Fake News: Relentless, Predatory FOX
The Market Ticker - Commentary on The Capital Markets
2016-12-31 12:54 by Karl Denninger
in Technology
 

Well now, it appears there is actually a story in here regarding malware tied to Russia:

BURLINGTON, Vt. –  Malware code linked to Russian hackers and found on a Vermont electric utility's computer is further evidence of "predatory" steps taken by that country against the U.S., a Vermont Democratic congressman said Saturday.

....

"This attack shows how rampant Russian hacking is. It's systemic, relentless, predatory," Rep. Peter Welch said in a statement. "They will hack everywhere, even Vermont, in pursuit of opportunities to disrupt our country."

Welch said the breach also underscores that sanctions President Barack Obama took against Russia this week were warranted. Russia, which has denied hacking U.S. systems, has been accused of interference in the U.S. presidential election by hacking American political sites and email accounts.

In other news the person who used that laptop was known to prefer pornographic video of sex with goats (sarc).

First off, said laptop was apparently owned by said utility but, the utility claims at least, it was not in any way connected to any part of their network, especially the parts that actually control its operations.  This leads one to wonder exactly what purpose said laptop had -- perhaps it was part of a meter-reading system in a company vehicle, for example.

"Vermonters and all Americans should be both alarmed and outraged that one of the world's leading thugs, (Russian President) Vladimir Putin, has been attempting to hack our electric grid, which we rely upon to support our quality-of-life, economy, health, and safety," the governor said in a statement.

Meh.  There's zero evidence to support that allegation.  First, we don't know how the malware got in there.  The most-common means by which it "gets in there" is the installation of a program that someone thought would do something else -- like, for example, play videos of people having sex with goats.

This is the dirty little secret when it comes to "rootkits" and other forms of persistent malware -- it has to get into the machine somehow, and the "somehow" on modern computers requires that you give it permission to install.

Installation on most modern machines is inherently an act that requires elevated privileges to some degree.  These privileges are (sadly) not usually very granular, so when you grant permission to do the installation and the installer has evil code in it, that installer can put the evil code into the computer and protect it from being seen through normal means (and removed through normal means!).  This frequently includes corrupting one or more of the system's internal files so that, absent a complete reload of the device in question, it is virtually impossible to cleanly remove the evildoer's work.

Yes, there occasionally are vulnerabilities discovered that allow "unsanctioned" installations of this sort.  They're called "privilege escalation" attacks and the really ugly part of them is not only how many of them are discovered but that the places they're discovered are in pieces of code that execute with system privileges and thus can modify other, unrelated parts of the system and its software.  Most, but not all, of these pieces of software should not be written to require that sort of privilege but software vendors do it because they're lazy while government, commercial and individual users repeatedly give the vendors a pass instead of bending them over the table and destroying them.

Incidentally, this sort of malware is literally everywhere.  It's used by the people who "cryptolock" files and demand ransom, it is used by those who corrupt machines for the purpose of using them for "denial of service" attacks and as a means of relaying further data without being detected as the source and, sometimes, it is also used to directly target someone for data theft or corruption.

We don't know which was the case here, but it's a fairly good bet that this wasn't exactly a "targeted" attack; if it was, it was rather poorly executed.

Let me remind you that there certainly have been targeted and effective attacks in recent memory allegedly traced to actual state actors.  The OPM data heist is an example: it involved not only a series of massive acts of stupidity inside our government but also active and intentional covering up of the breach once detected, including lying under oath -- which is a crime.  Yet the number of people prosecuted for said lying under oath and intentionally covering up said breach, which I remind you included fingerprints of millions of individuals along with detailed background check information related to virtually everyone who has held a security clearance in the last 20 years, numbers zero.

There has also been no formal claim of "blame" laid on any foreign actor in this regard, although there certainly is more evidence pointing to who was responsible for that breach than either the DNC's hack or this laptop incident in Vermont.

This, I remind you, is despite the fact that China claims to have arrested people involved in same.

Yeah.

Folks, we have a major security problem throughout government and private-sector systems ranging down to the mundane such as your car, TV and cellphone.  We have agencies of our governmental units along with other critical private sector parties (like power companies) that intentionally and willfully ignore known protocols that are highly effective in preventing such attacks.  These acts of willful and intentional ignorance include using public email provider accounts or "private" (and poorly constructed) servers (a.k.a. Hillary), allowing corporate and government machines to have installed on them software that has not been vetted, allowing the attachment of external devices without authorization and vetting (e.g. USB drives, etc.), continuing to allow the use of software that has known security exploits in the field and more.  In the OPM case there were multiple critical breaches of security protocol, and following any one of the breached protocols would likely have been effective in preventing the attack from succeeding.  Taken together they would have almost certainly not only prevented the attack but detected the attempts.

Folks, this stuff really isn't all that hard but it does mean that a certain amount of "convenience" has to be foregone.

That's the real problem, you see.  It's convenient to not lock your front door but if you do that the odds of a robber stealing your television go way up because now he can just walk in and take it!  Likewise, an email system that cannot have its storage accessed except via a VPN connection that requires a certificate to connect is extremely secure.  It is no longer a matter of simply having someone's password; now you have to steal a device and break into it, and if you do, your access is only good until the person realizes the device was stolen and the key is revoked.  If you configure a machine that is supposed to do a business or government-related thing (e.g. obtain usage data from electric meters and then transfer that to a central site for billing) so that no other connections than the authorized ones work, then it becomes very hard to get the malware on the computer in the first place that would then be used to circumvent those controls.  Of course if you do that then the meter reader can't access Amazon, some news site or blog, or the gay sex with goats site using said business computer in the electric company vehicle.

Yeah.

In other words security when it comes to data access is a process, not a product.  You have a bunch of companies running around these days claiming to provide "security solutions" that are in fact nothing more than vendors of software that can easily be put together for free, who package it up and call it a "solution."  It is not.  These same firms then use break-ins as advertising; in other words they are very interested in seeing actual compromises happen because that "increases demand" for their products and services!

An example: Several years ago I raised hell about the so-called "advanced keyless entry" systems on automobiles, which, by the way, are now the rule rather than the exception.  It was blatantly obvious to me with only a few minutes of thought that a pair of no-licence-required radios and a relatively small amount of effort (an effort I could trivially make myself) would allow a thief to repeat the signals from your key and car to each other over distances that would make theft trivial.  The key to making such thefts possible is the convenience factor of you not having to press a button on the keyfob -- that is, the car senses the key is near it and acts without a positive action being taken on your part.  These systems normally only work within a couple of feet of one another and use a "rolling" code that leads people to "think" they're reasonably secure -- but if I can pick up the signal from one and repeat it to the other end and do likewise for the response then I can pretend you are sitting in or standing next to the car when you're actually in the shopping mall!  Not only does it now become trivial to steal the car, there is exactly no evidence of how I did it after the fact.

The stupidity of such a design is that if you have to push a button then it goes from trivial to very hard to exploit because now I have to capture you actually using the keyfob and then figure out the encryption so I can determine what the next code is because as a thief I cannot cause the fob to emit the next code by myself.  That's hard.  But if you don't have to push a button then I can simply ask the key for the next code and send it as if the key was sitting next to the car, and....... your nice new car is GONE!

In short we took what was a reasonably-secure system and made it insanely insecure just for the pleasure of your "convenience" in not having to push a button to unlock the damn door!  We took two-factor authentication to open the door (you must have the fob and you must perform the act of pushing the unlock button) and turned it into one-factor and then on top of that made the one factor something you both have and that can be queried without your direct knowledge.
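The argument above as a small protocol model, added here as an illustration and not part of the original post. It assumes an HMAC challenge-response as a stand-in for the "rolling" code and a constructed 1 m radio range; the class and function names are hypothetical and no vendor's actual protocol is represented.

```python
import hashlib
import hmac
import os

RANGE_M = 1.0  # constructed value standing in for "a couple of feet"


class Fob:
    def __init__(self, key, passive):
        self.key = key
        self.passive = passive        # True: answers without any user action
        self.button_pressed = False

    def press_button(self):
        self.button_pressed = True

    def respond(self, challenge):
        # A button-type fob stays silent unless the owner has just pressed it.
        if not self.passive and not self.button_pressed:
            return None
        self.button_pressed = False
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


class Car:
    def __init__(self, key):
        self.key = key
        self.challenge = None

    def new_challenge(self):
        self.challenge = os.urandom(16)
        return self.challenge

    def verify(self, response):
        if self.challenge is None or response is None:
            return False
        expected = hmac.new(self.key, self.challenge, hashlib.sha256).digest()
        self.challenge = None         # each challenge is single-use
        return hmac.compare_digest(expected, response)


def unlock_attempt(car, fob, distance_m, relayed=False):
    challenge = car.new_challenge()
    # A relay forwards both directions unchanged, so range stops limiting the link.
    if not relayed and distance_m > RANGE_M:
        return False
    return car.verify(fob.respond(challenge))


def replay_attempt(car, fob):
    old = fob.respond(car.new_challenge())  # response recorded earlier
    car.new_challenge()                     # car has moved on to a fresh challenge
    return car.verify(old)


def scenarios():
    key = os.urandom(32)                    # constructed shared secret
    car = Car(key)
    passive, button = Fob(key, passive=True), Fob(key, passive=False)
    results = {
        "passive, owner at door": unlock_attempt(car, passive, 0.5),
        "passive, owner far away": unlock_attempt(car, passive, 200.0),
        "passive, far away, relayed": unlock_attempt(car, passive, 200.0, relayed=True),
        "passive, recorded response replayed": replay_attempt(car, passive),
        "button, far away, relayed, no press": unlock_attempt(car, button, 200.0, relayed=True),
    }
    button.press_button()
    results["button, owner presses at door"] = unlock_attempt(car, button, 0.5)
    return results


if __name__ == "__main__":
    for name, unlocked in scenarios().items():
        print(f"{name:40s} -> {'UNLOCKED' if unlocked else 'denied'}")
```

The replayed response is rejected, so the code itself does its job; what the passive design gives up is the proof that the owner did anything, and the button requirement is what restores it.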

I don't -- and won't -- own a vehicle equipped with such a "convenience" feature -- and that's why.  And what did we see this year? A demonstration.  Oops.

How many of the people reading this are stupid enough to have something like Alexa in their house?  Or a smart TV that responds to voice commands?

Oh, you say, it only records when you say "Hey Alexa" first?  How do you know that to be true?  How do you know that the code in that device is secure and has neither a back door nor a security problem that has allowed some malignant third party to turn the damn microphone on all the time?

You do know that the cops are testing the claim that Alexa (and Amazon) doesn't have that data, right?  Wanna bet on that?

What the hell is wrong with you?

The same thing that was and is wrong with the government, with the utility in Vermont and elsewhere -- you wish to have so much convenience that you simply don't give a good damn about the fact that you are leaving your front door unlocked and a big "steal my TV" sign in the window.

I've raised a ton of Hell about this over the years, going back to my days writing code for others as a wage slave.

It's a fight that's almost not worth writing about anymore -- except to post great big "Told You So" signs when your car is stolen or your fingerprints (which you can't change like a password, incidentally) are ripped off from the government.

And with that I leave this for the utility in Vermont:

smiley

Comments.......
Lobo
Posts: 353
Incept: 2013-12-25

The company that I work for has had several instances of viruses getting loose on the network because someone installed software that they shouldn't have. In every case, it has been an executive, typically traveling through China, that insisted that they had to have admin access during the trip.

I'm currently shopping for a new truck. Toyota has a system where you have to put your hand on the door handle in addition to having the transmitter in your pocket in order to unlock the doors, which really isn't any different from just unlocking them because you're standing there. Everything is going pushbutton ignition as well, which just requires that the transmitter be inside the vehicle in order to start it.

Hmm. Gen, you've probably already thought of this, but how about selling little Faraday cages for transmitters? Drop the transmitter in the pouch, seal it and there's no signal to be captured. Seems like it would work best for women with purses.
Tickerguy
Posts: 147632
Incept: 2007-06-26
A True American Patriot!
My Mazda is push button start BUT you have to unlock the door with a button press on the remote (or key if the fob battery is dead). This makes it a LOT harder since you have to physically break into the car first.

I didn't want the higher trim model's "no button required" to unlock the door system and this is why.

----------
Winding it down.
Thesev
Posts: 1596
Incept: 2007-10-30

Louisiana
The problem I noticed is that we've lost CHOICE in the matter.

Try and find new "old school" products anymore.


----------
The reason the republic isn't working is that it's being run as a democracy.

It doesn't matter who you are, or who you Think you are, the Math is Going to Win.
Tickerguy
Posts: 147632
Incept: 2007-06-26
A True American Patriot!
Yep.

----------
Winding it down.
Tinman
Posts: 278
Incept: 2008-02-16

While back I took my 2002 Ranger in for a problem I could not figure out (I can still more or less work on this era vehicle). Rented a modern Ram truck. It had no key (FOB). So I could not mechanically disconnect the electrical system, I had to ask the computer. After I got it started it took me two minutes searching for the gear shift to find that it was a knob like a volume dial on the dash. I drove down the road with my foot on the pedal and turning it to neutral. Nope... engine still engaged. I'm keeping the Ranger and then falling back to the barned 71 Riviera. Gotta look like a pimp with a 455 in my old age.
Azengrcat
Posts: 392
Incept: 2010-05-31

Delete system32, that will fix all of his problems
Flyanddive
Posts: 1895
Incept: 2008-10-10

Detroit
This is the elite Russian hacking email chain right here.
https://wikileaks.org/podesta-emails/ema....

But, I don't know why they went to the trouble to even ask, obviously his password was probably 12345 anyway.

----------
"I've seen people go into real poverty trying to pretend to be rich."
Tickerguy
Posts: 147632
Incept: 2007-06-26
A True American Patriot!
It was "password" .. smiley

----------
Winding it down.
Lemonaid
Posts: 10326
Incept: 2008-01-20

Metro Detroit
WaPo just added an Editor's note:

Quote:

Editors Note: An earlier version of this story incorrectly said that Russian hackers had penetrated the U.S. electric grid. Authorities say there is no indication of that so far. The computer at Burlington Electric that was hacked was not attached to the grid.


Beyond pathetic smiley

----------
"There is no means of avoiding the final collapse of a boom brought about by credit expansion. The alternative is only whether the crisis should come sooner as the result of a voluntary abandonment of further credit expansion, or later as a final and total catastrophe of the currency system involved." Ludwig von Mises
Elkad
Posts: 263
Incept: 2009-09-04

Wife's Suzuki has the "Transmitter in pocket" ignition and doors (you touch a button on the door)

Damn if it isn't handy as hell, but I'm well aware of the risks.

At least hers has terrible range. Nowhere near the 3m mentioned in the video. If the keys are arms-reach (1m) from the door, it won't open, even with a new battery in the fob. A year on the battery and it's a third of that distance. So I have some hope that a thief will need to be VERY close to me to get a repeat. That's no help in the grocery store, but at least it probably means in the house with the keys in their typical place (upstairs and 15' from any exterior walls), the thieves will need a very good antenna on the equipment.

I'd considered looking for a way to disable it (probably just disable the pushbuttons on all 3 doors), but I think the risk of losing a car is offset by the fact my wife can get into it much quicker in an emergency. Even before this car, she let the fob drift to the bottom of her purse regularly, requiring many seconds of digging to find it every time.

Hmm. Best option. Add a mechanical switch (inside the car) to the door(s) pushbutton circuit. I'd be able to disable the doors at will (requiring you to push the button on the fob instead), but the sensor for the ignition would still function.
Idiom
Posts: 76
Incept: 2015-02-20

New Zealand
When state actors are after juicy targets it looks a lil more sophisticated than porn malware.

If I recall, Stuxnet relied on something like 20 zero-day exploits to do what it did. That is very expensive to put together and doesn't show up on a virus scan of a random laptop. You find it because your machinery destroys itself while reporting normal operations.

What's Russia even going to do with the power grid? People think the Ruskies are going to start a war???
Vernonb
Posts: 1707
Incept: 2009-06-03

East of Sheol
Quote:
These systems normally only work within a couple of feet of one another and use a "rolling" code that leads people to "think" they're reasonably secure .... It now becomes not only trivial to steal the car there is exactly no evidence of how I did it after the fact.


God forbid if you lose the keys or have the keys damaged to a point where they no longer function. My keys became damaged within 1 year and they charged me $230.00 to re-update the system to start the whole thing all over again. All it takes is another key or objects pressing on these cheap Chinese fobs in your pocket to damage them to the point they will not function!

Toyota claims they can only update the system 3 times - an artificial barrier designed to ****** the consumer for thousands of dollars passed off as a "security" feature? Really? Once a thief has stolen the vehicle he's going to gut the security likely before chopping it up for parts!

If I knew the facts on these "pre-packaged" options I would never have purchased a vehicle with such a system.

As far as Alexa or these smart phones with Google or Samsung voice recognition I soon discovered how easily they activate. My mom had such a phone. For some reason it would instantly key in on my voice in conversations while she often had to repeat at all times. I found it to be quite unnerving.

No one is allowed onto my property with one of these devices any longer. If business managers were smart they'd also keep these portable recorders off of their property too!

Go to a restaurant or public venue and you are being spied upon. Walk by a street lamp - it may have a camera and microphone.

Now we have accusations of the DHS hacking states as Georgia? WTF....

Russian "hackers" are the least of our concerns. It's Big Brother and little brother flushing this country down the toilet with all the privacy invasion perpetrated on ordinary citizens.



----------
"Mass intelligence does not mean intelligent masses."
Canadian-loon
Posts: 8
Incept: 2010-04-08

Vancouver
Karl, have you posted a list of apps that you use and trust?

I'm on a blackberry priv, have downloaded a few apps like WhatsApp, but when it asks for permission to my location and pic files I always say no, and as a result I don't have many apps I trust or use.
Mabman
Posts: 64
Incept: 2009-11-08

toronto
good article on this topic here http://www.zerohedge.com/news/2016-12-31....
Jymm
Posts: 411
Incept: 2012-01-22

Wisconsin
Remember, everyone on every side of the political divide has an agenda. News will always be slanted to their agenda. I did figure from the start that the story was at the very least an exaggeration. The biggest threat is from USB drives brought in by vendors. There are procedures to scan any USB drive before it can be inserted into the control system.

I have worked in power plants for the last 20 years, both utilities and IPP's (Independent Power Producer). There have always been two systems, the control system and the system for time slips, e-mails, and other company records, information and correspondence. Some companies have an intranet, and others allow you to access the internet depending on your job duties. Most companies have porn filters, and you will be fired if you try to get around them. Not worth the risk at all.

I would think if you really want to go after the grid you would go after the distribution system, like MISO (https://www.misoenergy.org/Pages/Home.as.... in the Mid-west. In the past most control systems were Unix based, although now Windows is making major inroads into control systems (which I do find more vulnerable personally). Utility companies are very aware of cyber threats and very active against them. Reliability is a major concern in the power industry.

Mannfm11
Posts: 5317
Incept: 2009-02-28

DFW, Tx
It appears the entire MSM has become nothing but propaganda. These people are insane, blaming the hacks on the Russians. I doubt the McCarthy mess was this extreme. I understand he was actually right on many accounts, including the Communists in the State Department. The email stuff is pure nonsense. So much nonsense they are now trying to have the government brand them as legit. The country has been led into extreme danger, by Obama and the Nuts.

----------
The only function of economic forecasting is to make astrology look respectable.---John Kenneth Galbraith
Travanx
Posts: 3991
Incept: 2007-11-07

Near Downtown Los Angeleez, Killafornia
We have a newer car with the keyless start. But after having a car stolen almost 100% using a dealer cut key, what does it matter. Nearly worth double now 5+ years later to give an idea why an older car was stolen. If someone wants it even a garage won't stop a thief. My car was a 993, but read stories about Integra Type-R's. Car forums have detectives with nice cars watching and PMing when people make a stink about something. I know for a fact the police do not care about car theft stuff, besides busting the chop shop.

I have tried to lock down our home internet big time. The only real way to understand what's going on is act like a hacker and see what they are doing.

Russian hackers on a laptop for a small electric company? That seems silly. I have friends in other infrastructure fields and that's more scary than electricity. Another specific infrastructure was tested a month or two ago. Keep lots of bottled water for emergencies.

----------
Ow my balls!
Rufust445
Posts: 728
Incept: 2007-08-11

Emerald City
My current ride was purchased used two years ago and has solenoid operated locks, but did not come w. the key fob clicker. I could buy a clicker and have it programmed for about $100, but have chosen not to for fear its radio signal could be intercepted. This car is my ninth since 1969, all with manual transmission, which these days is something of an anti-theft device.



----------
"The stock market isn't bullish, it's bull$hit." -- Alan King