Open Source and information security mailing list archives
Message-ID: <4D8A4B1C.7090604@nmrc.org>
Date: Wed, 23 Mar 2011 14:33:48 -0500
From: Simple Nomad <thegnome@...c.org>
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in some SCADA server softwares

On 03/23/2011 01:36 PM, J. Oquendo wrote:
> You're flawed in your response: "Public exposure increases the
> visibility, and therefore customers install the patches quicker." ...
> When someone "full discloses" a vulnerability, there is no patch to
> install quicker. This is obvious because there is no patch until either
> the vendor releases one, or staff using the product are capable of
> creating a work-around. In the case of the SCADA environment, we (again)
> are not talking about the potential of a defacement, blue screen, silly
> shell, we're talking about sensor, gears and often so much automation
> that it would be absurd for a SCADA engineer to "go it alone" and try
> to create their own patch. Many of these systems don't have the option of
> failing or being taken offline. You also state: "Without public
> visibility, they will keep running the old code" the reality is, no one
> is going to outright replace some of these systems in these
> environments. These are not applications and or systems one can plop
> onto donated boxes. They have no choice BUT to run the code.

Actually they have the choice to not run SCADA systems open to the 
Internet. If they are so critical that you are "playing with fire" like 
you mentioned in another email, why would they be accessible via script 
kiddie attack, or any remote over-the-tubes attack? Running SCADA 
systems open to the entire Internet is what I would call irresponsible.

At this point, it is academic anyway. The cat is out of the bag. Thanks 
Luigi, I at least know about these issues now.

-SN
