(Ars Technica) Mission critical routers at power operators, railroads and other large industries have a secret 'factory account' with default passwords that leave them vulnerable. Sleep tight, citizen (arstechnica.com)

Posted to Geek on 05 Sep 2012 at 1:11 PM (7646 clicks)

Archived thread (74 comments)

 
2012-09-05 10:03:47 AM
Doesn't surprise me in the slightest that these would be set up with the defaults and no security. I also would have accepted "uses all the same passwords" as something they might have done.

One of the big hotel chains in Vegas is known in some IT circles for that. Each of their properties has the same password on all their internal and staff Wi-Fi routers.
 
2012-09-05 10:35:55 AM
I find it hard to believe that we don't have some kind of security standard for major infrastructure.

Someone should introduce legislation to require such security standards and everyone who votes against it should be shot as a traitor.
 
2012-09-05 11:21:15 AM

unlikely: Someone should introduce legislation to require such security standards and everyone who votes against it should be shot as a traitor.


A simple bill. 2 pages tops. Of course they will add the following to it:

Subsidies for North Dakota weasel farmers
College tuition for undocumented refugees from Hoboken
Studies of the Northern California Burrowing Swamp Deer
Free school lunches for Spotted Owls in Chicago
Vaccinations for Whooping Pimples
Contraception for UAW workers while on the assembly line
Gay Cocker Spaniel Awareness Day
A bridge from Nebraska to Disney World
Federally mandated stealth cheese
and of course, $132,233,238,992,111.13 for the top secret new underground bomber.
 
2012-09-05 11:45:25 AM

flucto: unlikely: Someone should introduce legislation to require such security standards and everyone who votes against it should be shot as a traitor.

A simple bill. 2 pages tops. Of course they will add the following to it:

Subsidies for North Dakota weasel farmers
College tuition for undocumented refugees from Hoboken
Studies of the Northern California Burrowing Swamp Deer
Free school lunches for Spotted Owls in Chicago
Vaccinations for Whooping Pimples
Contraception for UAW workers while on the assembly line
Gay Cocker Spaniel Awareness Day
A bridge from Nebraska to Disney World
Federally mandated stealth cheese
and of course, $132,233,238,992,111.13 for the top secret new underground bomber.


I know you are joking but this happened recently to a bill designed to introduce technical security standards for nuclear plants and other major projects like that. The R's added stuff to it about abortion and personhood, the D's then added gun control stuff. The sponsor was like WTF and gave up.
 
2012-09-05 11:50:14 AM

unlikely: I find it hard to believe that we don't have some kind of security standard for major infrastructure.

Someone should introduce legislation to require such security standards and everyone who votes against it should be shot as a traitor.


Yeah, I would like to make some money starting a consulting company that audits other businesses to make sure they comply with arbitrary standards that don't work. The sarbox market is pretty much saturated, so some new legislation would help me break into the business.
 
2012-09-05 01:16:20 PM

NickelP: I know you are joking but this happened recently to a bill designed to introduce technical security standards for nuclear plants and other major projects like that. The R's added stuff to it about abortion and personhood, the D's then added gun control stuff. The sponsor was like WTF and gave up.


As wacky as he was, Herman Cain was actually onto something with his "All bills must be no longer than 3 pages long" schtick.

Rather than limiting the length, we need to find a way to limit the contents to only items that are directly related to the intent of the bill.

I propose a 3 person board that reviews all proposed bills and if they find them to be packed with unrelated bullshiat, they're stamped GTFO and returned to the congress for reworking.

To avoid having the board purposely stacked with partisan asshats, it'll be like jury duty. The panel will be randomly selected from a list of registered voters. A basic test to weed out illiterates and those who lack any semblance of critical thinking skills will also be applied.
 
2012-09-05 01:21:09 PM
I've audited many power and ethanol generation plants. From an IT perspective - this is the least of their problems.

/if properly implemented and secured this is a non-issue
//emphasis on the word "properly"
 
2012-09-05 01:23:08 PM

Eddie Adams from Torrance: A basic test to weed out illiterates and those who lack any semblance of critical thinking skills will also be applied.


I'm not illiterate! My parents were married!
 
2012-09-05 01:26:54 PM

Eddie Adams from Torrance: Rather than limiting the length, we need to find a way to limit the contents to only items that are directly related to the intent of the bill.


