An amateur Chinese hacking group infiltrated several of the world's largest petrochem companies (BP, Exxon Mobil, Shell, and others). McAfee, no stranger to creating cute names for anything that can bring them a little media, dubbed the attack "The Night Dragon", and says they were "very unsophisticated" and "incredibly sloppy". They admit that the group has pwned the systems in question for as long as 5 years. And how were these naive slow-witted clods were able to maintain their pwnership of said systems with McAfee on hand monitoring them? McAfee, in their infamous defeatist style, suggest the reason is that "the environments and security controls these days are so complex it is very easy for them to slip under the radar of visibility".
Really, McAfee? Maybe we should all just give up now then. Perhaps the reality is that the petrochem industry simply do not have their security controls in check, with knowledgeable people supporting an effective set of standards, policies and procedures. Someone's been paying a lot of money for McAfee to hang around doing nothing but watching a bunch of Chinese kids hacking their customer's network.
In the 3 years Mcafee has been monitoring them, all they can really say about them is that the "sloppiness" that exposed the hacker's Asian heritage was the use of known chinese hacker tools, and the attacks all occurring during Beijing's 9-5 business hours. Brilliant sleuthing!
Surely they could have fixed the security issues instead, and helped built them a real security capable governance team. How about putting a stop to the attack back in 2009 when it was discovered, instead of waiting for the story to become newsworthy?
I call it a failure for both McAfee and the PetroChem industry.
No comments:
Post a Comment