[ale] researcher's linux worm infects 400 K + devices by TELNET

Jay Lozier jslozier at gmail.com
Thu Mar 21 19:09:41 EDT 2013


On 03/21/2013 06:30 PM, Jim Kinney wrote:
>
>
> On Thu, Mar 21, 2013 at 5:53 PM, Jay Lozier <jslozier at gmail.com> wrote:
>
>     On 03/21/2013 03:41 PM, Jim Kinney wrote:
>>     in short: embedded systems MUST be locked down or fully upgradeable.
>>
>>     Basically this guy found a zillion embedded Linux devices and
>>     they were all set up stupidly. Crap like telnet running with a
>>     root password of root and just boneheaded stuff like that.
>>
>>     It's one of the blowbacks from rapid Linux adoption - idiots make
>>     devices with a full OS installed and -WHAM- you've got a root-bot.
>>
>>     Embedded devices are hard to get really right. Probably
>>     impossible to get totally secure. SCADA security woes are based
>>     on a zillion embedded Windows 98 and XP devices that run
>>     utilities and water treatment plants and industrial processes.
>>     Full of security holes and not fixable without a hardware refresh
>>     (at 4x the cost of the original device).
>>
>     Could the telnet and related packages be removed without causing
>     any problems?
>
> My understanding is these devices are burned into ROM and not 
> upgradeable.
Next semi-stupid question: since a Linux distro is customizable, could 
one make one with only the apps needed for the intended service? And 
related, just how hard is it to create a customized distro or adapt an 
existing one for a specific purpose (not having done this personally)? 
And, once installed, have a firewall turned on automatically?
>
>
>     Also, how many of these devices need to be connected to the Internet?
>
> directly and no firewall installed.
>
>
>     One of the problems with the SCADA devices is that the older
>     devices were never intended to be connected to something like the
>     Internet. If they were connected to any devices, it was to be a
>     local, independent control network with no outside connections.
>
>
> But they all got plugged in anyway because it was "easier" to manage them.
My question is who needs to manage this off site? Most sewage and water 
treatment plants do not need this; the control facility should be on site.
>
> <sigh>
>
> this stuff (what a decent SysAdmin does) is really hard to do even 
> half-assed. Damn near impossible to do it well. Add in the PHB/cheap 
> factor and it turns into a clusterfook real fast.
Or a politician trying their best to subtract from the sum total of 
human knowledge.
>
>
>
>>     On Thu, Mar 21, 2013 at 2:56 PM, Ron Frazier (ALE)
>>     <atllinuxenthinfo at techstarship.com> wrote:
>>
>>         Hi all,
>>
>>         This just came out on the Security Now podcast.  I thought
>>         I'd pass it along.  I'll freely admit I don't understand
>>         everything discussed.  However, you guys more up on security
>>         stuff will be able to research this and act appropriately.
>>          I'll explain this the best I can based on what I heard on
>>         the podcast.
>>
>>         The podcast is entitled Telnet-pocalypse, and he reports on a
>>         very serious report by an anonymous White Hat researcher
>>         about vulnerable devices.  I have not attempted to verify
>>         this information other than what's stated in Steve's podcast
>>         and in the report cited, but it appears to be legitimate.
>>
>>         http://twit.tv/show/security-now/396
>>
>     <snip>
>
>
>     -- 
>     Jay Lozier
>     jslozier at gmail.com
>
>
>     _______________________________________________
>     Ale mailing list
>     Ale at ale.org
>     http://mail.ale.org/mailman/listinfo/ale
>     See JOBS, ANNOUNCE and SCHOOLS lists at
>     http://mail.ale.org/mailman/listinfo
>
>
>
>
> -- 
> James P. Kinney III
>
> Every time you stop a school, you will have to build a jail. What 
> you gain at one end you lose at the other. It's like feeding a dog on 
> his own tail. It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
>
> http://electjimkinney.org
> http://heretothereideas.blogspot.com/
>
>


-- 
Jay Lozier
jslozier at gmail.com
