Re: [Full-disclosure] Florida Power & Light Company (FPL) Fort Sumner Wind turbine Control SCADA was HACKED
- To: noloader@xxxxxxxxx
- Subject: Re: [Full-disclosure] Florida Power & Light Company (FPL) Fort Sumner Wind turbine Control SCADA was HACKED
- From: Benji <me@xxxxxxxxx>
- Date: Sun, 17 Apr 2011 14:28:16 +0100
Interesting, as @reversemode on Twitter has pointed out,
74.50.135.51 is the IP for the SCADA system, as found by
SHODAN:
http://www.shodanhq.com/?q=Ft.+Sumner+SCADA
Not the 160.x.x.x IP as indicated in the original email.
On Sun, Apr 17, 2011 at 12:41 PM, Benji <me@xxxxxxxxx> wrote:
> So wait? Let me humor you..
>
>
> SSH was running and publicly accessible so it was actually legal for me
> to login to <something>.gov, as if they didn't want me to connect it wouldn't
> be a publicly accessible service?
>
>
> On Sun, Apr 17, 2011 at 12:39 PM, Jeffrey Walton <noloader@xxxxxxxxx> wrote:
>
>> > so how long do you give yourself before you're in prison?
>> lol....
>>
>> To play devil's advocate here: FPL placed those hosts on a public internet.
>> In addition, FPL also configured the hosts to advertise services. If FPL did
>> not want the services accessed, the company would have removed the hosts
>> from the public internet, shut down the services, or used leased [private]
>> lines. Where's the leap to a criminal offense?
>>
>> Jeff
>>
>> On Sun, Apr 17, 2011 at 6:29 AM, Benji <me@xxxxxxxxx> wrote:
>>
>>> so how long do you give yourself before you're in prison?
>>>
>>> On Sat, Apr 16, 2011 at 4:22 PM, Bgr R <bgr_24423@xxxxxxxxx> wrote:
>>>
>>>> Here comes my revenge for illegitimate firing from Florida Power & Light
>>>> Company (FPL)
>>>> ... ain't nothing you can do with it, since your electricity is
>>>> turned off !!!
>>>>
>>>> Secure your SCADA better! Leaked files are attached ...
>>>>
>>>> 1) http://img838.imageshack.us/i/49986845.png/
>>>> 2) http://img718.imageshack.us/i/24380855.png/
>>>> 3) http://img24.imageshack.us/i/58868342.png/
>>>> 4) http://img228.imageshack.us/i/85258364.png/
>>>> 5) http://img163.imageshack.us/i/90736853.png/
>>>> 6) http://img217.imageshack.us/i/55439027.png/
>>>> 7) http://img40.imageshack.us/i/87526089.png/
>>>> 8) http://img864.imageshack.us/i/94061747.png/
>>>> ------------------------------------------------------------
>>>>
>>>> 161.154.232.65
>>>>
>>>> HTTP/1.0 401 Unauthorized
>>>> Date: Sat, 05 Feb 2011 23:43:13 GMT
>>>> Server: VTS 9.0.05
>>>> Content-Type: text/html
>>>> Content-Length: 622
>>>> Cache-Control: no-cache
>>>> WWW-Authenticate: Basic realm="Ft. Sumner SCADA"
>>>> Cache-control: no-cache="set-cookie"
>>>> Cache-control: private
>>>> Set-Cookie: VTS=9.0005;Version=1;Path=/
>>>> Set-Cookie: SessionID=0;Version=1;Path=/Ft. Sumner
>>>> SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c3576a
>>>> Set-Cookie:
>>>> SessionID=0;Version=1;Path=/Ft%2e%20Sumner%20SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c..
>>>>
>>>> NetRange: 161.154.0.0 - 161.154.255.255
>>>> CIDR: 161.154.0.0/16
>>>> OriginAS:
>>>> NetName: FPL2
>>>> NetHandle: NET-161-154-0-0-1
>>>> Parent: NET-161-0-0-0-0
>>>> NetType: Direct Assignment
>>>> RegDate: 1992-12-17
>>>> Updated: 2008-10-10
>>>> Ref: http://whois.arin.net/rest/net/NET-161-154-0-0-1
>>>>
>>>> OrgName: Florida Power & Light Company
>>>> OrgId: FFPL-1
>>>> Address: 700 Universe Blvd
>>>> Address: P.O. Box 14000
>>>> City: Juno Beach
>>>> StateProv: FL
>>>> PostalCode: 33408-0420
>>>> Country: US
>>>> RegDate: 1997-06-03
>>>> Updated: 2007-06-29
>>>> Ref: http://whois.arin.net/rest/org/FFPL-1
>>>>
>>>> OrgAbuseHandle: INFOR40-ARIN
>>>> OrgAbuseName: Information Security
>>>> OrgAbusePhone: +1-305-552-3727
>>>> OrgAbuseEmail: information_security@xxxxxxx
>>>> OrgAbuseRef: http://whois.arin.net/rest/poc/INFOR40-ARIN
>>>>
>>>> OrgTechHandle: DHE37-ARIN
>>>> OrgTechName: Hertzog, Dean
>>>> OrgTechPhone: +1-305-552-4080
>>>> OrgTechEmail: FPLNOC@xxxxxxx
>>>> OrgTechRef: http://whois.arin.net/rest/poc/DHE37-ARIN
>>>>
>>>> OrgNOCHandle: DHE37-ARIN
>>>> OrgNOCName: Hertzog, Dean
>>>> OrgNOCPhone: +1-305-552-4080
>>>> OrgNOCEmail: FPLNOC@xxxxxxx
>>>> OrgNOCRef: http://whois.arin.net/rest/poc/DHE37-ARIN
>>>>
>>>>
>>>> -------------------------------------------------------------------------------
>>>> Configuration file from the central Cisco Router and Security Device
>>>> Manager: 161.154.232.2 (FPL - FFPL-1)
>>>>
>>>> ----------------------------------------------------
>>>> Fort Sumner wind turbines:
>>>> http://www.flickr.com/photos/30325073@N02/4113855086/
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>
>>
>