<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/21/2013 06:30 PM, Jim Kinney
wrote:<br>
</div>
<blockquote
cite="mid:CAEo=5Pxm4YNLP04K-J8CXRTdd4jUZGXKwGmXCNM=VMbpJchj8A@mail.gmail.com"
type="cite"><br>
<br>
<div class="gmail_quote">On Thu, Mar 21, 2013 at 5:53 PM, Jay
Lozier <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:jslozier@gmail.com" target="_blank">jslozier@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="im">
<div>On 03/21/2013 03:41 PM, Jim Kinney wrote:<br>
</div>
<blockquote type="cite">in short: embedded system MUST be
locked down or fully upgradeable.<br>
<br>
Basically this guy found a zillion embedded Linux
devices and they were all set up stupidly. Crap like
telnet running with a root password of root and just
boneheaded stuff like that.<br>
<br>
It's one of the blowbacks from rapid Linux adoption -
idiots make devices with a full OS installed and -WHAM-
you've got a root-bot.<br>
<br>
Embedded devices are hard to get really right. Probably
impossible to get totally secure. SCADA security woes
are based on a zillion embedded windows 98 and XP
devices that run utilities and water treatment plants
and industrial processes. Full of security holes and not
fixable without a hardware refresh (at 4x the cost of
the original device).<br>
<br>
</blockquote>
</div>
Could the telnet and related packages be removed without
causing any problems? <br>
</div>
</blockquote>
<div>My understanding is these devices are burned into ROM and
not upgradeable. <br>
</div>
</div>
</blockquote>
Next semi-stupid question, since a Linux distro is customizable
could one make one with only the apps needed for the intended
service? And related, just how hard is it to create a customized or
adapt an existing distro for a specific purpose (not having done
this personally)? And once installed, have a firewall turned on
automatically?<br>
<blockquote
cite="mid:CAEo=5Pxm4YNLP04K-J8CXRTdd4jUZGXKwGmXCNM=VMbpJchj8A@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <br>
Also, how many of these devices need to be connected to the
Internet? <br>
</div>
</blockquote>
<div>directly and no firewall installed. <br>
</div>
</div>
</blockquote>
<blockquote
cite="mid:CAEo=5Pxm4YNLP04K-J8CXRTdd4jUZGXKwGmXCNM=VMbpJchj8A@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <br>
One of the problems with the SCADA devices is that the older
devices were never intended to be connected to something
like the Internet. If they were connected to any devices, it
was to be a local, independent control network with no
outside connections.</div>
</blockquote>
<div><br>
But they all got plugged in anyway because it was "easier" to
manage them.<br>
</div>
</div>
</blockquote>
My question is who needs to manage this off site? Most sewage and
water treatment plants do not need this; the control facility should
be on site. <br>
<blockquote
cite="mid:CAEo=5Pxm4YNLP04K-J8CXRTdd4jUZGXKwGmXCNM=VMbpJchj8A@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<div><br>
&lt;sigh&gt;<br>
<br>
this stuff (what a decent SysAdmin does) is really hard to do
even half-assed. Damn near impossible to do it well. Add in
the PHB/cheap factor and it turns into a clusterfook real
fast.<br>
</div>
</div>
</blockquote>
Or a politician trying their best to subtract from the sum total of
human knowledge.<br>
<blockquote
cite="mid:CAEo=5Pxm4YNLP04K-J8CXRTdd4jUZGXKwGmXCNM=VMbpJchj8A@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<div>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="im"><br>
<br>
<blockquote type="cite">
<div class="gmail_quote">On Thu, Mar 21, 2013 at 2:56
PM, Ron Frazier (ALE) <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:atllinuxenthinfo@techstarship.com"
target="_blank">atllinuxenthinfo@techstarship.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Hi
all,<br>
<br>
This just came out on the Security Now podcast. I
thought I'd pass it along. I'll freely admit I
don't understand everything discussed. However, you
guys more up on security stuff will be able to
research this and act appropriately. I'll explain
this the best I can based on what I heard on the
podcast.<br>
<br>
The podcast is entitled Telnet-pocalypse, and he
reports on a very serious report by an anonymous
White Hat researcher about vulnerable devices. I
have not attempted to verify this information other
than what's stated in Steve's podcast and in the
report cited, but it appears to be legitimate.<br>
<br>
<a moz-do-not-send="true"
href="http://twit.tv/show/security-now/396"
target="_blank">http://twit.tv/show/security-now/396</a><br>
<br>
</blockquote>
</div>
</blockquote>
</div>
&lt;snip&gt;<span class="HOEnZb"><font color="#888888"><br>
<br>
<br>
<pre cols="72">--
Jay Lozier
<a moz-do-not-send="true" href="mailto:jslozier@gmail.com" target="_blank">jslozier@gmail.com</a></pre>
</font></span></div>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a moz-do-not-send="true" href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo/ale"
target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
James P. Kinney III<br>
<i><i><i><i><br>
</i></i></i></i>Every time you stop a school, you will have
to build a jail. What you gain at one end you lose at the other.
It's like feeding a dog on his own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br>
<i><i><i><i><br>
<a moz-do-not-send="true" href="http://electjimkinney.org"
target="_blank">http://electjimkinney.org</a><br>
<a moz-do-not-send="true"
href="http://heretothereideas.blogspot.com/"
target="_blank">http://heretothereideas.blogspot.com/</a><br>
</i></i></i></i>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Jay Lozier
<a class="moz-txt-link-abbreviated" href="mailto:jslozier@gmail.com">jslozier@gmail.com</a></pre>
</body>
</html>