Some of the states actually have this sort of rule in their legislatures.

The problem is, that while the rider method is sometimes abused, it's also very legitimately useful. In spite of the fact that the US Congress often doesn't get a lot of high-profile stuff passed as of late, it does conduct and pass legislation on a regular basis, and much of that is in "bundles" like this, since to vote on every single thing individually would basically require Congress to be in session 24/7/365, which would lead to all sorts of problems.
 
2012-09-05 01:26:59 PM

unlikely: Someone should introduce legislation to require such security standards and everyone who votes against it should be shot as a traitor.


Didn't they try to do exactly this, and then it got all derped up in the house?
 
2012-09-05 01:27:11 PM

unlikely: I find it hard to believe that we don't have some kind of security standard for major infrastructure.

Someone should introduce legislation to require such security standards and everyone who votes against it should be shot as a traitor.


They've been trying to enact precisely that kind of standard for the past 15 or so years. The industry balks at nearly everything (because it would require them to spend $ to fix sloppy architecture and poor security), and the govt can't agree on much.

Just suggesting that they follow SANS recommendations for SCADA systems caused quite a ruckus, and most of that was just common sense. Caught one of the sessions on CSPAN once and nearly threw my drink at the TV due to the stupidity being portrayed as fact by the politicians and the industry hacks.
 
2012-09-05 01:27:46 PM

IronJelly: One of the big hotel chains in Vegas is known in some IT circles for that. Each of their properties has the same password on all their internal and staff Wi-Fi routers.


Hotels are a notoriously low margin business - the vast majority are franchises which are owned by small businessmen who typically have a number of other businesses. Getting a hotel chain to do anything that costs the local owners money is next to impossible. That includes managing their infrastructure properly.

/spent a year at a hotel chain fixing those very issues after a breach
 
2012-09-05 01:31:27 PM

TheBeastOfYuccaFlats: Eddie Adams from Torrance: Rather than limiting the length, we need to find a way to limit the contents to only items that are directly related to the intent of the bill.

Some of the states actually have this sort of rule in their legislatures.

The problem is, that while the rider method is sometimes abused, it's also very legitimately useful. In spite of the fact that the US Congress often doesn't get a lot of high-profile stuff passed as of late, it does conduct and pass legislation on a regular basis, and much of that is in "bundles" like this, since to vote on every single thing individually would basically require Congress to be in session 24/7/365, which would lead to all sorts of problems.


Luckily that guarantees funding for the perverted arts. Oh, and saving Springfield.
 
2012-09-05 01:43:36 PM
I liked this mission critical router at a hotel I stayed at last weekend:

i45.tinypic.com

/Yes, that's the sky in the background
//Yes, it's just bolted to the underside of an outdoor walkway
 
2012-09-05 01:45:04 PM
MALVIN
I can't believe it, Jim. That girl's standing over there listening and you're telling him about our back doors?

JIM STING
[yelling] Mister Potato Head! Mister Potato Head! Back doors are not secrets!

MALVIN
Yeah, but Jim, you're giving away all our best tricks!

JIM STING
They're not tricks.
 
2012-09-05 01:47:27 PM

NickelP: I know you are joking but this happened recently to a bill designed to introduce technical security standards for nuclear plants and other major projects like that. The R's added stuff to it about abortion and personhood, the D's then added gun control stuff. The sponsor was like WTF and gave up.


I was only kind of joking. I haven't really thought it through, but on the surface it certainly seems like laws should only have language that relates to the basic subject of the law. Example: law about gay cocker spaniel day cannot contain language about the legality of bullet proof tutu research.
 
2012-09-05 01:48:26 PM

IamSoSmart_S_M_R_T: I liked this mission critical router at a hotel I stayed at last weekend:

[i45.tinypic.com image 850x1133]

/Yes, that's the sky in the background
//Yes, it's just bolted to the underside of an outdoor walkway


That's fantastic.
 
2012-09-05 01:52:10 PM

unlikely: I find it hard to believe that we don't have some kind of security standard for major infrastructure.

Someone should introduce legislation to require such security standards and everyone who votes against it should be shot as a traitor.


Knowing just a tad about "Critical Infrastructure Protection" I'd like to point out that there are dozens of standards and federal, state, county and local entities who all think they should be setting and auditing those conflicting "standards".
 
