Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security The Courts Crime United States

Judge Sentences Man To One Year In Prison For Hacking Smart Water Readers In Five US Cities (bleepingcomputer.com) 60

An anonymous reader writes: A Pennsylvania man was sentenced to one year and one day in prison for hacking and disabling base stations belonging to water utility providers in five cities across the U.S. East Coast. Called TGB, these devices collect data from smart meters installed at people's homes and relay the information to the water provider's main systems, where it is logged, monitored for incidents, and processed for billing. Before he was fired by the unnamed TGB manufacturing company, Flanagan's role was to set up these devices. After he was fired, Flanagan used former root account passwords to log onto the devices and disable their ability to communicate with their respective water utility providers' upstream equipment. He wasn't that careful, as the FBI was able to trace back the attacks to his home. Apparently, the guy wasn't that silent, leaving behind a lot of clues. Flanagan's attacks resulted in water utility providers not being able to collect user equipment readings remotely. This incurred damage to the utility providers, who had to send out employees at customer premises to collect monthly readings. He was arrested in Nov 2014, and later pleaded guilty.
This discussion has been archived. No new comments can be posted.

Judge Sentences Man To One Year In Prison For Hacking Smart Water Readers In Five US Cities

Comments Filter:
  • Goobers... (Score:4, Insightful)

    by KGIII ( 973947 ) <uninvolved@outlook.com> on Monday June 26, 2017 @04:24PM (#54694461) Journal

    I am not even a security professional. Hell, I'm retired. Even *I* know that you revoke passwords when you fire someone - and if they can't be revoked, you change them. (That they can't be revoked is another matter - and probably another stupid fucking idea.) Ideally, you revoke their access before you fire them and when they're unable to access the system by means of physical separation.

    • Policy and practice are two different things. It gets harder when someone has been in a job for years and years and had access to thousands of systems over that time period.
      • by KGIII ( 973947 )

        Yeah... They should have someone keep track of that. Maybe they could call them, I don't know, something like a Compliance Officer? Maybe stick Security on the front of it... It'd probably save them some money, at least in the long term and assuming they hire someone capable and listen to them.

        • at least in the long term and assuming they hire someone capable and listen to them.

          I see 3 things that a lot of companies have never thought about for very long.

    • Re:Goobers... (Score:5, Interesting)

      by bobbied ( 2522392 ) on Monday June 26, 2017 @04:57PM (#54694627)

      I got laid off about 10 years ago and I was responsible for maintaining firewalls and remote access network equipment for the company's customers around the world. I left them with a document that listed *every* password that I had set on *every* one of the firewalls and VPN endpoints with instructions that said "CHANGE THESE!"

      They called me a year later asking if I knew the passwords for customer "x" firewall and remote access server... Where I remembered what I had set them to, my response was "Didn't you read the document I left for you?" And when they said "No" I quickly responded with "I don't know the passwords and I don't have a copy of the document I gave you, you are on your own."

      NO way I was going to admit that I had unfettered access to these systems....There was no upside for me and these idiots didn't have a clue what security was so I didn't dare risk being blamed for some problem by admitting I still knew the passwords...

      I did offer to help them recover all the passwords at a few hundred dollars an hour plus expenses, with a minimum of 8 hours paid in advance... And they didn't ever call me back, which was fine with me. They were idiots, both for laying me off initially, then refusing to pay the retention bonus and keep me on after the 90 day notice period when they realized their error PLUS not changing such sensitive passwords when I departed then coming back to ask me for them a year later.

      • by KGIII ( 973947 )

        That's kinda scary. In the few instances we had issues with employees, they were physically separated and access terminated as they were escorted from the building. (That was kinda rare, actually. I had great people working with me.)

        But, yeah... See, I hired smart people to do things I could not - and then I, you know, listened to them because, again, I hired them to do things I could not. If I could have done them, I'd not have had to hire them.

        In your case, was there nobody smart to listen to - or did the

        • My working theory is they canned me in a cost cutting effort driven by a new department director. She was a nice lady, but I think she misunderstood my perspective when she REQUIRED my presence at a 9 AM breakfast meeting the morning after a 2 AM maintenance window (the third one that week) and then asked us to share what we thought should be changed... Yea, it was stupid to complain about 9 AM mandatory meetings after being up all night working, but at that point I'd had about 2 hours sleep/night for a co

      • by Anonymous Coward

        NO way I was going to admit that I had unfettered access to these systems....There was no upside for me and these idiots didn't have a clue what security was so I didn't dare risk being blamed for some problem by admitting I still knew the passwords...

