Domain: stearns.org
Stories and comments across the archive that link to stearns.org.
Comments · 26
-
Re:The Internet of Things
It is trivial to make a "one way, unhackable" ethernet connection to export data to an unsafe network device.
You have a machine on the SCADA network with TWO network cards. One connects to another PC on the insecure network via an ethernet cable with ONLY the TX wires connected. No RX lines. Set both to a static IP and then UDP broadcast your information from the secure PC to the insecure one.
There is no hacker or security expert on this planet that can hack that connection and gain access to the SCADA system. Unless they found a way around physics or can teleport things with their mind.
http://www.stearns.org/doc/one-way-ethernet-cable.html
The problem is most places refuse to hire educated IT staff with experience in security. They want low cost MCSE holders that can barely do their job at the lowest cost possible.
If updates to SCADA software are needed, "most are not in reality", you use write-once media such as a DVD or BluRay created on a machine that has nothing to do with the SCADA system and based on an OS that is drastically different, to further reduce the chances of homogeneous OS infection vectors. If it's important, then the files are inspected byte by byte on a security computer designed to look for infections and injection. Then, after full and careful inspection, you apply the updates.
THIS is how you run a critical system SCADA network. And 99% of them out there are not run this way, as the people in charge of it have zero education in security, let alone networking and IT.
-
Re:Why don't you just hire a competent sysadmin?
"Just" is such a dangerous word when deleting data.
You can download William Stearns's fully-debugged version, though:
http://www.stearns.org/freedups/
inotify can't watch an entire filesystem. No current *notify kernel hooks can offer this, unfortunately.
-
Re:and why...
Note: if you don't know what a "unidirectional ethernet cable" is, think standard Cat 5 with the TX wires clipped off on one end http://www.stearns.org/doc/one-way-ethernet-cable.html and YES they do work PC to PC with the right settings or by using a switch where you can force a port on without negotiation.
I don't see how TCP could possibly work over a unidirectional ethernet cable. Only UDP. And even then only if the higher level network code was designed to handle generic broadcast to an IP address without anything initiating the connection or any kind of handshaking, etc. My point being that virtually no software would work with such a cable unless it was specifically designed to handle that scenario.
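The two posts above (the TX-only cable with UDP broadcast, and the reply that only connectionless, non-handshaking software can work over it) leave out what the receiving side has to do on its own. The following is an added example, not code from the original posts or from stearns.org, of the framing such an exporter would need: the receiver can never acknowledge or request a retransmission, so every datagram carries a sequence number for gap and replay detection and an HMAC so the insecure side can drop corrupted or forged frames. The key and the readings are constructed placeholders, and the integrity tag goes a little beyond what the posts describe.

```python
import hashlib
import hmac
import struct

# Constructed demo key; a real deployment provisions this out of band,
# because nothing can be negotiated over a link with no return path.
KEY = b"constructed-demo-key"
MAGIC = b"OW1"                 # marks frames that belong to this exporter
HDR = struct.Struct("!3sIH")   # magic, sequence number, payload length
TAG_LEN = hashlib.sha256().digest_size

def encode_frame(seq: int, payload: bytes) -> bytes:
    """Build one datagram: header + payload + HMAC-SHA256 tag."""
    body = HDR.pack(MAGIC, seq, len(payload)) + payload
    return body + hmac.new(KEY, body, hashlib.sha256).digest()

def decode_frame(datagram: bytes):
    """Return (seq, payload), or None if the frame is malformed or not authentic."""
    if len(datagram) < HDR.size + TAG_LEN:
        return None
    body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()):
        return None
    magic, seq, length = HDR.unpack_from(body)
    if magic != MAGIC or len(body) != HDR.size + length:
        return None
    return seq, body[HDR.size:]

class Receiver:
    """Insecure-side state: counts gaps (lost frames) and ignores replays,
    the two things the one-way link itself can never correct."""
    def __init__(self):
        self.last_seq = None
        self.lost = 0

    def accept(self, datagram: bytes):
        decoded = decode_frame(datagram)
        if decoded is None:
            return None
        seq, payload = decoded
        if self.last_seq is not None:
            if seq <= self.last_seq:
                return None            # duplicate or replayed frame
            self.lost += seq - self.last_seq - 1
        self.last_seq = seq
        return payload

def send_readings(sock, readings, start_seq=1, addr=("255.255.255.255", 5000)):
    """Secure side: broadcast each reading as its own frame. Limited broadcast
    needs no ARP reply, which a TX-only sender could never receive."""
    for i, reading in enumerate(readings):
        sock.sendto(encode_frame(start_seq + i, reading.encode()), addr)
```

`send_readings` expects a UDP socket with `SO_BROADCAST` enabled on the interface wired to the clipped cable.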
-
and why...
Is a FRACKING SCADA system on the internet?
The Plant manager needs to be fired on the spot. There is ZERO need to have a full connection from a SCADA system to any internet accessible networks.
An airgap for data is standard operating procedure for these things. Hell, even crap SCADA software like "wonderware" supports a unidirectional ethernet cable and UDP broadcasting of the data stream so that you can airgap it from the administrative computers doing data collection.
Note: if you don't know what a "unidirectional ethernet cable" is, think standard Cat 5 with the TX wires clipped off on one end http://www.stearns.org/doc/one-way-ethernet-cable.html and YES they do work PC to PC with the right settings or by using a switch where you can force a port on without negotiation.
No hacker on this planet can crack a system that is at the other end of this type of cable, unless he has physical access.
-
Re:Dear world....
I suggest you learn networking as well as Ethernet, oh and take your lithium your Bipolar is showing.
Here is some reading material that might be too advanced for you, but I like to share...
http://www.sun.com/bigadmin/content/submitted/passive_ethernet_tap.jsp -- how to receive only network traffic.
http://www.public.asu.edu/~sksrini2/Projects/TFTP/AP36.pdf -- basics on how to broadcast data on transmit only, might be too advanced for you.
http://www.stearns.org/doc/one-way-ethernet-cable.html -- more info for your basic education. And that was with 3 seconds of Google searching... another thing you seem to be incapable of understanding; there are a lot of websites out there that can help you learn how to use a search engine and Google.
Also look up what UDP broadcast is, you seem to be significantly deficient in your education as a whole. Networking is hard, you should leave it to those of us that know what we are doing and actually have an education in it.
-
Re:From what I understand
You don't necessarily need an airgap. You just need the network so that you can read SCADA status info and alert based on that.
http://www.stearns.org/doc/one-way-ethernet-cable.html
Be able to read from WAN->SCADA, but never be able to write.
-
Re:Dangerous
The utility you're looking for is lzip. It's great. I've compressed a load of files on my server, and have _loads_ of disk space free now.
Sadly, the sourceforge page appears to have been taken down. I'm somewhat disappointed that there wasn't enough interest to sustain this project.
-
lzip!
Just use lzip! 100% compression on any data, even if it's already been compressed by another utility! It works fantastically, but you may run into trouble if you try uncompressing the data.
-
Here's one I've been using for a while
fanout and fanterm
We use fanout to run wsadmin.sh and deploy apps across our WebSphere App servers. We were using the NDM but found custom scripts to be much more reliable. It's really handy for JspBatchCompile.sh as well.
Fanterm is just FUN. Run fanterm against a list of servers and see how much.
-
The proper way to do this.
They have two options for this:
1) Cygwin
2) Dedicated Shell Server
Within this environment you will use fanout from Bill Stearns
A) If the remote systems are not set to "UseLogin yes" in sshd_config then the custom environment can be used with environment='whatever=whatever' in the remote ~/.ssh/authorized_keys. This, of course, would also require a key, which may not be possible, as well as "PermitUserEnvironment yes" set in sshd_config.
B) The env channel from the ssh client can set the environment on the remote system. This also will not work if "PermitUserEnvironment no" is set in sshd_config.
C) If "PermitUserEnvironment yes" is set then ~/.ssh/environment will also be evaluated upon login. This would not be advised, as it appears as though multiple users aside from the admin's would be using the account(s).
Remember, A and B rely on C to work.
You will receive the following if it is not set up correctly:
Server refused to set environment variables
Anyways, fanout is the method of choice for issuing commands across multiple servers at the same time while providing the output of those commands to the controlling terminal. Just set up a few variables and include them in the remote command(s).
-
Lzip support?
The software now supports the PPMd and bzip2 compression formats
Does anyone know if the free version supports lzip? I've been looking for a Windows tool that can read my old lzip archives - there's some good stuff in there.
-
Re:"Make my day"
Supposedly, the rat was so caught up in pressing the pleasure lever, it never got around to pushing the food lever, and starved to death.
Leading to the famous quote:
"If addiction is judged by how long a dumb animal will sit pressing a lever to get a 'fix' of something, to its own detriment, then I would conclude that netnews is far more addictive than cocaine."
-- Rob Stampfli
(source)
-
Re:Yes...
To force myself to learn Python, I'm thinking of setting up a Python daemon that will listen for an "administrator" machine that pushes commands that a company's SysAd wants.
You may wanna check out FanOut and FanTerm. Both programs are used to run commands on multiple boxes via SSH. FanOut does non-interactive commands, and FanTerm pulls up one window for each SSH session. You type commands into the master window then see the results from each machine in the slave windows.
Combine that with certificate authentication for your SSH logons and you're good to go.
-
a few things
fanout is a handy app for passing the same exact identical command to multiple servers at once. Since you're running 10 servers with the same distro, this seems like it would be handy for you at times. (updating etc)
Get one (preferably two) test systems and install and prep them as if they were the machines you were using. Hell, get one of those 10 servers and make a backup of it and restore it to your test systems.
Essential System Administration by O'Reilly is pretty good (although it covers a lot of ground...good for theory and the "why is it like this?" stuff). Linux Server Hacks (also on O'Reilly) is quite handy as well.
-
Re:2.4.23-pre?
According to a quick Google search the fix was first implemented in 2.4.22-bk45, but it appears in the changelog for the "Summary of changes from v2.4.23-pre6 to v2.4.23-pre7" as well; I'm not sure why this is.
The actual change reported is:
marcelo:dmt.cyclades:
o Fix missing part of Centrino cache detection change
o Add TASK_SIZE check to do_brk()
There's a 2.4.23-pre8 UML kernel at stearns.org, I'd probably use that (if you don't want to compile your own). The 2.4.23-pre8 can be downloaded from here and the .config can be found here
-
Article/Editorial illegal use
I have an article on illegal activities under this law at: http://www.stearns.org/doc/networking-felony.current.html
-
Hi
I read this article a few days ago and bookmarked most of the links I thought valuable. If anyone else is interested, add some more to this thread so I can grab them.
:)
Exported bookmarks Fingerprint
blackhole(4) - a sysctl(8) MIB for manipulating TCP
Help Net Security OS-FngrPrint article in PDF
Honeyd - Network Rhapsody for You
http://ojnk.sourceforge.net/stuff/iplog.readme
http://www.insecure.org/nmap/nmap-fingerprinting-article.txt
IP Personality - Home
Kernel Options
p0f file listing
PhoneBoys FireWall-1 FAQs: Blocking queSO packets
s0ftpr0ject 2000 Fingerprint Fucker
Security Technologies
SourceForge.net: Project Info - SING
Sys-Security.com - Because Security is not Trivial
USENIX Technical Program - Abstract - Security Symposium - 2000
-
Re:No wonder these servers have so many problems
(I do realize that the post was supposed to be funny, but I suspect that people will wonder why there aren't more if the 13 get overloaded). This was tried a few years back; additional nameservers were put in place. Because the query for the root nameservers no longer fit in a udp packet, dns servers had to fall back to dns/tcp requests just to get the list of root nameservers, and we were reminded that a large number of firewalls block dns/tcp. With so many sites no longer able to make any dns lookups, the number was dropped back to 13 within a day.
For those that would like to try the dnstop package mentioned on the site, I have signed rpms available.
-
Linux RPMS and a public server
Linux RPMs of the tool can be found at http://www.stearns.org/iip/. Also, there's a public server at wstearns.stearns.org:6667
-
rsync-backup - a similar approach
I have a similar script called rsync-backup. This one does automatic daily snapshots, works over ssh, and uses rsync and hardlinks (to save space), chroot, and an ssh forced command for security.
-
Re:Signatures?
It's way more complicated than that. Just read the "what's new" page for a good summary:
http://razor.sourceforge.net/docs/whatsnew.html
Actually, the version 2 protocol has been in use for some time. On my system, where I installed Razor in February 2002:
paul@wallace ~ > razor-check -v
Razor Client Tools 1.19, protocol version 2
Shame on me. Apparently I missed Vipul's announcement four days ago that everyone needs to upgrade to version 2.06.
Eventually, Razor is going to use the Nilsimsa Hash Algorithm, which is supposed to be able to detect spams where the spammer made only a minor change to avoid being matched against previously transmitted copies. The Razor V2 protocol has support for this hashing algorithm and others. Who knows, maybe they've already implemented it? Ought to take a peek at the perl code sometime....
-
The real problem
The real problem is not lack of bandwidth. There's plenty of it to go around. What saddens me is that the ISC is throwing away most of $80,000 annually because people can't be bothered to patch their kernel, and instead rely on downloading the full 20MB tarball every time a new kernel is released.
The solution to the problem is really quite simple. As Larry McVoy, who maintains the powerful but non-free BitKeeper RCS system and knows a thing or two about patches, has hinted, kernel.org may be better off not providing a tarball for each release, instead providing some kind of utility that downloads the latest available full kernel, but only if necessary, plus patches. I'd be all for it. In the meantime, there are a number of incremental patching systems for the Linux kernel that automatically download patches, verify their signatures and patch the kernel, which may be worth looking into to save time, bandwidth and resources:
- dlkern
- buildkernel
- lkpatch, which has fallen into disrepair
Of course, it goes without saying that everyone should still use their local mirror, particularly as kernel.org will only be accessible to mirrors for the foreseeable future.
-
Re:There have already been some Linux worms
100% agreed; when Ramen came out it exploited vulnerabilities that had been patched 3 and 6 months before.
Just for reference, there are detection and removal tools for all of these worms at ISTS/Dartmouth College. GPL'd, source at www.stearns.org/detectlib. (Many thanks to ISTS and SANS for their contributions).