Educause Security Discussion mailing list archives

Re: potential security issues with embedded systems?

From: Tom Jackson <tom.jackson () UNCP EDU>
Date: Fri, 12 Dec 2003 17:24:09 -0500

We have about half a dozen Windows servers which we installed
and maintain, as well as four that were installed by vendors.
Two of the latter were VoIP Call Managers.  The vender basically
sells these as an appliance, but it is possible to login to
Windows on these boxes.  When we were looking at purchasing them,
we raised the issue of security and were told that they ran a
stripped down version of Windows and that extra steps had been
taken to secure them.  When Nachi hit our campus, the only servers
to be affected were these two and one other sold and installed by
a vender.  Since that time, we have chosen to tighten security on
them ourselves.  If we have a support issue, we may be forced to
revert to the vendors settings until the issue is resolved.
My personal interpretation of this situation is that we cannot
rely on vendor promises of security and must be aggressive in our
management of these devices.

Tom Jackson
University Computing and Information Services
University of North Carolina at Pembroke
PO Box 1510 Pembroke, NC 28372-1510
tom.jackson () uncp edu | 910/521-6455 | fax: 910/521-6649

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Kyle Barger
Sent: Thursday, December 11, 2003 2:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] potential security issues with embedded systems?

The recent story about Diebold teller machines being hit by
the Nachi worm
started me thinking.  In the past few months I've seen
demonstrations of a
PBX system and of a "one card" debitcard/building access
system that were
both based on Windows.

We all know what we've had to deal with in terms of security
issues for
Windows as a server and desktop OS.  What has the track
record been for
embedded systems that use Windows?  Is this enough of a
concern to take
such products out of the running for future consideration?  What about
other operating systems?  If I buy a firewall appliance
that's built on
Linux, should I worry about how fast the vendor will be
releasing firmware
upgrades to handle Linux security issues that crop up?

Any experiences or thoughts are appreciated.
--
Kyle Barger        Manager of Computing & Telecom Services
kbarger () ltsp edu   The Lutheran Theological Seminary at Philadelphia

**********
Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at

http://www.educause.edu/cg/.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Current thread:

Re: potential security issues with embedded systems?, (continued)
- Re: potential security issues with embedded systems? H. Morrow Long (Dec 11)
- Re: potential security issues with embedded systems? Gary Flynn (Dec 11)
- Re: potential security issues with embedded systems? Scott Bradner (Dec 11)
- Re: potential security issues with embedded systems? Cal Frye (Dec 11)
- Re: potential security issues with embedded systems? Jere Retzer (Dec 11)
- Re: potential security issues with embedded systems? Randy Marchany (Dec 11)
- Re: potential security issues with embedded systems? Jack Suess (Dec 11)
- Re: potential security issues with embedded systems? Dewitt Latimer (Dec 12)
- Re: potential security issues with embedded systems? Scott Bradner (Dec 12)
- Re: potential security issues with embedded systems? Don Westlight (Dec 12)
- Re: potential security issues with embedded systems? Tom Jackson (Dec 12)