        Yeah, but you just admitted to it here. All they have to do is subpoena your /. account history, and you're fucked.

        • I never touched any of the systems after my departure and this was over 15 years ago at this point so I think the statute of limitations has run out. Not to mention, they are now out of business... Trust me, I'm golden.

          The reason I didn't admit to remembering is three fold.. 1. I told them the passwords already in the document I left with them... 2. I didn't want to leave them the impression that I maintained a backdoor or had accessed any of these systems had they experienced a security problem... 3. I

    • by Lumpy ( 12016 )

      Problem is companies that make smart meters, for all of the utilities only employ really low IQ types for their programmers, there is a LOT of hardcoded backdoors and admin passwords in them that can notbe changed. They simply rely on obscurity for their security.

      This is the problem companies are not liable for their crap-tastic security. until they are you will not see them putting in place anything that has any semblance of security.

    • Hell, I'm retired. Even *I* know that you revoke passwords when you fire someone

      You're on Slashdot. That puts you head and shoulders above most of the people managing such devices. You talk about password revocation and password changing. How about something simple like making the password not "password" or the name of the company you work for.

      Baby steps.

  • Hacked? (Score:5, Insightful)

    by chuckugly ( 2030942 ) on Monday June 26, 2017 @04:28PM (#54694479)
    In what universe is accessing a system using the device password you were issued "hacking"? Attack, yes, unauthorized access, yes, hack? Not so much.
  • that's not hacking.
    meh. Against stupidity even the gods themselves contend in vain.
  • Free water?! It's not like the stuff just falls out of the sky for free. Oh wait...

    • I live in town and have no water rights on my own land... I can't dig a well or have a rain barrel.

    • In many smaller cities and towns, the water treatment plants are older (circa 1970's or so) and expensive to maintain. I live in one such city, along the Potomac River, and our water bills are combined with sewer and trash pickup. We're billed once every 3 months, and the typical bill is easily in excess of $350. Trash collection is only once per week here, with no yard waste pickup - so it really only amounts to $80 or so of the total bill. The rest is sewer and water, which go hand-in-hand.

      If you have a

  • Probably a dumb question, but per the second (twitter link):

    ..defendant...remotely accessed a TGB...and and changed the password to "fuckyou."

    Wouldn't that imply that the passwords on these internet connected devices are being stored in plaintext somewhere? I'm no security expert, but that seems like it's a bad idea.

    • Maybe it was md5 hashed. Nearly the same thing as plaintext.

      • by Anonymous Coward

        I believe they used the much stronger ROT26

    • Well, that is the sort of thing that one might easily crack using a dictionary. For all I know it is in amongst the "common" passwords somewhere.
  • Aaron Swartz (Score:3, Insightful)

    by Rockoon ( 1252108 ) on Monday June 26, 2017 @05:17PM (#54694765)
    Consider, Aaron Swartz faced less jail time.

    This guy got a 1 year sentence but faced up to 90 years and a $3 million fine.

    This pretty well backs up my theory that Aaron may have never had to serve any time as a member of the general population of a federal prison, and even if he did it would not have been anything even close to the maximum.
    • This guy got a 1 year sentence but faced up to 90 years and a $3 million fine.

      Mad dog court system, drunk on power, crazed with bloodlust.

  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Monday June 26, 2017 @05:18PM (#54694775) Homepage

    he could have made a lot of money. Quietly kept his root access, put in a few logging scripts that would have searched and told him where water usage had dropped in for a couple of days ... probably a good sign that people are away on holiday ... sold this information on to his friend Burglar Bill who could have paid the properties an uninvited visit; very hard to trace this back to leaked water readings [pardon the pun]. This is why accepting smart meters into your house that allow real time water/electric/... usage is a huge security risk.

    The utilities all claim that it is perfectly safe - something that this story shows is a lie -- or at best wildly optimistic. The reason that they want to do this is to increase their profits - but the cost is your household security; but they don't care about that.

    • by Anonymous Coward

      You don't need TGB access to do that. Just get an antenna and use RTL-SDR, most of these transmissions aren't encrypted. You don't get the range of data the TGB has, but the TGB doesn't have the address or anything either, just a meter number and usage, and a few flags as data.

    • Wish I could mod you up...

  • "What do you mean I have to get out of my car? Send him to prison!"

  • by Visarga ( 1071662 ) on Monday June 26, 2017 @10:04PM (#54696035)
    We all know you can't fire the person with root access to your devices. These companies never learn. /s

"An idealist is one who, on noticing that a rose smells better than a cabbage, concludes that it will also make better soup." - H.L. Mencken

Working...