| 1 |
thegeezer <thegeezer <at> thegeezer.net> writes: |
| 2 |
|
| 3 |
|
| 4 |
> > I'm researching where we run all sorts of applications very securely, |
| 5 |
> > for one person at a time. It's eventually (hopefully) going to be |
| 6 |
> > a full LMS Learning Management system, something comprehensive, maybe even |
| 7 |
> > www-apps/moodle and or SWAD. Eventually a full ecommerce system, just |
| 8 |
> > for one company, not as a service to others. |
| 9 |
> |
| 10 |
> sounds interesting. going for full interactive video distance learning |
| 11 |
> too would be a great direction to take, especially if the teacher |
| 12 |
> controls who has audio (to speak). |
| 13 |
> |
| 14 |
> the only thing i would add is to keep each system seperated as much as |
| 15 |
> possible. don't put everything on one server. bad things happen to good |
| 16 |
> people so try to make sure one thing doesn't affect another. depending |
| 17 |
> on the age of the people you are helping they probably will try to use |
| 18 |
> latest scriptkiddie toys against you first, so think about the ingress |
| 19 |
> and egress of the network and of the individual nodes when you think |
| 20 |
> about security. |
| 21 |
|
| 22 |
We're planning on lots of unwanted noise from a range of talented |
| 23 |
problem hackers. Eventually a massive VM system approach will be |
| 24 |
deploy, but first I want to test security the old fashion way.... |
| 25 |
|
| 26 |
> > But for now, just running various forms of secure, minimized DNS. Some |
| 27 |
> > machine controls (SCADA) will use the DNS as part of the SSL services. |
| 28 |
> > |
| 29 |
> |
| 30 |
> scada huh. i wouldn't put it on a public facing internet connection. |
| 31 |
> even on a network connected to things i care about. i'm sure you have |
| 32 |
> good reasons, i would probably urge you to reconsider them [3] |
| 33 |
|
| 34 |
Let me share a little background with you on SCADA. Most networks that |
| 35 |
have SCADA on them, are really poorly secured. It's just layers upon |
| 36 |
layers of MS crap. I do not design those sorts of machine networks. |
| 37 |
|
| 38 |
I have been given the opprotunity of 'fix' many such networks. Most I just |
| 39 |
walk away from. I employ techniques I would characterize as "network |
| 40 |
partitioning" and "asymmetric traffic routing" and loads of passive |
| 41 |
monitoring and profiling. Many scada networks have all sorts of |
| 42 |
improperly configured devices, bounced packets, and no sort |
| 43 |
of 'state machine' design on what is and is not need, how often |
| 44 |
and why. They have evolved, mostly by technicians and poorly trained |
| 45 |
IT folks that just 'got it to work' without optimization or system |
| 46 |
design constraints being enforced. Far too many folks and machines |
| 47 |
are present on those critical networks. IT folks view a 20 million |
| 48 |
dollar gas turbine, just like an expensive printer. Hacking them |
| 49 |
is trivial. Most SCADA networks have MS servers on the same segments for |
| 50 |
the'convenience' of all sorts of non-essential personel. To boot they |
| 51 |
put video surveillance networks in place, so the hackers can actually |
| 52 |
"see" the physical layout of the plants. Stupid does not begin to |
| 53 |
characterize the mistakes common to scada operations. |
| 54 |
|
| 55 |
You have the very wrong impression of my scada network designs. Most |
| 56 |
companies I talk to, do not like my 'draconian' designs, and I'm never |
| 57 |
going to be responsible for MS inspired, stupid networks. That said |
| 58 |
the big vendors do make billions of (scada) dollars and I search pretty |
| 59 |
hard form companies that will listen and I like enough to work for. |
| 60 |
|
| 61 |
Networks with many machines and without humans are easy to secure, |
| 62 |
you just have to think out of the box a bit.... (sorry trade secrets here). |
| 63 |
Just keep anybody with an MBA out of the process. |
| 64 |
|
| 65 |
|
| 66 |
> >> if you are looking for dynamic dns updates you want to make sure you |
| 67 |
> >> have auth by secured ip (encrypted traffic) and you want to guard your |
| 68 |
> >> keys to allow DDNS. |
| 69 |
> >> |
| 70 |
> >> DNSSec is to prevent MITM attacks such as DNS cache poisoning, and you |
| 71 |
> >> can see some starter material at ISC BIND website [1] |
| 72 |
> > DNS sec will be down the road. I have time to build, test, research |
| 73 |
> > and adjust the strategy as this goes along. It's not fixing a desparate |
| 74 |
