[Info-vax] OpenVMS versus Windows/GE Telemetry Control Systems.

Stephen Hoffman seaohveh at hoffmanlabs.invalid
Wed Jan 16 09:47:03 EST 2013


On 2013-01-16 08:44:17 +0000, David Froble said:

> Bill Gunshannon wrote:
>> In article <kd52bk$as$1 at dont-email.me>,
>> 	David Froble <davef at tsoft-inc.com> writes:
>>> Stephen Hoffman wrote:
>>>> On 2013-01-15 20:27:19 +0000, Stephen Hoffman said:
>>>> 
>>>>> On 2013-01-15 20:10:04 +0000, Bob Gezelter said:
>>>>> 
>>>>>> I note that my published recommendation for nearly twenty years has 
>>>>>> been to "air-gap" process control systems from the general corporate 
>>>>>> network as well as the public Internet [citation: Computer Security 
>>>>>> Handbook, 3rd Edition].
>>>>> That approach is great.  In theory.  But the air gap is not always 
>>>>> practical.   As Stuxnet showed, there are ways to jump the air gap, too.
>>>> And not three minutes after posting that:
>>>> 
>>>> http://arstechnica.com/security/2013/01/two-us-power-plants-infected-with-malware-spread-via-usb-drive/ 
>>>> 
>>>> 
>>>> 
>>> I seem to recall that the USB ports on Alphas were not functional under 
>>> VMS.  If that's correct, then another security notch for VMS ...
>>> 
>>> :-)
>> 
>> So, in order to be safe you have to give up some convenience.
> 
> Did you miss the smiley?

No, I didn't.  I was pointing out that there are USB ports on VMS boxes.

There are potential paths leading to breaches of VMS boxes, whether or 
not those VMS boxes have USB ports, too.  Off the top, the foothold 
would probably not be the USB port on the VMS box.

> 
>> And the same is true of any system.  Security people always walk a thin
>> line between convenience and safety.
> 
> Maybe so, but it doesn't have to be that way.  I'd bet there are many 
> people here on c.o.v that could come up with convenient and safe methods 
> for communications, software distribution, and such.

It's tougher than it looks.

> As a small example, I've implemented some socket communications.  The 
> socket is basically an open port to the world.  But it's under program 
> control, and what's coming in must meet expectations, or it's flushed 
> and the connection dropped.  Are there ways to defeat such?  I have to 
> say that I don't know, but, I really doubt it.

DNS spoofing and routing-level shenanigans can be used for MiTM 
attacks, and there are other approaches.


-- 
Pure Personal Opinion | HoffmanLabs LLC
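
The exchange above, as an added example that is not code from any participant in this thread: a receiver that drops anything not matching its expected format still accepts a well-formed frame altered in transit, while a keyed MAC with a message counter rejects both the altered frame and a replay. The `SET` frame format, the shared key and all names are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed wire format (an assumption): "SET <NAME> <0-9999>\n"
FRAME = re.compile(rb"SET [A-Z0-9_]{1,16} \d{1,4}\n")

def well_formed(frame: bytes) -> bool:
    """Format check only: input must meet expectations or be dropped."""
    return FRAME.fullmatch(frame) is not None

def seal(key: bytes, counter: int, frame: bytes) -> bytes:
    """Sender side: HMAC-SHA256 over a message counter plus the frame."""
    msg = counter.to_bytes(8, "big") + frame
    return hmac.new(key, msg, hashlib.sha256).digest()

class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.next_counter = 0  # next counter value this receiver will accept

    def accept(self, counter: int, frame: bytes, tag: bytes) -> bool:
        if not well_formed(frame):
            return False                      # unexpected shape: drop
        if counter != self.next_counter:
            return False                      # replayed or reordered
        if not hmac.compare_digest(tag, seal(self.key, counter, frame)):
            return False                      # changed in transit or wrong key
        self.next_counter += 1
        return True

def demo() -> dict:
    key = b"constructed-shared-key-for-demo"  # constructed sample key
    sent = b"SET SETPOINT_7 10\n"             # constructed sample frame
    altered = b"SET SETPOINT_7 99\n"          # same shape, value changed in path
    tag = seal(key, 0, sent)
    rx = Receiver(key)
    return {
        "garbage_passes_format": well_formed(b"GET / HTTP/1.1\r\n"),
        "altered_passes_format": well_formed(altered),
        "altered_passes_mac": rx.accept(0, altered, tag),
        "genuine_accepted": rx.accept(0, sent, tag),
        "replay_accepted": rx.accept(0, sent, tag),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The MAC gives integrity and peer authentication only; it does not hide the frame contents, and it assumes the key reached both ends by a trusted path.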



