
ICS security fails the Black Hat test

The news at Black Hat 2018 wasn’t great when it came to industrial control systems. But while numerous sessions added up to sweeping condemnation of ICS security, there was at least the occasional saving grace that some vendors will correct some problems — at least some of the time. Still, the apparent lack of a security-conscious culture within these organizations means they’ll only fix the minimum, leaving similar products with the same underlying hardware, firmware and fatal bugs untouched and unsecured.

Speaking in a session called “Breaking the IIoT: Hacking Industrial Control Gateways,” Thomas Roth, security researcher and founder of Leveldown Security, an embedded and ICS security consulting and research company based in Esslingen, Germany, walked through the security faults of five gateway devices he had bought at affordable prices on eBay. He wanted to look at commonly deployed, relatively current devices, the kind you find in the real world.

“If you go out on the network and start scanning, you’ll find thousands of these devices. In fact, you’ll find entire network ranges that are used almost exclusively for these devices,” he said.

“Often, they use static IP addresses with no VPN protection.” One device he looked at had a proprietary protocol for its wireless communications. But if you could break it — and he did — you had access to every one of those devices in the field, because the network addressing architecture was flat and unsegmented.

The first device he looked at, a Moxa W2150A, was typical of his experiments. It connects ICS devices to wireless networks via an Ethernet port on the device side and a wireless interface on the other. Between the two interfaces is an easily opened case that reveals a circuit board with pads for a debugging port. Roth found that the port was a serial console that booted directly to a Linux root shell, a theme common to many of the devices discussed at the conference.

“This is a design decision, not a bug,” Roth said. But he noted that if you have the device and you can access a root shell, then as you are writing exploits, you can debug them directly on the device, “which is a pretty nice situation to be in.”

Roth noted the firmware for the device was available on the internet from the Moxa website, but it was encrypted. At first, this seemed like a dead end. But in looking at earlier firmware versions, he noticed one of the upgrades included adding the feature of encrypting the firmware.

This led him to an unencrypted update version, which included a package called “upgrade_firmware.” This, in turn, led to a function called “firmware_decrypt” — a function name that gave the audience a chuckle — which gave him plaintext access to the current version of the software. The decryption key was, needless to say, included in the upgrade code.
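A first step in that kind of triage, and an added example rather than anything from Roth's talk or Moxa's tooling, is a byte-entropy scan of each downloadable package: an encrypted (or compressed) image scores close to 8 bits per byte in every window, while a plaintext package containing an updater script, strings and filesystem metadata does not. That is how you pick out the older, unencrypted version worth opening first. The images below are constructed sample data, not vendor firmware; the 4 KiB window and the 7.5 bits/byte threshold are assumptions a practitioner would tune per image.

```go
package main

import (
	"fmt"
	"math"
)

// Region is one fixed-size window of the image with its entropy verdict.
type Region struct {
	Offset  int
	Entropy float64
	Opaque  bool // true when the bytes look encrypted or compressed
}

// shannonEntropy returns bits per byte: 0 for a constant run, near 8 for uniform random data.
func shannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n := float64(len(b))
	h := 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// scanImage slides a window over the image and classifies each one. Windows at or above
// threshold bits/byte are marked opaque; code, strings and metadata sit well below it.
func scanImage(img []byte, window int, threshold float64) []Region {
	var out []Region
	for off := 0; off < len(img); off += window {
		end := off + window
		if end > len(img) {
			end = len(img)
		}
		h := shannonEntropy(img[off:end])
		out = append(out, Region{Offset: off, Entropy: h, Opaque: h >= threshold})
	}
	return out
}

// opaqueFraction is the share of windows that look encrypted or compressed. A download
// scoring near 1.0 is what "the firmware is encrypted" looks like; a package scoring low
// is the one to unpack first.
func opaqueFraction(regions []Region) float64 {
	if len(regions) == 0 {
		return 0
	}
	n := 0
	for _, r := range regions {
		if r.Opaque {
			n++
		}
	}
	return float64(n) / float64(len(regions))
}

// Constructed sample images (not real firmware): xorshift64 output stands in for
// ciphertext, repeated bootloader/kernel-style strings stand in for a plaintext package.
func xorshiftBytes(n int, seed uint64) []byte {
	out := make([]byte, n)
	x := seed
	for i := range out {
		x ^= x << 13
		x ^= x >> 7
		x ^= x << 17
		out[i] = byte(x >> 24)
	}
	return out
}

func plaintextBytes(n int) []byte {
	src := []byte("U-Boot\x00Linux version\x00/bin/sh\x00/etc/init.d/rcS\x00upgrade_firmware\x00")
	out := make([]byte, n)
	for i := range out {
		out[i] = src[i%len(src)]
	}
	return out
}

func sampleEncrypted() []byte { return xorshiftBytes(64*1024, 0x9E3779B97F4A7C15) }
func samplePlaintext() []byte { return plaintextBytes(64 * 1024) }

// sampleMixed models a package with a plaintext updater followed by an encrypted payload.
func sampleMixed() []byte { return append(samplePlaintext(), sampleEncrypted()...) }

func main() {
	samples := map[string][]byte{"encrypted": sampleEncrypted(), "plaintext": samplePlaintext(), "mixed": sampleMixed()}
	for name, img := range samples {
		fmt.Printf("%-9s opaque fraction %.2f\n", name, opaqueFraction(scanImage(img, 4096, 7.5)))
	}
}
```

Entropy alone cannot tell compressed from encrypted, so a high score means "opaque", not "protected": a squashfs or LZMA payload that scores 7.9 unpacks with standard tools, and the next check on an opaque region is whether it starts with a known container magic before assuming a key is needed.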

Roth raised an issue that hasn’t been much discussed in ICS security: supply chain security issues caused by the wide prevalence of openly accessible terminal access ports on devices. You can change the firmware, he said, write the changed version back to the device, return it to your distributor without mentioning the change, “and they will happily resell it to someone else.” In fact, he knows this because he conducted an experiment and was sold a device with firmware he had previously rewritten.

Roth discussed four more devices in some detail, with two of them still in the process of disclosure, “and there are a lot of fun issues.”

Beyond Roth’s pathway strewn with pwned gateways, there were other such sessions, including ones that found significant vulnerabilities in medical devices, cellular gateways, smart city infrastructure and satellite communications.

Jonathan Butts, CEO of security consultancy QED Secure Solutions, located in Coppell, Texas, noted in a press conference at the event that dealing with vendors on ICS security disclosure had been particularly frustrating. In the case of a pacemaker made by Medtronic, a protracted process ended with the company deciding that changes to the product weren’t necessary, which led Butts and co-speaker Billy Rios, founder of WhiteScope LLC, a cybersecurity company based in Half Moon Bay, Calif., to demonstrate their attack live and let the audience judge for themselves.

“To be honest,” Butts said, “after about the one-and-a-half-year mark, and you see stuff like [Medtronic’s response], you get fed up.”

ICS security: Protection? Not

While it’s theoretically possible to protect at least the devices that aren’t implanted in human bodies by placing the ICS equivalents of a firewall at strategic network junction points, a session by Airbus security evaluators Julien Lenoir and Benoit Camredon showed a widely deployed ICS firewall made by Belden could be remotely exploited.

The Tofino Xenon device is typically situated between the IP-based control network and local ICS assets that use Modbus, EtherNet/IP or OPC protocols. Interestingly, the device itself doesn’t have an IP address; it is essentially invisible to ordinary interrogation on the network.

A custom protocol allows a Windows machine running a configurator to discover and then send configuration data to a Xenon device. The configurator knows the addresses of protected ICS devices and knows the Xenon is somewhere between the configurator and the devices. The Xenon knows to watch for packets that carry a specific payload and recognizes them as packets from a configurator.

The two researchers were able to reverse-engineer the protocol enough to understand the arrangement that was used for encryption keys. The configurator discovers devices using a common key and then generates two additional keys that are unique to the particular pairing of that configurator and that specific firewall. All of these keys could be extracted from the discovery session, and then the keys unique to the device were used to establish a connection with the device.

“We were able to get a root shell,” Lenoir told the audience, heralding the familiar theme that almost all ICS devices are actually outdated Linux kernels. “Once everything was running as root, now the appliance was no longer a black box, but was instead a Linux kernel.”

From here, they settled on an attack model that used the devices’ ability to be updated from files on a USB stick. Camredon explained the updates comprised two files, both encrypted. “One is an update script, and one is a data file that is an image, including an image of the kernel.”

It turned out that all configurators and all Tofino Xenon devices used the same key for decrypting the update files. Because they had access to root on the Xenon, they were able to extract this key, at which point they further discovered there were no checks in the update script to ensure the data file hadn’t been tampered with since it was created.

Thus, a breached Xenon could be modified however the attackers wanted, an image of that system taken, encrypted with the shared key and packaged as an update, and the separate installation script would not detect the change. Encryption under a key held by every device provides no integrity: anyone who has extracted that key can produce a package that decrypts cleanly, and only a check against something the attacker does not hold, such as a vendor signature, can tell the two apart.
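To make that weakness concrete, here is an added example in Go, not Belden's update format or the Airbus team's code, that models both sides: an updater that decrypts the data file under a key shared by every device and installs whatever comes out, beside one that verifies an Ed25519 signature from a vendor key kept off-device before it decrypts anything. The key, image contents and AES-CTR framing are constructed assumptions; the point it demonstrates is that an attacker who has pulled the shared key from one rooted device can mint an installable package for the first updater but not for the second.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed 32-byte key standing in for the one update key shared by every
// configurator and device. Assumption: an attacker with root on one device has
// already read it out, as the researchers did.
var sharedUpdateKey = []byte("constructed-global-update-key-32")

// ctrSeal encrypts with AES-CTR and no authentication, mirroring an update format
// that decrypts the data file but never checks it. The random IV is prepended.
func ctrSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

func ctrOpen(key, ct []byte) ([]byte, error) {
	if len(ct) < aes.BlockSize {
		return nil, errors.New("short ciphertext")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCTR(block, ct[:aes.BlockSize]).XORKeyStream(pt, ct[aes.BlockSize:])
	return pt, nil
}

// applyWeak models the original script: decrypt and install whatever comes out.
func applyWeak(ct []byte) ([]byte, error) { return ctrOpen(sharedUpdateKey, ct) }

// SignedPackage adds a vendor signature over the ciphertext. The signing key stays
// on the vendor's build system, so a key pulled from a device is no longer enough.
type SignedPackage struct {
	Ciphertext []byte
	Signature  []byte
}

func buildSigned(vendorPriv ed25519.PrivateKey, image []byte) (SignedPackage, error) {
	ct, err := ctrSeal(sharedUpdateKey, image)
	if err != nil {
		return SignedPackage{}, err
	}
	return SignedPackage{Ciphertext: ct, Signature: ed25519.Sign(vendorPriv, ct)}, nil
}

// applySigned verifies before it decrypts: no byte from the stick is interpreted
// until the signature checks out against the public key baked into the device.
func applySigned(vendorPub ed25519.PublicKey, pkg SignedPackage) ([]byte, error) {
	if !ed25519.Verify(vendorPub, pkg.Ciphertext, pkg.Signature) {
		return nil, errors.New("update rejected: bad vendor signature")
	}
	return ctrOpen(sharedUpdateKey, pkg.Ciphertext)
}

// runScenario reports whether the weak updater installs a forged image, whether the
// signed updater installs the genuine one, and whether it installs the forgery.
func runScenario() (bool, bool, bool, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	genuine := []byte("constructed kernel+rootfs image, vendor build")
	backdoored := []byte("constructed image carrying an attacker's root shell")
	// The attacker holds sharedUpdateKey but not vendorPriv.
	forgedCT, err := ctrSeal(sharedUpdateKey, backdoored)
	if err != nil {
		return false, false, false, err
	}
	got, err := applyWeak(forgedCT)
	weakAccepts := err == nil && bytes.Equal(got, backdoored)
	pkg, err := buildSigned(vendorPriv, genuine)
	if err != nil {
		return false, false, false, err
	}
	got, err = applySigned(vendorPub, pkg)
	signedAcceptsGenuine := err == nil && bytes.Equal(got, genuine)
	// Best available forgery: the attacker's ciphertext under the vendor's old signature.
	_, err = applySigned(vendorPub, SignedPackage{Ciphertext: forgedCT, Signature: pkg.Signature})
	return weakAccepts, signedAcceptsGenuine, err == nil, nil
}

func main() {
	weak, genuine, forged, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("weak updater installed forged image:  ", weak)
	fmt.Println("signed updater installed vendor image:", genuine)
	fmt.Println("signed updater installed forged image:", forged)
}
```

Two design points carry over to a real updater: verify the signature over the bytes as received, before any decryption or parsing, so a malformed package never reaches the decompressor or the script interpreter; and put a monotonically increasing version inside the signed data, otherwise an old but validly signed image can be replayed to reinstall a known-vulnerable build.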

The Xenon has been updated to correct these problems since the researchers disclosed their findings. So, in theory, the firewall is back in business. One problem Roth noted, though, is these systems often come in dozens of variants, with different names and model numbers.

“If you report a bug to some of these vendors,” Roth said, “the vulnerability gets fixed, but then there are 10 different devices which run the same firmware, and they are left completely unpatched.”

Roth suggested this was a clear indication of the lack of security culture at many ICS vendors.

“It’s like exploiting in the ’90s,” he concluded. “We have no integrity protections on any of these devices.”

At another moment, he made a sweeping generalization: “Everything runs as root; everything runs on outdated Linux kernels; everything runs on outdated web servers. If any of these components fails, you have root permission.”

For Sale – Samsung 950 PRO NVMe M.2 256GB

Wasn’t sure there was a difference which is why I was asking earlier. I’ve looked into it though and unless I’m reading the tests wrong, the 960 Evo seems to have superseded the 950 Pro and is faster and the 970 is newer & quicker again. Something to do with the different architecture from the 2016 generations to the 2017 & 2018 ones?

Ignore me if I’m totally wrong though!

Samsung Evo 970 fastest drive available at the moment I believe from the reviews, and £85 at Scan with free delivery.


How a first-time teacher brought new energy to education in rural Morocco

Teaching wasn’t really on my to-do list. My ambition was to be a financial manager once I graduated from university, but instead I followed my father’s path into teaching. And in my country, Morocco, that means consigning yourself to an isolated region for the first few years of your career. No electricity, no drinkable water, and in winter you might have to cross rivers just to get to school.

Unlike many educators around the world, one of my challenges wasn’t to integrate technology into a modern urban classroom – it was to make it work in a rural environment, where students, their parents and their siblings have never so much as touched a PC or used the internet. But even in this situation, or maybe because of it, I started to change my mind about my career. I began to like my new job. Those innocent eyes waiting for me every morning pushed me into giving everything I have to improve education for children in rural places.

As a teacher and messenger of knowledge, situated in hard conditions, I had two choices: surrender to the reality, or choose the path of innovative educators.

My classroom didn’t have electricity. The internet and mobile signals in the area were weak, and I had to walk a five-mile round trip, six days per week, over the mountains to get to the school. Still, I believed in the power of information and communication through technology, and I tried hard to surpass any technical or logistical problems, just to take my students to another climate of learning and bring my classroom to life. Where to start?


With most students here passing their time after school (and even at dawn) herding and guarding sheep, looking for water or helping their families at shelters, school just wasn’t the biggest priority. To figure out how to reduce absence, I needed to know more about it.

First, I used Microsoft Excel as a master tool to collect and analyze absence data, with clear definitions of when dropouts were happening. I asked for the absence data archive from the principal director and combined it with what I recorded every school day. From the results I concluded the highest rate of absence was on Fridays, which coincided with the most popular day for students to play, meet friends and step out of their routine life. It was all happening at the souk, an atmospheric and vibrant marketplace full of food and furniture, toys, candy, old comic books and other goods. In trying to think of something bigger, something more exciting and more attractive to get the students to their teacher, I decided to visit the souk myself and make a plan.

I bought a second laptop and additional batteries, so I wouldn’t have to worry about losing power in the class. It was a little hard at the beginning, carrying two laptops in my bag for a 5-mile round trip to get to the school, but after some weeks I got used to it.

Each Friday, a raffle would be waiting for my students at the classroom. During recess, we’d organize a draw, and the winner would have the chance to use the laptop and choose between watching cartoons, playing educational video games, or writing in Microsoft Word.

At the beginning, I thought my students would choose to play games or watch videos when they had their chance, but I was wrong. Most of them preferred to explore Word and they became so excited when they typed in their names and some words and paragraphs.

Giving my students the opportunity to use the PC and freely connect with technology had a powerful impact on combating the absence phenomenon. My students now prefer coming to school and they’re starting to convince their parents and siblings about the importance of school and ICT (Information and Communication Technologies). More recently, we’ve been holding a “Friday Surprise” each week, where students can express themselves and develop their skills by creating handmade decorations, using the laptop to look for creative ideas, to draw, or do other things that improve communication, collaboration, presentation, creativity, problem solving, and critical thinking.

There are some other educational issues we see in the multi-grade classroom. Some multi-grade teachers may teach two grades in the same class, while others may teach three or four grades. I’m teaching six grades. The students in these grades are usually of the same age but may differ in their abilities, which means:

  • Planning can be time consuming.
  • Teachers may be frustrated due to their geographical isolation.
  • Physical conditions may be unattractive. Some classrooms are very small and overcrowded.
  • Few materials are available for multi-grade teaching.

To take this challenge on, I thought about how being a teacher in a rural area didn’t prevent me from increasing my knowledge, or developing my professional and personal skills. I tried to use the internet to get away from the isolation and be a part of the community of innovative educators. After learning about new methods and experiences all over the planet, I decided to let my students choose, by themselves, to come to school, even on special days, rather than imposing it on them. With ICT, I would rather make them eager to build knowledge. I encouraged them to try new things and never be afraid of change. That’s why using ICT has had a positive impact not only in my classroom, but on the whole school environment.

For me, the weak infrastructure, the absence of digital tools and unawareness of how important education is are no excuse – we can still create and think of innovative ways to make our students love coming to school.

To meet the varied needs of multi-grade students, teachers need in-depth knowledge of child development and learning and a larger repertoire of instructional strategies than most single-grade teachers possess. They must be able to design open-ended, divergent learning experiences accessible to students functioning at different levels. They must know when and how to use homogeneous and heterogeneous grouping and how to design cooperative group tasks. They must be proficient in assessing, evaluating, and recording student progress using qualitative methods.

Multi-grade teachers must be able to facilitate positive group interaction and to teach social skills and independent learning skills to individual students. They must know how to plan and work cooperatively with colleagues, as team teaching is commonly combined with multi-grade organization. Finally, they must be able to explain multi-grade practices to parents and other community members, building understanding and support for their use.

The wealth of digital tools makes it easy to create your own educational materials, and there are many advantages in doing so. As a teacher, the learning for your students is strengthened by your voice and pedagogy. The students can study at their own pace and learn at their level. These are some of my strategies:

  • Consider students’ needs and their knowledge differentiation, by presenting my own lesson plan.
  • Make the explanation more attractive for my students.
  • Effectively manage the lesson’s time.
  • Develop game-based learning.
  • Improve real-world problem solving and collaboration.

Microsoft technologies helped me perform my tasks more quickly and efficiently. Specifically:

  1. Planning: Microsoft offers planning templates that you can customize to your requirement. You can update and reuse these when you teach the lessons again.
  2. Record keeping: By maintaining electronic documents you can quickly access and update information, making it easier to share and cross reference.
  3. Assessing: With Microsoft Word, Excel and PowerPoint you can design assessments with automated marking.
  4. Coordinating and communicating: E-mail is a useful option to communicate. Microsoft Outlook offers the option of a shared calendar, which makes coordination efficient. You can use a blog or webpage that parents visit for updates.
  5. Collaborating: Shared workspaces or collaboration tools, such as SharePoint, Skype, Skype for Business, and Office 365 make it easier to collaborate on documents and hold virtual meetings.

For me, as a primary school teacher, my love for this noble job has grown far beyond what I ever expected. I have learned that the teacher doesn’t just light up minds, but hearts as well. I learned that teaching is art and love before it’s a job. I learned that education has no borders.

Top image: Bayla Khalid attending Education Exchange 2018 in Singapore, where he met educators from around the world.


Kubernetes roadmap looks to smooth container management bumps

AUSTIN, Texas — “This job is too hard.”

It wasn’t a message the DevOps faithful at KubeCon 2017 last week might have expected from a Microsoft distinguished engineer and Kubernetes co-creator.

Brendan Burns, Microsoft Azure’s director of engineering, introduced a personal project called Metaparticle at the annual gathering of Kubernetes users and contributors. With Metaparticle, which translates complex distributed systems concepts into snippets of Java and JavaScript code, Burns aims to make distributed systems a Computer Science 101-level exercise.

In that same vein, Kubernetes project leaders know the container management platform will only get rapid acceptance if it is accessible to more people. The Cloud Native Computing Foundation (CNCF) revealed features on the Kubernetes roadmap and introduced a Kubernetes mentoring program for administrators to make it easier to manage clusters across multiple clouds.

Third-party integrations, such as Pivotal Cloud Foundry 2.0, which is now available, will also improve on-premises Kubernetes management and, eventually, hybrid cloud management for enterprises, said Larry Carvalho, an analyst at IDC.

Traditional enterprise IT vendors run hands-on training programs — Pivotal Labs, Red Hat Open Innovation Labs, IBM Cloud Garage — to impart distributed systems skills to enterprise IT staff, Carvalho said. “[These programs] not only lead a horse to water, but force it down his throat,” he said.

“Startups are going gangbusters, but more than half of enterprises still don’t have a production workload in containers,” Carvalho said. “There’s an opportunity, but for them to start adopting it really requires a culture shift.”

Kubernetes users want secure multicluster management

Enterprises with some Kubernetes experience echoed Burns’ desire for simplicity, particularly to manage multiple container orchestration clusters, as all got their first look at the Kubernetes roadmap for 2018.

Production-ready, federated Kubernetes clusters topped the wish list for Rick Moss, infrastructure operations engineer for MailChannels, an email service provider in Vancouver, B.C.

“We want to be able to set up and tear down Kubernetes in different clouds, and federation is the only way to do that securely,” Moss said.

One can use multiple separate clusters for multi-cloud Kubernetes deployments, but rather than stand up and debug a new cluster, Moss said he wants the ability to just roll out part of the same system. However, Kubernetes federation last saw a major update in Kubernetes release 1.5 last year, and it’s been difficult to operate in real-world environments. Kubernetes is at release 1.9 at the time of publication.


Bloomberg LP engineers said they’re not interested in the nascent federated clusters, but will track their progress in 2018. In the meantime, engineers at the financial services company headquartered in New York must occasionally restart specific hosts in on-premises Kubernetes clusters, and they want instance addressability within Kubernetes to help with that. The ability to dynamically provision local persistent storage volumes would help move stateful apps closer to production on Kubernetes, said Steven Bower, search and data science infrastructure lead at Bloomberg.

Enterprise IT shops also look forward to the Kubernetes roadmap’s security features disclosed by Kubernetes project managers at KubeCon. Pluggable ID, for example, will allow Kubernetes identity management and role-based access control to plug into existing identity management systems, such as the Lightweight Directory Access Protocol (LDAP).

“It’s nice they have identity management support for Amazon [Web Services] and Google Cloud [Platform], but on-premises LDAP is where they need to focus,” Bower said.

A special-interest group within the CNCF will integrate with SPIFFE, which stands for Secure Production Identity Framework for Everyone, an open source project that defines a set of standards for issuing identities to workloads and securing communication between services. It’s still too early to tell if it will succeed, Bower said.

Microsoft’s Brendan Burns presents the Metaparticle distributed systems management project at KubeCon 2017.

Cluster API project aspires to be ‘the great equalizer’

KubeCon attendees also saw Cluster API, a plan by the SIG-Cluster-Lifecycle group to create a set of standards to install Kubernetes clusters in multiple infrastructures.

“It’s a declarative way of deploying and upgrading clusters that abstracts the infrastructure behind Kubernetes,” said Aparna Sinha, project management lead for Kubernetes at Google. “It’s not easy to do hybrid [cloud deployments] today, but Cluster API will be the great equalizer for deploying Kubernetes on different systems.”

Also in the works is a declarative application management project that builds on the open source ksonnet configuration tools to define applications on Kubernetes in a nonrestrictive way, Sinha said. Though it’s still in its early stages, there is a working group.

Another trend expected in 2018 is increased attention to serverless technologies and how they compete with and integrate with containers. Several open source function-as-a-service projects are currently in process, but the CNCF has yet to align itself with any of them. CNCF officials think the community should remain neutral, but KubeCon observers said they think one will naturally emerge and eventually earn support from the CNCF next year.

Beth Pariseau is senior news writer for TechTarget’s Data Center and Virtualization Media Group. Write to her at bpariseau@techtarget.com or follow @PariseauTT on Twitter.

Wanted – Microsoft Surface Pro 2 (or good 1)

It has been a while since I last used it but I’ll dig it out and check, there wasn’t any real damage the last time I had it out. I’m afraid I don’t know about the battery since it has been a number of months since it was last used (although fully charged before it was put away), it didn’t get a lot of use over the years since I purchased it.

Yes, will include the stylus.

Edit – Will try to take some photos tomorrow evening after work
