US Water Utilities Hacked After Default Passwords Set to '1111', Cybersecurity Officials Say (fastcompany.com) 84
An anonymous reader shared this report from Fast Company:
Providers of critical infrastructure in the United States are doing a sloppy job of defending against cyber intrusions, the National Security Council tells Fast Company, pointing to recent Iran-linked attacks on U.S. water utilities that exploited basic security lapses [earlier this month]. The security council tells Fast Company it's also aware of recent intrusions by hackers linked to China's military at American infrastructure entities that include water and energy utilities in multiple states.
Neither the Iran-linked nor the China-linked attacks affected critical systems or caused disruptions, according to reports.
"We're seeing companies and critical services facing increased cyber threats from malicious criminals and countries," Anne Neuberger, the deputy national security advisor for cyber and emerging tech, tells Fast Company. The White House had been urging infrastructure providers to upgrade their cyber defenses before these recent hacks, but "clearly, by the most recent success of the criminal cyberattacks, more work needs to be done," she says... The attacks hit at least 11 different entities using Unitronics devices across the United States, which included six local water facilities, a pharmacy, an aquatics center, and a brewery...
Some of the compromised devices had been connected to the open internet with a default password of "1111," federal authorities say, making it easy for hackers to find them and gain access. Fixing that "doesn't cost any money," Neuberger says, "and those are the kinds of basic things that we really want companies urgently to do." But cybersecurity experts say these attacks point to a larger issue: the general vulnerability of the technology that powers physical infrastructure. Much of the hardware was developed before the internet and, though they were retrofitted with digital capabilities, still "have insufficient security controls," says Gary Perkins, chief information security officer at cybersecurity firm CISO Global. Additionally, many infrastructure facilities prioritize "operational ease of use rather than security," since many vendors often need to access the same equipment, says Andy Thompson, an offensive cybersecurity expert at CyberArk. But that can make the systems equally easy for attackers to exploit: freely available web tools allow anyone to generate lists of hardware connected to the public internet, like the Unitronics devices used by water companies.
"Not making critical infrastructure easily accessible via the internet should be standard practice," Thompson says.
1111? (Score:5, Funny)
1234? (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
nah, 0000 0000
8 digits long, no one will ever guess it.
Re: (Score:2)
But we already know that's the nuclear launch code.
Re: (Score:3)
Indeed.
00000000 [arstechnica.com]
Re: (Score:2)
I've learned my lesson - now I use 1235.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:1111? (Score:4, Insightful)
>"Pshaw. Modern passwords should be strong, and contain letters, numbers, and special characters. Like CPE-1704-TKS."
You are probably joking, but I am so tired of seeing that type of thing as a blanket statement. The strength of the password needs to match the opportunity to break it. And that is a function of throttling:
1) How much delay between failed attempts
2) How many simultaneous attempts are allowed
Let's take a door lock, not connected to any network, where the only way to enter the password is a local numpad. A random 4 digit numeric password is enough to prevent entry, even with no other throttling (you should, however, limit it to not allow a password with all repeating digits or a simple sequence). The throttling is that humans can only enter stuff so fast. Now, if you add an open USB HID port to it, it won't be secure anymore, because you can feed passwords at it well beyond human speed with a computer and it can be cracked in a short time. In that case, it was not the weakness of the password, it was the lack of throttling that made it insecure.
Even if that same lock were on a network, but accepted only one connection at a time, and it limited trials to 3 and then a 20 second delay before any more trials, it might still be secure (although challenging in such a case, just trying to illustrate here).
Even a very "complex" password can be broken in relatively short order if there is no effective throttling. A botnet can attack it as fast as the connection. But if you have effective throttling, then the complexity becomes far, far less necessary.
Throttling *must* be part of security and it is far more important than password security. And if you have well-designed throttling (limit trials, delays, lockouts, alerts) then you no longer have to obsess over password length and complexity, both of which are extremely hostile to human users. And when it is too complex to remember, humans will do everything they can to fight you- writing it down, storing them in insecure ways, and sharing them. Plus password maintenance becomes a nightmare for administration- forgotten password resets mostly.
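The lock described in the comment above, as an added example that is not code from the Slashdot thread or from any vendor: a PIN verifier that stores only a salted hash, rejects all-repeating and simple-sequence PINs, and enforces the "3 tries, then a 20 second delay" throttle, plus a brute-force simulation run against a throttled and an unthrottled copy. The guess rate, the one-hour budget, the secret PIN 2580 and the low PBKDF2 iteration count are illustrative assumptions; time is passed in by the caller so the simulation runs without sleeping.

```python
"""Added example, not from the Slashdot thread or any vendor firmware: a
throttled PIN verifier and a brute-force simulation against it.
Rates, delays, the secret PIN and the KDF cost are assumptions."""
import hashlib
import hmac
import secrets

MAX_TRIES = 3          # failures allowed before a delay kicks in
DELAY_SECONDS = 20.0   # delay after MAX_TRIES failures, as in the comment
PIN_SPACE = 10_000     # 4-digit numeric PIN


def is_weak_pin(pin: str) -> bool:
    """Reject non-numeric or short PINs, all-repeating PINs (1111, 0000)
    and constant +1/-1 runs (1234, 4321)."""
    if not pin.isdigit() or len(pin) < 4:
        return True
    if len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


class PinLock:
    """Stores a salted PBKDF2 hash of the PIN and optionally throttles failures."""

    def __init__(self, pin: str, throttle: bool = True, iterations: int = 1_000):
        if is_weak_pin(pin):
            raise ValueError("PIN rejected by policy")
        self.salt = secrets.token_bytes(16)
        self.iterations = iterations  # kept low for the demo; use far more in production
        self.digest = self._hash(pin)
        self.throttle = throttle
        self.failures = 0
        self.locked_until = 0.0       # simulated clock, seconds

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, self.iterations)

    def attempt(self, pin: str, now: float) -> str:
        """Return "ok", "fail", or "throttled" (refused without checking the PIN)."""
        if self.throttle and now < self.locked_until:
            return "throttled"
        if hmac.compare_digest(self._hash(pin), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.throttle and self.failures >= MAX_TRIES:
            self.failures = 0
            self.locked_until = now + DELAY_SECONDS
        return "fail"


def brute_force(lock: PinLock, attempts_per_second: float, budget_seconds: float):
    """Attacker cycles 0000..9999 at a fixed rate; a refused attempt is retried,
    not skipped. Returns (found, pins_actually_checked, seconds_elapsed)."""
    candidate = 0
    checked = 0
    i = 0
    while True:
        now = i / attempts_per_second
        if now >= budget_seconds:
            return False, checked, now
        result = lock.attempt(f"{candidate % PIN_SPACE:04d}", now)
        if result != "throttled":
            checked += 1
            candidate += 1
        if result == "ok":
            return True, checked, now
        i += 1


def compare(secret_pin: str = "2580", rate: float = 100.0, budget: float = 3600.0):
    """One hour at 100 guesses/s against an unthrottled and a throttled lock.
    Unthrottled: the 4-digit space falls in under a minute. Throttled: only
    about 3 checks per 20 s, so a few hundred PINs are checked in the hour."""
    return {
        "unthrottled": brute_force(PinLock(secret_pin, throttle=False), rate, budget),
        "throttled": brute_force(PinLock(secret_pin, throttle=True), rate, budget),
    }


if __name__ == "__main__":
    for name, (found, checked, elapsed) in compare().items():
        print(f"{name:11s} found={found} checked={checked} elapsed={elapsed:.1f}s")
```

The throttled lock here refuses the attempt outright rather than sleeping, which is the form you want on a networked device: a sleep ties up the connection and invites the "many simultaneous connections" variant the comment mentions, whereas a lockout timestamp costs nothing per refused request. A real deployment would also alert on lockouts, since an attacker steadily tripping a 3-per-20-seconds limit is visible in the logs.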
Re: (Score:2)
The keys for the four numbers in the passcode will be easily identifiable by the wear and lack of grime on them. That greatly reduces the number of possible codes, making trying all possible ones quite feasible.
If it is network connected, if the password database can be accessed then an offline attack can try billions of passwords per second with an off the shelf GPU.
Re: (Score:2)
Bosco (Score:3)
You're weak, spineless, a man of temptations.
But what tempts you? You're a portly fellow. A bit long in the waistband.
So what's your pleasure? Is it the salty snacks you crave?
Yours is a sweet tooth! Oh, you may stray, but you will always return to your Dark Master. The cocoa bean!
https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
Ingeniously, they obfuscated it in binary.
The actual password is 15
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
No, they should have used 9999. That would have taken 9999 times longer to guess.
Re: (Score:2)
OK, 12345 then. https://www.youtube.com/watch?... [youtube.com] ;)
Get out! (Score:2)
Re: (Score:2)
Indeed. Both the ones that set and allowed a uniform, easy to guess default password and the ones that did not change it or did not make sure at least basic security procedures (like mandatory changes to default passwords) were in place.
Re: (Score:2)
There is no need.
First, the machines should be secured behind a secure site to site VPN, the "internet" part should stop at the router and to go beyond requires going through the VPN tunnet. This is not hard to accomplish.
Second, it shouldn't be hard to give everything a nic
Re:Get out! (Score:5, Insightful)
As an IT security professional that has worked at multiple employers who are covered by DHS regulations of one type or another, I can say the majority of the time the issue is not stuff this stupid, but is in fact entitled executive management and the fact that DHS regulation has no teeth until something happens. Then it is too late. Things like refusing to allow the PCs to be locked down or refusing to set IT policy that works via whitelist where you can use company equipment to access things relevant to work that have been pre-vetted. IT security is not hard if you simply get rid of the fucking egos. Whitelist-based, fail-by-default systems solve 99% of issues before they occur. They are very very cheap compared to any other system but entitled management prioritizes happiness of themselves or users over security. Listen to music on your phone. Install that app you want on your home PC. Your work equipment should work for only the things that have been pre-authorized and then it becomes very simple and very cheap to maintain security. And DHS needs to put teeth on companies that don't live by those requirements BEFORE the bad stuff happens.
Re: (Score:2)
> the majority of the time the issue is not stuff this stupid, but is in fact entitled executive management
"I'm the manager, and I'm telling you to relax policy because it's making the users unhappy!" - Idiot/political manager in a secure facility over locking down systems to avoid people going to pirate sites to watch hockey games.
Re:Get out! (Score:5, Insightful)
"I'm the manager, and I'm telling you to relax policy because it's making the users unhappy!"
"Sure! Just send that to me in an email so I have a record of your request on file for when the forensic teams comes around to see why our system failed to follow the approved guidelines and I'll be happy to do that. Otherwise, the guidelines from headquarters take precedence and the security measures stay in place."
Any supervisor that will downgrade your performance rating for following established procedures is one that you don't want to work for anyway.
Re: (Score:2)
It wasn't quite like that, but yes, the guy was a sleazeball who did his best to ensure everything that could be put on you would be documented and anything that might blow back on him wasn't.
I'm glad I haven't worked there in a very long time.
Re: (Score:2)
But reality is digital.
Re: (Score:2)
In my experience of the water industry, it's because key management and distribution is too hard. If they had good passwords for everything, they would have to communicate those passwords wherever someone needed to go fix something. And then change the password because it's out there on some contractor's device.
Even if they mandate good passwords, the people keeping the network running day to day will change them to 1111 because they are under-paid and over-worked, and get shouted at if things aren't fixed q
Re: (Score:2)
That's where physical tokens (cards, keys, fingerprints... whatever) should come into play.
Re: (Score:2)
That makes it worse. Then you have to keep track of who has the tokens, what do you do on their day off, deal with them getting lost...
Re: Get out! (Score:2)
It's not that complicated. Almost every employee already walks around with a personal token generator that can employ biometrics and other features and assist in the distribution of passwords.
A simple password manager and some account management integrated with your HR systems. Literally 20 lines of code even if both of those systems don't have native integrations.
hear me out on this... (Score:5, Interesting)
Don't let devs have local admin. I've been on all sides of this issue in 30 years. I've argued for and against it. But now I'm squarely on the side of denying it. Sure they'll bitch and moan for a while, but after a settling out period things stabilize. In the last decade there has never been a time when a team of mine ground to a halt without it.
Developers are massive security problems because they have superiority complexes when it comes to the technical space, and are also mostly willing to install anything from anywhere in the name of "trying it out", no matter how niche the tool or how uncertain its provenance.
During my tenure at a large org, there were four major virus incidents. All of them traced back to people in IT. Three were from devs, one from an architect.
I'm not saying restrict the devs specifically. I'm saying lump them in with everybody else.
Re: hear me out on this... (Score:2)
Segregation of duties is an important part of operational security. Fortune 100 companies have distinct development, test, and operations groups. The test group was like a firewall between dev and ops. Each group was responsible for managing the access and credentials to their environment-- dev, test, or production env. It was very effective.
Re: (Score:2)
There still are occasional situations where it's required - for instance, embedded devs and guys working on drivers sometimes have a need to hit the hardware directly or without the OS otherwise being involved to get some of our tools to work, although a network-restricted VM will suffice for that more often than not. Where I work we don't have direct admin access per se, but we do have to formally request to have USB access turned on and/or Avecto installed on the box. Afterwards any admin access requests
Re: (Score:2)
Re: (Score:1)
so you say (Score:2)
the more often attacks happen and the more varied they get, the more likely it is that your fuck-ups will be exploited? color me surprised, I'd never think of this.
The level of sheer incompetence is staggering (Score:2)
I mean, this is about as well secured as, what? A garbage bag put on the street for collection? This needs both vendor and user liability. Negligence gets not much more gross than this on both sides.
Re: (Score:2)
By virtue of requiring physical in-person interaction, the garbage bags are far more secure.
This reminds me of UNIX (Score:5, Interesting)
Re: (Score:3)
It being the 1980s, there's a pretty good chance those servers weren't reachable except from the building they were in.
Re: (Score:2)
I got my 1st modem in the 80s. Security was probably just keeping the phone number secret.
Re: (Score:2)
Re: (Score:1)
toor still works on a lot of systems.
I still try that and it's surprising how many times I get in.
default (Score:2)
Re:default (Score:5, Insightful)
It's kinda surprising they're provided with a default password like this, while my consumer-grade ISP-provided router came with a randomized password printed on a specific piece of cardboard in that one router's box. No other router would have the same password.
Was it super secure? Absolutely not. But it was random and not something you could just look up in the router's spec sheet online.
Re: (Score:3)
It's kinda surprising they're provided with a default password like this, while my consumer-grade ISP-provided router came with a randomized password printed on a specific piece of cardboard in that one router's box. No other router would have the same password.
Was it super secure? Absolutely not. But it was random and not something you could just look up in the router's spec sheet online.
The industrial space is a weird one, big projects but very few customers.
Not knowing the exact system attacked those industrial systems can take months or years to configure, and a lot of that config is done by the software seller. Setting a strong password would typically be on a configuration checklist somewhere, but I'm guessing the company didn't really push the customer on it and the customer was paying attention to other things.
Re: (Score:2)
The last home routers I've installed had a default admin password that was some random sequence printed on the back of the box, and every box had a different one. I thought this was a good idea at the time.
Re: (Score:2)
Remember in the XP days when best practice, when installing Windows, was to unplug the network cable before proceeding?
Iran and China (Score:1)
Ah, right. Of course. Because trust me bro.
Re: (Score:2)
Re: (Score:2)
Going for the low-hanging fruit is very much in the human nature, and is done every single time low-hanging fruit is available.
water trivial? (Score:5, Insightful)
Re: (Score:2)
I live in the Maritime Pacific Northwestern US, you insensitive clod! Cutting off access to water would be next to impossible here!
Re: (Score:2)
It wouldn't be cut off that long. When the water tank goes dry someone will notice, call someone, possibly me as I am on the Water Board, I'll check my own tap, say "oops" and go down to the main pump and either reset the controller or put the hand-auto switch to hand and push the start button.
If the main pump has expired gracelessly, then I'll do the same thing with the backup pump.
If the PLC really has barfed its guts out then we have to run the system in manual until it gets sorted out. It's happened bef
Re: (Score:2)
Re: (Score:2)
Why? Screwing up a city's water supply is effective. A nuclear facility's control system is not likely internet capable.
Re: (Score:2)
A long list of low value successes probably looks better on the performance metrics than a short list of high value failures.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Offensive cybersecurity expert? (Score:1)
Additionally, many infrastructure facilities prioritize "their whore mothers" since many vendors often need to access the same equipment, says Andy Thompson, an offensive cybersecurity expert at CyberArk.
Needs to be consequences (Score:3, Insightful)
Probably the best thing would be to have an annual national audit of critical infrastructure, where the entire board of directors have their entire annual pay plus bonuses seized and put into social security if any flaws are detected.
So, not only do the directors suffer, but the people they hold most in contempt benefit. You'd see improvements across the board in a week.
There are three downsides to this. It would be totally unlawful, it would be totally unconstitutional, and it would earn the perpetual ire of Libertarians and Conservatives. Although some might wonder if the last of these is really a downside, it is because - like it or not - it's actually necessary to work together.
Because of the system in place, there's really no practical way to enforce high standards for critical systems. The system is built to operate through competition, not governance.
But competition is ineffective when everyone does the same thing. And everyone does the same thing because they don't want to let go of power or money, society and the business aren't considered factors in the equation, because hacking is sufficiently infrequent and it's the customers who carry the cost of doing business like that, not the execs. No evolution when there's no evolutionary pressure.
There needs to be a compromise solution, one that honours the current economic principles and the basis on which the US is premised, yet respects the fact that a high-dependency society that has centralised resources, because nothing else is efficient enough, is going to be a target of hostile powers.
The US stopped being Little House on the Prairie a long time ago, things have changed, vulnerabilities don't vanish because they're politically inconvenient, but the US has set itself axioms for business and governance and you have to work within those or admit failure.
I don't think the US is ready to admit failure.
Re: (Score:2)
That's right, criminalize the victims.
There are many water boards that are run by volunteers who are paid nothing. They do it because somebody's got to do it. These places are literally lucky just to have somebody to take the job. These are not the kind of people you want to target with penalties.
How about targeting the companies that make this kind of insecure hardware instead!
Re: (Score:2)
No.
There is no functional difference between running critical infrastructure by buying and using systems you know aren't secure, not bothering with making them secure, and then sticking them on a public Internet swarming with hostile actors, knowing your customers depend on you utterly, and driving a school bus when high on cocaine and drunk out of your gourd.
Do you think a volunteer school bus driver, with no driving license and smashed out of their minds would be treated leniently by the cops or a judge b
Re: (Score:2)
Your bus driver analogy misses the mark.
A better analogy would be a bus driver who is attacked by a student while driving, leading to a crash, and then charging the bus driver with negligence for not taking martial arts training. Well of COURSE the bus driver should have been prepared for an attack by a student while driving! We should throw them in jail until they rot!
Re: (Score:2)
This is something I run into over and over with security, there are people who's jobs are tied to security and compliance and they want everyone else to adopt their priorities,
Re: (Score:2)
Re: (Score:2)
So their entire $0 would be confiscated and given to SS.
Federal funding can solve this! (Score:2)
Errors (Score:3)
>"Some of the compromised devices had been connected to the open internet"
That is the primary error. And it never ceases to amaze me that any organization would do that. If you connect something to the Internet, you have to be very careful to place strict controls on it.
The next error I see is having no effective throttling (both time/trial limits and connection limits). Connections and computation are so fast now that without proper throttling, it doesn't matter how complex your password is, it can be brute-forced.
>"with a default password of"
And that is another error. Manufacturers are finally waking up to this one. The default (unconfigured/new equipment) password should never be the same on all devices or models produced. Laws are finally taking effect on that, and cable modems, switches, IPMI, etc, are finally coming out with random initial passwords and stickers on the equipment with the password. If the device is unconfigured and placed into use, it will not be vulnerable to that type of attack. Some will even revert to that password if factory-reset. Because of that, some of the equipment I have seen also has a duplicate sticker INSIDE the case, in the event the external label becomes missing or damaged.
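The per-device random initial password described above, as an added example that is not code from the Slashdot thread or from any equipment vendor: a factory-provisioning routine that draws a unique password per serial from a CSPRNG, burns only a salted hash into the unit, emits the sticker text, and refuses to ship a batch in which any password repeats or matches a known default. The label alphabet, password length, serial format, record layout and KDF cost are assumptions.

```python
"""Added example, not from the Slashdot thread or any vendor's firmware:
per-unit random initial credentials for factory provisioning.
Alphabet, length, serial format, record layout and KDF cost are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Sticker-friendly alphabet: no 0/O or 1/l/I, so the label is read correctly.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"
LABEL_LENGTH = 12              # 57 symbols ** 12 is roughly 70 bits of entropy
KDF_ITERATIONS = 100_000       # assumed; tune to the device's CPU budget
KNOWN_DEFAULTS = {"1111", "0000", "1234", "admin", "password"}


@dataclass(frozen=True)
class DeviceCredential:
    """What gets stored on the unit: serial, salt and hash, never the password."""
    serial: str
    salt: bytes
    digest: bytes


def new_initial_password() -> str:
    """Uniformly random password drawn from the label alphabet with a CSPRNG."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(LABEL_LENGTH))


def provision(serial: str) -> tuple[str, DeviceCredential]:
    """Return (password for the sticker, record burned into the device).
    A factory reset can restore this record without the password ever
    leaving the production line's label printer."""
    password = new_initial_password()
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return password, DeviceCredential(serial, salt, digest)


def verify(record: DeviceCredential, candidate: str) -> bool:
    """Constant-time check of a login attempt against the stored record."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record.salt, KDF_ITERATIONS)
    return hmac.compare_digest(digest, record.digest)


def label_text(serial: str, password: str) -> str:
    """Sticker content, password grouped in fours for legibility."""
    grouped = "-".join(password[i:i + 4] for i in range(0, len(password), 4))
    return f"{serial}  initial password: {grouped}"


def provision_batch(serials: list[str]) -> dict[str, tuple[str, DeviceCredential]]:
    """Provision a batch; refuse to ship if any password repeats or is a known
    default (a guard against a broken RNG or a misconfigured line)."""
    out: dict[str, tuple[str, DeviceCredential]] = {}
    seen: set[str] = set()
    for serial in serials:
        password, record = provision(serial)
        if password in KNOWN_DEFAULTS or password in seen:
            raise RuntimeError(f"provisioning failure for {serial}: non-unique password")
        seen.add(password)
        out[serial] = (password, record)
    return out


if __name__ == "__main__":
    # Constructed serials for the demo; real lines would pull these from the MES.
    for serial, (password, record) in provision_batch(["SN-0001", "SN-0002"]).items():
        print(label_text(serial, password), "->", verify(record, password))
```

The point of storing only the hash is that a dump of the device's flash, or of the vendor's provisioning database if it keeps the same record, does not yield the sticker password for every unit in the field; the same goes for the factory-reset path, which can restore the record rather than a plaintext.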
Change can be bad (Score:3)
Cellular telemetry modems eventually became an option. They provided faster throughput and were cheaper in some situations. But many problems showed up over time.
At will, the cellular carriers could obsolete whatever "G" you were using and entire cities would have to reintegrate new equipment all over the place, at significant parts and labor (and we've had new Gs 2 or 3 times now). And all the old, pricey modems would instantly become trash even though water doesn't require high speeds or large data.
The modem prices and the monthly data prices, of course, keep rising.
The cellular modems came about as automatically "on the public Internet", meaning the connected water controllers, some designed decades ago, could be suddenly exposed to the entire world of bad guys. This also forced the administrators' master SCADA computer onto the Internet, which resulted in many malware problems (local and remote) and even hacking issues, one of which caused our little, no-name company to assist the FBI with at least one investigation. Things probably got worse after the cellular modems eventually became available with Ethernet ports, and the younger hires pushed for using Ethernet, which they are familiar with, versus the RS-232 ports.
The good people I've worked with for decades are water system experts, not SecOps staffers. They've programmed and maintained these systems, on-call, some for 35 years. They can follow some basic security protocols, but they are too busy trying to keep water flowing to the people to spend much time keeping up with the zero-day du jour (pun intended) of the IT world. And somebody with such broad and deep skills would not stay in this boring industry especially when the real estate taxes don't enable high pay--the kids leave shortly as it is. I think it was a mistake to allow such remote connectivity and access because then you have to perpetually worry about threats. It wasn't necessary 20 years ago.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Doesn't cost any money (Score:2)
To develop and implement a password management scheme. And maintain a support organization to handle all the "I forgot the password" calls. And then develop an organization wide employee authentication and access control system to ensure that the person calling the help desk with "I forgot the password" plea is in fact not a social engineering hacker.
Yeah. This guy has a lot of experience in IT organizations.
Re: (Score:2)
standard practice (Score:2)
Perhaps critical infrastructure is inherently unsafe!
This was criminal, not sloppy (Score:2)
They KNEW what they were doing was wrong. Everyone involved in this should be charged criminally for endangering customers.
Cue obvious Spaceballs jokes... (Score:2)
Login Security (Score:1)