A Russian security researcher has uncovered security vulnerabilities that could allow a malicious attacker to conduct man-in-the-middle attacks, denial‑of‑service attacks, and possibly authenticate themselves as valid users.
So far, so much par for the course.
But what makes this vulnerability disclosure by Ilya Karpov of Positive Technologies particularly noteworthy, as The Register reports, is that the vulnerabilities were found in Siemens SIMATIC HMI devices used to control critical systems at petrochemical facilities, power plants and even the Large Hadron Collider.
Yes, you can imagine how that could cause problems…
One of the vulnerabiities, as described in ICS-CERT’s advisory explains that a hacker might only need a hash of the system’s password – rather than the password itself – to gain access to privileged systems.
If attackers obtain password hashes for SIMATIC WinCC users, they could possibly use the hashes to authenticate themselves. This vulnerability affects SIMATIC WinCC and SIMATIC PCS 7.
Threats such as Stuxnet and Dragonfly have raised the public’s awareness of the need to properly protect industrial control systems (ICS) which control critical infrastructure such as the management of electrical, water, oil, gas and data supplies.
Siemens says it has now patched the vulnerabilities.
Nonetheless, you think you had a headache keeping your home computer updated with security patches? Just imagine if you were responsible for securing the Large Hadron Collider or a nuclear plant…
On the subject of protecting nuclear plants…
http://www.bbc.co.uk/news/world-us-canada-32663107
And as for the character limit, while it is probably not a problem at 3000 characters (even for me mostly), the issue of quoting comes to mind as that adds up. Maybe you could have a way that quotes the article (I don't mean the full article but portions of). Perhaps this isn't a problem even, but I'm raising the point now just in case (at least it isn't like the BBC where they limit to 400 characters). But until this sentence it was 2494 characters left, and I didn't write all that much (though amusingly almost all of it is about the character limit itself).