We’ve had a lot of posts about fuzzing on the blog lately. We’ve looked at the latest technologies and techniques, we’ve talked about fuzzers, intelligent versus dumb, some of the tradeoffs involved with design choices, and in the future we’re going to talk some more...
It’s RSA Conference time so companies have reports and studies to release. One that I actually found interesting is Veracode’s State of Software Security. The data comes from assessment of “billions of lines of codes and thousands of...
Yesterday I blogged on the scan results, configuration issues and increasing use of Verizon, AT&T and other carriers’ broadband services for SCADA. Today I’ll address the question of whether these networks should be used in SCADA systems. Like most...
I’ll start with the stats: we found 1,420 Raven Airlink devices in a wireless class B network that any customer with a wireless card from the carrier could access. These are ruggedized devices with Ethernet and serial connectors used for sending monitoring and...
One of the rules we try to live by and inculcate in our clients is “don’t try or promise the impossible”. This is a simple and certainly not brilliant concept to avoid a path doomed to failure and frustration and wasted effort. An example of...
This past Wednesday, SANS and CWE released their 2010 top 25 programming errors list. The list contains many errors that are present in control systems, whether developed recently or a few years back. For example, Daniel Peck of Digital Bond wrote a paper showing what can...
I have had talks with a number of other vendors about how control system life cycles will have to change, and slowly are changing. For a long time it has been buy and install a SCADA or DCS, change it as little as possible for ten to twenty years, and then completely...
In January the Nuclear Regulatory Commission issued NRC 5.71 Cyber Security Program for Nuclear Facilities. It is interesting that the NRC took a very NIST SP800 approach, specifically using the NIST documents’ high-impact baseline as a starting point. We did not do an...
I’m a week or two late on this, but I think that the community as a whole has paid far too little attention to the advisory released a few weeks ago by the folks at C4/CERT, and the response to them by Rockwell. Full disclosure, I have not personally verified...
A few thoughts after the intelligent comments, additional info, sound and fury: Microsoft is in the very rare top tier of companies spending time and money on security. In gross $ and time probably number 1 and very high on a percentage of security to software...