DOS, Backdoor, and Easter Egg Found In Siemens S7
chicksdaddy writes with a post in Threat Post. From the article: "Dillon Beresford used a presentation at the Black Hat Briefings on Wednesday to detail more software vulnerabilities affecting industrial controllers from Siemens, including a serious remotely exploitable denial of service vulnerability, more hard-coded administrative passwords, and even an easter egg program buried in the code that runs industrial machinery around the globe. In an interview Tuesday evening, Beresford said he has reported 18 separate issues to Siemens and to officials at ICS CERT, the Computer Emergency Response Team for the Industrial Control Sector. Siemens said it is readying a patch for some of the holes, including one that would allow a remote attacker to gain administrative control over machinery controlled by certain models of its Step 7 industrial control software."
Re:Germans and humour... (Score:5, Insightful)
Adding more code to critical systems is NOT COOL. More bugs, more exploits. SCADA systems need to be developed by people who understand and enforce proper engineering and professionalism. This teenage hacker shot does NOT belong there.
IF the software industry would start enforcing engineering principles, most of these messes would even exist.
Re:Germans and humour... (Score:5, Insightful)
Easter eggs are cool
No, Easter eggs (in software) are not cool. They cause problems in many ways.
Re:Only quickly scanned TFA.... (Score:0, Insightful)
No, those systems should be on an isolated network. If they are internet facing, or there is an internet facing computer also on that network, then the utility company deserves all the havoc that comes to them.
Re:Gee thanks Mossad (Score:4, Insightful)
Re:Germans and humour... (Score:2, Insightful)
As I myself work for a grid operator, I'm allowed to say that easter eggs in word processors and spreadsheets are one thing, and easter eggs in critical infrastructure control systems are quite another. Hopefully everyone can agree an easter egg in the software that controls the space shuttle would not be amusing either...
Re:Oh Good, A Backdoor (Score:5, Insightful)
Actually, I'd hazard a guess that MOST SCADA systems are vulnerable. These things weren't designed with security in mind - they're supposed to run off closed networks separated from the Internet (easily done - most of these things predate the Internet).
Heck, the biggest "security issue" would've been access via OPC ("OLE for Process Control" - yes, that same stuff Microsoft touted - "Object Linking and Embedding" from Windows 3.x).
And yeah, most industrial entities probably lack the proper IT team and infrastructure - after all, most of their work involved keeping the network up and running for the controllers, keeping OPC working. Then someone demands Internet connectivity on their desktop and they set up routers and firewalls (and don't know about stuff like data diodes).
Basically, stuff that was never designed for security ends up on the Internet.