A couple of weeks ago, right after I wrote my two sets of 2008 (in)security predictions (here and here), Mogull informed me that he was penning an article for Dark Reading on how security predictions are useless. He even sent me a rough draft to rub it in.
His Dark Reading article is titled "The Perils of Predictions - and Predicting Peril" which you can read here. The part I liked best was, of course, the multiple mentions that some idiot was going to predict an attack on SCADA infrastructure:
Oh, and there is one specific prediction I'll make for next year: Someone will predict a successful SCADA attack, and it won't happen. Until it does.
So, I'm obviously guilty as charged. Yup, I predicted it. Yup, I think it will happen.
In fact, it already has...
You see, Mogull is a huge geek and has invested large sums of money in his new home and outfitted it with a complete home automation system. In reality, this home automation system is basically just a scaled down version of a SCADA system (Supervisory Control and Data Acquisition.) Controlling sensors and integrating telemetry with centralized reporting and control...
Rich and I are always IM'ing and emailing one another, so a few days ago before Rich left town for an international junket, I sent him a little email asking him to review something I was working on. The email contained a link to my "trusted" website.
The page I sent him to was actually trojaned with the 0day POC code for the QT RTSP vulnerability from a couple of weeks ago. I guess Rich's Leopard ipfw rules need to be modified because right after he opened it, the trojan executed and then phoned home (to me) and I was able to open a remote shell on TCP/554 right to his Mac which incidentally controls his home automation system. I totally pwn his house.
So a couple of days ago, Rich went out of town and I waited patiently for the DR article to post. Now that it's up, I have exacted my revenge.
I must say that I think Rich's choice of automation controllers was top-shelf, but I think I might have gone with a better hot tub controller because I seem to have confused it and now it will only heat to 73 degrees.
I also think he should have gone with better carpet.
I'm pretty sure his wife is going absolutely bonkers given the fact that the lights in the den keep blinking to the beat of a Lionel Ritchie song and the garage door opener keeps trying to attack the gardener. I will let you know that I'm being a gentleman and not peeking at the CCTV images...much.
Let this be a lesson to you all. When it comes to predicting SCADA attacks, don't hassle the Hoff!
/Hoff