Re: First real-world SCADA attack in US

[Steven Bellovin <smb () cs columbia edu>]

On Nov 22, 2011, at 7:51 59PM, Valdis.Kletnieks () vt edu wrote:

> On Tue, 22 Nov 2011 13:32:23 -1000, Michael Painter said:
>
> > > http://jeffreycarr.blogspot.com/2011/11/latest-fbi-statement-on-alleged.html
>
> > And "In addition, DHS and FBI have concluded that there was no malicious traffic from Russia or any foreign 
> > entities, as 
> > previously reported."
>
> It's interesting to read the rest of the text while doing some deconstruction:
>
> "There is no evidence to support claims made in the initial Fusion Center
> report ... that any credentials were stolen, or that the vendor was involved
> in any malicious activity that led to a pump failure at the water plant."
>
> Notice that they're carefully framing it as "no evidence that credentials were
> stolen"  - while carefully tap-dancing around the fact that you don't need to
> steal credentials in order to totally pwn a box via an SQL injection or a PHP
> security issue, or to log into a box that's still got the vendor-default
> userid/passwords on them.  You don't need to steal the admin password
> if Google tells you the default login is "admin/admin" ;)
>
> "No evidence that the vendor was involved" - *HAH*.  When is the vendor *EVER*
> involved?  The RSA-related hacks of RSA's customers are conspicuous by their
> uniqueness.
>
> And I've probably missed a few weasel words in there...

They do state categorically that "After detailed analysis, DHS and the
FBI have found no evidence of a cyber intrusion into the SCADA system of
the Curran-Gardner Public Water District in Springfield, Illinois."

I'm waiting to see Joe Weiss's response.

                --Steve Bellovin, https://www.cs.columbia.edu/~smb