lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BANLkTimP9tBuKe4g1t=rQi8fqGG78GQH-A@mail.gmail.com>
Date: Sun, 17 Apr 2011 14:35:56 +0100
From: Cal Leeming <cal@...whisper.co.uk>
To: Benji <me@...ji.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Florida Power & Light Company (FPL) Fort
 Sumner Wind turbine Control SCADA was HACKED

So hold on.. the person who did this, was an ex-employee who already had
access to their systems?

On Sun, Apr 17, 2011 at 2:28 PM, Benji <me@...ji.com> wrote:

> Interesting, as @reversemode on twitter has pointed out
>
> 74.50.135.51 is the ip for the scada system as pointed out, and found by
> SHODAN
>
> http://www.shodanhq.com/?q=Ft.+Sumner+SCADA
>
> Not the 160.x.x.x IP as indicated in the original email.
>
> On Sun, Apr 17, 2011 at 12:41 PM, Benji <me@...ji.com> wrote:
>
>> so wait? Let me humor you..
>>
>>
>> SSH was running and publically accessible so it was actually legal for me
>> to login to <something>,gov, as if they didnt want me to connect it wouldnt
>> be a publically accessible service?
>>
>>
>> On Sun, Apr 17, 2011 at 12:39 PM, Jeffrey Walton <noloader@...il.com>wrote:
>>
>>> > so how long do you give yourself before you're in prison?
>>> lol....
>>>
>>> To pay devil's advocate here: FPL placed those hosts on a public
>>> internet. In addition, FPL also configured the hosts to advertise services.
>>> If FPL did not want the services accessed, the company would have removed
>>> the hosts from the public internet, shut down the services, or used leased
>>> [private] lines. Where's the leap to a criminal offense?
>>>
>>> Jeff
>>>
>>> On Sun, Apr 17, 2011 at 6:29 AM, Benji <me@...ji.com> wrote:
>>>
>>>> so how long do you give yourself before you're in prison?
>>>>
>>>> On Sat, Apr 16, 2011 at 4:22 PM, Bgr R <bgr_24423@...oo.com> wrote:
>>>>
>>>>> Here comes my revenge for illegitimate firing from Florida Power &
>>>>> Light Company (FPL)
>>>>>    ... ain't nothing you can do with it, since your electricity is
>>>>> turned off !!!
>>>>>
>>>>> Secure you SCADA better! Leaked files are attached ...
>>>>>
>>>>> 1) http://img838.imageshack.us/i/49986845.png/
>>>>> 2) http://img718.imageshack.us/i/24380855.png/
>>>>> 3) http://img24.imageshack.us/i/58868342.png/
>>>>> 4) http://img228.imageshack.us/i/85258364.png/
>>>>> 5) http://img163.imageshack.us/i/90736853.png/
>>>>> 6) http://img217.imageshack.us/i/55439027.png/
>>>>> 7) http://img40.imageshack.us/i/87526089.png/
>>>>> 8) http://img864.imageshack.us/i/94061747.png/
>>>>> ------------------------------------------------------------
>>>>>
>>>>> 161.154.232.65
>>>>>
>>>>> HTTP/1.0 401 Unauthorized
>>>>> Date: Sat, 05 Feb 2011 23:43:13 GMT
>>>>> Server: VTS 9.0.05
>>>>> Content-Type: text/html
>>>>> Content-Length: 622
>>>>> Cache-Control: no-cache
>>>>> WWW-Authenticate: Basic realm="Ft. Sumner SCADA"
>>>>> Cache-control: no-cache="set-cookie"
>>>>> Cache-control: private
>>>>> Set-Cookie: VTS=9.0005;Version=1;Path=/
>>>>> Set-Cookie: SessionID=0;Version=1;Path=/Ft. Sumner
>>>>> SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c3576a
>>>>> Set-Cookie:
>>>>> SessionID=0;Version=1;Path=/Ft%2e%20Sumner%20SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c..
