Date: Wed, 23 Mar 2011 16:10:43 -0400
From: "J. Oquendo" <sil@...iltrated.net>
To: Kent Borg <kentborg@...g.org>
Cc: Luigi Auriemma <aluigi@...istici.org>, bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in some SCADA server softwares

On 3/23/2011 11:27 AM, Kent Borg wrote:
> Would I install a stack of SCADA upgrades to *my* functioning
> factory?  Maybe not.
>
> Scary, scary stuff.
>
> Security needs to be designed in, implemented carefully each step
> along the way, and reviewed.  Instead people with "security" in their
> job title so often seem to think security is firewalls, buying
> anti-virus support contracts, and requiring use of MS Outlook and
> Internet Explorer.
>
>
> -kb, the Kent who will shut up now.
>

This is a big fact that many are overlooking. Regardless of whether the vendor
is a complete and utter moron, patches don't come easy for these
systems. Secondly, many of these systems are very old and are being
"propped" up by new software. There is no running out to deploy PLCs
that can fail because of a glitch.

Security wasn't a factor in the 50s, 60s, 70s and so on as it has become
now. No one foresaw that by even sending one too many ICMPs at a modbus
would crash it. THIS is the reality of SCADA systems. It has nothing to
do with "hiding the bugs hoping they will go away." It isn't about:
"they attacked Linux, then Windows, now SCADA" boo-hooisms. Completely
separate playing field.

Sure, these need to be designed properly; however, the reality is that many of
these systems are old. Many of these systems control the quality of the
water we drink, the pollution leaving a plant, the power being
generated. This isn't: "release it... make 'em fix it fast... that'll
teach them." I wonder how the author would feel if, say, a water treatment
plant in his area was affected, causing all the water around him to be toxic.

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF
