City's Water Control System Hacked Because of Three-Character Password
City's Water Control System Hacked Because of Three-Character Password
Posted 11/21/2011 at 4:06pm
| by Ryan Whitwam
20
Comments
Print
There is a lot of emphasis on computer security these days. Strong passwords, encryption, the whole nine yards. Apparently no one told a community called South Houston in Texas, USA. According to various confirmed reports, the municipality was using a simple three-character password to protect its Internet-facing SCADA system, which controls water and sewage systems. This system was accessed by a hacker known only as pr0f as a proof of concept. Yikes.
"This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,” hacker pr0f said in an email. He went on to call the error an example of “gross stupidity.” Pr0f claims to have used a simple port scanner to look for instances of SCADA systems with web interfaces after being angered by the US Department of Homeland Security’s downplay of an earlier unrelated SCADA attack.
This attack was carried out more as a wake up call, but attackers could do serious damage to utilities. Pr0f is likely far from the only person scanning for these vulnerabilities, but the others are probably more malicious. Let’s hope that cities take a long hard look at their security practices.
More like this
20
Comments
Comments are closed on this article
Keno5net
November 22, 2011 at 2:54pm
The guy will probably be hunted down and strung up by his thumbs because he embarrassed The Department.
Bad Kharma
November 21, 2011 at 11:20pm
I would normally file this under life is hard but it is even harder when you are stupid.
don2041
November 21, 2011 at 6:44pm
Any idiots stupid enough to connect a utility company to the internet should be publicly flogged and then fired.
Eoraptor
November 21, 2011 at 9:17pm
EVERYTHING is on the internet these days, whether it's pofoundly stupid or not. why do you think (covert military operation of unknown origin) created stuxnet? because the Iranians had their nuclear material producing stuff hooked up to the net.
"because if it can't access the web, it's crap"
limitbreaker
November 22, 2011 at 2:10am
Actually youre wrong about stuxnet, you're underestimating both the Iranians and the virus... stuxnet was designed to spread by things like USB sticks because those computers were not connected to the internet. The virus was engineered to remain passive and spread from pc to pc without the internet until it finds the target.
stuxnet http://www.forbes.com/2010/10/06/iran-nuclear-computer-technology-security-stuxnet-worm.html
biggiebob12345
November 21, 2011 at 6:58pm
It's probably because of lazy engineers that want to be able to work from their phones while jerking off at home.
Same reason why American cars suck. America produces the best engineers....but you also end up with lazy and sloppy engineers too.
LatiosXT
November 22, 2011 at 9:06am
You're confusing engineers with IT.
Unless you're talking about the "Train Engineer" or "Flight Engineer" kind of engineer.
khaz19
November 22, 2011 at 7:51am
You're way off base. The SCADA and HMI/PLC systems are Ethernet-capable for a few (very good) reasons:
1. Enables for a greater physical distance between devices.
2. Remote connectivity for troubleshooting & updates.
3. Faster communication between devices.
4. Allows for more devices to communicate with each other simultaneously.
Having Ethernet/internet connectivity is a good thing, but without the proper and adequate security measures to ensure its protected, it's like a screen door on a submarine.
Eoraptor
November 22, 2011 at 1:05pm
exactly, it reduces or eluminates the need to have to pay some guy to sit with his tumb up his ass at a control station 24 hours a day on the off chance something MIGHT go wrong. Imagine something a small hydroelectric powerplant. it's sitting in the middle of the wilderness, on a waterfall, to generate electicity. now your choice in maintaining it is either to a.) put in an access road, a bathroom, several vending machines, maybe even a kitchen, a break room, and several chairs and desks or b.) hook the damned thing up to the web and let someone monitor it from downtown, and only send people physically there when needed.
Scatter
November 21, 2011 at 4:46pm
Unfortunately sometime it takes exposing vulnerabilities like these in order to bring attention to them and cause change. Unfortunately again he'll probably be arrested for doing so and charges as a terrorist.
Connect with MaximumPC
Featured Content
The gang discusses the GTX 690, Trinity, Ivy Bridge, Amazon, big-box stores, MMOs,...
This month's issue
Feature
Build a PC On Any Budget
Feature
Cloud Services Showdown
How-To
Encrypt Your External Drive
Build It
Upgrade an X58 Rig
Most Commented Articles
Latest Max PC Tweets
- maximumpc: Original RickRoll Video Returns to YouTube After 24-Hour Copyright Hiatus http://t.co/MaH9Sxyy1 day 5 hours ago
- maximumpc: Corsair has decided not to go forward with its $78 million IPO, citing weak equity market conditions http://t.co/A5a4DAzj1 day 5 hours ago
- maximumpc: Want to work at Maximum PC? Our Online Managing Editor, Alex, is moving away, so we need a new one. http://t.co/9Z7JCh0E3 days 3 hours ago
