Using hard-coded passwords on things that affect public safety should be criminal. Yes, let's make it easy for a hacker or foreign country to disable you remotely. This makes warfare easy. You don't even have to leave home.
Homebrew crypto SNAFU on electrical grid sees GE rush patches
General Electric is pushing patches for protection relay bugs that, if exploited, could open up transmission systems to a grid-scale attack. The company hasn't published much by way of detail, but spoke to Reuters after this Black Hat abstract was published (the talk will be delivered to the July conference in Las Vegas). The …
COMMENTS
Thursday 27th April 2017 05:35 GMT Griffo
Dude, it was the 1990s. It might have been the time for Guru Josh, but not for Security. Stateful firewalls didn't even exist until 1994 when Checkpoint released FW1, and it was not uncommon at the time to use public IP internally and just plug into the Internet with nothing but the most basic filtering. I'm not even sure NAT was invented yet. So yeah, hard-coded admin passwords were not exactly known to be bad practice at the time.
Thursday 27th April 2017 23:04 GMT Blotto
@Tom
Nothing wrong with using routable addressing internally.
Easily blockable at the border especially when those addresses need NAT to get out.
Route those addresses, from the internet's perspective, to null anywhere on the net other than the site where the addresses are used and you're golden; the internet will then never be able to reach those hosts, as they won't exist where the net thinks they do.
Thursday 27th April 2017 05:40 GMT Blotto
Explain that to the people who regard the fact it uses some form of encryption as proof it's safe to go on the net.
Also, re hard-coded passwords: what about Windows service accounts whose passwords never change, or passwords of last resort that never change (only usable once the central authentication system is unreachable)? There are some use cases where a hard-coded password is the only option, but an admin process should change that password on a regular basis.
Thursday 27th April 2017 07:56 GMT John Robson
"what about Windows service accounts whose passwords never change, or passwords of last resort that never change (only usable once the central authentication system is unreachable)? There are some use cases where a hard-coded password is the only option, but an admin process should change that password on a regular basis."
Passwords of last resort don't need regular rotation - the account wants monitoring for login attempts, but the password of last resort is presumably a) horrific and b) printed on two pieces of paper, each held in a safe in separate locations...
Why rotate an unused password - no-one can be getting it by keylogger... And the login rate (failed and successful) can easily be monitored.
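The monitoring the comment above describes, as an added illustration that is not part of the original thread: a small Python detector that parses constructed auth-log lines (the syslog-like format, the account name "breakglass" and the addresses are all made up for the example), raises an alert on any login attempt against a password-of-last-resort account, successful or not, and separately flags a burst of failures against any account within a short window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the example; the format is assumed, not a real product's.
SAMPLE_LOG = """\
2017-04-27T05:35:01 auth: user=alice result=success src=10.0.0.5
2017-04-27T05:35:07 auth: user=breakglass result=failure src=203.0.113.9
2017-04-27T05:35:09 auth: user=breakglass result=failure src=203.0.113.9
2017-04-27T05:35:12 auth: user=breakglass result=failure src=203.0.113.9
2017-04-27T05:36:00 auth: user=bob result=failure src=10.0.0.7
2017-04-27T05:36:05 auth: user=bob result=success src=10.0.0.7
2017-04-27T06:10:00 auth: user=breakglass result=success src=10.0.0.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) result=(?P<result>success|failure) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn log text into a list of event dicts; lines that don't match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "user": m.group("user"),
            "result": m.group("result"),
            "src": m.group("src"),
        })
    return events


def login_rates(events):
    """Per-(user, result) counts, i.e. the 'login rate' a reviewer would graph or threshold."""
    return Counter((e["user"], e["result"]) for e in events)


def analyse(events, break_glass_accounts, fail_threshold=3, window=timedelta(minutes=5)):
    """Return alerts. Rule 1: any use of a break-glass account is reportable, because the
    account should never be touched while central authentication is healthy.
    Rule 2: fail_threshold or more failures for one user inside `window` is a guessing burst."""
    alerts = []

    # Rule 1: the account is expected to sit idle, so every attempt is worth a human look.
    for e in events:
        if e["user"] in break_glass_accounts:
            alerts.append({"rule": "break_glass_use", "user": e["user"],
                           "src": e["src"], "result": e["result"], "ts": e["ts"]})

    # Rule 2: sliding window of failure timestamps per user.
    recent_failures = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["result"] != "failure":
            continue
        stamps = recent_failures[e["user"]]
        stamps.append(e["ts"])
        # Drop failures that fell out of the window.
        while stamps and e["ts"] - stamps[0] > window:
            stamps.pop(0)
        if len(stamps) >= fail_threshold:
            alerts.append({"rule": "failure_burst", "user": e["user"], "src": e["src"],
                           "count": len(stamps), "ts": e["ts"]})
            stamps.clear()  # one alert per burst, not one per extra failure
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for alert in analyse(evs, {"breakglass"}):
        print(alert)
    print(login_rates(evs))
```

On the sample input this yields four break-glass alerts (three failures from the external address and the later success from an internal one) and one failure-burst alert for the same account; bob's single failure before a success stays below the threshold. In practice the break-glass rule would feed a paging channel rather than a dashboard, since a genuine outage of the central authentication system is the only time that account should ever appear in the log.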
Thursday 27th April 2017 08:05 GMT Anonymous Coward
Put this in perspective....
..in the 1990s very little was connected to the internet. Your biggest threat was someone walking up to the PC / device with an infected floppy disk, or direct dial-up access.
https://en.wikipedia.org/wiki/Internet_Systems_Consortium#/media/File:Internet_Hosts_Count_log.svg
Thursday 27th April 2017 22:00 GMT John Smith 19
Remember GE is the home of "Not Invented Here"
Because if it was a good idea "we would have invented it already."
So they did.
Not very well it seems.
Capital equipment has a very long operating life. These gadgets were probably first hooked up to a proprietary interface (I think GE was supporting something called the Mfg Automation Protocol around then) then a dialup modem and now to an IP router.