On Nov 22, 2011, at 8:08 58PM, Steven Bellovin wrote:

> On Nov 22, 2011, at 7:51 59PM, valdis.kletni...@vt.edu wrote:
>
>> On Tue, 22 Nov 2011 13:32:23 -1000, Michael Painter said:
>>
>>>> http://jeffreycarr.blogspot.com/2011/11/latest-fbi-statement-on-alleged.html
>>
>>> And "In addition, DHS and FBI have concluded that there was no malicious
>>> traffic from Russia or any foreign entities, as previously reported."
>>
>> It's interesting to read the rest of the text while doing some
>> deconstruction:
>>
>> "There is no evidence to support claims made in the initial Fusion Center
>> report ... that any credentials were stolen, or that the vendor was involved
>> in any malicious activity that led to a pump failure at the water plant."
>>
>> Notice that they're carefully framing it as "no evidence that credentials
>> were stolen" - while carefully tap-dancing around the fact that you don't
>> need to steal credentials in order to totally pwn a box via an SQL injection
>> or a PHP security issue, or to log into a box that's still got the
>> vendor-default userid/passwords on them. You don't need to steal the admin
>> password if Google tells you the default login is "admin/admin" ;)
>>
>> "No evidence that the vendor was involved" - *HAH*. When is the vendor
>> *EVER* involved? The RSA-related hacks of RSA's customers are conspicuous
>> by their uniqueness.
>>
>> And I've probably missed a few weasel words in there...
>
> They do state categorically that "After detailed analysis, DHS and the
> FBI have found no evidence of a cyber intrusion into the SCADA system of
> the Curran-Gardner Public Water District in Springfield, Illinois."
>
> I'm waiting to see Joe Weiss's response.

See http://www.wired.com/threatlevel/2011/11/scada-hack-report-wrong/

--Steve Bellovin, https://www.cs.columbia.edu/~smb