Archive for 'Development Tools'

Using KillerBee with ZigBee devices

Yesterday I received a few of the Raven ZigBee USB sticks with the KillerBee firmware loaded on them, thank you Joshua Wright. I grabbed the latest version of KillerBee and started playing around with KillerBee and the ZigBee sticks. KillerBee is an 802.15.4 exploration and exploitation framework. It was extremely easy to get running, I [...]

Best Way to Fuzz Part 2

A few thoughts after the intelligent comments, additional info, sound and fury:

Microsoft is in the very rare top tier of companies spending time and money on security. In gross $ and time probably number 1 and very high on a percentage of security to software development time. They are also among the most attacked. So [...]

Best Way to Fuzz?

There was an interesting discussion and information on what is the “best way from an ROI measure” to fuzz test at the CERT-sponsored Vulnerability Disclosure Workshop in DC this week. It led to some tweets back and forth between Digital Bond alumni Matt Franz and myself. First some background:
Fuzz testing is used by vendors, [...]

Honeywell C300 Controller Achilles Certified . . . with Firewall

I was first encouraged and then disappointed to read the press release announcing Honeywell’s Experion C300 Controller had achieved Achilles Level 1 Certification.
I was pleased to see another vendor stepping up to get their controller protocol stack tested. Controller protocol stack crashes are still a serious problem with many falling over with simple fuzz testing [...]

Automatic Patch-Based Exploit Generation

Reversing patches to create exploits is nothing new, and it tends to occupy the time of a lot of security researchers around the 2nd Tuesday of every month, but an interesting research paper was published recently from a few graduate students at CMU, Berkeley, and Pittsburgh that offers a new twist on an old topic. [...]

S4 Keynote – Steve Lipner of Microsoft

I’m very pleased to announce that Steve Lipner, Microsoft’s Senior Director of Security Engineering Strategy in Trustworthy Computing, is the Day One Keynote at our SCADA Security Scientific Symposium (S4). All physical attendees will also receive a copy of his book, The Security Development Lifecycle. See the full agenda and register.
Steve’s keynote is titled [...]

Software Quality Varies in OPC Servers

The headline on this blog is hardly shocking, but software quality does not get enough attention in the control system community. We now have three strong data points that show all OPC servers are not created equal.
1. The latest is Landon’s work to verify configuration recommendations in Part III of the OPC Security whitepaper series. [...]

‘Unraveling SCADA Protocols’ at Defcon15

Not like it’s a topic that needs any more attention, but I thought I would share some opinions from some attendees who gave me a call right after the talk was over with. Within the first two minutes Ganesh and Tipping Point/3Com revealed that they would not be releasing the tool as it would “make [...]

LLDP Fuzzer Released

If you pay close attention to the pen-test mailing list you’re probably aware of the LLDP fuzzer that was released a few days ago. The fuzzer is accompanied by a very nice white paper explaining the protocol and the individual test cases.
I looked around for different SCADA devices that support LLDP and only ran [...]

Achilles Controller Certification

Digital Bond is a small, I like to say boutique, SCADA security research and consulting practice. We try to focus on projects that will have a significant and near term positive impact on the SCADA security community. I believe we have a pretty good track record with our SCADA IDS signatures, Nessus plugins, S4 [...]