The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 28 Issue 47

Monday 26 January 2015


Unwitting trusted travelers and drug smuggling
AP via PGN
UK Commission recommends digital voting by 2020
Peter Bernard Ladkin
People upset that the E-911 folk want to use GLONASS
danny burstein
F-35 software is a buggy mess
Henry Baker
Implementation of Gas Station Remote Inventory Monitoring Systems vulnerable to attack
Ars via Bob Gezelter
California must lead on cybersecurity
Jonathan Mayer and Edward W. Felten via Henry Baker
Government Health Care Website Quietly Sharing Personal Data
ABC via Monty Solomon
AMA et al., on medical records?
Harry Hochheiser
Risks in uninformed legislation and governance
Jay Ashworth
Calls for ISPs to filter content could be illegal, EU council documents suggest
Lauren Weinstein
Autonomous Bot Seized For Illegal Purchases: Who's Liable When A Bot Breaks The Law?
Mike Masnick via robert schaefer
Mozilla tweaks `referer headers' in bid to limit website privacy grabs
Ars via Monty Solomon
2014: The year of living cable TV-free via Monty Solomon
Google discloses three severe vulnerabilities in Apple OS X
Monty Solomon
Cuba demonstrates the future of the Internet
Henry Baker
The Internet isn't the only one with a DNS/Certificate problem...
Henry Baker
Re: 4th-Party Collection: NSA's Wink Wink Nod Nod to the 4th Amendment
Dick Mills
Re: Today's Apps Are Turning Us Into Sociopaths?
Peter Houppermans
Re: Schneider Electric SCADA Gateway contains hardcoded credentials
Henry Baker
Bob Gezelter
Info on RISKS (comp.risks)

Unwitting trusted travelers and drug smuggling

"Peter G. Neumann" <>
Fri, 23 Jan 2015 13:36:56 PST
This is a really egregious example of exploits of a Time of Check to Time of
Use (ToCToU) vulnerability.  Hundreds of thousands of drivers with trusted
backgrounds have enrolled in the SENTRI program (Secure Electronic Network
for Travelers Rapid Inspection), which endows them with a "trusted traveler"
status—reducing to about fifteen minutes what are normally 2+ hour
crossings at automobile checkpoints from Mexico to the U.S.  Initially,
trusted travelers were issued windshield decals, although that ceased in
2013.  Smugglers have figured out they could track vehicles bearing the
decal on both sides of the border, plant magnetic containers with drugs
under the cars on the Mexican side, and then recover those containers on the
U.S. side.  With a little observation of who goes through the trusted
traveler lines regularly over time, even the subsequent absence of the
decals is not a serious obstacle.

Here the time of check is when the driver's automobile is registered in the
SENTRI program, and the time of use any time or times after that.

This exploit has been discovered accidentally, and has resulted in several
recent seizures.  A complication arises if the trusted traveler is actually
the culprit rather than the dupe, combining insider misuse with the ToCToU

Source: an Associated Press item, Unwitting drivers used to carry drugs,
unauthored, which I saw in the *San Francisco Chronicle*, 23 Jan 2015, D8.

UK Commission recommends digital voting by 2020

Peter Bernard Ladkin <>
Mon, 26 Jan 2015 15:25:05 +0100
A Commission called the Digital Democracy Commission, set up by the Speaker
of the UK House of Commons, apparently has recommended on-line voting be
implemented for the 2020 UK general election.

They are certainly right that it's somewhat popular, judging by letters
columns I read in a couple of UK publications. But it can equally be said
that the people who may make such recommendations and, unfortunately, who
may make such decisions do not appear to be sufficiently aware of the risks.

People who read RISKS are, though. So, let me pop in another one or two. If
you are going to use your smartphone to vote, then what is to prevent Apple
or Google or the NSA or GCHQ or all of them from knowing exactly who voted
for whom? Suppose they "secured" it and said so publicly, cross their hearts
and hope to die, who might want to believe it, given recent history of such
public statements? And how would this square with the UK Parliament
mandating decryptability for all civil electronic communications in the next
Parliament, if the current Prime Minister has his way.

And, for extra points -- we can go back way before smartphonery for this --
why might one think that it would not be such a great idea to have any of
those four entities -- or indeed any large influential organisation,
government or private -- being able to know who voted for whom?

Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
Je suis Charlie

People upset that the E-911 folk want to use GLONASS

danny burstein <>
Thu, 22 Jan 2015 19:05:58 -0500 (EST)
"GLONASS was chosen because similar US systems don't cover the required
territory, Trey Forgety, National Emergency Number Association's director of
government affairs, said.

"Besides that, GLONASS is a lot better than GPS in locating mobile phones
when the call is made from inside the building."

  Ok, there are clearly politics involved here, but to rely on a system
  under the complete control of another nation for such a critical piece of
  communications infrastructure raises my eyebrows, too.

F-35 software is a buggy mess

Henry Baker <>
Thu, 22 Jan 2015 08:19:21 -0800
This story reminds me of the elaborate hoaxes the Victorians played on the
Meiji-period Japanese, by providing the Japanese with shipbuilding plans
that were purposely flawed.

Security by obscurity wins!

Richard Chirgwin, *The Register*, 22 Jan 2015
US military finds F-35 software is a buggy mess
Tests jettisoned to protect schedule

The F-35 Joint Strike Fighter (JSF) remains the problem child of the US
military, with some operational tests abandoned in 2014, and buggy software
proving a headache.

The US military's Office of the Director, Operational Test & Evaluation
(DOT&E) has released its latest annual report, and the F-35 Joint Strike
Fighter chapter describes the Department of Defense's efforts in trying to
get the project back somewhere close to schedule.

To avoid a cascading series of delays that would have stretched into 2016,
the project abandoned an Operational Utility Evaluation (OUE) planned in
April 2014 for the Marines' Block 2B configuration of the aircraft.

The reasoning, explained at Aviation Week, was that Lockheed Martin couldn't
put together enough units in that configuration to run the Block 2B OUE in
time.  If it had proceeded, the OUE would have been pushed back until 2016,
in turn delaying the software development effort for Block 3F.

Instead, F-35A test aircraft will be used for a `limited assessment', the
report states.

The Block 2B tests were also impacted by restrictions imposed after a June
2013 engine failure in an F-35A unit.  That impacted software tests, because
the restricted flying hours “reduced the number of accessible test points.”

There were also unplanned software releases to fix bugs, in spite of which
“discoveries continued to occur in later versions of software.”

To try and get around software-associated delays, the test program is being
revised: some test points are being eliminated, reducing the total number of
test points remaining for Block 2B from 529 down to 243; and some fixes are
being deferred to the Block 3 program.

Mission `data load' software is also causing concern.  This software is
loaded on a mission-by-mission basis, working in conjunction with the
permanent systems, to operate sensors and respond to conditions for a
particular battleground (Aviation Week gives identifying hostile radars as
an example).

The DOT&E report says “truncating the mission data load development and
conducting open-air flight testing early on a limited open-air range for the
purpose of releasing a mission data load in mid-2015 would create
significant operational risk to fielded units.”

Implementation of Gas Station Remote Inventory Monitoring Systems vulnerable to attack (Ars)

"Bob Gezelter" <>
Mon, 26 Jan 2015 07:25:00 -0700
Ars Technica reports that the remotely accessible inventory reporting
systems used by the over 100,000 fuel dealers in North America use weak
security schemes for remote access (whether connecting over dial-ups or via
the public Internet). In a modern day transposition of Napoleon's "an army
travels on its stomach", this could lead to an attack that would disrupt the
availability of petroleum products. It is worth noting that
a key element in the Allied victory in World War II was the systematic
attacks against axis POL (Petroleum, Oil, and Lubricant) facilities and
logistic chains.  The core of the problem is that, rather than initiating
connections from the stations, the devices are polled, either over dial-up
lines or via the public Internet. Reportedly, most of the communications are
unencrypted, making them subject to eavesdropping, replay, and later,
impersonation attacks.  This is also an excellent example of what will
become a severe problem with Internet of Things, unsecured or weakly secured
devices with the ability to disrupt or endanger everyday life.  The original
article is at:

Bob Gezelter,

California must lead on cybersecurity

Henry Baker <>
Mon, 26 Jan 2015 08:42:21 -0800
FYI—Very interesting proposal.

Jonathan Mayer and Edward W. Felten, The Sacramento Bee, 24-24 Jan 2015

No state has more at stake on cybersecurity than California.  From
Hollywood's intellectual property to the Central Valley's water reserves to
Silicon Valley's cloud services, the Golden State is at singular risk.  But,
as the world's innovation capital, California also has a unique opportunity
to advance cybersecurity.

At last week's State of the Union address, President Barack Obama announced
a new federal cybersecurity agenda.  Except, it wasn't so new.  It was a
portfolio of unpopular old proposals, dusted off and relabeled.  The odds of
clearing Congress: low.  The odds of materially improving security: even

That's a shame.  Events over the past year—most prominently, the breach
at Sony Pictures in Culver City—have highlighted the growing importance
of cybersecurity.  Attacks are more frequent, better organized and
increasingly sophisticated.  And intruders are driven by a diverse range of
motives—greed, malice, national security or even national pride.
America's consumers, businesses and government agencies are undeniably under

While the federal government is stalled, however, the states have an
opportunity to lead. California could blaze a trail for effective
cybersecurity policy.

The Golden State is, in fact, already an innovator on technology security
and privacy.  In 2002, California passed the nation's first data breach
notification law.  If a company leaks personal data, it has to fess up and
provide warning.  Forty-six other states now have similar laws on the books.
In 2003, California mandated that online services make commitments about how
they handle consumer data.  That farsighted policy has contributed to
numerous law enforcement actions, both federal and state, where a business
has bungled security or privacy.

Demonstrated successes aside, there are other reasons for California to step
up.  One of the greatest concerns in cybersecurity policy is critical
infrastructure, such as power and water.  Even brief disruptions in service
could have extraordinary economic and human costs.  Remember the Northeast
blackout of 2003?  It may have claimed dozens of lives and cost the economy
billions of dollars.  And it was caused, in part, by a software bug.
California should not tolerate a fraction of that risk from cybersecurity

Utilities are already subject to extensive state legal requirements, and
they already answer to a powerful state regulatory commission.  Addressing
security and privacy would be a sensible application of existing authority.

Critical infrastructure increasingly relies on industrial automation
systems.  And those systems are often vulnerable—they keep a default
password, for instance, or are accessible from the public Internet.  These
are not subtle or sophisticated errors.  Fixing them requires basic due
diligence, not rocket science.  Requiring the state's critical
infrastructure providers to undergo regular security audits would be
straightforward and inexpensive—especially relative to the enormous

Areas of sensitive data are also low-hanging cyber fruit.  In health care,
education and finance, California already imposes security and privacy
requirements that go beyond federal law.  Those legal mandates, though, are
mostly enforced through after-the-fact penalties.  Much like critical
infrastructure, sectors that rely upon sensitive data would benefit from
periodic outside auditing.

California's own agencies are yet another worthwhile focus.  Many
government systems are outdated, including some that contain sensitive data.
According to the California Department of Justice, there were at least 20
leaks from state and local agencies in just the past year.  In addition to
regular audits, uniform security training and standards would be no-brainer

What's more, California could benefit the private sector through its own
improvements.  It could improve services on the market by leveraging its
massive acquisition outlays, presently over $4.5 billion on information
technology projects.  The state could also lead by example in deploying
security technology.  Migrating state and local websites to https, the
secure Web protocol, would be a good first step.

There are, to be sure, valid concerns about the Golden State taking action
on cybersecurity.  For starters, not all of California's agencies have
the requisite technical chops for making and enforcing cyberpolicies.  In
our view, the skills gap is manageable—outside experts are willing and
able to lend a hand.

That's no hypothetical.  When former Secretary of State Debra Bowen had
concerns about electronic voting systems in 2007, she brought in a cadre of
computer security researchers.  They quickly produced a comprehensive set of
reports, demonstrating severe vulnerabilities.  Similarly, when Attorney
General Kamala Harris made consumer privacy a focus of her administration,
her staff turned to experts in the field.

We know these models work because we collaborated on them.  To this day, the
secretary of state's “top to bottom” review is considered an
authoritative study of electronic voting machine security.  As for the
attorney general's consumer privacy initiative, it now reaches every
major app store.  California is home to some of the nation's greatest
technical minds; it should use them.

Another foreseeable worry is that California might mandate specific security
technologies.  We share this concern.  Governments have a spotty track
record at picking technical winners and losers, and technology is developing
too rapidly for rigid rules.  What we suggest is a middle ground: The state
could establish review processes and high-level standards, informed by
outside experts.  Businesses would then have substantial flexibility in
meeting those obligations.

An adaptable approach would also facilitate cybersecurity reform in other
states.  A national patchwork of nit-picky requirements serves no one.
Harmonized high-level standards, by contrast, would make multistate
compliance straightforward.  Best practices could percolate among
jurisdictions, channeled through auditors, consultants and large businesses.

As the federal government gets serious about cybersecurity, it too could
draw upon California's template.  This is already happening.  Versions of
the state's data breach notification law have already won bipartisan
support in Congress, and the White House has dubbed it a “landmark”

Even before Congress acts, California does not need to shoulder the
cybersecurity burden alone.  There are some areas where the federal
government has been effective, such as when businesses misrepresent their
practices to consumers.  The state can complement federal policy in those
spaces by cooperating on investigations and policymaking.  It can also bring
parallel enforcement actions, enhancing incentives for legal compliance.

California also need not tackle cybersecurity all at once.  The problem is
complex, to be sure, but it is also divisible.  Cybersecurity policy could
be comfortably enacted in bits and pieces as the state's priorities evolve.
Each of the proposals we suggest here, or reforms like them, could be
implemented in an evolutionary and exploratory fashion.

Supreme Court Justice Louis Brandeis famously observed that the states are
`laboratories of democracy'.  They can experiment, and lead, when the
federal government has failed to act.  California is already the nation's
laboratory for information technology.  It's time for the state to become a
laboratory for cybersecurity policy.

Jonathan Mayer is a doctoral candidate in computer science at Stanford
University, where he received his law degree in 2013.  He is a cybersecurity
fellow at the Center for International Security and Cooperation at Stanford.
Edward W. Felten is a professor of computer science and public affairs at
Princeton University and the director of Princeton's Center for
Information Technology Policy.  He served as chief technologist of the
Federal Trade Commission from 2011-12.

Government Health Care Website Quietly Sharing Personal Data (ABC)

Monty Solomon <>
Wed, 21 Jan 2015 23:17:30 -0500

AMA et al., on medical records?

Harry Hochheiser <>
Fri, 23 Jan 2015 08:51:59 -0500
AMA-Led Coalition tells ONC EHR Certification Must Change

"...The group charges that the MU [Meaningful Use] certification
requirements are contributing to EHR system problems with `downstream
effects' on patient safety and that MU certification “has become the
priority in health IT design at the expense of meeting physician customers'
needs, patient safety, and product innovation.”  The coalition also
expresses its concern with the “lack of oversight ONC places on authorized
testing and certification bodies for ensuring testing procedures and
standards are adequate to secure and protect electronic patient information
contained in EHRs.”  In addition to patient safety concerns, they say the
certification process lacks necessary security measures to protect patient
information."  [...]

Risks in uninformed legislation and governance

Jay Ashworth <>
Fri, 23 Jan 2015 13:32:04 -0500 (EST)
As technology expands to support and enable more of the things we want to do
-- and do more efficiently -- in life, it tends to bump head on into law.

And, more and more, those laws are being written by people who not only
don't understand the technology they're restricting, they *purposefully*
don't understand it.  They venerate ignorance.

On the last point first, I'm speaking of the dissolution of the Office Of
Technology Assessment [1] in 1995, which made a lot of people very angry and
was widely regarded as a bad move.  OTA's job was to do this very thing, and
to, perhaps, prevent stories like this one [2]:

  "Chairman of the Armed Services subcommittee, Rep. Mike Rogers, has sent
  an angry letter to the Secretary of Defense and Director of National
  Intelligence (DNI) after learning about the intentions of the US Federal
  Communications Commission (FCC) [to GLONASS-enable 911 routing].

  "Rogers asked the Department of Defense and DNI to detail the extent of
  GLONASS use and the effect on national security if Russia provides the
  satellite communications."

"Provides the satellite communications", while admittedly not a quote, is
the sort of language I would expect from a legislator who is a) wigging out
about The Reds, and b) doesn't understand at all how GPS satellite systems

As many RISKS readers probably understand, GPS satellites, whatever they
are, merely say "It's this time.  It's this time.  It's this time" and the
receivers calculate their position based on the differences in reception
time from various birds; there are no `satellite communications' in the
fashion in which that term would be generally understood by the nontechnical

Since they don't understand it, though, it's a dandy term to use to whip
them up into a frenzy.

A companion example is the White House's upcoming War On Hackers, discussed
in a blog posting by Robert Graham at Erratasec [3].  This too, is an
excellent example of the RISKS in allowing people to control things they
don't understand, and do not appreciate, or worse, care about, the
unexpected consequences of.

I often think the best solution is for system admins nationwide to simply
take a week off [4], and see how long things last [5].  After all, I didn't --
and I don't think anyone else did -- get into this career to worry about
whether my government thinks I ought to be a felon for doing the things that
are a normal part of my job.  Hopefully, a bit more sanity will be applied
to that bill before it comes to a vote.

[4] Call it a strike if you want
[5] I give it until Wednesday afternoon around 3:30

Jay R. Ashworth, Ashworth & Associates
St Petersburg FL USA  +1 727 647 1274
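As an added illustration of the receive-only point above (not part of Jay's post, and not any real receiver's code): a toy 2-D solver in which three satellites announce only their positions and the time, and the receiver recovers its own position and clock error from the arrival times alone. The constellation, receiver position and clock bias are constructed sample values.

```python
import math

C = 299_792.458  # speed of light in km/s

# Constructed 2-D toy constellation: (x, y) in km, Earth's centre at the origin.
# Real GPS is 3-D and needs four satellites; the principle is identical.
SATELLITES = [(0.0, 26600.0), (-16000.0, 21000.0), (17000.0, 20500.0)]


def pseudoranges(receiver, clock_bias_s):
    """What a receiver measures: each satellite says '<position>, sent at
    t_emit'; the receiver subtracts that from its own (biased) clock at
    arrival, so (arrival - t_emit) * C = true distance + C * clock_bias.
    Nothing is ever transmitted back to the satellite."""
    return [math.dist(s, receiver) + C * clock_bias_s for s in SATELLITES]


def solve3(a, rhs):
    """Solve a 3x3 linear system by Gaussian elimination with partial pivoting."""
    n = 3
    m = [list(a[i]) + [rhs[i]] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for k in range(col, n + 1):
                m[r][k] -= f * m[col][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x


def fix_position(rho, guess=(0.0, 0.0, 0.0), iters=50):
    """Gauss-Newton solve of x, y and the receiver clock bias from three
    pseudoranges, starting from Earth's centre with zero bias. The receiver's
    cheap clock is the third unknown, which is why three satellites are needed
    in 2-D (four in 3-D) even though the satellites only announce the time."""
    x, y, cb = guess  # cb is the clock bias expressed in km (C * seconds)
    for _ in range(iters):
        residuals, jac = [], []
        for (sx, sy), r in zip(SATELLITES, rho):
            d = math.hypot(sx - x, sy - y)
            residuals.append(r - (d + cb))  # measured minus predicted
            jac.append([-(sx - x) / d, -(sy - y) / d, 1.0])  # d(pred)/d(x,y,cb)
        dx, dy, dcb = solve3(jac, residuals)
        x, y, cb = x + dx, y + dy, cb + dcb
        if max(abs(dx), abs(dy), abs(dcb)) < 1e-9:
            break
    return x, y, cb / C


def position_error_km(receiver, clock_bias_s):
    """Round trip: simulate the broadcasts, solve, and report the error in km."""
    x, y, _ = fix_position(pseudoranges(receiver, clock_bias_s))
    return math.dist((x, y), receiver)
```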

Calls for ISPs to filter content could be illegal, EU council documents suggest

Lauren Weinstein <>
Thu, 22 Jan 2015 09:30:40 -0800
IT World via NNSquad

  "Last week justice ministers from across the European Union called on ISPs
  to conduct voluntary censorship of online content--but documents in
  preparation for a meeting of telecoms ministers suggest such a move could
  be illegal."

Autonomous Bot Seized For Illegal Purchases: Who's Liable When A Bot Breaks The Law? (Mike Masnick)

robert schaefer <>
Fri, 23 Jan 2015 11:34:21 -0500
Mike Masnick, 23 Jan 2015

"If you program a bot to autonomously buy things online, and some of those
things turn out to be illegal, who's liable? We may be about to have the
first such test case in Switzerland, after an autonomous buying bot was
"seized" by law enforcement."

It was only a matter of time for this kind of thing to happen with anonymous
purchasing.  The legal authorities can simply wait to see who picks up the
goods for physical items, but what about illegal purchases of virtual items?

robert schaefer, Atmospheric Sciences Group, MIT Haystack Observatory,
Westford, MA 01886 781-981-5767

Mozilla tweaks `referer headers' in bid to limit website privacy grabs

Monty Solomon <>
Wed, 21 Jan 2015 23:18:26 -0500

2014: The year of living cable TV-free

Monty Solomon <>
Fri, 23 Jan 2015 21:54:29 -0500

Google discloses three severe vulnerabilities in Apple OS X

Monty Solomon <>
Sat, 24 Jan 2015 10:26:02 -0500

Cuba demonstrates the future of the Internet

Henry Baker <>
Mon, 26 Jan 2015 10:35:58 -0800
FYI—This is the future of the Internet, brought to you by
NSA/GCHQ/Great-Firewall-of-China/etc.  Who knew that Cuba was such a leader
in high technology?

  [The current DNS & CA system is hopelessly broken, so without an immediate
  (<24 months) improvement, we can kiss the whole Internet goodbye.]

Cuban Youth Built A Secret Internet Network
Michael Weissenstein, Associated Press, 26 Jan 2015

Cut off from the Internet, young Cubans have quietly linked thousands of
computers into a hidden network that stretches miles across Havana, letting
them chat with friends, play games and download hit movies in a mini-replica
of the online world that most can't access.

Home Internet connections are banned for all but a handful of Cubans, and
the government charges nearly a quarter of a month's salary for an hour
online in government-run hotels and Internet centers.  As a result, most
people on the island live offline, complaining about their lack of access to
information and contact with friends and family abroad.

A small minority have covertly engineered a partial solution by pooling
funds to create a private network of more than 9,000 computers with small,
inexpensive but powerful hidden WiFi antennas and Ethernet cables strung
over streets and rooftops spanning the entire city.  Disconnected from the
real Internet, the network is limited, local and built with equipment
commercially available around the world, with no help from any outside
government, organizers say.

Hundreds are online at any moment pretending to be orcs or U.S. soldiers in
multiplayer online games such as "World of Warcraft" or "Call of Duty."
They trade jokes and photos in chat rooms and organize real-world events
like house parties or trips to the beach.

"We really need Internet because there's so much information online, but at
least this satisfies you a little bit because you feel like, 'I'm connected
with a bunch of people, talking to them, sharing files," said Rafael Antonio
Broche Moreno, a 22-year-old electrical engineer who helped build the
network known as SNet, short for `streetnet'.

Broche Moreno estimated it costs about $200 to equip a group of computers
with the antennas and cables needed to become a new node, meaning the cost
of networking all the computers in SNet could be as little as $200,000.
Similar but smaller networks exist in other Cuban cities and provinces.

"It's proof that it can be done," said Alien Garcia, a 30-year-old systems
engineer who publishes a magazine on information technology that's
distributed by email and storage devices.  "If I as a private citizen can
put up a network with far less income than a government, a country should be
able to do it, too, no?"

The Internet isn't the only one with a DNS/Certificate problem...

Henry Baker <>
Mon, 26 Jan 2015 07:04:37 -0800
FYI—I wonder how many spam advertising phone calls make it through into
the NSA and/or White House?  It must be significantly greater than zero.

Perhaps the acronym "MITM" has a new interpretation?

Alan Cowell, *The New York Times*, 26 Jan 2015
Prank Caller Pulls Wool Over British Surveillance Agency's Eyes  [PRUNE]

LONDON—At a time when Western leaders are clamoring for greater powers to
conduct covert surveillance, a prankster in Britain has turned the table on
the watchers, securing a private cellphone number for a top intelligence
chief and apparently making a separate phone call to the prime minister in
his name, British officials acknowledged on Monday.

The unidentified caller then phoned a tabloid newspaper on Sunday to boast.
He told the tabloid, *The Sun*, that he had been high on alcohol and drugs
when he persuaded GCHQ, the British electronic surveillance agency, to give
him a cellphone number for its director, Robert Hannigan.

Later, an unidentified caller widely believed to be the same person
pretended to be Mr. Hannigan in a separate call to Prime Minister David

“I've just made complete monkeys out of GCHQ; I've got the mobile number of
the director,” the unidentified caller told the newspaper.  [GCHQ
collaborates with NSA, and also works with Britain's domestic and overseas
intelligence services.  LONG ITEM PRUNED for RISKS.  PGN]

Re: 4th-Party Collection: NSA's Wink Wink Nod Nod to the 4th Amendment (Baker)

Dick Mills <>
Thu, 22 Jan 2015 14:45:51 -0500
NSA makes a big deal about their "minimization procedures" which restrict
access to data collected under 215 and 702.

They should be asked if the same minimization procedures apply to info
gathered by 4th-parties.  I suspect that the answer is no because they never
give an unequivocal answer such as "minimization procedures apply in all
circumstances to all data regardless of source."

Ditto for 215 and 702 data that is shared to allies.  An NSA employee
denied access to the data because he does not qualify under the
minimization rules might simply ask a friend at GCHQ if he could access
their copy of the same data.

Re: Today's Apps Are Turning Us Into Sociopaths? [Risks Digest 28.46]

Peter Houppermans <>
Thu, 22 Jan 2015 09:20:00 +0100
Hmm, one misguided app idea spun out into full article about an apparent
trend ("apps like") that heralds the end of society as we know it.

I hope Internet archives still hold the article detailing which doom befell
us with the release of Angry Birds.  An enquiring mind wants to know...

Re: Schneider Electric SCADA Gateway contains hardcoded credentials (Gezelter, RISKS-28.46)

Henry Baker <>
Wed, 21 Jan 2015 17:43:06 -0800
News Flash: Contrary to popular belief, there aren't turtles all the way
down.  There have to be credentials built-in at some point, and the only
question is who controls these credentials.  When you get an iPhone from
Apple, Apple controls those credentials; when you get a Windows computer
from HP, HP & Microsoft control those credentials.  You as a schlub
end-loser don't get to control almost _any_ of the credentials of the
computer objects that you supposedly "own".

Ideally, there should be some sort of _ceremony_ when you become the owner
of a computerized object, during which control of the credentials passes
from the vendor/distributor/previous owner to you--much like the ceremony
that transfers legal title of your new home to you along with the keys to
the premises.

Some computerized objects allow whomever has physical access to the object
to gain credentialed control—e.g., a home router with a reset/reboot
button together with a USB stick containing a new operating system.

You can easily tell which computerized objects you "own" by asking
the question: can I reflash its operating system with contents of my
choosing (including new credentials)?  If you can't, then that
computerized object is already "pwned" by someone else.

Re: Schneider Electric SCADA Gateway contains hardcoded credentials (Baker)

"Bob Gezelter" <>
Thu, 22 Jan 2015 08:48:13 -0700
Henry, Indeed, to use your words, "there aren't turtles all the way down".
The problem is not the existence of a documented, predefined default
configuration (which in any case, should not allow arbitrary use). Rather
the problem is products shipping with built-in security gaps.  Predefined
well-known default configuration settings (user=admin, password=admin)
are a bad idea. This is not a novel thought. The practice of widespread
default credentials was at the heart of several widespread attacks more than
two decades ago, which led OS vendors to require a new administrative
password be specified during installation.

With various appliances, including the referenced gateway, there are two
related problems:

- undocumented, non-removable credentials and access methods (e.g., SOHO
  routers with manufacturing interfaces left enabled in shipped product; SAN
  and storage controllers with manufacturer's magic access codes); and

- published default configurations which users can easily fail to modify
  during installation.

I have seen several cases of both. The first case basically invalidates all
attempts at imposing secure access (e.g., every service technician can
bypass all security). The second leads to a security breach when the
customer site fails to reset the credentials.  In the subject case, the
system is reported to ship with default credentials and enabled FTP access.
The default state should be "SAFE" not "UNSAFE". Consider getting house
locks from a store, with a universal key and the note "Please call a
locksmith to rekey before using".

Bob Gezelter,
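Added example, not from either poster and not any vendor's firmware: a toy gateway model that ships in the SAFE state Bob describes (no usable account, no remote service) and implements the take-ownership ceremony Henry proposes, together with an audit check that flags the UNSAFE shipped state. The account names, default passwords and the 12-character policy are constructed assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Published, well-known factory defaults. Constructed for this example; the
# digest item names no specific credential and neither does this list.
FACTORY_DEFAULTS = {"admin": "admin", "root": "root", "service": "service"}
PBKDF2_ROUNDS = 20_000  # kept low so the demo runs fast; production uses more


def credential_problem(user, password):
    """Return why a credential must be rejected, or None if it passes policy."""
    if not user or not password:
        return "empty username or password"
    if FACTORY_DEFAULTS.get(user) == password:
        return "credential is a published factory default"
    if password.lower() in (user.lower(), *FACTORY_DEFAULTS.values()):
        return "password is a well-known default or equals the username"
    if len(password) < 12:
        return "password shorter than 12 characters"
    return None


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Gateway:
    """Toy gateway that ships SAFE: no account is usable and no remote service
    runs until an owner completes the take-ownership ceremony."""
    owner_claimed: bool = False
    users: dict = field(default_factory=dict)  # user -> (salt, pbkdf2 digest)
    services: dict = field(default_factory=lambda: {"ftp": False, "web": False})

    @classmethod
    def shipped_unsafe(cls):
        """Constructed counter-example in the shape the item describes:
        published default credentials and FTP enabled out of the box."""
        g = cls()
        for user, pw in FACTORY_DEFAULTS.items():
            g._set_password(user, pw)
        g.services["ftp"] = True
        return g

    def _set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, _hash(password, salt))

    def authenticate(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return secrets.compare_digest(digest, _hash(password, salt))

    def claim_ownership(self, physical_presence, user, password):
        """The ceremony: proof of physical presence (say, a button held during
        the setup window) plus a credential that passes policy transfers
        control of the device from the vendor to the owner."""
        if self.owner_claimed:
            raise PermissionError("already owned; factory-reset to transfer")
        if not physical_presence:
            raise PermissionError("ceremony requires physical presence")
        problem = credential_problem(user, password)
        if problem:
            raise ValueError(problem)
        self._set_password(user, password)
        self.owner_claimed = True
        return True

    def enable_service(self, name, user, password):
        """Remote services stay off until an authenticated owner turns them on."""
        if not self.owner_claimed or not self.authenticate(user, password):
            raise PermissionError("refused: no authenticated owner")
        self.services[name] = True
        return True


def audit_config(gw):
    """Defender's check: list findings that mean the device is still UNSAFE."""
    findings = []
    for name, on in gw.services.items():
        if on and not gw.owner_claimed:
            findings.append(f"{name} enabled before any ownership ceremony")
    for user, pw in FACTORY_DEFAULTS.items():
        if gw.authenticate(user, pw):
            findings.append(f"account {user!r} still accepts its factory default")
            if gw.services.get("ftp"):
                findings.append(f"factory default {user!r} reachable over FTP")
    return findings
```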
