Hoping to Teach a Lesson, Researchers Release Exploits for Critical Infrastructure Software
Topic started on 19-1-2012 @ 06:45 PM by brill

Hoping to Teach a Lesson, Researchers Release Exploits for Critical Infrastructure Software


www.wired.com
A group of researchers has discovered serious security holes in six top industrial control systems used in critical infrastructure and manufacturing facilities and, thanks to exploit modules they released on Thursday, have also made it easy for hackers to attack the systems before they’re patched or taken offline.
(visit the link for the full news article)


reply posted on 19-1-2012 @ 07:45 PM by Blaine91555
reply to post by brill



In my mind that is a serious criminal act or should be. Anything that comes of it should lead to at the least massive civil suits by anyone negatively impacted, if not serious felony charges.


reply posted on 19-1-2012 @ 07:59 PM by brill
Originally posted by Blaine91555
reply to post by brill



In my mind that is a serious criminal act or should be. Anything that comes of it should lead to at the least massive civil suits by anyone negatively impacted, if not serious felony charges.


Agreed. In addition I should think there should be much stricter legislation and severe penalties for manufacturers who don't take rigorous steps to secure their products. This is simply not an area of compromise and much more needs to be done.

brill



reply posted on 19-1-2012 @ 08:21 PM by korathin
Originally posted by brill
Skiddies (script kiddies) and exploitation of critical infrastructure is a sound blend. People are up in arms of the DoJ, MegaUpload and RIAA, etc. being down but wait till SCADA (supervisory control and data acquisition) systems are impacted. Add Stuxnet or Duqu to the equation and you have the potential for serious disorder. The release is integrated into the popular hacker toolkit called Metasploit.

The debate has now turned again as to whether the release of such knowledge and material should have been made public prior to giving vendors an opportunity to address the problems.

Vulnerability Matrix

brill

www.wired.com
(visit the link for the full news article)


The researchers responsible should be in jail. But at the least they will probably be sued into oblivion for gross negligence if something bad happens as a result. Because, as some have already stated, the data they released has already been added to hacker tool kits.

It would be no different if researchers released a list of vulnerable US targets overseas (with details of how to exploit their vulnerabilities) and enemies of the USA used that information to target them.

They went far beyond their 1st Amendment rights when they released the information on how to exploit. If they would have said X systems are vulnerable and given a brief (but lacking in depth) explanation of why they are vulnerable.

But what they did went far beyond that and blatantly ventured into enabling hacking, electronic terrorism, of the vulnerable systems.


reply posted on 19-1-2012 @ 09:05 PM by brill
Originally posted by korathin
The researchers responsible should be in jail. But at the least they will probably be sued into oblivion for gross negligence if something bad happens as a result. Because, as some have already stated, the data they released has already been added to hacker tool kits.

It would be no different if researchers released a list of vulnerable US targets overseas (with details of how to exploit their vulnerabilities) and enemies of the USA used that information to target them.

They went far beyond their 1st Amendment rights when they released the information on how to exploit. If they would have said X systems are vulnerable and given a brief (but lacking in depth) explanation of why they are vulnerable.

But what they did went far beyond that and blatantly ventured into enabling hacking, electronic terrorism, of the vulnerable systems.


Doubtful anything will happen to the researchers. Ask yourself this. Would you rather these people reveal the problem or have someone else find it and keep it for themselves to use as they see fit, i.e. foreign governments? Also note that some of the problems had been brought to the attention of these vendors before with little concern. Shouldn't the people/companies who manufacture this equipment take blame for their negligence? Like so many things, it's only when the actions taken by these researchers are presented do the people responsible sit up and finally take notice. How much should be released though is certainly worth mentioning, as you've noted.

brill


reply posted on 19-1-2012 @ 11:32 PM by seaez
Originally posted by Blaine91555
reply to post by brill



In my mind that is a serious criminal act or should be. Anything that comes of it should lead to at the least massive civil suits by anyone negatively impacted, if not serious felony charges.


You are talking about the companies producing and not patching these systems as the liable party and defendant in your hypothetical lawsuits, correct? The majority of these flaws were known about or should have been known about by the very nature of the type of flaw they are. Hell, some of them are not exploits but critical design flaws, back doors and lack of security. The manufacturers of the software and hardware are completely liable and the public should know. With the released knowledge now, professionals at these firms' customers can at least try to mitigate the risk and do what they can and know what to look out for. Instead of waiting (and hoping) for a fix.

Release of exploits is responsible computing. Odds are very good, if you found a hole: someone else has first.


reply posted on 19-1-2012 @ 11:50 PM by seaez
reply to post by korathin



I disagree entirely. If they know, someone else knows. We should all know. Now, if the word gets out further hopefully everyone in their fields who works with this equipment will know. Hopefully. You'd be surprised how many people might not care, people who work with the systems and should.

If you read this article or understood it, you'd know that some of these flaws are critical design or security flaws that are trivial to exploit, were placed and done purposely to cut corners or time, and/or already previously known about by said manufacturers. They were not fixed, had no time-frame to be fixed and in some cases were blatantly dismissed as won't be fixed.

Live systems with dead man switches hah... if they found out, odds are someone else knew first.