[ale] researcher's linux worm infects 400 K + devices by TELNET

David Tomaschik david at systemoverlord.com
Thu Mar 21 22:39:44 EDT 2013


On Thu, Mar 21, 2013 at 4:09 PM, Jay Lozier <jslozier at gmail.com> wrote:

>  On 03/21/2013 06:30 PM, Jim Kinney wrote:
>
>
>
> On Thu, Mar 21, 2013 at 5:53 PM, Jay Lozier <jslozier at gmail.com> wrote:
>
>>  On 03/21/2013 03:41 PM, Jim Kinney wrote:
>>
>> in short: embeded system MUST be locked down or fully upgradeable.
>>
>> Basically this guy found a zillion embedded Linux devices and they were
>> all set up stupidly. Crap like telnet running with a root password of root
>> and just boneheaded stuff like that.
>>
>> It's one of the blowbacks from rapid Linux adoption - idiots make devices
>> with a full OS installed and -WHAM- you've a got a root-bot.
>>
>> Embedded devices are hard to get really right. Probably impossible to get
>> totally secure. SCADA security woes are based on a zillion embedded windows
>> 98 and XP devices that run utilities and water treatment plants and
>> industrial processes. Full of security holes and not fixable without a
>> hardware refresh (at 4x the cost of the original device).
>>
>>  Could the telnet  and related packages be removed without causing any
>> problems?
>>
> My understanding it these devices are burned into ROM and not upgradeable.
>
> Next semi-stupid question, since a Linux distro is customizable could one
> make one with only the apps needed for the intended service? And related,
> just how hard is it to create a customized or adapt an existing distro for
> a specific purpose (not having done this personally)? And once installed,
> have a firewall turned on automatically
>

Most embedded devices that run Linux don't run what you'd typically think
of as a distro -- more often it's something similar to Linux From Scratch.
 Usually you find a kernel, busybox, and a few tools specific to the
device.  That being said: telnet was most likely on those devices *on
purpose*: many embedded devices want to have some sort of management
capability, and the telnet daemon was there to provide it.  Many embedded
vendors are too cheap to provide enough flash & RAM to run SSH, or they
labor under the assumption the device will only be on a "secure" network.
 That being said, telnet wasn't really the problem here.  Even if they'd
been using SSH, root/root (or anything else Hydra can guess in less than,
say, a day) for credentials is unforgivable.


>
>> Also, how many of these devices need to be connected to the Internet?
>>
> directly and no firewall installed.
>
>
>> One of the problems with the SCADA devices is that the older devices were
>> never intended to be connected to something like the Internet. If they were
>> connected to any devices, it was to be a local, independent control network
>> with no outside connections.
>>
>
> But they all got plugged in anyway because it was "easier" to manage them.
>
> My question is who needs to manage this off site? Most sewage and water
> treatment plants do not need this; the control facility should be on site.
>

Many vendors have these sort of things set up so they can provide remote
troubleshooting/management.  Yes, apparently a VPN is too much trouble...


>  <sigh>
>
> this stuff (what a decent SysAdmin does) is really hard to do even
> half-assed. Damn near impossible to do it well. Add in the PHB/cheap factor
> and it turns into a clusterfook real fast.
>
> Or a politician trying their best to subtract from the sum total of human
> knowledge.
>
>
>>
>>  On Thu, Mar 21, 2013 at 2:56 PM, Ron Frazier (ALE) <
>> atllinuxenthinfo at techstarship.com> wrote:
>>
>>> Hi all,
>>>
>>> This just came out on the Security Now podcast.  I thought I'd pass it
>>> along.  I'll freely admit I don't understand everything discussed.
>>>  However, you guys more up on security stuff will be able to research this
>>> and act appropriately.  I'll explain this the best I can based on what I
>>> heard on the podcast.
>>>
>>> The podcast is entitled Telnet-pocalypse, and he reports on a very
>>> serious report by an anonymous White Hat researcher about vulnerable
>>> devices.  I have not attempted to verify this information other than what's
>>> stated in Steve's podcast and in the report cited, but it appears to be
>>> legitimate.
>>>
>>> http://twit.tv/show/security-now/396
>>>
>>>   <snip>
>>
>>
>> --
>> Jay Lozierjslozier at gmail.com
>>
>>


-- 
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20130321/3c3798e7/attachment.html>


More information about the Ale mailing list