(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Gebhard pointed us to an article at Heise, which reports that researchers are working towards a universal fingerprint: a master pattern (or a small number of master patterns) that matches closely enough to unlock any of today's fingerprint readers. Their current approach takes partial impressions and combines them until the result matches enough of a stored template to unlock a phone (or otherwise satisfy a biometric reader), essentially a dictionary attack against your fingerprint. They report a 65% success rate so far, and of course that can only get better.

Their advice? Get better readers (ones that read the depth of the ridge pattern, add heartbeat or other liveness sensors, etc.), or combine multiple authentication mechanisms if your threat model needs to account for attacks of this type. I'd say nation-state attacks, but this sounds like something anyone who is reasonably funded and motivated could take on, especially once the research is formally published.

Add this to the well-known fact that once a fingerprint is compromised, you cannot revoke it or change it. If a simple, reliable fingerprint attack is possible, either we need better fingerprint readers going forward, or this takes fingerprint authentication (at least on its own) off the table entirely.

References:

https://www.heise.de/newsticker/meldung/Mit-Master-Fingerabdruck-Zugriff-auf-fremde-Smartphones-bekommen-3702411.html
https://www.heise.de/tr/artikel/Kuenstlicher-Fingerabdruck-entsperrt-fremde-Smartphones-3697183.html

===============
Rob VandenBrink
Compugen


On a recent security assessment / internal pentest, one of the findings was an AS/400 running a telnet service (actually unencrypted tn5250, but it comes to the same thing).
The client's response was that this host was up for historical purposes only and was no longer a production system: it was used only occasionally, when they needed transaction history from before their migration to the current system. That doesn't really address the risk to their customers' information still sitting on that host; the data is just as sensitive whether or not the system is called "production".

We've all been there. We've found a telnet service that should be migrated to SSH, but the affected device either doesn't support SSH, or the client for one reason or another can't put resources into enabling encrypted services. In the case of the AS/400 above, they'd need to do an OS update, which would require an application update to an app they had retired, on a system that isn't production anymore.

We see this in legacy systems, but in the Industrial Control Systems (ICS) that run factories, water or hydro utilities we see it all the time in production, and the answer there is that the gear doesn't support SSH, and in some cases doesn't support credentials at all. In ICS environments in particular, gear like this is often on the same 5, 7 or 10 year depreciation cycle as an industrial press or other manufacturing equipment, so upgrades are a long-term thing and there are no quick fixes. Even finding where all the vulnerable gear is (physically, not just on the network) can be a challenge.

So what to do?

In some cases, I've front-ended the problem-child gear with a cheap SSH gateway. A Raspberry Pi does a decent job here for less than $100 per node. The Pi runs real Linux, so you can secure it. The solution looks like this: the user's SSH session terminates on the Pi, and the Pi opens the telnet session to the legacy host, so the cleartext leg shrinks to a small "unencrypted DMZ" between the Pi and the device it protects.

[Diagram: SSH client -> encrypted SSH -> Raspberry Pi gateway -> unencrypted telnet (the "Unencrypted DMZ") -> legacy host]

Physically, we'll often just velcro the Pi to the host it's protecting, so the unencrypted leg stays physically short.


The Linux account that the user logs in with gets a .profile that looks like this:

    telnet x.x.x.x    (x.x.x.x is the target host)
    exit              (logs the user out of the SSH session when the telnet session ends)

When the user logs in, their session immediately telnets to the back-end device. One caveat: a .profile is only read by a login shell, so "ssh user@pi /bin/bash" (or an scp/sftp request) never runs it and hands the user a shell on the Pi instead. If the account is meant to do nothing but reach the back-end, pin it down with sshd's ForceCommand, which runs regardless of what the client asks for, and turn off port forwarding for that account. You can expand this with NAT and port forwarding to expose other services in either direction, depending on your appetite for complexity. In most cases where I do this, all we're shooting for is an SSH gateway; backups and other services go out via another path.

Of course, there are limits to this:

  • A Pi is not the most reliable solution: they boot off SD cards, and those do fail. Keep some spare, imaged SD cards.
  • It's not the fastest solution: the Pi only supports 100 Mbps Ethernet, and the Ethernet NIC hangs off the USB bus, so you won't ever see it reach 100, but for telnet that's fine.
  • Disable the Pi's wireless if you're not using it as one of the NICs.
  • If the client doesn't have Linux skills in-house, keeping things patched and properly maintained can be a challenge. If they've got Linux chops, this will plug right into their Ansible/Puppet/Chef or whatever infrastructure.
  • More on the above: no Linux distro is secure out of the gate, least of all the Pi, which ships with well-known default credentials (Raspbian's pi/raspberry, for instance). You'll want to harden the device with something like the CIS Benchmark for whatever comes closest to your distro (my Pi runs Raspbian, so I used the CIS Debian benchmark, but there are Red Hat and Ubuntu builds for the Pi as well).
  • Using NIST IR 7966 to further address SSH can also be a huge help (http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.7966.pdf). If you can simplify things so that the client authenticates to the gateway with an SSH key and then only has to log in once, to the telnet back-end, that keeps everyone a lot happier (and more secure to boot).
  • If you need more reliability or speed, you can keep the same approach with something like an Intel NUC or, one step up, a cheap, compact SSD-based box with 2 NICs. Using a real host allows you to go with an easier to manage, more full-featured solution; I'll often use pfSense or even OpenWRT instead of a self-secured Linux distro for something like this.
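As an added example (not from the original diary or the author's deployment), here is how the .profile trick above and the SSH-key bullet can be tightened into a forced-command wrapper that sshd runs in place of a shell. The install path, the "tnjump" group, the map-file format and all addresses are hypothetical; the sshd_config keywords in the header comment are real OpenSSH directives.

```shell
#!/bin/sh
# tn-jump: forced-command wrapper for an SSH-to-telnet gateway (added example,
# not from the original diary). Everything below is a hypothetical layout:
#   /usr/local/bin/tn-jump   this script
#   /etc/tn-jump.map         "user host port" lines, root-owned and
#                            world-readable, mapping each gateway user to
#                            the one back-end it may reach
# and an sshd_config block that pins the gateway accounts to it:
#   Match Group tnjump
#       ForceCommand /usr/local/bin/tn-jump
#       AuthenticationMethods publickey
#       AllowTcpForwarding no
#       X11Forwarding no
#       PermitTunnel no
# ForceCommand runs whatever the client asked for, so "ssh user@pi /bin/bash"
# cannot skip the wrapper the way it skips a .profile, and exec'ing telnet
# leaves no shell on the gateway to fall back into.

MAP_FILE="${TN_JUMP_MAP:-/etc/tn-jump.map}"

# Constructed sample map, used only if the real map file is absent.
SAMPLE_MAP='alice 10.10.20.15 23
bob   10.10.20.16 23
# a device with telnet on a non-default port
carol 10.10.20.17 2323'

lookup_target() {
    # lookup_target USER -> prints "HOST PORT", or nothing if USER is unmapped.
    if [ -r "$MAP_FILE" ]; then
        map=$(cat "$MAP_FILE")
    else
        map=$SAMPLE_MAP
    fi
    printf '%s\n' "$map" |
        awk -v u="$1" '$1 !~ /^#/ && $1 == u && NF == 3 { print $2, $3; exit }'
}

valid_host() {
    # Accept only a dotted-quad IPv4 address with every octet in 0-255. The
    # map is root-owned, but a typo there must not turn into a telnet session
    # (or a shell metacharacter) going somewhere unexpected.
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

valid_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

main() {
    user=$(id -un)
    target=$(lookup_target "$user")
    if [ -z "$target" ]; then
        logger -t tn-jump "refused $user: no back-end mapped" 2>/dev/null
        echo "No back-end host is mapped for $user." >&2
        exit 1
    fi
    host=${target% *}
    port=${target#* }
    if ! valid_host "$host" || ! valid_port "$port"; then
        logger -t tn-jump "refused $user: bad map entry '$target'" 2>/dev/null
        echo "Gateway misconfigured; contact the administrator." >&2
        exit 1
    fi
    # sshd ignores the client's requested command under ForceCommand but
    # exposes it here; a user asking for /bin/bash is worth a log line.
    if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
        logger -t tn-jump "ignored command from $user: $SSH_ORIGINAL_COMMAND" 2>/dev/null
    fi
    logger -t tn-jump "$user from ${SSH_CLIENT%% *} -> $host:$port" 2>/dev/null
    # exec replaces this process with telnet; when telnet exits, the SSH
    # session ends with it. No trailing "exit" is needed, and none can be skipped.
    exec telnet "$host" "$port"
}

# Only dispatch when run as the installed program, so the functions can be
# sourced for testing without opening a telnet session.
case "$0" in
    */tn-jump | tn-jump) main "$@" ;;
esac
```

Because the wrapper runs as the gateway user, the map file has to be readable by that user but writable only by root; otherwise a user could point their own session at a different back-end. Combined with the Match block, the account can authenticate only with a key, cannot forward ports through the Pi, and cannot obtain a shell on it, which is the property the plain .profile approach lacks.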

Other approaches?
The ICS / SCADA approach I often see at client sites is to put all the problem devices in one VLAN, then segregate that VLAN. That works well, and you likely still want to do it even with the SSH approach above. Often we'll require a VPN session to get to that VLAN, which is pretty easy if that VLAN hangs off the same firewall that already has an Internet VPN configured on it. This works well in hospital environments as well.

The risk in this approach is that if an attacker does get access to that VLAN, it's just too easy to pivot or spread out, since all the vulnerable hosts are in one place; it's really a wolf among the chickens situation. So we'll try to further segregate or secure services as much as possible within that VLAN, or at least split it up into smaller pieces. Anything you can do to reduce the splatter zone after a security incident is a good thing!

What have you done to secure unsecurable (for whatever reason) services? Please use our comment form to tell us about the neat, free or almost-free approach you've adopted!

===============
Rob VandenBrink
Compugen
