I was reading the SCADA mailing list this afternoon when I noticed an email about a new online SCADA training program provided by the DHS. I figured I would have a look. My first problem, straight away, is that this thing is NOT using SSL. At the very least, make sure it is not passing passwords in the clear.
So, I create a user account. Being my normal pain-in-the-butt self, I decide to create the user “Bob Smith”. Nice and generic. I had my sniffer all ready to go and I thought…wait a tick. I’m going to try and see if there is any sort of password enforcement.
(insert alarm sound)
Nope, I entered a password of “a” and THE DAMN THING ACCEPTED IT! So what, you might say? Well, if you are trying to teach people about security you might want to start with some basics, like using strong passwords for one thing! I was able to log in with a weaker-than-hell password to take my “Cyber Security for Control System Engineers & Operators” course. Here is the description that accompanies the course.
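For contrast with a site that accepts “a”, here is the minimal server-side registration check such a portal should have had. This is an added example written for this post, not code from the DHS training site; the length threshold, the tiny denylist and the PBKDF2 iteration count are my own assumptions, and the password hashing is included only to show that the check belongs next to proper credential storage.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12                     # assumed policy minimum
PBKDF2_ROUNDS = 200_000             # assumed work factor for stored hashes
# Constructed stand-in for a breached/common-password denylist.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}


def check_password(password: str) -> list[str]:
    """Return every policy violation found; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    return problems


def register_user(username: str, password: str, users: dict) -> bool:
    """Refuse weak passwords; otherwise store a salted PBKDF2 hash, never the password."""
    if check_password(password):
        return False
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    users[username] = (salt, digest)
    return True


def verify_password(username: str, password: str, users: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = users.get(username)
    if record is None:
        return False
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    store = {}
    print("register 'a':", register_user("bob", "a", store), check_password("a"))
    print("register strong:", register_user("bob", "Correct-Horse-Battery-9", store))
    print("verify:", verify_password("bob", "Correct-Horse-Battery-9", store))
```

Note that this check only fixes one of the two problems in the post: a strong password sent over plain HTTP is still readable by anyone with a sniffer on the path, so the policy is worthless without TLS on the login form.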
Students will learn about cyber security risks in control systems and how to mitigate those risks. This training was developed through the Control Systems Security Program, established by the U.S. Department of Homeland Security National Cyber Security Division.
How to mitigate those risks? Hmmm.
Check it out for yourself to see US tax dollars hard at work. There is no excuse for this crap.
I’m going home….
Tags: SCADA Security, DHS, SCADA Web Based Training, Dumbass