Hackers Modify Water Treatment Parameters By Accident

An anonymous reader writes: Verizon's RISK security team has revealed details on a data breach they investigated where some hackers (previously tied to hacktivism campaigns) breached a payments application from an unnamed water treatment and supply company [PDF, page 38], and also escalated their access to reach SCADA equipment responsible for the water treatment process. The hackers modified water treatment chemical levels four different times. The cause of this intrusion seems to be bad network design, since all equipment was interconnected with each other in a star network design, and the payments app contained an INI file with the administrative password for the central router, from where the hackers reached the water treatment SCADA equipment. Of course, the hackers had no clue what they were modifying. Nobody got poisoned or sick in the end.

And the worst of it?

[wardrich86]

If somebody had have died or gotten sick, the hacking party would be the ones to get in shit, not the asshat that put the admin password in a text file...

Re:And the worst of it?

[tnk1]

If somebody had have died or gotten sick, the hacking party would be the ones to get in shit, not the asshat that put the admin password in a text file...

They both should get in deep shit for it. Yes, the asshole who left the admin password in a text file should get fired.

However, you should be able to leave an admin password posted on a banner on a 24 hr news station and a good person wouldn't use the password to get in and fuck with a water treatment plant. That's like saying that anyone who leaves their door unlocked deserves to have their house broken into and accidentally burned down while people are trying to steal shit.

So, yeah, the both hackers and the admin should be dealt with severely. This isn't an either/or situation.