Comments on security
Security blog (http://www.blogger.com/profile/14552731618783422498)

Inauguration of OWASP Sweden (2008-05-01)

Sweden has got a local chapter of <a href="http://www.owasp.org/index.php/Main_Page">OWASP</a>, the worldwide free and open community focused on improving the security of application software. On Tuesday the 1st of April 2008 a seminar was held as the kick-off to start up this local chapter. The man behind all this was John Wilander, who has gotten the blessing of the OWASP board to start a Swedish chapter.

The agenda for the day called for three speakers covering various areas, including development methodology, computer languages with built-in support for secure programming paradigms, and unusual and hard-to-spot flaws.

John Wilander of Omegapoint made the welcome speech and gave an introduction to OWASP and his vision for setting up a local chapter.

[Photo: John Wilander's introduction]

<a href="http://blogs.technet.com/michand/">Michael Anderberg</a> of Microsoft gave an overview of the Secure Software Development Lifecycle concept and model that Microsoft has developed. The model was created as part of Microsoft's Trustworthy Computing initiative. His main point was that everyone should use it. It was developed for the needs of Microsoft, but the model has been documented in various <a href="http://www.amazon.com/Security-Development-Lifecycle-Michael-Howard/dp/0735622140">books</a>, etc.

[Photo: Michael Anderberg]

<a href="http://www.cs.chalmers.se/~andrei/">Andrei Sabelfeld</a> of Chalmers University gave an overview of the research performed by his research group, mainly information-flow-based security. He also gave some examples of the problems with some current languages' approaches to this, e.g. the taint feature of Perl.

[Photo: Andrei Sabelfeld]

Per Mellstrand of Sony Ericsson gave a good show, being somewhat provocative and a lightning-fast talker. His bug-hunting safari was quite nice; he pointed to the now classic, subtle double-free bug in the zlib compression library and its effects on everything from OSS kernels to commercial application code.

[Photo: Per Mellstrand]

The program committee managed to put together a really nice seminar that included both industrial-type experiences and knowledge as well as hot research
topics.

The overall impression of this OWASP Sweden kick-off cannot be described with any other words than pure success. Without any real budget or advertisement, close to 100 people from industry, government and academia showed up at the World Trade Center in Stockholm to participate.

OWASP Sweden has every possibility of becoming a hot-house and focal point for part of the security community in Sweden.

If you're interested in application security, you can join the OWASP Sweden mailing list <a href="https://lists.owasp.org/mailman/listinfo/owasp-sweden">here</a>. The next OWASP Sweden seminar is scheduled for the Clarion Hotel, Skanstull, at 6pm (snacks from 5pm) on the 27th of May. See you there.

Why SCADA still is insecure (2008-02-07)

My friend Erik pointed me to this piece of information on the SCADA mailing list. A new SCADA security mailing list is in the works. This snippet is taken from the invitation mail sent to other mailing lists:

<blockquote><i>"Due to heightened security and awareness levels worldwide, ALL MESSAGES ARE WATCHED CAREFULLY. Violators who report methods that are going to disable, damage, dismember, destroy, or disarm any control system, SCADA device, or infrastructure will be reported to DHS (and/or their respective national or federal authority)."</i></blockquote>

Ex-hacker-now-turned-tech-journalist Kevin Poulsen, of Wired magazine, had this <a href="http://blog.wired.com/27bstroke6/2008/02/scada-security.html">remark</a>:

<blockquote><i>"Only the SCADA community could conceive of a mailing list that tries to get you arrested for discussing security issues. And we wonder why SCADA is still insecure."</i></blockquote>

He might have a point there....

SCADA security in upcoming issue of IEEE Security & Privacy magazine (2008-02-07)

The very relevant and interesting IEEE Security & Privacy magazine will have its November/December issue focused on process control security. The submission deadline is the 4th of April if you are thinking of submitting an article.

See <a href="http://www.computer.org/portal/site/security/menuitem.6f7b2414551cb84651286b108bcd45f3/index.jsp?&pName=security_level1_article&path=security/content&file=cfp.xml&xsl=article.xsl&;jsessionid=HfftTBDnJ392Vsvvnf6J3jhLq7vFtv65G21B5CtC9TTT417M2VZl!1786731190">here</a> for more information on the PCS IEEE issue.

The 2008 S4 SCADA security conference (2008-02-06)

[Photo from S4]

We recently attended the S4 conference in Miami, USA, facilitated by Dale Peterson and the good people of Digital Bond.
S4 is the SCADA Security Scientific Symposium, a yearly event held at the end of January.

