Bandolier_Leaderboard
AAA  AAA 

Archive for 'Vulnerability Disclosure'

Stuxnet Panel Afterthoughts

I hope you had a chance to listen in to the Industrial Defender sponsored webinar on Tuesday. If not click on this link to hear Patrick Miller, Eric Byres, Andrew Ginter, Mark Zanotti and myself opine on the subject.
I think the webinar had a great overview on Stuxnet from Patrick Miller and some additional detail [...]

Stuxnet Panel Discussion

On Tuesday I’ll be participating in a panel discussion / webinar on the Stuxnet worm. Industrial Defender is organizing it, and there is still time to register. I’ll post a replay link when it is available as well.
It should be an interesting discussion with Patrick Miller moderating and Eric Byres, Andrew Ginter, myself and Mark [...]

Trojan Targeting Siemens and APT Thoughts

Pay attention to the P in Advanced Persistent Threat [APT]. Most of the attention paid to the trojan with a payload targeting Siemens control system applications has been on the Advanced nature of this malware. And that attention is warranted because there has not been a public example of malware targeting control systems prior to [...]

A Peek Into A Control System App Assessment, Part 1

First things first, we’ve been given the application we’re going to access, we’ve built up our testing environment, usually a virtual machine or some sort, and we’re ready to get going.  The application in question serves as a SCADA server, historian, and can serve HMI displays through a native client or a web interface.  Using [...]

A Peek Into A Control System App Assessment

We have tried to find ways to give loyal blog readers a view into how Application Assessments are done and how bad the situation is with many control system applications.
Recently Daniel spent a couple of days black box testing a widely used control system application for an in-house project, and as we were writing [...]

Odd NERC Advisory

NERC issued an advisory on Rockwell Automation PLC/PAC vulnerabilities. It is odd in many ways.
1. There is no new information. This is all old news.
2. So many field devices used in this electric sector have these same or equally important security deficiencies. Are we going to see NERC Advisories on every brand and model? If [...]

Software Security – The State of Things

It’s RSA Conference time so companies have reports and studies to release. One that I actually found interesting is Veracode’s State of Software Security. The data comes from assessment of “billions of lines of codes and thousands of applications.” It provides some good data points and observations on the state of things.
I’ve gotten to where [...]

Google, Adobe, Timely Info for APT Keynote

We selected Kris Harms from Mandiant to give next week’s S4 Keynote on the topic of Advanced Persistent Threat [APT]. This week Google and Adobe announce investigations of some more serious than normal attacks. A couple of key excerpts from the Google blog:
In mid-December, we detected a highly sophisticated and targeted attack on our [...]

60 Minutes

I wanted to wait to hear the reactions to the segment on 60 Minutes before commenting. If you missed it, see it here or read the transcript. Here are a few thoughts on the story.
It is probably a net plus because 60 Minutes reaches an audience that might not be aware of the problem. Like [...]

Distribution of INL Assessment Results

I was out at EnergySec in Seattle last week, and tweeted on it @digitalbond.
An INL presentation showed that they have found about 325 vulns in the control system assessments they have performed over the last four years. This revived my long held and stated frustration about who gets this information. When INL does a vendor [...]