Domain: digitalbond.com
Stories and comments across the archive that link to digitalbond.com.
Comments · 10
-
Re:WRONG on all counts & eat your words
See my subject & this link: No denying it
/https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785b [slashdot.org] & it's FAR from a complete list (even though it shows 100's of router security + inefficiency issues).Your argument is so old and tired I get a
/. 404 error, seriously I do. That said anyone who is using the factory provided firmware on a consumer router/firewall is dumb. OpenWRT or DDWRT are much better choices that offer better security and better options. Or if you prefer go and drop pfSense on some "powerful" but inexpensive hardware. As you will have a device like these between your computer and the internet I don't see how an argument about cost is an issue as you have your modem connected to the internet (DSL or Cable) and then either a router or firewall that your other gear sits behind. Depending on what hardware you have and layout your setup behind the router or firewall will vary greatly. * LMAO - again, that's you "networking menials" (that can't program their OWN solutions because you're limited) to a teeNot a millennial (I assume that it what you meant) by a long shot I do actually program and have through my employer contributed to a number of open source projects. You may have heard of a few of them.
WRONG! I don't understand "layered-security"/"defense-in-depth"? I wrote guides on it that even GOT ME PAID https://www.google.com/search?... [google.com]
Guess what I have contributed to guides on securing systems and am paid by my employer to do so when new versions and updates are sought. The difference is that what I have contributed to are respected and well known.
Also it looks like you are a bit to copy/paste happy as I see you are getting frustrated and double posting (see above and below). You really should look into getting treatment for your ails as something does appear to be wrong. -
Re:String the fucker up
if he calls himself a "hacker" he must be guilty.
I have to disagree, I'm identified as a hacker (one of my certifications actually uses the word "hacker" in the title) but I prefer the term "Security Engineer".
And you immediately know what that certificate is worth. It's bad for your rights, is what it is. And, of course, illegal, since it implies "computer hacking" and that's illegal, no matter what actually is going on. Maybe someone should tip the DA that this here "computer hacker certification company" (a/k/a legal front) is turning out "computer hackers" by the truckload and let's shut down that criminal organisation already.
The point here of course is that the "computer security" s'kiddies did go and done fscked things up, along with mass media including hollywood, and now a) the term means nothing any longer except in the meta-sense as a scare-word and proof of being a poser*, or perhaps complete nitwit, typically both, and b) it has been criminalised in an overbroad and therefore bad law--that law doesn't actually define what it's criminalising so it's up to "expert" witnesses to bicker and argue in court, in front of a confused judge and/or functionally ("digitally", or "cyber", or what have you) illiterate jury, how white and ETHICAL this here hat is this week. And here you are, admitting you're eating out of the same through and are therefore part of the problem. Thank you so much for your contribution, citizen.
* So indeed and exactly, you have a industry certificate marking you as a poser. Lucky you.
-
Source Code on Github ..
-
From the article
PLC = programmable logic controller
The CoDeSys runtime allows PLCs to load and execute so-called ladder logic files that were created using the CoDeSys development toolkit on a regular computer. These files contain instructions that affect the processes controlled by the PLCs.
According to the Digital Bond report, the CoDeSys runtime opens a TCP (Transmission Control Protocol) listening service that provides access to a command-line interface without the need for authentication.
One of those PLCs was running Linux on an x86 processor while another was running Windows CE on an ARM processor.
"We are aware of this security issue," Edwin Schwellinger, support manager at 3S-Smart Software, said Friday via email. "A patch is under development but not released. We are working with high pressure on these issues."
The vulnerability is only exploitable by an attacker who already has access to the network where the PLC runtime operates, Schwellinger said. Runtime systems should not be accessible from the Internet unless additional protection is in place, he said.
-
Runs Linux
According to Digital Bond, Beresford's PLC runs Linux. Cue the GPL requests for Siemen's source code now (I wonder if the backdoor username and password are hard-coded into a GPL's utility
:)).Disclosure: I work for Digital Bond.
Reid
-
Re:Interesting (highly speculative) link to Israel
I’m surprised at how often project names for secret projects have some relation on the project. This is really for you conspiracy theorists, but read the Book of Esther in the bible where Esther informs the King of a plot against the Jews. The King then allows the Jews to defend themselves, kill their enemies, Esther’s was born as Hadassah which means Myrtle. According to Symantec, “While we don’t know who the attackers are yet, they did leave a clue. The project string b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb appears in one of their drivers.” Myrtus is Myrtle. Yes this is a stretch, and of course even if this naming meant something it could be a feint to draw suspicion away from the actual attacker.
Or, from the Guava wikipedia page, the fruit is part of the Myrtle family. Furthermore, From http://en.wikipedia.org/wiki/Myrtus#Uses_in_myth_and_ritual,
In Jewish liturgy, it is one of the four sacred plants of Sukkot, the Feast of Tabernacles representing the different types of personality making up the community - the myrtle having fragrance but not pleasant taste, represents those who have good deeds to their credit despite not having knowledge from Torah study. Three branches are held by the worshippers along with a citron, a palm leaf, and two willow branches. In Jewish mysticism, the myrtle represents the phallic, masculine force at work in the universe.