S4 is a rather small and intimate event that makes you feel that you are in the front row of the conference room and at the same time really have first-hand access to the world's technical expertise, the professionals in the SCADA security arena. It is amazing to realize that only a few handfuls of people qualify for that title.

[Photo from S4]

The symposium had eight invited speakers, some very good, some less scientific or relevant. Both keynote speakers were really good. On day one Steve Lipner, Microsoft's Senior Director of Security Engineering Strategy, gave a talk on security with regard to systems and software development. If only SCADA vendors and others in the automation business would start to work according to these methods, things would certainly look a lot better.

On day two, Dave Aitel described the way a serious security researcher or a skilled attacker works when he (she?) reverse engineers executable code and proprietary, unpublished communication protocols. I just hope that this is the eye-opener that many people really need. They all should know <i>Shannon's maxim</i> and <i>Kerckhoffs's principle</i>: the enemy knows the system, and security should really depend on factors other than obscurity.

One of the better speakers, with a really interesting topic, security in wireless systems, was Denis Foo Kune (depicted above) of Honeywell Research. His talk on ISA 100, Zigbee, WLAN and radio system security was really nice.

[Photo from S4]

For those of you not attending the symposium, there is now an opportunity to order the <a href="http://www.digitalbond.com/index.php/2008/02/06/2008-s4-proceedings-book-available-for-purchase/">conference proceedings</a> from Digital Bond.

According to Dale, Digital Bond plans to run S4 again in 2009, on the same dates and at the same place. Mark your calendars.

New mailing list on SCADA security and IT/infosec in relation to Critical Infrastructure (2007-05-29)

I've started a mailing list on SCADA security ("cyber security") and IT/infosec in relation to critical infrastructure. There are already a number of good, knowledgeable members from academia, vendors, users, government agencies, etc.

Drop me a note at <i>rom * romab * com</i> if you are interested in participating.

An explicitly vulnerable Linux (2007-05-29)

Someone pointed me to a new Linux distribution, <a href="http://www.damnvulnerablelinux.org">http://www.damnvulnerablelinux.org</a>. The distribution is a derivative of the <a href="http://www.damnsmalllinux.org/">Damn Small Linux</a> suite. It is a tool for IT security and IT anti-security, attack and defense. It was initiated for training tasks during university lessons.

On the Internet, this was just bound to happen....

A different approach to wardriving Bluetooth security (2007-05-28)

The guys in the BlueBag project have done some interesting work with their trolley. Check out their <a href="http://www.computer.org/portal/cms_docs_security/security/2007/n2/j2zan.pdf">article</a> in the excellent <a href="http://www.computer.org/portal/site/security/">IEEE Security & Privacy magazine</a>.
The same guys also did a presentation on the subject at <a href="http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html">Black Hat '06</a>.

Calendar with a comprehensive compilation of security conferences and seminars (2007-05-28)

I've compiled an iCal calendar with most of the known major IT security, infosec, network security and cryptography related conferences and events. I've made a public web version available <a href="http://www.romab.com/calendar.html">here</a>.

A known defect is that iCal doesn't provide a good URL field (pointing to the conference) in the exported version. I will try to add these manually in the comment field in upcoming releases.

Enjoy!

The Browns Ferry incident (2007-05-28)

The reactor of an Alabama nuclear power plant, Browns Ferry Unit 3, was shut down on August 19, 2006 as a result of the failure of a device, a special type of PLC. What's interesting about this shutdown is that the report of the incident actually pinpoints IT-related errors, i.e. network overload, as the root cause. The report states that an Ethernet network that had been installed was to blame. This is the really, really interesting part. In a nuclear plant, there should not be a design or implementation that could fail like this.

The incident log is <a href="http://www.nrc.gov/reading-rm/doc-collections/event-status/event/2006/20060821en.html#en42787">here</a> and a full report from the Nuclear Regulatory Commission, NRC, is available <a href="http://www.nrc.gov/reading-rm/doc-collections/gen-comm/info-notices/2007/in200715.pdf">here</a>.

As a result of this incident, Committee on Homeland Security Chairman Bennie G. Thompson (D-MS) and Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology Chairman James R. Langevin (D-RI) sent a <a href="http://homeland.house.gov/press/index.asp?ID=212">letter</a> to Dale E. Klein, Chairman of the U.S. Nuclear Regulatory Commission, regarding cybersecurity at the nation's nuclear power plants. One interesting excerpt of the letter is the following:

<blockquote><i>We have deep reservations about the NRC's hesitation to conduct a special investigation into this incident. First, although NRC regulations only specify cyber requirements for safety systems, it is clear from the Notice that the disruption of a non-safety system can impact a plant's safety systems. The manual scram by the operators was the only reason that the excessive network traffic in this incident did not trigger a scram by the plant's safety systems. It is clear, therefore, that a nuclear plant's safety systems are directly impacted by the security of its non-safety systems; a weakness or vulnerability in the non-safety network can disrupt operations and trigger a safety system shutdown.</i></blockquote>

The letter ends with seven important cybersecurity questions that the Committee requires the NRC to answer.

