Malware on oil rig computers raises security fears – Houston Chronicle

This article from the Houston Chronicle highlights the need for layered security, including proper VLAN design to segregate networks and contain malware, as part of an overall security program:

Malicious software unintentionally downloaded by offshore oil workers has incapacitated computer networks on some rigs and platforms, exposing gaps in security that could pose serious risks to people and the environment, cybersecurity professionals told the Houston Chronicle.
The worst-case scenario could be catastrophic: A malfunctioning rig and safety systems could cause a well blowout, explosion, oil spill and lost human lives, experts said.

The way the article reads, it seems like these platforms have large flat LANs, where employees’ personal equipment is on the same network as the production equipment. I’m a fan of placing SCADA systems in their own VLAN with non-routable IP addressing, isolated from the Internet and the rest of your local network. Place a physical firewall device between the SCADA LAN and the regular LAN, but lock that firewall down. Selectively open ports for maintenance and close them again when done. Monitor the heck out of the thing.
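As an added example (not from the article or the original post), here is what that “locked down” boundary firewall can look like as an nftables ruleset. Interface names, the SCADA address range, the HMI address and the maintenance jump host are all assumptions for illustration:

```nft
# Constructed example ruleset for the SCADA/office boundary firewall.
# Assumptions: eth0 faces the office LAN, eth1 faces the SCADA VLAN,
# the SCADA VLAN uses non-routable 10.200.0.0/24, and 192.168.1.50 is
# the only host allowed to perform maintenance.
define OFFICE_IF  = "eth0"
define SCADA_IF   = "eth1"
define SCADA_NET  = 10.200.0.0/24
define HMI_HOST   = 10.200.0.10
define MAINT_HOST = 192.168.1.50

table inet scada_boundary {
    chain forward {
        # Default deny in both directions; every allow below is explicit.
        type filter hook forward priority 0; policy drop;

        # Replies to connections already permitted by a rule below.
        ct state established,related accept

        # Maintenance window rule: one source host, one destination host,
        # one port. Add it for the window and delete it when the work is done.
        iifname $OFFICE_IF oifname $SCADA_IF ip saddr $MAINT_HOST ip daddr $HMI_HOST tcp dport 22 log prefix "scada-maint-allow " accept

        # Nothing on the SCADA VLAN initiates connections outward, so any
        # attempt is worth an alert (malware beaconing, misconfigured host).
        iifname $SCADA_IF oifname $OFFICE_IF ip saddr $SCADA_NET log prefix "scada-outbound-drop " drop

        # Everything else from the office side is logged and dropped.
        iifname $OFFICE_IF oifname $SCADA_IF log prefix "scada-inbound-drop " drop
    }
}
```

The two logging drop rules are what make “monitor the heck out of the thing” practical: ship the kernel log lines with those prefixes to your SIEM and alert on any outbound attempt from the SCADA range.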
InfoSec professionals, how would you handle this type of situation?
via Malware on oil rig computers raises security fears – Houston Chronicle.

Categorized as I84D

The Determination of Idiots

It is hard to impossible to stop a determined idiot.
This axiom came to mind as I read the story of the man who leapt from a zoo’s train. His athletic jump cleared a sixteen-foot-tall protective fence and landed him right in the pen of a Siberian tiger. The tiger attacked the man severely.
I’ve been trying to think of valid reasons why the man would do that. From the reports I read the man seemed intent upon clearing the safety fence, so this was no accident. He wasn’t trying to escape a giant space scorpion or an icky bug or a girlfriend he was trying to break up with. Even if he was trying to commit suicide I imagine there are ample other avenues available, avenues less elaborate and ultimately more effective. This seems to me more in the field of a frat prank or a dare or drunken misplaced determination or a desperate ploy to get famous.
I think the guy is an idiot. If one applies Hanlon’s Razor, i.e. “never attribute to malice that which is adequately explained by stupidity”, he’s an idiot. Even if he’s not, even if there’s a valid reason for this bizarre chain of events, let’s assume for the sake of this post that he is an idiot.
We’re left with an idiot who did, deliberately and with malice aforethought, jump into a Siberian tiger’s pen. The tiger did what tigers do: the man was mauled. The man was rescued by zoo staff.
I’m sure that some people read the stories and were appalled that a tiger would do such a thing. They might demand the animal’s destruction for daring to harm a Homo sapiens in such a blatant way.
Others might read that story and say, “How can we let people jump from a moving train over a 16-foot fence into a wild animal’s pen? We must implement laws and elaborate security systems to prevent this.”
The zoo did neither. The zoo’s director, Jim Breheny, handled the situation, in my humble opinion, appropriately based on the actual risk.
The Associated Press quoted Breheny as saying, “When someone is determined to do something harmful to themselves, it’s very hard to stop that. … The tiger did nothing wrong in this episode”.
The most telling part from both a risk management and incident handling perspective is the other statement from the Associated Press article I read: “Zoo officials said they would review safety procedures but stressed that the situation was unusual.” By the way, they’re not going to euthanize the tiger.
“We review everything, but we honestly think we provide a safe experience,” Breheny said in the Associated Press article. “And this is just an extraordinary occurrence. … Somebody was deliberately trying to endanger themselves.”
The lesson: don’t make more out of an isolated incident than is there. If the particular ingredients of a problem are all unlikely or outright rare, then the response should be proportional. This isn’t to say that there aren’t lessons to be learned from every event. Rather, a rational and judicial
The corollary: given enough resources a determined person can defeat security measures. As my Dad said to me after my childhood home was broken into, “If someone wants to get in bad enough they’ll find a way”.
The same is true for determined idiots.
Categorized as I84D

Penny Wise & Pound Foolish

No, this is not a Stephen King’s It related post.

The other day I took 100 bottles and cans to the local liquor store for a refund. Here in Michigan we pay a ten cent deposit on every soda pop, beer, and other beverage container. It has been this way for as long as I can remember. The deposit makes a difference. After having spent 5+ years in a no-deposit state (Oklahoma), a $0.05 state (Connecticut), and the aforementioned ten cent Michigan, I follow the deposit refund options far more religiously in the Great Lakes State.

But that’s not the point of this post, either.

The point is that the other day I took 100 bottles and cans, some beer and some soda pop, to the local liquor store for a refund. That is $10 in a refund that I invariably spend on more soda pop and beer. I like high quality local breweries, so $10 will often not quite cover a six pack just in that. After having dropped the containers off the store employee in charge of returns, Robert, chased me down to admonish me for my containers.

The way the MI law is written, stores only have to accept containers that they sell. The stores with automatic return machines enforce this. That’s why I take mine back to this store – no machines policing the returns. The store itself offers a decent beer selection, albeit smaller and a little more expensive than the other stores where I shop. I always end up spending more in the store after a return run than the refund.

When Robert flagged me down and lectured me loudly in the store on how hard it is for him to get $0.10 on a bottle they don’t carry from the store’s distributor, I argued. Uninterested, he dug through every neatly packed bag (and I do rinse and orderly arrange things). After everything was reviewed only 12 bottles out of the 100 were questionable. Since I had in my hands two six packs of beer and one 12 pack of pop worth $23 before tax and deposit, Robert was arguing about 5% of my total spend with them on that trip, $1.20.

Again, Robert was not wrong. A store’s obligations under the program are laid out. While I argue that such limitations negatively impact the effectiveness of the law, the law is plainly written.

Nevertheless I put the $23 of stuff back on the shelf and walked out with $8.80 in deposits. I let Robert keep the extra bottles. I spent that $8.80 plus more at another store. That was a loss of $31.80 (the $23 I was going to buy plus the deposit I was entitled to) instead of $21.80 in sales (presuming the store had to eat the $1.20).

Since I was treated so poorly I later returned another 27 containers for cash at that store on my way to another store where I spent $23 on more of the same. That’s over $50 lost for the sake of $1.20. Once I exceed $120 I will talk with the owners.

For me I spent next to nothing on the extra fuel since the other options are less than a mile away. I saved about $1.50 on my purchases.

This illustrates “Penny Wise & Pound Foolish” very well.

I would be a fool if I didn’t cast a critical eye on myself. What have I done that, in retrospect, was penny wise & pound foolish?

At work the big thing that leapt out at me, fit for public consumption, was being so far behind on my expense reports. It always takes more time to complete them the longer it takes me to do them. It takes money out of my pocket both in covering the expense in a timely fashion as well as in any late charges that I have to absorb.

At home I just went through a big refresh in various parts of my life, so it is too early to tell there.

“Penny Wise & Pound Foolish” is another way of describing the Law of Unintended Consequences. How much time and effort would it cost to ask “What happens if …?” before making a decision?

Categorized as I84D

Retail: The Joys and the Sorrows

My professional career started in retail. Specifically, I started in food service. I was a fill in for three weeks, then discarded.

I then went to Best Buy. I quickly climbed the ladder there in the computer department from part time sales associate to department manager.

I left Best Buy for personal reasons, then found myself back at the same store one year later. I was hired back in as a sales associate. Two weeks later I was promoted to assistant supervisor. Two months later I was promoted to supervisor. I was moved from department to department where I was needed. Eight months later I was promoted to manager.

I did the manager thing until I found myself at the top of a step ladder during the Christmas shopping season directing people to the 14 or so checkout lanes we had running. My department, the cashiers and customer service, processed well over a million dollars’ worth of transactions that December of ‘96. From atop my perch I herded the customers like cattle, each into their own financial abattoir. I dealt with people returning new-from-the-factory computers with bricks in them, people with electronics infested with insects and vermin, people with equipment we never sold demanding we provide them with satisfaction.

By January, the return season, I had quit and moved my family to Michigan. That story is one for another day.

Sitting in the Apple store in Troy, Michigan today I was reminded why I hated working in retail. It’s loud. It’s crowded. Customers are crazy. At least Apple has incredible margins that PCs don’t have.

The retail plus was the immediacy of the numbers. You didn’t have to wait for month’s end to see how you were doing. You didn’t have to wait for the end of the week. Every morning a fresh set of numbers was ready to greet you with your previous day’s performance. You knew about that day in the week’s context, the month’s, the year’s, and the previous year’s same day.

As a supervisor or manager, it meant that you could immediately adjust your approach, and your team’s, to the numbers. That was also the drawback if you only relied on the numbers.

The numbers wouldn’t tell you that the University of Oklahoma was in a crucial game, keeping attendance down. The numbers wouldn’t tell you there was an ice storm last year. The numbers wouldn’t account for half the staff laid up with the flu.

The numbers certainly weren’t forgiving in cases of fraud or outright theft. That was what the twice-annual inventory audits were for. Back in the day there was a department supervisor taking tens of thousands of dollars of gear out the back door. As is often the case with thieves, the supervisor got greedy and took enough to get noticed. Even though that person was prosecuted to the full extent of the law, store management was held responsible for the loss, or shrinkage.

There are things that I miss from my retail days, but they are few. I am still extremely happy not to be in that space any more.

Have you worked in retail or still do? What do you like or miss about retail?

Categorized as I84D