ICS-CERT Warns That Infrastructure Switches Have Hard-Coded Account Holes 60
Trailrunner7 writes with news of more critical infrastructure not being well secured. From the article: "The Department of Homeland Security is warning users of some of GarrettCom's switches that there is a hard-coded password in a default account on the devices, which are deployed in a number of critical infrastructure industries, that could allow an attacker to take control of them. A researcher at Cylance discovered the hidden account and warned the ICS-CERT...The problem exists in the GarrettCom Magnum MNS-6K Management Software and the company has released an updated version of the application that addresses the vulnerability. GarrettCom's switches are used in a variety of industries, including transportation, utilities and defense. The company issued a new version of the affected software in May, but didn't note that the fix for this vulnerability was included in it. 'A "factory" account intended to only be allowed to log in over a local serial console port exists in certain versions of GarrettCom's MNS-6K and MNS-6K-SECURE software. Cylance has identified an unforseen method whereby a user authenticated as "guest" or "operator" can escalate privileges to the "factory" account,' Cylance said in its advisory."
Readme.txt (Score:5, Funny)
Re:I want to hire some of those cyborgs you use. (Score:4, Funny)
The studies I saw that showed that "normal human employees will trade their passwords for sex, chocolate, or free theatre tickets" had a HUGE flaw -- they didn't check to see if the respondants were lying when they gave "their" password. Hell, if someone offered me sex for my password, I'd say "sure, it's swordfish." Which it isn't really, but I'd still get laid.