<div dir="ltr">On Thu, Mar 21, 2013 at 4:09 PM, Jay Lozier <span dir="ltr"><<a href="mailto:jslozier@gmail.com" target="_blank">jslozier@gmail.com</a>></span> wrote:<br><div class="gmail_extra"><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="im">
<div>On 03/21/2013 06:30 PM, Jim Kinney
wrote:<br>
</div>
<blockquote type="cite"><br>
<br>
<div class="gmail_quote">On Thu, Mar 21, 2013 at 5:53 PM, Jay
Lozier <span dir="ltr"><<a href="mailto:jslozier@gmail.com" target="_blank">jslozier@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>On 03/21/2013 03:41 PM, Jim Kinney wrote:<br>
</div>
<blockquote type="cite">in short: embedded systems MUST be
locked down or fully upgradeable.<br>
<br>
Basically this guy found a zillion embedded Linux
devices and they were all set up stupidly. Crap like
telnet running with a root password of root and just
boneheaded stuff like that.<br>
<br>
It's one of the blowbacks from rapid Linux adoption -
idiots make devices with a full OS installed and -WHAM-
you've got a root-bot.<br>
<br>
Embedded devices are hard to get really right. Probably
impossible to get totally secure. SCADA security woes
are based on a zillion embedded windows 98 and XP
devices that run utilities and water treatment plants
and industrial processes. Full of security holes and not
fixable without a hardware refresh (at 4x the cost of
the original device).<br>
<br>
</blockquote>
</div>
Could the telnet and related packages be removed without
causing any problems? <br>
</div>
</blockquote>
<div>My understanding is these devices are burned into ROM and
not upgradeable. <br>
</div>
</div>
</blockquote></div>
Next semi-stupid question, since a Linux distro is customizable
could one make one with only the apps needed for the intended
service? And related, just how hard is it to create a customized or
adapt an existing distro for a specific purpose (not having done
this personally)? And once installed, have a firewall turned on
automatically.</div></blockquote><div><br></div><div style>Most embedded devices that run Linux don't run what you'd typically think of as a distro -- more often it's something similar to Linux From Scratch. Usually you find a kernel, busybox, and a few tools specific to the device. That being said: telnet was most likely on those devices *on purpose*: many embedded devices want to have some sort of management capability, and the telnet daemon was there to provide it. Many embedded vendors are too cheap to provide enough flash & RAM to run SSH, or they labor under the assumption the device will only be on a "secure" network. That being said, telnet wasn't really the problem here. Even if they'd been using SSH, root/root (or anything else Hydra can guess in less than, say, a day) for credentials is unforgivable.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div class="im">
<blockquote type="cite">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <br>
Also, how many of these devices need to be connected to the
Internet? <br>
</div>
</blockquote>
<div>directly and no firewall installed. <br>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <br>
One of the problems with the SCADA devices is that the older
devices were never intended to be connected to something
like the Internet. If they were connected to any devices, it
was to be a local, independent control network with no
outside connections.</div>
</blockquote>
<div><br>
But they all got plugged in anyway because it was "easier" to
manage them.<br>
</div>
</div>
</blockquote></div>
My question is who needs to manage this off site? Most sewage and
water treatment plants do not need this; the control facility should
be on site.</div></blockquote><div><br></div><div style>Many vendors have these sorts of things set up so they can provide remote troubleshooting/management. Yes, apparently a VPN is too much trouble...</div><div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div class="im"><blockquote type="cite">
<div class="gmail_quote">
<div>
<sigh><br>
<br>
this stuff (what a decent SysAdmin does) is really hard to do
even half-assed. Damn near impossible to do it well. Add in
the PHB/cheap factor and it turns into a clusterfook real
fast.<br>
</div>
</div>
</blockquote></div>
Or a politician trying their best to subtract from the sum total of
human knowledge.<div><div class="h5"><br>
<blockquote type="cite">
<div class="gmail_quote">
<div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div><br>
<br>
<blockquote type="cite">
<div class="gmail_quote">On Thu, Mar 21, 2013 at 2:56
PM, Ron Frazier (ALE) <span dir="ltr"><<a href="mailto:atllinuxenthinfo@techstarship.com" target="_blank">atllinuxenthinfo@techstarship.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi
all,<br>
<br>
This just came out on the Security Now podcast. I
thought I'd pass it along. I'll freely admit I
don't understand everything discussed. However, you
guys more up on security stuff will be able to
research this and act appropriately. I'll explain
this the best I can based on what I heard on the
podcast.<br>
<br>
The podcast is entitled Telnet-pocalypse, and he
reports on a very serious report by an anonymous
White Hat researcher about vulnerable devices. I
have not attempted to verify this information other
than what's stated in Steve's podcast and in the
report cited, but it appears to be legitimate.<br>
<br>
<a href="http://twit.tv/show/security-now/396" target="_blank">http://twit.tv/show/security-now/396</a><br>
<br>
</blockquote>
</div>
</blockquote>
</div>
<snip><span><font color="#888888"><br>
<br>
<br>
<pre cols="72">--
Jay Lozier
<a href="mailto:jslozier@gmail.com" target="_blank">jslozier@gmail.com</a></pre>
</font></span></div>
</blockquote></div></blockquote></div></div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>David Tomaschik<br>OpenPGP: 0x5DEA789B<br><a href="http://systemoverlord.com" target="_blank">http://systemoverlord.com</a><br>
<a href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div></div>
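Since the thread asks what "only the apps needed" plus a firewall on by default would look like in practice, here is an added example that is not from anyone on the list: a POSIX/busybox-compatible shell audit of an extracted embedded rootfs for the three problems named above (telnetd enabled, root with an empty or unlocked password, no default-DROP input policy installed at boot). The paths /etc/inetd.conf, /etc/shadow and /etc/init.d are conventional assumptions, and the sample rootfs the script builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an extracted rootfs
# (e.g. unpacked from a firmware image) for the issues discussed above.
# Assumed layout: etc/inetd.conf, etc/shadow, etc/init.d/ under the root.

# 1. Is telnetd started by inetd or by an init script? 0 = yes, 1 = no.
telnet_enabled() {            # $1 = path to rootfs
    grep -qsE '^[^#]*telnet' "$1/etc/inetd.conf" && return 0
    grep -qsrE '^[^#]*telnetd' "$1/etc/init.d" && return 0
    return 1
}

# 2. Root password field: "empty" (no password), "locked" (* or !...), "set".
root_password_state() {
    field=$(awk -F: '$1=="root"{print $2; exit}' "$1/etc/shadow")
    case "$field" in
        "")       echo empty ;;
        '*'|'!'*) echo locked ;;
        *)        echo set ;;
    esac
}

# 3. Does any boot script set a default-DROP policy on INPUT? 0 = yes.
firewall_at_boot() {
    grep -qsrE 'iptables .*-P +INPUT +DROP' "$1/etc/init.d"
}

# Constructed sample rootfs showing all three problems (inetd launches
# telnetd, root has an empty password, rcS installs no packet filter).
make_sample_rootfs() {
    d=$(mktemp -d) && mkdir -p "$d/etc/init.d"
    printf 'telnet stream tcp nowait root /usr/sbin/telnetd telnetd -i\n' > "$d/etc/inetd.conf"
    printf 'root::10933:0:99999:7:::\n' > "$d/etc/shadow"
    printf '#!/bin/sh\n/usr/sbin/inetd\n' > "$d/etc/init.d/rcS"
    echo "$d"
}

# Prints one line per finding; exit status is the number of findings.
audit_rootfs() {
    n=0
    telnet_enabled "$1" && { echo "FINDING: telnetd enabled"; n=$((n+1)); }
    [ "$(root_password_state "$1")" != locked ] && { echo "FINDING: root login possible"; n=$((n+1)); }
    firewall_at_boot "$1" || { echo "FINDING: no default-DROP INPUT policy at boot"; n=$((n+1)); }
    return $n
}
```

Run `audit_rootfs "$(make_sample_rootfs)"` to see all three findings; point it at a real unpacked rootfs to audit a device image.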