
Hoping to Teach a Lesson, Researchers Release Exploits for Critical Infrastructure Software


posted on Jan, 19 2012 @ 06:45 PM

Hoping to Teach a Lesson, Researchers Release Exploits for Critical Infrastructure Software


www.wired.com

A group of researchers has discovered serious security holes in six top industrial control systems used in critical infrastructure and manufacturing facilities and, thanks to exploit modules they released on Thursday, have also made it easy for hackers to attack the systems before they’re patched or taken offline.
(visit the link for the full news article)




posted on Jan, 19 2012 @ 06:45 PM
Skiddies (script kiddies) and exploitation of critical infrastructure is a sound blend. People are up in arms of the DoJ, MegaUpload and RIAA, etc. being down but wait till SCADA (supervisory control and data acquisition) systems are impacted. Add Stuxnet or Duqu to the equation and you have the potential for serious disorder. The release is integrated into the popular hacker toolkit called Metasploit.

The debate has now turned again as to whether the release of such knowledge and material should have been made public prior to giving vendors an opportunity to address the problems.

Vulnerability Matrix

brill




posted on Jan, 19 2012 @ 06:49 PM
........

When did January turn into hack the planet? I have a bad feeling about all this...



posted on Jan, 19 2012 @ 07:01 PM
I think they should tell them about low-level ones, tell them that it's possible others exist, and then if they do a crappy job, they get what they get.



posted on Jan, 19 2012 @ 07:01 PM

Originally posted by whatsinaname
........
When did January turn into hack the planet? I have a bad feeling about all this...


Well, in fairness, several of the vulnerabilities have been known for a while. This was just an attempt to give a sense of urgency to PLC manufacturers to better identify security deficiencies. As the article states, Stuxnet was an eye opener to many. Having commonly available tools to assist in exploitation is frightening in its own sense but it's more or less lighting a fire under their collective asses to fix these problems.

Interesting note. A vendor I work with has now begun to release enhanced security protection for industrial controls for their intrusion prevention systems. At the rate things are going we won't need the Mayans' prediction to come true, we're on a solid path to take ourselves out.

brill



posted on Jan, 19 2012 @ 07:45 PM
reply to post by brill
 


In my mind that is a serious criminal act or should be. Anything that comes of it should lead to at the least massive civil suits by anyone negatively impacted, if not serious felony charges.



posted on Jan, 19 2012 @ 07:59 PM

Originally posted by Blaine91555
reply to post by brill
 


In my mind that is a serious criminal act or should be. Anything that comes of it should lead to at the least massive civil suits by anyone negatively impacted, if not serious felony charges.


Agreed. In addition I should think there should be much stricter legislation and severe penalties for manufacturers who don't take rigorous steps to secure their products. This is simply not an area of compromise and much more needs to be done.

brill



posted on Jan, 19 2012 @ 08:21 PM

Originally posted by brill
Skiddies (script kiddies) and exploitation of critical infrastructure is a sound blend. People are up in arms of the DoJ, MegaUpload and RIAA, etc. being down but wait till SCADA (supervisory control and data acquisition) systems are impacted. Add Stuxnet or Duqu to the equation and you have the potential for serious disorder. The release is integrated into the popular hacker toolkit called Metasploit.

The debate has now turned again as to whether the release of such knowledge and material should have been made public prior to giving vendors an opportunity to address the problems.

Vulnerability Matrix

brill



The researchers responsible should be in jail. But at the least they will probably be sued into oblivion for gross negligence if something bad happens as a result. Because as some have already stated the data they released has already been added to hacker tool kits.

It would be no different if researchers released a list of vulnerable US targets overseas (with details of how to exploit their vulnerabilities) and enemies of the USA used that information to target them.

They went far beyond their 1st Amendment rights when they released the information on how to exploit. If they would have said X systems are vulnerable and give a brief (but lacking in depth) explanation of why they are vulnerable.

But what they did went far beyond that and blatantly ventured into enabling hacking, electronic terrorism, of the vulnerable systems.



posted on Jan, 19 2012 @ 08:52 PM
Does anybody know if Iran has any cyberwar capabilities? If so this seems to be a pretty little Achilles heel.

I never thought I would say this about anything, but this also seems like a juicy target for a false flag.



posted on Jan, 19 2012 @ 09:05 PM

Originally posted by korathin
The researchers responsible should be in jail. But at the least they will probably be sued into oblivion for gross negligence if something bad happens as a result. Because as some have already stated the data they released has already been added to hacker tool kits.

It would be no different if researchers released a list of vulnerable US targets overseas (with details of how to exploit their vulnerabilities) and enemies of the USA used that information to target them.

They went far beyond their 1st Amendment rights when they released the information on how to exploit. If they would have said X systems are vulnerable and give a brief (but lacking in depth) explanation of why they are vulnerable.

But what they did went far beyond that and blatantly ventured into enabling hacking, electronic terrorism, of the vulnerable systems.


Doubtful anything will happen to the researchers. Ask yourself this. Would you rather these people reveal the problem or have someone else find it and keep it for themselves to use as they see fit, i.e. foreign governments. Also note that some of the problems had been brought to the attention of these vendors before with little concern. Shouldn't the people/companies who manufacture this equipment take blame for their negligence? Like so many things, it's only when the actions taken by these researchers are presented do the people responsible sit up and finally take notice. How much should be released though is certainly worth mentioning, as you've noted.

brill



posted on Jan, 19 2012 @ 11:32 PM

Originally posted by Blaine91555
reply to post by brill
 


In my mind that is a serious criminal act or should be. Anything that comes of it should lead to at the least massive civil suits by anyone negatively impacted, if not serious felony charges.


You are talking about the companies producing and not patching these systems as the liable party and defendant in your hypothetical lawsuits, correct? The majority of these flaws were known about or should have been known about by the very nature of the type of flaw they are. Hell, some of them are not exploits but critical design flaws, back doors and lack of security. The manufacturers of the software and hardware are completely liable and the public should know. With the released knowledge now professionals at these firms' customers can at least try to mitigate the risk and do what they can and know what to look out for. Instead of waiting (and hoping) for a fix.

Release of exploits is responsible computing. Odds are very good, if you found a hole: someone else has first.



posted on Jan, 19 2012 @ 11:50 PM
reply to post by korathin
 


I disagree entirely. If they know, someone else knows. We should all know. Now, if the word gets out further hopefully everyone in their fields who works with this equipment will know. Hopefully. You'd be surprised how many people might not care, people who work with the systems and should.

If you read this article or understood it, you'd know that some of these flaws are critical design or security flaws that are trivial to exploit, were placed and done purposely to cut corners or time, and / or already previously known about by said manufacturers. They were not fixed, had no time-frame to be fixed and in some cases were blatantly dismissed as won't be fixed.

Live systems with dead man switches hah... if they found out, odds are someone else knew first.



