Now, it is not unusual for government agencies to share information and warn of potential threats to services or even general dangers (potential terrorist activity). It is also not unusual for some of these warnings to be confidential (the three Amber warnings were not intended to be released to the public). However, it is not normal at all to ask the people responsible for protecting these services at publicly traded companies not to do anything.
Another unusual thing about these warnings is the level of detail in them. According to one source, the warnings contained exact file names, IP addresses of the affected systems, and more. If someone was suspicious, it might seem like they were intended to ensure that the security teams would find the proof of the intrusions. The second request, to leave any intruders detected alone, was also very odd. The normal protocol is to block as soon as the intrusion is found, but for some reason DHS wants the intruders left alone. Having worked in security (both physical and IT), we find this the most concerning point, and one that we would probably not comply with in any case.
So where do we stand with the release of these “confidential” alerts? Well let’s look at what we know.
It is a well-documented fact that SCADA (Supervisory Control and Data Acquisition) devices have been put on corporate networks for infrastructure services in the past, and that these devices often have no encryption, are left with default passwords, and in many cases are left exposed on the open internet. This came to light after someone ran a Google search that turned up these devices.
Intrusions into command and control centers for infrastructure services are not uncommon and usually take the form of a social-engineering attack (a fake email, message, etc.) against an employee or employees to compromise a single system. (Ok, here we have to wonder WHY employees at critical infrastructure services are allowed online at all???) We have seen a few of these where the intruder got in, found out what they wanted and got out. To date there has not been a reported case (important word here) of an outside intrusion that resulted in a shutdown of services (even a temporary one).
DHS has never asked security response teams (physical or IT) not to block attempts at access to critical services. This is an unprecedented request and one that raises serious concerns not only about the nature of the intrusion, but also about its veracity. This ties in with the near overabundance of information provided to confirm the intrusion, and while all of this may indeed be above board, there are still some things that do not mesh properly here.
Congress (it has already passed the House of Representatives) is preparing to vote on a bill that would enhance the sharing of information about cybersecurity threats between corporations and government agencies. The bill has passed the House despite heavy opposition from the public and even from members of the House who say the bill is far too broad and grants too much power to agencies like the FBI and the Department of Homeland Security. Bundled in the bill (CISPA) is an amendment that would grant DHS additional power to counter cyber threats and control the internet in times of crisis.
What we have here is a collection of circumstantial evidence that could indicate that DHS detected a common intrusion attempt, made sure the companies in question (the ones actually breached) found it, and now wants to raise the stress level with the odd request to leave the intruders alone unless they are going to break something. All in an effort to show just how badly both CISPA and the amendment for DHS are needed. Believe me when I tell you that intrusions are taken extremely seriously for infrastructure services even in the corporate world. You do not simply let the attackers walk around the house once you find out how they got in. You might isolate the target system and leave dead-end links to keep suspicion low, but you never just leave them alone.
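The two points above, the level of indicator detail in the alerts (exact file names and IP addresses) and the normal response of isolating the affected system rather than leaving the intruder alone, can be illustrated with a small indicator sweep. The following is an added example written for this post, not code from the original article or from DHS; the indicator list and log lines are constructed (the addresses come from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges), and the log format is a simple syslog-like layout assumed for the illustration.

```python
"""Sweep log lines for alert indicators and group the hits by affected host.

Added illustration, not from the original post. Indicators and log lines are
constructed; the log format is an assumed syslog-like layout.
"""
import re
from dataclasses import dataclass

# Constructed indicator list standing in for the detail an alert might carry
# (file names and IP addresses). Placeholder values only.
INDICATORS = {
    "ips": {"192.0.2.45", "192.0.2.77"},
    "files": {"updater_svc.exe", "wmi_helper.dll"},
}

# Constructed log lines (not real data): "<timestamp> <reporting host> <event> ...".
SAMPLE_LOGS = [
    "2012-05-02T01:12:03 fw01 ACCEPT src=192.0.2.45 dst=10.1.1.20 dport=445",
    "2012-05-02T01:12:09 host20 FILE_CREATE path=C:\\Windows\\Temp\\updater_svc.exe",
    "2012-05-02T01:13:40 fw01 ACCEPT src=198.51.100.8 dst=10.1.1.20 dport=443",
    "2012-05-02T01:15:01 host31 FILE_CREATE path=C:\\Users\\ops\\report.docx",
    "2012-05-02T01:16:22 fw01 ACCEPT src=192.0.2.77 dst=10.1.1.31 dport=502",
]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r"^\S+\s+(\S+)\s")   # second field is the reporting host
DST_RE = re.compile(r"dst=(\S+)")


@dataclass
class Hit:
    line: str        # the log line that matched
    indicator: str   # which indicator matched
    kind: str        # "ip" or "file"
    host: str        # the internal system the hit points at


def sweep(lines, indicators):
    """Return a Hit for every indicator found in the given log lines."""
    hits = []
    for line in lines:
        host_m = HOST_RE.match(line)
        host = host_m.group(1) if host_m else "?"
        # IP indicators: for firewall lines the internal side is dst=, so that is
        # the system to isolate, not the firewall that reported the event.
        for ip in IP_RE.findall(line):
            if ip in indicators["ips"]:
                dst = DST_RE.search(line)
                hits.append(Hit(line, ip, "ip", dst.group(1) if dst else host))
        # File-name indicators: case-insensitive substring match on the line.
        for fname in indicators["files"]:
            if fname.lower() in line.lower():
                hits.append(Hit(line, fname, "file", host))
    return hits


def by_host(hits):
    """Group matched indicators by affected host; each key is a system that
    would be isolated under the normal block-on-detection response."""
    grouped = {}
    for h in hits:
        grouped.setdefault(h.host, set()).add(h.indicator)
    return grouped


if __name__ == "__main__":
    for host, found in sorted(by_host(sweep(SAMPLE_LOGS, INDICATORS)).items()):
        print(f"{host}: isolate; matched {sorted(found)}")
```

Grouping by the internal host rather than by the reporting device is the design choice that matters here: the firewall that logged the connection is not the system to take off the network, the workstation or controller behind it is.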
Our guess is that the intrusion is over and done, so telling the companies that were affected (although DHS never did say how many companies were affected) to leave the intruders alone will not have any negative impact. Instead, it will get people in the Senate worried enough to push CISPA through despite the current concerns over privacy and civil liberties that go with it. If we see DHS or another agency try to tie this one to Anonymous, any other online activist group, or the always popular terrorists and foreign spies, then we will know we have hit very close to the mark. After all, nothing helps to push a bad law through like fear.
Picture credit Annys.com - Ministry of Fear (1944)