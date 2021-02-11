 Skip to content
(The Verge)   Turns out that "hack" of the water treatment plant was more of a "all computers shared the same password for remote access and appeared to be connected directly to the Internet without any type of firewall protection installed"   (theverge.com) divider line
Don't Troll Me Bro! [TotalFark]
‘’ 1 hour ago  
Well, yeah. Gotta save some money and make sure those software people can update remotely at will!
 
WelldeadLink [TotalFark]
‘’ 1 hour ago  

Don't Troll Me Bro!: Well, yeah. Gotta save some money and make sure those software people can update remotely at will!


That was helpfully taken care of when Microsoft Support phoned in and set it all up properly.
 
moothemagiccow [TotalFark]
‘’ 44 minutes ago  
this was the same thing at the Florida Health Department where the whistleblower was arrested for computer hacking

maybe this is really common
maybe this shows how the government is dumb
or maybe it shows that the government has farmed out too many of its essential functions to fly-by-night contractors who don't give a shiat about the incredibly important work they do
 
farknozzle
‘’ 36 minutes ago  
So less of a hack and more of an ID-10-T error.
 
chaoswolf
‘’ 35 minutes ago  
My surprised face is not present at this time.
 
RogueWallEnthusiast [TotalFark] [OhFark]
‘’ 35 minutes ago  
Security via obscurity fails again...
 
bughunter [TotalFark]
‘’ 33 minutes ago  
It was a small Florida town.

I expected no less.

/or more
 
dj_bigbird [TotalFark]
‘’ 33 minutes ago  
And yet, people want government to take over more stuff.
 
dukeblue219 [BareFark]
‘’ 33 minutes ago  
It's still a hack.

It's still burglary if the door is wide open.
 
MusicMakeMyHeadPound [TotalFark] [OhFark]
‘’ 30 minutes ago  

moothemagiccow: maybe it shows that the government has farmed out too many of its essential functions to fly-by-night contractors who don't give a shiat about the incredibly important work they do


As a former fly-by-night state contractor, the government managers themselves don't get a sh*t about the work they do.

And the shell game is probably the weirdest. One of the State employees finally asked how long I'd been with my company. "Well, I started with them the same day I started here."  "Who's your boss?"   "Don't know, never met them. I just submit my time card to a system and receive my paycheck by direct deposit" .

I found the employment opportunity with the State, interviewed with them, then had to shop for a company to work for.
 
NeoCortex42 [BareFark]
‘’ 28 minutes ago  
Why does everything need to be connected to the internet?  You can have a local network that has no connection to the outside world and function just fine.
 
MusicMakeMyHeadPound [TotalFark] [OhFark]
‘’ 27 minutes ago  

NeoCortex42: You can have a local network that has no connection to the outside world and function just fine.


You can have a secure VPN for remote work and monitoring too but competent IT people cost money.
 
WastrelWay
‘’ 26 minutes ago  

NeoCortex42: Why does everything need to be connected to the internet?  You can have a local network that has no connection to the outside world and function just fine.


True. And if you want to allow internet access, there should be a firewall.
 
Remarkable_Anus [TotalFark]
‘’ 21 minutes ago  
I used to work for a very prominent Data Center and we had a switch that was running untouched for nearly 10 years with password as the default login. The infrastructure in the US is really there for the taking if someone really wants to do damage.
 
bughunter [TotalFark]
‘’ 18 minutes ago  
Sounds like a real Mickey Mouse operation.
 
Ambitwistor
‘’ 15 minutes ago  
external-preview.redd.itView Full Size
 
BitwiseShift [TotalFark]
‘’ 15 minutes ago  
Two more instances of exactly the same setup, and the lawyers will require replacing the model as soon as the cat filters are turned off.

Are engineering operations more vulnerable because they are run by engineers?  Or are good engineers locked out by third party proprietary software that only works with all firewalls, etc. are disabled?
 
