
[Offers] Colonial pipeline hacked



Shropshire Seagull

Well-known member
Nov 5, 2004
8,788
Telford
If it's got an IP address, it can be hacked. The IoT is a gateway on the network which allows you to pivot on to a machine to escalate privileges, leading to owning the domain.

Once you own the domain, you got full control.

That's like saying "wherever there is a door it can be opened and once inside you own the house" - whilst half true, we put locks on doors and for things like safes, we make the doors and locks out of especially tough materials, so not impossible to get in, but by no means easy either.

In the IT world [I'm sure you know this] we use things called firewalls. Admittedly these can be configured to be as secure as your garden shed door but they can also be designed to be like getting into Fort Knox. Depends on the value of what you are trying to protect as this will drive the effort you take to protect. I have some experience of "Crown Hosting" where our Government keep their most secure data and every device [inc the firewalls] has an IP address - good luck trying to break into that - and if you should try - be prepared for a tap on your door and a stretch at Her Majesty's pleasure.

Agreed, Fort Knox is not impossible to enter, but there aren't too many people who would know how - if there was, they'd be getting robbed every week.

All that said, I do agree that cyber-terrorism is probably fast becoming the greater threat over bombs and bullets. A scenario I read recently - imagine the carnage if Iran or North Korea [etc.] were able to hack the US Power Grid or drinking water filtration systems.
 




dadams2k11

ID10T Error
Jun 24, 2011
5,024
Brighton
That's like saying "wherever there is a door it can be opened and once inside you own the house" - whilst half true, we put locks on doors and for things like safes, we make the doors and locks out of especially tough materials, so not impossible to get in, but by no means easy either.

In the IT world [I'm sure you know this] we use things called firewalls. Admittedly these can be configured to be as secure as your garden shed door but they can also be designed to be like getting into Fort Knox. Depends on the value of what you are trying to protect as this will drive the effort you take to protect. I have some experience of "Crown Hosting" where our Government keep their most secure data and every device [inc the firewalls] has an IP address - good luck trying to break into that - and if you should try - be prepared for a tap on your door and a stretch at Her Majesty's pleasure.

Agreed, Fort Knox is not impossible to enter, but there aren't too many people who would know how - if there was, they'd be getting robbed every week.

All that said, I do agree that cyber-terrorism is probably fast becoming the greater threat over bombs and bullets. A scenario I read recently - imagine the carnage if Iran or North Korea [etc.] were able to hack the US Power Grid or drinking water filtration systems.

You can have the best firewalls, IDS, and IPS and spend millions on it, but the easiest way in is the staff.

I could social engineer a member of staff at a company and get in. Craft and send an email to a staff member from another staff member with a link, picture, PDF, Excel or Word doc plus many other ways, and I have access. Why would they not trust a colleague's email?

Once I have them, I can look for ways to elevate privileges and I own it.

5 min job [emoji106]
 


beorhthelm

A. Virgo, Football Genius
Jul 21, 2003
36,016
You can have the best firewalls, IDS, and IPS and spend millions on it, but the easiest way in is the staff.

I could social engineer a member of staff at a company and get in. Craft and send an email to a staff member from another staff member with a link, picture, PDF, Excel or Word doc plus many other ways, and I have access. Why would they not trust a colleague's email?

Once I have them, I can look for ways to elevate privileges and I own it.

5 min job [emoji106]

Put the operational controls on a separate network. Desktop with no office applications, preferably *nix based. You can't access it.
 


lost in london

Well-known member
Dec 10, 2003
1,836
London
I know nothing, but instinctively feel a failure / hack of banking systems leading to a complete lack of trust about how much money individuals, companies and states have could effectively be the end of the world. Almost makes you want to stick a few grand under the bed just in case. Feels horribly inevitable.
 


dadams2k11

ID10T Error
Jun 24, 2011
5,024
Brighton
Put the operational controls on a separate network. Desktop with no office applications, preferably *nix based. You can't access it.
Of course you can. One of the first things you check once you have access is the ARP table to see if there are any other networks.

There will be an RDP session opened on the separate network for remote access if something went wrong with it. You couldn't have a system that is that important just on one client on one network. What's the failover?
 




Shropshire Seagull

Well-known member
Nov 5, 2004
8,788
Telford
You can have the best firewalls, IDS, and IPS and spend millions on it, but the easiest way in is the staff.