2012-09-05 01:53:13 PM

IamSoSmart_S_M_R_T: mission critical router at a hotel


Uh...
 
2012-09-05 01:53:52 PM

IamSoSmart_S_M_R_T: I liked this mission critical router at a hotel I stayed at last weekend:

[i45.tinypic.com image 850x1133]

/Yes, that's the sky in the background
//Yes, it's just bolted to the underside of an outdoor walkway


So...did you unplug it?
 
2012-09-05 01:55:09 PM

IamSoSmart_S_M_R_T: I liked this mission critical router at a hotel I stayed at last weekend:

[i45.tinypic.com image 850x1133]

/Yes, that's the sky in the background
//Yes, it's just bolted to the underside of an outdoor walkway


The great thing about that router is that if you try to access the admin page and fail it tells you the default username and password.
 
2012-09-05 01:55:18 PM

MoronLessOff: IamSoSmart_S_M_R_T: I liked this mission critical router at a hotel I stayed at last weekend:

[i45.tinypic.com image 850x1133]

/Yes, that's the sky in the background
//Yes, it's just bolted to the underside of an outdoor walkway

So...did you unplug it?


Or, you know, drop a line into it, log in using the default Administrator account and password, helpfully displayed right on the router, and change the settings and passwords?
 
2012-09-05 01:58:18 PM

Slaves2Darkness: MoronLessOff: IamSoSmart_S_M_R_T: I liked this mission critical router at a hotel I stayed at last weekend:

[i45.tinypic.com image 850x1133]

/Yes, that's the sky in the background
//Yes, it's just bolted to the underside of an outdoor walkway

So...did you unplug it?

Or, you know, drop a line into it, log in using the default Administrator account and password, helpfully displayed right on the router, and change the settings and passwords?


Preferably to "Cookie Monster" and "Cookie", respectively.
 
2012-09-05 01:59:24 PM
http://www.routerpasswords.com
 
2012-09-05 01:59:45 PM

Mr. Eugenides: Knowing just a tad about "Critical Infrastructure Protection" I'd like to point out that there are dozens of standards and federal, state, county and local entities who all think they should be setting and auditing those conflicting "standards".


Time for a new Federal Agency. We'll call it "Telecommunications Security Authority" or "TSA" (which will help to misdirect agency blame when issues occur) and assign them the responsibility of doing packet inspection as traffic passes through routers. Uncooperative packets will be assigned to the "deep inspection" line.
 
2012-09-05 02:08:36 PM

flucto: unlikely: Someone should introduce legislation to require such security standards and everyone who votes against it should be shot as a traitor.

A simple bill. 2 pages tops. Of course they will add the following to it:

Subsidies for North Dakota weasel farmers
College tuition for undocumented refugees from Hoboken
Studies of the Northern California Burrowing Swamp Deer
Free school lunches for Spotted Owls in Chicago
Vaccinations for Whooping Pimples
Contraception for UAW workers while on the assembly line
Gay Cocker Spaniel Awareness Day
A bridge from Nebraska to Disney World
Federally mandated stealth cheese
and of course, $132,233,238,992,111.13 for the top secret new underground bomber.


It is waste like this that annoys me. They should at least round up to the nearest nickel.
 
2012-09-05 02:09:18 PM

MoronLessOff:
So...did you unplug it?


I would've needed a ladder, or one of those handy "reaching arms" I see bundled as a free gift with every Rascal Scooter purchase. :(


Slaves2Darkness:
Or, you know, drop a line into it, log in using the default Administrator account and password, helpfully displayed right on the router, and change the settings and passwords?


While I've seen such things done in places like Fishers, IN (where the hotel's admin password was a difficult-to-guess "fishers"), I wasn't able to this time since I only caught a glimpse of it as we were leaving. :(
 
2012-09-05 02:17:30 PM

Ima_Lurker: It is waste like this that annoys me. They should at least round up to the nearest nickel.


What? And alienate the American Copper Producers of America? (motto: "Go ahead, CU if you can get elected without our contribution") Anyway, the mandatory use of pennies by the Air Force is a matter of law (find it in the American Fisheries Act of 1997 which covers the use of bathroom freshener in porta-potties on Union job sites)
 
2012-09-05 02:35:38 PM
I work for one of the world's largest internet backbone companies. All I have to say is, "Who the hell is GarrettCom?"
 
