<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
Hi David,<br>
<br>
You have some good points. All the more reason to have a rock-solid
backup.<br>
<br>
While not directly relevant to putting USB flash drives into secure
computers, this reminds me of some cool technology that was discussed
on a Security Now podcast. It allows failsafe transmission of data in
one direction from one system to another with no possibility of sending
data in the other direction. This allows, for example, the output of
telemetry from a nuclear plant with no data pipe back in which could be
hacked. It would also allow, for example, the sending of security
camera data into a secure facility without any possibility of data
leaking back out.<br>
<br>
The way they do it is to have a send only computer and a receive only
computer. They are linked together with fiber optic cable. The send
only machine has ONLY a transmit circuit, like a laser diode. The
receive only machine has ONLY a receive circuit, like a photo
detector. Thus, it is physically impossible for data to be sent in the
wrong direction. The person who wrote into the show says they have
equipment in half of our nuclear facilities for this purpose. I
thought this was a very cool idea.<br>
<br>
You can find data on it here:<br>
<br>
<a class="moz-txt-link-freetext" href="http://www.grc.com/sn/sn-379.pdf">http://www.grc.com/sn/sn-379.pdf</a> - see page 17<br>
<a class="moz-txt-link-freetext" href="http://media.grc.com/sn/sn-379.mp3">http://media.grc.com/sn/sn-379.mp3</a> - relevant discussion at 01:06:05<br>
<a class="moz-txt-link-freetext" href="http://www.owlcti.com/dualdiode_technology.html">http://www.owlcti.com/dualdiode_technology.html</a><br>
<br>
Sincerely,<br>
<br>
Ron<br>
<br>
<br>
<br>
On 1/18/2013 11:06 PM, David Tomaschik wrote:
<blockquote
cite="mid:CAOy4VzfT17EF8z+TOj7_o6soxHYpnLcQr+zgiz3f4nHzmKjFAA@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Ron,
<div><br>
</div>
<div style="">You're making a big assumption here -- that the
software on the computer can be updated. Many SCADA applications are
only validated on VERY specific configurations and aren't updated to
every new version. SCADA really shouldn't be on the internet, and
workers really shouldn't be plugging flash drives into SCADA.</div>
<div style=""><br>
</div>
<div style="">David</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Fri, Jan 18, 2013 at 5:27 PM, Ron Frazier
(ALE) <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:atllinuxenthinfo@techstarship.com" target="_blank">atllinuxenthinfo@techstarship.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi
all,<br>
<br>
Step 1 - configure basic os and operational software from trusted
sources<br>
Step 2 - configure av, but it has to be updated, which could be a
problem<br>
Step 3 - scan the machine<br>
Step 4 - TURN AUTOPLAY OFF - applies to Linux too<br>
Step 5 - backup the machine locally<br>
Step 6 - backup the machine offsite, or at least in a second location
in a fireproof bunker<br>
Step 7 - maybe make a master backup on an mdisc or something so it's
permanent<br>
Step 8 - when the machine must be updated, scan the update media first
on a separate system with autoplay off<br>
Step 9 - do the update and create a second set of backups<br>
Step 10 - repeat until 3 - 6 entire sets of backups are in place<br>
<br>
OK, I'm not a security guru and there are many variations on this theme.
But, that wasn't TOO hard to figure out. It wouldn't necessarily
protect too well against zero day exploits. But, since I solved their
problem, I want their salary.<br>
<br>
Ron<br>
<div>
<div class="h5"><br>
<br>
Sergio Chaves <<a moz-do-not-send="true"
href="mailto:sergio.chaves@gmail.com">sergio.chaves@gmail.com</a>>
wrote:<br>
<br>
><a moz-do-not-send="true"
href="http://www.eweek.com/security/usb-storage-drive-loaded-with-malware-shuts-down-power-plant/?kc=EWKNLNAV01182013STR1"
target="_blank">http://www.eweek.com/security/usb-storage-drive-loaded-with-malware-shuts-down-power-plant/?kc=EWKNLNAV01182013STR1</a><br>
><br>
>Sometimes you just gotta say, WTF???<br>
><br>
>"US-CERT, which is part of the U.S. Department of Homeland Security,<br>
>declined to identify which power plant was affected, and did not say<br>
>whether the facility was operating on nuclear or conventional power.<br>
>Industrial control systems frequently use Windows-based computers to<br>
>run their specialized software, but they rarely run antivirus
software<br>
>because these computers aren’t connected to outside networks.
However,<br>
>using a USB drive to perform updates is common on these systems."<br>
><br>
>_______________________________________________<br>
>Ale mailing list<br>
><a moz-do-not-send="true" href="mailto:Ale@ale.org">Ale@ale.org</a><br>
><a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>See JOBS, ANNOUNCE and SCHOOLS lists at<br>
><a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br>
<br>
</div>
</div>
--<br>
<br>
Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9
Mail.<br>
Please excuse my potential brevity.<br>
<br>
(To whom it may concern. My email address has changed. Replying to
former<br>
messages prior to 03/31/12 with my personal address will go to the wrong<br>
address. Please send all personal correspondence to the new address.)<br>
<br>
(PS - If you email me and don't get a quick response, you might want to<br>
call on the phone. I get about 300 emails per day from alternate energy<br>
mailing lists and such. I don't always see new email messages very
quickly.)<br>
<br>
Ron Frazier<br>
<a moz-do-not-send="true" href="tel:770-205-9422"
value="+17702059422">770-205-9422</a> (O) Leave a message.<br>
linuxdude AT <a moz-do-not-send="true" href="http://techstarship.com"
target="_blank">techstarship.com</a><br>
<div class="HOEnZb">
<div class="h5"><br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
David Tomaschik<br>
OpenPGP: 0x5DEA789B<br>
<a moz-do-not-send="true" href="http://systemoverlord.com"
target="_blank">http://systemoverlord.com</a><br>
<a moz-do-not-send="true" href="mailto:david@systemoverlord.com"
target="_blank">david@systemoverlord.com</a>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
(To whom it may concern. My email address has changed. Replying to former
messages prior to 03/31/12 with my personal address will go to the wrong
address. Please send all personal correspondence to the new address.)
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new email messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT techstarship.com
</pre>
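Added example, not part of the thread above and not a description of Owl's or any vendor's product: the engineering consequence of a send-only/receive-only link is that the receiver has no way to acknowledge or ask for a retransmission, so the sender has to assume loss and send redundantly, and the receiver has to check integrity entirely on its own. The frame layout, the repeat count, the chunk size and the loss/corruption pattern of the simulated link below are this example's own assumptions; the sample telemetry is constructed.<br>
<br>
```python
"""Framing for a one-way (data diode) link, simulated in Python.

No back channel exists, so: the sender emits every chunk several times in
interleaved passes, each frame carries a CRC so corrupted copies are dropped,
and the whole payload carries a SHA-256 so the receiver can tell a complete,
correct reassembly from a partial one. All constants are assumptions.
"""
import hashlib
import struct
import zlib
from typing import Dict, Iterator, List, Optional

MAGIC = b"DD1"                 # assumed frame marker
CHUNK = 64                     # assumed payload bytes per frame
HDR = struct.Struct("!IIH")    # seq, total chunks, chunk length (network order)
HEADER_LEN = len(MAGIC) + HDR.size + 32   # + SHA-256 of the whole payload


def build_frames(payload: bytes, repeat: int = 3) -> List[bytes]:
    """Split payload into self-describing frames, emitted in `repeat` full passes.

    Interleaving whole passes (instead of repeating each frame back to back)
    means a burst of loss is less likely to remove every copy of one chunk.
    """
    digest = hashlib.sha256(payload).digest()
    chunks = [payload[i:i + CHUNK] for i in range(0, len(payload), CHUNK)] or [b""]
    frames = []
    for _ in range(repeat):
        for seq, chunk in enumerate(chunks):
            body = MAGIC + HDR.pack(seq, len(chunks), len(chunk)) + digest + chunk
            frames.append(body + struct.pack("!I", zlib.crc32(body)))
    return frames


class Receiver:
    """Receive-only endpoint: it can accept frames but has no send path at all."""

    def __init__(self) -> None:
        self.total: Optional[int] = None
        self.digest: Optional[bytes] = None
        self.chunks: Dict[int, bytes] = {}

    def accept(self, frame: bytes) -> bool:
        """Validate one frame and keep its chunk; return False if it is rejected."""
        if len(frame) in range(HEADER_LEN + 4) or not frame.startswith(MAGIC):
            return False                      # too short, or not one of our frames
        body, crc = frame[:-4], struct.unpack("!I", frame[-4:])[0]
        if zlib.crc32(body) != crc:
            return False                      # corrupted in transit; a later copy may be clean
        seq, total, length = HDR.unpack(body[len(MAGIC):len(MAGIC) + HDR.size])
        digest = body[len(MAGIC) + HDR.size:HEADER_LEN]
        chunk = body[HEADER_LEN:]
        if len(chunk) != length or seq not in range(total):
            return False
        if self.digest is None:
            self.digest, self.total = digest, total
        elif (digest, total) != (self.digest, self.total):
            return False                      # belongs to a different transfer
        self.chunks.setdefault(seq, chunk)    # first clean copy wins; duplicates are harmless
        return True

    def result(self) -> Optional[bytes]:
        """Reassembled payload, or None while chunks are missing or the hash fails."""
        if self.total is None or len(self.chunks) != self.total:
            return None
        data = b"".join(self.chunks[i] for i in range(self.total))
        return data if hashlib.sha256(data).digest() == self.digest else None


def lossy_link(frames: List[bytes], drop_every: int = 3, corrupt_every: int = 5) -> Iterator[bytes]:
    """Constructed one-way channel: drops and corrupts frames in a fixed pattern
    so a run is reproducible. Nothing is ever returned to the sender."""
    for i, frame in enumerate(frames):
        if i % drop_every == 1:
            continue                          # frame lost
        if i % corrupt_every == 0:            # flip the first payload byte
            frame = frame[:HEADER_LEN] + bytes([frame[HEADER_LEN] ^ 0xFF]) + frame[HEADER_LEN + 1:]
        yield frame


def transfer(payload: bytes, repeat: int = 3) -> Optional[bytes]:
    """Push payload across the simulated diode and return what the receiver reassembled."""
    rx = Receiver()
    for frame in lossy_link(build_frames(payload, repeat)):
        rx.accept(frame)
    return rx.result()


# Constructed sample telemetry: 40 lines of 21 bytes, i.e. 14 chunks of up to 64 bytes.
SAMPLE = b"".join(b"telemetry sample %03d\n" % i for i in range(40))

if __name__ == "__main__":
    print("repeat=1 complete:", transfer(SAMPLE, repeat=1) is not None)   # False: chunks lost
    print("repeat=3 complete:", transfer(SAMPLE, repeat=3) == SAMPLE)      # True
```
<br>
With a single pass the receiver ends up with holes it can never fill, because it cannot ask for anything; with three interleaved passes every chunk survives the constructed loss and corruption pattern, and the payload hash confirms the reassembly. A real deployment would also want the receiver to log rejected and missing frames, since that log is the only signal anyone gets that the link is degrading.<br>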
</body>
</html>