Slashdot Mirror


SCADA Hacker: Water District Used 3-Character Password

Trailrunner7 writes "In an e-mail interview with Threatpost, a hacker who compromised software used to manage water infrastructure for South Houston, Texas, said the district had HMI (human machine interface) software used to manage water and sewage infrastructure accessible to the Internet and used a password that was just three characters long. The hacker, using the handle 'pr0f', took credit for a remote compromise of supervisory control and data acquisition (SCADA) systems. Communicating from an e-mail address tied to a Romanian domain, the hacker told Threatpost that he discovered the vulnerable system using a scanner that looks for the online fingerprints of SCADA systems. 'This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,' he wrote in an e-mail."

213 comments

  1. duh by stoolpigeon · · Score: 4, Funny

    the upside is if you can't afford your own truck landing robot helicopter, it shouldn't be too hard to steal one. access to truck landing robot helicopters should be an inalienable right.

    i bet the password was h2o

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    1. Re:duh by NeumannCons · · Score: 5, Insightful

      H2o. Need at least one uppercase, one lower case and one non-letter.

    2. Re:duh by grasshoppa · · Score: 1

      It's distressing how often it's `h2o`.

      --
      Mod me down with all of your hatred and your journey towards the dark side will be complete!
    3. Re:duh by stoolpigeon · · Score: 5, Funny

      Of course, you are correct.

      --
      It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    4. Re:duh by somersault · · Score: 1

      In the 90s, I used to use "water" for everything..

      --
      which is totally what she said
    5. Re:duh by Anonymous Coward · · Score: 0, Insightful

      That comic is retarded and I don't know why people quote it

    6. Re:duh by rubycodez · · Score: 1, Insightful

      Except Randall Munroe underestimated how good that is. If there are 6000 "common words", then a four word password is out of 6000 * 5999 * 5998 * 5997 = 1.3 * 10^15 combinations. That's more than 50 bits of entropy (2^50 = 1.1 * 10^15), his time to guess should be multiplied by 2^6, or 35,000 years by his 1000 guesses a second (and no login will allow that many, multiply by a thousand more for 35 million years!)

    7. Re:duh by Runaway1956 · · Score: 3, Insightful

      The comic probably does look retarded, to someone who doesn't grasp the concept. You better go now, I can hear the short bus honking for you!

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    8. Re:duh by stoolpigeon · · Score: 1, Offtopic

      I spent the last couple hours trying to get first post on stories so I could make comments with the subject of "Duh" and a joke about a uav helicopter landing on a truck. And you wonder? Really?

      --
      It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
    9. Re:duh by ddd0004 · · Score: 1

      Water? Like from the toilet? Brawndo's got what plants crave.

    10. Re:duh by Moryath · · Score: 3

      Except that there aren't going to be 6000 "common words" as the base. You're going to see the same inanity as current passwords, you're going to see dictionary file attacks using an actual kiddy dictionary with 1000 words or less. This will break through most passwords. You're going to see users allowed to create their own password, which means "jebusisgodone" and "onelittlefishyswim" followed by "jebusisgodtwo" and "twolittlefishyswim" and so on and so forth.

      "Bitwise", it sounds secure, until you realize it can trivially be attacked on the token level rather than the bit level.

    11. Re:duh by Cyberia · · Score: 1

      pffffffft... Nah, I'm betting a nerdy guy who can't bring himself to swear set the password. A woman would most likely have chosen H2O. My money is on poo (or some l337 derivative therein).

    12. Re:duh by masternerdguy · · Score: 5, Funny

      3 letter password? I guess not everything's bigger in Texas.

      --
      To offset political mods, replace Flamebait with Insightful.
    13. Re:duh by Reverand+Dave · · Score: 1

      Brought to you by Carl's Jr.

      --
      I got here through a series of tubes
    14. Re:duh by rubycodez · · Score: 2

      Nope, the computer generates the password from the easy words. you memorize the easy words. problem solved

    15. Re:duh by RandomAvatar · · Score: 1

      This is why, when I create a password I come up with a non-famous phrase, take 1 letter from each word, and add symbols and numbers. That way all I really have to remember is the symbol and number placement, and I have a password that is all but random, yet easy to remember.

    16. Re:duh by mcgrew · · Score: 1

      This is the second one I've heard of in a week, there was one a few miles from here last week (it was covered in slashdot). SCADA operators better start smartening up or there'll be some serious trouble.

      Someone should at least get a reprimand out of this. Three letters? WTF?

    17. Re:duh by AngryDeuce · · Score: 1

      That reminds me, it's time for my daily coffee and hand job at the local Starbucks...

    18. Re:duh by Anonymous Coward · · Score: 0

      Fuck you, I'm eating!

    19. Re:duh by camperdave · · Score: 1

      One of my former bosses used the initial letters of the first ten digits (eg one, two, three... ->ottffssent) except he didn't use English.

      --
      When our name is on the back of your car, we're behind you all the way!
    20. Re:duh by Anonymous Coward · · Score: 0

      Munroe is calculating at the token level, not at the character level, and is assuming a dictionary with 2048 appropriate words. Note as well that Munroe specifies that the four words must represent unrelated concepts. With that token dictionary, assuming that obvious four word sequences are not used, at the token level you have 2^11 * 2^11 * 2^11 * 2^11, for 2^44 - over eight trillion combinations. If you insist, you can subtract 2^20 for the million or so obvious four-word sequences like "jebusisgodone" or "(Word)\1\1\1" that should be excluded by a libcrack-style dictionary. If you do that - use a million-phrase dictionary to exclude obvious sequences - then you'll have something which is no less trivial to attack than any other "44-bit" sequence.

    21. Re:duh by Anonymous Coward · · Score: 0

      So that's your venti skinny mocha handy?

    22. Re:duh by Anonymous Coward · · Score: 0
    23. Re:duh by DMUTPeregrine · · Score: 1

      This is why I use diceware. 7776 words.

      --
      Not a sentence!
    24. Re:duh by McGruber · · Score: 1

      H2o. Need at least one uppercase, one lower case and one non-letter.

      They should change it to H2Oiswater, in order to meet the new 10-character minimum requirement.

    25. Re:duh by Anonymous Coward · · Score: 0

      Cool, I just changed all my passwords to "correct horse battery staple". No one will ever get in now!

    26. Re:duh by Anonymous Coward · · Score: 0

      You didn't ask about the font size...

    27. Re:duh by rb12345 · · Score: 2

      If you let users pick all four words in the password, yes, but that's not the suggestion. The actual idea is that the password is a 44-bit random number created by a cryptographically secure RNG. You can hex-encode this in 11 hex digits (difficult to remember), or use 4 base 2^11 digits. Since we don't have 2^11 easy to remember/type symbols, we use one word per symbol, defined in advance. The end user does not pick the alphabet/word-set used for this.
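
Putting the thread's arithmetic in one place, as an added example that is not from any poster here: it computes the bit strength of the three-character password from the story, of Munroe's four words from 2048, of the four-of-6000-without-repeats count, and then shows why a user-chosen run of dictionary words is measured at the token level rather than the character level. The sixteen-word list is a constructed toy dictionary, not a real word list.

```python
"""Passphrase strength arithmetic from the thread, in one place.

Added example, not from any poster on this page. WORDS is a constructed
sixteen-word toy dictionary; real lists (2048 for the xkcd scheme, 7776 for
Diceware) plug into the same functions.
"""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed toy dictionary: 16 words -> 4 bits per word when picked at random.
WORDS = [
    "correct", "horse", "battery", "staple",
    "jebus", "is", "god", "one",
    "two", "little", "fishy", "swim",
    "in", "the", "jungle", "water",
]


def charset_bits(charset_size, length):
    """Entropy of a uniformly random password over a fixed alphabet.

    The story's three-character password, if lowercase only: 3 * log2(26), about 14 bits.
    """
    return length * math.log2(charset_size)


def passphrase_combinations(dict_size, n_words, with_replacement=True):
    """Number of ordered word sequences a random generator can produce.

    with_replacement=True  is Munroe's model: 2048**4 == 2**44.
    with_replacement=False is the no-repeats model: 6000*5999*5998*5997.
    """
    if with_replacement:
        return dict_size ** n_words
    total = 1
    for i in range(n_words):
        total *= dict_size - i
    return total


def passphrase_bits(dict_size, n_words, with_replacement=True):
    """Entropy in bits of a randomly generated n-word passphrase."""
    return math.log2(passphrase_combinations(dict_size, n_words, with_replacement))


def crack_years(bits, guesses_per_second):
    """Years to exhaust a keyspace of 2**bits at a constant guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def segment_into_words(phrase, wordlist):
    """Split a concatenated phrase into dictionary words using the fewest words.

    Fewest words is the attacker-favourable split: the token-level search space
    is dict_size ** n_words, so fewer tokens means a cheaper search.
    Returns None when the phrase cannot be built from the dictionary at all.
    """
    words = set(wordlist)
    max_len = max(len(w) for w in words)
    best = [None] * (len(phrase) + 1)  # best[i]: fewest-word split of phrase[:i]
    best[0] = []
    for i in range(1, len(phrase) + 1):
        for j in range(max(0, i - max_len), i):
            if best[j] is not None and phrase[j:i] in words:
                candidate = best[j] + [phrase[j:i]]
                if best[i] is None or len(candidate) < len(best[i]):
                    best[i] = candidate
    return best[len(phrase)]


def attacker_bits(phrase, wordlist, charset_size=26):
    """Effective strength against an attacker who runs the cheaper of two searches.

    Character-level brute force (charset_size ** len) versus token-level search
    over dictionary words (dict_size ** n_words). A user-chosen phrase such as
    "jebusisgodone" looks strong counted bitwise but is four picks from a
    small list counted tokenwise. Returns (bits, word_split_or_None).
    """
    char_bits = charset_bits(charset_size, len(phrase))
    split = segment_into_words(phrase, wordlist)
    if split is None:
        return char_bits, None
    token_bits = len(split) * math.log2(len(set(wordlist)))
    return min(char_bits, token_bits), split


if __name__ == "__main__":
    secs = crack_years(charset_bits(26, 3), 1000) * SECONDS_PER_YEAR
    print(f"3 lowercase chars:     {charset_bits(26, 3):5.1f} bits, {secs:.0f} s at 1000/s")
    print(f"4 of 2048, repeats ok: {passphrase_bits(2048, 4):5.1f} bits, "
          f"{crack_years(44, 1000):.0f} years at 1000/s")
    print(f"4 of 6000, no repeats: {passphrase_bits(6000, 4, False):5.1f} bits")
    print(f"5 Diceware words:      {passphrase_bits(7776, 5):5.1f} bits")
    bits, split = attacker_bits("jebusisgodone", WORDS)
    print(f"jebusisgodone: {bits:.1f} bits at the token level, split {split}")
```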

    28. Re:duh by MartinSchou · · Score: 0

      If you let users pick all four words in the password, yes, but that's not the suggestion.

      Not necessarily a problem.

      A friend of mine used to use the password "Itjtmjtlstx2". A short form of:

      "In the jungle the mighty jungle the lion sleeps tonight" repeat twice

      He couldn't grasp the concept that not only is it easier to remember and type out "In the jungle, the mighty jungle, the lion sleeps tonight", but it's also a hell of a lot harder to brute force.

    29. Re:duh by JonWan · · Score: 1

      3 letter password? I guess not everything's bigger in Texas.

      Just the idiots.

    30. Re:duh by HereIAmJH · · Score: 1

      Three letters? WTF?

      Damn it, now they're going to have to change the password again.

      Serious trouble, like turning a pump off for a 54" main...

      Water Hammer

      --
      Another day, another update to a Google android app.
    31. Re:duh by Anonymous Coward · · Score: 0

      Easily padded. Even spaces add complexity. My password sucks a$$ There. 4 words.

    32. Re:duh by CBravo · · Score: 1

      or h20h30+oh-

      --
      nosig today
    33. Re:duh by TheCRAIGGERS · · Score: 1

      If I got that with my tea, I might not mind paying $5.

    34. Re:duh by wickedskaman · · Score: 1

      ~:-O That's mean!

      --
      Sand's overrated... it's just tiny little rocks.
    35. Re:duh by fatphil · · Score: 2

      I would hope that he wouldn't just not grasp the concept, but would shun it for the nonsense that it is. Assuming he's not a touch typist, and makes an error about once every 30 characters, he'll very rarely be able to type your absurd suggestion correctly. Tough luck on those 3-failures and you're locked out sites.

      And you apparently haven't got a clue about unicity distance - if someone shoulder-surfs a quarter of your phrase, there's a bloody good chance he'll be able to guess what the whole phrase is, as it's an incredibly-low entropy phrase. A quarter, 3 characters, from the shortened form would do little more than remove about 15 bits of entropy from it, rather than practically reducing the entropy to zero. All you'd need to see is "In the jung", and you're basically left with only about 6 more things to try.

      --
      Also FatPhil on SoylentNews, id 863
  2. Predicting Government Response by itchythebear · · Score: 5, Funny

    A child who knows how the HMI that comes with Simatic works could have accomplished this...

    The obvious course of action to prevent future attacks against SCADA systems is to ban all children. Problem solved.

    --
    If what I just said sounded like a troll, it was probably just a failed attempt at humor.
    1. Re:Predicting Government Response by Anonymous Coward · · Score: 0

      A child who knows how the HMI that comes with Simatic works could have accomplished this...

      The obvious course of action to prevent future attacks against SCADA systems is to ban all children. Problem solved.

      Soooo many problems solved ;)

    2. Re:Predicting Government Response by Anonymous Coward · · Score: 2, Informative

      Credit where credit was due: It was a Siemens system, of Stuxnet fame. Great for launching false-flag attacks to drum up support against "terrorists" and our civil rights.

      -- Ethanol-fueled

    3. Re:Predicting Government Response by Anonymous Coward · · Score: 0

      Hooray! No more children to think of!

    4. Re:Predicting Government Response by Anonymous Coward · · Score: 1

      The obvious course of action ... is to ban all children. Problem solved.

      Soooo many problems solved ;)

      No kidding, but who's going to open the bottle of ibuprofen for me?

      Ooh, CAPTCHA = pattern. Yeah, I see a pattern too, now be a good boy and give daddy his pills.

    5. Re:Predicting Government Response by Anonymous Coward · · Score: 3, Funny

      A child who knows how the HMI that comes with Simatic works could have accomplished this...

      Well, yeah, I mean, who doesn't have fond memories of studying the Simatic HMI on SCADA systems back in preschool?

    6. Re:Predicting Government Response by TheCarp · · Score: 4, Funny

      no, our teacher was a doody head. He was too lazy to teach the modules on SCADA and just had us spend extra time "playing with blocks".

      --
      "I opened my eyes, and everything went dark again"
    7. Re:Predicting Government Response by bmo · · Score: 4, Interesting

      You think this is funny, eh?

      Richard Feynman had a story about how his hobby was safe cracking. He cracked a cabinet that had a combination lock on it and then told the people who mattered the security hole. Did they upgrade the security on the cabinet? No, they banned him from the room. Problem solved.

      --
      BMO

    8. Re:Predicting Government Response by Anonymous Coward · · Score: 0

      or just to ban all knowledge of how the HMI that comes with Simatic works. That seems like a more likely scenario given how things are going these days IMO. Anyone who possesses that knowledge must be a TERRORIST!

    9. Re:Predicting Government Response by DrBoumBoum · · Score: 2

      "Why a four year old child could understand this. Run out and get me a four year old child, I can't make head or tail out of it." -- Groucho Marx

    10. Re:Predicting Government Response by Anonymous Coward · · Score: 2, Interesting

      Oh that's just illogical and silly. Obviously they needed to ban all safe crackers from the room, not merely Richard Feynman.

    11. Re:Predicting Government Response by Anonymous Coward · · Score: 0

      Why do you write "\n--\nBMO\n" in all your comments? There is already a by-line, but you could use the .sig field in your preferences, as well.

    12. Re:Predicting Government Response by bmo · · Score: 2

      I do it to piss you, personally, off. Specifically. Indeed, I've been doing it since 1986 to piss you off, even before I met you.

      --
      BMO

    13. Re:Predicting Government Response by Anonymous Coward · · Score: 0

      This code is so easy, a 5 year old child could understand it.
      Quick, someone find me a 5 year old child, I can't make heads or tails of this.

  3. How much more proof do we need? by AngryDeuce · · Score: 5, Insightful

    The weak point is always going to be the human being. Pile on as much security as you want and people are going to find ways to disable it and make themselves vulnerable. Thousands of jobs in the tech support industry depend on it.

    1. Re:How much more proof do we need? by fragfoo · · Score: 1

      You do realize you are asking for Skynet to be created, right?

      --
      Sig? Heil
    2. Re:How much more proof do we need? by Anonymous Coward · · Score: 0

      It's human beings all the way down. ;)

      There is not (yet) any computer security created by aliens. What you mean to say is the weak point is always going to be the user.

      Well if we've done our job right as techs, then that's how it should be. But I can't say we did the job right here if the system allowed a 3-character password. We botched the design and/or botched communicating to the user what to expect from this design. (No security at all.)

  4. The password? by Anonymous Coward · · Score: 0

    GOD

  5. Password? by Anonymous Coward · · Score: 1

    It was h2o wasn't it? Come on, you can tell! It'll be our little secret...

    LOL! Captcha: draught

  6. Comment removed by account_deleted · · Score: 1, Funny

    Comment removed based on user account deletion

  7. Effective passwords? by Anonymous Coward · · Score: 5, Funny

    Damn it Jim, I'm a water guy not a computer expert!

    1. Re:Effective passwords? by bill_mcgonigle · · Score: 4, Insightful

      Yeah, thar's yer problem. Just because these things are second nature to us, doesn't mean that non-experts are any good at making these decisions.

      I'd like to see the investigation focus on who approved putting a SCADA system directly on the Internet, why, and then see structural changes to ensure that that sort of person can't make those sorts of decisions anymore.

      Yeah, all SCADA systems should use ssh-quality authentication, but in the meantime we have millions of units deployed that need to be secured.

      Hey, maybe I should market the pfSense firewalls I sell as SCADA secure access controllers... :P

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Effective passwords? by WaffleMonster · · Score: 1

      Yeah, all SCADA systems should use ssh-quality authentication, but in the meantime we have millions of units deployed that need to be secured.

      I don't want brown turds floating in my water cause the "leap of faith" failed coupled with lack of crypto binding between session and user credentials.

      Hey, maybe I should market the pfSense firewalls I sell as SCADA secure access controllers... :P

      Maybe you shouldn't.

    3. Re:Effective passwords? by Anonymous Coward · · Score: 0

      Just because these things are second nature to us, doesn't mean that non-experts are any good at making these decisions.

      Except much of the blame also comes on the so-called "experts". In my company (and we do work in critical infrastructure) there are several admins who deliberately circumvent the password rules because they are fucking lazy and simply don't care about security. Our rules are not onerous, but these arrogant pricks decide that they're above the rules and leave their admin passwords unchanged for months on end, even a year or more.

      What's the answer to that?

    4. Re:Effective passwords? by aaarrrgggh · · Score: 1

      It's an improvement. Slight, but an improvement none the less. I personally prefer the SEL 3620 and similar devices for this type of task (ethernet gateway for up to 16 serial links).

      The biggest problem with most systems is that they need device-level passwords vs user-level passwords (and the default management passwords are almost always in place). If you at least set up a VPN with certificate-based authentication you have created a significant barrier to the network, without complicating response times for service technicians.

    5. Re:Effective passwords? by GameboyRMH · · Score: 1

      Use keyfiles w/ passwords & cryptknock, problem solved. It can all be made into one handy script that runs from a flash drive to make it easy for users.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    6. Re:Effective passwords? by Anonymous Coward · · Score: 0

      I worked for a 911 call center which had a SCADA system for sending information to fire / ambulance halls. I warned severely against it, but after I left, they put their whole system live to the internet. But no worries, they only did it for two weeks, then after it got hacked and pulled down, they were 'down' for two weeks, then they got it back up. They didn't put it on the 'net again. I left because I got tired of them not listening to any of my good advice. Smart people learn from other peoples mistakes. Stupid people learn from their own.

    7. Re:Effective passwords? by Patch86 · · Score: 1

      I would have assumed that a major water utility would have employed some IT specialists to run their IT systems (that is, "some of us"). I sincerely doubt that the SCADA system was installed and administered by a sewage treatment chemist.

      There really is no excuse for it; I very much hope the idiot in charge of their IT security is fired.

    8. Re:Effective passwords? by AB3A · · Score: 2

      Would you believe that the SCADA system that runs the water utility I work for has such a button on the screen? You would? Cool. I have this used bridge I'd like to sell you in New York City.

      You criticize people for not having an effective password and then promptly say something so ignorant that any plumber, civil engineer, or a fifth grader could tell you you're wrong. Ignorance happens. If you need proof, look in a mirror.

      Now as for the password, yes, it is foolish. There is more truth in the character of Homer Simpson than any of us would like to admit. However, the vast majority of passwords are easy to crack with a decent rainbow table. So in that perspective, the password itself isn't the issue.

      The real issue is why the HMI was accessible on the internet in the first place.

      --
      Nearly fifty percent of all graduates come from the bottom half of the class!
    9. Re:Effective passwords? by Anonymous Coward · · Score: 0

      Already being done: the Secure Crossing Zenwall series, which has DIN rail mountable and rack mountable versions available: http://www.securecrossing.com/

      Who said BSD was dead?

    10. Re:Effective passwords? by Locutus · · Score: 1

      the reason is that the mouse driver needed a connection to the internet to get updates. To think that there would have to be a server on an isolated LAN where tested and approved updates would reside is just silly talk and paranoia. And besides, everyone else does it this way. I've heard that one too.

      LoB

      --
      "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  8. How many... by nitehawk214 · · Score: 2

    How many children know how Simatic works?

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
    1. Re:How many... by Anonymous Coward · · Score: 0

      The ones that RTFM?

    2. Re:How many... by vlm · · Score: 1

      How many children know how Simatic works?

      Let's just say that management has had a focus for decades on taking a sewer plant worker off the streets and having them be "productive" within a couple days despite no previous computer experience.

      If you had to write JCL card decks for SCADA work, that would be fairly child proof, but it wouldn't be "user friendly" enough for anyone to buy it.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  9. Re:abc by Chris+Mattern · · Score: 5, Funny

    That's the same combination I have on my luggage!

  10. and why... by Lumpy · · Score: 5, Insightful

    Is a FRACKING SCADA system on the internet?

    The Plant manager needs to be fired on the spot. there is ZERO need to have a full connection from a SCADA system to any internet accessible networks.

    An airgap for data is standard operating procedure for these things. Hell even crap SCADA software like "wonderware" supports a unidirectional ethernet cable and UDP broadcasting of the data stream so that you can airgap it from the administrative computers doing data collection.

    Note: if you don't know what a "unidirectional ethernet cable" is, think standard Cat 5 with the TX wires clipped off on one end http://www.stearns.org/doc/one-way-ethernet-cable.html and YES they do work PC to PC with the right settings or by using a switch where you can force a port on without negotiation.

    No hacker on this planet can crack a system that is at the other end of this type of cable, unless he has physical access.

    --
    Do not look at laser with remaining good eye.
    1. Re:and why... by Anonymous Coward · · Score: 0

      Thanks for answering what a unidirectional ethernet cable is. I was about to ask until I saw your last paragraph :)

    2. Re:and why... by L4t3r4lu5 · · Score: 2, Funny

      Unicycle = One wheel bike
      Unique = One of
      United = Made into one

      Stop me if you see a pattern.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    3. Re:and why... by Dan+East · · Score: 0

      Note: if you don't know what a "unidirectional ethernet cable" is, think standard Cat 5 with the TX wires clipped off on one end http://www.stearns.org/doc/one-way-ethernet-cable.html and YES they do work PC to PC with the right settings or by using a switch where you can force a port on without negotiation.

      I don't see how TCP could possibly work over a unidirectional ethernet cable. Only UDP. And even then only if the higher level network code was designed to handle generic broadcast to an IP address without anything initiating the connection or any kind of handshaking, etc. My point being that virtually no software would work with such a cable unless it was specifically designed to handle that scenario.

      --
      Better known as 318230.
    4. Re:and why... by Crudely_Indecent · · Score: 4, Insightful

      Understanding what the term means is completely different from understanding how it is accomplished.

      I've been building and maintaining networks for over a decade and have never even considered a uni-directional connection before I read this today. Of course, the systems I'm familiar with are specifically for internet access, so bi-directional communication and firewalls had become my norm.

      Thanks for the education Lumpy!

      --
      "Lame" - Galaxar
    5. Re:and why... by Nidi62 · · Score: 4, Insightful

      Is a FRACKING SCADA system on the internet?

      The Plant manager needs to be fired on the spot. there is ZERO need to have a full connection from a SCADA system to any internet accessible networks.

      But how else is the plant manager or a supervisor going to get to read his favorite blogs and news sites, or see that email with the newest picture of a cute kitten doing something funny?

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    6. Re:and why... by Anonymous Coward · · Score: 0

      No one can hack it? Yeah right, until someone stuffs some firmware into the ethernet driver that reverses the RX and TX lines.

      It's even easier for "one-way" serial cables. No firmware required to reverse those.

    7. Re:and why... by rubycodez · · Score: 1

      sadly, what is common is for a so-called "isolated SCADA network" to be hooked to a card in a PC that is also on the LAN, and then the guy installs remote access software so he doesn't have to come into work if there is a problem at 3am....... or just cracking the PC into a router is all it takes to p0wn the works

    8. Re:and why... by RMingin · · Score: 0

      Thanks for not reading. From the post you are replying to:

      "and UDP broadcasting of the data stream"

      Nobody said TCP but you.

      --
      The preceding comment is my own, and in no way construes an opinion of the Emperor of Mankind.
    9. Re:and why... by canajin56 · · Score: 1

      Oh really, when he says that virtually all of the SCADA software is designed to handle blind UDP broadcast over that kind of cable, your counter is "TCP wouldn't work and the software would have to be specifically written to handle it"? Astonishing.

      --
      ASCII stupid question, get a stupid ANSI
    10. Re:and why... by vlm · · Score: 1

      I don't see how TCP could possibly work over a unidirectional ethernet cable. Only UDP. And even then only if the higher level network code was designed to handle generic broadcast to an IP address without anything initiating the connection or any kind of handshaking, etc. My point being that virtually no software would work with such a cable unless it was specifically designed to handle that scenario.

      syslog, in continuous use since the 80s. The advantage of being old is everything old is new again. I'm sure someone will reinvent syslog and sell it for millions to SCADA operators.

      And yes, having done this, you do have to hard code the ARP table entries in the sender on the local lan, hence the appeal of putting a router in front of the doctored up cable such that it's the only device that need be configured with the MAC address of the syslog sink machine.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    11. Re:and why... by Sesostris+III · · Score: 1

      and why Is a FRACKING SCADA system on the internet?

      Possible answer - to allow the support team (in India?) to remote in when there are out-of-hours problems.

      --
      You never know what is enough unless you know what is more than enough. - Blake
    12. Re:and why... by GameboyRMH · · Score: 3, Interesting

      No one can hack it? Yeah right, until someone stuffs some firmware into the ethernet driver that reverses the RX and TX lines.

      And they would install this firmware on the PLC how?

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    13. Re:and why... by L4t3r4lu5 · · Score: 1

      That's funny, because it's the second idea that came to my mind, and I don't work in networking specifically. The first idea was a diode, but that seemed like a lot of work for something done simply by not crimping one wire.

      I'm kind of glad, really. It would be very interesting to be in a meeting with someone as seasoned as yourself offering thousands of $currency's worth of new kit as the best solution, and for a "Lumpy" like me to say "Why not cut the Tx pair?".

      I guess formal education really can get in the way of learning.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    14. Re:and why... by Anonymous Coward · · Score: 0

      Get over yourself dude.

    15. Re:and why... by Anonymous Coward · · Score: 0

      Tell that to Kevin Mitnick and a cell phone.

    16. Re:and why... by Crudely_Indecent · · Score: 2, Informative

      I was referring to the person who had something constructive and informative to say.

      Simply cutting the TX pair won't do the trick, there are many more configurations necessary for the network to accept this type of connection. Negotiation is a process where two end points determine the capabilities of the other end and "negotiate" a connection. Without bi-directional communication, you must configure the transmitting end with static values, then inform the receiving end what those values are. Simply cutting wires won't work. The work involved takes more than a pair of side cutters.

      "Lumpy" isn't a nickname I gave to you, it is the name of the person who originally suggested the uni-directional cable method. I was not referring to you.

      --
      "Lame" - Galaxar
    17. Re:and why... by chill · · Score: 2

      Yeah, but this could have just as easily been one of those *Monster* unidirectional cables. You know, the ones with the arrows printed on them telling you which way the bits flow. These only have one arrow printed.

      --
      Learning HOW to think is more important than learning WHAT to think.
    18. Re:and why... by Anonymous Coward · · Score: 0

      Some SCADA systems are connected to the Corporate Network to acquire GIS Data from the systems.

      That being said, there should still be a firewall in place that prohibits access from anything BUT the GIS system back to the SCADA system from the Corporate Network.

      and as to the AirGap---that's why you have a second PC that is on the Corporate Network..

    19. Re:and why... by atisss · · Score: 1

      One day in water plant.
      New Operator - Internet is not working on this computer - let's call administrator..
      Oops, we don't have administrator - let's call my friend.
      Tech friend - Try replacing cable.
      Operator - umm, where do I get the cable?
      Tech friend - buy it in any computer shop for $2.
      Operator - ok

    20. Re:and why... by atisss · · Score: 1

      Install it on connected device and force SCADA system to flip MDIX on its network adapter, thus receiving data. repeat reinstalling firmware for two way half duplex communication :p

    21. Re:and why... by Anonymous Coward · · Score: 0

      Ok I told it to my cellphone... Siri had no answer.

      I emailed Kevin Mitnick and he agreed with lumpy and not you.

      His response was, "Only a no clue poser would think they can hack a system that can not receive packets. UDP broadcast is a... broadcast.. not a two way communication stream that can be hacked... Who thought it could be? Someone who learned hacking from Hollywood and 4chan?"

      So there is your answer.

      For grins I also emailed it to staff@2600.com as well. I am waiting for their response with bated breath. But from what I can tell the consensus from all the experts so far is that you know nothing at all about computers, let alone hacking. The entire world is collectively laughing and pointing at you... Even star-wars-kid takes pity on how you made a complete fool of yourself in this instance. He just texted me about it. I have not heard from hit-in-the-groin man yet.

    22. Re:and why... by GameboyRMH · · Score: 1

      Shit, good point 8-(

      http://www.transition.com/pshelp/cross.html

      Assuming that it can run commands when receiving traffic only, this could work...

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    23. Re:and why... by robot256 · · Score: 1

      You are assuming that the SCADA system has the hardware capability to swap TX and RX. It would be extremely easy for the hardware designers to leave that feature out by using an ethernet controller with it disabled via hardware config pins or completely absent. Plus I reckon that most of the systems already deployed use humble 10Mbps ports designed before autoswitching was even a standard.

    24. Re:and why... by X0563511 · · Score: 1

      Maybe I'm missing your meaning. But syslog works fine via UDP.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    25. Re:and why... by X0563511 · · Score: 1

      Let's not forget that this would instantly become obvious too, because the data flow would stop. Generally you've failed if they notice something happened.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    26. Re:and why... by jd · · Score: 1

      It depends on what GIS data is meant. Live sensor data is about the only geographically-related data likely to change and be needed by control systems. However, most of that data should be coming in off a non-public network. It should also be protected from corruption, with corrupt data logged but never sent to the SCADA system.

      Sensors have little interest in lolcats or e-mail, so providing direct access to the outside is stupid. Any access to any port on the system that is not to do with sensors ought to be funneled through an intermediate server that is, itself, only reachable via VPN. Sensor access should be isolated and be via a proxy.

      In either case, direct access is a no-no.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    27. Re:and why... by Anonymous Coward · · Score: 0

      and why... Is a FRACKING SCADA system on the internet?

      Your intellectual outrage truly proves your genius. Yeah, FRACKING SCADA! I mean, it's just so obvious. It's so obvious what that even MEANS.

      Damn, we all should be as smart as Lumpy.

    28. Re:and why... by CBravo · · Score: 1

      Like any service (i.e. preventing bad voodoo) you cannot guarantee service levels without monitoring. Service == monitoring. Nice story: A Dutch army base had a lot of anti-nuclear protesters around and they often came in. It turned out that they changed the lock at one of the (never used) break-away doors. Monitor the lock.

      --
      nosig today
    29. Re:and why... by Anonymous Coward · · Score: 0

      Also you are missing that many of these systems have dialup access, such as RTUs in power generation to speed up / slow down spin based on market demand. Been a couple years since I audited a fossil plant, I forget the exact name of the system.

    30. Re:and why... by AHuxley · · Score: 1

      For the US workforce it has so many good points.
      Remote experts can cover wide areas of the state at night. Local staff can be of a lower cost, ready to report, shut down or just open the front gates.
      No more local union experts with skills, security clearances and labour laws on their side.
      One well paid, skilled young person with a laptop has replaced 10s of on site 'lifer' technicians.

      --
      Domestic spying is now "Benign Information Gathering"
    31. Re:and why... by mug+funky · · Score: 1

      "No hacker on this planet can crack a system that is at the other end of this type of cable, unless he has physical access."

      physical access...

    32. Re:and why... by mug+funky · · Score: 1

      it wasn't a fracking SCADA. it was a water works SCADA.

      when fracking SCADA goes wrong, water catches fire.

    33. Re:and why... by Anonymous Coward · · Score: 0

      LOL and no one said UDP either!

    34. Re:and why... by strikethree · · Score: 1

      But how else is the plant manager or a supervisor going to get to read his favorite blogs and news sites, or see that email with the newest picture of a cute kitten doing something funny?

      By using the computer system sitting right next to the computer system (on an isolated network) monitoring the SCADA stuff? I am sure a water company can afford the extra thousand dollars that it could cost.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    35. Re:and why... by Lumpy · · Score: 1

      "One well paid, skilled young person with a laptop has replaced 10s of on site 'lifer' technicians."

      and that "skilled young person" is completely stupid and used a 3 digit password.

      Sounds like the whole idea falls over pretty hard.

      --
      Do not look at laser with remaining good eye.
    36. Re:and why... by vaporland · · Score: 1

      but how else is the plant manager or a supervisor going to get to read his favorite blogs ...

      Uhh, on his blackberry ?

      --
      Ask Me About... The 80's!
  11. Pretty sure it was better than that... by SuperKendall · · Score: 2

    H2O

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Pretty sure it was better than that... by reboot246 · · Score: 1

      I work in the utilities business and most of the people aren't the brightest.
      I bet it was probably 123.

    2. Re:Pretty sure it was better than that... by rubycodez · · Score: 1

      I've seen "wtr" used; my cousin had a part time job at a village water works. He didn't get to choose or change the passwords..... However, on the bright side that was only for monitoring; the pumps actually were so very old they had the old "knife throw switches". The wood panel with those was roped off lest someone touch the open metal and get zapped.

    3. Re:Pretty sure it was better than that... by Moryath · · Score: 1

      ...4...5.

      That's the kind of password an idiot would have on his town's water control system!

  12. How about passwords that don't have to changed 30 by Joe_Dragon · · Score: 4, Interesting

    How about passwords that don't have to be changed every 30 days and you can't use the last 4 passwords.

  13. Ooh, ooh! by Rik+Sweeney · · Score: 1

    I want to have a guess! It would probably have been something relevant to what they do, and then they'd have removed the vowels (cunning), so:

    wtr

  14. Password not the problem by brxndxn · · Score: 5, Interesting

    I'm in this line of work.. The password was not the problem. Even the hacker is thinking like 'corporate IT' would think in terms of security. The plant floor is different.

    Here's the rule: A computer that controls industrial machinery should not be connected to the Internet. The only part of an industrial process that can even possibly be connected to the Internet is historical data and alarming.

    HMI software is typically a set of screens representing the automation parts of a plant process. This means that in order to start/stop a motor or energize a valve, the screen is required. It is insecure to put a password on that screen. Yes.. insecure. The priorities at a plant are different. It is always the most secure to allow control of the plant to the people at the plant. There are physical E-stop buttons on control panels in case of emergency, but the E-stop is not the end all to prevent industrial disasters. For example, if a person has his hand caught in a valve, hitting the E-stop may cause the valve to move. Another example would be an exothermic process where explosive gases could accumulate in the wrong parts of the process, hitting the E-stop may not get rid of the gas. The operator at the plant is in charge of the process - it is critical that he or she always have control over the system.

    Therefore, don't connect your plant floor to the Internet.. unless you want China to be able to control it. If white-collar executive-type people want to see pretty screens, give them historical data.

    --
    --- We need more Ron Paul!
    1. Re:Password not the problem by Thud457 · · Score: 1

      what's wrong with using physical keys for this kind of situation -- proves you're there at the console, proves you've been entrusted with access (or took a wrench to somebody who had been entrusted with access).

      Everybody understands keys. And what happens if you lose them.

      --
      the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    2. Re:Password not the problem by vlm · · Score: 5, Informative

      It's just engineering malpractice, pure and simple. No different than trying to claim we don't need those OSHA required safety guards because no one would ever do something stupid or malicious in the plant.

      The other way to hook up to the internet, as described to me by a guy who works at a "real" chemical plant where dangerous stuff is done, is you use two separate systems both of which would have to be hacked to cause damage, plus non-SCADA automatic control.

      In this scenario, where they blew the water pump up by power cycling it, there are two series control relays supplying power to the VFD and if EITHER scada system decides there is a problem with the plant or the other SCADA, that scada cuts input power to the VFD until it's convinced it's OK. Most VFDs like a 0-10 volt DC input to control their output, and it's not all that difficult to hard wire a physical time delayed relay that says you need to output more than a volt for more than a minute to close the relay contacts connecting the VFD to the SCADA and start the pump, so the SCADA literally cannot physically turn the pump on and off more often than once per minute. You can also drive the time delayed relay off the other SCADA system, so one system decides to turn on the pump, while the other decides how fast to run the pump, and either can shut down the pump if they feel the need. Most VFDs can be configured to not allow operation outside certain limits, like drawing more than X amps where X is larger than normal but less than theoretical VFD limit, and not to turn on if a thermocouple says it's too hot or a pressure gauge somewhere has an open loop signal. Similar design such that NPSH and output pressure have to be within certain limits or again, the time delayed relays open circuit the AC input to the VFDs and/or the control input to the VFDs. Finally it's no heroic effort to wire up two safety bypass relays in series so that if you have control of both SCADA systems, and both independent scada systems agree, you can bypass the safety relays (and the enabling of this bypass also turns off a green light inside the safety director's office, resulting in management involvement, formal written reports and investigation, etc.)

      This is cheaper to install and operate than you think, because both suppliers know darn well they can be replaced individually with no real impact to plant operations, unlike the traditional "one ring to bind them all" scada design where the consultants and suppliers know they've got you over a barrel and can charge what they want.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    3. Re:Password not the problem by vlm · · Score: 4, Interesting

      And a guy I know at another plant described "adversarial SCADA" to me where two separate systems from two separate mfgrs and two separate consultants, one run by an "operator" and reporting up the operations management chain all the way to the board, and another run by "safety" and reporting up the safety management chain all the way up to the board.

      The operations guy and his SCADA system do whatever they want whenever they want, but if the safety guy and his SCADA detect an overspeed or an overtemp or underpressure then safety guy and his scada cuts power to the operations guy and his scada. Also operations guy can "get even" with safety guy because he has relays installed that can simulate sensor failure, and the safety guy has to respond within X minutes following whatever procedures, and the operations guy is presumably intelligent enough to only perform those tests when operationally convenient.

      Also although technically either the safety guy OR the operations guy can punch the "give up" buttons, because the safety guy does not answer to the bean counters, that means the dump tank and suppression buttons are for all intents and purposes exclusively operated by the safety guy... The operations guys have training issues in not bothering to even know how to operate the fire suppression valves, for example. Which is bad, because the centers are geographically separate, so if a tornado wiped out the safety center, or even just a failure or a hack event took it out, the ops guys might literally not know how to put out a fire at the plant, even though they are technically capable.

      This is a fail when weird plant conditions require jury rigging and close coordination, and also a financial failure because the independent supplier of the operations scada knows the plant shuts down if they try to change out, so he's free to charge as much as he pleases.

      Hack our safety scada yesterday? Who cares, ops will safe the plant. Hack our ops today? Who cares, safety will safe the plant. Hack both separate systems with separate designs and separate manufacturers tomorrow at the same time? Who cares, that has to be an inside job...

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
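      A software model of the series permissive relays and the time-delayed start relay described in the two posts above, added here as an illustration; it is not vlm's code or any plant's logic, and the thresholds, signal names and sample traces are constructed assumptions.

```python
"""Model of a dual-SCADA pump interlock: series permissives plus a time-delayed relay.

Constructed example. Thresholds (1 V, 60 s, 120 A, 90 C) are illustrative only.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PlantReading:
    """One sample of what the relays see; fields follow the signals named in the post."""
    t: float                      # seconds since start of trace
    control_volts: float          # 0-10 V speed command from the operations SCADA
    ops_ok: bool                  # operations SCADA has not declared a fault
    safety_ok: bool               # safety SCADA has not declared a fault
    amps: float = 0.0             # VFD output current
    temp_c: float = 20.0          # thermocouple reading
    thermocouple_open: bool = False  # open-loop sensor signal


@dataclass
class PumpInterlock:
    min_volts: float = 1.0        # "more than a volt"
    delay_s: float = 60.0         # "for more than a minute"
    max_amps: float = 120.0       # above normal draw, below the VFD's theoretical limit
    max_temp_c: float = 90.0
    _held_since: Optional[float] = field(default=None, init=False)
    running: bool = field(default=False, init=False)

    def step(self, r: PlantReading) -> bool:
        """Advance the relay logic by one sample; return whether the pump is powered."""
        # Series permissive relays: if EITHER SCADA, or a hard-wired limit, says no,
        # AC input to the VFD is cut regardless of what the other controller commands.
        hard_limit_hit = (r.amps > self.max_amps or r.temp_c > self.max_temp_c
                          or r.thermocouple_open)
        if not (r.ops_ok and r.safety_ok) or hard_limit_hit:
            self._held_since = None
            self.running = False
            return False
        # Time-delayed relay: the command must stay above min_volts for delay_s
        # before the contacts close, so a controller cannot cycle the pump faster
        # than once per delay_s no matter what it sends.
        if r.control_volts > self.min_volts:
            if self._held_since is None:
                self._held_since = r.t
            if r.t - self._held_since >= self.delay_s:
                self.running = True
        else:
            self._held_since = None
            self.running = False      # drop-out is immediate; only pick-up is delayed
        return self.running


def run_trace(readings: List[PlantReading]) -> List[Tuple[float, bool]]:
    """Feed a list of samples through a fresh interlock; return (t, pump_on) pairs."""
    interlock = PumpInterlock()
    return [(r.t, interlock.step(r)) for r in readings]


def rapid_cycling_trace() -> List[Tuple[float, bool]]:
    """Constructed trace: a controller toggling the command every 10 s for 5 minutes.
    The time-delayed relay never sees 60 s of sustained command, so the pump never starts."""
    readings = [
        PlantReading(t=t, control_volts=5.0 if (t // 10) % 2 == 0 else 0.0,
                     ops_ok=True, safety_ok=True)
        for t in range(0, 300, 5)
    ]
    return run_trace(readings)


def steady_start_trace() -> List[Tuple[float, bool]]:
    """Constructed trace: command held at 5 V for two minutes; the safety SCADA
    declares a fault at t=90 s and the series relay cuts power immediately."""
    readings = [
        PlantReading(t=t, control_volts=5.0, ops_ok=True, safety_ok=(t < 90))
        for t in range(0, 121, 5)
    ]
    return run_trace(readings)


if __name__ == "__main__":
    print("rapid cycling ever starts pump:", any(on for _, on in rapid_cycling_trace()))
    for t, on in steady_start_trace():
        print(f"t={t:>3}s pump_on={on}")
```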
    4. Re:Password not the problem by statusbar · · Score: 1

      Most likely no one DID connect a computer that controls industrial machinery to the internet.

      They probably connected a DIFFERENT computer on the same network to the internet.

      --
      ipv6 is my vpn
    5. Re:Password not the problem by tlhIngan · · Score: 1

      Here's the rule: A computer that controls industrial machinery should not be connected to the Internet. The only part of an industrial process that can even possibly be connected to the Internet is historical data and alarming.

      Therefore, don't connect your plant floor to the Internet.. unless you want China to be able to control it. If white-collar executive-type people want to see pretty screens, give them historical data.

      Tell that to Iran. I heard their nuke program was set back a few years, even though their nuke control systems WERE isolated from the Internet.

      It was a pretty brilliant hack as well.

      Tell that to the USAF, whose UAV control stations managed to get infected despite not being connected to the internet.

      No, isolating the networks is part of the solution. It's not the only solution and relying on that these days is like relying on security through obscurity. They both work, but they shouldn't be your ONLY source of protection. Hell, besides crap like USB keys and CDs introducing malware onto secure networks, there's also roving laptops (especially important when the systems need reconfiguring).

      The other big element is the human one. And time and time again, Dancing Pigs will win over security, always. Hell, Facebook shows the honor system virus is pretty damn virulent.

      Heck, it's only a matter of time before SCADA systems move back to highly proprietary interfaces. Perhaps even per-facility proprietary so the only way to update them would be to call the vendor in at $10,000/day/person to update the system. And they're all going to sell it as a security enhancement.

    6. Re:Password not the problem by brxndxn · · Score: 2

      Physical keys are used for the lockout/tagout procedure during maintenance cycles. But, there is usually no reason for physical keys at the operator terminal. Usually, you have to check in at a guard shack before you enter the plant. Then, often, you have a key card that swipes you into the area you are authorized to be. After that, further security starts to just get in the way of plant operations. Plants can typically trust the people that have physical access to the area.

      --
      --- We need more Ron Paul!
    7. Re:Password not the problem by brxndxn · · Score: 1

      We dealt with the USB key problem at a chemical plant. They got Conficker in one of the distributed systems my company installed. (Rockwell FactoryTalk) Even though our computers were configured with group policies to ignore thumb drives, other infected computers (different systems integrator) infected ours as well. We ended up sending group policies to the rest of the computers on the network and then removing the infection..

      Operators had been plugging their cell phones into the HMI computers to charge.. They got recognized (Windows default) as a removable disk.

      So, yes.. there is more than just keeping plant networks off the Internet.. Plants also need to keep skilled IT people around to maintain their control systems just like they keep instrument technicians and electricians. However, most plants I have seen are severely understaffed in the IT arena.

      --
      --- We need more Ron Paul!
    8. Re:Password not the problem by jd · · Score: 1

      I'd require a one-time password. The system issues a challenge, you use an OTP calculator to add the password to the challenge and you enter the response. Serves much the same purpose as a key, except a thief can't be sure of getting the right password. If you need something physical, then a tamper-proof card with a digital certificate is good.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    9. Re:Password not the problem by k6mfw · · Score: 1

      >Here's the rule: A computer that controls industrial machinery should not be connected to the Internet.

      I agree. I've not completely read the article and I have very little experience setting up networks, but I've read enough to know that if you simply connect something (can be any computer system) to "The Internet" you will get all kinds of surfing/phishing/probing crap. Most likely hackers were simple thieves or marketing types wanting to "find customers." It has been said, "stupidity before malice and ignorance before stupidity."

      --
      mfwright@batnet.com
    10. Re:Password not the problem by ThatsMyNick · · Score: 1

      the safety guy and his SCADA detect an overspeed or an overtemp or underpressure then safety guy and his scada cuts power to the operations guy and his scada

      Hack our safety scada yesterday? who cares, ops will safe the plant.

      But can't the safety scada override the ops scada, which means if safety scada is taken over, the hacker is pretty much in complete control?

    11. Re:Password not the problem by mug+funky · · Score: 2

      shit! fuck! my hand's stuck!

      hang on, lemme get my OTP calculator out.

  15. Wait... by evil_aaronm · · Score: 2

    Weren't we told that this did -not- happen? I distinctly recall seeing a denial from the authorities that any water system was compromised at any time.

    1. Re:Wait... by sjames · · Score: 1

      We can neither confirm or deny that we neither confirmed nor denied the alleged hack that you allegedly allege.

  16. The default password could have been stronger... by FBeans · · Score: 1

    I assume that a tech guy set up the system: "here your current password is 'Password1' Please change it, for security reasons...

  17. By contrast... by RogueWarrior65 · · Score: 4, Interesting

    Some government sites have these onerous password requirements, e.g. no fewer than 15 characters, no consecutive characters even if they are a different case, at least one numeric and at least one punctuation. It's not surprising that coming up with something you can remember that fulfills these requirements is a bitch. Oh, and you have to change it periodically. IMHO, this naturally leads to writing the damn thing down somewhere.

    1. Re:By contrast... by ILongForDarkness · · Score: 1

      A password difficult enough not to get cracked is a password difficult enough that it can't be remembered. Smart card and relatively simple password is probably better but that costs money (readers and cards but also lost time because "I left my card at home") whereas password complexity requirements are just a simple software configuration away.

    2. Re:By contrast... by Anonymous Coward · · Score: 1

      Your sentence
      "A password difficult enough not to get cracked is a password difficult enough that it can't be remembered."
      Used as a password is completely uncrackable yet memorable. Typing it correctly with no typos is a bitch though.

    3. Re:By contrast... by nschubach · · Score: 1

      Your password requires at least one numeric character and must be changed once every 30 days. You are not permitted to use the same password twice.

      Now, go back to some machine you were at 6 months ago and try to remember what password you used.

      --
      Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  18. WTF by Anonymous Coward · · Score: 0

    Why the hell is something of this importance accessible from the internet???

    1. Re:WTF by FBeans · · Score: 1

      For usability reasons. Remember Business Requirements are more important than technical ones. This way the security guard for the building could sit at his desk, with solitaire on screen and IE open with the web client in the other. Clearly they got caught napping!

    2. Re:WTF by jd · · Score: 1

      The security guard was smashing rocks together?

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  19. Epic Fail & no-win situation by Anonymous Coward · · Score: 5, Interesting

    Network admin for another city govt in Texas here... albeit a very much smaller city.

    1) First of all, it's absolutely nuts to place your water purification SCADA (or even your wastewater plant's SCADA) onto any network segment that's accessible from the public Internet, and we in the IT department know that all too well; however, we're not "in charge" of the SCADA systems and have essentially zero authority to do anything about it. Part of the problem here is that the folks who *are* in charge of these systems are thoroughly aware that we in IT know how to better secure their systems, but do not want us involved in any way because our security will "make things too hard for them to do their jobs".

    2) The folks who run the SCADA systems on a daily basis know only two things about systems security: 1) diddly and 2) squat. They are water process and industrial chemistry people, not computer people, and it shows big time.

    3) The vendors who supply and support the SCADA systems feverishly demand that the SCADA systems be easily accessible over the Internet for their convenience for remote support, and frankly do not give a rat's ass about the customers' security... their response is that security is not their problem it's ours.

    So, it's no wonder these systems are getting hacked and it's going to get worse as time progresses.

    1. Re:Epic Fail & no-win situation by vlm · · Score: 1

      3) The vendors who supply and support the SCADA systems feverishly demand that the SCADA systems be easily accessible over the Internet for their convenience for remote support, and frankly do not give a rat's ass about the customers' security... their response is that security is not their problem it's ours.

      Can't allow VPNs instead of wide open access? Even the place I'm at now has exclusively VPN access for "outside engineering suppliers".

      Historically, back when dial up support was the way to go, I worked at a place where IBM had remote access to "our" multiple mainframes only when an orange cable was draped across the desk of our security officer (this is before orange meant fiber, it was just orange "silver satin" 4 conductor modular phone wire).... Being a "mahogany row" level management position, this cable was only installed when absolutely necessary with the sec officer's personal involvement. The jack leading to the modem was inside a cheap walmart-ish safe, which could be bypassed if you wanted to get fired... I donno who could open the safe, but it had to be someone with access to the security officer's palatial office, not a peon like I was.

      This was at a company that was tangentially involved in about 1-5% of stock exchange transactions that happen in this county, depending how you do the numbers, at least way back then before high freq trading became cool. Should be a good enough solution for a small town water-pump.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:Epic Fail & no-win situation by Anonymous Coward · · Score: 1

      Can't allow VPNs instead of wide open access? Even the place I'm at now, has exclusively VPN access for "outside engineering suppliers"

      The vendor calls RDP remote desktop their "vpn". The best we can do is limit which IP addresses/netblocks are allowed to come in thru the firewall. The worst part of that is the vendor's techs often use ATT aircards so their ip addresses can come from almost anywhere.

    3. Re:Epic Fail & no-win situation by Anonymous Coward · · Score: 1

      If the vendor needs to access the SCADA over the 'net, then a guy at the plant can plug a network cable into the device after getting proper notification from the vendor that they need access - and unplug it the moment the support case is closed.

    4. Re:Epic Fail & no-win situation by Anonymous Coward · · Score: 0

      I also work in the water industry and yes, we too have 3 digit scada passwords (and 4 digit operator id numbers). But our scada system is not available on the internet!

      Any alarms the system picks up are sent via text to Motorola pagers. I often wish they'd just send me a text message on my smartphone instead, but put up with carrying the pager. We then call in and can clear the alert but must physically respond to either the office or to the facility in question to actually make any changes that will alter any processes or parameters. Would I rather be able to just do it on my smartphone? Sure. But for security purposes it makes much more sense for this to not be available. I do wish I could at least access the overall system data screen remotely so that when I do get an alarm I can see what's really going on right away instead of having to drive 20min first, but past management was way too paranoid to set the system up this way.

  20. Idiots by Anonymous Coward · · Score: 0

    ANYBODY who connects critical infrastructure control systems to the internet should be locked up for criminal incompetence..

    IT IS NOT NECESSARY.

    And, yes, I do know what I'm talking about.

  21. Was it GOD? by bigredradio · · Score: 1

    http://youtu.be/Xy0NU-rAlT8

    4:40

  22. Well that makes it OK, then! by xyourfacekillerx · · Score: 3, Interesting

    As usual, blame the owners and operators of the target, not the hacker. Because if I don't lock my front door, it's totally OK for you to come in and run up my utility bill and eat out of my fridge, help yourself to my stereo and tv while you're at it... and if I have a spare key under my hood that you find on my car, by all means, how could anyone be held accountable if they take it for a joy ride and/or steal it?

    1. Re:Well that makes it OK, then! by FBeans · · Score: 1

      If I see you bent over, I'm guna kick you up the ass. That's just how this world works. It's my fault, but you're at some fault for bending over so easily. Good and Bad in black and white forms doesn't exist; in reality there are a number of parties at blame for this.

    2. Re:Well that makes it OK, then! by Anonymous Coward · · Score: 0

      I'd say if your bank left all vault doors unlocked, turned off their security cameras and left their front door wide open, hell yes they are as much at fault as the robbers.

    3. Re:Well that makes it OK, then! by Runaway1956 · · Score: 1

      If you walk down the street, dropping hundred dollar bills from your pocket, are you going to demand that the kids running after you, and rescuing the bills be locked up?

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    4. Re:Well that makes it OK, then! by canajin56 · · Score: 1

      Yeah, if your car gets stolen and you say to your insurance company "Yeah I keep the keys in the ignition and never lock it, don't you fucking assholes blame the victim here, he had no right to steal my property!" you're not getting your claim approved. Just like if, say, a prison's doors aren't designed to be kick-proof, and a prisoner kicks one down and escapes, that's his fault, not the prison's! Don't blame the victim!

      --
      ASCII stupid question, get a stupid ANSI
    5. Re:Well that makes it OK, then! by Anonymous Coward · · Score: 0

      If you leave the door to a Nuclear Power Plant unlocked and unsecured, it is your fault (not that the terrorist is not still a terrorist).

    6. Re:Well that makes it OK, then! by sjames · · Score: 1

      There's plenty of blame to go around. Going to your analogies, if you don't lock your door and all your stuff gets stolen, the thieves are still to blame and if caught will go to jail, BUT your insurance may decide not to pay since you were negligent as well. This is encompassed in the legal term "reasonable care".

    7. Re:Well that makes it OK, then! by DutchUncle · · Score: 1

      No question the bad guy is the bad guy. But also no question that the good guys are supposed to take reasonable precautions against ignorance or stupidity. If the system was open to a real bad guy, then it was equally open to a script kiddie who hit that IP address by accident. That's more like leaving your car running with the doors open while it's parked on the street in midtown.

    8. Re:Well that makes it OK, then! by T+Murphy · · Score: 1

      If you decide not to lock your door, that puts you at risk and it's your choice. If some government bureaucrat ignores basic security for a water management system, he is deciding the citizens using that equipment take on risk, and everyone paying taxes for that system take on risk should they have to pay for repairs/replacement. Sure, the one breaking in takes blame too, but that doesn't absolve idiots in power from being deservedly called out for being idiots.

  23. easy as 123 by Joe_Dragon · · Score: 2

    easy as 123 it's so easy to hack the water system.

    1. Re:easy as 123 by GameboyRMH · · Score: 4, Funny

      ABC, 123, PLC baby, you and me girl!

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  24. 3 characters can be enough by Anonymous Coward · · Score: 1

    It is possible to design a system that uses 3 character passwords that would still be relatively secure. 3 characters using 0-9A-Za-z and special characters would still yield 20 bits worth of entropy. If this is joined with a very low max-tries tied to the attempted username and enforced across all systems using this login, this is pretty tight. If your chances are 3/2^20 before the account permanently locks, odds are it won't be broken. Remember ATM passwords are typically 4-6 digit numeric. This low entropy (13, 20 bit) is mitigated by eating your card if you screw up your password more than a few times.

    I'm not condoning the use of pathetically short passwords here. I'm just highlighting the importance of other password related security measures that need to always be taken into account. I've broken into a major academic portal system (yes authorized) used by multiple large institutions before because of shitty implementations.

    1. Re:3 characters can be enough by MadKeithV · · Score: 3, Interesting

      I'm no security expert, but humor me and point out the flaws in my logic below.

      Disabling access after X tries might be enough where the token to uniquely identify access is relatively well-defined, like say your ATM card, and disabling access for that user doesn't de-facto terminate the system (i.e. other ATM users can still use the machine with their credentials after it eats your card).
      For admin-access to such systems over the internet it's dangerous to disable the admin account after X tries, because then you lose remote administration functionality of a potentially critical system. "Ah, but you can reset with physical access" you will say - yes, true, but this is a critical system they put *on the internet* in the first place, for better or worse, probably because physical access to that system is pretty difficult for the poor sod designated the "administrator" (disused lavatory, beware of leopard, etc.). Who knows how long the system will be offline for administration until the first opportunity for physical access.
      The disabling of (admin) access after X tries also effectively creates a DOS attack against that system. I don't know the login procedure of this particular type of system, but assuming it's username/password, you could DOS the system by spamming all kinds of *usernames* with X repetitions of the wrong password to disable them. Preventing the DOS attack would require hard-to-brute-force usernames - the username becomes the secret, not the password.
      It's probably also possible to spoof session identifiers for a hacker to evade repetition detection.
      I think the SCADA system can only lose in this kind of scenario, unless they have a password that is very hard to crack within its valid timespan. Or until they finally figure out that putting critical systems online with weak passwords or account disabling is probably not such a good idea.

    2. Re:3 characters can be enough by camperdave · · Score: 1

      Yes, it can be made relatively secure, for example by only accepting three-character passwords from machines within the plant's control room, or by having a lock-switch and key along with the password.

      --
      When our name is on the back of your car, we're behind you all the way!
  25. DHS Response by TheRedSeven · · Score: 5, Insightful
    I first found this incident via Bruce Schneier & Wired.

    The most telling thing, for me, was this section of the linked article:

    “DHS and the FBI are gathering facts surrounding the report of a water pump failure in Springfield, Illinois,” according to a statement released by DHS spokesman Peter Boogaard. “At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

    So...in the instance of a single shoe bomber, stopped by his own stupidity and the efforts of other airline passengers, TSA (a section of DHS) responds by calling it a systemic risk to air travel, and we must all take off our shoes. In the instance of a plot to use liquid explosives, which probably wouldn't have worked and was stopped in the planning stages, TSA responds by calling it a systemic risk and we must all limit ourselves to 3oz bottles of liquids that fit in a quart size bag. In the instance of a single underwear bomber, stopped by his own stupidity, TSA responds by calling it a systemic risk to air travel, and we must all be subject to X-ray/millimeter wave scanners and/or the big Grope.

    In the instance of SCADA hacking, which could conceivably harm our infrastructure on a significant and systemic level from afar, with little/no risk of the perpetrators being caught, DHS responds by saying, "No big deal."

    There's something very...wrong here.

    1. Re:DHS Response by FBeans · · Score: 1

      I hate airports: "Those are my shoes..."

    2. Re:DHS Response by Anonymous Coward · · Score: 0

      Why do people always claim that the liquid bomb probably wouldn't work?
      It has in fact been successfully used in an airplane attack. And someone actually died as a result. That was simply a test run too.

    3. Re:DHS Response by Jeng · · Score: 1

      It has in fact been successfully used in an airplane attack. And someone actually died as a result.

      Mind linking some proof of that?

      I've done some googling for that and the closest I can come is 4 failed bombings on buses in the UK where one person died of an asthma attack.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    4. Re:DHS Response by Anonymous Coward · · Score: 0

      Actually, Napolitano is on record for the underwear bomber (or shoe, can't remember) as saying "this is proof the system worked"

    5. Re:DHS Response by Anonymous Coward · · Score: 1

      http://en.wikipedia.org/wiki/Bojinka_plot#Test_bombs:_mall.2C_theater.2C_747_airliner

      A lot of people seem to think those bombs are not possible. That must be a great comfort to: Haruki Ikegami who was killed by one.

      That was just a small scale test also, and it did quite a bit of damage to the airliner.

    6. Re:DHS Response by chrb · · Score: 1

      I don't know what attacks the other poster was referring to, but the UK courts established that the liquid bomb plot would probably have worked, based on evidence from explosives experts, including testimony and video of experimental explosions.

      Here's a pretty convincing video. Note the bomb is liquid held in one 500ml soft drinks container, which could be carried through most airport security checks. To make the point that 100ml was just as unsafe, the liquid for this particular bomb was actually combined from several individual 100ml containers as would be allowed through airport security at the time (more details here). Also note that no special measures or precautions were needed to mix the precursor liquids into the final solution, you can see him just pouring the liquids together into the larger bottle in the video, thus establishing that this could easily be done in a departure lounge toilet after security checks. Dr. Sidney Alford (the man who built that particular bomb) is a recognised improvised explosives expert who has carried out work for various Defense departments and governments around the world, including anti-IED work in Iraq and Afghanistan.

    7. Re:DHS Response by Jeng · · Score: 1

      Per that Wikipedia article they used nitroglycerin which is not what the binary liquid explosives would produce.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    8. Re:DHS Response by gknoy · · Score: 1

      To elaborate, TSA is afraid that people could bring separated liquid components of a binary explosive, mix them together in flight, and end up with an explosive. Mixing TATP on an airplane would be very challenging, and likely to arouse suspicion before it could actually explode:

      http://www.theregister.co.uk/2006/08/17/flying_toilet_terror_labs/

    9. Re:DHS Response by TheRedSeven · · Score: 1

      OK. I was unaware of that. From what I remembered, the whole binary liquid bomb had been debunked as 'difficult to mix ahead of time because it's unstable; impossible to mix on the plane because of the long times involved and the specific conditions needed to avoid premature detonation (which would not be explosive enough), and very hard to detonate without attracting a whole lot of attention.'

      Apparently that notion was wrong.

      Nonetheless, I stand by the rest of my statement. DHS/TSA responds to awkward attempts at terrorism with far-reaching overreaction, while honest-to-goodness systemic threats are treated as non-issues. This is a problem.

    10. Re:DHS Response by misexistentialist · · Score: 1

      The Yemeni cargo mail bombs were one of the best efforts. AFAIK DHS hasn't implemented plausible measures to prevent future bombings. Guess cargo holds and water systems are too behind-the-scenes to make for good security theater.

    11. Re:DHS Response by Slayer · · Score: 1

      Also remember that nitroglycerin would be detectable quite easily with regular explosive detectors (highly oxidized nitrogen compound), so just because of this incident there would still be no reason to continue confiscating water bottles.

    12. Re:DHS Response by TubeSteak · · Score: 1

      So...in the instance of a single shoe bomber, stopped by his own stupidity and the efforts of other airline passengers, TSA (a section of DHS) responds by calling it a systemic risk to air travel, and we must all take off our shoes. [...]

      In the instance of SCADA hacking, which could conceivably harm our infrastructure on a significant and systemic level from afar, with little/no risk of the perpetrators being caught, DHS responds by saying, "No big deal."

      In your airport examples, the cost is borne by the tax payers.
      In the SCADA example, the cost is borne by private industry.

      As I see it, there's one of two reasons this isn't being hyped:
      1. There is no fix. No one makes a 'secure' SCADA system that can replace existing control infrastructures.
      2. The threat is being downplayed because companies are successfully lobbying behind the scenes to avoid replacing/securing their control systems ($$$$).

      --
      [Fuck Beta]
      o0t!
    13. Re:DHS Response by mug+funky · · Score: 1

      "That must be a great comfort to: Haruki Ikegami who was killed by one."

      what kind of talk is that?

      the guy's dead. he's not going to give a shit. about anything. ever again.

  26. some PHB who does not want to pay for on site staf by Joe_Dragon · · Score: 2

    some PHB who does not want to pay for on site staff says make it so the work can be done remotely.

  27. Child knows by jones_supa · · Score: 5, Funny

    'A child who knows how the HMI that comes with Simatic works could have accomplished this,' he wrote in an e-mail.

    And a child knows too that you shouldn't break into other people's property...

    1. Re:Child knows by Anonymous Coward · · Score: 0

      How would a child know that....

      By watching the police? How about corporations? Politicians? Tv? News? Priests? lol.

      Who exactly are these paragons of virtue they would learn this from? I can't think of any left these days.

    2. Re:Child knows by brantondaveperson · · Score: 1

      From their parents.

  28. Re:How about passwords that don't have to charged by Dare+nMc · · Score: 5, Informative

    That is annoying, forcing me to change my password at the end of the month from H@cker1 to H@cker2 to H@cker3, and H@cker4 before I can go back to the password I like, but the IT work preventers at my work are really good, so when I am working on the road for 2 weeks, they make sure I can't change my login password without being on the intra-net, and once I am 2 days past the expiry date, they prevent me from launching VPN, joining web meetings... So then I have to use gmail to email a co-worker my passwords so he can change them for me on a connected laptop first. Lots of fun.

  29. Hackers? by JadeAuto · · Score: 1

    The most common passwords are god, love, sex, and password. Doesn't surprise me. Why was god on the mainframe this late at night, anyhow? Zero cool would have done better.

  30. Most of those links are gone... by Anonymous Coward · · Score: 0

    More than half of the URLs referenced by the webpage you posted regarding unidirectional ethernet cables do not load. I've never heard of anyone selling these, and it's obvious that knowledge of it is sparse and vanishing. Maybe this is why the fellas setting up the SCADA systems never thought of it? Also, keep in mind the reason these systems are hooked up to the internet is that the managers are lazy and don't want to have to go to each location, so they set these systems up for remote access. Lazy people aren't going to bother with a sophisticated solution like this, it requires too much effort. Seems like there should be a company that sells them easy to use cables, ready-made. Even then, they probably won't use them because it takes less effort not to address the problem at all and just hope nothing ever happens. Hope is cheap.

    1. Re:Most of those links are gone... by Anonymous Coward · · Score: 0

      Sell?

      Sorry, are you incapable of "making" things?

    2. Re:Most of those links are gone... by mug+funky · · Score: 1

      of course the pages didn't load! that's because of the unidirectional ethernet cables!

  31. The real problem by Anonymous Coward · · Score: 0

    The password, the isolation, the technobabble is not the problem. Bad people are the problem. Start hunting down and exterminating bad people. If the prize for hacking into a water plant is 15 minutes of fame followed by an early grave we'll see the population of scumhackers nosedive.

    1. Re:The real problem by Gaygirlie · · Score: 1

      Bad people are the problem. Start hunting down and exterminating bad people. If the prize for hacking into a water plant is 15 minutes of fame followed by an early grave we'll see the population of scumhackers nosedive.

      Wow, you must be horribly short-sighted and ignorant. First of all, there is no universal definition of "bad" when talking about people. Different cultures, religions and even different kinds of families can have very different views on what it means to be "bad", and as such what would you do if someone just went to your mother's house, shot her, and said that she was deemed "bad" and that's why she was put down. And then the person who shot her was free to go. Would you then feel it was such a great idea?

      If you want an example that is not just a theoretical one, well, think of the Crusades: non-Christian people were deemed "bad", and they were killed in MILLIONS. And why? Because the Christian church decided that one definition of "bad" is that a person is a pagan.

      It is a terribly slippery slope you're aiming for, I'd choose some much safer slope myself.

  32. Re:How about passwords that don't have to charged by Anonymous Coward · · Score: 1

    A password is either compromised or it is not. Age doesn't have anything to do with it.

  33. Huh by squidflakes · · Score: 1

    I wonder if this is why my water pressure has been crap the last couple of days.

  34. Re:How about passwords that don't have to charged by WarlockD · · Score: 1

    Before I left Unisys, I think mine got from 01 to 18. For some reason I was excited about reaching the big 2-0.:P

  35. aggie? by Anonymous Coward · · Score: 0

    I would say the odds were pretty good they made the mistake of hiring an aggie.

  36. not uncommon by ILongForDarkness · · Score: 2

    Things that need external service technicians often have very simple passwords. For example I work in health care and I know of at least two major companies whose components have the same login for every site for administrator access. You probably as a customer could insist on changing it but the vast majority of sites don't. So need to give someone some radiation? You know the password. That said it isn't going to affect a whole community but the 30-100 patients that get treated before the problem is detected? Very doable. Similarly wifi routers from ISPs almost always have a default password; most people I know change the WPA key but don't touch the admin account password. So anyone allowed into the network (or who can plug a network cable into the back of the box for a couple minutes) can take it over pretty easily. Not a real big deal I realize because if they change the password to login (since they don't know yours presumably that is what they would do to get internet access) you'd realize it isn't working and work to set it back. But if you are running a wired network primarily but it is a wifi device could be an issue.

  37. Re:abc by antdude · · Score: 1

    And "123" (without quotation marks) is my password.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  38. Re:How about passwords that don't have to charged by ILongForDarkness · · Score: 3, Interesting
    I think the goal is that even if it is compromised but they haven't realized it yet at least it will only be at most X days before it is changed again. Changing the password frequently removes some of the risk/incentive to hack it in that you as the hacker would have to know what you want and it would have to already exist. It also makes the hacking problem harder since you have to be able to cycle through the key combinations in X days not in an infinite number of days, so after the password reset you don't know if something you already tried is now the password or not, you pretty much have to start all over again. Once you've cracked the password you can't just camp out and see every engineering drawing that the company is working on forever. I realize in most cases this doesn't matter the hacker will be more than happy to grab the easy stuff first and see what is useful or use the password to delete/otherwise disrupt things. But an enemy camping on a whole collection of passwords and bringing whole systems down.

    At a larger scale: say you're China and you are hacking power plant passwords to be able to shut them off (not blow them up). If the passwords are cycled frequently you likely will always have some passwords you've cracked and some you haven't, but the chances that you'll get a sufficient subset of the passwords cracked so you could completely bring the power grid down in a geographical area are remote.

  39. Not only is the water system accessible... by Anonymous Coward · · Score: 1

    So is the electrical grid. (Or at least some of the big windmills from Endurance Wind Power.)

  40. Re:How about passwords that don't have to charged by nschubach · · Score: 1

    At my previous employer we started using the month at the end of our passwords so IT implemented a 24 password history... I just moved to 'yydd'.

    --
    Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  41. I hate passphrases by roguegramma · · Score: 1

    I hate passphrases because I once used one for PGP and then forgot which verbs were in the past tense and which weren't. I guess I could have hacked my passphrase easily, but I didn't really need it, so I gave up.

    --
    Hey don't blame me, IANAB
  42. Yet it will cost billions by Anonymous Coward · · Score: 0

    Security theatre:

    This is a demonstration of how vulnerable crucial infrastructure is, and it will be used to justify the already bloated budget for "homeland security" and "cyberwarfare". Budgets will be increased by billions more to address this imminent threat.

    Reality:

    A bunch of incompetent idiots were too lazy to come up with a decent password or to isolate a critical system from the internet because they haven't been paying attention to the last 2 decades of security-related research and money spent to implement it. There's no sign this kind of incompetence will be cured by spending more money.

  43. Re:How about passwords that don't have to charged by Anonymous Coward · · Score: 0

    My employer does this, so every 30 days I go through the following routine:

    8:00 AM - Change password to PASSWORD2
    8:01 AM - Change password to PASSWORD3
    8:02 AM - Change password to PASSWORD4
    8:03 AM - Change password to PASSWORD5
    8:04 AM - Change password back to PASSWORD

    Sit back for another 30 days.

  44. That's less of a worry by jd · · Score: 1

    What IS a worry to me is that this is the SECOND SCADA system hacked in about as many days, despite Homeland Insecurity insisting the first case was a one-off.

    Worry 1: We now know that there are many such systems connected to the Internet without even basic security. There's plenty of reprogrammable zombie networks and plenty of people with zero conscience, although the good news is that most of the latter are in politics and so safely isolated from reality.

    Worry 2: At best, it means that those entrusted with national cybersecurity are clueless about people. At worst, it means that those entrusted with national cybersecurity are clueless about computers as well.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  45. Please please please don't say... by Anonymous Coward · · Score: 0

    the password was god, that'd be so corny since I heard it was a common password from the film Hackers

  46. Two scenarios. by wganz · · Score: 1

    First scenario. A group of disaffected youth break into a business with a crowbar. They steal the cash box and trade the list of credit card receipts to the local dope dealer for a couple of lids. They trash the inventory and take what they want. The local police later arrest the group trying to fence the stolen goods at a local pawn shop. They go to court and their defense is that it was the shop owner's fault that he didn't have an infantry squad guarding his store. They are sentenced to 1-3 years in the penitentiary and the community is glad that the group of thugs are off the street.

    Second scenario. A group of disaffected youth gain entrance into the computer system of a business with a script. They take the database table of credit card users and sell it online to the Russian mafia then go buy a couple of lids. They truncate the database's table of customers and have the online system ship electronic goodies to their Mom's basement. They go online and claim that it is the business owner's fault that he didn't have the latest and greatest security system. The Slashdot crowd acclaim their skillz and anxiously await their next exploit.

    1. Re:Two scenarios. by orphiuchus · · Score: 1

      It's that same old immature hacker mentality. All of the worst things about the internet and my generation rolled into one.

      "If I can get away with it, then you deserve it!"

  47. Re:some PHB who does not want to pay for on site s by Anonymous Coward · · Score: 0

    More like some PHB who has to field calls on weekends/holidays w/o overtime pay and would like to do it remotely.

  48. A password that was just three characters long... by Zemplar · · Score: 1

    ...used a password that was just three characters long.

    Amazing, "1 - 2 - 3? That's amazing! I've got the same combination on my luggage!"

  49. fingerprints by Anonymous Coward · · Score: 0

    We need more fingerprint hardware instead of passwords.

    After seeing my kid's cellphone with a fingerprint reader I've come to realize that they should be everywhere so that we don't have to remember sets of pin numbers to check out groceries, etc.

    Well not everywhere but in places which are generally public so that there is little chance of hanky panky (stealing prints, etc.)

  50. That's Amazing! by Anonymous Coward · · Score: 0

    Maybe using the same password that is used on your luggage was not such a great idea. Well at least it didn't control the air shield. :D

  51. get rid of empty suites by Anonymous Coward · · Score: 0

    Secure network management of remote systems, including SCADAs, has been known for decades. To have a system disconnected from a remote network management station is not an option from a business operating point of view, unless wanting to stay in the stone age.

    Promoting personnel on the basis of less competency, so as not to endanger own management position, is the core problem. In a short while all management are douchebags. Promoting at random, such as throwing dice would help.

  52. Weak passwords should be a criminal offence. by Anonymous Coward · · Score: 0

    They should honestly make weak passwords a criminal offence on national infrastructure.

    1. Re:Weak passwords should be a criminal offence. by wye43 · · Score: 1

      That is shortsighted. There are tons of situations where short passwords are not only OK, but they are a necessity. And a strong password does not always equal more security.

  53. They Missed This One by tmjva · · Score: 1

    How about "OPE" = "Our Pure Essence" from Dr. Strangelove?

    #1 The attack came from the former Warsaw Pact and

    #2 Obviously, the Communist conspiracy is out to contaminate our "Precious Bodily Fluids"!

    --
    Tracy Johnson
    Old fashioned text games hosted below:
    http://empire.openmpe.com/
    BT
  54. Re:How about passwords that don't have to charged by Anonymous Coward · · Score: 0

    We in IT understand that you are not interested in the security of your laptop and being able to sign in with the easiest password possible. You have things to do. We really do understand that. You however, need to understand that the data on that machine is not yours. It is the company's data. The company does not want to see their data compromised, damaged or pilfered in any way. The "IT work preventers" as you call them are tasked with the company's best interests, not yours. Having to remember to change your password every thirty days is not that bad. It is not your IT department's fault that you are more concerned with password change time frames, than you are with your job. That constitutes pure laziness and arrogance on your part. You are also the type of user that visits questionable websites and allows family and friends to use your work machine, gets some kind of virus or malware and then tells IT that you have "...no idea how that stuff got on there..." We all know your type.

  55. Re:How about passwords that don't have to charged by Anonymous Coward · · Score: 0

    Winter or Spring?

  56. Lock your front door by cuba_pete · · Score: 1

    Instead of concentrating on the cost-prohibitive approach of trying to secure from the SCADA standpoint, more interest should be put into analyzing why these systems are accessible over the internet. Does each system really need to be accessed externally? If you put effective firewalls, password management, quotas and access controls on the web portal you won't have to worry about all of the internal workings. If you lock the front door to your home, there is no need to lock every interior door. Systems such as these shouldn't be easier to hack than a Facebook page.

  57. Re:abc by Anonymous Coward · · Score: 0

    I've got the same combination on my luggage!
    In Soviet Russia password cracks you!
    xkcd reference
    It's less than one Library of Congress
    Have I missed any you insensitive clod?

  58. Re:abc by Anonymous Coward · · Score: 0

    ah crap! i forgot:
    Your ideas intrigue me and I wish to subscribe to your newsletter.

  59. password strength by volmtech · · Score: 1

    After three wrong tries my bank locks me out. How difficult is this system to implement? You could also time password tries. 1000 times in one second might be a clue that a computer is trying to hack the account. Either that or someone can really type fast but has a very poor memory.
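The lockout trade-off argued in comments 24 (three-character entropy and the "3/2^20 before the account locks" odds), its reply about lockout turning into a DoS against the admin account and username spraying, and comment 59 (counting tries per unit time), as an added example that is not code from the thread or from any SCADA vendor: a throttle that slows repeated failures with a self-expiring exponential backoff and a per-source failure budget instead of a permanent lock. The credential store, account names, IP addresses and timing parameters are constructed for the example.

```python
"""Login throttling vs. a hard lockout (constructed example, not code from the thread)."""
import math
import secrets

# Constructed sample credential store; a real system keeps salted hashes, not plaintext.
CREDENTIALS = {"admin": "constructed-correct-password"}


def password_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: `length` symbols drawn from `charset_size`."""
    return length * math.log2(charset_size)


def p_guessed(bits: float, guesses: int) -> float:
    """Chance that `guesses` random tries hit a password of `bits` entropy (the 3/2^20 figure)."""
    return min(1.0, guesses / 2 ** bits)


class Throttle:
    """Per-account exponential backoff that expires on its own, plus a per-source budget.

    Unlike 'lock after X tries', the legitimate admin is never shut out for longer
    than max_delay, so an attacker cannot turn the lockout rule into a permanent DoS.
    """

    def __init__(self, base_delay=1.0, max_delay=300.0, window=60.0, per_source_limit=20):
        self.base_delay = base_delay              # seconds of backoff after the first failure
        self.max_delay = max_delay                # cap on the backoff
        self.window = window                      # sliding window for the per-source budget
        self.per_source_limit = per_source_limit  # failures one source may make per window
        self._account = {}                        # user -> (failure count, earliest next try)
        self._source = {}                         # source -> timestamps of recent failures

    def check(self, user: str, source: str, now: float) -> str:
        """Return 'allow', 'backoff' (account cooling down) or 'source_limited'."""
        _, not_before = self._account.get(user, (0, 0.0))
        if now < not_before:
            return "backoff"
        recent = [t for t in self._source.get(source, []) if now - t < self.window]
        self._source[source] = recent
        if len(recent) >= self.per_source_limit:
            return "source_limited"
        return "allow"

    def attempt(self, user: str, password: str, source: str, now: float) -> str:
        """Throttle check first, then a constant-time credential compare."""
        verdict = self.check(user, source, now)
        if verdict != "allow":
            return verdict
        expected = CREDENTIALS.get(user, "")
        if expected and secrets.compare_digest(expected, password):
            self._account.pop(user, None)         # success clears the backoff
            return "success"
        fails, _ = self._account.get(user, (0, 0.0))
        fails += 1
        delay = min(self.base_delay * 2 ** min(fails - 1, 30), self.max_delay)
        self._account[user] = (fails, now + delay)
        self._source.setdefault(source, []).append(now)
        return "failure"


def simulate_flood_then_admin(duration: int = 3600) -> dict:
    """Attacker guesses 'admin' once a second for `duration` s, then the real admin logs in.

    Reports how many guesses reached the credential check, how long the admin waited
    (bounded by max_delay, never permanent) and the attacker's odds against a 3-char,
    94-symbol password at that rate.
    """
    th = Throttle()
    let_through = 0
    for now in range(duration):
        if th.attempt("admin", f"guess{now}", "203.0.113.5", now) == "failure":
            let_through += 1
    waited = 0
    while th.attempt("admin", CREDENTIALS["admin"], "198.51.100.7", duration + waited) != "success":
        waited += 1
    return {"attacker_guesses": let_through, "admin_wait_s": waited,
            "p_attacker_success": p_guessed(password_bits(94, 3), let_through)}


def simulate_username_spray(n_users: int = 100) -> int:
    """One source sprays a wrong password at many usernames inside one window.

    Per-account backoff cannot help here (each account fails only once); the
    per-source budget is what caps it. Returns how many guesses got through.
    The limit is per source, so an attacker with many addresses spreads the spray.
    """
    th = Throttle()
    return sum(th.attempt(f"user{i}", "wrong", "203.0.113.5", 0.5 * i) == "failure"
               for i in range(n_users))
```

With the default parameters an hour-long flood against "admin" gets only 20 guesses through, and the real admin then waits 211 s rather than being locked out until someone visits the site.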