The details of this incident are still very scarce, with lots of interpretations by different journalists, experts, and others. We'll probably see over time what the source of the problem really was. The SCADA security bloggers at <a href="http://www.digitalbond.com">DigitalBond</a> have several more interesting <a href="http://www.digitalbond.com/index.php/2007/05/20/more-on-the-incident-at-browns-ferry">comments</a> on the incident.

The attacks on Estonia (2007-05-28)

This post summarizes last month's attacks on the digitally interconnected parts of one of Sweden's neighboring countries, Estonia.

The network attacks, different types of <a href="">DoS</a> and DDoS attacks, have spurred a flood of articles in newspapers and magazines. The attacks against Estonian web sites started after the April 27 removal of a statue known as the Bronze Soldier, an old Soviet monument. The attacks have come and gone for close to a month.

Infoworld had an article on the subject of <a href="http://www.infoworld.com/article/07/05/24/21OPentinsight_1.html">picking someone your own size</a>. In the <a href="http://ap.washingtontimes.com/dynamic/stories/E/ESTONIA_CYBER_ATTACKS?SITE=DCTMS&SECTION=HOME">Washington Post</a> they quote the Estonian defence minister saying: "We identified in the initial attacks IP numbers from the Russian governmental offices". If it's true, that assault, and the way it was initially executed, is really bad politics.

There have been several longer articles on the recent events.
The well-known magazine <a href="http://www.economist.com">The Economist</a> pointed out in an article titled <a href="http://www.economist.com/world/international/displaystory.cfm?story_id=E1_JNNRSVS">Newly nasty</a>, with the subheading <i>Defences against cyberwarfare are still rudimentary</i>, that:

<blockquote><i>For the first time, a state faced a frontal, anonymous attack that swamped the websites of banks, ministries, newspapers and broadcasters; that hobbled Estonia's efforts to make its case abroad.</i></blockquote>

Many accusations point to Russia, but there is not much (yet) in the news to give any clear indication of who, what or where the attacks are ultimately directed from. The head of the Estonian CERT, Hillar Aarelaid, made a statement on the <a href="http://www.valitsus.ee/?id=6721">Estonian government web</a>. Even the Estonian defense minister made some strong comments, according to the article <a href="http://www.smh.com.au/news/Technology/Estonia-urges-firm-EU-NATO-response-to-new-form-of-warfarecyberattacks/2007/05/16/1178995207414.html">Estonia urges firm EU, NATO response to new form of warfare: cyber-attacks</a> in <a href="http://www.smh.com.au">The Sydney Morning Herald</a>:

<blockquote>"The EU and NATO need to work out a common legal basis to deal with cyber attacks. For example, we have to agree on how to tackle different levels of criminal cyber-activities, depending on whether what we are dealing with is vandalism, cyber-terror or cyber-war," he [Hillar Aarelaid, head of CERT-EE] said.</blockquote>

The article also notes that the NATO defence ministers will discuss cyber defence at a meeting in Brussels in June. It might be both good and bad to have the big players starting to take an interest in this area. Probably mostly bad, since the questions will get out of the hands of skilled people and into the hands of politicians.

On the positive side, there are two good articles on the subject from two Internet gurus. Kurt-Erik "kurtis" Lindqvist has a very good writeup on the whole situation: <a href="http://www.kurtis.pp.se/blog/2007/05/real_lessons_learned_from_the.html">Real lessons learned from the attacks on Estonia</a>. Patrik "paf" Fältström has a shorter but more <a href="http://stupid.domain.name/node/215">graphical</a> overview of the situation. These writeups certainly show how much the media manages to twist a covered story away from the original.

Process control networks and critical information infrastructure (2006-10-13)

Security in society's information infrastructure, or critical base infrastructure, is a major concern these days. The reasons for this are, among other things:
<ul>
<li>The trend is that events that happen in the physical domain (e.g. sabotage, obstruction) also start to happen in the electronic (often called "cyber") domain.</li>
<li>Many systems were designed long ago according to simple functional requirements, not to withstand a modern (potentially) hostile IT environment.</li>
<li>There are many people looking for new hot topics in the information security market....</li>
</ul>

Anyway, this article can serve as a simple starting point for this topic.

