 Eargesplitten
Oct 10, 2010



When you’re sniffing traffic, how easy is it to tell what type of file is being transferred? It just occurred to me that on the rare instances I sync my password database I’m transmitting my master key as well :doh:.

Not sure how much it would matter even if someone was monitoring my traffic for some odd reason, I’d probably have to be more worried about logging in to stuff on WiFi. And my password is 25 characters of numbers, symbols, uppercase, and lowercase with no words, something like 2-300 entropy bits. So my original reason for wondering doesn’t make sense after typing it out, but I don’t really know how spying on WiFi works still.

The Fool
Oct 16, 2003


If it is a concern, use a vpn service.

You can get a subscription for something like Nord.

But I'd recommend rolling your own with Algo

22 Eargesplitten
Oct 10, 2010



Roll my own crypto? :v:

It’s really more curiosity than anything. It might not be a bad idea anyway. It would currently require tapping into the hard line 99% of the time since I never use my laptop and do almost everything involving important data on my desktop. Comcast encrypts the data going over their network, right? Or am I being overly optimistic?

RFC2324
Jun 7, 2012

http 418

how are you sending your master password over the network anyway?

The Fool
Oct 16, 2003


lol, I fully expect Comcast to be analyzing every single packet you are sending.


But roll your own, I mean VPN Server. Algo is a pretty cool piece of tech and worth reading more about even if you don't think you'll use it.

I personally don't worry about it too much on my home internet, just when I'm using public WiFi.

22 Eargesplitten
Oct 10, 2010



RFC2324 posted:

how are you sending your master password over the network anyway?

Resilio Sync. Syncs certain folders with designated connected devices on demand (you can pay for automatic, manual is free). Private key, not password. Sorry if I misspoke. I’ve got it secured both by key and password. It’s how I keep my passwords accessible on all my devices without having Lastpass give them away a couple times a year.

The Fool
Oct 16, 2003


According to this page Resilio traffic is encrypted with AES-128 which is a lower level of security than their own website.

22 Eargesplitten
Oct 10, 2010



:negative:

Is there anything similar that’s better, or should I just be doing a manual transfer between the computers? Is there a good free way to do that securely? At previous jobs I used LogMeIn mostly, although I also did some copies through PowerShell. Not sure if that was secure or just stupid, though. I guess we had firewalls, but I don’t know how they were set up. Wasn’t my responsibility.

RFC2324
Jun 7, 2012

http 418

just don't sync the key file? i wouldn't even keep it in the same online location, personally (i transfer mine manually when it needs to be transferred, either with a wire to my phone or with a jump drive between computers)

The Fool
Oct 16, 2003


Yeah.

If what you're doing works for you for all of your other files, and the only piece of sensitive data you're concerned about is your key file, just don't sync that file.

EssOEss
Oct 23, 2006
128-bit approved
* Something you know
* Something you own
* Something you are

Those are the standard 3 components for authenticating yourself. The keyfile is used as the "something you own" component, with your password as "something you know". You need to actually control its ownership for it to be any benefit - stick it on a USB stick that you carry along (plus perhaps a backup in the cloud encrypted with a password written down in your safe at your summer home).

22 Eargesplitten
Oct 10, 2010



Yeah, I should probably only transfer the database. I just had a lightbulb when I realized that I have been transferring both pieces at the same time for the past 2+ years.

I guess I could carry it on a USB stick as well. I’d be worried about losing it, but if I did I could just treat it like I lost my phone and change all the passwords.

RFC2324
Jun 7, 2012

http 418

Maybe generate a new key file when you stop syncing it, just in case someone managed to intercept it.
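An added example, not code from the thread or from any real password manager, showing the two points made above: EssOEss's "something you own" role of the key file (the vault only opens when password and key file are both supplied) and RFC2324's advice to generate a new key file once it may have been exposed by being synced next to the database. The composite-key layout (hash each factor, concatenate, stretch with PBKDF2) follows the general shape KeePass uses but is an assumption here; the function names, parameters and the sample vault contents are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed parameters for this example; not taken from any real vault format.
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16


def generate_keyfile() -> bytes:
    """Create a fresh random key file: the 'something you own' factor."""
    return secrets.token_bytes(32)


def derive_composite_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Combine the two factors into one key (KeePass-style layout, assumed here):
    each factor is hashed on its own, the hashes are concatenated, and the result
    is stretched with PBKDF2 so password guessing stays slow. Leaving the key file
    out changes the input, so a different key comes out: both factors are required."""
    pw_hash = hashlib.sha256(password.encode("utf-8")).digest()
    kf_hash = hashlib.sha256(keyfile).digest() if keyfile is not None else b""
    return hashlib.pbkdf2_hmac("sha256", pw_hash + kf_hash, salt, PBKDF2_ITERATIONS, dklen=32)


def seal_vault(blob: bytes, password: str, keyfile: bytes) -> dict:
    """Attach a key-check tag (HMAC over the stored blob) to the vault, so unlocking
    can tell a wrong factor apart from a corrupted file. Encrypting the blob itself
    is out of scope here; a real vault encrypts it under a key derived the same way."""
    salt = secrets.token_bytes(SALT_LEN)
    key = derive_composite_key(password, keyfile, salt)
    tag = hmac.new(key, blob, hashlib.sha256).digest()
    return {"salt": salt, "tag": tag, "blob": blob}


def unlock_vault(vault: dict, password: str, keyfile: Optional[bytes]) -> bool:
    """Return True only when password AND key file reproduce the sealing key."""
    key = derive_composite_key(password, keyfile, vault["salt"])
    expected = hmac.new(key, vault["blob"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, vault["tag"])


def rotate_keyfile(vault: dict, password: str, old_keyfile: bytes) -> tuple:
    """Replace a key file that may have been exposed (e.g. synced alongside the
    database): re-seal under a fresh key file and fresh salt, so the old file no
    longer opens the vault. Returns (new_vault, new_keyfile)."""
    if not unlock_vault(vault, password, old_keyfile):
        raise ValueError("current factors do not open the vault")
    new_keyfile = generate_keyfile()
    return seal_vault(vault["blob"], password, new_keyfile), new_keyfile


if __name__ == "__main__":
    # Constructed sample database content and password.
    db = b"constructed-vault-contents"
    pw = "correct horse battery staple"
    kf = generate_keyfile()
    vault = seal_vault(db, pw, kf)
    print("password + key file:", unlock_vault(vault, pw, kf))        # True
    print("password only:      ", unlock_vault(vault, pw, None))      # False
    vault2, kf2 = rotate_keyfile(vault, pw, kf)
    print("old key file after rotation:", unlock_vault(vault2, pw, kf))   # False
    print("new key file after rotation:", unlock_vault(vault2, pw, kf2))  # True
```

The key-check tag is what lets `rotate_keyfile` refuse to run with stale factors; the same check is why an intercepted copy of the database is useless without the key file, and why a key file that travelled with the database in the same sync has to be treated as exposed and replaced rather than merely stopped from syncing.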

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

RFC2324 posted:

Maybe generate a new key file when you stop syncing it, just in case someone managed to intercept it.

If you are reacting to that scenario, you need to change all your passwords too.

RFC2324
Jun 7, 2012

http 418

Subjunctive posted:

If you are reacting to that scenario, you need to change all your passwords too.

He's just realizing that keeping his key file in the same location that he accesses on public wifi as the database itself needs to be fixed.

https://www.youtube.com/watch?v=fA7LGqwjhYs


Diva Cupcake
Aug 15, 2005

So this happened. I’m sure everything is fine.

https://twitter.com/evacide/status/975862319472234496
