Sunday, November 27, 2011

Schmap Las Vegas Guide used my photo for their map promo. #w00T¡

Hi Tony,

Back in 2009, you kindly gave us permission to include your credited photo in our Schmap Las Vegas Guide.

I’m writing now to let you know that we’ve recently completely reformatted and overhauled our Schmap Guides to include real-time local buzz for events, restaurants, bars and more:

lasvegas.schmap.com

Your photo in the new Real-Time Schmap Las Vegas Guide is at:

McCarran International Airport
sch.mp/0l9K38

I hope you like the changes we’ve made - if you’ve any comments or ideas, please do drop me a line!

Best regards,

Emma J. Williams
Managing Editor, Schmap Guides

P.S. If you're a Twitter user, I'm hoping you might help us test this before media launch: sch.mp/arh1f (advance notice for local Las Vegas events and deals via Twitter DM)

We also have two Twitter accounts for Las Vegas, well worth following:

Twitter-trending Las Vegas restaurants and bars:
www.twitter.com/LasVegas_Picks

Live music, parties and more happening right now in Las Vegas:
www.twitter.com/LasVegas_Now

Posted via email from Tony Burkhart

Texas Town Used Three Character Password To Secure SCADA System | threatpost by @paulfroberts


In an e-mail interview with Threatpost, the hacker who compromised software used to manage water infrastructure for South Houston, Texas, said the district had HMI (human machine interface) software used to manage water and sewage infrastructure accessible to the Internet and used a password that was just three characters long to protect the system, making it easy picking for a remote attack.

The hacker, using the handle "pr0f," took credit for a remote compromise of supervisory control and data acquisition (SCADA) systems used by South Houston, a community in Harris County, Texas. Communicating from an e-mail address tied to a Romanian domain, the hacker told Threatpost that he discovered the vulnerable system using a scanner that looks for the online fingerprints of SCADA systems. He said South Houston had an instance of the Siemens Simatic human machine interface (HMI) software that was accessible from the Internet and that was protected with an easy-to-hack, three-character password.

"This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this," he wrote in an e-mail to Threatpost.

"I'm sorry this ain't a tale of advanced persistent threats and stuff, but frankly most compromises I've seen have been a result of gross stupidity, not incredible technical skill on the part of the attacker. Sorry to disappoint."

In a public post accompanied by screenshots taken from the HMI software, the hacker said he carried out the attack after becoming frustrated with reports about an unrelated incident in which an Illinois disaster response agency issued a report claiming that a cyber attack damaged a pump used as part of the town's water distribution system.

A report by the Illinois Statewide Terrorism and Intelligence Center on Nov. 10 described the incident, in which remote attackers hacked into and compromised SCADA software in use by the water utility company. The hackers leveraged the unauthorized access to pilfer client user names and passwords from the SCADA manufacturer. Those credentials were used to compromise the water utility’s industrial control systems, according to Joe Weiss, a security expert at Applied Control Solutions, who described the incident on ControlGlobal.com’s Unfettered Blog.

"You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I've also seen various people doubt the possibility an attack like this could be done," he wrote in a note on the file sharing Web site pastebin.com.

The system that was compromised was protected by a three-character password, pr0f claimed, though not necessarily the default password for the device.

Siemens Simatic is a common SCADA product and has been the subject of other warnings from security researchers. The company warned about a password vulnerability affecting Simatic programmable logic controllers that could allow a remote attacker to intercept and decipher passwords, or change the configuration of the devices.

In July, Siemens advised customers to restrict physical and logical access to its Simatic Industrial Automation products. The company warned that attackers with access to the product or the control system link could decipher the product's password and potentially make unauthorized changes to the Simatic product.

At the Black Hat Briefings in August, security researcher Dillon Beresford unveiled a string of other software vulnerabilities affecting Siemens industrial controllers, including a serious remotely exploitable denial of service vulnerability, the use of hard-coded administrative passwords, and an easter egg program buried in the code that runs industrial machinery around the globe.

 


Amazing... simply amazing. Great article by Paul Roberts, hopefully it wakes up some admins and managers.

Posted via email from Tony Burkhart