Slashdot Mirror


Hackers Modify Water Treatment Parameters By Accident (softpedia.com)

An anonymous reader writes: Verizon's RISK security team has revealed details on a data breach they investigated where some hackers (previously tied to hacktivism campaigns) breached a payments application from an unnamed water treatment and supply company [PDF, page 38], and also escalated their access to reach SCADA equipment responsible for the water treatment process. The hackers modified water treatment chemical levels four different times. The cause of this intrusion seems to be bad network design, since all equipment was interconnected in a star network design, and the payments app contained an INI file with the administrative password for the central router, from which the hackers reached the water treatment SCADA equipment. Of course, the hackers had no clue what they were modifying. Nobody got poisoned or sick in the end.
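The root cause described above is a plaintext router password sitting in an INI file. The script below is an added example, not code from the Verizon report or from the affected utility: it parses INI-style configuration with the standard library, flags any credential-looking key whose value is a literal rather than a placeholder or an environment reference, and shows how an application can resolve such a reference at runtime instead of shipping the secret in the file. The key-name patterns, the `${ENV:NAME}` reference convention and the sample configuration are assumptions chosen for illustration.

```python
"""Find plaintext credentials in INI configuration and resolve references instead.

Added example. The key-name patterns, the ${ENV:NAME} convention and the
sample config below are assumptions for illustration, not taken from the
incident report.
"""
import configparser
import os
import re
from typing import List, Mapping, Optional, Tuple

# Key names that usually carry a credential (assumption: tune for your configs).
SECRET_KEY_RE = re.compile(
    r"(pass(word|wd|phrase)?|secret|token|api[_-]?key|private[_-]?key)", re.I
)
# A value of the form ${ENV:NAME} is a reference to the environment, not a secret.
REFERENCE_RE = re.compile(r"^\$\{ENV:([A-Z_][A-Z0-9_]*)\}$")
# Values that are obviously not real credentials.
PLACEHOLDERS = {"", "changeme", "<redacted>", "xxx", "***"}

# Constructed sample config: one literal router password, one env reference,
# one placeholder.  Only the first should be reported.
SAMPLE_CONFIG = """
[router]
host = 10.0.0.1
admin_user = admin
admin_password = hunter2

[payments]
db_user = payapp
db_password = ${ENV:PAYAPP_DB_PASSWORD}
api_key = changeme
"""


def find_plaintext_secrets(ini_text: str) -> List[Tuple[str, str]]:
    """Return (section, key) pairs whose value looks like a literal credential."""
    parser = configparser.ConfigParser(interpolation=None)  # keep $ and % verbatim
    parser.read_string(ini_text)
    hits: List[Tuple[str, str]] = []
    for section in parser.sections():
        for key, value in parser.items(section):  # keys are lower-cased by configparser
            if not SECRET_KEY_RE.search(key):
                continue
            v = value.strip()
            if v.lower() in PLACEHOLDERS or REFERENCE_RE.match(v):
                continue
            hits.append((section, key))
    return hits


def resolve_credential(value: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Resolve a ${ENV:NAME} reference from the environment; refuse literal secrets."""
    env = os.environ if env is None else env
    m = REFERENCE_RE.match(value.strip())
    if not m:
        raise ValueError("credential must be a ${ENV:NAME} reference, not a literal")
    name = m.group(1)
    try:
        return env[name]
    except KeyError:
        raise KeyError(f"environment variable {name} is not set") from None


if __name__ == "__main__":
    for section, key in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"plaintext credential: [{section}] {key}")
    demo_env = {"PAYAPP_DB_PASSWORD": "example-only"}
    print("resolved:", resolve_credential("${ENV:PAYAPP_DB_PASSWORD}", demo_env))
```

Run it over a checkout or a deployed config directory as a pre-commit or deploy-time check; a non-empty result from `find_plaintext_secrets` is a finding regardless of which host the file lives on, since a web server or payments app has no business holding the router's administrative password in any form.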

7 of 139 comments

  1. And the worst of it? by wardrich86 · · Score: 5, Insightful

    If somebody had died or gotten sick, the hacking party would be the ones to get in shit, not the asshat that put the admin password in a text file...

    1. Re:And the worst of it? by Anonymous Coward · · Score: 2, Insightful

      I just don't get this. I feel bad putting the admin password in a file on our demo VM that runs on a local workstation.

      I can't imagine sleeping at night putting it on an actual system somewhere.

    2. Re:And the worst of it? by tnk1 · · Score: 5, Insightful

      If somebody had died or gotten sick, the hacking party would be the ones to get in shit, not the asshat that put the admin password in a text file...

      They both should get in deep shit for it. Yes, the asshole who left the admin password in a text file should get fired.

      However, you should be able to leave an admin password posted on a banner on a 24 hr news station and a good person wouldn't use the password to get in and fuck with a water treatment plant. That's like saying that anyone who leaves their door unlocked deserves to have their house broken into and accidentally burned down while people are trying to steal shit.

      So, yeah, both the hackers and the admin should be dealt with severely. This isn't an either/or situation.

    3. Re:And the worst of it? by Ungrounded+Lightning · · Score: 3, Insightful

      ... you could open the valves to their greatest extent without jumping the chlorine content up from the usual part-per-million to more than a couple of parts per million...that is, still way less chlorine than your average municipal pool needs to combat all those filthy kids.

      But what if the bad guys CLOSE the valves? Then live pathogens go straight from the water source into the no-longer-purified water supply. Several million customers are exposed. Many are sickened. Some take permanent damage. Some die. Even after the issue is fixed the whole water system needs decontamination. And the whole set of cities fed by the plant are disrupted (which is what they're really after).

      It gets even nastier if the bad guys up the ante by dumping a bit of some particularly virulent bugs upstream of the intakes, during the period where they won't be killed off by the shut-down disinfectant injection.

      They use chlorine because it's a heck of a lot less damaging to people than the things it is used to kill off.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  2. "Nobody got poisoned or sick in the end." by jeffb+(2.718) · · Score: 4, Insightful

    Problem is, this is a lot more "just the beginning" than "in the end".

    How many such systems do you suppose have been penetrated by folks who do know what they're doing, and are just sitting on their access until the next political party convention, or major sporting event, or...?

  3. Holy crap ... by gstoddart · · Score: 4, Insightful

    and the payments app contained an INI file with the administrative password for the central router

    You know, every time I have encountered anything this moronic I've raised bloody hell over it.

    Why the hell would a fscking payment app need the administrative password for the damned router, and what idiot allowed this on their network? On at least three occasions I've said "no way in hell I'm going to put a plaintext password into an INI file, and if you want me to do it you're going to have to send me an email and CC a lot of other people demanding it". (Reading TFA, it wasn't the actual payment app, but they got it off a web server they compromised which had it in an INI file, so bad job in the summary).

    I swear, security is often either non-existent or written by idiots.

    And that's before you even get to the epic stupidity of having your SCADA stuff connected to your normal network. I've been in places that had SCADA stuff, and NOTHING was on that network which wasn't fully vetted.

    This whole article reads like "what happens when unqualified people run critical systems" -- right down to the fact that they also had access to "2.5 million customer and financial records".

    I'd like to say I'm astonished, but that would imply that I keep being surprised at just how bad companies suck at fairly basic security.

    --
    Lost at C:>. Found at C.
  4. Airgap by Moof123 · · Score: 4, Insightful

    Equipment of this sort should be air gapped from the wild wild west of the internet. Frankly anything that is safety related (hospital equipment, elevators, and even HVAC systems) should be unreachable without badging into a building. While there are still ways to propagate things in via USB stick, it would keep clowns from pulling this kind of stuff.