On Nov 22, 2011, at 7:51 59PM, valdis.kletni...@vt.edu wrote:

> On Tue, 22 Nov 2011 13:32:23 -1000, Michael Painter said:
>
>>> http://jeffreycarr.blogspot.com/2011/11/latest-fbi-statement-on-alleged.html
>
>> And "In addition, DHS and FBI have concluded that there was no malicious
>> traffic from Russia or any foreign entities, as
>> previously reported."
>
> It's interesting to read the rest of the text while doing some deconstruction:
>
> "There is no evidence to support claims made in the initial Fusion Center
> report ... that any credentials were stolen, or that the vendor was involved
> in any malicious activity that led to a pump failure at the water plant."
>
> Notice that they're carefully framing it as "no evidence that credentials were
> stolen" - while carefully tap-dancing around the fact that you don't need to
> steal credentials in order to totally pwn a box via an SQL injection or a PHP
> security issue, or to log into a box that's still got the vendor-default
> userid/passwords on them. You don't need to steal the admin password
> if Google tells you the default login is "admin/admin" ;)
>
> "No evidence that the vendor was involved" - *HAH*. When is the vendor *EVER*
> involved? The RSA-related hacks of RSA's customers are conspicuous by their
> uniqueness.
>
> And I've probably missed a few weasel words in there...

They do state categorically that "After detailed analysis, DHS and the FBI have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois."

I'm waiting to see Joe Weiss's response.

--Steve Bellovin, https://www.cs.columbia.edu/~smb