Rich Kulawiec points us to the news of Dillon Beresford of NSS Labs recently discovering (and revealing) that the Siemens control systems targeted by Stuxnet have massive security holes, including a hardcoded username/password combo ("basisk" for both, in case you were wondering). As Kulawiec noted:
We have been treated, over the past few years, to an increasing chorus of hysteria and hype about "cyberwar". Some of that has come from governments eager to justify their increasing invasion of citizen privacy. Some of that has come from government contractors, eager to score more $100M do-nothing contracts. And since Stuxnet has come to light, it's been held up repeatedly as an example of the extreme cleverness of attackers.
But while Stuxnet is pretty darn clever, that's not the real problem. The real problem is that the incompetent morons at Siemens allowed this piece of crap to get out the door and into production environments. Thus the storyline isn't so much about the devious and subtle craft of Stuxnet's creators, as it is about the jaw-dropping negligence of Siemens: how could their QA miss this? How could they allow such a rudimentary, obvious mistake to pass?
We don't need to spend billions (or trillions) on elaborate cyberwar initiatives. We need to stop making fundamental mistakes. We need to stop doing the stupid things that we KNOW are stupid.
But that kind of stuff isn't quite as sexy as declaring "cyberwar" and asking for billions of dollars from the government.