-
Interesting (highly speculative) link to Israelfrom here
I’m surprised at how often project names for secret projects have some relation on the project. This is really for you conspiracy theorists, but read the Book of Esther in the bible where Esther informs the King of a plot against the Jews. The King then allows the Jews to defend themselves, kill their enemies, Esther’s was born as Hadassah which means Myrtle. According to Symantec, “While we don’t know who the attackers are yet, they did leave a clue. The project string b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb appears in one of their drivers.” Myrtus is Myrtle. Yes this is a stretch, and of course even if this naming meant something it could be a feint to draw suspicion away from the actual attacker.
-
Re:Power Station PLCs should _not_ be connected...
Not so fast. See the first paper in this bunch. The authors managed to hack a Koyo and AB PLC Ethernet interfaces. The AB Ethernet card had lots of useful stuff in it, including a symbol table. From the symbol table I saw many backplane calls that you could use to communicate with the PLC. How well do you trust a hacked Ethernet module on a PLC backplane?
Having a physically separate port is nice, but it is no substitute for secure coding. If you think that coding is poorly secured in the PC world, you'll be shocked at what often gets done in embedded system coding.
Some PLCs and Variable Frequency Drives have been noted for their inability to handle Denial of Service traffic. I've seen that demonstrated myself. This is the official cause of a reactor SCRAM at Browns Ferry a few years ago.
Try a port scan of your PLC some time and tell me how many ports it responds to (DO THIS ON A TEST-BENCH --NOT PRODUCTION EQUIPMENT!). If you can identify everything that critter responds to, congratulations. If not, be afraid. Be VERY afraid. I've heard quite a few PLC models that have mysterious responses to ports where you wouldn't expect them to respond.
Real Time embedded systems are not good candidates for direct internet exposure. They're too difficult to patch in a timely fashion. Often the windshield time alone is prohibitive. And if you have any notions of pushing patches to them remotely, remember, these things control some pretty high speed/high power processes. You don't just patch them. There are process and safety implications that you need to consider. This ain't some office application where you can say oops and restore from a backup. Real physical things will happen and real physical problems will be created that you can't clean up with a simple code reversion.
Most of our infrastructure today has not been engineered with security issues in mind. There is still lots of Gee Whiz "Let's Share Data" synergy crap going on. This leads to all sorts of direct interconnections that aren't absolutely necessary. Many controls can be made over links that weren't intended for that purpose. It's not easy to split the data flows up any more because many organizations have been very profligate with their use of SCADA information and it isn't easy to find all the sources and sinks.
I'd love to post data from a PLC directly to the public. But I just can't sleep at night with something like that waiting to screw things up.
Good luck with your security, and I mean that quite sincerely.
-
Re:NERC CIP to the rescue!
NERC to the rescue?! Sounds like you need to read the standards, specifically the Measures sections. These are NOT enforceable technical standards but guidelines as they only talk about auditing documentation - not about auditing operational security.
BTW, NERC is comprised of the energy companies who, guess what, don't have any interested in penalizing themselves. This is why FERC has issued a NOPR on them to attempt and remove out clauses like "reasonable business justification" and "technical feasibility". Not nearly enough to make these standards worth more than a gold star from management.
The industry needs to pull it's collective head out of it's er...out of the sand. These regulations are weak, designed by the regulated organizations, and administered by the regulated organizations. FERC simply has oversight as a regulatory authority and issues NOPRs as a way to pat themselves on the back for having done something.
The energy sector is extremely connected and a failure one place has a high degree of likelihood of cascading through the grid, as evidenced in 2003 with the Northeast blackout. That event is the very reason these standards were developed. The standards suck, are not enforceable to any degree of meaning, and are left open to interpretation by the individual utilities.
The industry has been sleeping, and there are no signs of it waking up any time soon:
http://www.digitalbond.com/index.php/2007/08/09/fe rc-proposes-changes-to-nerc-cip/
http://www.digitalbond.com/index.php/2007/08/22/se cure-by-default-no-sale/ -
Re:NERC CIP to the rescue!
NERC to the rescue?! Sounds like you need to read the standards, specifically the Measures sections. These are NOT enforceable technical standards but guidelines as they only talk about auditing documentation - not about auditing operational security.
BTW, NERC is comprised of the energy companies who, guess what, don't have any interested in penalizing themselves. This is why FERC has issued a NOPR on them to attempt and remove out clauses like "reasonable business justification" and "technical feasibility". Not nearly enough to make these standards worth more than a gold star from management.
The industry needs to pull it's collective head out of it's er...out of the sand. These regulations are weak, designed by the regulated organizations, and administered by the regulated organizations. FERC simply has oversight as a regulatory authority and issues NOPRs as a way to pat themselves on the back for having done something.
The energy sector is extremely connected and a failure one place has a high degree of likelihood of cascading through the grid, as evidenced in 2003 with the Northeast blackout. That event is the very reason these standards were developed. The standards suck, are not enforceable to any degree of meaning, and are left open to interpretation by the individual utilities.
The industry has been sleeping, and there are no signs of it waking up any time soon:
http://www.digitalbond.com/index.php/2007/08/09/fe rc-proposes-changes-to-nerc-cip/
http://www.digitalbond.com/index.php/2007/08/22/se cure-by-default-no-sale/