>>>>>
>>>>> NetRange:       161.154.0.0 - 161.154.255.255
>>>>> CIDR:           161.154.0.0/16
>>>>> OriginAS:
>>>>> NetName:        FPL2
>>>>> NetHandle:      NET-161-154-0-0-1
>>>>> Parent:         NET-161-0-0-0-0
>>>>> NetType:        Direct Assignment
>>>>> RegDate:        1992-12-17
>>>>> Updated:        2008-10-10
>>>>> Ref:            http://whois.arin.net/rest/net/NET-161-154-0-0-1
>>>>>
>>>>> OrgName:        Florida Power & Light Company
>>>>> OrgId:          FFPL-1
>>>>> Address:        700 Universe Blvd
>>>>> Address:        P.O. Box 14000
>>>>> City:           Juno Beach
>>>>> StateProv:      FL
>>>>> PostalCode:     33408-0420
>>>>> Country:        US
>>>>> RegDate:        1997-06-03
>>>>> Updated:        2007-06-29
>>>>> Ref:            http://whois.arin.net/rest/org/FFPL-1
>>>>>
>>>>> OrgAbuseHandle: INFOR40-ARIN
>>>>> OrgAbuseName:   Information Security
>>>>> OrgAbusePhone:  +1-305-552-3727
>>>>> OrgAbuseEmail:  information_security@....com
>>>>> OrgAbuseRef:    http://whois.arin.net/rest/poc/INFOR40-ARIN
>>>>>
>>>>> OrgTechHandle: DHE37-ARIN
>>>>> OrgTechName:   Hertzog, Dean
>>>>> OrgTechPhone:  +1-305-552-4080
>>>>> OrgTechEmail:  FPLNOC@....com
>>>>> OrgTechRef:    http://whois.arin.net/rest/poc/DHE37-ARIN
>>>>>
>>>>> OrgNOCHandle: DHE37-ARIN
>>>>> OrgNOCName:   Hertzog, Dean
>>>>> OrgNOCPhone:  +1-305-552-4080
>>>>> OrgNOCEmail:  FPLNOC@....com
>>>>> OrgNOCRef:    http://whois.arin.net/rest/poc/DHE37-ARIN
>>>>>
>>>>>
>>>>> -------------------------------------------------------------------------------
>>>>> Configuration file from the central Cisco Router and Security Device
>>>>> Manager: 161.154.232.2 (FPL - FFPL-1)
>>>>>
>>>>> Building configuration...
>>>>>
>>>>> Current configuration : 8467 bytes
>>>>> !
>>>>> ! Last configuration change at 18:01:57 UTC Mon Oct 25 2010 by ro5810
>>>>> ! NVRAM config last updated at 18:01:59 UTC Mon Oct 25 2010 by ro5810
>>>>> !
>>>>> version 12.2
>>>>> no service pad
>>>>> service timestamps debug datetime localtime
>>>>> service timestamps log datetime localtime
>>>>> service password-encryption
>>>>> service udp-small-servers
>>>>> service tcp-small-servers
>>>>> !
>>>>> hostname cpr622i00bct
>>>>> !
>>>>> logging buffered 65000 debugging
>>>>> logging rate-limit all 10 except critical
>>>>> enable secret 5 $1$7uN5$Ok9fYku/HC/KNqWQkHoWP.
>>>>> !
>>>>> aaa new-model
>>>>> aaa authentication login default group tacacs+ enable
>>>>> aaa authentication enable default group tacacs+ enable
>>>>> aaa authorization exec default group tacacs+ none
>>>>> aaa accounting exec default start-stop group tacacs+
>>>>> aaa accounting commands 15 default start-stop group tacacs+
>>>>> !
>>>>> aaa session-id common
>>>>> ip subnet-zero
>>>>> no ip source-route
>>>>> ip routing
>>>>> !
>>>>> no ip domain-lookup
>>>>> ip host cs00noc 172.16.0.132
>>>>> ip host cs01noc 172.16.0.133
>>>>> ip host cs00noc-pub 209.215.34.12
>>>>> ip host cs01noc-pub 209.215.34.11
>>>>> ip name-server 205.152.132.23
>>>>> ip name-server 205.152.144.23
>>>>> vtp domain Core
>>>>> vtp mode transparent
>>>>> !
