Poisoning Your Own Well

Thriller Novel: It’s the scene from the opening of a Tom Clancy novel: an advance team of hackers from an unnamed enemy of the USA strikes first in the upcoming WWIII. This war won’t be started with a rifle shot; it is digital warfare with deadly results. The hackers infiltrate the control systems of a water treatment plant where 15,000 people get their drinking water in Smalltown, America. They take control of the chemical dosage, flooding the town’s water with poison. Thousands die before authorities determine what happened.

Not So Fictional: It sounds like an action-thriller novel, but something similar happened in Oldsmar, FL last month. It could have been tragic, were it not for an alert staff member at the water treatment facility. A hacker gained access to the chemical controls of the facility for less than five minutes. In that time, he was able to change the level of sodium hydroxide from 100 parts per million to 11,100 parts per million. The staffer was at his computer monitoring the facility when a remote user took control of his mouse and attempted to poison the water. Once the attacker relinquished control, the staffer reduced the level back to 100 before the water was impacted.

Utilities as Cyber Targets: All around the country there are thousands of gas, electric, and water facilities that are part of the nation’s critical infrastructure. You may ask, “How did this happen to such a critical resource?” I know I did. It turns out this small facility had a small budget, and cybersecurity was not in it.

Forget the Rules: The organization broke just about every principle of basic cybersecurity imaginable. The system was running on an unsupported version of Windows. The organization used a desktop-sharing software package called TeamViewer, which allowed the staff to monitor the system remotely. Everyone shared the same password, and that password was the manufacturer’s default. It’s hard to say which cyber bumble was the worst, but it may have been the fact that this critical infrastructure was connected directly to the internet without any type of firewall protection. One more thing – six months prior to the attack, the facility stopped using TeamViewer but neglected to uninstall it. This is the very tool the hacker used to infiltrate the system.

Convenience over Security: This is what happens when functionality and convenience trump security. These lessons apply to every business. Password hygiene is critical. Disable the default account on all devices. Use a unique password for every user; this enables proper access control on the devices and auditing of the system. Otherwise, you don’t know who did what. Always keep your systems updated with the latest patches for both the operating system and the applications in use. If you are no longer using a piece of software, remove it. When someone leaves the organization, disable their account. Lock down your firewall so that only the required applications can pass.

Wake Up: This is a wake-up call to all the small and medium-sized utilities, letting them know they are a target. In most cases, the larger utilities have more regulations to follow and, consequently, a larger budget. They understand that their critical systems have to be separated from the rest of the organization’s network, and that it is best practice to have no direct internet access.

Be Prepared: The attack on the Oldsmar Water Facility did not require the skill and resources of a major world power.  It could have been a disgruntled employee who had the password.  It could have been a low-grade terrorist organization that researched industrial control systems.  Oldsmar made this hack extremely easy.  We don’t want to live in the first chapter of a Tom Clancy novel.  Our utilities and our businesses need to beef up their cyber defenses.  Our lives may depend on it.

The Stuffing Will Make You Sick

The Conflict: For years, my mother-in-law insisted on stuffing the turkey – with stuffing. She wanted the stuffing to get all the turkey deliciousness by absorbing the juices. I didn’t really like it because the stuffing was soggy, and we had to cook the bird longer. That meant dry breast meat.

The Solution: Now, our family is in charge of the Thanksgiving meal. We don’t stuff the turkey. We brine it. Then smoke it. The result? Juicy turkey breast, and crisp, fluffy stuffing. I win.

The Concern: The problem with putting stuffing in the bird is that you can end up with salmonella poisoning if you don’t get the center of the bird up to 160 degrees. That’s what the experts say, anyhow. I’ve never felt like it was worth the risk to test that hypothesis. So, I just kept my mouth shut and soaked the dry breast meat in salty gravy.

Credential Stuffing: There is another stuffing that will make you sick. It’s called “Credential Stuffing.” It works like this: You read a really captivating Cyber Tripwire article about passwords. You’re instructed to make them long. Thus, you create a portmanteau of the first name of every grandchild and their birth year. Then to make it really strong, you put an exclamation point at the end. NO ONE will ever guess that! You have your new favorite password.

Just One Password: Next, you proceed to change all of your passwords to that new, really strong one. Instagram, Facebook, Bank of America, LinkedIn, Gmail… the list goes on. Every website you use regularly now has a really strong password—the same password.

The Opening: All it takes is for a threat actor to get the password database from one of those sites, and they will have your email address and password for every other site, especially your email account.
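One way a website operator can spot the attack described above, as an added example that is not part of the original article: the log format, IP addresses and account names below are constructed. The rule flags any source that tries many different accounts in a short window (one leaked list being replayed against this site) and reports which accounts it actually got into, so those users can be forced to reset their reused password.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (hypothetical format: time, source IP, account, result).
SAMPLE_LOG = """\
2021-03-01T08:00:01 203.0.113.7 alice@example.com FAIL
2021-03-01T08:00:02 203.0.113.7 bob@example.com FAIL
2021-03-01T08:00:03 203.0.113.7 carol@example.com SUCCESS
2021-03-01T08:00:04 203.0.113.7 dave@example.com FAIL
2021-03-01T08:00:05 203.0.113.7 erin@example.com FAIL
2021-03-01T08:00:06 203.0.113.7 frank@example.com FAIL
2021-03-01T08:00:07 203.0.113.7 grace@example.com SUCCESS
2021-03-01T08:05:00 198.51.100.9 alice@example.com FAIL
2021-03-01T08:05:20 198.51.100.9 alice@example.com FAIL
2021-03-01T08:05:40 198.51.100.9 alice@example.com SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse_events(text):
    """Parse log lines into (timestamp, ip, account, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: (distinct_accounts, accounts_logged_into)} for every source that
    tried at least `min_users` different accounts inside one sliding window.
    One IP walking through many accounts is the credential-stuffing signature;
    one user retrying their own password (the second IP above) is not flagged."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_users and len(users) > flagged.get(ip, (0, []))[0]:
                hits = sorted({u for _, u, r in span if r == "SUCCESS"})
                flagged[ip] = (len(users), hits)   # keep the busiest window per source
    return flagged
```

The accounts listed under each flagged source are the ones whose reused password worked; those are the users to lock and notify first.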

Textbook Scams: What they do next is textbook. They log into your email account and send spam emails to everyone in your address book, straight from your account! One of my clients received an email this week from the victim of an attack just like this.

The email read something like, “Hey, when you get a second, I have something important to talk about. Let me know your availability.” If the recipient replied, there was an immediate response. It read, “Thanks for getting back with me. My daughter was diagnosed with cancer. I’m hoping you can help out financially. Just send me some Google Play gift cards.” This was a classic gift card scam.

The Process: Gift card scams and their variations, such as “The Refund Scam” and the “Fake Tech Support Scam,” almost always end with a demand for gift cards. Here are a few characteristics to watch out for:

  1. Someone CALLS YOU on the phone promising an unexpected monetary award (refund or sweepstakes).
  2. Maybe you get a scary pop-up screen on your computer notifying you of several viruses detected. The screen has an 800 number prominently displayed. (Remember: emotion shuts down the logic center of your brain.)
  3. The person on the phone almost ALWAYS has a non-American accent (No prejudice here. Just fact.).
  4. The person on the phone, or the fake tech support person, “accidentally” refunds you too much money.
  5. They need you to “help them get that overpayment back or they will lose their job” (preying on your natural goodness).
  6. They instruct you to buy several thousand dollars in gift cards.
  7. Or, they may instruct you to use Western Union to wire money.
  8. Or, they may instruct you to get physical cash from the bank and ship it via FedEx.

Notice the Signs: No matter what the person tells you, or what you see on the computer screen, these are tell-tale signs of fraud. If you find yourself in a situation like this, immediately hang up the phone and contact the cyber guys from CyberEye BEFORE any transactions take place.

Cyber Food Poisoning: Undercooked stuffing can make you sick. Credential stuffing leading to a gift card scam is no less annoying than food poisoning.