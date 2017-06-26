Judge Sentences Man To One Year In Prison For Hacking Smart Water Readers In Five US Cities (bleepingcomputer.com) 24
An anonymous reader writes: A Pennsylvania man was sentenced to one year and one day in prison for hacking and disabling base stations belonging to water utility providers in five cities across the U.S. East Coast. Called TGB, these devices collect data from smart meters installed at people's homes and relay the information to the water provider's main systems, where it is logged, monitored for incidents, and processed for billing. Before he was fired by the unnamed TGB manufacturing company, Flanagan's role was to set up these devices. After he was fired, Flanagan used former root account passwords to log onto the devices and disable their ability to communicate with their respective water utility providers' upstream equipment. He wasn't that careful, as the FBI was able to trace the attacks back to his home. Apparently, the guy wasn't that silent, leaving behind a lot of clues. Flanagan's attacks resulted in water utility providers not being able to collect user equipment readings remotely. This incurred damage to the utility providers, who had to send employees out to customer premises to collect monthly readings. He was arrested in Nov 2014, and later pleaded guilty.
I am not even a security professional. Hell, I'm retired. Even *I* know that you revoke passwords when you fire someone - and if they can't be revoked, you change them. (That they can't be revoked is another matter - and probably another stupid fucking idea.) Ideally, you revoke their access before you fire them and when they're unable to access the system by means of physical separation.
I got laid off about 10 years ago and I was responsible for maintaining firewalls and remote access network equipment for the company's customers around the world. I left them with a document that listed *every* password that I had set on *every* one of the firewalls and VPN endpoints with instructions that said "CHANGE THESE!"
They called me a year later asking if I knew the passwords for customer "x" firewall and remote access server... Where I remembered what I had set them to, my response was "Didn't
meh. Against stupidity even the gods themselves contend in vain.
Free water?! It's not like the stuff just falls out of the sky for free. Oh wait...
I live in town and have no water rights on my own land... I can't dig a well or have a rain barrel.
You might be surprised....
In many smaller cities and towns, the water treatment plants are older (circa 1970's or so) and expensive to maintain. I live in one such city, along the Potomac River, and our water bills are combined with sewer and trash pickup. We're billed once every 3 months, and the typical bill is easily in excess of $350. Trash collection is only once per week here, with no yard waste pickup - so it really only amounts to $80 or so of the total bill. The rest is sewer and water, which go hand-in-hand.

If you have a
Plaintext passwords?
..defendant...remotely accessed a TGB...and changed the password to "fuckyou."
Wouldn't that imply that the passwords on these internet connected devices are being stored in plaintext somewhere? I'm no security expert, but that seems like it's a bad idea.
Maybe it was md5 hashed. Nearly the same thing as plaintext.
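Why an unsalted MD5 hash is "nearly the same thing as plaintext", shown as an added example (not code from the article or from any device vendor): one precomputed word-to-hash table reverses every stored MD5 value it covers, whereas a per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256 here) forces the work to be redone for each account. The wordlist is a constructed sample standing in for a real leaked-password list.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist; a real list would have millions of entries.
WORDLIST = ["password", "123456", "admin", "letmein", "fuckyou", "root"]

PBKDF2_ITERATIONS = 200_000  # tuning knob; higher means slower guessing


def md5_store(password: str) -> str:
    """The weak scheme from the comment: unsalted MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def build_md5_table(wordlist=WORDLIST) -> dict:
    """Precompute hash -> word once. Because there is no salt, the same
    table works against every user of every device using this scheme."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def md5_recover(stored: str, table: dict):
    """Constant-time dictionary lookup: effectively reading the plaintext."""
    return table.get(stored)


def pbkdf2_store(password: str) -> str:
    """Salted, iterated hash. Format: hex(salt)$hex(digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def pbkdf2_verify(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def salted_hashes_differ(password: str) -> bool:
    """Two accounts with the same password get different stored values,
    so no shared lookup table can cover them."""
    return pbkdf2_store(password) != pbkdf2_store(password)


if __name__ == "__main__":
    table = build_md5_table()
    print("md5 recovered:", md5_recover(md5_store("fuckyou"), table))
    print("pbkdf2 verify:", pbkdf2_verify(pbkdf2_store("fuckyou"), "fuckyou"))
```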
The damages are "less profits" because they had to, you know, hire people and pay them a wage.