By Kim Zetter
July 19, 2010
A sophisticated new piece of malware that targets command-and-control
software installed in critical infrastructures uses a known default
password that the software maker hard-coded into its system. The
password has been available online since at least 2008, when it was
posted to product forums in Germany and Russia.
The password protects the database used in Siemens' Simatic WinCC SCADA
system, which runs on Windows operating systems. SCADA, short for
"supervisory control and data acquisition," systems are programs
installed in utilities and manufacturing facilities to manage the
operations. SCADA has been the focus of much controversy lately for
being potentially vulnerable to remote attack by malicious outsiders who
might want to seize control of utilities for purposes of sabotage,
espionage or extortion.
"Default passwords are and have been a major vulnerability for many
years," said Steve Bellovin, a computer scientist as Columbia University
who specializes in security issues. "It's irresponsible to put them in,
in the first place, let alone in a system that doesn't work if you
change it. If that's the way the Siemens systems works, they were
Siemens did not respond to a request for comment.
Attend Black Hat USA 2010, hosted at Caesars Palace in Las Vegas, Nevada
July 24-29th, offering over 60 training sessions and 11 tracks of Briefings
from security industry elite. To sign up visit http://www.blackhat.com