What were they thinking?
-
From http://www.theregister.co.uk/2010/07/20/win_shortcut_vuln_exploit_code/
"The Siemens SIMATIC WinCC SCADA systems specially targeted by the Stuxnet Trojan use hard-coded admin username / password combinations that users are told not to change. Details of these passwords have been available on underground hacker forums for at least two years, Wired reports. Worse still, changing Siemens' hard-coded password will crash vulnerable SCADA systems, IDG reports. Siemens is in the process of developing guidelines for customers on how to mitigate against the risk of possible attack."
I can just imagine the QA review:
Dev: "So, I've hardcoded the username and password"
QA: "Why?"
Dev: "Well, if you change it, the system crashes, and that was the easiest way to fix the bug"
QA: "Sounds perfectly fine. I can't see any problem with that."
:doh:
-
"For now the best defence against attacks is contained within the Microsoft Security Advisory; disable the displaying of icons for shortcuts and disable the WebClient service." Alternatively, switch the computer off, and restart in DOS mode. Who needs a GUI, anyway?
I wanna be a eunuchs developer! Pass me a bread knife!
-
You'd be surprised and shocked, or greatly amused depending on personality type, to learn that the majority of hardware has hardcoded passwords and a simple reset command you can remotely send, with hardcoded ports that are hardcoded open. I was in an I.T. Security course for 2 years, and I find out news like this. I quit and am now happily in Conservation and Land Management. ;P
-
Mark Wallace wrote:
Who needs a GUI, anyway?
Unfortunately, SCADA systems are particularly used for their GUI capabilities.
If you truly believe you need to pick a mobile phone that "says something" about your personality, don't bother. You don't have a personality. A mental illness, maybe, but not a personality. [Charlie Brooker] ScrewTurn Wiki, Continuous Localization and My Startup
-
Dario Solera wrote:
Unfortunately, SCADA systems are particularly used for their GUI capabilities.
I suggest you read a little deeper. The "solution" to the problem caused by this is to completely disable the use of icons for shortcuts. Microsoft has gone so far as to tell people (people, not experts -- that means your grandma!) to edit the registry to disable use of icons. In ALL versions of Windows -- even Seven. If they're handing out advice like that, it's time to make a full back-up. Several full back-ups. The open-source and Mac loonies will be having a field day (so be ready to tell them to andare in c*l*) -- and lots of Windows users will be thoroughly pissed off at having nothing but "vanilla" shortcuts on their "Wow!" desktops.
A little learning is a dangerous thing.
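The two workarounds Mark quotes from the Microsoft advisory earlier in the thread (disable shortcut icons, disable the WebClient service) and the registry edit described in the reply above, written out as a script. This is an added example, not code from the thread, from Microsoft or from Siemens: it assumes the advisory's registry keys for the .lnk and .pif icon handlers, an elevated Windows PowerShell prompt, and a backup directory name of my own choosing.

```powershell
# Added example: apply, verify and revert the Microsoft Security Advisory 2286198
# workarounds for the Windows shortcut (.LNK) icon-handler flaw exploited by Stuxnet.
#   1. Blank the (Default) value of the IconHandler keys so Explorer stops loading
#      icons for shortcuts (the trigger the exploit relies on).
#   2. Stop and disable the WebClient (WebDAV) service, the remote delivery path.
# Run from an elevated prompt. Registry key names come from the advisory; the
# backup directory is an assumption of this example.

$IconHandlerKeys = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)
$BackupDir = Join-Path $env:ProgramData 'lnk-workaround-backup'   # assumed location

function Backup-IconHandlers {
    # Export each key with reg.exe before touching it, so the change can be undone.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($key in $IconHandlerKeys) {
        $regPath = $key -replace '^Registry::', ''
        $file = Join-Path $BackupDir (($regPath -replace '[\\:]', '_') + '.reg')
        & reg.exe export $regPath $file /y | Out-Null
    }
}

function Disable-ShortcutIcons {
    Backup-IconHandlers
    foreach ($key in $IconHandlerKeys) {
        if (Test-Path $key) {
            # Clearing the CLSID in (Default) is what the advisory's "disable the
            # displaying of icons for shortcuts" step does; shortcuts then show a
            # generic icon until the value is restored.
            Set-ItemProperty -Path $key -Name '(default)' -Value ''
        }
    }
}

function Restore-ShortcutIcons {
    # Re-import the .reg files written by Backup-IconHandlers (run after patching).
    Get-ChildItem -Path $BackupDir -Filter '*.reg' | ForEach-Object {
        & reg.exe import $_.FullName | Out-Null
    }
}

function Disable-WebClientService {
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if ($svc) {
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
        Set-Service -Name WebClient -StartupType Disabled
    }
}

function Test-LnkWorkaround {
    # Returns $true only when both workarounds are in place; useful as a
    # compliance check across machines before the patch is rolled out.
    $iconsOff = $true
    foreach ($key in $IconHandlerKeys) {
        if (Test-Path $key) {
            $val = (Get-ItemProperty -Path $key).'(default)'
            if (-not [string]::IsNullOrEmpty($val)) { $iconsOff = $false }
        }
    }
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    $webClientOff = (-not $svc) -or
        ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
    return ($iconsOff -and $webClientOff)
}

# Typical use:
#   Disable-ShortcutIcons; Disable-WebClientService; Test-LnkWorkaround
# and, once the real patch (MS10-046) is installed:
#   Restore-ShortcutIcons
```

The backup step matters more than it looks: the advisory's own instructions tell users to delete the value outright, and a machine with a blanked IconHandler and no export is one more thing to repair after patching. Disabling WebClient also breaks any WebDAV-mapped drives, so check for those before rolling this out fleet-wide.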
-
chrissb wrote:
I quit and am now happily in Conservation and Land Mangement.
Good choice. You may not support users' computers anymore, but you still have to support your own computer.
TOMZ_KV
Tomz_KV wrote:
but you still have to support your own computer
I can support a computer that's taken care of with ease. Anything that's hit repeatedly till it fails is no fun working on, whether it's a computer, automobile or garden in my current line of work. Also turns out I enjoy coding and working with tech when it's not someone else's piece of junk. ;P