Thursday, December 13, 2012

Security & Hacking: "Unauthorized Access to a New Jersey Company’s Industrial Control System"

Some snippets of interest:

"US Business 1 had a controller for the system that was password protected, but was set up for remote/Internet access. By using the link posted by the hacktivist, the published backdoor URL provided the same level of access to the company’s control system as the password-protected administrator login. The backdoor required no password and allowed direct access to the control system."
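The mechanism in that first snippet (a second, unlisted URL that skips the login check the normal admin page enforces) is a common pattern when authentication is decided route by route. The following added Python example is not from the article, the FBI memo, or the vendor involved; it is a toy request router with constructed paths and a constructed session token that shows the per-route check beside a deny-by-default gate, plus the audit a defender would run against their own controller's routes:

```python
"""
Added example (not from the post or the affected company): a toy HTTP-style
router illustrating how an unlisted "backdoor" path can bypass a login check
when authentication is enforced per route, and how a deny-by-default gate in
front of all routing closes that hole. Paths, handlers and the session token
are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)


# Constructed session store; a real system would validate a server-side session.
VALID_TOKENS = {"admin-session-token"}


def is_authenticated(req: Request) -> bool:
    return req.headers.get("X-Session") in VALID_TOKENS


def control_panel(req): return "floor plan + HVAC controls"
def set_point(req): return "set point updated"
def status(req): return "ok"


# Vulnerable pattern: each route carries its own "needs auth" flag.
# '/hidden/panel' (e.g. a support/vendor shortcut) was registered without
# the flag, so it exposes the same controls as the protected '/admin/panel'.
VULNERABLE_ROUTES = {
    "/admin/panel": (control_panel, True),
    "/admin/setpoint": (set_point, True),
    "/hidden/panel": (control_panel, False),  # backdoor: no auth check
    "/status": (status, False),
}


def dispatch_vulnerable(req: Request):
    handler, needs_auth = VULNERABLE_ROUTES.get(req.path, (None, True))
    if handler is None:
        return 404, "not found"
    if needs_auth and not is_authenticated(req):
        return 401, "login required"
    return 200, handler(req)


# Hardened pattern: one gate runs before any routing. Only an explicit,
# reviewed allow-list of public paths is exempt; every other path, including
# ones nobody remembers adding, requires a valid session.
PUBLIC_PATHS = {"/status"}
HARDENED_ROUTES = {
    "/admin/panel": control_panel,
    "/admin/setpoint": set_point,
    "/hidden/panel": control_panel,  # still registered, but now gated
    "/status": status,
}


def dispatch_hardened(req: Request):
    if req.path not in PUBLIC_PATHS and not is_authenticated(req):
        return 401, "login required"
    handler = HARDENED_ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    return 200, handler(req)


def audit_unauthenticated_access(dispatch, routes):
    """Defender's check: which non-public paths answer 200 with no session?"""
    leaks = []
    for path in routes:
        if path in PUBLIC_PATHS:
            continue
        code, _ = dispatch(Request(path))
        if code == 200:
            leaks.append(path)
    return sorted(leaks)


if __name__ == "__main__":
    print("vulnerable router leaks:", audit_unauthenticated_access(dispatch_vulnerable, VULNERABLE_ROUTES))
    print("hardened router leaks:  ", audit_unauthenticated_access(dispatch_hardened, HARDENED_ROUTES))
```

The audit is the part worth keeping: enumerate every route the controller serves and confirm each non-public one refuses an unauthenticated request. It is cheap to run on a staging copy, and it catches exactly the case above, where the protected page and the unlisted page are the same handler reached two ways. Whether the device should be reachable from the Internet at all is a separate question the snippet also answers.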

"The URL that linked to the control system of US Business 1 provided access to a Graphical User Interface (GUI), which provided a floor plan layout of the office, with control fields and feedback for each office and shop area. All areas of the office were clearly labeled with employee names or area names."

As a gamer, I'll note the second snippet matches up with some games, which seems amusing, sad, and ironic to me.

As someone with much deeper background in physical security than computer security, I'll also note that the second snippet above would provide a lot of very useful intel for physical attacks and/or social engineering.

IMHO, social engineering attacks sit on the boundary between physical and computer security: walking in and pretending to be there to fix something is certainly a physical attack, though you might be placing a physical keylogger or other pen-testing equipment to attack the computer network.

