So... what does this mean? I mean, if there are so many hydropower plants et al. vulnerable via VNC, how come we haven't had some major catastrophe? Is it simply more common to have a "read only" VNC vulnerability? (which is still a huge problem). Is VNC by default not password protected for read only viewing (and requires a password for taking control?)
Obviously nothing should be password-less by default, and should not have a "changeit" password (I'm looking at you, GlassFish), but I really hope that even if VNC lets you be in "guest view only mode" without a password by just knowing an IP (who does that?!) then at least I hope they still require a password to also take control, right? Please tell me they do. (otherwise I'll be surprised we are all still alive, to be honest)
I mean there are some controls there that I'm sure if the wrong person pushes that red button, something will go kaboom.
And there is no shortage of people out there who would not think twice to blow things up.
So yes, this is scary, but it also makes me very surprised that statistically we are probably not supposed to be alive by now if so many critical control systems have VNC exposed like that in a way that allows full control of the system and not just viewing.
Perhaps it's just selection bias: if the world had ended by now then I wouldn't be able to type this.
But still, seriously, with all these screenshots, I assume this is not something new, so how come I haven't yet heard of major real world damage due to a VNC vulnerability?
Is this really most likely to be a read only privacy issue? (which is not to be taken lightly, but not the same as being able to press "shutdown" on some power plant controls)
> And there is no shortage of people out there who would not think twice to blow things up.
I think this may be the essential flaw in the logic that says we should be dead by now. Maybe there is a shortage of people who want to blow things up without thinking.
Agreed. Given that airports have been closed because of an empty cardboard box with BOMB written on it in marker, if a lot of people wanted to mess with everybody else they could have done so easily.
Hah! People always say this sort of stuff, and while I don't believe it, I could never come up with an answer simpler than "go read that Better Angels book." I never looked at it like that before. I am going to use this line now, I hope you don't mind!
I think survivorship bias is the central flaw in "why aren't we dead by now". If survival depends on an event not occurring, I'd be extra careful in estimating its odds.
How many nuclear power plants have been blown up by hackers?
For whatever reason, civilizations suffer incredibly small damage relative to the amount of technical insecurity. The worst destruction comes from large scale war, not attacks.
That only seems to apply to "why wasn't I hit by a SCADA exploit". Unless an exploit that affects everyone in one fell swoop is given a material likelihood.
Judging by the continuous stream of people convicted for buying what they think are explosives from undercover FBI agents posing as jihadists, there are a lot of people that want to blow things up. Or take the 53,000 to 258,000 people that are estimated to be part of ISIS's military forces and allied groups. Thankfully, most of them are pretty stupid, but there are also plenty of highly educated terrorists and they tend to be engineers.
The flaw in the argument is likely GP's inference that "there are some controls there that I'm sure if the wrong person pushes that red button, something will go kaboom." Critical infrastructure tends to be better engineered than that. Cybersecurity threats are newer, less widely understood, and inadequately guarded against, but human error is an age-old problem.
> Judging by the continuous stream of people convicted for buying what they think are explosives from undercover FBI agents posing as jihadists, there are a lot of people that want to blow things up.
Well. If it were the case that there are lots of people trying to buy explosives from FBI agents posing as jihadists, I would go so far as to conclude that there are a lot of people who want _the ability_ to blow things up.
If there were a lot more office bombings, infrastructure bombings, etc, then I would agree that there appear to be a lot of people who want to actually blow things up.
By running these stings, the FBI has made it very hard for real terrorist plotters to get in contact with real would-be foot-soldiers. If someone agrees to carry out a bombing when a fake terrorist is asking, what makes you think they wouldn't do it when a real terrorist asks?
There's also this: "For months, the FBI used a confidential source to get close to Cornell, who allegedly said he wanted to hatch a plot inside the U.S."
"Get close to" in law enforcement parlance means "encourage criminal activity". If you read the details in these court cases, you repeatedly see an almost universal pattern of activity on the part of law enforcement to egg their targets on towards the criminal act. Drug "dealers" hassled for months to purchase LSD and repeatedly being told "no", only to finally give in and then get arrested. "Terrorists" being repeatedly contacted by informants or agents and plugged pro-terrorist encouragements for months until they agree to a part in some kind of "plot".
You have to remember that the vast majority of people won't take action by themselves. Even the crazy people that want to blow something up won't go out of their way to do it. It's the leaders you should be worried about. People that coordinate or incite others. Part of my career as an infantryman involved "riot police" training. The number one thing for arrest teams to do is to isolate and detain the people inciting the others. And this is why the powers that be are so hungry for mass surveillance: It's actually pretty easy to make giant relationship graphs of these networks to find the leaders. Remember the military talking about dropping five hundred pound bombs on phone numbers? They don't know who the person is, but they know he's a leader. Those people are easy to identify with enough information (and no, they don't need to unlock our iPhones to get at it).
It is in their best interest to keep pushing this idea that any random anti-government person is capable of an Oklahoma City bombing. The fact is, they're not.
OK, does that sound like the FBI's marketed image of a guy hanging around a playground giving out free samples to get kids hooked? They pick people who aren't dealers, and pressure them into dealing.
Exactly! Because that is what our system incentivizes! Those law enforcement and intelligence organizations have grotesquely enormous budgets and let's face it: They are shit-awful at stopping legitimate threats. That means they need to offset that terrible lack of efficiency with some number of "busts", even if they involve people that otherwise wouldn't be "dealers" or "terrorists" without the police egging them on. There is a huge incentive to go out and find dealers and terrorists, even in places where there actually aren't any.
>"Get close to" in law enforcement parlance means "encourage criminal activity". If you read the details in these court cases, you repeatedly see an almost universal pattern of activity on the part of law enforcement to egg their targets on towards the criminal act.
Do you think that real terrorist plotters just ask nicely once and then leave you alone?
Also, we're talking about mass murder here, not selling some acid. Maybe you're right about some of these drug cases crossing over into entrapment. A lot of people feel that drugs "aren't that bad" and if a friend bugged them enough, maybe they would try to find some. I don't know the facts sufficiently to conclude either way. But that's not what we're talking about here.
Right. It's all about people with power targeting people susceptible to those kinds of pressures. We have this habit in the developed world of shunning and shutting out people that are in or have been to prison. But you would do well to talk to those kinds of people. Our justice system takes the word of law enforcement over anyone else. That is a pretty precarious amount of trust in what is nothing more than another human being.
"Out of the crooked timber of humanity, no straight thing was ever made."
That's a myth. The FBI radicalizes mentally unstable people (which frankly most people are to some extent) (where radicalize means basically getting to say the kind of shit people spam Facebook and reddit with all the time) and then arrest them. The reality is vanishingly few people are both radical and have any notion of initiative and means to perpetrate an attack.
They target people who have said things online or in person, or have met with certain people, indicating their support for terrorism. Voicing support for terrorism is not illegal in this country, so you're totally wrong that that's what they're arresting people for. They then run the sting to see if the person is willing to carry out an attack, and takes concrete action toward that, like acquiring "explosives" or guns. At that point, they're guilty of a conspiracy.
How would a real terrorist find recruits inside a Western country? They'd find people that posted something indicating their support, and then they'd try to talk to them and coach them into carrying out an attack.
People do all kinds of things under peer pressure and coercion they wouldn't do otherwise.
There's plenty of stories of tptb totally overstepping the bounds of peer pressure and coercion. I'd even argue that most people will choose to follow the crowd to fit in, not rock the boat, rather than go against their peers.
>People do all kinds of things under peer pressure and coercion they wouldn't do otherwise
So should we wait for the real terrorists to apply this "peer pressure and coercion" instead?
We're talking about mass murder here, not pushing a little dope. Under what possible logic is an FBI agent able to convince someone to kill people, but a real terrorist isn't?
The only conclusion we can draw is that there are more FBI agents in a given part of the US than real terrorist recruiters. FBI agents also have training in persuasion (watch a segment from Last Week Tonight about interrogation to see an example).
As other comments have suggested, there are plenty of "ordinary" people who could easily be radicalized if 5/6 of their friends were actually agents telling them they had to do something for God and Country. We don't round them up in stings because they function just fine in society with nobody trying to push them over the edge. What the FBI is doing is entrapment.
Have any of the attacks in the US since 9/11 been caused by people recruited on the ground in the manner used by the FBI stings? No, they come from people acting spontaneously. The challenge isn't recruiters on the ground, it's extremist ideology. And FBI entrapment fuels that ideology, rather than tempering it.
>Have any of the attacks in the US since 9/11 been caused by people recruited on the ground in the manner used by the FBI stings?
There have been way more attacks in Europe, and people have been recruited with those tactics. Coincidentally, these kinds of sting operations aren't very common in Europe, and are even banned in many countries. If we want to win this battle, there's no room for bleeding-hearts. We must be methodical, cunning, and ruthless against those who would kill us.
This same bleeding-heart attitude is what leads to people serving a measly four years in prison for shooting at police officers with an AK-47 while trying to get away after committing a bank robbery. No one should be surprised that this same person was one of the Brussels bombers.
>The older brother, Ibrahim el-Bakraoui, robbed a Western Union branch in Brussels in 2010, spraying gunfire at police from a Kalashnikov as he attempted to flee, according to his lawyer at the time and government officials. Mr. Bakraoui was caught and sentenced to 10 years in prison. In 2014, he was released with an obligation to contact his parole officer once a month.
> Then, a shock wave hits the Enterprise and Timothy says that his ship was also hit by a shock wave. Picard tells Worf to raise shields but a new shock wave is even stronger than the first one. More power is diverted to the shields and another wave hits and is even stronger. Picard and Geordi discuss putting the energy of the warp engine to the shields. Timothy states that is what they said on his ship.
> Data suddenly asks Picard to lower shields and Worf does so. The next shock wave is harmless and the Enterprise is safe. Data realized that giving energy to the shields caused even heavier shock waves (the more power the ship generated, the heavier the shock), and these were ultimately responsible for the destruction of Timothy's ship.
The lesson learned is that a strong and more vicious front may be met by an even stronger response. Obviously analogies and metaphors are only illustrations, not arguments, but judging from what I know of human nature amidst intense opposition, I don't think that a "ruthless" approach will do anything but breed more ruthlessness.
I loved TNG, but it is also one of the most outrageously politically correct and morally relativist shows I've ever watched. And Voyager was even worse. One particularly sorry episode featured Janeway willing to sacrifice members of her crew just to avoid turning off a holodeck that spawned interesting characters. In another episode, the captain would again rather let crewmen die than use a medical treatment derived from historical unethical research. One episode of TNG comes to mind, where Picard is unwilling to beam a kid from his crew out of prison on some ass-backwards totalitarian planet, where they are planning to execute him, because of the prime directive and "respect for their laws". Are you kidding me? Of course in the show, there's always some deus ex machina that saves the day and none of the good guys have to die. In fiction, you can have your cake and eat it too. In real life, bad decisions have real consequences, like people dying.
Another line comes to mind now, where Picard wonders in amazement about how silly we were to let differences about "economic systems" drive us apart during the Cold War. Star Trek is like the poster child for wishy-washy moral relativism.
I'll take my political and moral cues from reality, not fun scifi shows written by an eccentric with a political agenda.
I'm sick and tired of this "realpolitik" bull. The reason we can't have nice things is because people give up on trying to have nice things. It's this bizarre combination of defeatism and selfishness that leads to bad foreign policy decisions and people dying.
I already pointed out that I was using TNG as an illustration, not an argument. But if you want reality, here's reality: people get pissed off when you attack and marginalize them and their friends and family. It's the role of the greater power to deescalate and try to integrate the oppressed, not wipe them out. Reality is that ruthlessness begets ruthlessness, and if your best counterargument to that is to call a TV show "wishy-washy", then you already know it's true.
Yeah, the issue has existed for years and is widely documented in the security community. There are a few reasons why we haven't seen more widespread chaos:
1. Lack of network visibility by the owners of ICS
2. Availability > Forensics
3. VNC interfaces don't always provide full access
And keep in mind that there aren't a huge number of these anonymous VNC instances to begin with. We're talking less than 10,000 instances of servers that don't have any authentication and only a fraction of them are ICS-related.
I've written/presented on the topic a few times, see:
It's important to understand that VNC is an open standard implemented by hundreds of different client and server packages. VNC does specify a password-authentication mechanism, but whether or not it's used, or how it's used, is entirely up to the implementation. Likewise with whether or not clients have control of the mouse and keyboard.
Historically, open VNC servers have been relatively difficult to find. I don't really mean difficult, just that you had to put some concerted effort into it and very few people did. It's a reasonably modern phenomenon that things like Shodan and other large-scale network scans (including accidental ones, like Google sometimes) can be used to quickly find them, and it's quite recent that someone has nicely packaged it into a website. So this is a problem with very little visibility until today. And it still doesn't really have that much visibility in the right place, which is the somewhat insular ICS industry (and a couple dozen other industries to a lesser extent).
SCADA HMIs and other ICS systems of that sort do often expose a VNC interface with no mouse and keyboard control, effectively a 'read-only' interface as you say. This is certainly less of a concern than allowing people on the internet control, but it is a significant and unnecessary security exposure. The kind of information revealed there can be very helpful to an adversary in finding a way to gain control.
In most cases, access to change configuration is protected, although it's often not protected well. I expect common vandalism against internet-exposed ICS to become more and more common going forward. In most cases it doesn't really have the potential to cause permanent damage, only reduced productivity or mere irritation to the real operators. This is not always the case, though. Idaho National Laboratories conducted a notable demonstration of causing permanent and disabling damage to a diesel generator via unauthorized access to a SCADA interface (the Aurora demonstration).
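The comment above makes the point that the RFB (VNC) protocol negotiates authentication per connection and leaves both the auth requirement and input control to the implementation. The following is an added example, not code from this thread or from any VNC project: a small offline parser for the RFB ProtocolVersion and security-type messages (per RFC 6143 and the registered security types), run over constructed handshake bytes, so a defender inventorying their own servers can tell from a captured handshake whether "None" authentication is on offer. The sample handshakes and the function names are constructed for illustration.

```python
"""Parse the RFB (VNC) handshake to see which security types a server offers.
Added illustration for the thread above; sample bytes below are constructed."""
import struct

# Security type numbers: 0-2 from RFC 6143, the rest from the IANA RFB registry.
SECURITY_TYPES = {
    0: "Invalid", 1: "None", 2: "VNC Authentication",
    5: "RA2", 6: "RA2ne", 16: "Tight", 17: "Ultra", 18: "TLS", 19: "VeNCrypt",
}


def parse_version(msg: bytes) -> tuple:
    """ProtocolVersion is exactly 12 bytes, e.g. b'RFB 003.008\\n'."""
    if len(msg) != 12 or msg[:4] != b"RFB " or msg[7:8] != b"." or msg[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    return int(msg[4:7]), int(msg[8:11])


def parse_security_types(msg: bytes, minor: int) -> list:
    """RFB 3.7+: u8 count then `count` u8 types; count 0 means the server
    refused and a u32-length reason string follows.
    RFB 3.3: the server simply picks one type, sent as a big-endian u32."""
    if minor >= 7:
        count = msg[0]
        if count == 0:
            (rlen,) = struct.unpack(">I", msg[1:5])
            reason = msg[5:5 + rlen].decode("latin-1", "replace")
            raise ConnectionError("server refused connection: " + reason)
        return list(msg[1:1 + count])
    (sectype,) = struct.unpack(">I", msg[:4])
    return [sectype]


def assess(version_msg: bytes, sectypes_msg: bytes) -> dict:
    """Summarise what a server advertised. Note: RFB has no 'view-only' flag;
    a read-only server just ignores KeyEvent/PointerEvent messages, so the
    handshake alone cannot tell you whether input is accepted."""
    major, minor = parse_version(version_msg)
    types = parse_security_types(sectypes_msg, minor)
    names = [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in types]
    return {
        "version": "%d.%d" % (major, minor),
        "types": names,
        "unauthenticated": 1 in types,   # type 1 == None: no password at all
    }


# Constructed handshakes standing in for captures from three hypothetical hosts.
SAMPLE_HANDSHAKES = {
    "hmi-open":      (b"RFB 003.008\n", b"\x01\x01"),          # offers only None
    "hmi-password":  (b"RFB 003.008\n", b"\x02\x02\x13"),      # VNC auth or VeNCrypt
    "legacy-3.3":    (b"RFB 003.003\n", b"\x00\x00\x00\x01"),  # 3.3 server chose None
}


def audit_samples() -> dict:
    """Run assess() over every constructed sample; returns name -> summary."""
    return {name: assess(v, s) for name, (v, s) in SAMPLE_HANDSHAKES.items()}


if __name__ == "__main__":
    for host, summary in audit_samples().items():
        flag = "NO AUTH" if summary["unauthenticated"] else "auth required"
        print("%-14s RFB %s  %-30s %s" % (host, summary["version"], summary["types"], flag))
```

On a real network the two messages would come from the first bytes the server sends after connect and after the client echoes its version; the parser itself never opens a socket.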
FYI: Websites like this have actually existed since late 2013 when Paul McMillan scanned the Internet for VNC images live during his talk and made the results available via a website in real-time. He did it again in 2014 at Defcon together with Dan Tentler and Rob Graham. Later that year people at CCC released a VNC roulette and they did the same again in 2015. And Shodan has been grabbing VNC images as well since 2014, made available at https://images.shodan.io
I consider this timeframe to be quite recent, for the reason that most of these systems, in ICS especially, have been installed for quite a bit longer. One of the biggest problems in that industry, as I'm sure you're aware, is the relatively very long lifecycle of equipment, and low rate of in-the-field updates.
Yes, you're right. Compared to how long these systems have actually been connected to the Internet it's only recently that we've started measuring the extent of their exposure.
Not saying VNC is to blame, but there are a number of folks very gravely concerned about the insecurity of most SCADA systems. When your infrastructure and operations are built on hardware and software expected to last 30+ years, it's hard to consider the security implications so far out.
I think it is unreasonable to expect networked software to stay secure for that long. If it isn't networked in any way then sure, that might work but then again, 30 years is a long time.
Adding remote software control to physical things like water treatment and electrical systems adds a lot of convenience, safety, and saves loads of money but perhaps some of that savings should be spent on more vigilance in regards to security.
> if there are so many hydropower plants et al. vulnerable via VNC, how come we haven't had some major catastrophe?
> And there is no shortage of people out there who would not think twice to blow things up.
From my observation, those people tend to be those that care more about doing "flashy" things (i.e. be seen), rather than solving problems and bypassing protections. People that get access to important systems or acquire the skills to mess things up tend to be satisfied by having solved a puzzle and being able to mess things up.
Of course, some have. See Stuxnet (actually somewhat serious). The point is that this intersection is fairly small and only a fraction of compromised systems will actually get things messed up.
I hope I'm wrong but I feel that if a group like ISIS could do some major damage using a click of a button, then they would. And they are probably actively trying.
They can kidnap / recruit hackers and force them / brainwash them into doing anything.
They are not stupid and we saw they have no red lines. Instead of banning encryption the FBI and Interpol should force dangerous infrastructure to close their security gaps first.
I just browsed around a bit (with a VNC client) and while most are closed now maybe about one out of five to ten are still open. And they are not just read-only access. Some of them are demo systems though.
I didn't even know read-only VNC was a thing, and I feel a lot less mortified about the various control panels with instrument status we're seeing. I don't give a crap if the wider Internet can see the temperature of the walk-in fridge at the lab.
I just found a PracticeFusion machine at a pediatrics office, with patient names, addresses and dates of birth. Not quite the same scale as taking down a dam, but I would surely be unhappy if my daughter's credit score tanked before her age hit single digits.