Message-ID: <4D8A5D4B.4040300@nmrc.org>
Date: Wed, 23 Mar 2011 15:51:23 -0500
From: Simple Nomad <thegnome@...c.org>
To: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in some SCADA server softwares

On 03/23/2011 03:01 PM, Jim Harrison wrote:
> BTW, now that you know about it and there is no defined mitigation, what
> exactly *will* you do about it?

This seems rather obvious, but....

1. Ensure none of the affected SCADA systems are present on my work's 
network (BTW none are present on my home LAN).
2. Ensure that these systems, if they exist, are not accessible from 
either the Internet or even the local network where most of the users are.

(BTW those first two are a given as far as security 101 is concerned, 
the rest seem like common sense)

3. Use Luigi's advisories and POC to understand the nature of the 
vulnerabilities.
4. Write custom IDS/IPS signatures to detect said vulnerabilities (not 
the exploits, big difference).
5. *If* these systems must, for whatever stupid reason, be attached to 
the regular LAN with the regular users, the IDS/IPS signatures will 
disallow the malicious connectivity they detect. If I am really 
paranoid, or feel that I cannot construct an adequate mitigation 
strategy that allows access, then all access is disallowed until a patch 
is available.
6. *If* the systems are not accessible, but in the future they have to 
be, for whatever stupid reason, I have some sigs and some steps I can take.

Is that perfect? No of course not. Can I sell this plan to upper 
management? Sure. All of the "bad" info is public, remember? Can I now 
lean on the vendor and bitch about how vulnerable we are? Absolutely.

I have worked at large corporations, done full/limited/responsible 
disclosure professionally and as a hobby, and have worked for vendors 
who sold security solutions and who have had bugs in their products 
reported to them. There is no solution for bug disclosure, period. 
Someone somewhere will get pissed off, and no matter what the "rules" 
are someone will break them.

The disclosure method is irrelevant actually. One learns to adapt 
quickly to new information whether "good" or "bad", or dies standing 
around bitching about something that didn't go their way they can't 
control anyway.

-SN
