philosecurity

I really loved Robert Graham’s article about the Brazilian power outages. He writes:

“Most rumors of hacker infiltrations are false. If you investigate computers in any large organization hard enough, you’ll find malware. This doesn’t mean hackers have broken in, because most viruses are not under control of the hacker who launched them. Also, things get on computers that trigger deep scans from anti-virus scanners that are not necessarily malicious malware. This malware becomes a distraction to finding the true cause of what happened. Thus, when investigating a power outage, finding malware on computers doesn’t mean hackers caused the outage.”

Sure, mankind created the Internet. That doesn’t mean we’re in charge.

When Robert Tappan Morris wrote the code for the first Internet worm, did he expect that it would spread? Sure. Did he expect that it would take down 10% of the Internet? No way.

When Chén Yíngháo wrote the very nasty Chernobyl virus back in 1998, did he expect that it would demolish over 700,000 systems worldwide, including the Korean Supreme Court and Turkish police departments? Nope. (And companies like IBM, Yamaha Corp. and Activision certainly didn’t intend to distribute it in their commercial products.)

People don’t control the Internet, just like the sun doesn’t go around the earth. A single computer sitting on your desk at work is the product of millions of people’s efforts, and the environment and the technology are constantly changing. Malware spreads like bacteria. Large networks of computers are like organisms which we can only generally predict.

Accidents, poor design and lack of maintenance are a huge contributing factors to cascading network disasters. A lot of networks are old, poorly maintained and getting more unstable by the day. I’ve seen systems in critical facilities crash when exposed to default nmap scans. Our most important systems are often the least frequently updated, because it’s hard to schedule down time and changing software or hardware is always risky. Unfortunately, lack of resources in government, utilities and other critical sectors is a big part of the problem.

“There is a risk,” writes Graham. “Hackers will eventually cause a major power outage. In the grand scheme of things, though, it’s not a big deal. Major power outages from accidental mistakes will always be a bigger threat.”

Destruction isn’t the greatest incentive. Viruses that kill their hosts don’t tend to spread, and similarly hackers who destroy their targets have a tough time generating profits.

As long as there are credit card numbers to distract them, we’ll all be fine.