First Post

Welcome Aboard

I am excited to announce that I have started working at Digital Bond. I have a bachelor's degree in Computer Science from Southern Illinois University – Carbondale. Before joining Digital Bond I worked at the Tennessee Valley Authority for over 6 years. In that time I learned a lot about Control Systems Security.

While at TVA I worked as a Network Engineer who performed routing and switching functions as well as security functions with firewalls and security tools. From there I moved into the security group, where I performed Incident Response, Monitoring, and Assessment functions. In the assessment role I served as subject matter expert for CIP 005-R4 and CIP 007-R8. I also performed security assessments of control systems and corporate networks, and penetration testing. I used a range of open source and commercial products, such as Nessus/Security Center and Metasploit.

In my spare time, I enjoy drone research topics as well as flying my quadcopters and finding new ways to use the technology that is coming out in the private drone industry. I hope to bring to Digital Bond my knowledge of both Control Systems environments and corporate environments to leverage techniques and new technologies to make Critical Infrastructures more secure.

Spear Phishing Attempt

Spear Phishing (image by Cleanplait)

UPDATE: Added picture of email text

Digital Bond recently had a nice little spear phishing attempt, from an email account registered to look like Dale, to a Digital Bond employee. The attack linked to a probably-malicious .zip file based upon an old research paper that we published. There are no AV signatures for the payload. It was a one-shot deal: the nameserver for the domain used in the attack is located on a compromised box.

It’s a bit concerning that a company whose sole focus is securing industrial control systems should be spear phished. The attacker clearly went to enough trouble to try to understand ICS security lingo to get the employee to open the link, and had to compromise a DNS server. It is likely that the perpetrator also compromised a second server to serve up the malicious file goodness (the domain server is in Philadelphia, PA for the interested, and may or may not have hosted the malicious file as well). The DNS records have been updating constantly since we began investigating.

Thankfully the attack was unsuccessful — paranoia pays off. It is definitely a lesson in ‘be careful what you open’…even if it looks to be coming from Digital Bond (or your boss, as in this case), don’t open a file if you aren’t expecting it…

DP Update – I added the email below. It is text I have written before and I believe the file title is from a paper that Daniel Peck and I wrote for S4 2009. The file that was linked was a .zip. The only thing that was unbelievable was the signature of just “Peterson”.

Bad English


Digital Bond Vulnerability Disclosure Policy

There has been some misunderstanding and misstating of Digital Bond’s vulnerability disclosure policy. So we decided to follow the Matasano example and state our policy. Click here for Digital Bond’s Vulnerability Disclosure Policy.

In a nutshell, we honor our customer confidentiality agreements; disclose to the vendor, US-CERT, and CERT-CC simultaneously; and let US-CERT as the independent coordination center determine if and when public disclosure is appropriate.

We know a large number of asset owners and consultants have identified vulnerabilities in SCADA devices and applications. Unfortunately it is not that difficult today. We encourage others to come up with a responsible disclosure policy and involve the coordination centers.