Well, it’s a little early to talk about postscripts for that particular malware, which continues to cast a long shadow. (In fact, it was only a week ago that I mentioned it in passing here.)
However, while looking back through my ESET email for something quite different, I was kind of amused to come across a post from Randy Abrams drawing my attention to an article from 2007 by Andy Greenberg, for Forbes.
The first sentences read, “The first time Scott Lunsford offered to hack into a nuclear power station, he was told it would be impossible. There was no way, the plant’s owners claimed, that their critical components could be accessed from the internet.”
Greenberg goes on to quote Lunsford as saying that the job turned out to be one of the easiest penetration tests he’d ever done. If you’ve read the notes I recently released, you wouldn’t be surprised that SCADA sites are not always bulletproof, but you might be surprised, reading Greenberg’s article, that Auriemma is only one of the more recent in a long line of researchers who’ve tried control software and found it wanting… And whoever it was told Lunsford he was going to fail was already just the latest link in a long chain of disappointed people…
In 1985, according to Fred Cohen, he was evaluating computer systems at a conference in California. At the first booth he went to, he found a limited–function interface and asked to conduct an experiment to see if he could break into the system. He was told, “There is no way you are going to break into this system.” Of course, he did, starting with the least-privileged account possible. And at the next three booths he was told that the same attack would work against their systems, too. (The story is in his book, A Short Course on Computer Viruses.)
Moral? Mistrust the words, “there is no way…” There is nearly always a way.