Oldsmar Water Plant Hacked, Authorities Downplay Danger

Andrew Donaldson

Born and raised in West Virginia, Andrew has since lived and traveled around the world several times over. Though frequently writing about politics out of a sense of duty and love of country, most of the time he would prefer discussions on history, culture, occasionally nerding on aviation, and his amateur foodie tendencies. He can usually be found misspelling/misusing words on Twitter @four4thefire and his writing website Yonder and Home.

35 Responses

  1. Oscar Gordon says:

    How much you want to bet some manager at the plant had a dead simple TeamViewer password, or was in the habit of having the password written down or stored in clear text on their phone?

    • Philip H in reply to Oscar Gordon says:

      Well, written down is not actually the problem a lot of IT people want it to be, unless you are also in the habit of showing it to people all the time.

      Weak passwords are, however, another issue …

      • Dark Matter in reply to Philip H says:

        password=password.

        The more interesting question is who did this? At a guess, disgruntled worker or someone who expects to get more budget from this.

        On a side note, passwords are a problem; I have 50+ of them, maybe 100+. They need to be different. They need to be long.

      • Oscar Gordon in reply to Philip H says:

        Or leaving it on your desk, where it’s easy to see/find (under the keyboard is a great one). Or stored in clear text on your phone (people have strange ideas regarding how secure phones are).

        • Oscar Gordon in reply to Oscar Gordon says:

          I use a password manager, and my employer encourages us to use a different password manager on our work machines.

          I also wonder if the plant workstations are behind a VPN?

        • Philip H in reply to Oscar Gordon says:

          I have too many friends working in IT security to make those mistakes. Other mistakes, sure.

        • Kazzy in reply to Oscar Gordon says:

          Related… what are your thoughts on the following:

          1.) Chrome’s built-in password manager
          2.) Apple’s built-in password manager
          3.) A 3rd party password manager like LastPass (I think I know your feeling on that one because I vaguely remember you recommending it, but could be wrong)

          If you have hesitations about any of those, what would you recommend for someone wanting to secure passwords for mostly personal use (e.g., bank accounts, email, etc.)?

          • Oscar Gordon in reply to Kazzy says:

            Almost all of them are fine, but they are only as strong as your master password. And for that, I refer you to this wonderful XKCD comic.

            Beyond that, it’s all about ease of use and what features you need. I like LastPass because it has features I find useful and I can run it almost everywhere.

            • Kazzy in reply to Oscar Gordon says:

              LastPass has been my preferred one, though I have all three turned on and sometimes get annoyed when they start fighting with each other. But that is user error.

              I could probably stand to pick a better master password. I mean, Password69 has worked thus far but…

              • Oscar Gordon in reply to Kazzy says:

                Right up there with Maga2020!

                I use phrases for my ‘have to remember it’ password, because it annoys dictionary attacks.

                For instance, a few lines from a poem:

                I took the one less traveled by,
                And that has made all the difference.

                becomes

                Itt1ltbAthmatd!

                Nice, long, meets all password requirements, and those two lines are easy to remember.
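As an added example, not code posted by any commenter in this thread, here is a small Python implementation of the mnemonic scheme Oscar Gordon describes, together with a check against the kind of complexity policy he means by "meets all password requirements". The rules (upper-case first letter per line, lower-case for the other words, spelled-out numbers replaced by digits, a trailing symbol) are my reading of his Itt1ltbAthmatd! example; the policy thresholds in `meets_requirements` are assumptions.

```python
import re

# Spelled-out numbers become digits, following the "one" -> "1" substitution
# in the commenter's example. This mapping is constructed for the example.
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}


def mnemonic_password(lines, suffix="!"):
    """Build a password from the first letter of each word of memorised lines.

    Rules inferred from the comment's example:
      - the first word of each line contributes an upper-case letter,
      - every other word contributes a lower-case letter,
      - spelled-out numbers contribute the digit instead,
      - punctuation in the source text is ignored,
      - a chosen suffix (default '!') is appended so symbol rules are met.
    """
    out = []
    for line in lines:
        # Keep only word-like tokens; apostrophes inside words are tolerated.
        words = [w.strip("'") for w in re.findall(r"[A-Za-z']+", line)]
        words = [w for w in words if w]
        for index, word in enumerate(words):
            lowered = word.lower()
            if lowered in NUMBER_WORDS:
                out.append(NUMBER_WORDS[lowered])
            elif index == 0:
                out.append(word[0].upper())
            else:
                out.append(word[0].lower())
    return "".join(out) + suffix


def meets_requirements(password, min_length=12):
    """Typical complexity policy (assumed): length plus four character classes."""
    checks = [
        len(password) >= min_length,
        re.search(r"[A-Z]", password) is not None,
        re.search(r"[a-z]", password) is not None,
        re.search(r"[0-9]", password) is not None,
        re.search(r"[^A-Za-z0-9]", password) is not None,
    ]
    return all(checks)


if __name__ == "__main__":
    frost = [
        "I took the one less traveled by,",
        "And that has made all the difference.",
    ]
    pw = mnemonic_password(frost)
    print(pw, meets_requirements(pw))                      # Itt1ltbAthmatd! True
    print("Password69", meets_requirements("Password69"))  # Password69 False
```

The check passes the mnemonic and fails Kazzy's Password69 (too short, no symbol), but note that a policy check measures shape, not guessability: the protection comes from how unlikely an attacker is to have the source lines, since the letter-extraction step itself is cheap to apply to a corpus of well-known verse. Michael Cain's preference for an obscure song, below, is the relevant defence.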

              • J_A in reply to Oscar Gordon says:

                Great minds think alike – I do exactly the same, but use song lyrics, and a number that means something to me but to no one else (like the birthday of a friend from when I was growing up, i.e. 35 years ago, whom I haven’t seen since the mid 80s).

                And I use hints in my phone to remember, like “Holophernes” is a key that I’m using the Hey Jude lyrics (Jude=Judith), and “Alexander” is a key that I’m using my friend’s birthday.

              • Oscar Gordon in reply to J_A says:

                It’s something my old boss told me to do back when I first started in IT. Can’t have network admin passwords that are easy to guess or crack, but you also don’t want to be forgetting it all the time.

              • Michael Cain in reply to J_A says:

                Yeah, first letter from the lyrics of an obscure song plus something odd tacked on to the end to make the password-strength checkers happy.

          • Chip Daniels in reply to Kazzy says:

            I prefer post-it notes affixed to my monitor.

    • fillyjonk in reply to Oscar Gordon says:

      “password1234”

      I wonder if it will come out this was a white-hat hacker, showing them their insecurities, and he’d never actually poison people. Or maybe I’m being too Pollyanna.

  2. Philip H says:

    This – right here this – is why the IOT is so worrisome. And don’t think turning it all off won’t be a goal of domestic terrorists at some point.

    • fillyjonk in reply to Philip H says:

      I hope there remains a market for things like low-end fridges and the like that DON’T connect to the internet; I have no interest in some goofball being able to turn my house lights off and on for the lulz just because I decided it was easier to control them from my phone than to throw a manual switch.

  3. Michael Cain says:

    Back in the 1960s, when the Bell System began deploying switches and other telecommunications gear that could be monitored and controlled remotely, they accepted Bell Labs’ word that the computers doing the control must never be connected to a public network. It’s expensive — in this case, you would have to physically go into the water treatment plant in order to adjust the settings, or have appropriate staff on site 24/7.

    I expect to live long enough to see major utilities crash and burn because remote control over the public internet was cheaper.

    • Michael Cain in reply to Michael Cain says:

      My favorite story from my colleagues who administer large internet backbone networks is the guy who mistyped a command — in a Denver suburb — and disconnected most of the UK from the global internet. To reverse that error, someone in the UK got a phone call at 2:00 am local time and had to drive 90 minutes so they could physically touch the router.

    • Oscar Gordon in reply to Michael Cain says:

      The lack of awareness regarding IT security at utilities makes me want to line my roof with solar panels and keep a large tank of fresh water in the attic.

      • Michael Cain in reply to Oscar Gordon says:

        I have a friend in far western North Carolina who has installed a large genset. During a recent power outage — natural causes — he described their house as “an island of light in the sea of dark.” He has doubled his propane capacity and is now set up to handle a week if they are careful.

        OTOH, I recently moved to an area served by a sizeable municipal power coop, leaving my previous private sector utility. After four months and a bit, the power has been so steady that I haven’t bothered putting the UPS on my desktop Mac.

        • Philip H in reply to Michael Cain says:

          Your friend might want to think about his basking in the glow . . . should any of the SHTF scenarios involving massive grid outages come to pass, his lights will attract all sorts of people . . .

          • fillyjonk in reply to Philip H says:

            That’s what blackout curtains are for….

          • Michael Cain in reply to Philip H says:

            In a SHTF scenario, I’m pretty sure that he won’t be an island of light in the dark. He’ll be down to minimum usage. Keeping the freezer running until it’s empty, etc.

            The genset he got and the propane expansion are overengineering typical of him. What he wants to deal with are the (not revealed at the time they bought the house and land) three or four times per year the power is out for two to twelve hours.

            The municipal utility that provides the power in our new place has the most flawless supply I’ve ever lived with. In the four months we’ve been here, the appliance timers have never reset. Hell, so far as I’ve noticed, the lights have never even flickered. I will put my desktop computer on the UPS one of these days, just to have it on the massive surge protector before the first thunderstorm season gets here.

  4. Michael Cain says:

    Ars Technica reports that the computer involved in the attack was running Windows 7 (Microsoft dropped support last month), there was no firewall, and the password was shared by multiple users.

    • Oscar Gordon in reply to Michael Cain says:

      OMFG! If that wasn’t so damn scary, I’d be LMFAO! This is the kind of thing people should get fired for.

      • Mike Schilling in reply to Oscar Gordon says:

        Windows 7 was a decent OS. For maximum comedy, they should have run Vista. And stored their most sensitive data in Access.

        • Michael Cain in reply to Mike Schilling says:

          Still, I put this in the “Those who do not study UNIX are doomed to reinvent it, badly” category. The control application running on a $40 Raspberry Pi using X Windows over ssh and standard login/password security would have been enormously better. Other than the Pi, that’s all quarter-century old technology.

          I have reconciled myself to the fact that when my utilities’ systems all come crashing down, it will be because it wasn’t running on some form of UNIX.

      • Philip H in reply to Oscar Gordon says:

        Oldsmar is a small town. I’d be surprised if the water plant had its own IT manager. They probably get IT support from the larger DPW – and that’s not a large outfit either. They aren’t going to have dozens of people with the latest certificates running this stuff 24/7 the same way DoD does.

        • Oscar Gordon in reply to Philip H says:

          You don’t need dozens of folks with the latest certificates to know that’s a disaster waiting to happen.

          It might be too much to ask that they have a VPN. Perhaps a basic firewall is a bridge too far.

          But not allowing shared passwords/accounts is basic fecking IT security. I mean, come on!
