Homebrew crypto SNAFU on electrical grid sees GE rush patches General Electric is pushing patches for protection relay bugs that, if exploited, could open up transmission systems to a grid-scale attack. The company hasn't published much by way of detail, but spoke to Reuters after this Black Hat abstract was published (the talk will be delivered to the July conference in Les Vegas). The …
Dude, it was the 1990's. It might have been the time for Guru Josh, but not for Security. Stateful firewalls didnt even exist until 1994 when Checkpoint released FW1, and it was not uncommon at the time to use public IP internally and just plug into the Internet with nothing but the most basic filtering. I'm not even sure NAT was invented yet. So yeah, hard-coded admin passwords were not exactly known to be bad practice at the time.
@Tom
Nothing wrong with using routable addressing internally.
Easily blockable at the border especially when those addresses need NAT to get out.
Route those addresses from internet perspective to null anywhere on the net other than the site that the addresses are used at and your golden, the internet will then never be able to reach those hosts as they won't exist where the net thinks they do.
Explain that to the people who regard the fact it uses some form of encryption as proof it's safe to go on the net.
Also re hard coded passwords, what about Windows service accounts who's passwords never change or passwords of last resort that never change (only useable once central authentication system is unreachable) there are some use cases where hard coded password is the only option, but admin process should change that password on regular basis.
"what about Windows service accounts who's passwords never change or passwords of last resort that never change (only useable once central authentication system is unreachable) there are some use cases where hard coded password is the only option, but admin process should change that password on regular basis."
Passwords of last resort don't need regular rotation - the account wants monitoring for login attempts, but the password of last resort is presumably a) horrific and b) printed on two pieces of paper, each held in a safe in separate locations...
Why rotate an unused password - no-one can be getting it by key logger... And the login rate (failed and successful) can easily be monitored
..in the 1990's very little was connected to the internet. You biggest threat was someone walking up to the pc / device with an infected floppy disk or by direct dial up access.
https://en.wikipedia.org/wiki/Internet_Systems_Consortium#/media/File:Internet_Hosts_Count_log.svg
Because if it was a good idea "we would have invented it already."
So they did.
Not very well it seems.
Capital equipment has a very long operating life. These gadgets were probably first hooked up to a proprietary interface (I think GE was supporting something called the Mfg Automation Protocol around then) then a dialup modem and now to an IP router.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
