U.S. offers $10m reward for Iranian hackers targeting critical infrastructure
It is alleged that the cyber criminals hacked into programmable logic controllers (PLCs), a type of industrial computer system used to control machines, leaving devices inoperable and displaying anti-Israel messages...
According to Dragos, an industrial cyber security company, Cyber Av3ngers were first observed in early September 2023...
Dragos believe that Cyber Av3ngers scanned the internet to identify accessible Unitronics devices, and then tried to log in using default credentials, which can be found in online operating manuals...
As a result, the U.S. Department of Homeland Security (DHS) Cybersecurity Infrastructure Security Agency (CISA) published an alert advising that facilities change the default “1111” password and set up multi-factor authentication, along with other recommendations.
No doubt it's a serious issue, but failing to change the default "1111" password seems a little lax. Maybe not though, maybe it's just human nature to leave it until something goes wrong.
Operating this particular part of the infrastructure will have become more complex now, probably more tedious for the operators too. We may even see more employees in their fifties wanting to retire.
10 comments:
I read an autobiographical book by a scientist (It may have been Richard Feynman) who used to amaze his colleagues at a secretive research faculty by breaking to colleagues' office safes. He said most of them were on factory settings, or 12345, or the number was written on a slip of paper invariably found at the front of the small top drawer in the office desk.
The standard advice on passwords has always seemed profoundly stupid to me. We are told to use something unmemorable, and therefore unguessable, but never to write it down. We are told never to use the same password for different applications. We are not told how to develop the sort of memory that would allow us to follow these instructions.
Nobody could ever hack my password “Password”. Don’t tell anyone.
Sam - I bet he made a performance of it too, blowing on his fingertips, ear to the door and so on. That's what I'd have done.
dearieme - it is stupid advice and I bet nobody follows it.
Anon - I won't tell anyone, but I'll have to change mine now.
Several years ago, I did a password scan of the office I was then supporting, using - ahem - black-hat tools.
Almost all (more than 80%) of the passwords were some obvious variant of the word "Rangers".
This probably tells you (or some of you anyway) where I was working at the time; but it supports the OP too.
Why on earth would anyone leave the default password on a significant PLC? It beggars belief, but it happens all the time.
Peter - let me guess, you came across passwords such as "rangers10celtic0".
I keep my complicated non-default passwords in an encrypted database on my local machine. The database is backed up to an encrypted service elsewhere, but not as a working copy 'in the cloud'.
Do I consider myself 'safe'? No. A sufficiently motivated actor could crack my encryption eventually. And governments have some of the biggest fastest encryption breakers available. My security includes not saying illegal things on-line - even though Preposterous Starmer would now lower the bar to 'harmful but not illegal'.
DJ - I assume that the state could access everything anyway, only people with more limited facilities pose a threat we can deal with. The big issue seems to be leaks of online information rather than personal security measures. Plus fraud of course, but that tends to be obvious.
I have a paper list of my passwords, cunningly encrypted. Only occasionally do I forget how to code-break them.
A few of my passwords stick in my mind easily - does that mean they are particularly vulnerable?
dearieme - a few of my passwords stick in my mind, so I assume it does mean they are vulnerable, but I don't know how much effort would go into exploiting them.
Post a Comment