Earlier this week we reported that hackers had tried to poison the water supply of the 15,000 people in the town of Oldsmar, Florida, USA. This was done by breaking into the software that controls the water treatment process and raising the amount of sodium hydroxide (lye) in the water to dangerous levels.
Ars Technica now reports that Massachusetts state authorities and the FBI have both concluded that the affected infrastructure had serious security flaws.
Running Windows 7
Among other things, the computers involved ran Windows 7, an operating system that Microsoft no longer supports and which has not received any security updates in over a year.
Employees also shared a single password for TeamViewer, the program the attacker used to gain remote access to the system. The internet-connected computers running TeamViewer also appear to have had no firewall of any kind in front of them.
According to Ars Technica, there are indications that the authorities suspect a former employee may be behind the intrusion.
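The article names the remote-access path (TeamViewer reached from the internet with a shared password). As an added example that is not part of the original article or of any Oldsmar report, the script below shows the kind of check a plant could run over TeamViewer's local incoming-connection log to spot sessions from unexpected TeamViewer IDs or outside working hours. The log layout (tab-separated: TeamViewer ID, display name, start, end, local user, connection type, connection ID, with times as DD-MM-YYYY HH:MM:SS) is assumed from the format TeamViewer writes to Connections_incoming.txt; the sample lines, the allowlisted ID and the working-hours window are constructed for this example.

```python
"""Flag suspicious TeamViewer incoming sessions (added example, not from the article)."""
from datetime import datetime

# Assumed: TeamViewer's Connections_incoming.txt uses DD-MM-YYYY HH:MM:SS timestamps.
LOG_TIME_FMT = "%d-%m-%Y %H:%M:%S"

# Constructed sample log, not real data from Oldsmar. Tab-separated fields:
# TeamViewer ID, display name, start, end, local Windows user, type, connection ID.
SAMPLE_LOG = """\
123456789\tplant-ops-laptop\t04-02-2021 09:12:03\t04-02-2021 09:45:40\tOPERATOR\tRemoteControl\t{aaaa}
123456789\tplant-ops-laptop\t05-02-2021 08:02:11\t05-02-2021 08:10:00\tOPERATOR\tRemoteControl\t{bbbb}
987654321\tunknown-host\t05-02-2021 13:30:00\t05-02-2021 13:35:20\tOPERATOR\tRemoteControl\t{cccc}
555000111\tvendor-support\t06-02-2021 02:15:00\t06-02-2021 02:40:00\tOPERATOR\tRemoteControl\t{dddd}
"""

# Constructed allowlist: the only TeamViewer ID the plant expects to connect.
ALLOWED_IDS = {"123456789"}


def parse_connections(text):
    """Parse Connections_incoming.txt content into a list of session dicts."""
    sessions = []
    for line in text.splitlines():
        fields = line.rstrip("\r").split("\t")
        if len(fields) < 7:
            continue  # blank or truncated line; skip rather than crash
        sessions.append({
            "tv_id": fields[0],
            "display_name": fields[1],
            "start": datetime.strptime(fields[2], LOG_TIME_FMT),
            "end": datetime.strptime(fields[3], LOG_TIME_FMT),
            "local_user": fields[4],
            "conn_type": fields[5],
            "conn_id": fields[6],
        })
    return sessions


def flag_sessions(sessions, allowed_ids, work_start=7, work_end=18):
    """Return (session, reasons) for sessions from unknown IDs or outside work hours."""
    flagged = []
    for s in sessions:
        reasons = []
        if s["tv_id"] not in allowed_ids:
            reasons.append("unknown TeamViewer ID")
        # Session start hour compared against the [work_start, work_end) window.
        if not (work_start <= s["start"].hour < work_end):
            reasons.append("outside working hours")
        if reasons:
            flagged.append((s, reasons))
    return flagged


if __name__ == "__main__":
    for session, reasons in flag_sessions(parse_connections(SAMPLE_LOG), ALLOWED_IDS):
        duration = session["end"] - session["start"]
        print(f"{session['start']} id={session['tv_id']} ({session['display_name']}) "
              f"user={session['local_user']} {duration}: {', '.join(reasons)}")
```

Because every operator logged in with the same TeamViewer password, the local user column cannot tell sessions apart; the remote TeamViewer ID and the time of day are the only signals left in this log, which is why the check keys on those two fields.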
Doesn't the military run its own Windows XP version that it has been updating on its own dime, because it is safer and better than anything after it? Or is that just an urban myth?
They did, as of 2015. Don't know if they still do.
And it's not necessarily that it's "safer" and "better", but they likely have a bunch of software that they either can't get to run on newer versions or aren't able to qualify on newer versions. This happens a lot in regulated industries too, where it becomes cost-prohibitive to qualify upgrades to systems to run on the newer OSes, so it doesn't get done.
I know State Department still has 2003 servers running around the network somewhere. Legacy systems and incompetent management are a fucking security scourge.
There's probably some mission-critical system that they're unable or unwilling to replace.