[EAS] [BC] EAS Zombie Attack
Dave Turnmire
eassbelist at cableone.net
Wed Feb 13 14:35:03 CST 2013
Thanks Barry. That is good info and I generally agree with your assessment. Still, a few things I'd like to see in the coming days or weeks (not months):
1. EAS manufacturers (many or most who monitor this list) should:
   1. If not already present, incorporate into their next software update code that nags or requires the user to alter the default factory password(s).
   2. If not already present, support for complex passwords of at least 20 character length. And a display indicating the relative "strength" of the user's password. And rejection of certain common BAD choices (password, 12345678, station call sign, etc.)
   3. If not already present, provisions to "lock out" an account for a period of time (at least an hour, no more than a day) if there have been more than five sequential failed login attempts. And provision to automatically email the engineer about any such lockouts along with IP addresses.
   4. If not already present, provide a user configurable option to alter the default IP port numbers for the protocols it responds to. This is useful not only for security reasons, but also for the pragmatic issue that commonly used routers won't allow remote access to more than one device with the same port number.
   5. If not already present, provide a user friendly means to disable protocols not needed by the end user.
   6. If not already present, and if the box supports "pushed" CAP alerts... provision for restricting such alerts to specific IP ranges.
   7. If there is a way to do this that is practical (not excessively resource intensive), an option (checked by default) to lock out access from IP addresses outside the USA.
   8. A security "application note" on their website, emailed to their registered users, and to this mail list, that
      1. Identifies any factory default passwords that may not be readily apparent (such as root pw for OS... typically different than web authentication). And whether those default passwords are made known to anyone other than the manufacturer. If so... detailed and user friendly instructions about how to alter those.
      2. Identifies all protocols that the box responds to (http, https, telnet, SSH, FTP, etc.) and user friendly guidance and recommendations as to why those protocols are supported and why you may wish to disable them.
      3. Includes a statement of the vendor's policy regarding whether their software updates will also include periodic OS updates to deal with known security vulnerabilities.
      4. Includes any other security related issues the vendor deems important to their customers.
2. A free or sharply subsidized SBE online course on IT security focused on the needs of engineers with limited IT skills and limited budget. Might be a good thing for some enterprising EAS box or remote control system vendor to talk to SBE about?
3. Some vendor (maybe they already exist?) that would provide a box for under $1K ($500 would be better) that provides a user friendly router that includes a secure remote access mechanism and basic network intrusion defense mechanisms. This would be targeted to the oft-cited "over 40 engineer"... but also to the small radio station manager who doubles as janitor and engineer. REALLY simple. Plug-and-play with simple setup wizards that walk you through the setup with the default options suitable for most users. That will automatically lock out IP sources from non-USA sources (but allow you to enable with a check box if need be). That will automatically lock out IP sources that are scanning your network for security vulnerabilities. That will automatically email you about serious penetration attempts (not just the "normal" stuff on the public internet).
3. Some vendor (maybe they already exist?) that would provide a box for under $1K ($500 would be better) that provides a user friendly router that includes a secure remote access mechanism and basic network intrusion defense mechanisms. This would be target ted to the oft-cited "over 40 engineer"... but also to the small radio station manager who doubles as janitor and engineer. REALLY simple. Plug-and-play with simple setup wizards that walk you through the setup with the default options suitable for most users. That will automatically lock out IP sources from non-USA sources (but allow you to enable with a check box if need be). That will automatically lock out IP sources that are scanning your network for security vulnerabilities. That will automatically email you about serious penetration attempts (not just the "normal" stuff on the public internet).
Don't talk to me about the plethora of "free" Linux or BSD based solutions that you can assemble on old computer hardware. YOU might be able to... but then in that case, YOU aren't the target audience. I'm looking for a box that is relatively inexpensive, but provides features needed by a broadcast station that the $50 router at Staples doesn't provide. My target audience can't figure out how to "port forward" (or know what I mean by that). Something that is compatible with the real-world issue of the engineer connecting from off-site with a dynamically changing IP address that doesn't lend itself to IP based filters.
In short, I tried to address things that from my standpoint are practical and address the practical needs of engineers who don't have the IT skills that some on this list do, don't have a budget to speak of, and don't have time to learn about esoteric things like "putty", "VPN", etc, etc.
Dave
On 2/13/2013 12:06 PM, Barry Mishkind wrote:
>... So ... ratchet the alert level down a bit. More information will
> come out. I specifically plan some direct firewall information
> in the next few days on the BDR.
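As an added illustration (not part of Dave's post or any vendor's firmware), the following sketch implements two of the controls requested in items 1.2 and 1.3: rejecting default or trivially weak passwords (including the station call sign) with a simple strength score, and locking an account for an hour after more than five consecutive failures while recording the source IPs for the alert email. The call sign KXYZ and the IP addresses are constructed values.

```python
"""Login guard sketch for an EAS-style web interface (added example)."""
from dataclasses import dataclass, field
import string

COMMON_BAD = {"password", "12345678"}   # bad choices named in the post
MIN_LENGTH = 20                          # post asks for at least 20 characters
MAX_FAILURES = 5                         # lock after MORE than five in a row
LOCKOUT_SECONDS = 3600                   # "at least an hour"


def password_strength(pw: str, call_sign: str) -> int:
    """Return 0 (reject) or 1..4 (number of character classes present).

    Rejected outright: anything on the common-bad list, the station call
    sign in any case, or anything shorter than MIN_LENGTH.
    """
    if pw.lower() in COMMON_BAD or pw.upper() == call_sign.upper():
        return 0
    if len(pw) < MIN_LENGTH:
        return 0
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw))
    return sum(classes)


@dataclass
class LoginGuard:
    failures: dict = field(default_factory=dict)      # user -> [source IPs]
    locked_until: dict = field(default_factory=dict)  # user -> unlock time
    alerts: list = field(default_factory=list)        # text that would be emailed

    def attempt(self, user: str, ip: str, ok: bool, now: float) -> str:
        """Record one login attempt; return 'ok', 'failed' or 'locked'."""
        if self.locked_until.get(user, 0.0) > now:
            return "locked"                # even a correct password is refused
        if ok:
            self.failures[user] = []       # success resets the streak
            return "ok"
        ips = self.failures.setdefault(user, [])
        ips.append(ip)
        if len(ips) > MAX_FAILURES:
            unlock = now + LOCKOUT_SECONDS
            self.locked_until[user] = unlock
            self.alerts.append(f"{user} locked until {unlock:.0f} after "
                               f"{len(ips)} failures from {sorted(set(ips))}")
            self.failures[user] = []
            return "locked"
        return "failed"
```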