funsec mailing list archives

Re: dumb. Comcast pop-ups


From: Jim Murray <jim () digitaldaemons co uk>
Date: Sun, 11 Oct 2009 10:27:40 +0100

Michael Collins wrote:
Heh,

One of the fun exercises I like to spring on people is to play out the
following scenario: assume you've got an embedded system of some kind
being controlled by a windows 3.1 box.  Let's say it's doing something
like wrapping candybars or stamping plaques or whatever, it's
piecework payment.  The machine gets 0wned, and while it's not doing
anything that's impacting you personally, it's contributing a couple
of kb/s to spamming or ddosing or other fun things.  Is it in your
interest to sacrifice the day, and the consequent profits involved in
fixing your box, to solve the problem or better to just let it run?

My first question has to be 'What is such a device doing connected to
the public internet in the first place?'. If it really MUST be connected
then it should be properly protected. If you don't do that and get
0wned then you deserve the costs and inconvenience of cleaning up the
mess you made; it's a safe bet you'll be more careful in future.

The problem was given a more concrete example by a colleague who
pointed out that most medical hardware running on windows boxes is not
only certified for windows only, but specific *patchlevels*, and that
consequently these machines can get restored, taken down, reinstalled,
and put back on the net with known vulnerabilities because their
software is certified with vulnerabilities intact.

If I were to find any critical piece of medical hardware connected to
the public internet I'd be very concerned indeed. Surely best practice
dictates that clinical networks are kept isolated from the
administrative networks & public internet?

Jim.

-- 
      DigitalDaemons IT Services.
---------------------------------------
   E-Mail : jim () digitaldaemons co uk
       PGP Key ID : 0xB7066495

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.