You know what, my buddy was driving last night and I had the luxury of having a couple more than usual. I was being an … well the rules of this forum don’t allow for the description, but you seem smart enough to fill in the gray area here. For that I apologize.

That being said, it seems to me that if someone hacked into the grid of a European country and shut it down, there would be more coverage from more news outlets (Fox, CNN, ABC, NBC, CBC, TASS, Saturday Night Live), and that the coverage would be more complete. It would at least cite a country. The article referenced stated that Estonia’s “Russian Hackers had been blamed” but it failed to mention who was doing the blaming, and made mo mention of an attack on their power grid. The article on California stated that the attack did not affect power distribution.

Of course none of this really matters. When I lived in Boise, all of the power downtown was shut down by a squirrel that found its way into a substation.

Is a malicious attack on the power grid possible? I’m sure it is. But If I lived in a community that was fifty or so miles north of the Gulf, twenty or so miles south of the San Jacinto river, a hundred feet or so above sea level, on three highway arteries that are notoriously clogged with traffic, and I felt that the hacking was a risk, logic would dictate that I be worried about infectious diseases (bird flu is but one) because of the constant presence of stagnant water and global climate change (because I would be potentially hemmed in between the gulf and a river near the gulf with no reliable way north) because they to would be a risk as well.

I’m not trying to argue here, I’m honesty interested in how one (not just you, but anyone) calculates threat, and then decides how to insulate one’s self from it. What information does one retain, what information does one discard? How does one attach a value to the risk (perceived or actual)? I look forward to a discussion on the subject if you are interested.

Respectfully,
Biscuits

Since we're on the topic of electric plants, hackers aren't the only thing they're worried about.



Wow. Thats cutting it pretty close.


http://my.earthlink.net/article/top?guid=20080123/4796c9d0_3ca6_1552620080123139565434

Dumb question. Why can they not use seawater?

LED,

Two reasons. First, salt in sea water is VERY corrosive to metal. If the alloys used in the system weren't designed to handle sea water then they'd be perforated with holes in a matter of weeks.

Second, the salt would also build up scale deposits on places, especially heat exchangers and anywhere the flow rate changes. This would ruin the effeciency or completely plug up the system in a manner that would be very difficult to un-plug.

-Blast

Oh man, lucky you! I'm usually stuck being the responsible one. Hmmm, though that might be because things tend to blow up when I get drunk.

My response was also a bit sharp. I wasn't drunk but I had had an excellent day at work and was feeling really, really smart. Yesterday I applied for another patent and also solved an unrelated chemistry problem that has been stumping people for over ten years. Definately not the time to question the intelligence an egotistic Ph.D.

The idea of a thread on threat assesment is a good idea indeed.

-Blast, still high on success

Lack of investment in electrical power generation and distribution rather than 'a hacker in a cave in Afghanistan' is much more likely cause of electrical power going down. Those countries that have a lack of investment in their electrical power distribution networks seem to have the most problems with blackouts and brownouts especially when having to cope with adverse weather conditions.

I don't remember any blackout in Britain after the North East American incident in 2003 , but some 500,000 Londoners had a 34 minute blackout on the 28th August 2003. I think that this might be what your probably refering to. As with anything that happens in London, it soon becomes a national emergency and is blown out of all proportion by the London based media.



The Estonian incident was a distributed denial of service DDoS attack on certain web servers based in Estonia. The webbots being mostly distributed in unsecure computers from US networks. This is completely different to a hacker gaining access by logging in to a secured network which may possibly have some controlling function within a power station or even the control room of the electrical distribution network. The chances of this are pretty remote without someone breaching the electricity companies strict security measures i.e someone with super user admin rights within the organisation.

But then again this reminds me of the story of a British hacker who wrote a simple cgi script which scanned through all the US Pentagons military .mil websites looking for login scripts and then reported back the ones which accepted UN=admin and PW=password. Even he was surprised how many Pentagon .mil websites/secure networks he was able to access.

The moral of the story is - If your using a wireless router turn on the wireless security and in addition if using a non-wireless router turn of the remote access to the router and change your routers default access Username and Password.

Install a firewall and monitor the programs and ports the programs are attempting to use to gain access to the internet.

Install a anti-virus prgram.

Install a spyware program.