>>>>> mls qos
>>>>> no mpls traffic-eng auto-bw timers frequency 0
>>>>> !
>>>>> !
>>>>> no file verify auto
>>>>> spanning-tree mode pvst
>>>>> spanning-tree extend system-id
>>>>> !
>>>>> !
>>>>> !
>>>>> vlan internal allocation policy ascending
>>>>> !
>>>>> vlan 1578
>>>>>  name FPL
>>>>> !
>>>>> policy-map SHAPER1
>>>>>   class class-default
>>>>>    shape average 250000000
>>>>> !
>>>>> !
>>>>> !
>>>>> interface FastEthernet1/0/1
>>>>> !
>>>>> interface FastEthernet1/0/2
>>>>> !
>>>>> interface FastEthernet1/0/3
>>>>> !
>>>>> interface FastEthernet1/0/4
>>>>> !
>>>>> interface FastEthernet1/0/5
>>>>> !
>>>>> interface FastEthernet1/0/6
>>>>> !
>>>>> interface FastEthernet1/0/7
>>>>> !
>>>>> interface FastEthernet1/0/8
>>>>> !
>>>>> interface FastEthernet1/0/9
>>>>> !
>>>>> interface FastEthernet1/0/10
>>>>> !
>>>>> interface FastEthernet1/0/11
>>>>> !
>>>>> interface FastEthernet1/0/12
>>>>> !
>>>>> interface FastEthernet1/0/13
>>>>> !
>>>>> interface FastEthernet1/0/14
>>>>> !
>>>>> interface FastEthernet1/0/15
>>>>> !
>>>>> interface FastEthernet1/0/16
>>>>> !
>>>>> interface FastEthernet1/0/17
>>>>> !
>>>>> interface FastEthernet1/0/18
>>>>> !
>>>>> interface FastEthernet1/0/19
>>>>> !
>>>>> interface FastEthernet1/0/20
>>>>> !
>>>>> interface FastEthernet1/0/21
>>>>> !
>>>>> interface FastEthernet1/0/22
>>>>> !
>>>>> interface FastEthernet1/0/23
>>>>> !
>>>>> interface FastEthernet1/0/24
>>>>> !
>>>>> interface GigabitEthernet1/0/1
>>>>> !
>>>>> interface GigabitEthernet1/0/2
>>>>> !
>>>>> interface GigabitEthernet1/1/1
>>>>>  switchport trunk allowed vlan 1578
>>>>>  switchport mode trunk
>>>>>  switchport nonegotiate
>>>>>  ip access-group 112 in
>>>>>  service-policy output SHAPER1
>>>>>  load-interval 30
>>>>>  speed nonegotiate
>>>>> !
>>>>> interface GigabitEthernet1/1/2
>>>>>  no switchport
>>>>>  ip address 161.154.232.2 255.255.255.0
>>>>>  ip access-group 115 in
>>>>>  load-interval 30
>>>>>  keepalive 10
>>>>>  speed nonegotiate
>>>>>  mls qos trust dscp
>>>>>  no cdp enable
>>>>>  no clns route-cache
>>>>>  hold-queue 100 in
>>>>>  hold-queue 100 out
>>>>> !
>>>>> interface Vlan1
>>>>>  no ip address
>>>>>  shutdown
>>>>> !
>>>>> interface Vlan1578
>>>>>  ip address 65.14.117.30 255.255.255.252
>>>>>  load-interval 30
>>>>>  no clns route-cache
>>>>> !
