First real-world SCADA attack in US

Leigh Porter leigh.porter at ukbroadband.com
Mon Nov 21 21:09:45 UTC 2011


On 21 Nov 2011, at 20:23, "Ryan Pavely" <paradox at nac.net> wrote:

> Might I suggest using 127.0.0.2 if you want less spam :P
> 
> Pretty scary that folks have
> 1. Their SCADA gear on public networks, not behind VPNs and firewalls.

Do people really do that? Just dump a /24 of routable space on a network and use it? 
Fifteen years ago perhaps, but now, really? Or are these legacy installations with Cisco routers that don't do 'ip classless' and that everybody has forgotten about?


> 2. Allow their hardware vendor to keep a list of usernames / passwords.

Yeah I can believe this. That's if they bothered changing the passwords at all.

> 2b. Obviously don't change these so often. When's the last time they really "called support" and refreshed the password with the hw vendor.... Probably when they installed the gear... Sheesh..

I am curious now as to what you would find port scanning for port 23 on some space owned by utility companies. Now, I'm not about to do this, but it would be interesting.

Does anybody know what really happened here? Were they just using some ancient VHF radio link to an unmanned pumping station that somebody hacked with an old TCM3105 or AM2911 modem chip and a ham radio?


--
Leigh






More information about the NANOG mailing list