Comments on: Stumbling upon Security Issues

By: Tyler

Tyler — Wed, 04 Jun 2008 11:32:08 +0000

The same as you I would have done the same thing – reporting it to the owners. It always surprises me of this when I hear about them even though it shouldn’t. Good find…hopefully they’ll fix it.

By: Tom

Tom — Wed, 04 Jun 2008 00:24:32 +0000

Thanks for the comments. Yes, war dialing sometimes gets overlooked…and can still be the easy way in to a network. Seems like most new HVAC installations are Internet enabled with the default security settings of "no security".

By: Matt

Matt — Mon, 02 Jun 2008 23:33:50 +0000

Sadly I have seen a couple HVAC systems connected to the Internet, in most cases the manufacture or vendor required the company to do this so they could "remotely administer the system."

Systems like this are the primary reason I still recommend people war dial their exchanges. More often than not when war dialing a large company I will discover an HVAC or elevator control system connect to a modem. Tip - If you come across a modem set to 300, 1200 or 2400 baud it is probably a control system of some sort. And of course it goes without saying you should only wardail ranges you are authorized to scan.

What would I of done in the scenario above? Probably the same actions you took and try to contact the site administrator.

By: Quzart

Quzart — Mon, 02 Jun 2008 15:21:11 +0000

Hmmm, I think I would ‘leave a present’, like putting a textfile on the server, or changing something that doesn’t mess up the whole system. Then I would email them that something isn’t right and let them know what I changed so they know it is serious.

By: Tarek

Tarek — Mon, 02 Jun 2008 10:49:43 +0000

It depends, I sometimes prefer to put a Black Hat when I am in the Evil and Wanna-Have-Some Phun mood, but I guess most of the time I will prefer putting a White Hat on instead