[146830] in North American Network Operators' Group


Re: First real-world SCADA attack in US

daemon@ATHENA.MIT.EDU (Steven Bellovin)
Tue Nov 22 21:08:12 2011

From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <5F708076-4FD0-42B2-9E37-4E5599010278@cs.columbia.edu>
Date: Tue, 22 Nov 2011 21:07:08 -0500
To: Valdis.Kletnieks@vt.edu
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Nov 22, 2011, at 8:08:58 PM, Steven Bellovin wrote:

> 
> On Nov 22, 2011, at 7:51:59 PM, Valdis.Kletnieks@vt.edu wrote:
> 
>> On Tue, 22 Nov 2011 13:32:23 -1000, Michael Painter said:
>> 
>>>> http://jeffreycarr.blogspot.com/2011/11/latest-fbi-statement-on-alleged.html
>> 
>>> And "In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign entities, as
>>> previously reported."
>> 
>> It's interesting to read the rest of the text while doing some deconstruction:
>> 
>> "There is no evidence to support claims made in the initial Fusion Center
>> report ... that any credentials were stolen, or that the vendor was involved
>> in any malicious activity that led to a pump failure at the water plant."
>> 
>> Notice that they're carefully framing it as "no evidence that credentials were
>> stolen" - while carefully tap-dancing around the fact that you don't need to
>> steal credentials in order to totally pwn a box via an SQL injection or a PHP
>> security issue, or to log into a box that's still got the vendor-default
>> userid/passwords on them. You don't need to steal the admin password
>> if Google tells you the default login is "admin/admin" ;)
>> 
>> "No evidence that the vendor was involved" - *HAH*. When is the vendor *EVER*
>> involved? The RSA-related hacks of RSA's customers are conspicuous by their
>> uniqueness.
>> 
>> And I've probably missed a few weasel words in there...
> 
> They do state categorically that "After detailed analysis, DHS and the
> FBI have found no evidence of a cyber intrusion into the SCADA system of
> the Curran-Gardner Public Water District in Springfield, Illinois."
> 
> I'm waiting to see Joe Weiss's response.


See http://www.wired.com/threatlevel/2011/11/scada-hack-report-wrong/

		--Steve Bellovin, https://www.cs.columbia.edu/~smb