Tag Archives: security

Blog

Oil rigs are vulnerable to hacking

1 Comment

oil rigIt shouldn’t come as a huge surprise – after all, anything that uses networked computing is at risk without the proper precautions – but independent researchers have declared oil rigs to be extremely vulnerable to hacking attempts.

While oil companies have made huge improvements in offshore safety and environmental protection, their efforts to secure important data have been poor, the SINTEF team says.

The group says that the current “integrated operations” model, which uses onshore workers to control processes carried out on the platform via networked PCs, leaves communications open to attack.

According to Science Daily, the team interviewed “key personnel in the petroleum sector” to get a sense of the data protection measures currently in place. The interviewees confirmed “that the number of safety incidents on production systems (platforms) has risen during past few years.”

Researchers said that hackers have already made their presence felt on oil platforms.

The worst-case scenario, of course, is that a hacker will break in and take over control of the whole platform,” says SINTEF scientist, Martin Gilje Jaatun. “Luckily, this has not happened yet, but we have heard of a number of incidents that could have turned into something quite dramatic. For example, virus attacks have led to process electronic equipment becoming unstable.

Frankly I’m surprised there haven’t been any major incidents so far, but it’s safe to assume that the inevitable resurgence of oil prices (not to mention the increasingly politicised nature of the fossil fuel industry) will make unmanned rigs into highly appealing target for hackers interested in protest or profit. [image by ccgd]

In fact, the profit motive is probably the stronger of the two… profit, or the prospect of free fuel. Any terrorist group or pirate nation looking for a ready source of the black gold would find it easy enough to hire some disaffected code-kiddie, then pay (or threaten) them enough to get them to bypass the security on an unmanned rig and then fiddle the telemetry for long enough to allow a physical invasion of the platform. Hey presto – a big base in offshore waters with all the oil you could ask for, and a target that even a major government is going to think twice about simply bombing to smithereens

Blog

The Red Dragon has no head – China’s citizen hackers

4 Comments

Chinese flagsThere’s been plenty of press recently about the threat of Chinese hackers undermining infrastructure in the West, and about the GhostNet network, which may or may not be a covert espionage tool of China’s government.

The trouble is that the line between state-sponsored or military hackers and young patriots with time and talent isn’t clear; it may be that the bulk of the “red hackers” aren’t employed by their government, and are just hobbyists with a convenient target. Some folk do it “for the lulz”; these people are allegedly doing it for their nation. [image by parrhesiastes]

From China, where I’ve lived for four years, this assessment looks spot-on. Hackers are pervasive, their imprint inescapable. There are hacker magazines, hacker clubs and hacker online serials. A 2005 Shanghai Academy of Social Sciences survey equates hackers and rock stars, with nearly 43 percent of elementary-school students saying they “adore” China’s hackers. One third say they want to be one. This culture thrives on a viral, Internet-driven nationalism. The post-Tiananmen generation has known little hardship, so rather than pushing for democracy, many young people define themselves in opposition to the West. China’s Internet patriots, who call themselves “red hackers,” may not be acting on direct behalf of their government, but the effect is much the same.

Is this, perhaps, the new emergent youth politics? Going out and fighting for what you believe in out in the digital trenches – even if the thing you’re fighting for isn’t quite what you think it is. And hey – if you get powerful enough, maybe it’ll start changing to be more like what you want to keep you sweet, as it becomes increasingly dependent on your leverage beyond the border. Talk about grass-roots change, right? [via Bruce Sterling]

What’s interesting to me is that patriotism can motivate these kids to hacking. Here in the UK, the most that nationalist sentiment can seem to stir up in young folk is the desire to thump brown people, and those easily swayed by such desires aren’t often in the possession of a mentality that would lend itself to 00b3r-1337 computer skillzorz; as a general rule, Western hackers tend to work against governments and authority (how much is that due to the influence of cyberpunk literature?), so it’s a cognitive dissonance moment for me to read about kids voluntarily furthering the cause of their nation rather than their own interests.

Which is one of the things that makes me wonder just how true all of these stories are. As a general trend, the last twelve months have seen a big increase in news stories that give us reason to fear an amorphous and distant conceptual bundle labelled “China”, in inverse proportion to coverage of the previous faceless multiplex global enemy, namely Muslim extremism. The economic crisis has made this particularly easy (China is buying up western debt! China is stockpiling commodities!), and climate change is a nice lever too (China won’t stop polluting, so why should we?).

While I understand the need for political rhetoric (and the media that feed from it, remora-like) to set up ideological opponents against which to rally the diminishing regiments of Western patriots, I sincerely hope we’re not headed for some sort of Cold War re-run. We’ve enough problems on our plate as it is.

Blog

Pupil-dilation stress-scanner: You’re walking through an airport…you come across a tortoise…

2 Comments

pkdThe Guardian reports that the U.S. government is looking for a way to spot evildoers by scanning for “physiological abnormalities.” A call for proposals says:

Early research has shown that pupil size varies with changes in a person’s cognitive processing load. Current but unproven studies suggest that a cognitive decision to deceive or practise deception will result in an increased pupil size due to the greater cognitive processing required in comparison to truthful recall.

Sounds more than a bit like the Voight-Kampff replicant-detector test from Blade Runner (it was Philip K. Dick’s idea, Guardian, not Ridley Scott’s). The reporter adds an appropriate note of skepticism:

I wonder how often a system might raise a false alarm, since a lot of people are pretty stressed going through airports even when they’re not up to anything mischievous.

[Image: Torley]

Blog

Spam ubiquity – even your Lexus is no haven

1 Comment

Lexus concept carOnce again, the physical space in which you can expect (or even hope) to avoid being relentlessly marketed at contracts in a dying spasm… that’s right, not even your car is a scared space any more, as
Lexus has announced plans to send targeted messages to owners of its cars based on the buyer’s zip code and vehicle type. Knowing how dependent on customer goodwill the luxury car brands are, I’ll be very surprised if this plan actually makes it to market. [via SlashDot]; image by SecondPrint Productions]

Speaking of spam, computer security researchers in Germany reckon they’ve found a serious chink in the Storm botnet’s armour that means it’s nowhere near as impregnable as previously thought. So why haven’t they smashed it up like a box of cheap crockery, then?

The team has not yet taken the final step of putting the whole thing into action with a genuine Storm Worm botnet in the wild. From a legal point of view, that could involve many problems. Any unauthorised access to third-party computers could be regarded as tampering with data, which is punishable under paragraph § 303a of the German Penal Code. That paragraph threatens up to two years’ imprisonment for unlawfully deleting, suppressing, making unusable or changing third-party data.

Oh, the irony. [also via SlashDot]

Blog

Schneier slams quantum crypto as ‘pointless’

bank vault doorSecurity maven Bruce Schneier (who’s an active science fiction fan, by the way) has a column up at Wired that gives quantum cryptography a vigorous kicking. Evidently he’s been noticing the same stories as myself, because he points out that “headlines like the BBC’s “‘Unbreakable’ encryption unveiled” are a bit much.” O RLY?

The big difference between Schneier and me, though, is that he really knows how this stuff all works… and as such, he’s not seduced by quantum cryptography’s golden promises:

Security is a chain; it’s as strong as the weakest link. Mathematical cryptography, as bad as it sometimes is, is the strongest link in most security chains. Our symmetric and public-key algorithms are pretty good, even though they’re not based on much rigorous mathematical theory. The real problems are elsewhere: computer security, network security, user interface and so on.

Let’s not forget the weakest link of all, either – the users themselves… [image by the anonymous collective]