2012-09-05 02:36:50 PM
[CSB]

Back when I worked for a large router company, we went out to CAL-ISO to try to sell them some firewalls and other security gear.
CAL-ISO was a co-op that interconnected all of the power companies so that they could share data and manage the grid.

When we asked what sorts of firewalls and security existed between them and the power companies, they said..... you guessed it... none.
We laughed a little and then commented "Well, I guess it's not like they have the actual control systems for the generating stations connected to this network...right?"

Their engineer said "Of course they do... that's the whole idea" [/CSB]

With all of the billions of dollars we waste on airline security it's farking shameful that we don't pay even the slightest attention to securing critical infrastructure, but I guess the sheeple are more afraid of brown people on aircraft than they are of actual threats to our power/water/communication systems.
 
2012-09-05 02:53:36 PM

Eddie Adams from Torrance: With all of the billions of dollars we waste on airline security it's farking shameful that we don't pay even the slightest attention to securing critical infrastructure, but I guess the sheeple are more afraid of brown people on aircraft than they are of actual threats to our power/water/communication systems.


The sheeple are not in charge of that. They don't even know why the electric company needs generators, I mean, it's not like the electric company is going to have a power outage.

The government will do NOTHING about any of this until there's a 9/11 sized event, then they will pass laws officially allocating blame to trans-fat and 2nd hand smoke.
 
2012-09-05 02:54:33 PM
As a regional fiber tech for a carrier ethernet company I'm getting a Ctrl+Break from these replies.

You wouldn't believe the number of secure doors, gates, and other facilities that are protected with '1234', '12345', password, admin, or [blank]. And there is no kind of access like physical access.
Also there are plenty of locks & alarms that will sound but aren't that loud & aren't monitored. If anything kick in a door, walk away and wait for police to drive by. They may never arrive. If they do just keep setting off alarms every night for a week. Little Boy Blue grew up & became a thief.

Not the worst site I've seen
Link
 
2012-09-05 02:57:26 PM

Eddie Adams from Torrance: NickelP: I know you are joking but this happened recently to a bill designed to introduce technical security standards for nuclear plants and other major projects like that. The R's added stuff to it about abortion and personhood, the D's then added gun control stuff. The sponsor was like WTF and gave up.

As wacky as he was, Herman Cain was actually onto something with his "All bills must be no longer than 3 pages long" schtick.

Rather than limiting the length, we need to find a way to limit the contents to only items that are directly related to the intent of the bill.

I propose a 3 person board that reviews all proposed bills and if they find them to be packed with unrelated bullshiat, they're stamped GTFO and returned to the congress for reworking.

To avoid having the board purposely stacked with partisan asshats, it'll be like jury duty. The panel will be randomly selected from a list of registered voters. A basic test to weed out illiterates and those who lack any semblance of critical thinking skills will also be applied.


The problem with that approach is that bills will get killed by the opposition simply by adding crap to them (which happens now sometimes).
 
2012-09-05 02:59:30 PM

Eddie Adams from Torrance: NickelP: I know you are joking but this happened recently to a bill designed to introduce technical security standards for nuclear plants and other major projects like that. The R's added stuff to it about abortion and personhood, the D's then added gun control stuff. The sponsor was like WTF and gave up.

As wacky as he was, Herman Cain was actually onto something with his "All bills must be no longer than 3 pages long" schtick.

Rather than limiting the length, we need to find a way to limit the contents to only items that are directly related to the intent of the bill.


Support the "One Subject at a Time Act."
 
2012-09-05 03:02:35 PM
"They're also fluent in the Modbus and DNP communications protocols used to natively administer industrial control and supervisory control and data acquisition gear."

Well, that Stux.
 
2012-09-05 03:03:03 PM

DrPainMD: Support the "One Subject at a Time Act."


That's the kind of site where you fill in the petition and a week later get your welcome kit to the American Nazi Cannibal Party to Ban the Designated Hitter.
 
2012-09-05 03:04:52 PM
I was getting "free" internet, as were many kids in the neighborhood, until I changed the network name (it was unsecured) to "LOOKING AT YOU". Then they left. Then I guess the owner noticed. Oh well.
 