Because if a terrorist is going to bring down the national electricity grid you don't want the Feds turning up at your door after tracking down your IP address.

I have always been curious - why do so many people refer to terrorists living in "a cave in Afghanistan" to poo-poo the notion that terrorists are capable of doing anything that requires advanced logistics, co-ordination, or technical expertise? Osama Bin Laden may have been holed up in a cave in Afghanistan, but he was certainly not some technically incompetent troglodyte.

As for cyber-warfare/cyber-terrorism, it's been known for quite a while that both military organizations and terrorist groups are very interested in using the Internet, not just for communications, propaganda and recruiting, but for launching attacks on critical infrastructure.

Many computer security experts (not just Bruce Schneier, he's just the most vocal about it) believe that the 2003 North American blackout was caused by the Blaster worm, which they suspect an employee - either maliciously or carelessly - introduced into the system.

Aum Shinrikyo, the friendly Japanese cultists who brought you "Sarin on the Subway", make a special effort to recruit computer science and mathematics students into their ranks. The cult is known to own at least five computer companies. In 2000, it was discovered that "A female member of the AUM Shinrikyo cult was involved in the development of online systems at Kiyo Bank", where she "was believed to have had access to the names of clients, as well as data on their assets, annual incomes and transaction records".
(http://findarticles.com/p/articles/mi_m0XPQ/is_2000_March_6/ai_59998378)

Plans to implement a computer system developed for the Japanese national police authorities were delayed indefinitely after it was discovered some of the software had been developed by a subcontractor that was owned by Aum Shinrikyo.

"...why do so many people refer to terrorists living in "a cave in Afghanistan"..."

Because it minimizes them as a threat emotionally.

Underestimating your enemy doesn't seem very smart, to me.

Sue

After my first roadside bomb strike, which left one of our 3 million dollar armoured vehicles burning on the side of the road while we gathered the pieces of our friends and stuffed them into bags…….. I quickly realized just how well organized, efficient and downright smart our Enemy could be. Even with our state of the art equipment and extensive training this happened to us almost every week . As fast as we could invent a way to counter what they were doing, they in turn would invent a new way to counter us. Any one who makes the mistake of thinking these terrorists are not as well organized as we are obviously doesn’t pay much attention to the news. This may be my own opinion buts it’s just a matter of time before they figure out how to take the fight to North American soil in a way worst than 911. If there is a way for them to shut down power or worst, via computers or any other means, they will find it and they WILL try it. They are smarter than most of us give them credit for.

Hi aardwolfe,



That really wouldn't surprise me at all. The first Blaster worm started making an appearance on the 11th August with the North Eastern Rolling Blackouts occouring on the 14th. The Blaster B variant worm was rewritten/modified by 18 year old Jeffrey Lee Parson from Hopkins, Minnesota. What is surprising in the fact that Jeffrey didn't have the intelligence not to get caught launching his modified worm.

The Blaster worm was a real pain at the time, but the problem wasn't really Jeffrey Lee Parson (why he didn't just email bill.gates@microsoft.com to tell him to get his windows security holes fixed instead, I don't know ), it was the fact that so many people using computers didn't really have any idea about even the most basic understanding of computer security, not even the folks at Microsoft whose XP SP1 and 2000 OS's were vunerable to worms such as the Blaster B. XP SP2 was released a year later, which then had the OS firewall turned on by default. Even more surprising is the fact that critical network infrastructures such as water, electrical power etc are using Microsoft OS's which were well known to be so full of security holes at the time.

My point from my earlier post was that if people are going to leave their computers vunerable to be hijacked and be used for DDoS attacks and for email spamming or left open becuase changing a default password was to much of a pain etc then there is a responsibility by everyone not make it easy to aid organised crime and terrorist organisations. Sorry to say, but most of the spam (the worm and virus vector) being generated world wide is from organised crime operating from within US network users.

The problem of the mole working on the inside is a much more difficult problem to solve. Most of these companies (including ISPs) now use outsourced companies based in countries such as India to manage their customers accounts and even IT backoffice functions purely to save on operating costs.

If the electrical power grid goes down because of a 'cyber attack', don't blame the 'terrorist', it really is just the electrical power companies fault, simply because of their lack of investment, their greed, their lack of personnel training, their lack of IT security procedures and their incompetence.