Defcon: Software Vulnerability Exposes Hacking Threat

Terrorists and other criminals could exploit a newly discovered software flaw to hijack massive computer systems used to control critical infrastructure like oil refineries, power plants and factories, a researcher said Saturday. Ganesh Devarajan, a security researcher with 3Com Corp.'s TippingPoint in Austin, Texas, demonstrated the software vulnerability he uncovered to attendees at the Defcon […]

Terrorists and other criminals could exploit a newly discovered software flaw to hijack massive computer systems used to control critical infrastructure like oil refineries, power plants and factories, a researcher said Saturday.

Ganesh Devarajan, a security researcher with 3Com Corp.'s TippingPoint in Austin, Texas, demonstrated the software vulnerability he uncovered to attendees at the Defcon hacker conference on computer security.

The software is used to manage supervisory control and data acquisition, or SCADA, systems - computers that regulate the functioning of such important infrastructure as oil and gas pipelines, water treatment and power transmission facilities and the giant factories used by large technology companies.

The flaw could crash certain SCADA computer systems, particularly older ones, Devarajan said. The intrusion works by attacking sensors within the facilities that are linked to the Internet through unencrypted connections.

Devarajan declined to identify the software company whose product he hacked in his demonstration but said his firm has notified the company of the vulnerability so it can fix the problem.

Similar weaknesses likely exist in other programs, Devarajan said.

"SCADA systems are scary because they control your day-to-day life," he said. "And they use lightweight software - all you need to do is send some false requests and you can talk to them easily. These are scary threats."

Authorities have become increasingly concerned about vulnerabilities in SCADA systems as they've moved from closed networks to being connected to the Internet, said Linton Wells II, the Defense Department's former chief information officer and now distinguished research professor at National Defense University.

"People need to realize this is not just the techie, geek, adjunct stuff that doesn't affect their lives," he said before Devarajan's presentation.

Full Post

Defcon, Security, Hack, Hacking, Hackers, Intrunsion, Flaw, Vulnerabilities, Software vulnerability