<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 03/21/2013 10:39 PM, David Tomaschik
wrote:<br>
</div>
<blockquote
cite="mid:CAOy4VzfbpSJ0yD4yvnXfQ3LiPJT6X-tfM=f-wx1Lc_J6C5peag@mail.gmail.com"
type="cite">
<div dir="ltr">On Thu, Mar 21, 2013 at 4:09 PM, Jay Lozier <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:jslozier@gmail.com" target="_blank">jslozier@gmail.com</a>&gt;</span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="im">
<div>On 03/21/2013 06:30 PM, Jim Kinney wrote:<br>
</div>
<blockquote type="cite"><br>
<br>
<div class="gmail_quote">On Thu, Mar 21, 2013 at
5:53 PM, Jay Lozier <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:jslozier@gmail.com"
target="_blank">jslozier@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>On 03/21/2013 03:41 PM, Jim Kinney
wrote:<br>
</div>
<blockquote type="cite">in short: embedded
system MUST be locked down or fully
upgradeable.<br>
<br>
Basically this guy found a zillion
embedded Linux devices and they were all
set up stupidly. Crap like telnet running
with a root password of root and just
boneheaded stuff like that.<br>
<br>
It's one of the blowbacks from rapid Linux
adoption - idiots make devices with a full
OS installed and -WHAM- you've got a
root-bot.<br>
<br>
Embedded devices are hard to get really
right. Probably impossible to get totally
secure. SCADA security woes are based on a
zillion embedded windows 98 and XP devices
that run utilities and water treatment
plants and industrial processes. Full of
security holes and not fixable without a
hardware refresh (at 4x the cost of the
original device).<br>
<br>
</blockquote>
</div>
Could the telnet and related packages be
removed without causing any problems? <br>
</div>
</blockquote>
<div>My understanding is these devices are burned
into ROM and not upgradeable. <br>
</div>
</div>
</blockquote>
</div>
Next semi-stupid question, since a Linux distro is
customizable could one make one with only the apps
needed for the intended service? And related, just how
hard is it to create a customized or adapt an existing
distro for a specific purpose (not having done this
personally)? And once installed, have a firewall turned
on automatically?</div>
</blockquote>
<div><br>
</div>
<div style="">Most embedded devices that run Linux don't run
what you'd typically think of as a distro -- more often
it's something similar to Linux From Scratch. Usually you
find a kernel, busybox, and a few tools specific to the
device. That being said: telnet was most likely on those
devices *on purpose*: many embedded devices want to have
some sort of management capability, and the telnet daemon
was there to provide it. Many embedded vendors are too
cheap to provide enough flash & RAM to run SSH, or
they labor under the assumption the device will only be on
a "secure" network. That being said, telnet wasn't really
the problem here. Even if they'd been using SSH,
root/root (or anything else Hydra can guess in less than,
say, a day) for credentials is unforgivable.</div>
</div>
</div>
</div>
</blockquote>
I can understand reducing costs to a point but if you endanger the
end user by being too cheap you deserve whatever the shysters can
shake you down for. Some basic security goes a long way and removing
a security risk should be done. IMHO the problem is that you should
have an on-site service call not a remote log in because often there
is more wrong than just a software problem or at least that is my
experience with plants. <br>
<blockquote
cite="mid:CAOy4VzfbpSJ0yD4yvnXfQ3LiPJT6X-tfM=f-wx1Lc_J6C5peag@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="im">
<blockquote type="cite">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <br>
Also, how many of these devices need to be
connected to the Internet? <br>
</div>
</blockquote>
<div>directly and no firewall installed. <br>
</div>
</div>
</blockquote>
<blockquote type="cite">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <br>
One of the problems with the SCADA devices is
that the older devices were never intended to
be connected to something like the Internet.
If they were connected to any devices, it was
to be a local, independent control network
with no outside connections.</div>
</blockquote>
<div><br>
But they all got plugged in anyway because it
was "easier" to manage them.<br>
</div>
</div>
</blockquote>
</div>
My question is who needs to manage this off site? Most
sewage and water treatment plants do not need this; the
control facility should be on site.</div>
</blockquote>
<div><br>
</div>
<div style="">Many vendors have these sort of things set up
so they can provide remote troubleshooting/management.
Yes, apparently a VPN is too much trouble...</div>
</div>
</div>
</div>
</blockquote>
The old SCADA systems used ladder logic and once the system was
working the program was rarely the problem. Very rarely one might
need to reload the program but these programs were generally one-off
because each plant was different and the customer was usually given
a copy of the program on some media. At least that was the practice
10 years ago.<br>
<blockquote
cite="mid:CAOy4VzfbpSJ0yD4yvnXfQ3LiPJT6X-tfM=f-wx1Lc_J6C5peag@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="im">
<blockquote type="cite">
<div class="gmail_quote">
<div> &lt;sigh&gt;<br>
<br>
this stuff (what a decent SysAdmin does) is
really hard to do even half-assed. Damn near
impossible to do it well. Add in the PHB/cheap
factor and it turns into a clusterfook real
fast.<br>
</div>
</div>
</blockquote>
</div>
Or a politician trying their best to subtract from the
sum total of human knowledge.
<div>
<div class="h5"><br>
<blockquote type="cite">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div><br>
<br>
<blockquote type="cite">
<div class="gmail_quote">On Thu, Mar 21,
2013 at 2:56 PM, Ron Frazier (ALE) <span
dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:atllinuxenthinfo@techstarship.com"
target="_blank">atllinuxenthinfo@techstarship.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">Hi all,<br>
<br>
This just came out on the Security
Now podcast. I thought I'd pass it
along. I'll freely admit I don't
understand everything discussed.
However, you guys more up on
security stuff will be able to
research this and act appropriately.
I'll explain this the best I can
based on what I heard on the
podcast.<br>
<br>
The podcast is entitled
Telnet-pocalypse, and he reports on
a very serious report by an
anonymous White Hat researcher about
vulnerable devices. I have not
attempted to verify this information
other than what's stated in Steve's
podcast and in the report cited, but
it appears to be legitimate.<br>
<br>
<a moz-do-not-send="true"
href="http://twit.tv/show/security-now/396"
target="_blank">http://twit.tv/show/security-now/396</a><br>
<br>
</blockquote>
</div>
</blockquote>
</div>
&lt;snip&gt;<span><font color="#888888"><br>
<br>
<br>
<pre cols="72">--
Jay Lozier
<a moz-do-not-send="true" href="mailto:jslozier@gmail.com" target="_blank">jslozier@gmail.com</a></pre>
</font></span></div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
David Tomaschik<br>
OpenPGP: 0x5DEA789B<br>
<a moz-do-not-send="true" href="http://systemoverlord.com"
target="_blank">http://systemoverlord.com</a><br>
<a moz-do-not-send="true"
href="mailto:david@systemoverlord.com" target="_blank">david@systemoverlord.com</a>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Ale mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Ale@ale.org">Ale@ale.org</a>
<a class="moz-txt-link-freetext" href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a>
See JOBS, ANNOUNCE and SCHOOLS lists at
<a class="moz-txt-link-freetext" href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a>
</pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Jay Lozier
<a class="moz-txt-link-abbreviated" href="mailto:jslozier@gmail.com">jslozier@gmail.com</a></pre>
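<p>The thread above describes the typical embedded Linux image (a kernel, BusyBox and a few tools) and the two faults behind the "Telnet-pocalypse" report: a telnet daemon started at boot and a root account with no real password. The script below is an added example, not code from the thread or from any vendor, that audits an unpacked root filesystem you already hold for exactly those two conditions. The BusyBox-style layout (<code>/etc/inittab</code>, <code>/etc/init.d/rcS</code>, <code>/etc/shadow</code>) and the sample file contents are constructed assumptions, and the script only reads files, it does not probe any device.</p>

```python
"""Audit an unpacked embedded-Linux root filesystem for a telnet daemon
started at boot and for a root account whose password field is empty.
Added example; the BusyBox-style layout is an assumption, not a specific
product's image."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample rootfs, modelled on a minimal BusyBox device image.
# Both faults discussed in the thread are present on purpose.
SAMPLE_FILES = {
    "etc/inittab": (
        "::sysinit:/etc/init.d/rcS\n"
        "::respawn:/sbin/getty -L ttyS0 115200 vt100\n"
        "# ::respawn:/usr/sbin/dropbear -F\n"      # commented out: not started
        "::respawn:/usr/sbin/telnetd -F\n"
    ),
    "etc/init.d/rcS": "#!/bin/sh\nmount -a\n/usr/sbin/telnetd\n",
    "etc/shadow": (
        "root::10933:0:99999:7:::\n"                # empty password field
        "admin:$1$saltsalt$abcdefghijklmnopqrstuv:10933:0:99999:7:::\n"
        "nobody:*:10933:0:99999:7:::\n"
    ),
}

TELNET_RE = re.compile(r"\btelnetd\b")


def telnet_started_at_boot(rootfs: Path) -> list[str]:
    """Return the boot-time files (inittab and init.d scripts) that launch telnetd."""
    hits: list[str] = []
    candidates = [rootfs / "etc/inittab"]
    init_d = rootfs / "etc/init.d"
    if init_d.is_dir():
        candidates += sorted(p for p in init_d.iterdir() if p.is_file())
    for path in candidates:
        if not path.is_file():
            continue
        for line in path.read_text(errors="replace").splitlines():
            stripped = line.strip()
            if stripped.startswith("#"):
                continue  # a commented-out entry starts nothing
            if TELNET_RE.search(stripped):
                hits.append(path.relative_to(rootfs).as_posix())
                break
    return hits


def root_password_state(rootfs: Path) -> Optional[str]:
    """Classify root's /etc/shadow entry: 'empty', 'locked', 'hashed', or None if absent."""
    shadow = rootfs / "etc/shadow"
    if not shadow.is_file():
        return None
    for line in shadow.read_text(errors="replace").splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[0] != "root":
            continue
        pw = fields[1]
        if pw == "":
            return "empty"  # login as root with no password at all
        if pw.startswith(("*", "!")):
            return "locked"
        return "hashed"  # a hash exists; its strength is a separate question
    return None


def audit(rootfs: Path) -> dict:
    """Run both checks against one unpacked root filesystem."""
    return {
        "telnet_boot_files": telnet_started_at_boot(rootfs),
        "root_password": root_password_state(rootfs),
    }


def build_sample_rootfs(base: Path) -> Path:
    """Write the constructed SAMPLE_FILES tree under base and return it."""
    for rel, content in SAMPLE_FILES.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return base


def run_sample() -> dict:
    """Build the sample image in a temp dir and audit it; used by the demo below."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_rootfs(Path(tmp)))


if __name__ == "__main__":
    # Point audit() at a real extracted firmware root instead of the sample
    # to check an image you maintain.
    print(run_sample())
```

<p>On the constructed image the audit reports telnetd launched from both <code>etc/inittab</code> and <code>etc/init.d/rcS</code> and a root entry with an empty password field. A hashed root password only means a hash is present; whether it is a vendor default is a separate review, and the fix in either case is the one the thread names: drop the telnet daemon from the boot files, set a per-device root password, and restrict any management service to a management network.</p>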
</body>
</html>