The event caught the eye of a number of local politicians, who gathered to shake hands at the official unveiling. "I've been to lots of ribbon-cuttings," county executive Rob Astorino was quoted as saying. "This is my first sluice gate." But locals apparently weren't the only ones with their eyes on the dam's new sluice. According to an indictment handed down late last week by the U.S. Department of Justice, Hamid Firoozi, a well-known hacker based in Iran, gained access several times in 2013 to the dam's control systems. Had the sluice been fully operational and connected to those systems, Firoozi could have created serious damage. Fortunately for Rye Brook, it wasn't.
Computers display the Google Desktop search engine
Hack attacks probing critical U.S. infrastructure are nothing new. What alarmed cybersecurity analysts in this case, however, was Firoozi's apparent use of an old trick that computer nerds have quietly known about for years. It's called "dorking" a search engine — as in "Google dorking" or "Bing dorking" — a tactic long used by cybersecurity professionals who work to close security vulnerabilities. Now, it appears, the hackers know about it, as well.
Hiding in open view
"What some call dorking we really call open-source network intelligence," said Srinivas Mukkamala, co-founder and CEO of the cyber-risk assessment firm RiskSense. "It all depends on what you ask Google to do." Mukkamala says that search engines are constantly trolling the Internet, looking to record and index every device, port and unique IP address connected to the Web. Some of those things are designed to be public — a restaurant's homepage, for example — but many others are meant to be private — say, the security camera in the restaurant's kitchen. The problem, says Mukkamala, is that too many people don't understand the difference before going online. "There's the Internet, which is anything that's publicly addressable, and then there are intranets, which are meant to be only for internal networking," he told VOA. "The search engines don't care which is which; they just index. So if your intranet isn't configured properly, that's when you start seeing information leakage."
The sluice gate of the Boman Avenue Dam is pictured in Rye, New York, December 23, 2015. Iranian hackers breached the control system of a dam near New York City.
While a restaurant's closed-circuit camera may not pose any real security threat, many other things getting connected to the Web do. These include pressure and temperature sensors at power plants, SCADA systems that control refineries, and operational technology (OT) networks that keep major manufacturing plants working. Whether engineers know it or not, many of these things are being indexed by search engines, leaving them quietly hiding in open view. The trick of dorking, then, is to figure out just how to find all those assets indexed online. As it turns out, it's really not that hard.
An asymmetric threat