In last night's Republican debate, one of the questions posed to the candidates was "What threat might we face in the next few years that no one is talking about today?". The question was in the context of the 9/11 attacks shortly after George Bush became President, that defined his term in office. One of the answers that caught my attention was cyber-terrorism. Instead of a physical attack, our critical computer systems and networks could be attacked by hackers. When you stop and think about how pervasive computing is in our modern lives, covering everything from banking to delivery of our utilities, it's scary to think of how vulerable we are.
In the Kaspersky Labs Threat Post yesterday, Paul Roberts posed a very scary question: Was the three character password used to hack South Houston's Water Treatment Plant a Siemen Default? Apparently the hacker describe an "easy-to-crack three character password" that provided access to the Siemans Simatic HMI (human machine interface) software that controlled the water treatment plant. The description matches the default password that comes with the equipment, but the actual password hasn't been confirmed yet.
Although the hacker says he didn't take any action when he gained access to the system, he could have shut out other users, taken control of the water treatment plant, and cause a lot of damage. He used Internet scanning software to discover systems that were connected to the Internet, and then had a pretty easy time getting in. He describes himself as merely a hobbyist, not a "real" hacker.
If default passwords are being used to protect our critical infrastructure, we're at risk! This breach has gotten attention in the news, but who knows how many other similar systems are vulnerable like this. The department of Homeland Security is working with Siemans to investigate the breach, but this is just the starting point.
ALWAYS use STRONG passwords to protect any applications you access over the Internet. Strong passwords should contain uppercase and lowercase letters, numbers, and symbols. They should never be words in the dictionary, and ALWAYS change the default password!