Slashdot Mirror


Backdoor In RuggedOS Systems: Infrastructure, Military Systems Vulnerable

FhnuZoag writes "A backdoor has been found in Canadian-based RuggedCom's 'Rugged Operating System', providing easy access to anyone with the device's MAC address — something often publicly displayed. Rugged OS is being used in a wide range of applications, including traffic control, power generation, and even U.S. Navy bases. The backdoor was first found over a year ago, and RuggedCom have so far refused to patch out the exploit." The exploit is trivial: each device has a permanent "factory" user, and an automatically generated password derived from the MAC.

154 comments

  1. Nothing is 100% secure. by sandytaru · · Score: 0

    Nothing. At. All.

    --
    Occasionally living proof of the Ballmer peak.
    1. Re:Nothing is 100% secure. by LordAndrewSama · · Score: 5, Funny

      There's a difference between "Nothing is 100% secure" and "Why yes sir, I will lay out the welcoming mat for you".

    2. Re:Nothing is 100% secure. by Pharmboy · · Score: 1

      You are correct. The issue isn't how easy it is to exploit, but rather how easy it would have been to not have this "feature", and the failure to address it.

      --
      Tequila: It's not just for breakfast anymore!
    3. Re:Nothing is 100% secure. by ColdWetDog · · Score: 5, Funny

      Never play cards with a man called Doc. Never eat at a place called Mom's. Never sleep with a woman whose troubles are worse than your own.

      Never trust an OS with the 'Rugged' in it's name.

      --
      Faster! Faster! Faster would be better!
    4. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 0

      I would direct you to Less Wrong on this particular logical fallacy.

    5. Re:Nothing is 100% secure. by cpu6502 · · Score: 4, Insightful

      >>>the failure to address it.

      I suppose this is why OSS advocates claim closed-source is bad? You can't fix the problem yourself, and if the company refuses to do it, then you're stuck.

      --
      My AC stalker: " I personally agree with your posts most of the time, but that won't keep me from modding you troll"
    6. Re:Nothing is 100% secure. by yoyoq · · Score: 5, Informative

      never get involved in a land war in Asia Never go against a Sicilian when death is on the line

    7. Re:Nothing is 100% secure. by Beardo+the+Bearded · · Score: 4, Informative

      Okay, this feature has its use. Let's say Beardo works for the city for 15 years and puts a password on all the light controllers. That's only sane, right? You don't want some asshole changing the light pattern so they get a green light every morning at 7:43 when they're on their way to work or disabling the first-responder receiver.

      Let's also assume that Beardo got passed over for a raise AGAIN and decided, "okay, that's it, I'm leaving." Five years later they have to change the timing for some reason, let's say more traffic at the intersection or something, and Beardo is nowhere to be found. He's got a new job in Bermuda and you'll never hear from him again. (I actually did have a co-worker get a job in Bermuda and to this day I am unable to determine if he is alive or dead.)

      Or let's just say Beardo forgot the password. "Oh, I think it was a seven-digit prime number... I don't think I wrote that down anywhere..."

      You've got to either find the password or send the unit back to the factory to get it reset to the blank factory default (Automation Direct will do this). People forget passwords. I'm sure once we switch to biometrics people will forget their thumbs or something.

      HOWEVER this feature should require some kind of dongle from the manufacturer or some kind of wetwork. Well, then I guess the exploit then becomes "anyone with $175 to buy an NRD-1298 from Rugged can run a Perl script". Even if there was a master password list in the factory then someone could break in or bribe their way into the system. Maybe this password should only work on a direct link like the serial port.

      What I guess the company could have done is add the PO number or customer number to the MAC address and then use a more robust password generator to figure it out. I'm not entirely sure what they could do to make it a secure way of getting into your legitimately owned, but inadvertently locked, machine.

      Hell, if you get two keys for a master-locked system you can narrow down the master key to one of 17 possibilities. We don't go around telling people that their doors aren't going to work.

      Also, I hate to mention this, but I've said it before, the military uses weaponry to enforce their system security. If you're sitting on a rowboat with a parabolic dish, the frigate is going to shoot bullets at you.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    8. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 1

      Nice over-architected solution. Sorry you took so long to type out such an insanely complex impossible to implement solution. Maybe RuggedCom has a job for you!

      Alternate option: Simply make a bootrom option such that someone at the console during a power cycle can bypass the authentication. Cisco implemented this. It's not hard. No magic calculations, PO numbers, customer numbers.

      http://www.cisco.com/en/US/products/hw/routers/ps259/products_password_recovery09186a0080094675.shtml

    9. Re:Nothing is 100% secure. by gstoddart · · Score: 4, Insightful

      I think you're giving them far too much credit.

      A password generated using an externally visible attribute of the device is pure incompetence and making stupid decisions.

      This isn't about Beardo going away and losing the password, it's about someone making one of those shockingly stupid decisions about convenience over security which leads to security through obscurity.

      As TFS says, this is bordering on a trivial exploit since you can likely hack any and all devices running this OS merely by figuring out its MAC address.

      What's more, researchers say, for years the company hasn't bothered to warn the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear that the account can give attackers the means to sabotage operations that affect the safety of huge populations of people.

      This is just blatantly moronic. If you're marketing yourself for "mission critical", don't do something this stupid.

      --
      Lost at C:>. Found at C.
    10. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 0

      Never drink with a russian.

    11. Re:Nothing is 100% secure. by Yvan256 · · Score: 1

      I actually did have a co-worker get a job in Bermuda and to this day I am unable to determine if he is alive or dead.

      Oh, he's not alive. He's not dead either. He went for a boat ride and he's just.... gone.

    12. Re:Nothing is 100% secure. by cayenne8 · · Score: 3, Funny

      never get involved in a land war in Asia Never go against a Sicilian when death is on the line

      Hmmm....I happen to have some iocane here....care to partake in a battle of wits?

      :)

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    13. Re:Nothing is 100% secure. by splatter · · Score: 3, Insightful

      Never bet on a pool game against anyone named after a state.

      --
      "(I) have this unfortunate condition that causes me not to believe a single thing any politician says when a mic's on.
    14. Re:Nothing is 100% secure. by Jeremi · · Score: 2

      HOWEVER this feature should require some kind of dongle from the manufacturer or some kind of network.

      Or, you could do what every $35 Internet router in the history of Best Buy does: put a little 5-cent button on the back of the device that restores its default settings (or bypasses the password check, or whatever).

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
    15. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 2, Funny

      Or let's just say Beardo forgot the password. "Oh, I think it was a seven-digit prime number... I don't think I wrote that down anywhere..."

      Why on earth would he set the password to 8675309? That's just silly.

    16. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 0

      Never play cards with dwarfs or elves.

    17. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 0

      Excellent article. Someone also pointed to The Relativity of Wrong by Asimov which is worth reading.

    18. Re:Nothing is 100% secure. by H0p313ss · · Score: 5, Insightful

      Never get involved in a software project where the team leader says either "agile" or "scrum" in every second sentence.

      --
      XML is a known as a key material required to create SMD: Software of Mass Destruction
    19. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 0

      Or let's just say Beardo forgot the password. "Oh, I think it was a seven-digit prime number... I don't think I wrote that down anywhere..."

      Why on earth would he set the password to 8675309? That's just silly.

      Probably for a good time.

    20. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 1

      Yup, but it's /marketed/ as "mission critical".

      Just saying that if you're /buying/ "mission critical" kit, then you're the moron for not having thorough standards it must meet, and that includes a method of proving it does meet these.

      This was outsourcing responsibility. This is buying a warranty, buying an insurance package you'll have to go to court to attempt to collect.

      If you're outsourcing a "mission critical" aspect of your business, then you're not in that business. Then you're just a middleman.

      "Case's primary insight into the dynamics of street dealing was that neither the buyer nor the seller really needed him. A middleman's business is to make himself a necessary evil. The dubious niche Case had carved for himself in the criminal ecology of Night City had been cut out with lies, scooped out a night at a time with betrayal."

    21. Re:Nothing is 100% secure. by Beardo+the+Bearded · · Score: 3, Insightful

      Right, which means anyone with a pair of overalls can change the light controller.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    22. Re:Nothing is 100% secure. by roc97007 · · Score: 1

      Nothing. At. All.

      Absolutely correct, but building in a back door with a password easily derived is almost, but not quite, entirely unlike security.

      This makes me wonder how many other OS variants used in control systems have "factory" users built in.

      ...because you know damn good and well, if it's worth knowing, bad people will know it.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    23. Re:Nothing is 100% secure. by osu-neko · · Score: 1

      Cue the platitudes that could be generically posted into half the articles on /. without reference to the article supposedly being commented on.

      Oh, I see you're way ahead of me. Carry on...

      --
      "Convictions are more dangerous enemies of truth than lies."
    24. Re:Nothing is 100% secure. by Burning1 · · Score: 1

      That's all well and good... But maybe instead of using an back door account that is easily derived from the MAC address, they should have installed a public key?

    25. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 1

      What's more, researchers say, for years the company hasn't bothered to warn the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear that the account can give attackers the means to sabotage operations that affect the safety of huge populations of people.

      This is just blatantly moronic. If you're marketing yourself for "mission critical", don't do something this stupid.

      Two guys, a pickup truck, and a box of grenades can do roughly a billion dollars of damage an hour in the greater Houston area, just hand tossing from public highways. There's a lot of trust in the world...what's moronic is trusting that any kind of password lock access on a computer system is "secure" from the bad guys. If a password is typed in, a telephoto high def video camera can snag it from across the street or Beardo the Disgruntled can give it to a bad guy as a prank.

      Yeah, o.k., the MAC address as password scheme is a little more lame than some and should be stopped, but don't think that ANY password based scheme is really secure from a determined attacker.

    26. Re:Nothing is 100% secure. by Ihmhi · · Score: 3, Informative

      wetwork

      Is this some sort of computer security term? "Wetwork" is slang for "murder" in the espionage world.

    27. Re:Nothing is 100% secure. by gstoddart · · Score: 1

      Two guys, a pickup truck, and a box of grenades can do roughly a Billion dollars of damage an hour in the greater Houston area

      And here I thought that was a normal Friday night in Texas. ;-)

      --
      Lost at C:>. Found at C.
    28. Re:Nothing is 100% secure. by Beardo+the+Bearded · · Score: 1

      Solder in a jumper or resistor.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    29. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 0

      Never expect supporters of any organisation with the words "family" or "marriage" in its name to be anything less than bigoted, theocratic and idiotic cunts of the highest caliber.

    30. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 1

      Never play 3D chess with a Wookie.

    31. Re:Nothing is 100% secure. by Darinbob · · Score: 1

      Not so sure on that. I won a lot of money off of a guy named Vermont Average Build.

    32. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 0

      Thank God they secured those WMDs.

    33. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 0

      Really? I used to win big against Despair Andy. You had to keep an eye on Neglect Steven, though. He might have looked like a transient, but he could run a table like nobody's business.

    34. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 0

      Or let's just say Beardo forgot the password. "Oh, I think it was a seven-digit prime number... I don't think I wrote that down anywhere..."

      Why on earth would he set the password to 8675309? That's just silly.

      I just learned something new today.
      FUCK YOU, asshole AC!

    35. Re:Nothing is 100% secure. by Sam+Nitzberg · · Score: 4, Funny

      Never say never

    36. Re:Nothing is 100% secure. by gweihir · · Score: 1

      There's a difference between "Nothing is 100% secure" and "Why yes sir, I will lay out the welcoming mat for you".

      Indeed. But the concept of "degree" is something beyond quite a few people. For them it is always black and white. Stupid really, but widespread. If the world were black and white, there would be zero point in risk management. Instead it is one of the most important supporting disciplines for technology. And one quite a few people do not get at all.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    37. Re:Nothing is 100% secure. by Ihmhi · · Score: 1

      Ah, thanks! Now if I ever meet an electrical engineer who is also a spy, I can humorously confuse him!

    38. Re:Nothing is 100% secure. by DarwinSurvivor · · Score: 3, Insightful

      Once you have physical access, it's game over.

    39. Re:Nothing is 100% secure. by jd · · Score: 1

      Have the master password database at the manufacturer strongly encrypted, then have the password for that database on a couple of smartcards (one for use in recovery, one held elsewhere as a backup in case the first is rendered unusable). The database is only at risk if the smartcard's contents are intercepted by malware on that machine, up to (but not beyond) the point where the database is re-encrypted under a new key. If the machine is properly secured, the risk of this is close to zero.

      OR

      Have the master password database at the manufacturer off the corporate network. Passwords must be transferred physically from the master password computer to a networked machine in order to be used. Only the keys being used at that instant are ever at risk, the rest of the database is invisible. If the machine is properly secured, the risk of intercepting even the one or two keys exposed is close to zero.

      OR

      Use a one-time password system. You call up the manufacturer by phone, you read the challenge to them and they read you back what to type in to reset the administrator password. Since this changes each time a connection attempt is made, even if the call is intercepted the password is useless as a new socket connection by an intruder would have a different challenge even if created before the operator typed the answer to the challenge in.

      The problem is that manufacturers are part of the precipitate rather than part of the solution.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
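The one-time challenge/response reset that jd's third option describes, worked through as added example code (not RuggedCom's firmware and not any vendor's real procedure; the serial number, the vault secret and the `manufacturer_hotline` stand-in for the phone call are all constructed for the example):

```python
import hashlib
import hmac
import secrets

# Constructed sample: the manufacturer's vault maps each device serial to a
# per-device secret provisioned at manufacture. Unlike a MAC-derived password,
# nothing printed on the device label lets an outsider recompute it.
MANUFACTURER_VAULT = {
    "SN-CONSTRUCTED-0001": bytes.fromhex("7d1c3a9f0b55e6c2a4d8e1f20c9b7a6e"),
}

RESPONSE_DIGITS = 8  # short numeric code that can be read back over the phone


def response_for(secret: bytes, serial: str, challenge: str) -> str:
    """Manufacturer side: the one-time reset code for this serial and this challenge."""
    tag = hmac.new(secret, f"{serial}|{challenge}".encode(), hashlib.sha256).digest()
    # Truncate to 8 decimal digits. That is only acceptable because the device
    # limits attempts per challenge and every new session voids old codes.
    return str(int.from_bytes(tag[:8], "big") % 10**RESPONSE_DIGITS).zfill(RESPONSE_DIGITS)


def manufacturer_hotline(serial: str, challenge: str):
    """Constructed stand-in for the phone call: look up the vault, read back the code."""
    secret = MANUFACTURER_VAULT.get(serial)
    return None if secret is None else response_for(secret, serial, challenge)


class Device:
    """Device side: a random challenge per session, consumed on success or lockout."""
    MAX_ATTEMPTS = 3

    def __init__(self, serial: str, secret: bytes):
        self.serial = serial
        self._secret = secret      # provisioned at the factory, never displayed or exported
        self._challenge = None     # no reset session open
        self._attempts = 0
        self.admin_reset = False

    def begin_reset(self) -> str:
        """Open a recovery session (e.g. from the console) and show a fresh challenge."""
        self._challenge = secrets.token_hex(8)
        self._attempts = 0
        return self._challenge

    def finish_reset(self, code) -> bool:
        """Check the code the operator typed in against the currently open challenge."""
        if self._challenge is None or not isinstance(code, str):
            return False
        self._attempts += 1
        expected = response_for(self._secret, self.serial, self._challenge)
        ok = hmac.compare_digest(expected, code)
        if ok or self._attempts >= self.MAX_ATTEMPTS:
            self._challenge = None  # single use: success or lockout closes the session
        if ok:
            self.admin_reset = True
        return ok


def legitimate_recovery(device: Device):
    """Owner reads the challenge to the hotline and types back the code. Returns (ok, code)."""
    challenge = device.begin_reset()
    code = manufacturer_hotline(device.serial, challenge)
    return device.finish_reset(code), code


def replayed_code(device: Device, captured_code: str) -> bool:
    """Someone who overheard an earlier call replays that code against a new session."""
    device.begin_reset()  # new random challenge, so the old code no longer matches
    return device.finish_reset(captured_code)


if __name__ == "__main__":
    dev = Device("SN-CONSTRUCTED-0001", MANUFACTURER_VAULT["SN-CONSTRUCTED-0001"])
    ok, code = legitimate_recovery(dev)
    print("legitimate reset:", ok, "code:", code)
    print("replay of that code:", replayed_code(dev, code))
```

The point of the exchange is the one jd makes: the code is bound to a challenge the device just generated, so overhearing one call gives nothing usable for the next session.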
    40. Re:Nothing is 100% secure. by marcello_dl · · Score: 1

      Maybe it IS a feature, so they hate to have to remove that. Don't rumors about NSA backdoors surface every now and then?
      Not implementing a likely trivial patch to a gaping security hole doesn't have many other credible explanations.

      --
      ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
    41. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 0

      As TFS says, this is bordering on a trivial exploit since you can likely hack any and all devices running this OS merely by figuring out its MAC address.

      If this exploit is that simple on mission critical equipment AND the company refuses to fix it (or even acknowledge it to the people that discovered it), that tells the paranoid side of me that it is probably there by government mandate.

    42. Re:Nothing is 100% secure. by theshowmecanuck · · Score: 2

      Never beat off after chopping up scotch bonnet peppers.

      --
      -- I ignore anonymous replies to my comments and postings.
    43. Re:Nothing is 100% secure. by sjames · · Score: 2

      It beats a remote exploit. And the necessary reset should raise red flags.

    44. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 0

      I'll bet the seven-digit prime number was 8675309.

      AC

    45. Re:Nothing is 100% secure. by Inigo+Montoya · · Score: 1

      Never kill my father.

    46. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 0

      or "lean"

    47. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 0

      never get involved in a land war in Asia Never go against a Sicilian when death is on the line

      Hmmm....I happen to have some iocane here....care to partake in a battle of wits?

      :)

      Anyone want a peanut?

    48. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 0

      Never put an apostrophe in "it's" when it's not a contraction.

    49. Re:Nothing is 100% secure. by Anonymous Coward · · Score: 0

      That's hot.

  2. STUPID by GameboyRMH · · Score: 2, Informative

    Unchangeable default password = MEGAFAIL

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re:STUPID by Thud457 · · Score: 1

      Rugged engineers are weenies!

      --

      the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

    2. Re:STUPID by Anonymous Coward · · Score: 0

      No, your crisco switches are puny! They can not stand up to manly substation environments. /humor off

      All jokes aside, the "weenies" didn't buy these things because they were secure. That was not part of the design. They bought them because an office switch would be destroyed the first time a breaker fires in the station.

      That said, RuggedCom needs to buy a few clues, because clearly they don't have any.

    3. Re:STUPID by Anonymous Coward · · Score: 0

      Ironically, that was the password...

    4. Re:STUPID by Anonymous Coward · · Score: 0

      I think you need to mix upper case, lower case, and numbers. Maybe some punctuation too.

      Unchangeable default password = M3gaf4!L

    5. Re:STUPID by gweihir · · Score: 2

      It is acceptable in exactly one scenario: A physically secured access port. But in all others, it is cheap and convenient. Quite stupid, really. My guess is that the people designing these things just have zero imagination and never expected their systems to come under attack.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:STUPID by Cow+Jones · · Score: 1

      Very nice, I remember that one :)

      Before someone mistakes you for a troll, I guess I'd better link to an explanation. 14 years ago, somebody at Microsoft left a dangerous backdoor in Frontpage 98, with the phrase "Netscape engineers are weenies!" as the key. People were fired over this, and so should the persons responsible for the SNAFU at Rugged.

      Wish I could mod you up. I'd almost forgotten about that.

      --

      Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari
    7. Re:STUPID by AmiMoJo · · Score: 1

      My guess is that the people designing these things just have zero imagination and never expected their systems to come under attack.

      A company called RuggedCom. That makes military equipment. That had the foresight to install user accounts and passwords in the first place.

      What usually happens in these situations is that someone clever implements the security properly and then some idiot creates a backdoor for convenience. Say the technicians got annoyed by having to find out the admin username/password for every device they needed to work on so demanded a backdoor, or a random PHB just kept forgetting his password and looked like a dick at tradeshows.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  3. Blame Canada by Anonymous Coward · · Score: 0

    Or could it be those evil Chinese?

  4. Whois JC CREW? by Anonymous Coward · · Score: 1

    What's this JC CREW organization that supposedly discovered this backdoor? Is it a corporation? group of hackers? single individual? in the US? International?

    I went to their site at www.jccrew.org and it's just a picture of a burned out car. I don't get it. This is huge, but I can't find anything about the research person or organization.

    1. Re:Whois JC CREW? by Beardo+the+Bearded · · Score: 4, Funny

      Their website had a default password, sorry, couldn't help myself.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    2. Re:Whois JC CREW? by Alioth · · Score: 1

      They are probably (rightly) paranoid that reporting security defects like this will make them liable for criminal prosecution, and would prefer to remain anonymous. It's not like it hasn't happened before.

    3. Re:Whois JC CREW? by h4rr4r · · Score: 1

      They probably don't want to get sued.

    4. Re:Whois JC CREW? by Anonymous Coward · · Score: 1

      Straight from TFA:

      > "[...]" said Justin W. Clarke, the author of the full-disclosure advisory who said he notified company officials of the backdoor 12 months ago.

      Justin Clarke. JC.

    5. Re:Whois JC CREW? by Anonymous Coward · · Score: 0

      Wow. Hardcore internet detective work.

    6. Re:Whois JC CREW? by michaelwigle · · Score: 1

      and would prefer to remain anonymous

      I knew Anonymous had to be behind this! ;)

    7. Re:Whois JC CREW? by Anonymous Coward · · Score: 0

      his name was Justin Clarke... his name was Justin Clarke... his name was Justin Clarke...

    8. Re:Whois JC CREW? by Ihmhi · · Score: 1

      I went to their site at www.jccrew.org and it's just a picture of a burned out car. I don't get it.

      Ah, well, that's a picture of what used to be a vehicle full of hacking equipment and anabolic steroids that subsequently blew up for no good reason.

    9. Re:Whois JC CREW? by Anonymous Coward · · Score: 0

      Dude! You must be like a hacker or something.

    10. Re:Whois JC CREW? by Anonymous Coward · · Score: 0

      pig aids

  5. PCI-DSS and others by Alioth · · Score: 5, Interesting

    Using this device would mean you would fail PCI-DSS and probably a few other widely used standards (ISO-27001 for example). One of the first requirements in these standards is that default vendor passwords be changed. You can't change it or even disable it.

    1. Re:PCI-DSS and others by h4rr4r · · Score: 4, Interesting

      From what I have seen, the PCI audit company would pass you anyway or the company would find another that would pass them. This is the main problem with PCI. As the entity that is being certified pays for the service they choose an auditor that will pass them. The correct way to do it would be if the industry paid for this service.

    2. Re:PCI-DSS and others by TheMathemagician · · Score: 1

      Their failure to patch this in a year - or even enter into any meaningful dialogue - is indicative of a company with no effective management. Is it wrong to hope some script kiddies now run riot and permanently damage the brand? Probably, but meh.

    3. Re:PCI-DSS and others by Anonymous Coward · · Score: 0

      Maybe it was a hidden 'feature' ?

    4. Re:PCI-DSS and others by Anonymous Coward · · Score: 0

      Perhaps, but it's better to revoke the rights to certify of the company, shut them down, and blacklist the CEO from payment processing or related work.

      When you have a professional engineer screw up, that's how they do it. But banking isn't really regulated much, so this shit goes on forever.

    5. Re:PCI-DSS and others by X0563511 · · Score: 1

      Ah, but it's not a "default vendor password". It's machine generated, and is unique per device.

      I've seen plenty of devices with generated root passwords be certified, and even when they were audited by bloodhounds sent in by an irritable customer. If those passed, well, so would this.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    6. Re:PCI-DSS and others by Guppy06 · · Score: 1

      The correct way to do it would be if the industry paid for this service.

      Which "industry?" The industry of the auditor? The industry of the auditee? The industry of the equipment manufacturer?

      You're leaving the realm of "standards" and "fees" and entering the realm of "regulations" and "taxes."

    7. Re:PCI-DSS and others by h4rr4r · · Score: 1

      The credit card industry itself. Meaning that to get PCI compliance certified you and all others who are certified would pay into a pool that pays the auditors to audit, with randomly assigned auditors and the same payment pass or fail. These auditors would then take some sort of financial risk if you were to fail a future audit.

    8. Re:PCI-DSS and others by Anonymous Coward · · Score: 0

      <paranoid conspiracy theory>It would also be indicative of a company in the pay of a foreign intelligence agency. You're Welcome.</paranoid conspiracy theory>

    9. Re:PCI-DSS and others by DarkOx · · Score: 1

      There is no real incentive for the CC companies to make audit compliance difficult. Remember that when a charge-back happens the seller pays.

      Really the financial incentive to do a good job and really be PCI compliant already falls on the merchant. For the most part PCI standards make sense. If you as a business don't implement PCI properly and then find some rubber stamp audit firm to sign off, it's a disservice to yourself. Just ask Sony; I bet they wish they'd have taken PCI more seriously!

      It might be a hassle for your customers, but having your e-comm site be pwn'd might very well hurt you too. You might have to eat the cost of all kinds of inventory shipped to fraudsters, and your public image might be destroyed.

      Poor auditors are a problem, but the root cause is the foolish people who hire them. They have misjudged the risks associated with doing it wrong.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    10. Re:PCI-DSS and others by Anonymous Coward · · Score: 0

      You know, I bet you are older and have more experience than me, but even I know this is...well... only true in spirit, not in form.

      In practice, whoever wrote the policy would either ignore it, and the auditor would ignore it not knowing to look for it. Or the auditor would find it, and it would go back for review and a recommendation to fix the policy or implementation with a minor penalty assuming it was added to a redress list.

      In rewrite, the access would be listed as "vendor debugging interface" or "vendor remote support interface" and not a default password.

      If the word "default password" appears, it would be explained in an attached memo that said password is not a default -- because it consistently changes, or fails to meet a definition of default.

      The password, if inspected, would be identified as "vendor specified encrypted password". And the audit would get stamped.

      PCI is just another standard that returns what it measures. What it measures is compliance with itself. Not security.

    11. Re:PCI-DSS and others by aaarrrgggh · · Score: 1

      These boxes are NERC certified, so I doubt PCI is a problem. These are the boxes we used to protect SCADA systems at the network level. They were generally considered more robust than Cisco equipment.

    12. Re:PCI-DSS and others by gweihir · · Score: 1

      Security certifications are pretty useless and have no significant impact on actual security. Sad but true. The only reason why these certifications are so in demand is that they serve as CYA for now. I hope that goes away and vendors become liable if their devices are insecure, regardless of certification and with only sound practices, competent personnel, sound architecture, design, implementation and external _competent_ review limiting their liability.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re:PCI-DSS and others by Peeteriz · · Score: 1

      If you pass a PCI audit, and then get credit card data stolen because of a non-compliant practice that the auditors missed, then you're fracked (i.e., fully liable) anyway. THAT is the point of PCI - to ensure that the industry pays for nothing, and both compliance costs and fraud costs are on your (merchant) shoulders.

      You wouldn't even get a refund from the auditors for not checking most basic things; they tend to have their legal homework done perfectly even if they are sloppy in the actual audit.

    14. Re:PCI-DSS and others by Anonymous Coward · · Score: 0

      Uh, no. Generally your processor pays a 3rd party auditing service to make sure your local arrangement is PCI compliant.

    15. Re:PCI-DSS and others by Anonymous Coward · · Score: 0

      wow, dude, you are HIGH

      first, NERC does not certify equipment.
      second, any "more robust" claim is purely because of their ability to handle temperature extremes and ability to work without fans. Cisco has comparable products that meet the same specifications.
      lastly, why would NERC certification or lack thereof have ANY impact to PCI issues?

      seriously. what the fuck?

    16. Re:PCI-DSS and others by Anonymous Coward · · Score: 0

      There is no real incentive for the CC companies to make audit compliance difficult. Remember that when a charge-back happens the seller pays.

      Having worked for a CC company on PCI-DSS compliance I can say yes, there is an incentive to make audit compliance difficult; it's an excellent barrier against competition.

      Even a difficult audit is reasonably straight-forward for an established CC processor to pass - there'll be incremental changes in the PCI-DSS since last time but really, once you've got the processes in place there shouldn't be any surprises. You've also got the cash-flow to pay for it.

      It's the first audit that kills companies. Every system and business process is new and untested. You're pretty much guaranteed to fail the initial audit, and have to go through an expensive fail-fix-retest cycle. And that's an expense that generally has to be paid out of investment capital rather than revenues.

    17. Re:PCI-DSS and others by Anonymous Coward · · Score: 0

      It would also be indicative of a company in the pay of a clandestine organization.

      FTFY

  6. .. Too easy. by Anonymous Coward · · Score: 0

    This whole post sounds like a setup for a classic GNNA troll. Rugged military backdoors? Are you kidding me?

  7. Well, maybe it will be fixed by PPH · · Score: 1

    RuggedCom have so far refused to patch out the exploit.

    Perhaps when Siemens moves in new management, the problem will be fixed. After having the egg of Stuxnet on their face, they might be a bit more proactive about these sorts of things.

    --
    Have gnu, will travel.
    1. Re:Well, maybe it will be fixed by Anonymous Coward · · Score: 0

      Perhaps when Siemens [cleanbreak.ca] moves development to Asia,

      Fixed that for you.

    2. Re:Well, maybe it will be fixed by whoever57 · · Score: 1

      Perhaps when Siemens moves in new management, the problem will be fixed. After having the egg of Stuxnet on their face

      What makes you think there was any failure? Stuxnet was a success. How do you know that Siemens were not complicit in the creation of Stuxnet?

      --
      The real "Libtards" are the Libertarians!
    3. Re:Well, maybe it will be fixed by Albanach · · Score: 1

      I have to wonder about the Siemens issue here. Sounds like this could rapidly move into the hands of lawyers unless the CERT communications were disclosed during the transaction.

      RuggedCom's management held $55.8 million (CAD) worth of stock, so pocketed handsomely from this takeover. Would RuggedCom still be worth $33/share this morning?

    4. Re:Well, maybe it will be fixed by ColdWetDog · · Score: 1

      Exactly. Siemens might well be next up for the Nobel Peace Prize. They stopped (or at least deferred) Nuclear Armageddon.

      Just remember that when you're developing your new super secure application or device....

      Just whose side are you really on, anyway?

      --
      Faster! Faster! Faster would be better!
    5. Re:Well, maybe it will be fixed by PPH · · Score: 1

      Because for every instance of terrorism that the FBI/CIA/Mossad/Pentagon stops there are dozens (hundreds?) of instances of industrial espionage carried out. No one in their right mind would ever install Siemens hardware or software in their plant again if they suspected that there was a back door built in for their US competitors to sniff around through.

      --
      Have gnu, will travel.
    6. Re:Well, maybe it will be fixed by jd · · Score: 1

      Or brought it about. Unless you're really good at reading tea-leaves, you cannot possibly know what the probability of a nuclear confrontation with Iran is now versus what it would have been. So far, every country on the US' naughty list that has lacked WMD has been attacked and those on the list that have had WMD have not been attacked. If Stuxnet was indeed an attack, then Iran has recent experience of the former, which lends itself to the idea that it might prefer to be in the latter group.

      Possibly. But, then, maybe not. Not everyone who screams loud is a raving lunatic, hell-bent on mutually assured destruction.

      There was no intelligence (military or otherwise) prior to Stuxnet that the Iranians were after the bomb -- or that they were not. There is no intelligence (military or otherwise) today that the Iranians are or are not after the bomb. Drawing conclusions from a state of complete ignorance is, well, ignorant. We simply don't know what the hell is going on and all guesses are just that.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  8. not an exploit by CosaNostra+Pizza+Inc · · Score: 0

    It's a feature...not an exploit.

  9. exploit by vlm · · Score: 5, Insightful

    Looks like to exploit this, you need the MAC addrs.
    1) One way is to be on the same LAN segment and watch a sniffer. This means you're already dead because you've lost physical security.
    2) Another way is to telnet (FREAKING telnet in 2012?) into the device and the MAC is in the MOTD. This means you're already dead because you've lost all network security. What kind of madman allows telnet traffic thru a firewall in 2012? What kind of a madman allows unrestricted internet access to an embedded control device?
    3) If you manage to somehow own a plain ole PC on a scada network, now you can own embedded control devices. But having an owned PC on your network means you're dead anyway.

    I'm still struggling to figure out how a live, well run network could be in danger. What I mean is to implement this exploit takes a system that is already more screwed up than anything you could do with the exploit.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    1. Re:exploit by Hentes · · Score: 1

      A MAC address is only 6 bytes which is easy to bruteforce.

    2. Re:exploit by Anonymous Coward · · Score: 0

      > I'm still struggling to figure out how a live, well run network could be in danger.

      If the network were managed by software made by the same people who, I dunno, use unchangeable vendor passwords?

    3. Re:exploit by Guppy06 · · Score: 5, Insightful

      4) brute force the password, knowing that only 3 bytes are unique to the device.

    4. Re:exploit by Anonymous Coward · · Score: 0

      As can clearly be seen in the article, the telnet server on the box helpfully hands you the MAC address before even asking for your username.

    5. Re:exploit by Anonymous Coward · · Score: 0

      It boils down to practicing defense in depth. Just because you have a hard crunchy outside does not justify having a soft chewy inner core full of backdoors and default passwords.

      The MAC address is exposed through the web interface as well.

    6. Re:exploit by Anonymous Coward · · Score: 0

      It's 48 bits, this is 2^48 = 281,474,976,710,656 addresses to brute force sir.
      Although yup, if you know the manufacturer of the devices you can narrow it down a bit, and also I think they may have some sort of detection for unusual network traffic, but still.

    7. Re:exploit by Anonymous Coward · · Score: 0

      Even at 6 bytes there are still 281,474,976,710,656 choices. I wouldn't call that easy.

    8. Re:exploit by idontgno · · Score: 5, Informative

      It really isn't 6 bytes either. Since RuggedCom has two registered MAC OUIs (grep for "RuggedCom"), it's only 24 bits to brute-force over two possible 3-byte manufacturer prefixes.

      Yeah. Fail-flavored failure-stuffed failure topped with fail gravy.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    9. Re:exploit by h4rr4r · · Score: 1

      1. is pretty easy to do. I walk into your office with a clipboard. I unplug an unused PC and away I go. If need be I clone that PC's network address. How many places actually encrypt their wired network?

    10. Re:exploit by Zocalo · · Score: 4, Insightful

      Also, don't forget that the first couple of those bytes are specific to a vendor, and in RuggedCom's case those would be "000ADC". So that leaves only 2^24 possible MACs from which to generate passwords to try, a search space which could then be further reduced by the need to be able to actually type the password in.

      Barring rate limiting, or other protection mechanisms (unlikely on a SCADA device) I'd estimate that a brute force attack on a 100mb/s link is going to be done and dusted in a matter of minutes rather than hours or days.

      --
      UNIX? They're not even circumcised! Savages!
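      Zocalo's aside about rate limiting is the one place a defender can act on this thread's brute-force scenario: if the device will not throttle logins, the network monitoring side has to notice them. The following Python detector is an added example, not code from the thread or from RuggedCom; it runs over constructed syslog-style lines in an assumed format (real ROS log output is not shown anywhere on this page) and flags a burst of failed telnet logins from one source as well as any successful login as the fixed "factory" account.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed syslog-like format; they are
# not real ROS output. 10.0.5.23 hammers the telnet login and then logs in
# as the fixed "factory" account; 10.0.1.2 is an ordinary admin login.
SAMPLE_LOG = """\
2012-04-25T10:00:01 sub-sw1 telnetd: login failed user=admin from=10.0.5.23
2012-04-25T10:00:02 sub-sw1 telnetd: login failed user=admin from=10.0.5.23
2012-04-25T10:00:02 sub-sw1 telnetd: login failed user=factory from=10.0.5.23
2012-04-25T10:00:03 sub-sw1 telnetd: login failed user=factory from=10.0.5.23
2012-04-25T10:00:03 sub-sw1 telnetd: login ok user=admin from=10.0.1.2
2012-04-25T10:00:04 sub-sw1 telnetd: login failed user=factory from=10.0.5.23
2012-04-25T10:00:09 sub-sw1 telnetd: login ok user=factory from=10.0.5.23
this line is not a login record and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not a login record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, window_seconds=60, threshold=5, backdoor_users=("factory",)):
    """Scan log lines and return a list of alert dicts (each has a 'type' key).

    'bruteforce'     - one source produced `threshold` failed logins against one
                       host inside a sliding window of `window_seconds`; the
                       device itself has no rate limit, so this is where one lives.
    'backdoor_login' - any successful login as a fixed vendor account.
    """
    alerts = []
    failures = defaultdict(deque)  # (host, src) -> timestamps of recent failures
    for ev in map(parse_line, lines):
        if ev is None:
            continue
        key = (ev["host"], ev["src"])
        if ev["result"] == "failed":
            q = failures[key]
            q.append(ev["ts"])
            # discard failures that have fallen out of the sliding window
            while q and (ev["ts"] - q[0]) > timedelta(seconds=window_seconds):
                q.popleft()
            if len(q) == threshold:  # fires when the count reaches the threshold
                alerts.append({"type": "bruteforce", "host": ev["host"],
                               "src": ev["src"], "count": len(q),
                               "last_seen": ev["ts"]})
        elif ev["user"] in backdoor_users:
            alerts.append({"type": "backdoor_login", "host": ev["host"],
                           "src": ev["src"], "user": ev["user"],
                           "time": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```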
    11. Re:exploit by Anonymous Coward · · Score: 0

      You don't see a problem with an unchangeable factory default password on every network-enabled embedded device that uses this operating system?

      That's very interesting. What other standard safety measures do you find useless? Have you short circuited all the circuit breakers in your house? Remove the safety railing next to your stairs? Cut the seat belts out of your car? Thrown away the life jackets on your boat?

    12. Re:exploit by X0563511 · · Score: 3, Informative

      Cain and Abel can do an ARP sweep for every possible MAC on a 10mbps link in a handful of minutes.

      That number isn't as large as you think it is.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    13. Re:exploit by tlhIngan · · Score: 2

      2) Another way is to telnet (FREAKING telnet in 2012?) into the device and the MAC is in the MOTD. This means you're already dead because you've lost all network security. What kind of madman allows telnet traffic thru a firewall in 2012? What kind of a madman allows unrestricted internet access to an embedded control device?

      From TFA - the MAC is displayed in the MOTD.

      As for telnet - you don't need telnet through the firewall. You just need something on the other side of the firewall, like say, an infected computer. Which is good because most IDS's won't track traffic on the internal link (they can't unless they monitor the entire network).

      And having an owned PC on the network is easier if you don't need root privileges. For this hack, you only need the same level of access that a secretary has - telnet is easily done with socket calls that don't require privileges after all. If you need admin/root, it's a lot harder, but just getting someone to run a random file - much easier. Heck, I'm sure with a bit of careful crafting, you might even be able to do it with Javascript on a web page and faking same-origin using DNS tricks.

    14. Re:exploit by networkBoy · · Score: 1

      That's very interesting. What other standard safety measures do you find useless? Have you short circuited all the circuit breakers in your house? Remove the safety railing next to your stairs? Cut the seat belts out of your car? Thrown away the life jackets on your boat?

      yes, yes, no (it never came with them), and I wish I had a boat...
      (kidding of course, it is absurd how people rely on one thing to protect them and assume it will never fail.)

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    15. Re:exploit by Anonymous Coward · · Score: 0

      1) One way is to be on the same LAN segment and watch a sniffer. This means you're already dead because you've lost physical security.

      I don't think you have to be physically on the LAN... that's so TRON!

    16. Re:exploit by wiredlogic · · Score: 1

      The US Army thought it was a good idea to give enlistees access to tons of classified data and a DVD burner. Morons abound when expediency is valued more than security.

      --
      I am becoming gerund, destroyer of verbs.
    17. Re:exploit by couchslug · · Score: 1

      "I'm still struggling to figure out how a live, well run network could be in danger."

      Keywords: "well run".

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    18. Re:exploit by ColdWetDog · · Score: 1

      1. is pretty easy to do. I walk into your office with a clipboard. I unplug an unused PC and away I go. If need be I clone that PCs network address. How many places actually encrypt their wired network?

      I walk up to you, don't recognize you as an employee so I figure you're a tech from one of our vendors. I start hinting around for toys and freebies.

      Boy, you'd better be able to deliver or you're in a heap of trouble.

      --
      Faster! Faster! Faster would be better!
    19. Re:exploit by vlm · · Score: 1

      Or in other words 25 bits. This will unfortunately not stop marketing-math from claiming 24 bit space + another 24 bit space = 48 bits.

      This easy violation of #1 above still requires epic fail of #2 and/or #3 above to be applied, and if you have failed #2 or #3 you don't need to brute force anyway.

      Because you need telnet access to haxor the thing, and the telnet MOTD supposedly tells you the MAC, I have absolutely no idea why you'd brute force the thing instead of just a simple expect script and a regex on the resulting log. Look there's the mac right there. No need to check the other 2**25-1 macs.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    20. Re:exploit by vlm · · Score: 1

      This reminds me of the periodic epic haxor discovery that if you have physical access to a cisco router and know the "config register hack" then you can pown any router. It's one of those "duh" moments where if you don't have physical security, then you have no security at all.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    21. Re:exploit by Anonymous Coward · · Score: 0

      You don't have a clue how networks work, do you?

    22. Re:exploit by DarkOx · · Score: 1

      I'm still struggling to figure out how a live, well run network could be in danger. What I mean is to implement this exploit takes a system that is already more screwed up than anything you could do with the exploit.

      Directly no, but that is not really the issue at all. The way to win in security is consistency, consistency, and consistency. You do the right things every time, every where you know of in hopes that it might save in the places you don't.

      I have seen command and control shell codes that look enough like plain Jane http to not get flagged by most ids, and the target is not in everyone's URL filters yet that is getting past the firewall and over the proxy. Couple that with a little social engineering and someone is on your internal lan segment right next to your vulnerable box, no firewalls, no IPS, and little to get in their way. That's how.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    23. Re:exploit by h4rr4r · · Score: 1

      Not a problem I tell you, you will be getting a free Cisco/Dell/HP/Verizon thing as soon as I am done. It is out in the truck parked in the garage a couple blocks over.

    24. Re:exploit by gweihir · · Score: 1

      MAC addresses are only 24 bits if you know the vendor. May be far less if you have some idea about the device and/or its year of manufacturing.

      And, yes, telnet, snmp, http are still pretty popular even for remote management over the Internet.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    25. Re:exploit by gweihir · · Score: 1

      Actually, it is 3 Bytes if you know the 3-Byte vendor part. Much less, if you have an idea how the vendor assigns MAC addresses.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    26. Re:exploit by PowerKe · · Score: 1

      Are you sure you don't mean sweep for every possible IP? In case of a private network, that would be 16 million addresses (1.6 * 10^7) which is a lot less than 2.81 * 10^14. Unless it filters MAC addresses somehow, exhausting the entire range would require going through 2.81 * 10^14 addresses. If that were possible using just 1 bit of traffic per address, it'd still take 2.81 * 10^14 / 10^7 (10Mbps) = 2.81 * 10^7 seconds which is just over 325 days.

      That number is large.

  10. scanners scripties by TeddyR · · Score: 1

    Does this mean that there will now be another set of noise with script kiddies trying to create automated scanners to locate these devices, thus adding more junk for me to look through in the logs?

    --
    Time is on my side
    1. Re:scanners scripties by Nerdfest · · Score: 2

      Perhaps. With power control systems and traffic systems using this stuff it's also possible that I may have a power outage at my office and a *very* quick trip home, where all the lights my way are green. Possibly.

  11. SC Function initialized by Anonymous Coward · · Score: 0

    [Slow_Clap()]{2}

    Good. The SC function works.

    So we have that.

  12. Especially things with factory supplied backdoor by perpenso · · Score: 4, Insightful

    Nothing is 100% secure. Nothing. At. All.

    Especially those things with a factory supplied backdoor. Regardless of the complexity of the password, regardless of how the marketing guys try to spin it as a "maintenance portal" or whatever they are calling it (assuming of course customers knew it was there), such a thing is essentially a backdoor.

    Hopefully this was something that customers were aware of and something that customers could disable. Or more optimistically a debugging feature customers would have to enable for a session while in direct communication with the factory. Even so a hypothetically generate-able password is troubling.

  13. This word, "rugged" by Guppy06 · · Score: 0

    I do not think it means what you think it means.

    1. Re:This word, "rugged" by machine321 · · Score: 4, Funny

      It means "covered with carpet", right?

    2. Re:This word, "rugged" by sjames · · Score: 1

      Apparently it's what they sweep the security flaws under.

  14. Not an issue at all by hfollmann · · Score: 1

    It is a device for industrial manufacturing. In the past the terminals and switches were accessible to anybody allowed into that area. It is an access problem. The network in a manufacturing plant should be inaccessible from outside. Why is that even news?

    --
    hfoo
    1. Re:Not an issue at all by mspohr · · Score: 1

      It is a device for industrial manufacturing. In the past the terminals and switches were accessible to anybody allowed into that area. It is an access problem. The network in a manufacturing plant should be inaccessible from outside.

      Why is that even news?

      Because morons DO allow access (physical and Internet) to these "secure" areas.

      --
      I don't read your sig. Why are you reading mine?
    2. Re:Not an issue at all by Anonymous Coward · · Score: 2, Informative

      Look up the term "defense in depth." You do not stop at establishing perimeter security, an appropriate security architecture involves many layers of security thus ensuring you aren't screwed if someone decides to install a DSL line in the plant. Or a cellular modem connected to the serial port of this device in an electric substation. Or in case Bob the IT genius decides to punch a telnet hole through the firewall to make remote admin easier.

    3. Re:Not an issue at all by hfollmann · · Score: 1

      Well, that sounds fine, but totally unrealistic. You have in an industrial plant thousands of these control devices. Maintaining a password list for all these is just not going to work. So builder Bob will have a default password and Joe the mechanic has one. And you the operator have to know who installed this piece of hardware. In an industrial plant not every button or any pressure valve control needs a password. In fact I say they must not have one.

      --
      hfoo
    4. Re:Not an issue at all by plover · · Score: 1

      Well, that sounds fine, but totally unrealistic. You have in an industrial plant thousands of these control devices. Maintaining a password list for all these is just not going to work.

      The devices don't need individual passwords, they need individual keys. Passwords are not keys. And deriving secure unique keys from a master key is a solved problem. You can use master key injection systems (like DUKPT). Or you can have the devices automatically create them when they are introduced to the network (like Z-Wave).

      So builder Bob will have a default password and Joe the mechanic has one. And you the operator have to know who installed this piece of hardware.

      Role based authority is also a way to ensure that the right people have the necessary access. You never give them the raw keys, you give them an access mechanism that uses the keys internally. Even that can be increased in security by using a smarter device capable of session level encryption, or even public key cryptography. Again, passwords are not keys.

      In an industrial plant not every button or any pressure valve control needs a password. In fact I say they must not have one.

      You're right. But they all need keys, or you have little integrity and no security.

      --
      John
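      plover's point, that devices need individual keys derived from a master key and that operators get an access mechanism rather than the raw key, as an added Python example; it is not from the thread, not DUKPT or Z-Wave, and not anything RuggedCom ships. It derives each device key with HKDF (RFC 5869, implemented inline with the standard library) from a master secret that lives only in the operator console, and the device authenticates the console with an HMAC challenge-response, so the device identifier alone (the OUI 00:0A:DC mentioned above is used as a constructed sample) yields nothing. The `Device` and `OperatorConsole` classes are hypothetical.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_device_key(master_key: bytes, device_id: str) -> bytes:
    """Per-device key bound to the device identifier.

    Contrast with a password computed from the MAC alone: here the public
    identifier is only the HKDF context; without the master secret it is useless.
    """
    prk = hkdf_extract(b"plant-device-keys-v1", master_key)
    return hkdf_expand(prk, b"device-auth|" + device_id.encode(), 32)


class Device:
    """Hypothetical field device: holds only its own key (injected at
    commissioning), never the master, and never reveals the key on the wire."""

    def __init__(self, device_id: str, device_key: bytes):
        self.device_id = device_id
        self._key = device_key
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)  # fresh per attempt, single use
        return self._nonce

    def verify(self, response: bytes) -> bool:
        if self._nonce is None:
            return False
        expected = hmac.new(self._key, b"auth|" + self._nonce, HASH).digest()
        ok = hmac.compare_digest(expected, response)
        self._nonce = None  # a captured response cannot be replayed
        return ok


class OperatorConsole:
    """Hypothetical access mechanism: derives device keys internally from the
    master secret and answers challenges; the operator never handles raw keys."""

    def __init__(self, master_key: bytes):
        self._master = master_key

    def respond(self, device_id: str, nonce: bytes) -> bytes:
        key = derive_device_key(self._master, device_id)
        return hmac.new(key, b"auth|" + nonce, HASH).digest()


def authenticate(console: OperatorConsole, device: Device) -> bool:
    """One challenge-response round; True only if the console holds the right master."""
    nonce = device.challenge()
    return device.verify(console.respond(device.device_id, nonce))


if __name__ == "__main__":
    master = secrets.token_bytes(32)  # constructed plant master secret
    dev = Device("00:0A:DC:00:00:01", derive_device_key(master, "00:0A:DC:00:00:01"))
    print("right master:", authenticate(OperatorConsole(master), dev))
    print("wrong master:", authenticate(OperatorConsole(secrets.token_bytes(32)), dev))
```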
    5. Re:Not an issue at all by aaarrrgggh · · Score: 1

      I am all for defense in depth, but to be honest this equipment is usually in place because of known limitations in lower layers. There is only one higher layer on most systems, and there are plenty of attack vectors that would bypass this. I am not a network engineer, but I really can't come up with ways to make a functional SCADA system if you can't trust VLAN level security at some point in the system for compartmentalization of systems.

  15. Clothing company? by Anonymous Coward · · Score: 1

    I think they sell clothing - JCrew has lots on their website. :-)

  16. So, when the pols start bitching about 'cyberwar' by CanHasDIY · · Score: 1

    We'll already be fully aware who our biggest enemy is: big business.

    I'm certain the inevitable legislation to come from this will fairly and accurately reflect that fact...

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
  17. Engineers overlooking the obvious design by Anonymous Coward · · Score: 4, Insightful

    The obvious correct hardware design was a simple switch (on the device) that allows usage of a default password. That way, you ensure both that you can put maintenance to the device in the future, whilst maintaining daily security.

    1. Re:Engineers overlooking the obvious design by h4rr4r · · Score: 5, Insightful

      Also when the switch is flipped it should not perform its normal work.

      That way it cannot be left in that mode.

    2. Re:Engineers overlooking the obvious design by Anonymous Coward · · Score: 1

      You would soon find corporate procedure revised to require the switch to be always on because it saves $100k+ in downtime costs when the vendor pushes two updates in a month. You also have to make the switch prevent SCADA output and signal failure if left on.

    3. Re:Engineers overlooking the obvious design by MarcoAtWork · · Score: 1

      I don't think you're understanding what the other poster proposed: a well designed system, like they said, would have a user-modifiable root password (that you can set to whatever and change according to your password guidelines) *AND* a hardware switch that allows a default password to be used instead (so that if you lose your root password you can fix things without having major downtime).

      The other poster's addition of flipping the switch = the device does not work (save for maybe a "change the password" function and a "update the firmware" one) is also extremely well advised so the switch can't be "forgotten" in the "vulnerable" position.

      There is no $100k in downtime costs, on a day-to-day basis you use your own root password to do your own updates/changes, if your vendor needs to log in to do something you'd have to take your device offline anyways (or do you trust your vendor to muck around your production system while it's running?) so flipping a switch while coordinating the maintenance seems a trivial addition to the procedure (and secures you from somebody hacking into your vendor and updating your firmware without your knowledge, which could happen if you don't have something like this).

      --
      -- the cake is a lie
    4. Re:Engineers overlooking the obvious design by rtfa-troll · · Score: 1

      I really like the way that two posters, including an AC have managed to provide the fully correct design for this within ten minutes of the original design improvement proposal whilst, at the same time, the embedded device manufacturers can't get it right after decades of trying. The main positive take away is that the human race is doomed and will be replaced by more intelligent cockroaches.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  18. The Matrix by Anonymous Coward · · Score: 0

    Now we know what exploit Trinity used to shut down the power plant.

  19. It was a typo. by HiggsBison · · Score: 5, Funny

    It was supposed to be RiggedOS.

    --
    My other car is a 1984 Nark Avenger.
  20. YES! by Anonymous Coward · · Score: 0

    Finally! An excuse to declare war on Canada.

    Captcha: ambushed

  21. It's far easier than that. No guessing required. by Animats · · Score: 1

    4) brute force the password, knowing that only 3 bytes are unique to the device.

    You don't have to guess. The password is computable from the MAC address using this short Perl program.

    The factory password is, literally, "factory". It cannot be disabled and its password cannot be changed.

    Someone should go to jail for this. It may fall under criminal negligence, sabotage, or even providing material aid to terrorists.

  22. Any sane deployment is not vulnerable by Anonymous Coward · · Score: 0

    Any sane deployment is not vulnerable as it will not allow telnet or rsh (both insecure). As the release notes said, telnet can be set to allow 0, and rsh can be disabled (which is our stock deployment as we have sane SOPs). I have verified that this does affect the latest ROS v3.10.0 release from Oct 6, 2011 for telnet. It does not work via SSH or HTTPS services.

    Administration - Configure IP Services - Telnet Sessions Allowed - 0; RSH Server - Disabled.

  23. No sane deployment is vulnerable by Anonymous Coward · · Score: 0

    Any sane deployment is not vulnerable as it will not allow telnet or rsh (both insecure protocols). As the US-CERT work-around notes said: ROS users can disable the rsh service and set the number of allowed telnet connections to 0. Disabling the RSH service and setting telnet to 0 effectively disables this remote exploit. I have verified that this exploit works on the latest ROS v3.10.0 release from Oct 6, 2011 for telnet. In my testing, the same "factory" username and password which worked for telnet does not work via SSH or HTTPS services. There may be some other built-in username/password for SSH and HTTPS. Having said that, the ROS switches support multiple VLANs and the management of the switch can be assigned to an isolated management VLAN and restricted from all other access which will further restrict any management access to these devices.

  24. Not surprised, I've seen how they operate by Anonymous Coward · · Score: 0

    I had a job interview with Ruggedcom a couple years ago, terrible experience, even got the full facilities tour. This was just before Christmas too, the interviewer kept interrupting with phone calls from his team working on a wi-fi project under a bridge somewhere in the states and told them they couldn't stop working until the project was done even if they were stuck there over Christmas. I eventually asked to leave after the interview continued on for over 3 hours...that and it turned to money and I discovered this company pays its people *half* of the competitive market industry rate and works them to death! They really are a small shop for what they do.

    1. Re:Not surprised, I've seen how they operate by Anonymous Coward · · Score: 0

      Hmm ... I found this quote on GlassDoor. It's from 2009. See: http://www.glassdoor.com/Interview/RuggedCom-Interview-RVW1056302.htm

  25. Re:It's far easier than that. No guessing required by Anonymous Coward · · Score: 0

    Of course, the fact that you can only use the password via telnet/serial/rsh (as per the article), which already guarantees you HAVE NO SECURITY is clearly criminal. </sarcasm>

    The vendor has posted a workaround on CERT (http://www.kb.cert.org/vuls/id/889195) which says 'disable telnet and rsh'.

  26. same FAIL for most remote access cards (iLO,DRAC) by davecason · · Score: 1

    This is not quite the same, since you CAN change the passwords on an iLo/riLo or DRAC... the problem is that most people forget or don't. So you thought remote root was unavailable until that dictionary attack is remotely performed against a local console.