[ale] researcher's linux worm infects 400 K + devices by TELNET
Jay Lozier
jslozier at gmail.com
Thu Mar 21 23:46:57 EDT 2013
On 03/21/2013 10:39 PM, David Tomaschik wrote:
> On Thu, Mar 21, 2013 at 4:09 PM, Jay Lozier <jslozier at gmail.com
> <mailto:jslozier at gmail.com>> wrote:
>
> On 03/21/2013 06:30 PM, Jim Kinney wrote:
>>
>>
>> On Thu, Mar 21, 2013 at 5:53 PM, Jay Lozier <jslozier at gmail.com
>> <mailto:jslozier at gmail.com>> wrote:
>>
>> On 03/21/2013 03:41 PM, Jim Kinney wrote:
>>> in short: embeded system MUST be locked down or fully
>>> upgradeable.
>>>
>>> Basically this guy found a zillion embedded Linux devices
>>> and they were all set up stupidly. Crap like telnet running
>>> with a root password of root and just boneheaded stuff like
>>> that.
>>>
>>> It's one of the blowbacks from rapid Linux adoption - idiots
>>> make devices with a full OS installed and -WHAM- you've a
>>> got a root-bot.
>>>
>>> Embedded devices are hard to get really right. Probably
>>> impossible to get totally secure. SCADA security woes are
>>> based on a zillion embedded windows 98 and XP devices that
>>> run utilities and water treatment plants and industrial
>>> processes. Full of security holes and not fixable without a
>>> hardware refresh (at 4x the cost of the original device).
>>>
>> Could the telnet and related packages be removed without
>> causing any problems?
>>
>> My understanding it these devices are burned into ROM and not
>> upgradeable.
> Next semi-stupid question, since a Linux distro is customizable
> could one make one with only the apps needed for the intended
> service? And related, just how hard is it to create a customized
> or adapt an existing distro for a specific purpose (not having
> done this personally)? And once installed, have a firewall turned
> on automatically
>
>
> Most embedded devices that run Linux don't run what you'd typically
> think of as a distro -- more often it's something similar to Linux
> From Scratch. Usually you find a kernel, busybox, and a few tools
> specific to the device. That being said: telnet was most likely on
> those devices *on purpose*: many embedded devices want to have some
> sort of management capability, and the telnet daemon was there to
> provide it. Many embedded vendors are too cheap to provide enough
> flash & RAM to run SSH, or they labor under the assumption the device
> will only be on a "secure" network. That being said, telnet wasn't
> really the problem here. Even if they'd been using SSH, root/root (or
> anything else Hydra can guess in less than, say, a day) for
> credentials is unforgivable.
I can understand reducing costs to a point but if you endanger the end
user by being too cheap you deserve whatever the shysters can shake you
down for. Some basic security goes a long way and removing a security
risk should be done. IMHO the problem is that you should have an on-site
service call not a remote log in because often there is more wrong than
just a software problem or at least that is my experience with plants.
>
>>
>> Also, how many of these devices need to be connected to the
>> Internet?
>>
>> directly and no firewall installed.
>>
>>
>> One of the problems with the SCADA devices is that the older
>> devices were never intended to be connected to something like
>> the Internet. If they were connected to any devices, it was
>> to be a local, independent control network with no outside
>> connections.
>>
>>
>> But they all got plugged in anyway because it was "easier" to
>> manage them.
> My question is who needs to manage this off site? Most sewage and
> water treatment plants do not need this; the control facility
> should be on site.
>
>
> Many vendors have these sort of things set up so they can provide
> remote troubleshooting/management. Yes, apparently a VPN is too much
> trouble...
The old SCADA systems used ladder logic and once the system was working
the program was rarely the problem. Very rarely one might need to reload
the program but these programs were generally one-off because each plant
was different and the customer was usually given a copy of the program
on some media. At least that was the practice 10 years ago.
>
>> <sigh>
>>
>> this stuff (what a decent SysAdmin does) is really hard to do
>> even half-assed. Damn near impossible to do it well. Add in the
>> PHB/cheap factor and it turns into a clusterfook real fast.
> Or a politician trying their best to subtract from the sum total
> of human knowledge.
>
>>
>>
>>> On Thu, Mar 21, 2013 at 2:56 PM, Ron Frazier (ALE)
>>> <atllinuxenthinfo at techstarship.com
>>> <mailto:atllinuxenthinfo at techstarship.com>> wrote:
>>>
>>> Hi all,
>>>
>>> This just came out on the Security Now podcast. I
>>> thought I'd pass it along. I'll freely admit I don't
>>> understand everything discussed. However, you guys more
>>> up on security stuff will be able to research this and
>>> act appropriately. I'll explain this the best I can
>>> based on what I heard on the podcast.
>>>
>>> The podcast is entitled Telnet-pocalypse, and he reports
>>> on a very serious report by an anonymous White Hat
>>> researcher about vulnerable devices. I have not
>>> attempted to verify this information other than what's
>>> stated in Steve's podcast and in the report cited, but
>>> it appears to be legitimate.
>>>
>>> http://twit.tv/show/security-now/396
>>>
>> <snip>
>>
>>
>> --
>> Jay Lozier
>> jslozier at gmail.com <mailto:jslozier at gmail.com>
>>
>
>
>
> --
> David Tomaschik
> OpenPGP: 0x5DEA789B
> http://systemoverlord.com
> david at systemoverlord.com <mailto:david at systemoverlord.com>
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
--
Jay Lozier
jslozier at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20130321/854d6e5e/attachment-0001.html>
More information about the Ale
mailing list