
SCADA Hacker: Water District Used 3-Character Password

samzenpus posted more than 2 years ago | from the abc-easy-as-123 dept.

Security 213

Trailrunner7 writes "In an e-mail interview with Threatpost, a hacker who compromised software used to manage water infrastructure for South Houston, Texas, said the district had HMI (human machine interface) software used to manage water and sewage infrastructure accessible to the Internet and used a password that was just three characters long. The hacker, using the handle 'pr0f' took credit for a remote compromise of supervisory control and data acquisition (SCADA) systems. Communicating from an e-mail address tied to a Romanian domain, the hacker told Threatpost that he discovered the vulnerable system using a scanner that looks for the online fingerprints of SCADA systems. 'This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,' he wrote in an e-mail."


213 comments

duh (4, Funny)

stoolpigeon (454276) | more than 2 years ago | (#38124104)

the upside is if you can't afford your own truck landing robot helicopter, it shouldn't be too hard to steal one. access to truck landing robot helicopters should be an inalienable right.

i bet the password was h2o

Re:duh (5, Insightful)

NeumannCons (798322) | more than 2 years ago | (#38124250)

H2o. Need at least one uppercase, one lower case and one non-letter.

Re:duh (5, Funny)

stoolpigeon (454276) | more than 2 years ago | (#38124274)

Of course [xkcd.com], you are correct.

Re:duh (0, Insightful)

Anonymous Coward | more than 2 years ago | (#38124416)

That comic is retarded and I don't know why people quote it

Re:duh (3, Insightful)

Runaway1956 (1322357) | more than 2 years ago | (#38124518)

The comic probably does look retarded, to someone who doesn't grasp the concept. You better go now, I can hear the short bus honking for you!

Re:duh (1, Offtopic)

stoolpigeon (454276) | more than 2 years ago | (#38124648)

I spent the last couple hours trying to get first post on stories so I could make comments with the subject of "Duh" and a joke about a uav helicopter landing on a truck. And you wonder? Really?

Re:duh (1, Insightful)

rubycodez (864176) | more than 2 years ago | (#38124482)

Except Randall Munroe underestimated how good that is. If there are 6000 "common words", then a four word password is out of 6000 * 5999 * 5998 * 5997 = 1.3 * 10^15 combinations. That's more than 50 bits of entropy (2^50 = 1.1 * 10^15), his time to guess should be multiplied by 2^6, or 35,000 years by his 1000 guesses a second (and no login will allow that many, multiply by a thousand more for 35 million years!)
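The arithmetic in this sub-thread (character passwords versus machine-chosen word lists, with and without repeated words, at a throttled versus an offline guess rate) is easy to get wrong by hand. The following is an added example, not code from the thread or any poster; the policies it compares (a 3-letter password, a 4-word phrase from a 6000-word or 1000-word list, an 8-character printable password) and the guess rates are constructed inputs.

```python
import math

# Added example (not from the thread): compares the password designs the
# thread argues about by computing guess-space entropy in bits.


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random string of `length` symbols
    drawn from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def wordlist_entropy_bits(words: int, dictionary_size: int, distinct: bool = False) -> float:
    """Bits of entropy in a passphrase of `words` drawn uniformly from a
    dictionary. distinct=True forbids repeated words (6000 * 5999 * ...),
    which is the product computed in the comment above."""
    if distinct:
        combos = 1
        for i in range(words):
            combos *= dictionary_size - i
        return math.log2(combos)
    return words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    seconds = (2.0 ** bits) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_policies():
    """Constructed comparison: the three-letter password from the story,
    the machine-chosen four-word phrase, the 'kiddy dictionary' case, and
    a conventional 8-character password."""
    return {
        "3 lowercase letters": charset_entropy_bits(3, 26),
        "4 words, 6000-word list, no repeats": wordlist_entropy_bits(4, 6000, distinct=True),
        "4 words, 1000-word list": wordlist_entropy_bits(4, 1000),
        "8 chars, 95 printable": charset_entropy_bits(8, 95),
    }


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        online = years_to_exhaust(bits, 10)      # throttled login: 10 guesses/s (assumed)
        offline = years_to_exhaust(bits, 1e9)    # captured hash: 1e9 guesses/s (assumed)
        print(f"{name:38s} {bits:6.1f} bits  online {online:10.3g} y  offline {offline:10.3g} y")
```

The point the numbers make: a word list only delivers its entropy when the machine picks the words uniformly; once users pick from a few hundred favourites, the token-level attack the next reply describes cuts the space to roughly 40 bits or less.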

Re:duh (3)

Moryath (553296) | more than 2 years ago | (#38124736)

Except that there aren't going to be 6000 "common words" as the base. You're going to see the same inanity as current passwords, you're going to see dictionary file attacks using an actual kiddy dictionary with 1000 words or less. This will break through most passwords. You're going to see users allowed to create their own password, which means "jebusisgodone" and "onelittlefishyswim" followed "jebusisgodtwo" and "twolittlefishyswim" and so on and so forth.

"Bitwise", it sounds secure, until you realize it can trivially be attacked on the token level rather than the bit level.

Re:duh (2)

rubycodez (864176) | more than 2 years ago | (#38124934)

Nope, the computer generates the password from the easy words. you memorize the easy words. problem solved

Re:duh (1)

RandomAvatar (2487198) | more than 2 years ago | (#38125060)

This is why, when I create a password I come up with a non-famous phrase, take 1 letter from each word, and add symbols and numbers. That way all I really have to remember is the symbol and number placement, and I have a password that is all but random, yet easy to remember.

Re:duh (1)

Cyberia (70947) | more than 2 years ago | (#38124868)

pffffffft... Nah, I'm betting a nerdy guy who can't bring himself to swear set the password. A woman would most likely have chosen H2O. My money is on poo (or some l337 derivative therein).

Predicting Government Response (5, Funny)

itchythebear (2198688) | more than 2 years ago | (#38124140)

A child who knows how the HMI that comes with Simatic works could have accomplished this...

The obvious course of action to prevent future attacks against SCADA systems is to ban all children. Problem solved.

Re:Predicting Government Response (0)

Anonymous Coward | more than 2 years ago | (#38124242)

A child who knows how the HMI that comes with Simatic works could have accomplished this...

The obvious course of action to prevent future attacks against SCADA systems is to ban all children. Problem solved.

Soooo many problems solved ;)

Re:Predicting Government Response (1)

Anonymous Coward | more than 2 years ago | (#38124350)

The obvious course of action ... is to ban all children. Problem solved.

Soooo many problems solved ;)

No kidding, but who's going to open the bottle of ibuprofen for me?

Ooh, CAPTCHA = pattern. Yeah, I see a pattern too, now be a good boy and give daddy his pills.

Re:Predicting Government Response (2, Informative)

Anonymous Coward | more than 2 years ago | (#38124254)

Credit where credit was due: It was a Siemens system, of Stuxnet fame. Great for launching false-flag attacks to drum up support against "terrorists" and our civil rights.

-- Ethanol-fueled

Re:Predicting Government Response (0)

Anonymous Coward | more than 2 years ago | (#38124310)

Hooray! No more children to think of!

Re:Predicting Government Response (3, Funny)

Anonymous Coward | more than 2 years ago | (#38124822)

A child who knows how the HMI that comes with Simatic works could have accomplished this...

Well, yeah, I mean, who doesn't have fond memories of studying the Simatic HMI on SCADA systems back in preschool?

Re:Predicting Government Response (4, Funny)

TheCarp (96830) | more than 2 years ago | (#38124936)

no, our teacher was a doody head. He was too lazy to teach the modules on SCADA and just had us spend extra time "playing with blocks".

Re:Predicting Government Response (4, Interesting)

bmo (77928) | more than 2 years ago | (#38125154)

You think this is funny, eh?

Richard Feynman had a story about how his hobby was safe cracking. He cracked a cabinet that had a combination lock on it and then told the people who mattered the security hole. Did they upgrade the security on the cabinet? No, they banned him from the room. Problem solved.

--
BMO

How much more proof do we need? (5, Insightful)

AngryDeuce (2205124) | more than 2 years ago | (#38124178)

The weak point is always going to be the human being. Pile on as much security as you want and people are going to find ways to disable it and make themselves vulnerable. Thousands of jobs in the tech support industry depend on it.

How about passwords that don't have to be changed every 30 (4, Interesting)

Joe_Dragon (2206452) | more than 2 years ago | (#38124272)

How about passwords that don't have to be changed every 30 days and you can't use the last 4 passwords.

Re:How about passwords that don't have to be changed (5, Informative)

Dare nMc (468959) | more than 2 years ago | (#38124902)

That is annoying, forcing me to change my password at the end of the month from H@cker1 to H@cker2 to H@cker3, and H@cker4 before I can go back to the password I like, but the IT work preventers at my work are really good, so when I am working on the road for 2 weeks, they make sure I can't change my login password without being on the intranet, and once I am 2 days past the expiry date, they prevent me from launching VPN, joining web meetings... So then I have to use gmail to email a co-worker my passwords so he can change them for me on a connected laptop first. Lots of fun.

Re:How about passwords that don't have to be changed (1)

WarlockD (623872) | more than 2 years ago | (#38125086)

Before I left Unisys, I think mine got from 01 to 18. For some reason I was excited about reaching the big 2-0.:P

Re:How about passwords that don't have to be changed (1)

Anonymous Coward | more than 2 years ago | (#38125022)

A password is either compromised or it is not. Age doesn't have anything to do with it.

The password? (0)

Anonymous Coward | more than 2 years ago | (#38124184)

GOD

Pretty sure it was better than that... (2)

SuperKendall (25149) | more than 2 years ago | (#38124266)

H2O

Re:Pretty sure it was better than that... (1)

reboot246 (623534) | more than 2 years ago | (#38124352)

I work in the utilities business and most of the people aren't the brightest.
I bet it was probably 123.

Re:Pretty sure it was better than that... (1)

Moryath (553296) | more than 2 years ago | (#38124762)

...4...5.

That's the kind of password an idiot would have on his town's water control system!

Re:Pretty sure it was better than that... (1)

rubycodez (864176) | more than 2 years ago | (#38124572)

I've seen "wtr" used, my cousin had a part time job at a village water works. He didn't get to choose or change the passwords..... however, on the bright side that was only for monitoring, the pumps actually were so very old they had the old "knife throw switches", the wood panel with those was roped off lest someone touch the open metal and get zapped

Password? (1)

Anonymous Coward | more than 2 years ago | (#38124190)

It was h2o wasn't it? Come on, you can tell! It'll be our little secret...

LOL! Captcha: draught

Effective passwords? (5, Funny)

Anonymous Coward | more than 2 years ago | (#38124210)

Damn it Jim, im a water guy not a computer expert!

Re:Effective passwords? (4, Insightful)

bill_mcgonigle (4333) | more than 2 years ago | (#38124284)

Yeah, thar's yer problem. Just because these things are second nature to us, doesn't mean that non-experts are any good at making these decisions.

I'd like to see the investigation focus on who approved putting a SCADA system directly on the Internet, why, and then see structural changes to ensure that that sort of person can't make those sorts of decisions anymore.

Yeah, all SCADA systems should use ssh-quality authentication, but in the meantime we have millions of units deployed that need to be secured.

Hey, maybe I should market the pfSense firewalls I sell as SCADA secure access controllers... :P

some PHB who does not want to pay for on site staf (2)

Joe_Dragon (2206452) | more than 2 years ago | (#38124640)

some PHB who does not want to pay for on site staff say make so the work can be done remotely.

Re:Effective passwords? (1)

WaffleMonster (969671) | more than 2 years ago | (#38124754)

Yeah, all SCADA systems should use ssh-quality authentication, but in the meantime we have millions of units deployed that need to be secured.

I don't want brown turds floating in my water cause the "leap of faith" failed coupled with lack of crypto binding between session and user credentials.

Hey, maybe I should market the pfSense firewalls I sell as SCADA secure access controllers... :P

Maybe you shouldn't.

Re:Effective passwords? (0)

Anonymous Coward | more than 2 years ago | (#38125070)

Just because these things are second nature to us, doesn't mean that non-experts are any good at making these decisions.

Except much of the blame also comes on the so-called "experts". In my company (and we do work in critical infrastructure) there are several admins who deliberately circumvent the password rules because they are fucking lazy and simply don't care about security. Our rules are not onerous, but these arrogant pricks decide that they're above the rules and leave their admin passwords unchanged for months on end, even a year or more.

What's the answer to that?

How many... (2)

nitehawk214 (222219) | more than 2 years ago | (#38124212)

How many children know how Simatic works?

Re:How many... (0)

Anonymous Coward | more than 2 years ago | (#38124412)

The ones that RTFM? [siemens.com]

Re:How many... (1)

vlm (69642) | more than 2 years ago | (#38124690)

How many children know how Simatic works?

Let's just say that management has had a focus for decades on taking a sewer plant worker off the streets and having them be "productive" within a couple days despite no previous computer experience.

If you had to write JCL card decks for SCADA work, that would be fairly child proof, but it wouldn't be "user friendly" enough for anyone to buy it.

and why... (5, Insightful)

Lumpy (12016) | more than 2 years ago | (#38124246)

Is a FRACKING SCADA system on the internet?

The Plant manager needs to be fired on the spot. There is ZERO need to have a full connection from a SCADA system to any internet accessible networks.

An airgap for data is standard operating procedure for these things. Hell even crap SCADA software like "wonderware" supports a unidirectional ethernet cable and UDP broadcasting of the data stream so that you can airgap it from the administrative computers doing data collection.

Note: if you don't know what a "unidirectional ethernet cable" is, think standard Cat 5 with the TX wires clipped off on one end http://www.stearns.org/doc/one-way-ethernet-cable.html [stearns.org] and YES they do work PC to PC with the right settings or by using a switch where you can force a port on without negotiation.

No hacker on this planet can crack a system that is at the other end of this type of cable, unless he has physical access.

Re:and why... (0)

Anonymous Coward | more than 2 years ago | (#38124268)

Thanks for answering what a unidirectional ethernet cable is. I was about to ask until I saw your last paragraph :)

Re:and why... (2, Funny)

L4t3r4lu5 (1216702) | more than 2 years ago | (#38124360)

Unicycle = One wheel bike
Unique = One of
United = Made into one

Stop me if you see a pattern.

Re:and why... (4, Insightful)

Crudely_Indecent (739699) | more than 2 years ago | (#38124574)

Understanding what the term means is completely different from understanding how it is accomplished.

I've been building and maintaining networks for over a decade and have never even considered a uni-directional connection before I read this today. Of course, the systems I'm familiar with are specifically for internet access, so bi-directional communication and firewalls had become my norm.

Thanks for the education Lumpy!

Re:and why... (1)

L4t3r4lu5 (1216702) | more than 2 years ago | (#38125108)

That's funny, because it's the second idea that came to my mind, and I don't work in networking specifically. The first idea was a diode, but that seemed like a lot of work for something done simply by not crimping one wire.

I'm kind of glad, really. It would be very interesting to be in a meeting with someone as seasoned as yourself offering thousands of $currency's worth of new kit as the best solution, and for a "Lumpy" like me to say "Why not cut the Tx pair?".

I guess formal education really can get in the way of learning.

Re:and why... (0)

Anonymous Coward | more than 2 years ago | (#38125230)

Get over yourself dude.

Re:and why... (0)

Dan East (318230) | more than 2 years ago | (#38124548)

Note: if you don't know what a "unidirectional ethernet cable" is, think standard Cat 5 with the TX wires clipped off on one end http://www.stearns.org/doc/one-way-ethernet-cable.html [stearns.org] and YES they do work PC to PC with the right settings or by using a switch where you can force a port on without negotiation.

I don't see how TCP could possibly work over a unidirectional ethernet cable. Only UDP. And even then only if the higher level network code was designed to handle generic broadcast to an IP address without anything initiating the connection or any kind of handshaking, etc. My point being that virtually no software would work with such a cable unless it was specifically designed to handle that scenario.

Re:and why... (0)

RMingin (985478) | more than 2 years ago | (#38124688)

Thanks for not reading. From the post you are replying to:

"and UDP broadcasting of the data stream"

Nobody said TCP but you.

Re:and why... (1)

canajin56 (660655) | more than 2 years ago | (#38124712)

Oh really, when he says that virtually all of the SCADA software is designed to handle blind UDP broadcast over that kind of cable, your counter is "TCP wouldn't work and the software would have to be specifically written to handle it"? Astonishing.

Re:and why... (1)

vlm (69642) | more than 2 years ago | (#38124748)

I don't see how TCP could possibly work over a unidirectional ethernet cable. Only UDP. And even then only if the higher level network code was designed to handle generic broadcast to an IP address without anything initiating the connection or any kind of handshaking, etc. My point being that virtually no software would work with such a cable unless it was specifically designed to handle that scenario.

syslog, in continuous use since the 80s. The advantage of being old is everything old is new again. I'm sure someone will reinvent syslog and sell it for millions to SCADA operators.

And yes, having done this, you do have to hard code the ARP table entries in the sender on the local lan, hence the appeal of putting a router in front of the doctored up cable such that it's the only device than need be configured with the MAC address of the syslog sink machine.
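Both the "unidirectional cable plus UDP broadcast" design in Lumpy's post and vlm's syslog-over-a-one-way-link point share one consequence: the receiving side has no way to ask for a retransmission, so loss and corruption have to be detected from the stream itself. The following is an added example, not code from the thread, any poster, or any SCADA or historian product. It models that receive side in software: the frame format (a constructed `HIST` tag, sequence number, timestamp, length and CRC32 trailer) is an assumption for illustration, and the lossy "link" is a list of frames with two dropped and one corrupted.

```python
import struct
import zlib

# Added example (not from the thread): framing for a one-way historian feed
# where the receiver cannot request retransmission, so every frame carries a
# sequence number and a CRC and the receiver records gaps instead of ACKing.

MAGIC = b"HIST"                       # constructed frame tag for this example
HEADER = struct.Struct("!4sIdI")      # magic, sequence, timestamp, payload length


def encode_frame(seq: int, timestamp: float, payload: bytes) -> bytes:
    """Sender side: header + payload + CRC32 trailer."""
    body = HEADER.pack(MAGIC, seq, timestamp, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def decode_frame(frame: bytes):
    """Return (seq, timestamp, payload), or None if the frame fails its checks."""
    if len(frame) < HEADER.size + 4:
        return None
    body, (crc,) = frame[:-4], struct.unpack("!I", frame[-4:])
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    magic, seq, ts, length = HEADER.unpack(body[:HEADER.size])
    if magic != MAGIC or len(body) != HEADER.size + length:
        return None
    return seq, ts, body[HEADER.size:]


class OneWayReceiver:
    """Consumes frames in arrival order and accounts for what never arrived."""

    def __init__(self):
        self.expected = 0
        self.records = []   # (seq, timestamp, payload) accepted
        self.gaps = []      # (first_missing_seq, last_missing_seq)
        self.corrupt = 0    # frames rejected by CRC/format checks

    def feed(self, frame: bytes) -> None:
        decoded = decode_frame(frame)
        if decoded is None:
            self.corrupt += 1
            return
        seq, ts, payload = decoded
        if seq < self.expected:
            return                      # stale or replayed frame: ignore
        if seq > self.expected:
            self.gaps.append((self.expected, seq - 1))
        self.expected = seq + 1
        self.records.append((seq, ts, payload))


def simulate_link():
    """Constructed scenario: ten frames sent, frames 3 and 4 dropped on the
    wire, frame 7 arrives with a flipped payload byte."""
    sent = [encode_frame(i, 1000.0 + i, b"tank1.level=%d" % (40 + i)) for i in range(10)]
    damaged = bytearray(sent[7])
    damaged[HEADER.size] ^= 0xFF        # corrupt the first payload byte
    sent[7] = bytes(damaged)
    rx = OneWayReceiver()
    for i, frame in enumerate(sent):
        if i in (3, 4):
            continue                    # lost: the receiver never sees these
        rx.feed(frame)
    return rx


if __name__ == "__main__":
    rx = simulate_link()
    print("accepted:", [r[0] for r in rx.records])
    print("gaps:", rx.gaps, "corrupt:", rx.corrupt)
```

On the monitoring side this is the operational cost of the diode: the historian can never be sure a quiet feed means a quiet plant, so gap counters and a "last frame seen" age should be alarmed just like the process values themselves. Note that the corrupted frame shows up both in the corrupt counter and as a one-frame gap, because the sequence number inside it is not trusted.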

Re:and why... (4, Insightful)

Nidi62 (1525137) | more than 2 years ago | (#38124604)

Is a FRACKING SCADA system on the internet?

The Plant manager needs to be fired on the spot. there is ZERO need to have a full connection from a SCADA system to any internet accessable networks.

But how else is the plant manager or a supervisor going to get to read his favorite blogs and news sites, or see that email with the newest picture of a cute kitten doing something funny?

Re:and why... (0)

Anonymous Coward | more than 2 years ago | (#38124606)

No one can hack it? Yeah right, until someone stuffs some firmware into the ethernet driver that reverses the RX and TX lines.

It's even easier for "one-way" serial cables. No firmware required to reverse those.

Re:and why... (3, Interesting)

GameboyRMH (1153867) | more than 2 years ago | (#38124800)

No one can hack it? Yeah right, until someone stuffs some firmware into the ethernet driver that reverses the RX and TX lines.

And they would install this firmware on the PLC how?

Re:and why... (1)

rubycodez (864176) | more than 2 years ago | (#38124610)

sadly, what is common is for the so-called "isolated SCADA network" to be hooked to a card in a PC that is also on the LAN, and then the guy installs remote access software so he doesn't have to come into work if there is a problem at 3am....... or just cracking the PC into a router is all it takes to p0wn the works

Re:and why... (1)

Sesostris III (730910) | more than 2 years ago | (#38124776)

and why Is a FRACKING SCADA system on the internet?

Possible answer - to allow the support team (in India?) to remote in when there are out-of-hours problems.

Most of those links are gone... (0)

Anonymous Coward | more than 2 years ago | (#38124952)

More than half of the URLs referenced by the webpage you posted regarding unidirectional ethernet cables do not load. I've never heard of anyone selling these, and it's obvious that knowledge of it is sparse and vanishing. Maybe this is why the fellas setting up the SCADA systems never thought of it? Also, keep in mind the reason these systems are hooked up to the internet is that the managers are lazy and don't want to have to go to each location, so they set these systems up for remote access. Lazy people aren't going to bother with a sophisticated solution like this, it requires too much effort. Seems like there should be a company that sells them easy to use cables, ready-made. Even then, they probably won't use them because it takes less effort not to address the problem at all and just hope nothing ever happens. Hope is cheap.

Re:Most of those links are gone... (0)

Anonymous Coward | more than 2 years ago | (#38125082)

Sell?

Sorry, are you incapable of "making" things?

Ooh, ooh! (1)

Rik Sweeney (471717) | more than 2 years ago | (#38124296)

I want to have a guess! It would probably have been something relevant to what they do, and then they'd have removed the vowels (cunning), so:

wtr

Password not the problem (5, Interesting)

brxndxn (461473) | more than 2 years ago | (#38124326)

I'm in this line of work.. The password was not the problem. Even the hacker is thinking like 'corporate IT' would think in terms of security. The plant floor is different.

Here's the rule: A computer that controls industrial machinery should not be connected to the Internet. The only part of an industrial process that can even possibly be connected to the Internet is historical data and alarming.

HMI software is typically a set of screens representing the automation parts of a plant process. This means that in order to start/stop a motor or energize a valve, the screen is required. It is insecure to put a password on that screen. Yes.. insecure. The priorities at a plant are different. It is always the most secure to allow control of the plant to the people at the plant. There are physical E-stop buttons on control panels in case of emergency, but the E-stop is not the end all to prevent industrial disasters. For example, if a person has his hand caught in a valve, hitting the E-stop may cause the valve to move. Another example would be an exothermic process where explosive gases could accumulate in the wrong parts of the process, hitting the E-stop may not get rid of the gas. The operator at the plant is in charge of the process - it is critical that he or she always have control over the system.

Therefore, don't connect your plant floor to the Internet.. unless you want China to be able to control it. If white-collar executive-type people want to see pretty screens, give them historical data.

Re:Password not the problem (1)

Thud457 (234763) | more than 2 years ago | (#38124472)

what's wrong with using physical keys for this kind of situation -- proves you're there at the console, proves you've been entrusted with access (or took a wrench to somebody who had been entrusted with access).

Everybody understands keys. And what happens if you lose them.

Re:Password not the problem (5, Informative)

vlm (69642) | more than 2 years ago | (#38124616)

It's just engineering malpractice, pure and simple. No different than trying to claim we don't need those OSHA required safety guards because no one would ever do something stupid or malicious in the plant.

The other way to hook up to the internet, as described to me by a guy who works at a "real" chemical plant where dangerous stuff is done, is you use two separate systems both of which would have to be hacked to cause damage, plus non-SCADA automatic control.

In this scenario, where they blew the water pump up by power cycling it, there are two series control relays supplying power to the VFD and if EITHER scada system decides there is a problem with the plant or the other SCADA, that scada cuts input power to the VFD until it's convinced it's OK. Most VFDs like a 0-10 volt DC input to control their output, and it's not all that difficult to hard wire a physical time delayed relay that says you need to output more than a volt for more than a minute to close the relay contacts connecting the VFD to the SCADA and start the pump, so the SCADA literally cannot physically turn the pump on and off more often than once per minute. You can also drive the time delayed relay off the other SCADA system, so one system decides to turn on the pump, while the other decides how fast to run the pump, and either can shut down the pump if they feel the need. Most VFDs can be configured to not allow operation outside certain limits, like drawing more than X amps where X is larger than normal but less than the theoretical VFD limit, and not to turn on if a thermocouple says it's too hot or a pressure gauge somewhere has an open loop signal. Similar design such that NPSH and output pressure have to be within certain limits or again, the time delayed relays open circuit the AC input to the VFDs and/or the control input to the VFDs. Finally it's no heroic effort to wire up two safety bypass relays in series so that if you have control of both SCADA systems, and both independent scada systems agree, you can bypass the safety relays (and the enabling of this bypass also turns off a green light inside the safety director's office, resulting in management involvement, formal written reports and investigation, etc)

This is cheaper to install and operate than you think, because both suppliers know darn well they can be replaced individually with no real impact to plant operations, unlike the traditional "one ring to bind them all" scada design where the consultants and suppliers know they've got you over a barrel and can charge what they want.
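The interlock design in this post (a time-delayed relay that closes only after the control output has exceeded one volt for a full minute, wired in series with a second relay driven by the other SCADA system) is a defence that holds even when the HMI itself is fully compromised, because the limit is enforced by hardware the attacker cannot reach. The following is an added software model of that relay logic, not code from the thread or from any relay or drive vendor; the 1 V threshold and 60 s delay come from the post, while the command profiles (a hostile on/off toggle every 5 seconds, a steady command, and a safety-side trip at 90 s) are constructed for the example.

```python
from dataclasses import dataclass

# Added example (not from the thread): a software model of the time-delayed
# enable relay described above, used to check that a rapidly toggling
# command (for instance from a compromised HMI) never reaches the drive.


@dataclass
class TimeDelayedEnable:
    """Relay between a SCADA control output and the VFD. Contacts close only
    after the command has stayed above `threshold_volts` for `delay_s`
    continuous seconds; any drop below the threshold opens them at once."""
    threshold_volts: float = 1.0
    delay_s: float = 60.0
    held_for: float = 0.0
    closed: bool = False

    def step(self, command_volts: float, dt: float) -> bool:
        """Advance the relay by `dt` seconds with the given command voltage."""
        if command_volts > self.threshold_volts:
            self.held_for += dt
            if self.held_for >= self.delay_s:
                self.closed = True
        else:
            self.held_for = 0.0
            self.closed = False
        return self.closed


def pump_power_trace(command_a, command_b, dt=1.0, delay_s=60.0):
    """Two relays in series, one per SCADA system: the drive is powered only
    while both are closed. Returns (number of starts, powered at the end)."""
    relay_a = TimeDelayedEnable(delay_s=delay_s)
    relay_b = TimeDelayedEnable(delay_s=delay_s)
    starts, powered = 0, False
    for volts_a, volts_b in zip(command_a, command_b):
        a = relay_a.step(volts_a, dt)   # both relays must be stepped every tick
        b = relay_b.step(volts_b, dt)
        now = a and b
        if now and not powered:
            starts += 1
        powered = now
    return starts, powered


def steady(seconds, volts=10.0, drop_at=None):
    """Constructed command profile: hold `volts`, optionally dropping to 0 V at `drop_at`."""
    return [0.0 if drop_at is not None and t >= drop_at else volts for t in range(seconds)]


def cycling(seconds, period=5, volts=10.0):
    """Constructed hostile profile: toggle the command on and off every `period` seconds."""
    return [volts if (t // period) % 2 == 0 else 0.0 for t in range(seconds)]


def scenarios():
    """Three constructed runs, one second per tick."""
    return {
        "hostile cycling on one SCADA": pump_power_trace(cycling(300), steady(300)),
        "both steady for two minutes": pump_power_trace(steady(120), steady(120)),
        "safety SCADA trips at 90 s": pump_power_trace(steady(120), steady(120, drop_at=90)),
    }


if __name__ == "__main__":
    for name, (starts, powered) in scenarios().items():
        print(f"{name:32s} starts={starts} powered_at_end={powered}")
```

The model shows the property the post relies on: the five-second toggling never accumulates the required minute of continuous command, so the pump gets zero starts no matter how many commands the compromised system issues, while a single trip from the other SCADA opens the series path immediately. A real installation would add the drive-side current, temperature and pressure limits the post mentions; those are left out here because the relay timing is the part the page explains.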

Re:Password not the problem (4, Interesting)

vlm (69642) | more than 2 years ago | (#38124994)

And a guy I know at another plant described "adversarial SCADA" to me where two separate systems from two separate mfgrs and two separate consultants, one run by an "operator" and reporting up the operations management chain all the way to the board, and another run by "safety" and reporting up the safety management chain all the way up to the board.

The operations guy and his SCADA system do whatever they want whenever they want, but if the safety guy and his SCADA detect an overspeed or an overtemp or underpressure then safety guy and his scada cuts power to the operations guy and his scada. Also operations guy can "get even" with safety guy because he has relays installed that can simulate sensor failure, and the safety guy has to respond within X minutes following whatever procedures, and the operations guy is presumably intelligent enough to only perform those tests when operationally convenient.

Also although technically either the safety guy OR the operations guy can punch the "give up" buttons, because the safety guy does not answer to the bean counters, that means the dump tank and suppression buttons are for all intents and purposes exclusively operated by the safety guy... The operations guys have training issues in not bothering to even know how to operate the fire suppression valves, for example. Which is bad, because the centers are geographically separate, so if a tornado wiped out the safety center, or even just a failure or a hack event took it out, the ops guys might literally not know how to put out a fire at the plant, even though they are technically capable.

This is a fail when weird plant conditions require jury rigging and close coordination, and also a financial failure because the independent supplier of the operations scada knows the plant shuts down if they try to change out, so he's free to charge as much as he pleases.

Hack our safety scada yesterday? who cares, ops will safe the plant. Hack our ops today? who cares, safety will safe the plant. Hack both separate systems with separate designs and separate manufactures tomorrow at the same time? who cares, that has to be an inside job...

Re:Password not the problem (1)

statusbar (314703) | more than 2 years ago | (#38125016)

Most likely no one DID connect a computer that controls industrial machinery to the internet.

They probably connected a DIFFERENT computer on the same network to the internet.

Wait... (2)

evil_aaronm (671521) | more than 2 years ago | (#38124328)

Weren't we told that this did -not- happen? I distinctly recall seeing a denial from the authorities that any water system was compromised at any time.

The default password could have been stronger... (1)

FBeans (2201802) | more than 2 years ago | (#38124340)

I assume that a tech guy set up the system: "here your current password is 'Password1'. Please change it, for security reasons..."

By contrast... (4, Interesting)

RogueWarrior65 (678876) | more than 2 years ago | (#38124356)

Some government sites have these onerous password requirements e.g no fewer than 15 characters, no consecutive characters even if they are a different case, at least one numeric and at least one punctuation. It's not surprising that coming up with something you can remember that fulfills these requirements is a bitch. Oh, and you have to change it periodically. IMHO, this naturally leads to writing the damn thing down somewhere.

Re:By contrast... (1)

ILongForDarkness (1134931) | more than 2 years ago | (#38125250)

A password difficult enough not to get cracked is a password difficult enough that it can't be remembered. Smart card and relatively simple password is probably better but that costs money (readers and cards but also lost time because "I left my card at home") whereas password complexity requirements are just a simple software configuration away.

WTF (0)

Anonymous Coward | more than 2 years ago | (#38124374)

Why the hell is something of this importance accessible from the internet???

Re:WTF (1)

FBeans (2201802) | more than 2 years ago | (#38124492)

For usability reasons. Remember Business Requirements are more important than technical ones. This way the security guard for the building could sit at his desk, with solitaire on screen and IE open with the web client in the other. Clearly they got caught napping!

Epic Fail & no-win situation (5, Interesting)

Anonymous Coward | more than 2 years ago | (#38124422)

Network admin for another city govt in Texas here... albeit a very much smaller city.

1) first of all, it's absolutely nuts to place your water purification SCADA (or even your wastewater plant's SCADA) onto any network segment that's accessible from the public Internet, and we in the IT department know that all too well, however we're not "in charge" of the SCADA systems and have essentially zero authority to do anything about it. Part of the problem here is that the folks who *are* in charge of these systems are thoroughly aware that we in IT know how to better secure their systems, but do not want us involved in any way because our security will "make things too hard for them to do their jobs".

2) The folks who run the SCADA systems on a daily basis know only two things about systems security: 1) diddly and 2) squat. They are water process and industrial chemistry people, not computer people, and it shows big time.

3) The vendors who supply and support the SCADA systems feverishly demand that the SCADA systems be easily accessible over the Internet for their convenience for remote support, and frankly do not give a rat's ass about the customers' security... their response is that security is not their problem it's ours.

So, it's no wonder these systems are getting hacked and it's going to get worse as time progresses.

Re:Epic Fail & no-win situation (1)

vlm (69642) | more than 2 years ago | (#38125258)

3) The vendors who supply and support the SCADA systems feverishly demand that the SCADA systems be easily accessible over the Internet for their convenience for remote support, and frankly do not give a rat's ass about the customers' security... their response is that security is not their problem it's ours.

Can't allow VPNs instead of wide open access? Even the place I'm at now, has exclusively VPN access for "outside engineering suppliers"

Historically, back when dial up support was the way to go, I worked at a place where IBM had remote access to "our" multiple mainframes only when an orange cable was draped across the desk of our security officer (this is before orange meant fiber, it was just orange "silver satin" 4 conductor modular phone wire).... Being a "mahogany row" level management position, this cable was only installed when absolutely necessary with the sec officer's personal involvement. The jack leading to the modem was inside a cheap walmart-ish safe, which could be bypassed if you wanted to get fired... I dunno who could open the safe, but it had to be someone with access to the security officer's palatial office, not a peon like I was.

This was at a company that was tangentially involved in about 1-5% of stock exchange transactions that happen in this county, depending how you do the numbers, at least way back then before high freq trading became cool. Should be a good enough solution for a small town water-pump.

Idiots (0)

Anonymous Coward | more than 2 years ago | (#38124444)

ANYBODY who connects critical infrastructure control systems to the internet should be locked up for criminal incompetence.

IT IS NOT NECESSARY.

And, yes, I do know what I'm talking about.

Well that makes it OK, then! (3, Interesting)

xyourfacekillerx (939258) | more than 2 years ago | (#38124464)

As usual, blame the owners and operators of the target, not the hacker. Because if I don't lock my front door, it's totally OK for you to come in and run up my utility bill and eat out of my fridge, help yourself to my stereo and tv while you're at it... and if I have a spare key under my hood that you find on my car, by all means, how could anyone be held accountable if they take it for a joy ride and/or steal it?

Re:Well that makes it OK, then! (1)

FBeans (2201802) | more than 2 years ago | (#38124576)

If I see you bent over, I'm gonna kick you up the ass. That's just how this world works. It's my fault, but you're at some fault for bending over so easily. Good and Bad in black and white forms doesn't exist; in reality there are a number of parties at blame for this.

Re:Well that makes it OK, then! (0)

Anonymous Coward | more than 2 years ago | (#38124684)

I'd say if your bank left all vault doors unlocked, turned off their security cameras and left their front door wide open, hell yes they are as much at fault as the robbers.

Re:Well that makes it OK, then! (1)

Runaway1956 (1322357) | more than 2 years ago | (#38124714)

If you walk down the street, dropping hundred dollar bills from your pocket, are you going to demand that the kids running after you, and rescuing the bills be locked up?

Re:Well that makes it OK, then! (1)

canajin56 (660655) | more than 2 years ago | (#38124876)

Yeah, if your car gets stolen and you say to your insurance company "Yeah I keep the keys in the ignition and never lock it, don't you fucking assholes blame the victim here, he had no right to steal my property!" you're not getting your claim approved. Just like if, say, a prison's doors aren't designed to be kick-proof, and a prisoner kicks one down and escapes, that's his fault, not the prison's! Don't blame the victim!

3 characters can be enough (1)

Anonymous Coward | more than 2 years ago | (#38124558)

It is possible to design a system that uses 3 character passwords that would still be relatively secure. 3 characters using 0-9A-Za-z and special characters would still yield 20 bits worth of entropy. If this is joined with a very low max-tries tied to the attempted username and enforced across all systems using this login, this is pretty tight. If your chances are 3/2^20 before the account permanently locks, odds are it won't be broken. Remember ATM passwords are typically 4-6 digit numeric. This low entropy (13 to 20 bits) is mitigated by eating your card if you screw up your password more than a few times.

I'm not condoning the use of pathetically short passwords here. I'm just highlighting the importance of other password related security measures that need to always be taken into account. I've broken into a major academic portal system (yes authorized) used by multiple large institutions before because of shitty implementations.

Re:3 characters can be enough (3, Interesting)

MadKeithV (102058) | more than 2 years ago | (#38124804)

I'm no security expert, but humor me and point out the flaws in my logic below.

Disabling access after X tries might be enough where the token to uniquely identify access is relatively well-defined, like say your ATM card, and disabling access for that user doesn't de facto terminate the system (i.e. other ATM users can still use the machine with their credentials after it eats your card).
For admin-access to such systems over the internet it's dangerous to disable the admin account after X tries, because then you lose remote administration functionality of a potentially critical system. "Ah, but you can reset with physical access" you will say - yes, true, but this is a critical system they put *on the internet* in the first place, for better or worse, probably because physical access to that system is pretty difficult for the poor sod designated the "administrator" (disused lavatory, beware of leopard, etc.). Who knows how long the system will be offline for administration until the first opportunity for physical access.
The disabling of (admin) access after X tries also effectively creates a DoS attack against that system. I don't know the login procedure of this particular type of system, but assuming it's username/password, you could DoS the system by spamming all kinds of *usernames* with X repetitions of the wrong password to disable them. Preventing the DoS attack would require hard-to-brute-force usernames - the username becomes the secret, not the password.
It's probably also possible to spoof session identifiers for a hacker to evade repetition detection.
I think the SCADA system can only lose in this kind of scenario, unless they have a password that is very hard to crack within its valid timespan. Or until they finally figure out that putting critical systems online with weak passwords or account disabling is probably not such a good idea.
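
As an added example, not code from any commenter nor from the Simatic HMI, here is Python that does the entropy arithmetic from the "3 characters can be enough" post and contrasts a permanent per-account lockout with a per-account throttle that only delays the next attempt, which avoids the self-inflicted denial of service MadKeithV describes. The alphabet sizes, the 3-failure limit and the 1-second base delay are constructed assumptions.

```python
import math

# Constructed alphabet sizes: 95 printable ASCII characters (0-9, A-Z, a-z
# and specials) for the 3-character password, 10 for a numeric ATM PIN.
PRINTABLE_ASCII = 95
DIGITS = 10


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password over the alphabet."""
    return length * math.log2(alphabet_size)


def success_probability(alphabet_size: int, length: int, guesses: int) -> float:
    """Chance that `guesses` distinct attempts hit a uniformly chosen password."""
    return min(1.0, guesses / alphabet_size ** length)


class LoginGuard:
    """Counts consecutive failed logins per username.

    mode="lockout": disable the account after max_failures, as the thread
    proposes; anyone who knows the username can then lock it with bad guesses.
    mode="throttle": never disable; refuse attempts until a delay that doubles
    with each failure has elapsed, so the rightful user is only slowed down.
    """

    def __init__(self, mode="throttle", max_failures=3, base_delay=1.0):
        self.mode, self.max_failures, self.base_delay = mode, max_failures, base_delay
        self.failures = {}     # username -> consecutive failures
        self.not_before = {}   # username -> earliest time the next try is accepted

    def attempt(self, username: str, password_ok: bool, now: float) -> str:
        """Returns 'ok', 'denied', 'locked' or 'throttled'."""
        fails = self.failures.get(username, 0)
        if self.mode == "lockout" and fails >= self.max_failures:
            return "locked"          # a correct password no longer helps
        if self.mode == "throttle" and now < self.not_before.get(username, 0.0):
            return "throttled"       # too early; not counted as a new failure
        if password_ok:
            self.failures[username] = 0
            self.not_before.pop(username, None)
            return "ok"
        self.failures[username] = fails + 1
        # exponential backoff: 1 s, 2 s, 4 s, ... after each consecutive failure
        self.not_before[username] = now + self.base_delay * 2 ** fails
        return "denied"
```

The throttle caps an online guessing rate at roughly one attempt per doubling interval per account without ever handing an outsider a way to lock the administrator out.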

DHS Response (5, Insightful)

TheRedSeven (1234758) | more than 2 years ago | (#38124580)

I first found this incident via Bruce Schneier & Wired [wired.com].

The most telling thing, for me, was this section of the linked article:

“DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Illinois,” according to a statement released by DHS spokesman Peter Boogaard. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

So...in the instance of a single shoe bomber, stopped by his own stupidity and the efforts of other airline passengers, TSA (a section of DHS) responds by calling it a systemic risk to air travel, and we must all take off our shoes. In the instance of a plot to use liquid explosives, which probably wouldn't have worked and was stopped in the planning stages, TSA responds by calling it a systemic risk and we must all limit ourselves to 3oz bottles of liquids that fit in a quart size bag. In the instance of a single underwear bomber, stopped by his own stupidity, TSA responds by calling it a systemic risk to air travel, and we must all be subject to X-ray/millimeter wave scanners and/or the big Grope.

In the instance of SCADA hacking, which could conceivably harm our infrastructure on a significant and systemic level from afar, with little/no risk of the perpetrators being caught, DHS responds by saying, "No big deal."

There's something very...wrong here.

Re:DHS Response (0)

Anonymous Coward | more than 2 years ago | (#38124794)

Why do people always claim that the liquid bomb probably wouldn't work?
It has in fact been successfully used in an airplane attack. And someone actually died as a result. That was simply a test run too.

Re:DHS Response (1)

Jeng (926980) | more than 2 years ago | (#38125024)

It has in fact been successfully used in an airplane attack. And someone actually died as a result.

Mind linking some proof of that?

I've done some googling for that and the closest I can come is 4 failed bombings on buses in the UK where one person died of an asthma attack.

Re:DHS Response (1)

Anonymous Coward | more than 2 years ago | (#38125218)

http://en.wikipedia.org/wiki/Bojinka_plot#Test_bombs:_mall.2C_theater.2C_747_airliner

A lot of people seem to think those bombs are not possible. That must be a great comfort to Haruki Ikegami, who was killed by one.

That was just a small scale test also, and it did quite a bit of damage to the airliner.

Re:DHS Response (0)

Anonymous Coward | more than 2 years ago | (#38125122)

Actually, Napolitano is on record for the underwear bomber (or shoe, can't remember) as saying "this is proof the system worked".

Child knows (5, Funny)

jones_supa (887896) | more than 2 years ago | (#38124720)

'A child who knows how the HMI that comes with Simatic works could have accomplished this,' he wrote in an e-mail.

And a child knows too that you shouldn't break into other people's property...

Hackers? (1)

JadeAuto (935739) | more than 2 years ago | (#38124922)

The most common passwords are god, love, sex, and password. Doesn't surprise me. Why was god on the mainframe this late at night, anyhow? Zero cool would have done better.

The real problem (0)

Anonymous Coward | more than 2 years ago | (#38124966)

The password, the isolation, the technobabble is not the problem. Bad people are the problem. Start hunting down and exterminating bad people. If the prize for hacking into a water plant is 15 minutes of fame followed by an early grave we'll see the population of scumhackers nosedive.

aggie? (0)

Anonymous Coward | more than 2 years ago | (#38125196)

I would say the odds were pretty good they made the mistake of hiring an aggie.

not uncommon (2)

ILongForDarkness (1134931) | more than 2 years ago | (#38125210)

Things that need external service technicians often have very simple passwords. For example I work in health care and I know of at least two major companies whose components have the same login for every site for administrator access. You probably as a customer could insist on changing it but the vast majority of sites don't. So need to give someone some radiation? You know the password. That said it isn't going to affect a whole community, but the 30-100 patients that get treated before the problem is detected? Very doable. Similarly wifi routers from ISPs almost always have a default password; most people I know change the WPA key but don't touch the admin account password. So anyone allowed into the network (or who can plug a network cable into the back of the box for a couple minutes) can take it over pretty easily. Not a real big deal I realize because if they change the password to login (since they don't know yours presumably that is what they would do to get internet access) you'd realize it isn't working and work to set it back. But if you are running a wired network primarily but it is a wifi device, it could be an issue.