[ISN] SCADA System's Hard-Coded Password Circulated Online for Years

From: InfoSec News <alerts_at_private>
Date: Wed, 21 Jul 2010 02:54:29 -0500 (CDT)
http://www.wired.com/threatlevel/2010/07/siemens-scada/

By Kim Zetter  
Threat Level
Wired.com
July 19, 2010

A sophisticated new piece of malware that targets command-and-control 
software installed in critical infrastructures uses a known default 
password that the software maker hard-coded into its system. The 
password has been available online since at least 2008, when it was 
posted to product forums in Germany and Russia.

The password protects the database used in Siemens' Simatic WinCC SCADA 
system, which runs on Windows operating systems. SCADA, short for 
"supervisory control and data acquisition," systems are programs 
installed in utilities and manufacturing facilities to manage the 
operations. SCADA has been the focus of much controversy lately for 
being potentially vulnerable to remote attack by malicious outsiders who 
might want to seize control of utilities for purposes of sabotage, 
espionage or extortion.

"Default passwords are and have been a major vulnerability for many 
years," said Steve Bellovin, a computer scientist at Columbia University 
who specializes in security issues. "It's irresponsible to put them in, 
in the first place, let alone in a system that doesn't work if you 
change it. If that's the way the Siemens system works, they were 
negligent."

Siemens did not respond to a request for comment.

[...]
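The two design failures the article describes, a credential baked into the product and a product that stops working once the operator changes it, are easiest to see side by side. The following is an added example written for this archive entry; it is not code from Siemens, from WinCC, or from the Wired piece. The vendor default, the SCADA_DB_USER / SCADA_DB_PASSWORD variable names, the `key = value` settings format and the sample settings lines are all constructed for illustration and do not reproduce any real product's credential.

```python
"""Hard-coded default credential beside a hardened loader (added example).

Not code from Siemens, the WinCC product, or the article. The product
default, environment variable names and settings lines are constructed.
"""
import hmac
import os
from typing import Iterable, List, Mapping, Optional
from urllib.parse import quote

# Constructed stand-in for a vendor-shipped default; no real product's
# credential is reproduced here.
VENDOR_DEFAULT_USER = "hmi_db"
VENDOR_DEFAULT_PASSWORD = "Factory-Default-1"
DB_NAME = "scada"


def build_dsn_hardcoded(host: str) -> str:
    """Anti-pattern: the credential is compiled into the client.

    Every installation shares one secret that can be read out of the binary
    or copied from a forum post, and rotating it on the database side breaks
    the application because nothing lets the client learn the new value.
    """
    return f"postgresql://{VENDOR_DEFAULT_USER}:{VENDOR_DEFAULT_PASSWORD}@{host}/{DB_NAME}"


def is_known_default(password: str) -> bool:
    """Constant-time comparison against the shipped default."""
    return hmac.compare_digest(password.encode(), VENDOR_DEFAULT_PASSWORD.encode())


def check_deployment(env: Mapping[str, str]) -> str:
    """Return 'ok' or the reason the deployment must not start.

    SCADA_DB_USER / SCADA_DB_PASSWORD are assumed variable names.
    """
    user = env.get("SCADA_DB_USER", "")
    password = env.get("SCADA_DB_PASSWORD", "")
    if not user or not password:
        return "database credential not configured"
    if is_known_default(password):
        return "shipped default password still in use; rotate it before starting"
    return "ok"


class DefaultCredentialError(RuntimeError):
    """Start-up refused because of a missing or default credential."""


def build_dsn_hardened(host: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened: the credential comes from the deployment and a default is refused.

    Because the client reads the secret at start-up, the operator can rotate
    it on the database and restart without the application breaking.
    `env` defaults to os.environ; passing a mapping keeps the function testable.
    """
    env = os.environ if env is None else env
    verdict = check_deployment(env)
    if verdict != "ok":
        raise DefaultCredentialError(verdict)
    user = quote(env["SCADA_DB_USER"], safe="")
    password = quote(env["SCADA_DB_PASSWORD"], safe="")
    return f"postgresql://{user}:{password}@{host}/{DB_NAME}"


def audit_settings(lines: Iterable[str]) -> List[str]:
    """Flag `key = value` settings lines whose password is still the default.

    Returns the offending keys; the line format is constructed for the example.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip('"')
        if key.lower().endswith("password") and is_known_default(value):
            findings.append(key)
    return findings


# Constructed settings file as an installer might leave it behind.
SAMPLE_SETTINGS = [
    "# historian connection",
    'HistorianDb.User = "hmi_db"',
    'HistorianDb.Password = "Factory-Default-1"',
    'Archive.Password = "x7!Q-rotated-2010"',
]

if __name__ == "__main__":
    print(build_dsn_hardcoded("hmi01"))
    print(check_deployment({"SCADA_DB_USER": "hmi_db",
                            "SCADA_DB_PASSWORD": VENDOR_DEFAULT_PASSWORD}))
    print(audit_settings(SAMPLE_SETTINGS))
```

The hardened loader fails closed: an installation that was never reconfigured refuses to start rather than silently running on the shared default, and `audit_settings` gives an operator a way to find such installations from their configuration files before an attacker does.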


Received on Wed Jul 21 2010 - 00:54:29 PDT
