CNN's Sean Lyngaas back once again with a belter story: Iranian hackers are behind a series of breaches of systems that monitor the amount of fuel in storage tanks serving gas stations in multiple U.S. states.

philsalkie@mindly.social

Most industrial equipment that has an Ethernet port is completely unsafe to put naked on the Internet.

But when there's an Ethernet port, somebody's gonna hang a static IP on it and put it on the Net. Because of course they are.

Most of those systems will be the default passwords, or won't stop you just brute forcing, or will even do things like telling you the password if you ask it. (It's expecting the development environment to do the password checking.)

Newer stuff is better, but there's an awful lot of stuff out there with horrid firmware and an Ethernet port.

(Fixing this sort of mess is a big part of my job.)

trillionb@mstdn.social

@zackwhittaker I have zero doubt there are still stations with a Win 95 box reading a bunch of PLCs and dialing a modem to report nightly status.

And they are more secure than this bs.

cav@infosec.exchange

@zackwhittaker oof.

And I'm sure they already know about all of the internet facing devices that monitor and control crude oil levels in tanks and can be disrupted to stop the flow of oil going into pipelines. Protected only by default user/pass. I saw that far to many times when I was the industry.

I'm sure that won't become an issue at all at some point /s

maddad@mastodon.world

@zackwhittaker

Which makes me wonder if they could then initiate false readings too.

jason@logoff.website

@zackwhittaker I mean weev went to prison for accessing things unprotected on the web. “Breach” is a dumb word here though.

gabs@mastodonapp.uk

@XauriEL @zackwhittaker script kiddies are back

johntimaeus@infosec.exchange

@neurovagrant @threatresearch @zackwhittaker

As part of spinning up on ICS/OT, I've been ingesting all the "cyber" writeups and videos from the vendors that I can.
Two weeks ago I watched a CTO doing a ted-ish talk on why *grid devices* don't need and can't do basic security.
The devices in question control substation contactors up th 500kV. They ship with default creds, and open telnet.

I'm trying to figure out how big the upcoming rant is gonna be.

felurx@troet.cafe

@johntimaeus Ooh that sounds like a fascinating watch, is it public / can you share a link?

tinker@infosec.exchange

@zackwhittaker - Everyone is worried about the next stuxnet, but OT / ICS devices often have default creds or... as you point out... no creds...

And yes! The system is airgapped from the IT network! We only access it from the internet!!!!

zdl@mstdn.social

@zackwhittaker Isn't blaming "Iranian hackers" for this kind of DARVOing it? You didn't put a lock on something you attached to the network. Do you also leave your gas tanks unlocked for any random passersby to open?

zdl@mstdn.social

@tinker @csstrowbridge @zackwhittaker Entered unsecured premises.

johntimaeus@infosec.exchange

@felurx

Haven't written the rant quite yet. And I'll probably have to pull it back some because I suspect that corporate lawyers are going to advise me against the phrase "willful reckless negligence for the safety of the nation's critical infrastructure", while I mention specific companies.

Will share if allowed.

leadegroot@bne.social

@zackwhittaker @drwho and they figure it has to be Iranian hackers, not 11 year olds from Detroit, for Reasons ‍️

drwho@masto.hackers.town

@leadegroot @zackwhittaker Heh... Last year it would have been Chinese hackers.

starkrg@myside-yourside.net

@zackwhittaker So, they're not so much hackers as they are casual browsers with a penchant for finding open doors.

zazen@ieji.de

@zackwhittaker Probably royally Shodaned!

cascheranno@hachyderm.io

@csstrowbridge @zackwhittaker I’d say the wardialing part part counts, but have to admit they prolly just needed to ask Shodan