I could social engineer a member of staff at a company and get in. Craft and send an email to a staff member from another staff member with a link, picture, PDF, Excel or Word doc plus many other ways, and I have access. Why would they not trust a colleague's email?

Once I have them, I can look for ways to elevate privileges and I own it.

5 min job [emoji106]

But invariably a change [to enable access] is never a one-person decision, there are change-control-boards so decisions to give access are made by a committee, not one person. Never will an email suffice - jeez, when I was at Rolls-Royce there was actually a change-request submitted for a fecking light-bulb, all because said light bulb was in the server room and their policy [at that time] was anything electrical related within a server-room MUST go through change control - if you wanted so much as a firewall-change, that had to be signed off by God himself.

Don't get me wrong, I'm not saying it's impossible, but processes and procedures are put in place to prevent a single person unilaterally getting themselves access.
Security clearance of DV and above helps to weed out the wayward employee - but as I keep saying, not impossible. But by no means easy either.
Your example above wouldn't get you very far with the organisations I've worked with in the past.
 



Deleted member 22389

Guest
You can have the best firewalls, IDS, and IPS and spend millions on it, but the easiest way in is the staff.

I could social engineer a member of staff at a company and get in. Craft and send an email to a staff member from another staff member with a link, picture, PDF, Excel or Word doc plus many other ways, and I have access. Why would they not trust a colleague's email?

Once I have them, I can look for ways to elevate privileges and I own it.

5 min job [emoji106]

Out of interest, would this be targeting Windows machines? What about Linux? I've been using Linux for years and I do know the more popular it gets the more it will become a target.
 


dadams2k11

ID10T Error
Jun 24, 2011
5,024
Brighton
But invariably a change [to enable access] is never a one-person decision, there are change-control-boards so decisions to give access are made by a committee, not one person. Never will an email suffice - jeez, when I was at Rolls-Royce there was actually a change-request submitted for a fecking light-bulb, all because said light bulb was in the server room and their policy [at that time] was anything electrical related within a server-room MUST go through change control - if you wanted so much as a firewall-change, that had to be signed off by God himself.

Don't get me wrong, I'm not saying it's impossible, but processes and procedures are put in place to prevent a single person unilaterally getting themselves access.
Security clearance of DV and above helps to weed out the wayward employee - but as I keep saying, not impossible. But by no means easy either.
Your example above wouldn't get you very far with the organisations I've worked with in the past.
Sorry, I think you may have misunderstood me.

As an attacker, I would send an email with an undetectable reverse TCP connection via a link, PDF, picture or Word or Excel document from someone that they worked with so it would look genuine, and as soon as that link or whatever has been opened, I'm in. The next challenge is to escalate privileges to become domain admin or NT Authority/System user (god rights) to own the network.
 




Shropshire Seagull

Well-known member
Nov 5, 2004
8,788
Telford
Of course you can. One of the first things you check once you have access is the ARP table to see if there are any other networks.

There will be an RDP session opened on the separate network for remote access if something went wrong with it. You couldn't have a system that is that important just on one client on one network. What's the failover?

And auto audit / intruder alerts will be pinging off all over the place with unauthorised access detected!

I've no idea where you've worked in the past but it sounds rather like the most valuable data asset to protect was a sales ledger?
You make it sound so easy to hack, but properly secure systems really aren't an easy hack.
And we regularly pay big bucks for hacking professionals [returned from the dark side] to perform both infrastructure penetration tests and application penetration tests - and we give them an IP as a starter for 10.
 


Gazwag

5 millionth post poster
Mar 4, 2004
30,732
Bexhill-on-Sea
If you've got a spare 10 minutes this is a great read: https://www.newyorker.com/magazine/2021/04/26/the-incredible-rise-of-north-koreas-hacking-army (about North Korea hacking banks and bitcoin exchanges to transfer money out).

Pretty much anything can get hacked if enough people are persistent enough to keep trying and don't have to worry about getting caught.

To be honest, the amount of stupid people who are quite happy to answer Facebook shares with their personal data makes it simple for hackers.
 


Shropshire Seagull

Well-known member
Nov 5, 2004
8,788
Telford
Out of interest, would this be targeting Windows machines? What about Linux? I've been using Linux for years and I do know the more popular it gets the more it will become a target.

In industry, Windows Server o/s is probably the most common for application servers but the more secure/critical stuff is either Red Hat, SUSE or Oracle Solaris based o/s.

