On security - SCADA software defect (Siemens' WinCC)

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Fri Sep 24 02:34:42 UTC 2010


On Thu, Sep 23, 2010 at 10:14:19PM -0400, Mel Wilson wrote:
> On 10-09-23 11:32 AM, William Muriithi wrote:
>> Morning pal
>>
>> Just came to learn about this virus - Stuxnet.  If you google more on
>> it, it looks like the work of a well-financed organization, which makes it
>> pretty interesting.
>>
>> Now, what though is surprising is that changing the default password
>> impacts the operation of the whole system.  How the f**k is that
>> acceptable in current times.  That would be a good reason to
>> automatically eliminate it from consideration during sourcing, I would
>> think.
>>
>> http://en.wikipedia.org/wiki/Stuxnet
>>
>> http://www.bbc.co.uk/news/technology-11388018
>>
>> Really, am I overreacting a bit by stating an enterprise product
>> should at least allow password reset?
>
> One theory is that it's targeting one specific system:
>
> <http://motherjones.com/kevin-drum/2010/09/living-jack-bauers-world>

It sounds to me like someone designed a system where a hardcoded "secret,
no one will ever know what it is" password is used for devices to talk
to each other, while the "real" passwords that users set are only used
by humans to talk to the devices, and if you try changing the "secret"
password, the devices can't talk to each other anymore.

Any system where changing the passwords isn't part of normal setup before
deployment and is in fact discouraged is clearly broken by design.

-- 
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
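An added illustration of the design Len describes (not code from the thread, and not WinCC code; the component names, the shared secret and the message are all constructed): a machine-to-machine secret baked into every install, separate from the operator password, so rotating it on one side breaks the channel, beside a provisioned design where rotation is a normal setup step.

```python
"""Constructed model: a shared secret baked into both components for
machine-to-machine auth, separate from the human-facing password.
Hypothetical component names; nothing here is WinCC's actual design."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _tag(secret: bytes, msg: bytes) -> str:
    """Message authentication tag a peer must reproduce to be accepted."""
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


@dataclass
class Component:
    """One device or service. m2m_secret authenticates peer traffic;
    user_password is only ever checked for human logins."""
    name: str
    m2m_secret: bytes
    user_password: str

    def send(self, msg: bytes) -> tuple[bytes, str]:
        return msg, _tag(self.m2m_secret, msg)

    def accept(self, msg: bytes, tag: str) -> bool:
        return hmac.compare_digest(_tag(self.m2m_secret, msg), tag)


BAKED_IN = b"constructed-hardcoded-secret"  # identical in every install


def broken_design() -> dict:
    """Each component ships with BAKED_IN; there is no provisioning step."""
    hmi, db = Component("hmi", BAKED_IN, "op"), Component("db", BAKED_IN, "op")
    out_of_box = db.accept(*hmi.send(b"read tag 42"))
    hmi.user_password = "Str0ng!"  # the only thing an operator can change
    after_user_pw = db.accept(*hmi.send(b"read tag 42"))  # channel unchanged
    hmi.m2m_secret = os.urandom(32)  # rotate the machine secret on one side
    after_rotate = db.accept(*hmi.send(b"read tag 42"))  # peer still BAKED_IN
    return {"out_of_box": out_of_box, "after_user_pw": after_user_pw,
            "after_rotate": after_rotate}


def provisioned_design() -> dict:
    """Fix: the machine secret is generated at setup and pushed to every peer,
    so rotation is an ordinary, supported operation rather than a breakage."""
    def provision(fleet, secret):
        for c in fleet:
            c.m2m_secret = secret
    hmi, db = Component("hmi", b"", "op"), Component("db", b"", "op")
    provision([hmi, db], os.urandom(32))
    after_setup = db.accept(*hmi.send(b"read tag 42"))
    provision([hmi, db], os.urandom(32))  # rotation re-provisions all peers
    after_rotate = db.accept(*hmi.send(b"read tag 42"))
    return {"after_setup": after_setup, "after_rotate": after_rotate}
```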