Friday, August 5, 2011

Oh. My. God.

My friend Marcus Ranum has a set of Security Laws, too.  His 6th Law is Sometimes it's easier not to do something dumb than it is to do something smart.

Marcus is too nice, sometimes.

I didn't realize when I posted earlier today on SCADA security just how kind Marcus had been.  After all, I proposed my own 4th Law: Everything is on the Internet.  Some things are just harder to find.

So riddle me this, SecurityMan: how do you find one of these systems on the Internet?  What uber 31337 extra crazy h4X0R skillz do you need to find them?

Google:
LAS VEGAS--Not only are SCADA systems used to run power plants and other critical infrastructure lacking many security precautions to keep hackers out, operators sometimes practically advertise their wares on Google search, according to a demo today during a Black Hat conference workshop.
Acknowledging that he wouldn't click on any link results to avoid breaking the law by accessing a network without authorization, researcher Tom Parker typed in some search terms associated with a Programmable Logic Controller (PLC), an embedded computer used for automating functions of electromechanical processes. Among the results was one referencing a "RTU pump status" for a Remote Terminal Unit, like those used in water treatment plants and pipelines, that appeared to be connected to the Internet. The result also included a password--"1234."

Read more: http://news.cnet.com/8301-27080_3-20087201-245/researchers-warn-of-scada-equipment-discoverable-via-google/#ixzz1UByPXkzn
*Facepalm*

I think that we're past the point of proposing fines for companies that do this.  As a modest proposal to improve the security of the nation's critical infrastructure, here's a security device that should be applied to the CEO of any company found with these systems Google accessible:

No need to thank me, it's all part of the service.

4 comments:

Dave H said...

I've been developing products used by the power industry for (mumble) years, and I've told anyone who brought it up that connecting stuff to the internet was a Very Bad Idea. But the utilities aren't keen on building a new network parallel to one that's already there. (They've been trying to use the power lines for years, but those stink as data cables.)

The good news is they're aware of the problem and are establishing standards for security. The bad news is there's a LOT of insecure or marginally secure stuff already deployed, and they're not going to replace it all the day an alternative is available. It'll take more years to do that.

As for Easter eggs in our products, um... ooh, look over there! (Darts away hastily.)

Old NFO said...

Dave is correct... sigh...

kx59 said...

Damn, that is funny; the only thing missing is the guillotine blade.
I am not an I.T. professional, but I play one at work in my "spare" time.
One thing I've observed that runs deep in the I.T. world is a serious lack of problem solving skills and a complete inability to think outside the box.

Carteach said...

Given the nature of human beings, even those in command of our infrastructure... a rational man assures himself of his basic necessities. As a lowly peon, I certainly cannot bolster system security, but I can damn well make sure everyone in this house can live comfortably when the magic elektrickity stops flowing in.