<br><br><div class="gmail_quote">On Thu, Mar 21, 2013 at 5:53 PM, Jay Lozier <span dir="ltr"><<a href="mailto:jslozier@gmail.com" target="_blank">jslozier@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="im">
<div>On 03/21/2013 03:41 PM, Jim Kinney
wrote:<br>
</div>
<blockquote type="cite">in short: embedded system MUST be locked down or fully
upgradeable.<br>
<br>
Basically this guy found a zillion embedded Linux devices and they
were all set up stupidly. Crap like telnet running with a root
password of root and just boneheaded stuff like that.<br>
<br>
It's one of the blowbacks from rapid Linux adoption - idiots make
devices with a full OS installed and -WHAM- you've got a
root-bot.<br>
<br>
Embedded devices are hard to get really right. Probably impossible
to get totally secure. SCADA security woes are based on a zillion
embedded Windows 98 and XP devices that run utilities and water
treatment plants and industrial processes. Full of security holes
and not fixable without a hardware refresh (at 4x the cost of the
original device).<br>
<br>
</blockquote></div>
Could the telnet and related packages be removed without causing
any problems? <br></div></blockquote><div>My understanding is these devices are burned into ROM and not upgradeable. <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<br>
Also, how many of these devices need to be connected to the
Internet? <br></div></blockquote><div>directly and no firewall installed. <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
<br>
One of the problems with the SCADA devices is that the older devices
were never intended to be connected to something like the Internet.
If they were connected to any devices, it was to be a local,
independent control network with no outside connections.</div></blockquote><div><br>But they all got plugged in anyway because it was "easier" to manage them.<br><br><sigh><br><br>this stuff (what a decent SysAdmin does) is really hard to do even half-assed. Damn near impossible to do it well. Add in the PHB/cheap factor and it turns into a clusterfook real fast.<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div class="im"><br>
<br>
<blockquote type="cite">
<div class="gmail_quote">On Thu, Mar 21, 2013 at 2:56 PM, Ron
Frazier (ALE) <span dir="ltr"><<a href="mailto:atllinuxenthinfo@techstarship.com" target="_blank">atllinuxenthinfo@techstarship.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
This just came out on the Security Now podcast. I thought I'd
pass it along. I'll freely admit I don't understand
everything discussed. However, you guys more up on security
stuff will be able to research this and act appropriately.
I'll explain this the best I can based on what I heard on the
podcast.<br>
<br>
The podcast is entitled Telnet-pocalypse, and he reports on a
very serious report by an anonymous White Hat researcher about
vulnerable devices. I have not attempted to verify this
information other than what's stated in Steve's podcast and in
the report cited, but it appears to be legitimate.<br>
<br>
<a href="http://twit.tv/show/security-now/396" target="_blank">http://twit.tv/show/security-now/396</a><br>
<br>
</blockquote>
</div>
</blockquote></div>
<snip><span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
<pre cols="72">--
Jay Lozier
<a href="mailto:jslozier@gmail.com" target="_blank">jslozier@gmail.com</a></pre>
</font></span></div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://electjimkinney.org" target="_blank">http://electjimkinney.org</a><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br>
</i></i></i></i>