Interestingly [maybe], I've never worked for any organisation that trusted their server o/s to Apple iOS :down:
 




Cheshire Cat

The most curious thing..
US Consumer Product Safety have put this tweet out:

[Tweet]1392482092823502849[/tweet]

After this happened in 2019 during a previous fuel shortage


I think that is known technically as "creating a car bomb".
 


dadams2k11

ID10T Error
Jun 24, 2011
5,024
Brighton
Out of interest, would this be targeting Windows machines? What about Linux? I've been using Linux for years and I do know the more popular it gets the more it will become a target.
If it's got an IP address it can be hacked.

It's a myth that Macs and Linux can't be hacked. You just use a payload for those systems. Websites are usually hosted on Linux machines, which then opens up different avenues of attack through manipulation of code or my favourite, SQL injection. If a website is not set up properly you can gain admin access just by finding a login form and simply typing ' OR 1=1 in the username field. You can also see data tables printed out on the screen in front of you. It's very interesting and scary at the same time.
 


dadams2k11

ID10T Error
Jun 24, 2011
5,024
Brighton
And auto audit / intruder alerts will be pinging off all over the place with unauthorised access detected!

I've no idea where you've worked in the past but it sounds rather like the most valuable data asset to protect was a sales ledger?
You make it sound so easy to hack, but properly secure systems really aren't an easy hack.
And we regularly pay big bucks for hacking professionals [returned from the dark side] to perform both infrastructure penetration tests and application penetration tests - and we give them an IP as a starter for 10.
I'm a pen tester myself [emoji16].
 





Deleted member 22389

Guest
In industry, Windows Server o/s is probably the most common for application servers but the more secure/critical stuff is either Red Hat, SUSE or Oracle Solaris based o/s.

Interestingly [maybe], I've never worked for any organisation that trusted their server o/s to Apple iOS :down:

I was admin for quite a large website many years ago now. I'm not up to speed with things these days, but I do remember installing our site on a dedicated server running BSD with Apache, MySQL, PHP; shall we call this a BAMP server lol.

As the site got bigger we went over to Red Hat. Yes we paid the price but we got decent support.
 


beorhthelm

A. Virgo, Football Genius
Jul 21, 2003
36,016
Of course you can. One of the first things you check once you have access is the ARP table to see if there are any other networks.

Sure, but your approach relies on noddy Windows land with a plethora of user applications and security vulnerabilities. If you start with operational applications only and on a more secure OS, you've reduced your vectors to near zero. You'll have to show up on site to try your social engineering.
 


dadams2k11

ID10T Error
Jun 24, 2011
5,024
Brighton
Sure, but your approach relies on noddy Windows land with a plethora of user applications and security vulnerabilities. If you start with operational applications only and on a more secure OS, you've reduced your vectors to near zero. You'll have to show up on site to try your social engineering.
No, you don't have to be on site to social engineer... An email can be crafted from one user to another and it will look legitimate. It's not hard to find staff who work for companies, LinkedIn being the first port of call, then finding the naming convention companies use for user names and email addresses, i.e. joe.bloggs@fake.com, jbloggs@fake.com or bloggsj@fake.com.

I'm not for one second suggesting it's easy to hack, because it's not, but we've got some bloody good tools that make things easier.

Reconnaissance is the main part.
 


beorhthelm

A. Virgo, Football Genius
Jul 21, 2003
36,016
In industry, Windows Server o/s is probably the most common for application servers but the more secure/critical stuff is either Red Hat, SUSE or Oracle Solaris based o/s.

Interestingly [maybe], I've never worked for any organisation that trusted their server o/s to Apple iOS :down:

Apple did do servers for a while, decent kit by all accounts. Lacked the tools and applications to move out of the education and small office market, and of course expensive. With BSD under the hood there's no reason you couldn't use macOS except the hardware cost of a Mac. You can run it on generic hardware, but once into "getting it to work" you might as well stick with a proper server OS.
 




Lethargic

Well-known member
Oct 11, 2006
3,511
Horsham
Working in IT Security for 20 plus years, I am only surprised that it has taken this long to happen. Still, thank god the USA banned Huawei network devices.

The Internet of Things will be an absolute battlefield over the coming years; the only safe system is one that is turned off, and that still carries some risks.

Sales of these will go through the roof when people start wrapping their fridge, car etc.
tinfoil hat.jpg


tin foil car.jpg
 

