Hacked Dallas sirens serviced by office furniture makers shows the US is not taking critical infrastructure seriously – bobsullivan.net


We’d better not ignore these sirens.

It is tempting to ignore the warning sirens that knocked Dallas out of bed on Saturday night – but that would be a very serious mistake.

We hear so much about the importance of securing America’s critical infrastructure systems. Then you discover that the company responsible for maintaining the Dallas outdoor warning siren network – which was hacked Saturday night – also operates as an office furniture removal company.

In case you missed it, the Dallas outdoor sirens screeched overnight on Saturday, pestering many of the city’s residents with the ultimate false alarm. It was originally viewed as a malfunction, but on Sunday city officials admitted it was a hack.

The sirens are designed to warn residents of imminent dangers such as tornadoes.

They did their job.

America has just received perhaps the clearest warning that our essential services are comically easy to attack, which puts our citizens in serious danger. Will we listen or will we just go back to sleep?

It couldn’t be said more simply: if stones fall from a bridge into the water, repair the bridge. (Maybe.) That is what we have here.

Nobody died on Sunday morning. There was no blood, so no dramatic images. But there will be. It doesn’t take much imagination to see how easily this hacking prank (or was it a test?) could have gone very wrong. For starters, it served as a denial of service attack on the city’s 911 system, which was overwhelmed with calls.

More than 4,400 911 calls were received between 11:30 p.m. and 3:00 a.m., the city said. About 800 came just after midnight, causing waits of six minutes. As far as we know, nobody died from it. But that could have happened.

But that’s just the tip of the iceberg. Security experts I’ve spoken to have warned for years about a hybrid attack, which could easily cause panic in a big city. Imagine if this hack had been combined with some compelling fake news suggesting that there was an ongoing chemical attack on Dallas. It is easy to envision a real disaster without a shot being fired. Take it a step further and combine it with some sort of physical attack and you have a serious, long-lasting incident on your hands. Death followed by massive confusion, then panic, then a bunch of sitting ducks stuck in traffic.

Playing the “what if” game sometimes leads to exaggeration. However, it is necessary when people want to ignore a warning sign. So I asked Treadstone71 Security Advisor Jeff Bardin to tell me why the Dallas incident should be taken seriously.

For one, it might have been a diversionary tactic.

“Test the emergency systems, get into a ‘screaming wolf’ state, put the authorities in a state of chaos and confusion while you hack and penetrate something else. Mix Kansas City,” he said. “This seems to me to be a test of the systems. Could also be more than a test that means what was hacked during this fake emergency?”

Dallas has been hit by “prank” hacks before. Last year road signs were hijacked to display funny messages like “Work is Abandoned – Go Back Home”. Very funny. However, this means that we know that the city’s systems are being actively studied. Any intelligent person has to consider what other systems that person or gang has been playing with. More importantly, what other cities have they played with?

“If, as a hacker, I can control the emergency systems, alarms, building security, HVAC, traffic lights, first responder systems, interfaces for medical facilities, law enforcement agencies, etc., then I can control all normal physical systems that now have Internet interfaces, control the whole city,” said Bardin. “What else was penetrated during this ‘test’? How many other major cities in the US work the same way? What was injected into these systems during the test for later access?”

Hopefully the Dallas siren hacker is a kid who found flaws in a very old, insecure system and had fun for a night, Bardin said. Perhaps it was someone trying to “prove a point”, albeit in a sloppy, dangerous way that put lives in danger.

Point not made. Life is full of catastrophes that are averted and then ignored. The planes that almost collided. The car accident that was just barely averted. The key that was lost (without a duplicate!) but was found.

It’s 48 hours after sirens went off all night in a major U.S. city. Have you heard of federal investigations? Have you heard of executive orders relating to critical infrastructure? (You did. But then you didn’t.)

“It’s amazing that this doesn’t make the headlines,” said Bardin. “It’s not surprising that they have the uninitiated running the systems that have a part-time job on furniture. Perfect. Just perfect.”

As for the furniture moving company behind the sirens, it’s probably unfair to blame them. The Dallas Morning News reported that Michigan-based West Shore Services was responsible for maintaining the system.

In fact, here is the 2015 city council resolution approving the payment of $567,000 to West Shore over a six-year period. Yes, that’s roughly $100,000 a year for repairs and maintenance. And that’s a maximum. I suspect it includes the cost of replacing defective devices. I would think penetration testing is not included. I am sure it does not involve any overhaul of the system from its old, practically indefensible architecture.

No wonder the company needs a side business.

A West Shore operations manager told the Dallas Morning News that he was unaware of the incident. The company did not respond to my emailed questions.

But the biggest question of all: will anyone hear that warning siren? Or will we all go back to sleep like Dallas did?

UPDATE 6:30 p.m. 4/10/17 – Federal Signal Corporation, which made the Dallas sirens but doesn’t currently manage them, said it was working with authorities to see what happened.

“In the city of Dallas, Texas, there are several outdoor warning sirens installed throughout the Dallas area. The outdoor warning sirens were manufactured and purchased by Federal Signal Corporation. Although Federal Signal does not currently have the contract to maintain the City of Dallas’ outdoor warning siren system, the company is actively working with the Dallas Office of Emergency Management to resolve the cause of the inadvertent activation,” the company said in a statement emailed to me.

Dallas Mayor Mike Rawlings seemed to understand and called for serious investment after the attack.

“This is another serious example of the need to improve and better protect our city’s technology infrastructure,” he wrote on his Facebook page. “It’s a costly business, so every dollar of taxpayers’ money must be spent on critical needs like this. The necessary improvements are essential for the safety of our citizens.”

Let’s hope someone is listening and these sirens can be heard way outside of Texas.
