http://www.digitalbond.com This Month in Control System Security Wed, 07 May 2008 17:58:08 +0000 http://backend.userland.com/rss092 en Typing scada as the search key in a Google news search http://news.google.com reveals that as a whole the industry (vendors, asset owners, and security players) still needs to raise the bar on security awareness and must change its mindset in a couple of key areas. While I don't want to become ... http://www.digitalbond.com/index.php/2008/05/07/just-surfing-the-web/ No, this is not what you think it is. In fact, it is almost the opposite. Control system applications and components are increasingly being used to monitor critical IT Data Centers. We heard quite a bit about this at the PI Developers Conference, especially related to monitoring the power, environmental and ... http://www.digitalbond.com/index.php/2008/05/07/it-and-operations-unite/ I couldn’t let the Wonderware Suitelink vulnerability go by without commenting on it, and even Jason commenting on it below won’t steal my thunder. First, lets talk about the vulnerability from a technical perspective. It appears that this is a fairly classic example of the program allocating an amount of ... http://www.digitalbond.com/index.php/2008/05/06/wonderware-suitelink-denial-of-service-vulnerability-part-2/ Sebastian Muniz from Core Security Technologies discovered a denial of service vulnerability in the Wonderware SuiteLink service that was made public today. Here are some links: Core Security Advisory National Vulnerability Database Wonderware Tech Alert (login required) This SuiteLink vulnerability affects the same version of Wonderware InTouch that had the NetDDE problem. When ... http://www.digitalbond.com/index.php/2008/05/06/wonderware-suitelink-denial-of-service-vulnerability/ It looks like the DNS service for a few top level domains will be more secure in the future.  Announcements, by way of Dark Reading, have been made that the .org, .uk, and .arpa will soon be turning on DNSSEC and joining .swe (Sweden), .br (Brazil), and .bg (Bulgaria ).  ... http://www.digitalbond.com/index.php/2008/05/05/major-dnssec-deployments-on-the-horizon/ I've been involved to varying degrees with security standards efforts for way too long now - - almost twenty years. Most recently with the ISA 99 Part 4 effort. For a while I was actively involved in that effort in support of a contract with Wurldtech. When Bryan Singer joined ... http://www.digitalbond.com/index.php/2008/05/05/control-systems-security-standards-efforts-roi/ I mentioned this back in March -- Another hacker conference SCADA presentation. The presentation is now available for download. A quick review doesn't show anything too groundbreaking but it was interesting to learn about an Italian project called CrISTAL (Critical Infrastructures Security Testing and Analysis Lab). From the website: CrISTAL aims ... http://www.digitalbond.com/index.php/2008/05/04/hitbsecconf2008-dubai-penetration-testing-scada-presentation/ To give our readers a taste of what Daniel and I do most days I thought I would post a little code snippet and ask you all to find the overflow (if there is one). Any discussion on the feasibility of exploiting the overflow (again if there is one) is ... http://www.digitalbond.com/index.php/2008/05/02/spot-the-overflow/ Great blog entry from the guys at Matasano on hacking a 'toaster' running a VxWorks OS. The PCSF Annual Meeting will be held on August 26 - 28 in San Diego. The call for papers/solutions is out, and an agenda and registration is forthcoming. This is our top recommendation if you ... http://www.digitalbond.com/index.php/2008/05/02/friday-news-and-notes-44/ Joshua Corman of IBM/ISS gave a presentation at Interop Las Vegas yesterday titled “Unsafe at any speed: 7 Dirty Secrets of the Security Industry”. Here’s the Network World report. The title alone is interesting – making a reference to automobile safety – especially considering some recent discussion about the relationship ... http://www.digitalbond.com/index.php/2008/05/01/thoughts-on-the-7-dirty-secrets-of-the-security-industry/