
SCADA System + 3 Character Password = PWNED

Paul Asadoorian December 5, 2011

Ok, really anything with a 3-character password is going to get compromised, but it being a SCADA system just makes this a bit more insane. The basics are that the city of South Houston made its water control system accessible from the internet and “protected” it with a 3-character password. Sure enough, someone poked around at it a bit and got access to it. It could have been messy if an attacker had decided to cause some problems. Can you imagine what it would be like when all the toilets in town suddenly can’t flush because the water is shut down? Yech!

Toilet Down!

What I suspect happened is that whoever was managing this system just wasn’t thinking about what they were doing. Maybe they got in a hurry when doing the install and forgot to go back and reset the password. Or they (incorrectly) decided that since this was an internal system, they didn’t need a good password. Then later it was decided to allow access to the management interface from the internet.

Either way, this whole thing was bad. It could have been avoided with some basic procedures and controls. Things like using a reasonable password and not putting any management interface directly online come to mind quickly. If you really do need remote access to such an interface, then use some kind of VPN to do so. It doesn’t really take that long to do and is at least a start on performing some due care.

Time for some folks to take a step back, learn some basics and then start trying to fix some stuff.  Aim for good security practices at first, then start worrying about some of the more difficult attacks to defend against.

Link - https://threatpost.com/en_us/blogs/hacker-says-texas-town-used-three-digit-password-secure-internet-facing-scada-system-112011
