The attack targeted a Windows 7 PC used to run software for one of the company's manufacturing machines.
So they make good fences to segment areas of land, but lacked a firewall to segment areas of the internal network?
The risk of running obsolete code and hardware was highlighted after attackers exfiltrated data from a UK supplier of high-security fencing for military bases. The initial entry point? A Windows 7 PC. While the supplier, Wolverhampton-based Zaun, said it believed that no classified information was downloaded, reports indicated …
Assuming they have a CTO (I'm probably being optimistic there), I imagine their response to the question "Do you have an effective firewall in place?" would be something along the lines of "Of course we do, ours has prevented anyone from getting burned while welding red hot fence slats together for over 50 years now..."
I laughed when I read the headline, but when I got to the sentence you quoted, I sobered up. I used to work in an environment that depended on some very sophisticated scientific equipment which was computer controlled. We could not afford to throw out perfectly functional half-a-megabuck hardware just because M$ excreted a new OS, and the manufacturer hadn't bothered to update their software for prior customers. Sometimes we could move the software to a newer OS, but most often not.
I do have sympathy for these guys - I expect they had their reasons for not air-gapping the old systems, but I'm going to guess that convenience was the main one.
You are assuming IT specialists are in unlimited supply and cheap. Besides, cyber-security is intellectually hard and typically a 53rd priority for small and mid-size business.
At the same time elReg readers seem to fervently protest large layoffs by Big IT, but this is exactly what is needed to fill job gaps of other businesses. In other news, actors and video game workers form guilds and strike, protecting their (easier?) jobs, instead of doing more in-demand IT or medical jobs, for example. This is an important example of how job security can be harmful for a country as a whole.
Well, government must support people while they are retraining. But firing people should be easy. The economy will thrive and compensate the unemployment costs and retraining.
"actors and video game workers form guilds and strike, protecting their (easier?) jobs, instead of doing more in-demand IT or medical jobs"
Haven't we been here before?
Government scraps ballet dancer reskilling ad criticised as 'crass'
https://www.theguardian.com/politics/2020/oct/12/ballet-dancer-could-reskill-with-job-in-cyber-security-suggests-uk-government-ad
I feel uneasy passing by huge fancy gov-funded offices providing zero-value services. Same with bailed-out banks.
While many private businesses are paying huge taxes and huddle in tiny boxed spaces to stay afloat.
Ballet is great. But everyone needs a nurse one day. Economy is a bitch.
Some of the control software for older equipment in printing and manufacturing is ancient but attached to perfectly cromulent hardware that still does a fine job. There are incredibly old PCs running a museum full of DOS and Win3.1 and OS/2 apps to support these things. It's quite a challenge, and frequently the best you can do is a VM (and the worst is having to support a dongle in a parallel port.) Regardless, these machines are helpless in the face of modern attacks and need to be kept in a very controlled environment.
Which is perfectly fine until some numpty connects them directly to a network. A cheap no-name firewall costs a few 10s of £, a branded one a little more, but best value is probably to be had with one that can have a third party Firewall OS loaded onto it. Point the "external" end at the untrusted kit and only allow the absolute minimum routes in and out. Even a monitoring application is probably excessive and not required, and maintenance can be performed in person.
Doesn't work when there's lots of such kit, but for most scenarios of individual, usually very expensive, machinery it's all that is required.
While a VM would work, the trouble with doing so is usually where the VM is run and it adds a lot of extra complexity and potential for failure or attack.
But did they actually target Windows 7?
Nowhere in the article is there reference to evidence that Windows 7 was specifically targeted because of known security holes that have only come to light since MS stopped releasing security updates for W7.
I would not be surprised if once the attack vector used is identified, it is discovered the attack also works against W10/11…
So whilst running an unsupported OS in production is questionable, what should be more troubling is the failure of security layers to prevent access to the more vulnerable W7 machine.
I can fix this problem and prevent all hackers in the future ... I'll just replace the Windows PC with an S-100 computer, the control software running from an 8" floppy disk, or maybe I could use a PDP-11 and a tape drive?
This is not a "joke"; it's just that I see daily malware and attempted attacks on Windows computers. All hackers have Windows computers and can work on all the infections and access, but if you have a situation like the Ministry of Defence then building your own unique CPUs and operating systems and hardware systems (but not selling them at all) has the possibilities of 98% safety. And good, well paid, jobs for all the digital engineers reading about this on El Reg (icon).
Yep, I'm sure you can rebuild an entire system from the ground up and not leave any kind of security loopholes whatever. That's easy, isn't it? - I mean, whoever heard of anyone failing at that?
Your post advocates, basically, security by obscurity. Even if it lasts so long, it'll be broken the minute an employee starts to feel less than completely gruntled.
Doesn't the government cryptography unit (near MK) use that technique?
All the politicians who want no cryptography, obviously don't know how the UK foreign embassy communications work.
Anon, as even knowing that there is such a place may be secret.
I've spent 50 years working to try and fix people's problems with their working environments. Mostly I can help them get things fixed, but telling their employers or designers that the problems exist means that I am always seen as a critic. It's been that way for years now ... discovering a problem can be a problem.
So you're suggesting that they implement "security through obscurity" as a mandate? Cool, I totally agree until the time someone sneaks out with the blueprints, finds the weakness and decimates the whole shooting match in minutes 'cos only 10 people on the planet have enough in-depth knowledge about the systems!
Perfect!
Department by department nomination of taxation might make a number of bureaucracies very nervous. So, it won't happen as there would be too many vested interests upset.
But if it would happen, for example the police, military, might suddenly become very customer friendly. Fits right in with free market economy.
A nice compromise might be 90% is pre allocated and then 10% you can freely nominate. If you don't nominate, it get distributed according to the pre-allocated formula. (Need an icon for greybeard scratching the chin.)
Back in the day, when I was responsible for classified information, there was the concept of bulk data. Just because an individual item of data was in itself unclassified did not mean that a complete table of the information was also unclassified.
> 10 e-mail addresses = Maybes O, maybes O-S - ask security guys
Depends on whose email addresses they are.
I worked on one project where I was permitted to name the 2 pilot data centres in a (restricted) technical design document. I could not give addresses or list the names of all the data centres in the estate to be covered by the design, and neither could I give a precise total number, as these items of information would mean the document would have to be classified at a level the majority of the intended audience did not have clearance to read, even though many of the intended audience through their work had committed this information to memory.
Right,
before I start and get flamed, their setup was just wrong and it should not have had access to external internet, been fire walled etc, I think we can all agree on that...
But.... having had to deal with some lab analysis machines that you were not allowed to put any form of Windows update on, that will never have their software upgraded / patched, and whose software is generally not written by software people but by (probably Chemistry / Biology) students who worked at the place developing the thing a decade ago, I do have some sympathy (not a lot, see above).
I can't imagine that any process control software for the specific machine that does a thing will be any different. With weird hardware that won't / can't run on anything but the exact equipment that is now no longer available, and the replacement (equally as bad but with enough breaking changes that nothing done previously would work) is probably in the 10s or 100s of thousands of pounds.
Oh and they might just want to verify the licence information on their servers before it starts to work.
Don't get me started on BMS etc....
The installation was probably done not by the IT guy but an Engineering tech who has nothing to do with IT and wouldn't know a packet other than his packet of fags (cigarettes for our American cousins)..he would have just plugged the yellow cable into the network port as the instructions said and left it at that.
So yes, it should have been done better, but so should all the control software for all the little bits that people don't think about. Not every computer is in a nice clean office doing Word Documents or spreadsheets.
Yup.
Been there, done that.
BT call management server on Windows 2003, provided and 'maintained' entirely by them but had to be on our AD domain for some reason.
Never patched, no A/V, we weren't allowed to touch it by contract.
Always flagged up on every security report but there was nothing we could do about it. :-(
But when he plugged it into the network port it shouldn't have worked. Any site with classified data should at a minimum use managed switches with unused ports disabled and in-use ports locked to client MAC addresses.
So he should have plugged it into the network port, then discovered that it didn't work and ring the IT people. Who would then ask for proper authorisation etc before putting it into its own VLAN.
Yeah, I know "should" is very optimistic.
"So yes, it should have been done better, but so should all the control software for all the little bits that people don't think about. Not every computer is in a nice clean office doing Word Documents or spreadsheets."
Agreed. We regularly are regaled with tales of "the unknown box" on networks that might do "something important", or the "box that does" but can't be physically located. A new build network is probably fully documented. But there are networks out there that started on older technology and just growed and growed.
Yes and no.
If you're so reliant on old kit then you need to hire the right people and that costs money. You can't simply complain and make excuses when things fail or get had by some miscreant, simply put it's all a game of swings and roundabouts. Would the same people consider eye glasses and masks an affectation when working in the lab with dangerous substances? Of course not! A computer is a tool, like using good quality glassware for experiments or proper safety equipment, a computer is not immune to common sense, it's a tool and it needs the same consideration as any other tool.
Cyber essentials will allow you to run an unsupported OS where there's a business case (e.g. required to run very expensive old manufacturing equipment) and risk mitigating measures have been taken (e.g. incredibly limited LAN access). It's not 'zero tolerance' at all.
Unfortunately Cyber Essentials has also wound up tarred by the usual collection of shysters and snake oilers who lie about what it involves in order to sell add-on services.
The principle is good, they have it mostly right, and it's a validation of a minimum level of IT security, but it doesn't make anything actually secure. That requires ongoing thought, consideration and experience.
I'd rather that the (self) assessment and checking process is formalised to ensure consistency as well as periodic re-checks to continue with the good start that Cyber Essentials is (hell, it's in the name: Essentials) and to encourage ongoing thought, consideration and application.
Interestingly, in both this article and a statement from Zaun, it just mentions it was a Windows 7 PC and doesn't actually state the vulnerability/exploit and whether this was somehow Windows 7 specific. For all I know, it may have just been a CNC controller someone had given a local account full admin rights to, then left a very bored user with free rein over some lunchtime browsing - Windows 10+ isn't immune to general poor practice.
Updating to an in-support version of Windows doesn't automatically mean 'job done' on security, in fact, it's a bloody long way down the list.
"Updating to an in-support version of Windows doesn't automatically mean 'job done' on security, in fact, it's a bloody long way down the list."
True, but it's certainly an important step. Using an unsupported OS is also likely to invalidate any cyber insurance (the policies I've seen all have a clause about this).
The last thing I am is a hyper specialist. What I am is a damn good all rounder in the IT space.
I've posted a few times before about ring fencing specialist windows (7/NT/etc) installs to talk to ridiculously expensive hardware that does a specialist job, for which the vendor either no longer exists, or has no interest in updating the software for that set of hardware. (CAT and Xray kit mostly, but also a pair of 60 ton sheet steel presses with awesome capabilities, for which the *next* generation with updated software, running on newer windows has *cough* a) monthly baseline fees and b) for each of the awesome capabilities, monthly additional fees).
I'll note someone suggested Wine, above, and for *some* hardware connections it's just fine: audio tends to be okay, printer port type connections are fine, but serial and USB connections tend (with this type of hardware) to be proprietary and Wine *really* doesn't like stuff like that. I *have* gotten parallel port connections with proprietary protocols working with Wine, but that was back when I was contributing. I don't know how far it got taken.
I'm a *very* firm believer in stuffing these instances into VM's and using the host firewalling to manage the connections directly for the guest. In my experience, it has worked the best, as VLAN management in windows 7 didn't exist. Yes, that can be done at the switch, but there are morons *who swap cables around* -- I'd hope there was mac address control on those ports as well, but I *really* haven't seen *that* much in the instances where I've done this, it seems to be an afterthought brought on by my ranting at the local tech. Hardware passthrough in KVM tends to work with somewhat more reliability than with Wine in my *personal* experience.
The *host* system can be backed up using standard processes, so long as we snapshot the VM beforehand, and get all the image files. With appropriate documentation, a system that was in use in this way, recently suffered complete meltdown (there was a serious fire, took out much of the plastic, wood, and non-hardened steel in the zone) where, when the rebuild completed on the press, and the software was restored from backup on new hardware, things picked up from where they left off. Documentation is *absolutely* required in these cases, careful, complete, and concise.
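Two posts above describe the same control: a legacy machine-control PC sits behind a firewall (a cheap appliance, or the KVM host's own filtering for a guest) that passes only the absolute minimum routes and drops everything else. The following is an added example, not code from the thread or from any of the posters, of what "absolute minimum" looks like when written down as a policy and turned into an nftables forward chain for the host. The addresses, the bridge name and the two permitted flows (an engineering workstation RDP-ing into the control PC, the control PC pushing job files to one file server) are assumptions for illustration; the VM is assumed to be on its own routed subnet behind the host so that the forward hook sees its traffic. Return packets for permitted flows are let through by connection tracking, so only flow initiations need rules.

```python
"""Minimal-route allowlist for a legacy (e.g. Windows 7) control PC held
behind a host firewall.  Added example; all hosts and flows below are
hypothetical."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

LEGACY = ip_network("10.50.0.10/32")   # assumed: the Win7 guest / control PC
ENG_WS = ip_network("10.10.1.20/32")   # assumed: engineering workstation
FILES = ip_network("10.10.2.5/32")     # assumed: job-file server
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str      # "tcp" or "udp"
    dport: int
    comment: str


@dataclass(frozen=True)
class Flow:
    """A connection attempt as seen by the forward hook (initiation only)."""
    src: str
    dst: str
    proto: str
    dport: int


# The whole policy: two flows, one direction each.  No DNS, no Internet,
# no browsing from the control PC, no inbound SMB to it.
ALLOW = [
    Rule(ENG_WS, LEGACY, "tcp", 3389, "engineer RDP into the control PC"),
    Rule(LEGACY, FILES, "tcp", 445, "control PC pushes job files"),
]


def decide(flow: Flow, rules=ALLOW) -> str:
    """First matching allow rule accepts; anything unmatched is dropped."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and flow.proto == r.proto and flow.dport == r.dport):
            return "accept"
    return "drop"


def overly_broad(rules=ALLOW):
    """Lint: any rule with an 'anywhere' endpoint defeats the segmentation
    (the control PC could reach, or be reached from, the whole network)."""
    return [r for r in rules if r.src == ANY or r.dst == ANY]


def render_nft(rules=ALLOW, iface="br-legacy") -> str:
    """Emit an nftables forward chain for the host: default drop, stateful
    replies allowed, one accept line per allowed flow, drops logged."""
    lines = [
        "table inet legacy {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in rules:
        lines.append(
            f"    ip saddr {r.src} ip daddr {r.dst} {r.proto} dport {r.dport} "
            f'accept comment "{r.comment}"'
        )
    # Everything else from or to the legacy segment is logged, then dropped
    # by the chain policy.  Assumed interface name.
    lines.append(f'    iifname "{iface}" log prefix "legacy-drop " drop')
    lines.append(f'    oifname "{iface}" log prefix "legacy-drop " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample flows: what the control PC and its neighbours try.
    samples = [
        Flow("10.10.1.20", "10.50.0.10", "tcp", 3389),   # RDP in: accept
        Flow("10.50.0.10", "10.10.2.5", "tcp", 445),     # job files out: accept
        Flow("10.50.0.10", "8.8.8.8", "udp", 53),        # DNS to Internet: drop
        Flow("10.50.0.10", "10.10.1.20", "tcp", 3389),   # PC reaching back: drop
        Flow("10.10.1.20", "10.50.0.10", "tcp", 445),    # SMB into the PC: drop
    ]
    for f in samples:
        print(f"{f.src} -> {f.dst} {f.proto}/{f.dport}: {decide(f)}")
    print(render_nft())
```

The rendered text can be loaded with `nft -f` on the host; the lint in `overly_broad` is the check worth running before doing so, since the usual way such a setup decays is someone adding a "temporary" rule to `0.0.0.0/0` for a vendor remote session and never taking it out. Note that this only controls routed traffic; if the guest is bridged straight onto the LAN the forward hook never sees it, which is the "numpty plugs it straight in" case from the thread.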