First real-world SCADA attack in US
Steven Bellovin
smb at cs.columbia.edu
Wed Nov 23 01:08:58 UTC 2011
On Nov 22, 2011, at 7:51 59PM, Valdis.Kletnieks at vt.edu wrote:
> On Tue, 22 Nov 2011 13:32:23 -1000, Michael Painter said:
>
>>> http://jeffreycarr.blogspot.com/2011/11/latest-fbi-statement-on-alleged.html
>
>> And "In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as
>> previously reported."
>
> It's interesting to read the rest of the text while doing some deconstruction:
>
> "There is no evidence to support claims made in the initial Fusion Center
> report ... that any credentials were stolen, or that the vendor was involved
> in any malicious activity that led to a pump failure at the water plant."
>
> Notice that they're carefully framing it as "no evidence that credentials were
> stolen" - while carefully tap-dancing around the fact that you don't need to
> steal credentials in order to totally pwn a box via an SQL injection or a PHP
> security issue, or to log into a box that's still got the vendor-default
> userid/passwords on them. You don't need to steal the admin password
> if Google tells you the default login is "admin/admin" ;)
>
> "No evidence that the vendor was involved" - *HAH*. When is the vendor *EVER*
> involved? The RSA-related hacks of RSA's customers are conspicuous by their
> uniqueness.
>
> And I've probably missed a few weasel words in there...

They do state categorically that "After detailed analysis, DHS and the
FBI have found no evidence of a cyber intrusion into the SCADA system of
the Curran-Gardner Public Water District in Springfield, Illinois."
I'm waiting to see Joe Weiss's response.
--Steve Bellovin, https://www.cs.columbia.edu/~smb