Attackers accessed UK military data through high-security fencing firm's Windows 7 rig

The risk of running obsolete code and hardware was highlighted after attackers exfiltrated data from a UK supplier of high-security fencing for military bases. The initial entry point? A Windows 7 PC. While the supplier, Wolverhampton-based Zaun, said it believed that no classified information was downloaded, reports indicated …

  1. Paul Crawford Silver badge

    The attack targeted a Windows 7 PC used to run software for one of the company's manufacturing machines.

    So they make good fences to segment areas of land, but lacked a firewall to segment areas of the internal network?

    1. Pascal Monett Silver badge

      They lacked a firewall, someone with a clue, and a CTO with the bare minimum of knowledge of IT.

      Basically, it's a company that makes fences. What could possibly go wrong ?

      1. Trigonoceps occipitalis

        > and a CTO with the bare minimum of knowledge of IT

        and a CTO with any knowledge of IT and unwilling to spend the money in any case.

        FTFY

        1. Anonymous Coward
          Anonymous Coward

          Re: and a CTO with the bare minimum of knowledge of IT

          Assuming they have a CTO (I'm probably being optimistic there), I imagine their response to the question "Do you have an effective firewall in place?" would be something along the lines of "Of course we do, ours has prevented anyone from getting burned while welding red hot fence slats together for over 50 years now..."

    2. Korev Silver badge
      Coat

      > So they make good fences to segment areas of land, but lacked a firewall to segment areas of the internal network?

      Nope, it was a fence post error...

    3. wub

      I laughed when I read the headline, but when I got to the sentence you quoted, I sobered up. I used to work in an environment that depended on some very sophisticated scientific equipment which was computer controlled. We could not afford to throw out perfectly functional half-a-megabuck hardware just because M$ excreted a new OS, and the manufacturer hadn't bothered to update their software for prior customers. Sometimes we could move the software to a newer OS, but most often not.

      I do have sympathy for these guys - I expect they had their reasons for not air-gapping the old systems, but I'm going to guess that convenience was the main one.

      1. cyberdemon Silver badge
        Linux

        I often find that software designed for ancient versions of Windows runs better on Wine than it ever did on 'Blows.

        Try it, it could possibly save you choosing between 500k and the risk of a ransom attack.

        1. katrinab Silver badge
          Unhappy

          Stuff that interfaces directly with hardware doesn't generally work in Wine though.

    4. bo111

      > but lacked a firewall

      You are assuming IT specialists are in unlimited supply and cheap. Besides, cyber-security is intellectually hard and typically a 53rd priority for small and mid-size business.

      At the same time elReg readers seem to fervently protest large layoffs by Big IT, but this is exactly what is needed to fill job gaps of other businesses. In other news, actors and video game workers form guilds and strike, protecting their (easier?) jobs, instead of doing more in-demand IT or medical jobs, for example. This is an important example of how job security can be harmful for a country as a whole.

      Well, government must support people while they are retraining. But firing people should be easy. The economy will thrive and compensate for the unemployment costs and retraining.

      1. Nifty

        Re: > but lacked a firewall

        "actors and video game workers form guilds and strike, protecting their (easier?) jobs, instead of doing more in-demand IT or medical jobs"

        Haven't we been here before?

        Government scraps ballet dancer reskilling ad criticised as 'crass'

        https://www.theguardian.com/politics/2020/oct/12/ballet-dancer-could-reskill-with-job-in-cyber-security-suggests-uk-government-ad

        1. bo111

          > ballet dancer reskilling

          I feel uneasy passing by huge fancy gov-funded offices providing zero-value services. Same with bailed-out banks.

          While many private businesses are paying huge taxes and huddle in tiny boxed spaces to stay afloat.

          Ballet is great. But everyone needs a nurse one day. Economy is a bitch.

    5. 43300 Silver badge

      The bigger problem is using unsupported software!

      1. Cris E

        Some of the control software for older equipment in printing and manufacturing is ancient but attached to perfectly cromulent hardware that still does a fine job. There are incredibly old PCs running a museum full of DOS and Win3.1 and OS/2 apps to support these things. It's quite a challenge, and frequently the best you can do is a VM (and the worst is having to support a dongle in a parallel port.) Regardless, these machines are helpless in the face of modern attacks and need to be kept in a very controlled environment.

        1. Nick Ryan Silver badge

          Which is perfectly fine until some numpty connects them directly to a network. A cheap no-name firewall costs a few tens of £, a branded one a little more, but best value is probably to be had with one that can have a third-party firewall OS loaded onto it. Point the "external" end at the untrusted kit and only allow the absolute minimum routes in and out. Even a monitoring application is probably excessive and not required, and maintenance can be performed in person.

          Doesn't work when there's lots of such kit, but for most scenarios of individual, usually very expensive, machinery it's all that is required.

          While a VM would work, the trouble with doing so is usually where the VM is run and it adds a lot of extra complexity and potential for failure or attack.

    6. Roland6 Silver badge

      But did they actually target Windows 7?

      Nowhere in the article is there reference to evidence that Windows 7 was specifically targeted because of known security holes that have only come to light since MS stopped releasing security updates for W7.

      I would not be surprised if once the attack vector used is identified, it is discovered the attack also works against W10/11…

      So whilst running an unsupported OS in production is questionable, what should be more troubling is the failure of security layers to prevent access to the more vulnerable W7 machine.

  2. Pascal Monett Silver badge
    Facepalm

    "the UK's Ministry of Defence [..] does not comment on security matters"

    Then what does it comment on ? Security is its job, isn't it ?

    Ah, silly me. I forgot : we're talking about Government. Reality is on the other side of the door.

    1. Version 1.0 Silver badge
      Thumb Up

      Re: "the UK's Ministry of Defence [..] does not comment on security matters"

      I can fix this problem and prevent all hackers in the future ... I'll just replace the Windows PC with an S-100 computer, the control software running from an 8" floppy disk, or maybe I could use a PDP-11 and a tape drive?

      This is not a "joke", it's just that I see daily malware and attempted attacks on Windows computers; all hackers have Windows computers and can work on all the infections and access, but if you have a situation like the Ministry of Defense then building your own unique CPUs and operating systems and hardware systems (but not selling them at all) has the possibility of 98% safety. And good, well paid, jobs for all the digital engineers reading about this on El Reg (icon).

      1. Clausewitz4.0 Bronze badge
        Black Helicopters

        Re: "the UK's Ministry of Defence [..] does not comment on security matters"

        "replace the Windows PC with an S-100 computer, the control software running from an 8" floppy disk, or maybe I could use a PDP-11 and a tape drive?"

        I have been making offensive security software using assembly language (processor language) since the days of floppies and BBSes (that thing before the internet). That won't work.

        1. Paul Crawford Silver badge

          Re: "the UK's Ministry of Defence [..] does not comment on security matters"

          I also write offensive software, but that is more down to not studying software engineering...

          1. Clausewitz4.0 Bronze badge
            Black Helicopters

            Re: "the UK's Ministry of Defence [..] does not comment on security matters"

            "I also write offensive software, but that is more down to not studying software engineering..."

            This one was funny

          2. Doctor Syntax Silver badge

            Re: "the UK's Ministry of Defence [..] does not comment on security matters"

            "I also write offensive software, but that is more down to"

            ... using swear words as variable and function names.

            1. Korev Silver badge
              Pirate

              Re: "the UK's Ministry of Defence [..] does not comment on security matters"

              We had someone do exactly that years ago, his replacement was quite surprised to find this and not hugely happy that her first job was to literally clean up the code.

              1. Anonymous Coward
                Anonymous Coward

                Re: "the UK's Ministry of Defence [..] does not comment on security matters"

                Decades ago I found the variables turd1, turd2, etc in production code. Password was more creative: "drut".

        2. Martin-73 Silver badge
          Mushroom

          Re: "the UK's Ministry of Defence [..] does not comment on security matters"

          yeah but you could use the redundant hardware combined with a trebuchet, and do some real damage to the enemy...

          1. Dave559
            Coat

            Re: "the UK's Ministry of Defence [..] does not comment on security matters"

            "yeah but you could use the redundant hardware combined with a trebuchet, and do some real damage to the enemy..."

            Hmm, but wouldn't a proper heavyweight like Impact Extra Bold perhaps do so much more damage?

            (Or even just Comic Sans, to send them running away screaming with madness…)

            [I'll get my coat…]

      2. veti Silver badge

        Re: "the UK's Ministry of Defence [..] does not comment on security matters"

        Yep, I'm sure you can rebuild an entire system from the ground up and not leave any kind of security loopholes whatever. That's easy, isn't it? - I mean, whoever heard of anyone failing at that?

        Your post advocates, basically, security by obscurity. Even if it lasts so long, it'll be broken the minute an employee starts to feel less than completely gruntled.

        1. chuckufarley Silver badge
          Coffee/keyboard

          Re: "the UK's Ministry of Defence [..] does not comment on security matters"

          It doesn't even have to be an employee. Just a relative that finds your laptop unlocked while visiting.

          1. Anonymous Coward
            Anonymous Coward

            Re: "the UK's Ministry of Defence [..] does not comment on security matters"

            Note to MoD personnel: always lock your laptop when Uncle Vladimir is in town.

        2. Anonymous Coward
          Anonymous Coward

          Re: "the UK's Ministry of Defence [..] does not comment on security matters"

          Doesn't the government cryptography unit (near MK) use that technique?

          All the politicians who want no cryptography, obviously don't know how the UK foreign embassy communications work.

          Anon, as even knowing that there is such a place may be secret.

      3. bo111

        > I can fix this problem ... with an S-100 computer

        How much do you charge per hour? Are you available?

        1. Version 1.0 Silver badge

          Re: > I can fix this problem ... with an S-100 computer

          I've spent 50 years working to try and fix people's problems with their working environments; mostly I can help them get things fixed, but telling their employers or designers that the problems exist means that I am always seen as a critic. It's been that way for years now ... discovering a problem can be a problem.

      4. Plest Silver badge
        Facepalm

        Re: "the UK's Ministry of Defence [..] does not comment on security matters"

        So you're suggesting that they implement "security through obscurity" as a mandate? Cool, I totally agree until the time someone sneaks out with the blueprints, finds the weakness and decimates the whole shooting match in minutes 'cos only 10 people on the planet have enough in-depth knowledge about the systems!

        Perfect!

    2. Martin-73 Silver badge

      Re: "the UK's Ministry of Defence [..] does not comment on security matters"

      I'm personally ANGRY that they don't... I'm paying for their expensive useless crap, the bare minimum they can do is comment. Where do I tick on HMRC's website to remove the donation to the military?

      1. Fred Daggy Silver badge
        Black Helicopters

        Re: "the UK's Ministry of Defence [..] does not comment on security matters"

        Department by department nomination of taxation might make a number of bureaucracies very nervous. So, it won't happen as there would be too many vested interests upset.

        But if it would happen, for example the police, military, might suddenly become very customer friendly. Fits right in with free market economy.

        A nice compromise might be 90% is pre-allocated and then 10% you can freely nominate. If you don't nominate, it gets distributed according to the pre-allocated formula. (Need an icon for greybeard scratching the chin.)

  3. John Brown (no body) Silver badge

    Be vigilant regarding every link in the supply chain.

    I saw what you did there!

    Be vigilant regarding every link in the supply chain-link fence :-)

  4. Anonymous Coward
    Anonymous Coward

    ..., including toppings ...

    I want mine with chocolate, raspberries, and powdered sugar.

    On a serious note, if your company requires a computer to function, you have data that is valuable to someone, even ignoring your duty to your customers and/or suppliers.

  5. Trigonoceps occipitalis

    "We do not believe that any classified documents were stored ... "

    Back in the day, when I was responsible for classified information, there was the concept of bulk data. Just because an individual item of data was in itself unclassified did not mean that a complete table of the information was also unclassified.

    1. veti Silver badge

      Re: "We do not believe that any classified documents were stored ... "

      If you were responsible, you probably know this - shouldn't they know where classified documents were stored?

      1. Anonymous Coward
        Anonymous Coward

        Re: "We do not believe that any classified documents were stored ... "

        oh that one’s easy. Classified docs are stored in bathrooms at hotel-resorts in Florida.

        1. Updraft102

          Re: "We do not believe that any classified documents were stored ... "

          Nah, those were declassified. Classified documents are stored in a garage next to an old car.

    2. gryphon

      Re: "We do not believe that any classified documents were stored ... "

      Correct, even for something as simple as e-mail addresses.

      One e-mail address = Official

      100 e-mail addresses = Likely to be Official-Sensitive

      10 e-mail addresses = Maybes O, maybes O-S - ask security guys

      1. Roland6 Silver badge

        Re: "We do not believe that any classified documents were stored ... "

        > 10 e-mail addresses = Maybes O, maybes O-S - ask security guys

        Depends on whose email addresses they are.

        I worked on one project where I was permitted to name the 2 pilot data centres in a (restricted) technical design document; I could not give addresses or list the names of all the data centres in the estate to be covered by the design, and neither could I give a precise total number, as these items of information would mean the document would have to be classified at a level the majority of the intended audience did not have clearance to read, even though many of the intended audience through their work had committed this information to memory.

  6. Doctor Syntax Silver badge

    If some expensive and otherwise functional manufacturing kit specifically required W7 then that's what has to be installed. But did it really have to be exposed to the net?

    1. IGotOut Silver badge

      It probably wasn't on purpose. My guess is it had something like UPnP enabled, punched a hole through a badly configured firewall and hey presto, easy access.

  7. chuckufarley Silver badge
    Facepalm

    As a point of order...

    ...I would like to draw your attention to the fact that the entire genome for one human being can be stored in 1 gigabyte of data. So 10 gigabytes of data is bound to contain at least one thing that really matters.

  8. Richard Gray 1
    Flame

    From the other side

    Right,

    before I start and get flamed, their setup was just wrong and it should not have had access to the external internet, should have been firewalled etc. I think we can all agree on that...

    But.... having had to deal with some lab analysis machines that you were not allowed to put any form of Windows update on, will never have their software upgraded / patched, and are generally not written by software people but by (probably Chemistry / Biology) students who worked at the place developing the thing a decade ago, I do have some sympathy (not a lot, see above).

    I can't imagine that any process control software for the specific machine that does a thing will be any different. With weird hardware that won't / can't run on anything but the exact equipment that is now no longer available, and the replacement (equally as bad but with enough breaking changes that nothing done previously would work) is probably in the 10s or 100s of pounds.

    Oh and they might just want to verify the licence information on their servers before it starts to work.

    Don't get me started on BMS etc....

    The installation was probably done not by the IT guy but by an Engineering tech who has nothing to do with IT and wouldn't know a packet other than his packet of fags (cigarettes for our American cousins)... he would have just plugged the yellow cable into the network port as the instructions said and left it at that.

    So yes, it should have been done better, but so should all the control software for all the little bits that people don't think about. Not every computer is in a nice clean office doing Word documents or spreadsheets.

    1. gryphon

      Re: From the other side

      Yup.

      Been there, done that.

      BT call management server on Windows 2003, provided and 'maintained' entirely by them but had to be on our AD domain for some reason.

      Never patched, no A/V, we weren't allowed to touch it by contract.

      Always flagged up on every security report but there was nothing we could do about it. :-(

    2. Anonymous Coward Silver badge
      Boffin

      Re: From the other side

      But when he plugged it into the network port it shouldn't have worked. Any site with classified data should at a minimum use managed switches with unused ports disabled and in-use ports locked to client MAC addresses.

      So he should have plugged it into the network port, then discovered that it didn't work and ring the IT people. Who would then ask for proper authorisation etc before putting it into its own VLAN.

      Yeah, I know "should" is very optimistic.

      1. katrinab Silver badge
        Alert

        Re: From the other side

        I don't think the BT Business Hub 5 does vlans or MAC control.

        1. Anonymous Coward
          Anonymous Coward

          Re: From the other side

          Imagine the grandparent support calls if it did …

    3. John Brown (no body) Silver badge

      Re: From the other side

      "So yes is should have been done better but so should all the control software for all the little bits that people don't think about. Not every computer is in a nice clean office doing Word Documents or spreadsheets."

      Agreed. We regularly are regaled with tales of "the unknown box" on networks that might do "something important", or the "box that does" but can't be physically located. A new build network is probably fully documented. But there are networks out there that started on older technology and just growed and growed.

    4. Plest Silver badge

      Re: From the other side

      Yes and no.

      If you're so reliant on old kit then you need to hire the right people and that costs money. You can't simply complain and make excuses when things fail or get had by some miscreant, simply put it's all a game of swings and roundabouts. Would the same people consider eye glasses and masks an affectation when working in the lab with dangerous substances? Of course not! A computer is a tool, like using good quality glassware for experiments or proper safety equipment, a computer is not immune to common sense, it's a tool and it needs the same consideration as any other tool.

      1. Cris E

        Re: From the other side

        That assumes someone knows what is installed throughout the plant, which is likely untrue if they don't have competent IT staff on hand. Not knowing what you don't know is frequently the biggest problem facing companies that don't have proper staffing.

  9. garwhale Bronze badge

    BTW, "Zaun" is German for "fence"...

  10. drand

    No Cyber Essentials?

    No Government contracts for you!

    How did they get themselves in this mess?

    1. Anonymous Coward
      Anonymous Coward

      Re: No Cyber Essentials?

      You do know that is just security theatre, a tick-box type thing.

      1. bo111

        > is just security theatre

        and very complicated IT systems with 0.001% of country population able to understand it, if not already retired or busy with something better paid, like mobile game development.

        1. wyatt

          Re: > is just security theatre

          Even CE+ is just a dip test, not a 100% check. If you do actually implement it well, it does help out.

      2. Anonymous Coward
        Anonymous Coward

        Re: No Cyber Essentials?

        There is a lot wrong with cyber essentials imho, primarily it is not risk based.

        One of the few things I like about cyber essentials is that it has a zero-tolerance policy towards unsupported OSs. This would have removed the entry point of a Windows 7 box.

        1. Anonymous Coward
          Anonymous Coward

          Re: No Cyber Essentials?

          Cyber essentials will allow you to run an unsupported OS where there's a business case (e.g. required to run very expensive old manufacturing equipment) and risk mitigating measures have been taken (e.g. incredibly limited LAN access). It's not 'zero tolerance' at all.

          1. Anonymous Coward
            Anonymous Coward

            Re: No Cyber Essentials?

            Not true, an unsupported OS is an instant fail. There is no option for risk mitigation.

            1. Anonymous Coward
              Anonymous Coward

              Re: No Cyber Essentials?

              That's why you turn it off for a bit, then turn it back on later!!!

    2. Nick Ryan Silver badge

      Re: No Cyber Essentials?

      Unfortunately Cyber Essentials has also wound up tarred by the usual collection of shysters and snake oilers who lie about what it involves in order to sell add-on services.

      The principle is good, they have it mostly right, and it's a validation of a minimum level of IT security, but it doesn't make anything actually secure. That requires ongoing thought, consideration and experience.

      I'd rather that the (self) assessment and checking process is formalised to ensure consistency as well as periodic re-checks to continue with the good start that Cyber Essentials is (hell, it's in the name: Essentials) and to encourage ongoing thought, consideration and application.

  11. Nifty

    Who else read the headline as 'accessed military data through high-security fencing' ;-)

  12. Anonymous Coward
    Anonymous Coward

    weird statement

    "We do not believe that any classified documents were stored on the system or have been compromised,"

    Sorry, but wouldn't it be better to please go check again and be sure ? This sounds like someone who doesn't give a damn !

  13. Anonymous Coward
    Anonymous Coward

    It wasn't all that long ago I was visiting RAF Wattisham for a work-related shindig. XP systems were everywhere.

    Embedded, operational tech is even older. There's a reason why cockpit video recorders use obscure tape formats rather than a USB stick...

  14. Anonymous Coward
    Anonymous Coward

    "The risk of running obsolete code and hardware was highlighted"

    Interestingly, in both this article and a statement from Zaun, it just mentions it was a Windows 7 PC and doesn't actually state the vulnerability/exploit and if this was somehow Windows 7 specific. For all I know, it may have just been a CNC controller someone had given a local account full admin rights to, then left a very bored user with free rein over some lunchtime browsing - Windows 10+ isn't immune to general poor practice.

    Updating to an in-support version of Windows doesn't automatically mean 'job done' on security, in fact, it's a bloody long way down the list.

    1. 43300 Silver badge

      Re: "The risk of running obsolete code and hardware was highlighted"

      "Updating to an in-support version of Windows doesn't automatically mean 'job done' on security, in fact, it's a bloody long way down the list."

      True, but it's certainly an important step. Using an unsupported OS is also likely to invalidate any cyber insurance (the policies I've seen all have a clause about this).

  15. Alistair
    Windows

    Cyber essential ring fencing basics.

    The last thing I am is a hyper specialist. What I am is a damn good all rounder in the IT space.

    I've posted a few times before about ring fencing specialist windows (7/NT/etc) installs to talk to ridiculously expensive hardware that does a specialist job, for which the vendor either no longer exists, or has no interest in updating the software for that set of hardware. (CAT and Xray kit mostly, but also a pair of 60 ton sheet steel presses with awesome capabilities, for which the *next* generation with updated software, running on newer windows has *cough* a) monthly baseline fees and b) for each of the awesome capabilities, monthly additional fees).

    I'll note someone suggested Wine, above, and for *some* hardware connections it's just fine: audio tends to be okay, printer port type connections are fine, but serial and USB connections tend (with this type of hardware) to be proprietary and Wine *really* doesn't like stuff like that. I *have* gotten parallel port connections with proprietary protocols working with Wine, but that was back when I was contributing. I don't know how far it got taken.

    I'm a *very* firm believer in stuffing these instances into VMs and using the host firewalling to manage the connections directly for the guest. In my experience, it has worked the best, as VLAN management in Windows 7 didn't exist. Yes, that can be done at the switch, but there are morons *who swap cables around* -- I'd hope there was MAC address control on those ports as well, but I *really* haven't seen *that* much in the instances where I've done this; it seems to be an afterthought brought on by my ranting at the local tech. Hardware passthrough in KVM tends to work with somewhat more reliability than with Wine in my *personal* experience.

    The *host* system can be backed up using standard processes, so long as we snapshot the VM beforehand, and get all the image files. With appropriate documentation, a system that was in use in this way, recently suffered complete meltdown (there was a serious fire, took out much of the plastic, wood, and non-hardened steel in the zone) where, when the rebuild completed on the press, and the software was restored from backup on new hardware, things picked up from where they left off. Documentation is *absolutely* required in these cases, careful, complete, and concise.
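Two commenters above describe the same mitigation from different ends: Nick Ryan's cheap firewall that "only allow[s] the absolute minimum routes in and out" of the untrusted kit, and Alistair's practice of putting the legacy Windows 7 install in a VM and letting the host firewall control the guest's connections. The ruleset below is an added illustration of that host-side ring fence, not code from either commenter or from Zaun. It assumes a Linux/KVM host that routes a dedicated guest network (for example a libvirt "routed" network), so the guest's packets pass through the host's forward hook; the interface names and the addresses (from the 192.0.2.0/24 documentation range) are constructed for the example.

```nft
#!/usr/sbin/nft -f
# Added example: host-side nftables ruleset ring-fencing a legacy Windows 7 guest.
# Assumptions (all constructed for this example, not from the article or comments):
#   vmbr0       = host interface the legacy guest is attached to
#   192.0.2.10  = the legacy guest's address
#   192.0.2.20  = the single internal server the machine's software must reach
#   port 445    = the one service (SMB) the vendor software needs on that server

flush table inet legacy_guest

table inet legacy_guest {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already permitted below.
        ct state established,related accept

        # The "absolute minimum route": guest -> one named server, one port.
        iifname "vmbr0" ip saddr 192.0.2.10 ip daddr 192.0.2.20 tcp dport 445 accept

        # Nothing on the LAN or the internet may open a connection to the guest
        # (this is what closes the UPnP-style hole another commenter guessed at).
        oifname "vmbr0" ip daddr 192.0.2.10 log prefix "legacy-guest-inbound-drop " drop

        # Any other egress from the guest is logged before it is dropped, so a
        # misconfigured or compromised box shows up in the host's kernel log.
        iifname "vmbr0" ip saddr 192.0.2.10 log prefix "legacy-guest-egress-drop " drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; the `log prefix` lines appear in the host's kernel log (`journalctl -k` or `dmesg`), which is the cheap "monitoring" Nick Ryan says is probably all that is needed. If the guest sits on a plain Linux bridge rather than a routed network, the forward hook only sees bridged traffic when the `br_netfilter` module is loaded, so check `nft list ruleset` counters actually move before trusting the fence. Dropping the default policy to `drop` on the host, rather than relying on the Windows 7 firewall inside the guest, is the point: the guest is assumed to be unpatchable, so the policy lives somewhere that is.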

  16. Dave559

    fencing firm

    Am I the only person who read the headline and whose first thought was wondering how a (sword) fencing training company was somehow bizarrely involved in all this (for the chaps in the officer class, eh, what, what?)…?