>>>>> ip classless
>>>>> ip route 0.0.0.0 0.0.0.0 65.14.117.29
>>>>> ip route 155.109.5.0 255.255.255.0 161.154.232.1
>>>>> ip route 155.109.19.0 255.255.255.0 161.154.232.1
>>>>> ip route 155.109.29.0 255.255.255.0 161.154.232.1
>>>>> ip route 155.109.29.204 255.255.255.255 65.14.117.29
>>>>> ip route 155.109.29.214 255.255.255.255 65.14.117.29
>>>>> ip route 155.109.66.0 255.255.255.0 161.154.232.1
>>>>> ip route 155.109.88.0 255.255.255.0 161.154.232.1
>>>>> ip route 155.109.95.0 255.255.255.0 161.154.232.1
>>>>> ip route 161.154.0.0 255.255.0.0 161.154.232.1
>>>>> ip route 170.55.0.0 255.255.0.0 161.154.232.1
>>>>> ip route 204.238.236.0 255.255.255.0 161.154.232.1
>>>>> no ip http server
>>>>> ip http secure-server
>>>>> !
>>>>> !
>>>>> !
>>>>> access-list 98 permit 205.152.144.226
>>>>> access-list 98 permit 205.152.132.250
>>>>> access-list 98 permit 205.152.132.226
>>>>> access-list 98 permit 205.152.144.250
>>>>> access-list 98 permit 205.152.144.165
>>>>> access-list 98 permit 205.152.37.19
>>>>> access-list 98 permit 205.152.37.20
>>>>> access-list 98 permit 205.152.144.163
>>>>> access-list 98 permit 205.152.37.26
>>>>> access-list 98 permit 205.152.37.27
>>>>> access-list 98 permit 205.152.132.163
>>>>> access-list 98 permit 205.152.132.165
>>>>> access-list 98 permit 205.152.37.250
>>>>> access-list 98 permit 205.152.37.226
>>>>> access-list 98 permit 205.152.132.27
>>>>> access-list 98 permit 205.152.132.26
>>>>> access-list 98 permit 205.152.144.20
>>>>> access-list 98 permit 205.152.37.163
>>>>> access-list 98 permit 205.152.37.165
>>>>> access-list 98 permit 205.152.144.19
>>>>> access-list 98 permit 205.152.144.27
>>>>> access-list 98 permit 205.152.144.26
>>>>> access-list 98 permit 139.76.53.0 0.0.0.255
>>>>> access-list 98 permit 139.76.68.0 0.0.3.255
>>>>> access-list 98 permit 139.76.88.0 0.0.1.255
>>>>> access-list 98 permit 139.76.228.0 0.0.3.255
>>>>> access-list 98 permit 139.76.240.0 0.0.1.255
>>>>> access-list 98 permit 172.16.0.0 0.0.1.255
>>>>> access-list 98 permit 205.152.6.0 0.0.0.255
>>>>> access-list 98 permit 205.152.66.0 0.0.0.255
>>>>> access-list 98 permit 205.152.204.0 0.0.0.255
>>>>> access-list 99 permit 68.153.6.0 0.0.1.255
>>>>> access-list 99 permit 172.16.0.0 0.0.1.255
>>>>> access-list 99 permit 139.76.53.0 0.0.0.255
>>>>> access-list 99 permit 139.76.68.0 0.0.3.255
>>>>> access-list 99 permit 139.76.88.0 0.0.1.255
>>>>> access-list 99 permit 139.76.228.0 0.0.3.255
>>>>> access-list 99 permit 139.76.240.0 0.0.1.255
>>>>> access-list 99 permit 205.152.6.0 0.0.0.255
>>>>> access-list 111 permit ip 65.14.117.28 0.0.0.3 any
>>>>> access-list 111 permit ip 74.175.105.64 0.0.0.31 any
>>>>> access-list 111 permit ip 205.152.17.0 0.0.0.255 any
>>>>> access-list 111 permit ip 155.109.0.0 0.0.255.255 any
>>>>> access-list 111 permit ip 161.154.0.0 0.0.255.255 any
>>>>> access-list 111 permit ip 205.152.161.0 0.0.0.255 any
>>>>> access-list 111 permit ip 204.238.236.0 0.0.0.255 any
>>>>> access-list 111 permit ip 170.55.0.0 0.0.255.255 any
>>>>> access-list 112 deny   ip 204.0.0.0 0.0.255.255 any
>>>>> access-list 112 deny   ip 204.1.0.0 0.0.255.255 any
>>>>> access-list 112 deny   ip 204.3.0.0 0.0.255.255 any
>>>>> access-list 112 deny   ip 69.22.0.0 0.0.192.255 any
>>>>> access-list 112 permit ip any any
>>>>> access-list 115 deny   53 any any
>>>>> access-list 115 deny   55 any any
>>>>> access-list 115 deny   77 any any
>>>>> access-list 115 deny   pim any any
>>>>> access-list 115 permit ip any any
>>>>> no cdp run
>>>>> snmp-server community Ty#Qr53b RO 98
>>>>> snmp-server community R5t3bF5c RW 98
>>>>> tacacs-server host 172.16.0.132
>>>>> tacacs-server host 209.215.34.12
>>>>> tacacs-server host 172.16.0.133
>>>>> tacacs-server host 209.215.34.11
>>>>> tacacs-server timeout 10
>>>>> tacacs-server directed-request
>>>>> tacacs-server key 7 010703174F
>>>>> !
