Slashdot Mirror


Judge Sentences Man To One Year In Prison For Hacking Smart Water Readers In Five US Cities (bleepingcomputer.com)

An anonymous reader writes: A Pennsylvania man was sentenced to one year and one day in prison for hacking and disabling base stations belonging to water utility providers in five cities across the U.S. East Coast. Called TGB, these devices collect data from smart meters installed at people's homes and relay the information to the water provider's main systems, where it is logged, monitored for incidents, and processed for billing. Before he was fired by the unnamed TGB manufacturing company, Flanagan's role was to set up these devices. After he was fired, Flanagan used former root account passwords to log onto the devices and disable their ability to communicate with their respective water utility providers' upstream equipment. He wasn't that careful, as the FBI was able to trace back the attacks to his home. Apparently, the guy wasn't that silent, leaving behind a lot of clues. Flanagan's attacks resulted in water utility providers not being able to collect user equipment readings remotely. This incurred damage to the utility providers, who had to send out employees to customer premises to collect monthly readings. He was arrested in Nov 2014, and later pleaded guilty.

  1. Re:Goobers... by bobbied · Score: 5, Interesting

    I got laid off about 10 years ago and I was responsible for maintaining firewalls and remote access network equipment for the company's customers around the world. I left them with a document that listed *every* password that I had set on *every* one of the firewalls and VPN endpoints with instructions that said "CHANGE THESE!"

    They called me a year later asking if I knew the passwords for customer "x" firewall and remote access server... Where I remembered what I had set them to, my response was "Didn't you read the document I left for you?" And when they said "No" I quickly responded with "I don't know the passwords and I don't have a copy of the document I gave you, you are on your own."

    NO way I was going to admit that I had unfettered access to these systems... There was no upside for me and these idiots didn't have a clue what security was so I didn't dare risk being blamed for some problem by admitting I still knew the passwords...

    I did offer to help them recover all the passwords at a few hundred dollars an hour plus expenses, with a minimum of 8 hours paid in advance... And they didn't ever call me back, which was fine with me. They were idiots, both for laying me off initially, then refusing to pay the retention bonus and keep me on after the 90 day notice period when they realized their error PLUS not changing such sensitive passwords when I departed then coming back to ask me for them a year later.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101