Ever wonder how hackers could possibly pwn power plants? Here are 54 Siemens bugs that could explain things

Siemens industrial control systems designed specifically for energy plant gear are riddled with dozens of security vulnerabilities that are, luckily enough, tricky to exploit from the outside. The teams at Positive Technologies, Kaspersky Lab, and Biznet Bilisim took credit for finding and reporting 54 CVE-listed flaws in the …

  1. Pascal Monett Silver badge

    So reassuring

    "Both highways should not be exposed if the environment has been set up according to the recommended system configuration in the Siemens SPPA-T3000 security manual."

    Given how often certified electricians can apparently get it wrong when wiring potentially deadly electrical outlets, I'm not sure that Siemens' recommendations are followed as much as we would all like them to be.

    I would be grateful for a rebuttal on that.

    1. kmedcalf

      Re: So reassuring

      You can be assured that in most instances when this sort of thing is added to a plant there is a considerable amount of design work done before installation, then copious amounts of testing to ensure that it is working according to that design before it is put into service. And each of these steps require multiple risk assessments and sign-offs, and then continuous monitoring and maintenance procedures designed to ensure that it continues to work according to design.

      It is highly unlikely that the Systems Engineers or Instrumentation will get it wrong. It is almost entirely certain that something is the way it is because that is how a "whole bunch of somebodies" thought it should be and not because someone made a mistake.

      However, it is possible that the design itself, even after passing through all the hoops and reviews, might be bad -- and that is dependent on the Company culture and the people involved.

      1. Carpet Deal 'em Bronze badge

        Re: So reassuring

        Fukushima was caused by ignoring multiple analyses over multiple years that the seawall needed to be higher. If people can't take predictable, physical threats seriously, I wouldn't give an industry blanket credit for cybersecurity.

        1. Anonymous Coward

          Re: So reassuring

          Would've helped if they hadn't built atop an underground spring. And put the backup generators in the subterranean basement. And hey, given that conspiracy nuts drew attention to Stuxnet you'd think Siemens would be, should be pretty secure by now...

    2. thames

      Re: So reassuring

      SPPA-T3000 is basically a big Java program that runs on a set of MS Windows servers, with operator access being via Windows client workstations. The "highways" are the networks connecting them together and to the plant equipment. It shows equipment status, records performance for analysis, and allows operators to change equipment settings as needed.

      Given that software systems based on similar technologies in more routine business environments seem to have security vulnerabilities being reported all the time, it shouldn't be too surprising that we are seeing some here, even if Siemens goes to great lengths to obfuscate just what their system is.

      Basically though, the security challenges here are in essence the same as in any piece of big enterprise software and there's no reason to expect it to be immune from the same vulnerabilities.

    3. AdamWill

      Re: So reassuring

      In my department we call 'should' the 's-word', and you get raspberries for using it like this...

  2. Rich 11 Silver badge

    Asking the obvious question...

    Siemens recommends administrators lock down the server from any sort of external network access.

    It doesn't take much searching to discover that Siemens offers remote support as an integral part of its tech support package. Ho hum.

    1. Peter Gathercole Silver badge

      Re: Asking the obvious question...

      But do they have high security VPN connections or cryptography secured dedicated lines, so the Internet per se is not involved in support?

      I would hope that these systems should have more than a one-tier firewall to protect their internal networks.

      1. BebopWeBop Silver badge

        Re: Asking the obvious question...

        Hope might be the only option given the 'security' measures employed by many of these sites.

      2. kmedcalf

        Re: Asking the obvious question...

        Some companies do asinine things, and they then reap what they sow.

        Before I retired there were indeed firewalls between the Internet and the Business network, between the Business network (run by those yahoo IT types) and the Control network, and multiple layered, segregated, firewalled, and isolated networks within the Control network sphere. The Business network was considered to be a filthy malware infested bastion of evil malcontent crackheads from which the Control systems must be protected.

        Vendors were not permitted to access control systems remotely, nor to connect *anything* that they brought on-site to the network (no laptops, no floppy discs, no CD/DVD, no media of any type whatsoever -- absolutely nothing at all ever) -- in fact they were not permitted to actually touch anything at all, only supervise and provide information to work performed by employees. If the vendor claimed they needed some custom software or other for whatever they were doing, the company bought a machine and the software and configured it for their use, and they came on-site to use it.

      3. A random security guy

        Re: Asking the obvious question...

        If you look at VPN related CVEs you would realize that there is nothing like high security VPN, especially if the software is not patched.

      4. John Brown (no body) Silver badge

        Re: Asking the obvious question...

        I would hope that these systems should have more than a one-tier firewall to protect their internal networks.

        ...amd is Cisco ir Huawei?

        1. John Brown (no body) Silver badge

          Re: Asking the obvious question...

          "...amd is Cisco ir Huawei?"

          Oh dear! I really should not post comments in the early hours of the morning after being disappointed that the Geminids are again happening behind the cloud cover!

          That comment should, of course, read "and is it Cisco or Huawei?"

          1. TimMaher Bronze badge

            Re: Asking the obvious question...

            Also Geminids always hide behind cloud cover. It is part of their allure.

            Was there a bottle of port involved for the cold Winter night?

    2. Anonymous Coward

      Re: Asking the obvious question...

      This is Siemens' standard response to any vulnerability or weakness in any of their products. Rather than actually address things like the communications protocol on one of their main PLC families having been reverse engineered over a decade ago with libraries freely available online, they just say "well the devices should be on an isolated network with controlled access" and then also sell products to allow you to control the devices remotely (albeit with a warning that you're increasing your threat landscape).

    3. kmedcalf

      Remote Support

      Many vendors offer "Remote Support". Sitting in the Process Control Computer Room and calling a Siemens engineer on the telephone to describe, debug, and correct an issue is "remote support". If the issue cannot be resolved remotely then anyone using Siemens equipment to do anything of consequence will gladly pay whatever is required for Siemens to put a qualified engineer with sufficient expertise to solve the issue on a plane and get them to the site as quickly as possible.

      Paying airfare, lodging, and a thousand dollars an hour to have a suitably qualified expert on the next airplane from anywhere in the world to resolve an issue is a mere pittance compared to the cost and consequence of not doing so.

      (1) Why would one assume that "remote support" means "remote access"?

      (2) Why would one assume that a Company would permit "remote support" to mean "remote access"?

      Quite frankly, in environments with which I am familiar, if a vendor required "remote access" as a condition of sale or support, that vendor's products would not be selected for use. Similarly, if there was no provision for "put an expert on the next plane and we will pay" as part of the support agreement, that vendor's product would not be selected for use.

  3. steviebuk Silver badge

    Difficult..

    "So far, Siemens says it has only been able to patch three of the bugs. Siemens recommends administrators lock down the server from any sort of external network access."

    ....with certain software vendors pushing more and more of their stuff to the cloud.

    1. GnuTzu Silver badge

      Re: Difficult..

      "...with certain software vendors pushing more and more of their stuff to the cloud."

      Yup, and...

      ...while serious air-gap environments still have security checkpoints with metal detectors and x-ray and will put your cell phone and USB drives through crushers and dump the fragments in the burn bin if you don't leave those things in the car.

      Why? Because this is exactly what Stuxnet is about.

      1. kmedcalf

        Re: Difficult..

        Actually Stuxnet was about allowing "external" things to be connected to your Control Systems, and the consequence of ignoring alarms.

        1. Anonymous Coward

          Re: Stuxnet was about ...

          "Stuxnet was about allowing "external" things to be connected to your Control Systems, and the consequence of ignoring alarms."

          Care to expand on that?

          Meanwhile, here's Ralph Langner's own analysis, which tallies nicely with what I know about PLC and DCS-based automation and the associated industrial networking, and the nuclear industry, etc. Well worth a look, if folk are not familiar with the story so far:

          https://www.langner.com/stuxnet/

          There's also a link to a ten minute TED talk (from 2011) by Langner (a good place to start), and other variations on the same theme.

          Other resources can be found via

          https://en.wikipedia.org/wiki/Stuxnet

          1. kmedcalf

            Re: Stuxnet was about ...

            Lovely stuff, but too busy talking about how the latest Automobile virus locks all the doors and will not unlock them while you starve to death inside the car, and zero attention to the actual problem: letting the virus get into your Automobile at all.

            While it is fascinating what the virus *does* after you catch it, that is useless information. Why do I care what a virus does *after* it manages to invade the system? The useful information is how to prevent the virus from getting a foothold in the first place.

            What Stuxnet was "good for" was demonstrating the methods by which malicious code could be transported into a secure environment. Obviously, once it is in there it can do whatever the hell executing code can do, and that fact goes without the necessity of saying.

            In other words, it is the same thing as saying that if you let John Q. Public walk around inside your refinery, that he can turn valves willy nilly. The problem isn't that the valves can be turned, but that you are letting John Q. walk around inside to be able to do whatever he wants. Don't let John Q. in, and it does not matter what mischief he can cause.

      2. TimMaher Bronze badge

        Re: Difficult..

        Didn’t that FaceBlank HR staffer leave their USB sticks in their car?

        Oh... wait... different thread.

  4. Andy The Hat Silver badge

    Siemens recommends administrators lock down the server from any sort of external network access.

    Errr ... doh! :-) This is a damn infrastructure power plant, not an IoT light bulb in Jonny's bedroom. I would hope that's *always* the case.

    1. A random security guy

      In theory, yes. In practice, the said infrastructure can span miles of wiring. The information has to be sent to other systems. Nothing is isolated.

  5. Mike Shepherd

    54 security bugs?

    Why do we hear so many reports of "vulnerable to arbitrary code execution", even in safety-critical products? Is it poor-quality staff who don't think beyond "get it working"? Is it poor education about dangers like buffer overflow? Is it because someone is told "Get feature PQR done this week, because feature XYZ should have been ready last month and you need to get on with that"? Probably the same people will write the "fixes": will they be any more reliable than the original?

    1. Alister Silver badge

      Re: 54 security bugs?

      Is it poor-quality staff who don't think beyond "get it working"? Yes

      Is it poor education about dangers like buffer overflow? Yes

      Is it because someone is told "Get feature PQR done this week, because feature XYZ should have been ready last month and you need to get on with that". Yes

      Did I pass?

      1. BebopWeBop Silver badge

        Re: 54 security bugs?

        Yes

      2. Mike Moyle Silver badge

        Re: 54 security bugs?

        You forgot: "Is it because sales has promised bug feature 'X' to the potential customer and the engineers don't find out until after the contract is signed and they have to rush things out without adequate testing to meet the contracted (unrealistic) delivery deadline?"

    2. Crisp Silver badge

      Re: Is it poor-quality staff who don't think beyond "get it working"?

      In my experience it's usually a manager saying things like "We don't have the time or the budget to do that."

    3. kmedcalf

      Re: 54 security bugs?

      Control systems and controllers being vulnerable to malicious attack is nothing whatsoever to be concerned about. Valves controlling the flow of toxic/explosive/corrosive/carcinogenic/flammable chemicals are vulnerable to malicious attack as well, simply by turning them.

      There are security procedures in place to protect the valves from being turned by malicious attackers (physical security, aka 3G, aka Guards, Guns and Gates). There are security procedures in place to prevent control systems and controllers from being manipulated by malicious attackers.

      There is really no difference -- as long as you keep the IT yahoos constrained to their own litterbox outside the security perimeter.

      1. Anonymous Coward

        Re: 54 security bugs?

        Given Siemens's association with certain "final solution" products...

    4. Kevin McMurtrie Silver badge

      Re: 54 security bugs?

      It was probably never designed with hardening beyond preventing employees from accidentally performing dangerous unauthorized tasks. Some control systems have so many complex interconnecting components that network isolation is a thousand times easier than hardening the software. Just managing the keystores for everything would drive you mad.

      OK, buffer overflows are always bad because they can happen by accident. I'm just never surprised when there's an ACL bypass or content injection vulnerability in software that was not meant for the WAN side of the Ethernet cables.

  6. Anonymous Coward

    Production control systems were built before the internet

    When I was implementing systems in a COMAH chemical plant around the millennium it was acknowledged that the control systems had to be air gapped from the rest of the plant network as there was no way the kit could be secured. In effect we had 3 disparate cabling systems:

    The hard wired connections between sensors, machinery and the control room. The cat 3 wired network (yes really) which provided voice and data services to the plant and all offices, and the hard wired 50+ year old 'red phone' network which was to be used in the case of an emergency. Needless to say, these 3 networks shared ducts along the 1/4 mile long production processing plant. The air gap approach did mean that it was necessary to lay serial cables hundreds of meters between the control room and tanks to allow the tank levels to be reported. Add in the fact that it was necessary to get feeds on tank levels, flow rates etc. into the AS400 Business Planning and control system and we had a bit of a conundrum.

    It was done and I was told it was secure but I had many doubts. Bearing in mind that access to the control room systems could potentially allow the release of large volumes of Chlorine as one of the less nasty ingredients I was glad I lived 20 miles away.

    1. Robert Helpmann?? Silver badge

      Re: Production control systems were built before the internet

      ...these 3 networks shared ducts along the 1/4 mile long production processing plant. The air gap approach did mean that it was necessary to lay serial cables hundreds of meters between the control room and tanks...

      What you describe here is an insecure implementation of an air gapped network. Simply running the cables from different networks beside each other may allow an adversary to pull information across networks.

      1. kmedcalf

        Re: Production control systems were built before the internet

        Assuming that they could get past the 3G security (Guards, Guns, Gates) and not be noticed walking about in the plant and doing what appears to be "work" without displaying the appropriate permits.

        1. TimMaher Bronze badge

          Re: Production control systems were built before the internet

          Just like in a James Bond film.

      2. Cynic_999 Silver badge

        Re: Production control systems were built before the internet

        "Simply running the cables from different networks beside each other may allow an adversary to pull information across networks."

        I assume you are thinking of crosstalk. That's unlikely to be significant enough to be exploitable on a couple of km of separate twisted-pair cables carrying similar digital signals. Even if it is, any "hacking" would require data to be *pushed* from one cable to another, which is not possible even if the crosstalk is ridiculously high.

        1. Robert Helpmann?? Silver badge

          Re: Production control systems were built before the internet

          I assume you are thinking of crosstalk. That's unlikely to be significant enough to be exploitable on a couple of km of separate twisted-pair cables carrying similar digital signals. Even if it is, any "hacking" would require data to be *pushed* from one cable to another, which is not possible even if the crosstalk is ridiculously high.

          Yes, I was referring to crosstalk. Yes, it is exploitable and yes I meant only in the sense of a pull. However, there are other means to push commands to an isolated network and having access to a relatively fast and reliable way to pull info makes that aspect much easier if only by dint of having a means to perform footprinting. If you know what to target on the closed network, it makes it that much easier to put something together that will do the job once you gain access.

          1. kmedcalf

            Re: Production control systems were built before the internet

            "... once you gain access"

            And right there you have completed a root cause analysis which indicates that the risk is actually "gaining access" and failing to be able to "shoot the interloper in the head" when detected. So clearly the appropriate place to spend dollars to mitigate the risk is (a) access controls, (b) detection systems for those who manage to bypass (a), and; (c) weapon systems capable of killing them efficiently and completely.

            Not only will dollars spent on those things effectively mitigate this one particular vulnerability for which the root cause is "gain access", it also addresses the other 487 vulnerabilities which also have the same root cause. This has the effect of making the pot of money available to address the "root cause of gain access" 488 times larger than it would have been if directed to "use diverse paths and separate conduit" plus addresses 488 vulnerabilities rather than merely one.

            1. Robert Helpmann?? Silver badge

              Re: Production control systems were built before the internet

              ...failing to be able to "shoot the interloper in the head" when detected.

              You say this like this is the best way to stop an intruder. I like the way you think! More seriously, while you bring up a good point concerning allocation of resources, the reality is that there are other ways to avoid cross talk than you describe (the environments I work in use a lot of fiber). Also, the more common ways I am aware of to attack isolated systems are to compromise adjacent systems (which we are talking about here), to get someone who has access to the isolated systems to do so on your behalf (intentionally or otherwise) or to gain physical access themselves. In my experience, the first two are a lot more common. If information can flow in either direction, the isolated systems aren't as isolated as all that. If you are trying to prevent changes from being made, which seems to be the main concern in the example given by the AC above, then cross talk may be less of a concern. If the danger is leaking data to competitors, that's a different story.

              Your point raises another question. If it is worth isolating assets, what is the best way to deal with a previous implementation that you do not feel does the job properly?

              1. kmedcalf

                Re: Production control systems were built before the internet

                "Your point raises another question. If it is worth isolating assets, what is the best way to deal with a previous implementation that you do not feel does the job properly?"

                This is an interesting question because it once again raises an issue that is more one of Corporate culture and the people involved than it is a purely technical issue, so once again how this is handled is up for grabs as it were and I can only relate how it would be handled in environments with which I am familiar.

                Firstly, the concern would be documented and the risk and consequences of the current configuration assessed. Then a desired end-state would be generated and the same risk and consequence level assessed, and the Company would have to decide whether they (a) wished to remediate the problem (and bear the applicable costs) or (b) accept the risk and consequence (presumably elevated risk and consequence) of doing nothing. This is often a decision based on whether the cost of doing it is sufficient to justify the benefit.

                If option (b) is chosen, you now have perhaps more accurate documentation of the level of risk and consequences which the Company has decided to accept and the matter is effectively closed until next time it is reviewed.

                If option (a) is chosen then a remediation project is commenced to "fix" the problem and the Company again has to decide whether or not to accept the risk associated with continuing interim operations while the remediation is executed. Eventually the project is complete and the new risk and consequence analysis is signed off by the Company.

                The more interesting question is how does someone raise this issue to be sure that it gets dealt with at all and not just ignored? This is again a matter of Corporate culture and depends on whether the Company has in place procedures to continuously review and audit the already approved risk and consequence documentation that has been accepted by the Company, and whether or not this process operates without consequence for previous reviewers who may have made a different choice at that time.

                The world and technology is continuously changing and what may have been unfeasible a few years ago may very well have a better and more feasible solution today. The Company should be recognizing this fact by encouraging a continuous review process, and that new methods and technologies might just exist to make things better, and that this in no way detracts from what someone thought was adequate in the past -- you cannot assume that those decision makers were making bad decisions, merely that something better exists and that is the direction which ought to be pursued.

    2. Anonymous Coward

      Re: Production control systems were built before the internet

      Tank levels? Release of large volumes of unpleasantness? Does Buncefield ring any bells? And Buncefield was an "accident" (or maybe an accident waiting to happen: see e.g. https://www.hse.gov.uk/comah/buncefield/buncefield-report.pdf).

      Lack of competence can do a lot of harm. So can complacency.

      On the afternoon after it happened, and before I knew what had happened, I was on the road in south Oxfordshire heading north for the Midlands. Buncefield was 50 miles away, but the smoke cloud still managed to fill half the sky. Never seen anything like it, never want to again. Good job it happened at a weekend.

    3. Alsibbo

      Re: Production control systems were built before the internet

      The magic 2 wire serial cable trick here - only connect GND and TX on the secure system and GND and RX on AS400 side....
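The GND+TX / GND+RX wiring described above gives a physically one-way link, so the receiving side can never ask for a retransmission. The following is an added example, not the commenter's code and not any real AS/400 or plant protocol (tank tags, the frame format and the simulated line noise are all constructed), showing how the RX-only side can frame and validate readings, count losses and resynchronise on its own.

```python
"""
Framing and receiving tank-level readings over a TX-only serial link.

Hypothetical frame layout (constructed for this example):
    STX  seq,tag,level  '*'  CRC32-as-8-hex  ETX
The receiver must cope with corruption, dropped frames and partial chunks
without ever sending anything back, because it has no TX wire.
"""
import binascii
from dataclasses import dataclass
from typing import List, Optional

STX, ETX = b"\x02", b"\x03"


@dataclass(frozen=True)
class Reading:
    seq: int          # monotonically increasing frame counter set by the sender
    tag: str          # tank identifier, e.g. "TK101" (constructed name)
    level_pct: float  # level in percent of tank capacity


def encode_frame(r: Reading) -> bytes:
    """Sender side: ASCII payload with a CRC32 trailer, delimited by STX/ETX."""
    payload = f"{r.seq},{r.tag},{r.level_pct:.1f}".encode("ascii")
    crc = binascii.crc32(payload) & 0xFFFFFFFF
    return STX + payload + b"*" + f"{crc:08X}".encode("ascii") + ETX


class OneWayReceiver:
    """Stateful parser for the RX-only side.

    With no back-channel the receiver has to (1) reject corrupted frames by
    CRC, (2) infer dropped frames from gaps in the sequence counter, and
    (3) resynchronise on the next STX instead of stalling on garbage."""

    def __init__(self) -> None:
        self.buf = bytearray()
        self.last_seq: Optional[int] = None
        self.bad_crc = 0   # frames discarded because CRC or syntax failed
        self.missed = 0    # frames that never arrived intact (sequence gaps)

    def _parse(self, raw: bytes) -> Optional[Reading]:
        """raw is everything between STX and ETX: payload '*' crc."""
        try:
            payload, crc_hex = raw.rsplit(b"*", 1)
            if int(crc_hex.decode("ascii"), 16) != (binascii.crc32(payload) & 0xFFFFFFFF):
                self.bad_crc += 1
                return None
            seq_s, tag, lvl_s = payload.decode("ascii").split(",")
            return Reading(int(seq_s), tag, float(lvl_s))
        except (ValueError, UnicodeDecodeError):
            self.bad_crc += 1
            return None

    def feed(self, chunk: bytes) -> List[Reading]:
        """Consume bytes as they arrive (split anywhere) and return good readings."""
        self.buf.extend(chunk)
        out: List[Reading] = []
        while True:
            stx = self.buf.find(STX)
            if stx < 0:
                self.buf.clear()          # only noise so far; discard it
                break
            etx = self.buf.find(ETX, stx)
            if etx < 0:
                del self.buf[:stx]        # keep the partial frame, wait for more
                break
            r = self._parse(bytes(self.buf[stx + 1:etx]))
            del self.buf[:etx + 1]
            if r is None:
                continue                  # corrupted; next frame will expose the gap
            if self.last_seq is not None and r.seq > self.last_seq + 1:
                self.missed += r.seq - self.last_seq - 1
            if self.last_seq is None or r.seq > self.last_seq:
                self.last_seq = r.seq
                out.append(r)             # duplicates/replays (seq <= last) are dropped
        return out


def demo() -> dict:
    """Constructed traffic: noise before the first STX, frame 2 corrupted in
    transit, frame 3 lost entirely, delivered in two chunks split mid-frame."""
    f1 = encode_frame(Reading(1, "TK101", 42.5))
    f2 = encode_frame(Reading(2, "TK101", 42.7)).replace(b"42.7", b"49.7")  # bit rot
    f4 = encode_frame(Reading(4, "TK101", 43.0))                            # f3 never sent
    wire = b"\xff\x00zz" + f1 + f2 + f4
    rx = OneWayReceiver()
    cut = 4 + len(f1) + 5                                                   # inside f2
    got = rx.feed(wire[:cut]) + rx.feed(wire[cut:])
    return {"accepted": [r.seq for r in got], "bad_crc": rx.bad_crc, "missed": rx.missed}


if __name__ == "__main__":
    print(demo())  # accepted frames 1 and 4; one CRC failure; two frames missed
```

The sequence gap is the only loss signal the RX side will ever get, so in a real deployment it is what should feed an alarm rather than being silently ignored.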

  7. imanidiot Silver badge

    What works shall remain

    The problem with industrial hardware is that much of it HAS to work with the 30 year old (or older) predecessor. Especially for things like PLCs this means a lot of them are bodge jobs with a lot of baggage from previous implementations that we NOW know to be insufficiently protected (But were considered good enough in the past). It's VERY hard moving away to completely new systems in any plant that already exists.

    The best that can be done is proper air-gapping and a security conscious implementation of network access protocols. If getting on the network requires physical access you can provide more lines of defense in the form of (as called above) Guards, Guns and Gates. There's a reason you'd get rugby tackled in many chemical plants if you carry around a laptop within the security boundary without the proper credentials. Paranoid doesn't begin to cover it in some instances.

  8. Palpy

    Optimal design is often a unicorn.

    In my experience in the field, real-world design --

    -- may have to run machine-level kit which uses decades-old software;

    -- may compromise security to facilitate process data handling across networks;

    -- may come under pressure from management to permit remote or wireless monitoring-and-control;

    -- may have to implement back compatibility in order to interface with existing control subsystems.

    And so forth.

    I hope that when commentard kmedcalf wrote, "It is highly unlikely that the Systems Engineers or Instrumentation will get it wrong" he or she was being sarcastic. For one example, Boeing system engineers and instrumentation experts certainly managed to "get it wrong" multiple times in designing the control automation for the 737 Max.

    1. kmedcalf

      Re: Optimal design is often a unicorn.

      To be clear, that comment was directed to the question of *implementation* error, in that it is extremely unlikely, with all the checks in place, that Systems Engineers or Instrumentation will "connect the wires wrong" and still have that mistake present at commissioning. The implemented system commissioned on production will 100% comply with the design.

      I also pointed out that it is quite possible for the *design* to be faulty. 100% flawless implementation of a defective design is not an implementation fault, it is a design fault. The occurrence of faulty design reaching the implementation stage is a matter of Corporate process and culture and the people involved in the process. If you have incompetent designers *and* incompetent reviewers and approvers, then it is possible to have a perfectly implemented faulty (or stupid) design.

      Your other points are well taken, and compromises are often required. Once again, how far those compromises go is a matter of the people and the culture. In all cases you need to have thorough and complete risk and consequence assessments. If management is willing to accept the risk and consequence on behalf of the Company, then who is to argue with it? If management wants to hide the risks and consequences then they can go shove themselves where the sun doesn't shine!

  9. Will Godfrey Silver badge

    Ah, that old favourite turns up again

    Have a guess which make of PLC controls almost all the traffic lights in the UK.

    And while you're at it guess what the primary factor in the decision was.

    {hint: it's not quality}

  10. John Smith 19 Gold badge

    Translation

    Thanks for telling people about the vulns.

    Yeah, we're not bothered. Just make sure it's not connected to the Internet and you're golden.

    Merry Christmas. We're off to put our feet up and munch a nice slab of Stollen.

  11. Triumphantape

    My question has always been why are they online and accessible to hackers? Critical infrastructure components should have their own lines dropped, a closed system.

    1. kmedcalf

      The Risk was accepted on behalf of the Company by the person in the position to accept risk on behalf of the Company. That is, the Company accepted and agreed to be responsible for whatever the consequence of their decision.

      This could be because the appropriate level of risk and consequence was *knowingly* accepted, or perhaps the risk and consequence was analyzed by incompetent people who failed to recognize the risk, and the approvers/reviews also failed to question that assessment.

      It is also possible that there is a Corporate Culture of willful blindness where the Management accepting the risks directs the people doing the assessment to exclude risks and consequences that they do not like and those people went along with the conspiracy.

      In any event, the Company chose to accept the risk and consequence and they are on the hook for that decision and any consequence that might occur, whether they were knowledgeable of that risk and consequence or not. Pleading incompetence is not much of a defense.

  12. Anonymous Coward

    Having seen many PLCs and allegedly industrially hardened IT over the years, examples where they are really hardened seem to be few and far between.

    Siemens are certainly not the only culprit in this arena. Leaving wide attack surfaces seems to be a common feature of almost all current PLCs, for inevitably the PLC itself is attached to a Windows box for "user interface". I've seen XP boxes being installed as late as 2015 as UI to a PLC. Not even the embedded edition!

    Some would argue that airgapping is a defence, but one well placed USB stick soon beats that. And don't mention the difficulties of patching an air-gapped, USB-banned network.

    1. kmedcalf

      Do you think there is some sort of "magic" attached to USB that does not apply to other attachment methods? While this is a common error amongst the young-uns, it is not the case. There are no risks associated with USB attachment that do not also apply to FireWire, SCSI, PATA, SATA, ISA, ISA32, EISA, MCA, PCIe or just about any other device attachment method that can be named.

      Isolation, properly used, works very well. However, you must almost always "break" this isolation in some form -- and choosing the appropriate method so as to reduce Risk to tolerable levels is what this is really all about.

      The tolerance for risk varies considerably, as does the amount of money and effort that a Company is willing to spend in order to reduce (mitigate) that risk to a tolerable level.

      1. Anonymous Coward

        There's a reason we used to hot glue gun the serial ports on the airgapped network...

      2. Anonymous Coward

        There is of course an obvious solution to the pluggable media vuln: WORM media of known provenance plus physical security on the receiving device. USB is just the most obvious target because it's rather convenient.

        1. kmedcalf

          What is the basis for believing that WORM media (of known provenance) has a risk profile any different from re-writable or updateable media of the same provenance?

          One can write malicious code to a CD or paper-tape just as easily as one can write it to updateable media, and that code can also be executed just as easily from CD or paper-tape as it can from updateable media.

          The same applies to a "network attached file store".

          There are, however, some vulnerabilities and attack vectors which are applicable to one (removable media, whether write once or updateable) but not the other (network attached file store), and vice versa.

          Taking a simplistic view is not helpful in addressing the issues.

  13. PeterM42

    Apply the patches

    And nothing can go wrong.......

    go wrong.......

    go wrong.......

    go wrong.......

    go wrong.......

    go wrong.......

    go wrong.......

    go wrong.......

    go wrong.......

    1. kmedcalf

      Re: Apply the patches

      Or simply be secure in the knowledge that the so-called problems are not really problems at all because other mitigations are in place.

      The discovery that the glazing that the vendor swore upside down and sideways was "one way glass" and the peeper over the road could not take photographs of the goings on in your bedroom does not become a "problem" simply because someone discovered that the vendor was incorrect because naughty pictures of you appeared on the front page of the local rag. It was a highly likely vulnerability all along which could have been mitigated by simply hanging drapes over the windows and closing them when you were engaged in naughtiness.

      Those who had the foresight to mitigate the possibility of a vulnerability by hanging drapes and closing them at the appropriate times can merely sit back with popcorn and crisps and watch with amusement the hysterical goings-on amongst the ill-prepared.
