Message-ID: <CAH8yC8=AMGVUG0zjEmQ8xXsNMmND6SX=ZeX-PShK26PNFe4DxQ@mail.gmail.com>
Date: Wed, 14 Sep 2011 14:26:53 -0400
From: Jeffrey Walton <noloader@...il.com>
To: fergal.cassidy@...suresoft.com
Cc: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in trading and SCADA softwares

On Wed, Sep 14, 2011 at 5:13 AM, <fergal.cassidy@...suresoft.com> wrote:

Please take this constructively...

> The so called vulnerability in ScadaPro does not apply when the Windows firewall is enabled and under normal circumstances the TCP-IP port is not used to communicate with the ScadaPro service.
Measuresoft should not stake its security on the hopes that a firewall
is running. There will be plenty of folks who will do dumb things with
it.

> In the next release of ScadaPro the TCP/IP port will not be available and instead a secure web service will be available.
>
> Also please note these tests were performed independently of Measuresoft on a demo version and without seeking or obtaining any advice from Measuresoft on how to securely deploy ScadaPro.
Measuresoft should be deploying securely out of the box. Require the
user to make manual changes to punch holes in the firewall (or do it for
them after they answer a yes/no with no as the default). Secure out of
the box is a good thing, even if it causes a few immediate hardships.

Jeff
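The reply above argues that a vendor should not assume the Windows firewall is enabled, and that any inbound hole for the service should be a deliberate operator decision. The script below is an added audit example, not code from this thread or from Measuresoft: it checks that every firewall profile is enabled with a default-deny inbound policy, then lists the enabled inbound allow rules that would expose a given TCP port. The listening port of the ScadaPro service is not stated in the thread, so `$ScadaPort` is a placeholder the operator must fill in; the script assumes Windows 8 / Server 2012 or later, where the `NetSecurity` cmdlets exist.

```powershell
# Added firewall-posture audit (example code, not from the mailing-list thread).
# Assumption: NetSecurity module (Windows 8 / Server 2012 or later).
# $ScadaPort is a PLACEHOLDER; the page does not give the real service port.
param(
    [int]$ScadaPort = 0
)

Import-Module NetSecurity

# --- 1. Is the host firewall on, with default-deny inbound, for all profiles? ---
# DefaultInboundAction of 'NotConfigured' falls back to Block, so only an
# explicit 'Allow' is treated as weak.
$weakProfiles = @()
foreach ($p in Get-NetFirewallProfile) {
    $healthy = $p.Enabled -and ($p.DefaultInboundAction -ne 'Allow')
    $state = if ($healthy) { 'OK' } else { 'WEAK' }
    '{0,-8} Enabled={1,-5} DefaultInbound={2,-13} {3}' -f `
        $p.Name, $p.Enabled, $p.DefaultInboundAction, $state
    if (-not $healthy) { $weakProfiles += $p.Name }
}

if ($ScadaPort -le 0) {
    Write-Warning 'Set -ScadaPort to the service port before checking rule exposure.'
    return
}

# --- 2. Which enabled inbound allow rules would reach the service port? ---
# A rule matches if its local-port filter names the port explicitly, covers
# it in a range, or is the wildcard 'Any'.
function Test-PortCovered {
    param([object]$LocalPort, [int]$Port)
    foreach ($entry in @($LocalPort)) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) {
            return $true
        }
    }
    return $false
}

$exposing = @()
foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $portFilter = Get-NetFirewallPortFilter -AssociatedNetFirewallRule $rule
    if ($portFilter.Protocol -ne 'TCP' -and $portFilter.Protocol -ne 'Any') { continue }
    if (Test-PortCovered -LocalPort $portFilter.LocalPort -Port $ScadaPort) {
        $app = Get-NetFirewallApplicationFilter -AssociatedNetFirewallRule $rule
        $exposing += [pscustomobject]@{
            Rule      = $rule.DisplayName
            Profile   = $rule.Profile
            LocalPort = ($portFilter.LocalPort -join ',')
            Program   = $app.Program
        }
    }
}

if ($exposing.Count -eq 0) {
    "No enabled inbound allow rule reaches TCP/$ScadaPort."
} else {
    "Rules exposing TCP/$ScadaPort (review each; remove any not deliberately created):"
    $exposing | Format-Table -AutoSize
}

if ($weakProfiles.Count -gt 0) {
    Write-Warning ("Profiles without default-deny inbound: " + ($weakProfiles -join ', '))
}
```

Run it from an elevated PowerShell session as `.\Audit-ServiceExposure.ps1 -ScadaPort <port>`. The point of the two-stage check mirrors the reply: a disabled profile or a default-allow inbound policy means the "firewall protects us" assumption is simply false on that host, and any rule that does open the port should be one the operator consciously created rather than one an installer added silently.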