CaptainSpaceJohnny [TotalFark]
‘’ 14 minutes ago  
It seems that people really don't give a crap about doing a good job because organizations don't incentivize them to give a crap or do a good job.  We've become a society where the only thing that matters is that everything is cheap, albeit poor quality.  I've worked in various firms where the same pattern repeats...
1). Firm provides quality service at a high price.
2). Firm is bought.  Founders retire.
3).  Purchasing firm cuts costs, depletes firm infrastructure.
4).  Clients no longer happy.  Revenue goes down.
5).  Layoffs
 
spacechecker
‘’ 13 minutes ago  

moothemagiccow: this was the same thing at the Florida Health Department where the whistleblower was arrested for computer hacking

maybe this is really common
maybe this shows how the government is dumb
or maybe it shows that the government has farmed out too many of its essential functions to fly-by-night contractors who don't give a shiat about the incredibly important work they do


This is really common EVERYWHERE. I see things like this all the time and keep the Picard facepalm meme in my camera roll for this reason. IT Operations is a cost center so when companies want to cut, they cut cost centers first and hope for the best.

/then they bring in people like me since what I charge is a capital expense for them, thus tax deductible
//but usually only after things are really bad
///business is good
 
Lsherm [recently expired TotalFark]
‘’ 13 minutes ago  

WastrelWay: NeoCortex42: Why does everything need to be connected to the internet?  You can have a local network that has no connection to the outside world and function just fine.

True. And if you want to allow internet access, there should be a firewall.


They were using TeamViewer, which is explicitly designed to work from behind a firewall. It's why so many people use it. Teamviewer is also stupid expensive if you have to pay for it, so I bet the reason they were all using the same username/password is because they didn't want to pay for more than one license.
 
pdieten [BareFark]
‘’ 12 minutes ago  
There are bots running constantly on the net searching for open 3389/tcp ports (the port that allows Remote Desktop access to Windows computers) and tries various credentials from a dictionary when it finds a machine. What happened here is only possible if you direct connected your machine to the internet without a router/firewall (extraordinarily bad idea) or allowed traffic to a machine through the firewall (also extraordinarily bad idea) and then have a guessable credential.

TL;DR: It is very easy to not have this happen to you. So don't let it.
 
Baloo Uriza [BareFark]
‘’ 9 minutes ago  
Why is there a SCADA system connected to the internet in the first place?  Air gap that shiat.
 
gameshowhost
‘’ 8 minutes ago  
That installer who just got his CompTIA A+ certification sure worked out well.
 
I'm no expert but...
‘’ 7 minutes ago  

NeoCortex42: Why does everything need to be connected to the internet?  You can have a local network that has no connection to the outside world and function just fine.


Email.
 
Mad_Radhu
‘’ 6 minutes ago  

Ambitwistor: [external-preview.redd.it image 576x821]


Mr. Robot actually did a really great job at showing the social networking aspect of cracking a network.
 
Slypork
‘’ 5 minutes ago  

moothemagiccow: this was the same thing at the Florida Health Department where the whistleblower was arrested for computer hacking

maybe this is really common
maybe this shows how the government is dumb
or maybe it shows that the government has farmed out too many of its essential functions to fly-by-night contractors who don't give a shiat about the incredibly important work they do


Fifth paragraph FTA:

Yes, just like Florida's Department of Health, this Florida water treatment plant apparently didn't bother to issue individual passwords for software that could give anyone complete access to any of their computers and their water treatment system.
 
yet_another_wumpus
‘’ less than a minute ago  

Remarkable_Anus: I used to work for a very prominent Data Center and we had a switch that was running untouched for nearly 10 years with password as the default login. The infrastructure in the US is really there for the taking if someone really wants to do damage.


From 2010, after the Stuxnet story (US hack of Iranian nuclear program):

"Siemens has advised its customers not to change the default passwords hard-coded into its WinCC Scada product, even though the Stuxnet malware that exploits the critical infrastructure systems software is circulating in the wild.

Changing the passwords could affect the operations of critical infrastructure organisations such as utilities companies and electricity suppliers, according to Siemens.

"We will be publishing customer guidance shortly, but it won't include advice to change default settings as that could impact plant operations," said Siemens spokesman Michael Krampe in a statement on Monday."

Yes, this is a huge piece of industrial control that you couldn't change the default password.  Brilliant.  Also, if any place has a rare, expensive, and absolutely required to work piece of machinery at their heart, there is a good chance it runs on Windows XP, which of course has no security whatsoever.

Security is always "somebody else's problem".
 
