Thursday, May 01, 2008

Inauguration of OWASP Sweden

Sweden has gotten a local chapter of OWASP, the worldwide free and open community focused on improving the security of application software. On Tuesday the 1st of April 2008 a seminar was held as the kick-off for this local chapter. The man behind it all is John Wilander, who has gotten the blessing of the OWASP board to start a Swedish chapter.

The agenda for the day called for three speakers covering various areas: development methodology, programming languages with built-in support for secure programming paradigms, and unusual, hard-to-spot flaws.

John Wilander of Omegapoint made the welcome speech and gave an introduction to OWASP and his vision for setting up a local chapter.

Michael Anderberg of Microsoft gave an overview of the Security Development Lifecycle (SDL) concept and model that Microsoft has developed. The model was created as part of Microsoft's Trustworthy Computing initiative. His main point was that everyone should use it: it was developed for Microsoft's own needs, but the model has been documented in books and elsewhere, so others can adopt it.

Andrei Sabelfeld of Chalmers University gave an overview of the research performed by his group, mainly information-flow-based security. He also gave examples of the problems with how some existing languages approach this, e.g. the taint feature of Perl.

Per Mellstrand of Sony Ericsson gave a good show, being somewhat provocative and a lightning-fast talker. His bug-hunting safari was quite nice; he pointed to the now classic, subtle double free bug in the zlib compression library and its effects in everything from open-source kernels to commercial application code.
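To show the shape of the bug class Per Mellstrand's safari pointed at, here is an added example; it is not code from the talk, from zlib or from this page. A hypothetical decompression stream (`stream_t`, `inflate_vuln`, `stream_end_vuln` and their `_fixed` counterparts are all invented names) frees its window buffer on an error path and then has it freed again by the caller's normal teardown, beside a version that clears the pointer after each release. The `tracked_free()` wrapper is part of the example, not a real allocator feature: it counts a repeated release instead of passing it on to `free()`, so the vulnerable path can be run without corrupting the heap.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example (not code from the talk, the page or zlib): a hypothetical
 * decompression stream whose error path frees its window buffer and whose
 * teardown frees it again, beside a version that clears the pointer so the
 * buffer is released exactly once. */

typedef struct {
    unsigned char *window;     /* sliding window for the decompressor */
    size_t window_size;
} stream_t;

/* Instrumented free(): records every pointer it releases and counts a
 * repeat release instead of passing it to the allocator, so the vulnerable
 * path can be exercised without triggering undefined behaviour. */
#define MAX_TRACKED 16
static void *released[MAX_TRACKED];
static int released_count;
static int double_free_events;

static void tracking_reset(void) {
    released_count = 0;
    double_free_events = 0;
}

static void tracked_free(void *p) {
    if (p == NULL)
        return;                          /* free(NULL) is a no-op, so is this */
    for (int i = 0; i < released_count; i++) {
        if (released[i] == p) {
            double_free_events++;        /* a real free() here would corrupt the heap */
            return;
        }
    }
    if (released_count < MAX_TRACKED)
        released[released_count++] = p;
    free(p);
}

static int stream_init(stream_t *s, size_t window_size) {
    s->window = malloc(window_size);
    if (s->window == NULL)
        return -1;
    s->window_size = window_size;
    return 0;
}

/* Vulnerable: on a bad header the window is freed, but the dangling pointer
 * stays in the struct, and the caller's normal teardown frees it a second time. */
static int inflate_vuln(stream_t *s, const unsigned char *in, size_t len) {
    if (len == 0 || in[0] != 0x78) {     /* constructed "bad header" check */
        tracked_free(s->window);
        return -1;
    }
    return 0;
}

static void stream_end_vuln(stream_t *s) {
    tracked_free(s->window);             /* second release on the error path */
}

/* Hardened: every release is followed by clearing the pointer, so teardown
 * after an error is a no-op rather than a second free. */
static int inflate_fixed(stream_t *s, const unsigned char *in, size_t len) {
    if (len == 0 || in[0] != 0x78) {
        tracked_free(s->window);
        s->window = NULL;
        s->window_size = 0;
        return -1;
    }
    return 0;
}

static void stream_end_fixed(stream_t *s) {
    tracked_free(s->window);
    s->window = NULL;
}

/* Drives the error path through one variant and returns how many double
 * frees the tracker observed (1 for the vulnerable code, 0 for the fix). */
int run_scenario(int hardened) {
    static const unsigned char bad_input[] = { 0x00, 0x01, 0x02 }; /* constructed */
    stream_t s;

    tracking_reset();
    if (stream_init(&s, 32768) != 0)
        return -1;
    if (hardened) {
        (void)inflate_fixed(&s, bad_input, sizeof bad_input);
        stream_end_fixed(&s);
    } else {
        (void)inflate_vuln(&s, bad_input, sizeof bad_input);
        stream_end_vuln(&s);
    }
    return double_free_events;
}

int main(void) {
    printf("vulnerable teardown: %d double free(s)\n", run_scenario(0));
    printf("hardened teardown:   %d double free(s)\n", run_scenario(1));
    return 0;
}
```

With a real `free()` in place of the tracker, the second release hands an already-released chunk back to the allocator; whether that crashes, silently corrupts heap metadata or is caught by the allocator's own consistency checks depends on the allocator and on what was allocated in between, which is exactly what makes this class of bug so hard to spot in review and so inconsistent to reproduce.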

The program committee has managed to put together a really nice seminar that included both industrial experience and knowledge and hot research topics.

The overall impression of this OWASP Sweden kick-off cannot be described with any other words than pure success. Without any real budget or advertising, close to 100 people from industry, government and academia showed up at the World Trade Center in Stockholm to participate.

OWASP Sweden has every possibility to become a hot-house and focal point for the security community in Sweden.

If you're interested in application security, you can join the OWASP Sweden mailing list here. The next OWASP Sweden seminar is scheduled for the Clarion Hotel, Skanstull, at 6pm (snacks from 5pm) on the 27th of May. See you there.

Thursday, February 07, 2008

Why SCADA still is insecure

My friend Erik pointed me to this piece of information on the SCADA mailing list. A new SCADA security mailing list is in the works. This snippet is taken from the invitation mail sent to other mailing lists:
"Due to heightened security and awareness levels worldwide, ALL MESSAGES ARE WATCHED CAREFULLY.
Violators who report methods that are going to disable, damage, dismember, destroy, or disarm any control system,
SCADA device, or infrastructure will be reported to DHS (and/or their respective national or federal authority)."

Ex-hacker turned tech journalist Kevin Poulsen, of Wired magazine, had this remark:

"Only the SCADA community could conceive of a mailing list that tries to get you arrested for discussing security issues. And we wonder why SCADA is still insecure."

He might have a point there...

SCADA security in upcoming issue of IEEE Security & Privacy magazine

The very relevant and interesting IEEE Security & Privacy magazine will devote its November/December issue to process control security. The submission deadline is the 4th of April if you are thinking of submitting an article.

See here for more information on the PCS IEEE issue.

Wednesday, February 06, 2008

The 2008 S4 Scada security conference

We recently attended the S4 conference in Miami, USA, facilitated by Dale Peterson and the good people of Digital Bond.

S4 is the SCADA Security Scientific Symposium, a yearly event held at the end of January.

S4 is a rather small and intimate event: you feel that you are in the front row of the conference room and at the same time have first-hand access to the world's technical expertise, the professionals in the SCADA security arena. It is striking to realize that only a few handfuls of people qualify for that title.

The symposium had eight invited speakers, some very good, some less scientific or relevant. Both keynote speakers were really good. On day one Steve Lipner, Microsoft's Senior Director of Security Engineering Strategy, gave a talk on security in systems and software development. If only SCADA vendors and others in the automation business would start to work according to these methods, things would certainly look a lot better.

On day two, Dave Aitel described the way a serious security researcher or a skilled attacker works when he (or she) reverse-engineers executable code and proprietary, unpublished communication protocols. I just hope that this is the eye-opener that many people really need. They should all know Shannon's maxim and Kerckhoffs's principle: the enemy knows the system, and security should depend on factors other than obscurity.

One of the better speakers, with a really interesting topic, security in wireless systems, was Denis Foo Kune (pictured above) of Honeywell Research. His talk on ISA 100, ZigBee, WLAN and radio system security was really nice.

For those of you who did not attend the symposium, there is now an opportunity to order the conference proceedings from Digital Bond.

According to Dale, Digital Bond plans to run S4 again in 2009, on the same dates and at the same place. Mark your calendars.

Tuesday, May 29, 2007

New mailing list on SCADA security and IT/infosec in relation to Critical Infrastructure

I've started a mailing list on SCADA security, "cyber security" and IT/infosec in relation to critical infrastructure. There are already a number of good, knowledgeable members from academia, vendors, users, government agencies, etc.

Drop me a note at rom * romab * com if you are interested to participate.

An explicitly vulnerable linux

Someone pointed me to a new Linux distribution. It is a derivative of Damn Small Linux, built as a tool for IT security and IT anti-security, attack and defense, and was initiated for training tasks during university lessons.

On the Internet, this was just bound to happen...

Monday, May 28, 2007

A different approach to Bluetooth wardriving

The guys in the BlueBag project have done some interesting work with their trolley. Check out their article in the excellent IEEE Security & Privacy magazine. The same guys also gave a presentation on the subject at Black Hat '06.