[Cyberwar Central Links & Resources][Cyberwar Central][Cyberwar Central Members Area]



  << Previous Topic | Next Topic >>Return to Cyberwar Central  

Defects leave critical military, industrial infrastructure open to hacks

July 15 2012 at 3:06 PM

Coalde  (Login cwc.mgmt)
CWC Member


I suppose I should find it surprising that my purchase of a $0.99 song from iTunes is more secure than the system that delivers electricity and/or water for my survival, alas my years of exposure to human folly and short sightedness preclude me from being surprised at this point...but I am quite concerned. sad.gif

imagesqtbnANd9GcRcempdU8HQ006wmodPd.jpgiTunes has "more robust" security than some of our critical infrastructure.

By Dan Goodin - July 13 2012, 12:43pm EDT

Security researchers have blown the whistle on serious vulnerabilities in an Internet-connected system used by the US military, hospitals, and private industry to control boilers, air-conditioners, security alarms, and other critical industrial equipment.

The defects in the Niagara Framework, which links more than 11 million devices in 52 countries, could allow malicious hackers to seize control of critical infrastructure, an article published by The Washington Post warned. The vulnerabilities were unearthed by Billy Rios and Terry McCorkle, two researchers who have spent the past 18 months exposing security holes in a variety of ICS, or industrial control systems.

"The ICS software community is light years behind modern software security," Rios wrote in a blog post recounting his odyssey in getting Niagara officials to publicly acknowledge the vulnerabilities after he and McCorkle reported them. "Sadly, we can honestly say that the security of iTunes is more robust than most ICS software."

The 2,000-word Washington Post article recounts the researchers' steps in discovering the vulnerability, which they said makes it trivial for them to retrieve system files that contain user names, hashed passwords, and other sensitive material. "All told, it took me two days to go from zero knowledge to remote password theft," the paper quotes Rios as saying. Niagara allows administrators to remotely control boiler, heating, lighting, fire detection, elevator, and surveillance systems for the Pentagon, the FBI, the US Attorney's Office, and the Internal Revenue Service, to name just a few. The vulnerabilities could allow hackers anywhere in the world to sabotage the equipment using an Internet-connected computer.

A Tridium official told the paper: "We're committed to making our framework more secure. And we know it's our responsibility to educate our community."

Earlier this month, about a year after Tridium officials learned of the weaknesses, they issued a confidential advisory that describes ways customers can mitigate them.

The report is only the latest cautionary tale about the dangers of connecting gasoline pumps, power generation plants, and other critical infrastructure to the Internet. The number of serious security bugs that remain unpatched in ICS software sold by companies including GE, Siemens, Schneider, and ABB has given rise to the term forever-day vulnerabilities. One of the most recently discovered weaknesses affected users of Internet-connected devices made by Canada-based RuggedCom. An undocumented backdoor that couldn't be disabled made it possible for hackers to gain unauthorized access to equipment in electrical power stations. Following the exposure of the weakness, the company pledged to remove it.

Rios said the most disappointing thing he encountered in his interactions with Tridium was its "eagerness to blame the customer." He continued: "It should never be the customer's responsibility to have to compensate for poor design. Many ICS vendors expect customers to ensure their product is implemented securely, yet provide zero (or extremely vague) guidance on how to do so. In many cases, secure deployment is simply impossible due to the extremely poor security design."



 Respond to this message   
  Respond to this message   
  << Previous Topic | Next Topic >>Return to Cyberwar Central  
Find more forums on SocietyCreate your own forum at Network54
 Copyright © 1999-2016 Network54. All rights reserved.   Terms of Use   Privacy Statement  
      free countersMember of The Internet Defense League   [Exchange Links with CWC]