Newly Disclosed "Back-Door" Vulnerability Built Into RuggedCom's "Mission-Critical" Switches An


posted on Apr, 26 2012 @ 02:37 AM
RuggedCom is a Canadian company (recently acquired by Siemens) that manufactures electronic equipment used in sensitive military and industrial "mission-critical" communication networks that operate power grids, railway traffic control systems and manufacturing facilities. Apparently, all versions of the Rugged Operating System, created by RuggedCom, had a back-door vulnerability that cannot be disabled. It featured a static username, that could not be changed by customers, and a dynamically generated password based on the device's MAC address. This built-in feature was not disclosed to customers using their devices.

RuggedCom's inclusion of the back-door without disclosure is irresponsible, at best, and perhaps even criminal. It begs the question: Was it built in under the direct orders of a Government or was it the result of an internally-made corporate decision? Stuxnet and Duqu were two things that immediately came to my mind. The recent Siemens acquisition of RuggedCom also adds an interesting twist to the plot. I'm simply thankful that the vulnerability wasn't discovered and exploited to ill effect. Thanks go out to Justin Clarke for finding and exposing this problem.

Link:
www.wired.com...



posted on Apr, 26 2012 @ 02:51 AM

Originally posted by BULLPIN

RuggedCom is a Canadian company (recently acquired by Siemens) that manufactures electronic equipment used in sensitive military and industrial "mission-critical" communication networks that operate power grids, railway traffic control systems and manufacturing facilities. Apparently, all versions of the Rugged Operating System, created by RuggedCom, had a back-door vulnerability that cannot be disabled. It featured a static username, that could not be changed by customers, and a dynamically generated password based on the device's MAC address. This built-in feature was not disclosed to customers using their devices.

RuggedCom's inclusion of the back-door without disclosure is irresponsible, at best, and perhaps even criminal. It begs the question: Was it built in under the direct orders of a Government or was it the result of an internally-made corporate decision? Stuxnet and Duqu were two things that immediately came to my mind. The recent Siemens acquisition of RuggedCom also adds an interesting twist to the plot. I'm simply thankful that the vulnerability wasn't discovered and exploited to ill effect. Thanks go out to Justin Clarke for finding and exposing this problem.

Link:
www.wired.com...


I think if you are trying to put blame, you should treat the corporation and government as the same entity.

It's clearly an intentional act. Luckily today the government can claim no responsibility for the acts of corporations and corporations claim no responsibility for government acts.



posted on Apr, 26 2012 @ 02:53 AM
reply to post by BULLPIN
 


I do tend to believe anything electronic has a "back door" in it. It's just safer to think that way, in this day and age.

Either the companies who designed/built such devices want the access, or as you hinted, the governments want the access for their own reasons.

Either way, it's a sad world we live in where things we buy, are not truly ours to own and use as we see fit, without threat or potential for someone else to be spying on us, or accessing our information at will.

Rule #1: Want it to stay private, don't put it in digital format of any sort. Papers can be hidden, 0's and 1's cannot be hidden.



posted on Apr, 26 2012 @ 03:07 AM
reply to post by BULLPIN
 


I guess, in theory, that's what I would do. Ensure I can take control of a product I've designed and manufactured if the situation calls for it.

It'd be a b!tch if someone else found it though and that's what seems to have happened. Even worse if the customer finds out but I guess that depends on the situation. Maybe it's there to protect the customer if their device is hacked and they've lost control over it.

The irony is obvious.



posted on Apr, 26 2012 @ 03:33 AM
A lot of stuff like this is coded in to allow the manufacturer access should there be no way for the normal administrators to log in, and obviously wouldn't be generally reported as such, but known that the manufacturer has the ability to get in even in the event of a system fault.

I'd imagine that big sites using this stuff and military buyers would know that such a back door exists, but keeping quiet is part of the contract when buying this stuff.

When I worked on mainframes there was usually an engineer's login which had the ability to be promoted to full admin rights if you knew the password.



posted on Apr, 26 2012 @ 04:22 AM
Thank you all for your comments and input. I'm pleased to have them, as this is my first thread, and I was expecting the sound of crickets chirping in an empty theatre.

What bothers me most about RuggedCom's "standard" back-door feature is that we are put at risk, unbeknownst to us, simply to facilitate convenient access to these servers/switches in the event usual routes of access fail, or are otherwise unavailable. On the other hand, one could reasonably argue that such a feature could be used to help save lives, or prevent damage, in the case of an emergency or other anomalous event. There seem to be deeper moral/ethical/philosophical considerations to hash out after a closer inspection of the issues at hand.



posted on Apr, 26 2012 @ 07:35 AM
If you were to lump together all of the other highly illegal or "wrong" things allowed in computer programs initially without the public's knowledge (cookies anyone?) then you have your answer to the who and why.

NSA sends around its wish list to product design teams and the companies comply. No mystery there.



posted on Apr, 26 2012 @ 02:09 PM
reply to post by Aliensun
 


Yeah, what you're saying is certainly true for US-based companies. RuggedCom is/was a Canadian company and I wonder if they too are obliged to follow orders from the NSA. Know any good jokes aboot The United States of Canada or Canada being the 51st US State? Hahaha. All kidding aside, the "just following orders" inclusion of this backdoor threat doesn't mitigate the risk all of us are unknowingly exposed to. There has got to be a safer and more secure way to accomplish the same objectives as these "secret" unsecured back-doors. I expect more ingenuity from the software engineers developing operating systems for these critical servers and switches. I know we're dead-heads here in North America but geez. If there are not better ways than RuggedCom's simplistic, un-innovative back-doors... we will eventually be screwed. NSA has got to find a better way, even if it means bringing someone with real brain power from India, or China, into the fold.



posted on Apr, 26 2012 @ 02:31 PM
A lot of the sites employing this sort of stuff will be remotely managed to keep the cost of maintenance and support down, and probably will be directly managed by the manufacturer, so it will require top-level access to all the kit. At least it had a generated password; a lot of systems come preshipped with a standard username/password for admin-level access, and guess what, people never think to change them. I remember a lot of Mitel phone systems had a standard uname/pwd combo that no one ever changed.

If the kit has been anywhere near any government system then I'm sure the security bods in the related departments will have had the source code to check out, just like in India they managed to find the source code to various anti-viruses on a state-owned server.



