SCADA attack code released

A security researcher has published code that could be used to take control of computers used to manage industrial machinery, potentially giving hackers a back door into utility companies, water plants, and even oil and gas refineries.

The software was published late Friday night by Kevin Finisterre, a researcher who said he wants to raise awareness of the vulnerabilities in these systems, problems that he said are often downplayed by software vendors. "These vendors are not being held responsible for the software that they're producing," said Finisterre, who is head of research with security testing firm Netragard. "They're telling their customers that there is no problem, meanwhile this software is running critical infrastructure."

Finisterre released his attack code as a software module for Metasploit, a widely used hacking tool. By integrating it with Metasploit, Finisterre has made his code much easier to use, security experts said. "Integrating the exploit with Metasploit gives a broad spectrum of people access to the attack," said Seth Bromberger, manager of information security at PG&E. "Now all it takes is downloading Metasploit and you can launch the attack."