Partial map of the Internet based on the January 15, 2005 data found on opte.org.

I’m dutch, so this time I’m going to react on a local news item (translation by Google). ‘Hacking critical infrastructure is still possible on a large scale’ was in the news a couple of days ago here in the Netherlands. Some of the examples given were:

• A bridge which has to be opened and closed from a remote location.
• The escalators in an airport
• Traffic lights
• Water purifying plants

Cool features, don’t you think? Logon to a machine via the internet and be able to change the lights on your local freeway, that would shave some time off my commute every day.

Fred Strive from ENCS:  “We are certainly not there yet, we can not just simply replace all of those devices, but there are claims it will be years before we have provided the critical infrastructure with secure devices.”.

Replacing would be expensive, but would that fix the problem? KLM, a local airline company, happened to run their entire internal network protected by standard user and passwords (translation by Google). Replacing old hardware would maybe trigger people to look again at the security, but no-one says you can’t change the way security is views at this moment right now. Yeah, changing stuff is scary, yeah, it might go wrong. But what sounds better: 1) Waiting, scared in a dark corner of your office hoping no-one will find the exploit or 2) Using your current knowledge (which you off course keep up-to-date) to look continuously look at your security measures. Personally, I’m with no. 2, so here’s my suggestion for a fix: You don’t want people to exploit your old firmware, but you need the devices on a network. So why don’t you separate this network from the rest of the internet.  I don’t think these devices need to call home to keep on working, but if they do, make sure they can only connect to a few IP’s outside your own network.

Laurens Boven: “They do it for thirty years, and often stems from before the Internet generation and are often not built to be connected to the Internet.”

If they stem from before the Internet generation, why do they need to be connected? Probability these devices were intended to be called into via landlines. So there is already a conversion going on somewhere to enable these devices to be used over the internet which makes my second suggestion even more usable, you don’t need to change the device, you need to change the modem-device which enabled the internet for these devices. What I learned by this article was one thing, there is apparently a free search machine for exploitable machines. Let’s hope none of my devices will ever be present on this list.
tl/dr:

Don’t talk about stuff you know nothing about. I don’t tell a politician how he should do his work, so please don’t let him tell me how to do mine. Also, don’t trust all the media. (And you may quote me on that)