http://www.wired.com/threatlevel/2012/04/ruggedcom-to-fix-vuln/
By Kim Zetter
Threat Level
Wired.com
April 30, 2012
After ignoring a serious security vulnerability in its product for at
least a year, a Canadian company that makes equipment and software for
critical industrial control systems announced quietly on Friday that it
would eliminate a backdoor login account in its flagship operating
system, following public disclosure and pressure.
RuggedCom, which was purchased recently by the German conglomerate Siemens,
said in the next few weeks it would be releasing new versions of its
RuggedCom firmware in order to remove the backdoor account from critical
components used in power grids, railway and traffic control systems, as
well as military systems.
The company also said in a press release that the update would disable
telnet and remote shell services by default. Those two services were the
communication vectors through which an intruder could discover and
exploit a vulnerable system.
Critics say the company should never have installed the backdoor, which
was exposed last week by independent security researcher Justin W.
Clarke, and that its having done so shows no evidence of security
awareness in its development process, raising questions about what other
problems its products may contain.
[...]