#Introductions Hello to the fediverse, I guess?
I'm John, a systems administrator/devops/monitoring guy from Montana. Not sure how I'll use this, but setting it up was a fun way to test DigitalOcean droplets...
@cybergibbons: Another interesting week on a ship. As with every previous maritime test, we found a system installed that no one really knew about or understood. Shoreside was totally unaware of its existence.
@cybergibbons: The crew knew it was there but didn't really know what it did - they thought it was a system installed by shoreside for monitoring. It had been installed by a third-party and the box was unlabelled. As were the wires going into it.
@cybergibbons: Business LAN was obvious. Ethernet out to a console on the bridge - not so obvious, as the crew had covered the console up. The console didn't provide any useful information but also didn't dim enough.
@cybergibbons: It's vital that equipment dims on the bridge so that you don't ruin night vision. We've seen several of these systems installed without this consideration. It's a typical case of IT people not looking at the user's needs.
@cybergibbons: Then another Ethernet connection. No idea. So, after doing a risk assessment, we unplug it and run it through a passive tap. NMEA data over UDP, being sent to broadcast. This is a typical pattern in ICS. The format of it showed it was aggregate sensor data - they began $IN
@cybergibbons: It took a fair amount of effort to work out that one of the four ECDIS was outputting the same data over serial. Only the TX line was connected. Even if RX was connected, this wasn't the bus that ECDIS consumed, so no risk. We didn't find where it was converted to UDP.
@cybergibbons: But then there was a Moxa RS485->Serial converter connected. This was totally unlabelled and immediately entered a shielded cable and then through a deck penetration. You can't use a cable tracer on these.
@cybergibbons: So, another risk assessment to "passively" sniff the bus. Why the inverted commas? By passive, I mean "not actively put traffic onto the bus". But from an electrical perspective, there is always a risk you short the bus or add some noise.
@cybergibbons: It would be very uncommon for any ship control system to react negatively to a brief interruption to a serial bus, but not unheard of. It's certainly not something to do when coming into port.
@cybergibbons: So, it turns out it's Modbus. One master reading registers from one slave. There are rapidly changing values, some more steady, some unchanging. One is 169, and we're currently underway at 16.9kts.
@cybergibbons: There are others in groups of 10, all similar numbers. The main engine is a MAN B&W 10G90ME - 10 units. Looks like mean pressure, possibly exhaust gas temp. Now this undocumented system has a Modbus connection to something that is connected to the main engine.
@cybergibbons: There's no trivial way to determine which end of a serial bus is the Modbus master and which is the slave. What's next? We can't trace the cable - it's shielded, and using a tracer on a live RS485 bus is a bad idea.
@cybergibbons: So we wait until we are in port, and get admin on the box using a USB live distro. It's running Windows and acting as a Modbus master to continuously poll a slave.
@cybergibbons: One of the side effects of using Modbus is that you can't make the bus physically read-only. You can't cut the TX, as the master needs to poll to get data from the slave. It's up to the slave to handle the "security".
@cybergibbons: The software that is acting as a Master is only reading values. But can we - the attacker - write? Another risk assessment, and we try to write a different windspeed back to a register. It sends and persists for a few seconds.
@cybergibbons: The slave accepts writes, but that doesn't mean it's acting on them. It depends on what it is and how it's configured. It took several hours to find where it ended up - 11 decks down on the main engine middle plates, going into an auxiliary serial connection on a PLC.
@cybergibbons: The main control system bus is CAN though, so this PLC has been configured to run as a Modbus slave. Unfortunately, the trail had to end here. The PLC has no available documentation and just has a serial connection - no IP. It probably needs a proprietary tool to make sense of.
@cybergibbons: More importantly, this PLC was immediately adjacent to another PLC dealing with the main engine safety systems - slowdown and shutdown. If this triggered mistakenly, the ship could lose power. If it didn't trigger, the engine could be destroyed.
@cybergibbons: That might seem extreme, but these shutdowns are absolutely vital. There are several triggers that need acting on very quickly to prevent catastrophic events happening - such as a crankcase explosion.
@cybergibbons: There is a device called an oil mist detector (OMD) on the side of the crankcase, continuously sampling the air inside. If a fine mist of oil is detected above a certain level, it may mean a hotspot is vapourising oil. This oil vapour can explode.
@cybergibbons: Bear in mind this engine is bigger than a house. A crankcase explosion could destroy the main engine, or kill crew. This is just one of many inputs to the shutdown.
@cybergibbons: That was too much risk for us, too much risk for the customer. But we'd found a Windows machine that was connected to main engine controls, and no one knew. The kicker? The Windows machine had TeamViewer running on it.
@cybergibbons: A third-party that no one really knew about had remote access to a box connected to the main engine. It turns out the commercial arrangement with the third-party stopped in 2014. Let that sink in.
@cybergibbons: Jesus that was long.
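The thread above describes passively tapping an RS485 bus, finding Modbus RTU, reading register values (169 decoding to 16.9 kts) and then confirming the slave accepted writes. The following is an added example, not code from @cybergibbons or the assessment: a decoder for frames captured from a passive tap that checks the CRC, separates read requests from responses, and flags any write function code, which is what a site owner would monitor for on a bus that is supposed to carry read-only polling. All frames, the unit id and the 0.1 kt/LSB scaling are constructed for illustration.

```python
import struct

# Function codes that change slave state; a poll-only master should never send these.
WRITE_FCS = {0x05: "write coil", 0x06: "write register",
             0x0F: "write coils", 0x10: "write registers"}

def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, sent little-endian."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_frame(body: bytes) -> bytes:
    """Append the CRC trailer; used here only to construct the sample capture."""
    return body + struct.pack("<H", crc16_modbus(body))

def parse_frame(frame: bytes) -> dict:
    """Decode one RTU frame from a passive capture. Nothing is transmitted."""
    if len(frame) < 4 or struct.pack("<H", crc16_modbus(frame[:-2])) != frame[-2:]:
        return {"valid": False}
    body = frame[:-2]
    unit, fc = body[0], body[1]
    info = {"valid": True, "unit": unit, "fc": fc, "write": fc in WRITE_FCS}
    if fc == 0x03 and len(body) == 6:                # read holding registers: request
        start, qty = struct.unpack(">HH", body[2:6])
        info.update(kind="request", start=start, quantity=qty)
    elif fc == 0x03 and len(body) == 3 + body[2]:    # read holding registers: response
        n = body[2] // 2
        info.update(kind="response", registers=list(struct.unpack(f">{n}H", body[3:3 + 2 * n])))
    elif fc == 0x06 and len(body) == 6:              # write single register: request
        addr, value = struct.unpack(">HH", body[2:6])
        info.update(kind="request", address=addr, value=value)
    else:
        info.update(kind="other")
    return info

def audit(frames: list) -> list:
    """Alert on anything a read-only poll loop should not produce."""
    alerts = []
    for i, f in enumerate(frames):
        p = parse_frame(f)
        if not p["valid"]:
            alerts.append(f"frame {i}: bad CRC or truncated (noise or tampering)")
        elif p["write"]:
            alerts.append(f"frame {i}: {WRITE_FCS[p['fc']]} to unit {p['unit']}")
    return alerts

# Constructed capture: poll of one register, reply 169 (16.9 kts at an assumed 0.1 kt/LSB),
# an unexpected write, and a copy of the poll with its last CRC byte corrupted.
POLL = build_frame(bytes([0x01, 0x03, 0x00, 0x00, 0x00, 0x01]))
CAPTURE = [POLL,
           build_frame(bytes([0x01, 0x03, 0x02, 0x00, 0xA9])),
           build_frame(bytes([0x01, 0x06, 0x00, 0x10, 0x00, 0x64])),
           POLL[:-1] + bytes([POLL[-1] ^ 0xFF])]
```

Because both ends of a two-wire RS485 bus share the same pair, a tap cannot tell which device sent a frame; the request/response split here comes only from frame structure, which is why the thread had to find the master by other means.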
I need some help.
My spouse and I are trying to figure out a better way to track our finances, while using software I can host on my servers, and that is open source. We have a piece of software but it's double entry accounting. So, are there non-double entry systems that are self hosted, open source, and still allow secure access from external systems? We use LDAP authentication.
Alternately, any *simplistic* explanations of double entry accounting would be very appreciated. I'm in the process of doing my own research, but any help would be really nice.
Boosts and answers appreciated!!
HKPOL, cyberpunk orchestral
amazing that this is our world.
"The most serious form of attack can take place in data centers and cloud environments that have both DDIO and remote direct memory access enabled to allow servers to exchange data."
The term RDMA (*Remote* Direct Memory Access) has always made my skin crawl.
Remember that above all things, the right hates free markets. https://twitter.com/benshapiro/status/1169258358240473090
Today I got promoted to the IT manager position after my proposal got approved by the management to use multiple open source solutions and replace the proprietary products the company is using.
Tests went well and they were happy with the services. I will be handling the migration and training for the coming months.
To thank the wonderful open source community I will be donating a part of my pay for the coming 3 months.
don't spy on our neighbors
Sysadmin by day. Also kind of a SysAdmin by night (when I'm on-call).