> > situation; more along the lines of building up various secure dns |
| 75 |
> > platforms along an increasing features set. |
| 76 |
> |
| 77 |
> if your scada devices are using the public internet to get to your dns |
| 78 |
> servers i would seriously urge you to rethink things, even if you are |
| 79 |
> using dnssec. |
| 80 |
|
| 81 |
Ok, so even though folks consider these 'devices' as scada, I do not. |
| 82 |
I mostly work on industrial control systems, when I choose to do scada |
| 83 |
work. |
| 84 |
|
| 85 |
What you are referring to, something like using a cell phone to open your |
| 86 |
front door, turn on the hot tub, or manipulate your audio gear, is not |
| 87 |
really what I consider scada, but others do. If those things get hacked, |
| 88 |
you flood a basement, illegally enter a house etc etc. Bad things but |
| 89 |
not really catistrophic to the neighborhood. For me, scada means |
| 90 |
big industry, water supply, chemical plants, manufacturing etc etc. |
| 91 |
So if you hack them, costs rise astronomically, very quickly. Loss of |
| 92 |
life is a distinct possibility. These types of things should not |
| 93 |
depend on MS anything, or using the open internet for anything. Few listen |
| 94 |
now a days, because of the allure of sexy visual candy for folks that |
| 95 |
do not need access to the data/controls/equipment. Large telecom companies |
| 96 |
are the worst offenders, that why the gov. is not considering them |
| 97 |
to mandate security standards, under the guise that it is for their |
| 98 |
customers...... |
| 99 |
|
| 100 |
|
| 101 |
Stuxnet was a weakup call. Few listen. Far, far worse is bound to happen, |
| 102 |
sooner or later. |
| 103 |
|
| 104 |
|
| 105 |
> >> In terms of "hack my dns server" there are many things that can hamper |
| 106 |
> >> it - something at the bleeding edge like gentoo is ace for this kind of |
| 107 |
> >> thing (*cough* centos is prehistoric *cough*) and if you were to load up |
| 108 |
> >> metasploit with ISC specific filters you can try to see what is |
| 109 |
> >> vulnerable. you can filter by CVE on your favourite website [2] |
| 110 |
> > Yep: |
| 111 |
> > |
| 112 |
http://cyberarms.wordpress.com/2014/04/20/detecting-openssl-heartbleed-with-nmap-exploiting-with-metasploit/ |
| 113 |
> > |
| 114 |
> > I got that, hense the advise is being sought out, first. |
| 115 |
> > |
| 116 |
> and bear in mind the security in depth. your perimeter will be bypassed |
| 117 |
> - what happens next is down to you. |
| 118 |
> you are looking at having possible external user generated web content |
| 119 |
|
| 120 |
I'm looking for consolidated information. I have a very very good track |
| 121 |
record for (2) things. Keeping machines very secure and pissing |
| 122 |
off managers by designing system with a need to know and very very |
| 123 |
limited access. I usually save folks signficantly by using the word |
| 124 |
"No" to all sorts of stupid ideas. One customer paid me out a fraction of |
| 125 |
the savings they realized, for a very long time. |
| 126 |
|
| 127 |
What managers need are reports from databases on systems, production and |
| 128 |
security scans, not real time access...... However, go to a trade show |
| 129 |
on scada and it's a feeding freenzy for hackers....... Vendors are putting |
| 130 |
controls on cell phones and have security equivalent to WEP. |
| 131 |
|
| 132 |
Thanks for your input. My goals here are building a series of dns servers |
| 133 |
from very simple and very secure, and on up, slowly learning and creating |
| 134 |
a portal for other to experinece what I figure out. My techniques on |
| 135 |
machines are pretty much unpublished and unique. In a big industrial |
| 136 |
environment, I teach folks to build something unique, and not follow |
| 137 |
the vendor main-line approach. Few listen, hence all the noise lately |
| 138 |
about the chineese hacking industries in the US...... The sad thing |
| 139 |
is most industries think the US governement is watching their network, |
| 140 |
will swoop in just in time to save them, and not make the managers look |
| 141 |
like idiots, when press reports are leaked. They do not understand that |
| 142 |
government agenices have a singular focus to increase their funding, and not |
| 143 |
to protect anyone. You nor I can get through to them, until |
| 144 |
after the pooper has been hacked. |
| 145 |
|
| 146 |
idiots....abound, sorry for the digression. |
| 147 |
|
| 148 |
peace, |
| 149 |
|
| 150 |
|
| 151 |
James |
Archives