Sophos Senior Security Advisor Chester Wisniewski wrote an interesting piece on why phpMyAdmin is one of the weakest links in the SCADA security chain. In a Naked Security blog post, he writes of how he got the creeps when learning that many SCADA systems are using it.

It has been reported that a SCADA systems failure at a municipal water processing plant may have been caused by hackers infiltrating their network. The attackers were repeatedly turning a pump on and off until it caused the pump to fail, raising an alert to the operators.

Upon investigation they determined that attackers may have infiltrated the system starting in September 2011, although the attack wasn’t discovered until November 8th, 2011. The notice about the attack noted that it was similar to an attack against the Massachusetts Institute of Technology earlier this year which exploited bugs in the open source software phpMyAdmin.

Reading about this my spidey-sense was tingling… What? They have SCADA control systems hooked up to the public internet? And they are running phpMyAdmin!?!?

I run a reasonably low profile, small website for myself and some friends and at one point had installed phpMyAdmin to assist them with daily SQL management chores. I removed it four years ago after a never ending stream of severe vulnerabilities made it too risky for my *play* site.

According to the National Vulnerability Database, phpMyAdmin has at least 105 reported security vulnerabilities.

It would appear it is common practice these days to connect these sensitive critical infrastructure systems to the public internet and use COTS (Common Off The Shelf) software to manage them. Convenience and price are always desirable to those responsible for managing these systems, but this is bordering on criminally negligent when you are responsible for our water, power, gas and other sensitive utilities.

He’s right, of course. Hopefully, the incidents of last week will light a fire under those responsible for managing these complex, critical infrastructure networks. Doing away with the use of phpMyAdmin is probably an excellent place to start.

–Bill Brenner