Page 9 - cdm-2014
Application whitelisting has quickly become the de facto standard level-0 protection system for
the enterprise and industrial control systems globally. There are several players in the space
and many are quite successful, but very few, if any, support Linux, the most widely deployed
operating system for servers and embedded systems. This begs the question - “Why?” “Who
knows” is the answer, but it’s probably because Linux is a moving target and it’s hard to zero in
on a generic application that meets all requirements. Or, maybe it’s just too hard to do.

This notion is ridiculous of course, as most software companies worth their salt in this age of the
Internet are creating sophisticated technology products and the phrase, “the difficult we do
every day, the impossible just takes a little longer” carries great weight. Just look at some of the
great things that are out there, from bare metal (e.g. Google Glass) to Facebook, the most
ginormous social media operation in the galaxy as we know it. The more likely problem is that
Linux is a moving target (unlike Windows): changes are made and adopted so quickly that
building software that a) runs at a low enough level and b) maintains stability across versions is
just too much effort. From a security standpoint, that’s insane considering the depth and
breadth of the O/S in the Internet and now the “Internet of Things” or IoT.
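To make the level-0 idea concrete, here is an added illustration (not code from the article or from any product it mentions): a minimal hash-based allowlist audit in Python that records approved executables, then walks a directory and reports anything executable that is unknown or has changed. The directory layout and script names are constructed for the demo.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):  # stream large binaries
            h.update(chunk)
    return h.hexdigest()

def build_allowlist(paths):
    return {str(Path(p).resolve()): sha256_of(p) for p in paths}

def audit_executables(root, allowlist):
    """Classify every executable file under root as allowed, modified or unknown."""
    report = {"allowed": [], "modified": [], "unknown": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name).resolve()
            if not p.stat().st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                continue  # not executable: out of scope for an application allowlist
            key = str(p)
            if key not in allowlist:
                report["unknown"].append(key)   # never approved
            elif allowlist[key] != sha256_of(p):
                report["modified"].append(key)  # approved path, changed content
            else:
                report["allowed"].append(key)
    return report

def demo():
    """Constructed scenario: two approved scripts; one is then tampered with, one is dropped in."""
    bin_dir = Path(tempfile.mkdtemp(prefix="allowlist-demo-"), "bin")
    bin_dir.mkdir()
    approved = []
    for name in ("httpd.sh", "stream.sh"):  # assumed names for the demo
        p = bin_dir / name
        p.write_text("#!/bin/sh\necho " + name + "\n")
        p.chmod(0o755)
        approved.append(p)
    allowlist = build_allowlist(approved)
    (bin_dir / "stream.sh").write_text("#!/bin/sh\necho tampered\n")  # content changed
    dropper = bin_dir / "update.sh"  # unapproved executable appears
    dropper.write_text("#!/bin/sh\n")
    dropper.chmod(0o755)
    (bin_dir / "notes.txt").write_text("data file, not executable")
    return audit_executables(bin_dir.parent, allowlist)
```

This only audits what is on disk; a true level-0 control has to make the same decision at exec time inside the kernel, which is exactly the low-level, version-sensitive work the article says nobody wants to do for Linux.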

The IoT aggregates huge numbers of devices in virtually every market sector worldwide.
Consider Consumer Electronics. This sector includes a broad range of devices including
network attached endpoints like stand-alone digital video/audio streamers (e.g. AppleTV, Roku),
whole house HVAC controllers (e.g. Nest), digital refrigerators, network attached storage (NAS)
for music and video libraries, and other “stuff.” Almost all devices inside the home are
connected via a wireless network and some devices allow remote access to networked devices
via mobile devices (e.g. the Nest HVAC controller), and most of them rely on embedded Linux.

Given the plethora of devices, their connection to the public Internet, and the generally low level
of secure configuration knowledge in the user base, it’s simple to imagine attack vectors that
could possibly be exploited. For example:

1.1. Drive-by wireless — a wireless access point left open with default passwords or weak
security such as WEP. A break-in would give an attacker complete access to the network and
the local IoT (i.e. think of a Quicken database on a computer where the password is “password”).

1.2. Drive-by browser — a PC or Laptop user downloads a virus that propagates across the
network looking for devices holding credit card/account information.

1.3. Video stream rider — a super-hack rides in on a video stream/movie through an edge
connected streaming system and takes it over. Similar to previous examples, should the
attacker manage to get root on the system, the entire network becomes vulnerable.

These scenarios are a bit frightening, but they are reality. Consumer electronics are generally not
locked down well and several approaches from brute force to social engineering can allow an