SCADA, SCADA, Shedoobie

Borepatch puts up some good points about IT security in general, and SCADA systems in particular, when he discusses the damage done by vandals using the controller for a water pump to disrupt operations at a water plant in Illinois.

I sort of tongue-in-cheek talked about IT security a few months ago with my 4 Rules of IT Security, and Borepatch added a 5th:  Boot it and they will come.

He couldn’t be more right.

Any system, be it a gaming console, a laptop, a smartphone, or the controllers for a nuclear power plant, can be compromised given access and time.  The ideal is to make it hard enough for someone to get in that they can’t do it before you notice and shut them down.  The least you can do is to know they were there so that you know what was damaged or stolen after they’re gone and you notice it.

So what do you do?

If you’re in IT, you bake security into the cake when you’re designing new software, systems, or products.  You balance user requirements against security best practices, with the scales always tipped towards protecting the information and business that your system services.  You patch early, and patch often, and double-check to make sure that your systems aren’t vulnerable to new vectors of attack.  You retrofit security into existing business processes and systems as much as you can, and you always watch your systems for early signs that someone is doing something nefarious.  And for Cthulhu’s sake, if you’re taking care of SCADA systems, start jumping up and down on your vendor’s desk to get them to do something about the abysmal state of their systems.  Do that about 3 minutes after making sure it’s hard as heck to get to your SCADA from the Internet, of course.

At work, if you’re not in IT, pay attention to the excruciatingly boring security briefings and policies that you’re regularly asked to attend and read.*  You think about what you’re using your computer for, and try to not do anything that will compromise it.  You keep yourself educated enough that you recognize someone trying to trick you into giving up the keys to your particular kingdom.

At home, you are probably your own IT guy, so act like it.  Educate yourself about the technology you have in your home the same as you do about the technology under the hood of your car.  Keep your systems patched the same as you would change the oil in your car.**  A quick pro-tip here:  If the company that produced your operating system announces that there won’t be any more patches to your system, replace it.  They’re not announcing that there isn’t anything left to fix, they’re announcing that they’re giving up for financial reasons. Also, use firewalls, both at the point where the Internet comes into your home, and on your systems.  I’m a Unix and Mac guy, and it pains me to say it, but Microsoft has come a long way in the security realm, so if you’re using Windows, use the built-in and bolt-on security software to your advantage.

What else can you do?  If you use USB keys, be wary of putting information that can harm you on something so easily stolen or lost.  If you have to keep your financial or personal information on a USB key, then encrypt it.  Stay out of the seedier areas of the Internet, and always be on the lookout for Nigerian princes who want to give you money.  Watch your credit cards, bank accounts, and other business dealings so that you know if someone has compromised your information.  Regularly check your credit report to make sure someone hasn’t gotten hold of your identity and opened a bunch of new accounts in your name.

Basically, take care of your information security the same way you would take care of your physical security. Lock your computer the same way you would lock your doors.  Use the most high-powered technology you can handle to protect your information the same way you would carry the most powerful handgun you can handle to protect your body.

*We enjoy writing and presenting them almost as much as you do going through them, trust me.

**If you don’t know much about the engine in your car or change your own oil, you should probably pay to have someone to regularly service your computer the same way you do your car.

Gadget Insecurity

OK, I’m a gadget geek.  I admit it.  Give me a little machine that has blinking lights and beeps, and it will amuse me for hours.  If you really want to get my attention, give it a screen and put a video game on it. I’m weak and immature, but for the most part, it’s harmless.

A few months ago, I bought a Roku media player.  Basically, it’s a teeny little box you connect to your TV and configure on your network.  It pulls down Netflix, Amazon, Pandora, and a whole bunch of other streaming content from the Internet.  Since we got it, we use our cable TV a lot less.  The convenience of being able to just grab what we want is wonderful.

The only drawback to the Roku is the remote.  It’s fully functional, and does everything you need to do on the box, but it’s tiny.  It’s about 1/2 inch by 1 1/4 inches by about 4 inches, about the size of a double-stack 9mm pistol magazine.  It’s in a continual state of ‘lost’.

I mentioned this to a co-worker today at lunch, and he suggested that I download a free app for my phone (gadget geek alert) that emulated the remote.  I wondered how it worked since the iPhone doesn’t have an IR port, but gave it a swing, and it works like a champ.  The app goes out onto the wireless network, finds a Roku to control, and gives it commands across the network.  It was easy. I didn’t even have to verify that I was indeed the owner of the box.

While that’s pretty neat, it made the hair on the back of my neck stand up.  One of the hats I have at work is Designated Guilty Bastard for Security, and I just about had a fit over this.  I basically have a little computer on my network that will take commands from anything on my network that knows the correct magic incantation.  While I lock down my wireless network as well as I can, it’s pretty trivial for just about anyone to overcome even the best wireless security and get on a network.  Plus, the express purpose of this device is to go out on the Internet and pull down large amounts of content.  It would be exceedingly easy for someone to do a man-in-the-middle attack between my Roku and Netflix and start telling my little box to start doing bad things.

If it’s got a command interface and a network interface, it can be a spambot or worse.

Something tells me this isn’t unique to the Roku.  Most of the new TVs I lust after at Sam’s Club* come with a network port.  How much do you want to bet they don’t have much security baked into them either?  Blu-ray players are the same, and I’ve heard tell that the car manufacturers are putting networked computers into their cars now.  So how long until h4x0rs and organized crime find a way to turn all of these into moneymakers as botnets?

Excuse me while I go finish putting up that fine copper mesh around the volume of the house.

*Yes, I’m a guy, and I want a TV that I have to step on my tiptoes to look over.