Fuzzing, as a practice, has been around for a while. Throw garbage at an input to a program and see what falls apart. Analyze the crashes and dumps, and see if any involve commonly exploitable issues, such as buffer overflows, off by one errors, etc. I’ve seen...
A draft of ISA-62443-3-2 is out for comment now. Previously it was called Zones and Conduits, but the latest draft recommends a title change to Security Risk Assessment and System Design. The recommended new title is more accurate for the content. Readers looking for...
Apologies for being late with the Friday News & Notes this week. I spent the end of last week getting some inspiration from people that achieve amazing things through passion and incredibly high standards in unrelated fields. Heise, a major German publisher,...
A lot has been said about the effectiveness of awareness training recently. While Training and awareness are necessary to build a solid foundation, practicing with real tools and hardware elevates your knowledge and hones your craft. As part of my series about...
Earlier this year at the SANS SCADA Security Summit, Michael Assante used his position as program chair to ask various speakers and panels whether People, Process or Technology was the most important issue to address to improve ICS security. The answer he wanted was...
Well, I’ve spent about a week off and on working on this project, and have some limited analysis to report. I’ve developed the python code that will run through all of the @VXShare zip files, and pull out the strings. Don’t laugh, the way...
A second NIST led 3-day workshop on the Cybersecurity Framework required by President Obama’s begins tomorrow in Pittsburgh. I’ve been quiet and non-participative on this effort to this point. The reason for not participating is primarily because I...
Documented within The Rack is Kismet, a tool that can be used for analysis of wireless within control systems and automation applications. With the use of wireless devices on the rise, we need to ensure they do not mistakenly get put into control systems. Scanning...
The ISA99 committee has always been the most prolific of the ICS security standards and guidelines writing bodies, although NERC CIP may put up an argument. The coordination of the ISA99 and IEC-62443 efforts has only increased the pace as the international...
HD Moore and Rapid7 highlighted security issues related to serial port servers, aka terminal servers in the ICS world. They found a large number that were Internet accessible and highlighted some vulnerabilities that have published Metasploit modules. Paul Roberts...