2012-09-05 03:08:37 PM

NickelP: I know you are joking but this happened recently to a bill designed to introduce technical security standards for nuclear plants and other major projects like that. The R's added stuff to it about abortion and personhood, the D's then added gun control stuff. The sponsor was like WTF and gave up.


If you're talking about the Cybersecurity Act, the bogus amendments aren't what killed it. The parties started attaching garbage amendments to its already-dead corpse as political stunts after a group of anti-regulation republicans teamed with the U.S. Chamber of Commerce to torpedo it with a filibuster. 

The gun control and anti-abortion measures were just mindless pandering through a dead bill.
 
2012-09-05 03:20:06 PM
www.movieactors.com

Has the same password on his luggage
 
2012-09-05 03:24:33 PM
If the default credentials haven't been changed, the undocumented factory account can allow people with guest accounts to gain unfettered control of the devices,

I think I see your problem...
 
2012-09-05 03:29:20 PM
admin
admin
?
 
2012-09-05 03:45:32 PM
sys/change_on_install
 
2012-09-05 03:47:05 PM

flucto: Federally mandated stealth cheese


Awesome... just awesome.
 
2012-09-05 03:52:24 PM

Buck Henderson: Awesome... just awesome.


I was particularly proud of that.
 
2012-09-05 03:56:21 PM
CSB: When I was working at Canadian National at the early part of the 2000s, the IT support desk phone number for the Mississippi corridor (basically the old Illinois Central line) was also the number that members of the general public called to report things like stuck crossing gates. I was doing network operation stuff, but it was pretty common for the computer helpdesk people to have to track down some CN employee because the sheriff of East Bumfark County was having a hissy fit over a gate that had been down for 10 minutes with no train.

CSB2: The CN operations center at Harvey, Illinois's stated policy was to disallow end users from having passwords on their NT workstations and SGI machines, because password resets required too much administrative time.

CSB3: During that time period (like, 2000 or early 2001), CN transitioned from a pure Windows NT environment to Windows 98 with Banyan VINES. Once again for all the IT-types, they moved onto VINES. In 2001.

CSB4: While I was in their downtown office, a CN VP cornered me and asked if I would install a copy of "Railroad Tycoon" on the computer in his office. Which I did.

None of this is applicable now, but it's all still amusing.
 
2012-09-05 04:00:24 PM
"GarrettCom boxes are similar to regular network routers and switches except that they're designed to withstand extreme heat and cold, as well as dry, wet, or dusty conditions."

So they're designed to withstand all manner of abuse........except stupidity.

I can barely understand the manufacturer's rationale for having that access ability in the first place, but those things shouldn't have been allowed to be sold without HUGE RED LETTERS informing the client of its existence and mandatory re-configuration at the time of installation to make sure it is not allowed to continue once the item is put into use.
 
2012-09-05 04:00:24 PM

Am I the only one who thought of

upload.wikimedia.org

when I read the phrase "Search results recently returned by the Shodan computer search engine"?

 
2012-09-05 04:02:05 PM

unlikely: I find it hard to believe that we don't have some kind of security standard for major infrastructure.

Someone should introduce legislation to require such security standards and everyone who votes against it should be shot as a traitor.


I would shoot back.
 
2012-09-05 05:11:08 PM
The problem is a lot of these things are run by old people who have no idea how technology has changed.

CSB
Where I work we use an interoffice messenger; word from on high came down that everyone who used a PC should start using it. No problem there, I just described it as "sort of like really fast, small e-mail" and everyone was all for it. The problem came when I told people that they couldn't leave their account passwords at the default. It was then that I found that a good portion of our PCs didn't have Windows login passwords, even the customer-facing ones! I dealt with that crap for months:
"Why do I need a password?"
"I don't care if someone sends messages as me."
"If I have a windows password my co-workers won't be able to access my mail when I am away!"
"Why would someone want to send messages as me?"
"I trust my co-workers, they're not going to hack my shiat."
I eventually got fed up with it and told people "You will change the messenger password, because I said so!" and "if you don't create a Windows password I will give you a sixteen character alpha-numeric code for a password."
/CSB
 
2012-09-05 05:40:10 PM

Jormungandr: "if you don't create a Windows password I will give you a sixteen character alpha-numeric code for a password."


Which they will then write on a post-it and stick to their monitor.
 
Displayed 50 of 74 comments