Educause Security Discussion mailing list archives
Re: potential security issues with embedded systems?
From: Tom Jackson <tom.jackson () UNCP EDU>
Date: Fri, 12 Dec 2003 17:24:09 -0500
We have about half a dozen Windows servers which we installed and maintain, as well as four that were installed by vendors. Two of the latter were VoIP Call Managers. The vendor basically sells these as an appliance, but it is possible to log in to Windows on these boxes. When we were looking at purchasing them, we raised the issue of security and were told that they ran a stripped-down version of Windows and that extra steps had been taken to secure them.

When Nachi hit our campus, the only servers to be affected were these two and one other sold and installed by a vendor. Since that time, we have chosen to tighten security on them ourselves. If we have a support issue, we may be forced to revert to the vendor's settings until the issue is resolved.

My personal interpretation of this situation is that we cannot rely on vendor promises of security and must be aggressive in our management of these devices.

Tom Jackson
University Computing and Information Services
University of North Carolina at Pembroke
PO Box 1510
Pembroke, NC 28372-1510
tom.jackson () uncp edu | 910/521-6455 | fax: 910/521-6649

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kyle Barger
Sent: Thursday, December 11, 2003 2:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] potential security issues with embedded systems?

The recent story about Diebold teller machines being hit by the Nachi worm started me thinking. In the past few months I've seen demonstrations of a PBX system and of a "one card" debit card/building access system that were both based on Windows. We all know what we've had to deal with in terms of security issues for Windows as a server and desktop OS.

What has the track record been for embedded systems that use Windows? Is this enough of a concern to take such products out of the running for future consideration?

What about other operating systems? If I buy a firewall appliance that's built on Linux, should I worry about how fast the vendor will be releasing firmware upgrades to handle Linux security issues that crop up?

Any experiences or thoughts are appreciated.

--
Kyle Barger
Manager of Computing & Telecom Services
kbarger () ltsp edu
The Lutheran Theological Seminary at Philadelphia

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.