We will have an article next week summarizing the Black Hat, BSides and Defcon ICS related papers. So far the most interesting items are Ruben Santamarta’s backdoor in the Schneider ION smart meter and two tools that test and hack optical ports on smart...
There is a new version of the PwniePlug, which was previously reported on by Dale. This model comes in surge-strip form factor. This project is interesting for a few reasons. First, the PwniePlug/SheevaPlug/etc devices have always turned me off a little as...
Last week I hinted at a vendor which included internal source code repository information in their firmware. I contacted the vendor and am told that the secret password has been changed, so it’s time to talk about it. When I went hunting for NTP appliances...
A lot’s happening this week in ICS vulnerability handling and a lot of it is positive. 1. ICS-CERT Takes Control I have been critical in the past of ICS-CERT’s letting vendors determine when a vulnerability is disclosed. They have changed their policy....
After my previous blog post on the NERC-CIP Plant Tour, colleagues asked questions about the systems mentioned. One of the questions that took some time to answer, and required a lot of explanation, was regarding vibration monitoring systems, specifically the Bently...
<< Note – I edited one paragraph after further thought and uncertainty of the exact time this was released. My change log says Friday, the date says Thursday. Apologies if the Friday comments are in error, but this is a big impact vuln that is being...
The S4 call for papers announcement and submission page will come out on Monday — sorry for the delay. You will have two months to submit, but early submittal improves your chances. Speaking of conferences, next week in Las Vegas is BlackHat, BSides and Defcon....
A few months ago I was lucky enough to do a lab assessment demoing a secure control system network. One component of the lab network got my attention a bit: an embedded Network Time server that gets its time from GPS. Its sole function in life is to get time via...
The Billy Rios / Terry McCorkle article about the vulnerability handling of Tridium and ICS-CERT is a must read. I started to pull quotes from it and found I wanted to include almost everything. It’s clear that Tridium was unresponsive not only to Rios/McCorkle...
Bob O’Harrow of the Washington Post continued his cybersecurity series, this time focusing on vulnerabilities in Honeywell’s Tridium that is used in a large number of building management systems, including many directly connected to the Internet....