>>>>> radius-server source-ports 1645-1646
>>>>> !
>>>>> control-plane
>>>>> !
>>>>> banner motd ^CC
>>>>> ######################################################################
>>>>> #                                                                    #
>>>>> #                    ***PRIVATE/PROPRIETARY***                       #
>>>>> #                                                                    #
>>>>> #       ANY UNAUTHORIZED ACCESS TO, OR MISUSE OF BELLSOUTH           #
>>>>> #       SYSTEMS OR DATA MAY RESULT IN CIVIL AND/OR CRIMINAL          #
>>>>> #       PROSECUTION, EMPLOYEE DISCIPLINE UP TO AND INCLUDING         #
>>>>> #       DISCHARGE, OR THE TERMINATION OF VENDOR/SERVICE CONTRACTS.   #
>>>>> #                                                                    #
>>>>> #       BELLSOUTH MAY PERIODICALLY MONITOR AND/OR AUDIT SYSTEM       #
>>>>> #       ACCESS/USAGE.                                                #
>>>>> #                                                                    #
>>>>> #                                                                    #
>>>>> ######################################################################
>>>>> #                                                                    #
>>>>> #             <VERSION TEMPLATE DATE@...E>                           #
>>>>> ######################################################################
>>>>> ^C
>>>>> privilege exec level 1 traceroute
>>>>> privilege exec level 1 ping
>>>>> privilege exec level 1 terminal monitor
>>>>> privilege exec level 1 terminal
>>>>> privilege exec level 1 show line
>>>>> privilege exec level 1 show snmp
>>>>> privilege exec level 1 show arp
>>>>> privilege exec level 1 show accounting
>>>>> privilege exec level 1 show service-module
>>>>> privilege exec level 1 show version
>>>>> privilege exec level 1 show reload
>>>>> privilege exec level 1 show debugging
>>>>> privilege exec level 1 show controllers
>>>>> privilege exec level 1 show users
>>>>> privilege exec level 1 show sessions
>>>>> privilege exec level 1 show access-lists
>>>>> privilege exec level 1 show privilege
>>>>> privilege exec level 1 show interfaces
>>>>> privilege exec level 1 show startup-config
>>>>> privilege exec level 1 show
>>>>> privilege exec level 1 clear line
>>>>> privilege exec level 1 clear counters
>>>>> privilege exec level 1 clear
>>>>> !
>>>>> line con 0
>>>>>  exec-timeout 5 30
>>>>>  password 7 070C285F4D06
>>>>> line vty 0 4
>>>>>  access-class 99 in
>>>>>  exec-timeout 30 0
>>>>>  password 7 03075218050061
>>>>> line vty 5 15
>>>>>  access-class 99 in
>>>>>  exec-timeout 30 0
>>>>>  password 7 03075218050061
>>>>> !
>>>>> end
>>>>>
>>>>> ----------------------------------------------------
>>>>> Fort Sumner wind turbines:
>>>>> http://www.flickr.com/photos/30325073@N02/4113855086/
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