Wednesday, November 30, 2011

Hackers accessed city infrastructure via SCADA

(This article was originally written by Hal Hodsen on November 29, 2011 via Information Age and has been copied here for reference purposes only.)

The deputy assistant director of the FBI's Cyber Division says hackers recently accessed the infrastructure of three cities through SCADA systems

Hackers recently accessed the critical infrastructure of three unnamed cities by compromising their SCADA (supervisory control and data acquisition) systems, the deputy assistant director of the FBI's Cyber Division said today.

Sunday, November 27, 2011

Gleg releases Ver 1.8 of the SCADA+ Exploit Pack for Immunity Canvas

On November 24, Gleg released version 1.8 of the SCADA+ Exploit Pack for the Immunity Canvas framework, along with a corresponding version 2.7 of the Agora Exploit Pack.

In SCADA+ 1.8 there are modules for several fresh public SCADA/ICS vulnerabilities, most of which were recently disclosed by Luigi Auriemma.  Many of these exploits appear to be denial-of-service (DoS) exploits, so this really is not something that I think is worth the money at this time.

Monday, November 21, 2011

UPDATED: Hackers Independently Attack Two Different Water Utility Districts

Updated: November 23, 2011

News reports broke on November 18, 2011 (Attack on City Water Station Destroys Pump - Wired) when fellow security specialist Joe Weiss blogged about a report released on November 8, 2011 that a water utility district in Springfield, IL (later identified as Curran-Gardner Public Water District) suffered what looked like a "blended attack". The first phase focused on compromising a supplier's internal system which contained remote access credentials not only the target, but several other yet "unnamed" sites. The second phase allowed the attackers to simply "turn the key and walk in the front door" gaining complete access to the industrial control system. The end result was a failure of one of the process pumps.

Wednesday, November 9, 2011

Are Web Services a Dumb Idea???

I recently read a blog post by Reid Wightman on the @DigitalBond site entitled "When Web Services are a Dumb Idea". It seems that the folks at Digital Bond are on some kind of mission to create a list of "insecure ICS products" which might not necessary be a bad idea, but at least we need to be sure that everyone is being evaluated against the same criteria.

First off, I have to apologize to Dale in my comment to this post, as I did not see that it was written by Reid, and incorrectly referenced Dale in my response.  I have copied my "edited" response from the @DigitalBond site below: