Monday, September 8, 2008

Terrorists can make things go "Boom" remotely

This has been, well, inevitable:
Gasoline refineries, manufacturing plants and other critical facilities that rely on computerized control systems just became more vulnerable to tampering or sabotage with the release of attack code that exploits a security flaw in a widely used piece of software.
SCADA (supervisory control and data acquisition) systems are the computers that control electric power distribution, manufacturing, natural gas pipelines, and other basic components of our national manufacturing economy. Think big factories: you'll find SCADA at their heart.

They're computers, so they run programs. Programs have vulnerabilities that a Bad Guy can exploit if the machine is connected to Al Gore's intarwebz. We've seen this before - a Cookie Factory goes haywire and burns up all the cookies because the process controller got confused and decided to do a fandango on its memory. Now replace "Cookie Factory" with "Natural Gas Pipeline." Boom.

No problem, right? For Al Qaeda to get to the computers, someone has to put them onto Al Gore's intarwebz, right? Who on earth would connect such an important computer to the 'net?
A core tenet among system administrators of such systems is that remote terminal units and other critical industrial controls should never be exposed to the internet. In reality, however, there are frequently numerous ways unauthorized people can gain access to those controls.
Look at the IRS, which has thousands of computers connected to the 'net without authorization, or even passwords.

Well, everyone must be scrambling to fix it, right? Not so much:
"In reality, I would be willing to wager a small fortune that most of the folks that received the Citect advisory were not inspired to take immediate action," Finisterre wrote in this paper published to the Milw0rm website. "In general, no one should be more knowledgeable about a software product than the vendor, so if the vendor pulls an Alfred E. Newman and says 'What, me worry?' you can rest assured the userbase will do the same."
This is monumentally, insanely, dare I say criminally stupid.