The helpful people at the UK's National Infrastructure Security Co-ordination Centre, <a href="http://www.niscc.gov.uk/niscc/index-en.html">NISCC</a>, have produced quite some information in this area, including best-practice documents, architecture and design recommendations, etc.

A good place to get fresh information on embedded systems security, process control systems security, etc. is the <a href="http://www.digitalbond.com/SCADA_Blog/SCADA_blog.htm">SCADA Security Blog</a> hosted by Digital Bond. Not only do they have some nice information, they've also produced a number of tools that might be useful. <a href="http://www.cisco.com/web/about/security/security_services/ciag">Cisco's Critical Infrastructure Group (CIAG)</a> is another interesting place with some information.

SANS recently held a webcast on <a href="https://www.sans.org/webcasts/show.php?webcastid=90748">Cyber Attacks Against SCADA and Control Systems</a>. Eric Byres talked about "his" ISID database of published incidents or attacks against process control systems, and the sponsor, Symantec, talked some about their pen tests against process control systems. I have several problems with the ISID database:
<ul>
<li>The researchers draw a number of conclusions from a statistically limited number of incidents.</li>
<li>The lack of publicly available information. I can live with the fact that some data is hidden to protect the participating organizations, but the basic stuff, such as the definitions of "accidents", "incidents", etc., should be available for the data to be usable.</li>
</ul>
I also have problems with not being able to get the research articles they've written on the subject. I've tried to get some info from Eric and others at BCIT. So far all I've got is bounced mail....

DHS has released a report on the <a href="http://www.dhs.gov/interweb/assetlibrary/prep_cyberstormreport_sep06.pdf">CyberStorm exercise</a>, a large-scale exercise with simulated attacks on critical infrastructure components. It describes, among other things, how important it is to get communication (oral, human communication) and trust working between the involved parties during a crisis situation. In a context where you have a mix of governmental bodies, commercial entities and other organisations without established and trustworthy channels, this might be a major problem. The exercise was done in the US, but I'd say that the conclusion is general and would be appropriate for most countries in the event of an attack against the critical infrastructure.

Other, older, reports and documents of interest include:
<ul>
<li>The GAO has also released an interesting report called <a href="http://www.gao.gov/new.items/d061087t.pdf">Critical Infrastructure Protection: DHS Leadership Needed to Enhance Cybersecurity</a>.</li>
<li>The National Infrastructure Advisory Council report on <a href="http://www.dhs.gov/interweb/assetlibrary/NIAC_CyberVulnerabilitiesPaper_Feb05.pdf">prioritizing cyber vulnerabilities</a>.</li>
</ul>

America's funniest home videos, cyber style (2006-09-15)

Many security-related movies can be found on the Internet.
Some are fun. Some are sad. Most of them are educational. It could be argued that it is not a good thing to have them in a blog like this, but they are all very easy to find using Google Video or any other search engine. I would argue against that and raise two objections: first, I believe that we (the good guys) need to share information; the bad guys already do, which gives them the advantage. Secondly, I do not think that most people understand the vast diversity of information available, anything from breaking into WLANs to manipulating vending machines. If you think a bit philosophically about that, you soon realize that most things are vulnerable. That piece of thinking is something that is good to always keep in the back of your head when you design any solution. You don't want to have a web page or a video dedicated to your failures, or a mailing list discussion on why your solution sucks. Anyway, this is a collection of some "home videos" I found by browsing the web for half an hour.

The first video is a Berkeley professor giving a serious <a href="http://www.break.com/movies/stolenlaptop.html">rant</a> about the consequences for the one who stole his laptop.

Marcus Ranum (internet security guru) has a <a href="http://www.ranum.com/fun/bsu/">collection of home videos</a>, including <a href="http://www.ranum.com/fun/bsu/babyfoodbomb/index.html">Detonating baby food</a> and <a href="http://www.ranum.com/fun/bsu/safecracking/index.html">safe cracking</a>.

IT-related videos come in several categories. Wireless network videos seem to be quite popular. <a href="http://video.google.com/videoplay?docid=-1021256519470427962&q=hacking">WEP hacking</a> is a short one (4 mins) on how to break into someone's wireless network. Here's another one where they hack a <a href="http://video.google.com/videoplay?docid=-5945746769102330353&q=cracking&hl=en">128 bit WEP network</a>.

We have included some mandatory <a href="http://video.google.com/videoplay?docid=8278906058943586340&q=hacking">Windows hacking</a> and another one called <a href="http://www.youtube.com/watch?v=SdrnPGtpnmc&NR">get "r00t" privlages</a> (note their bad spelling :-). It's easy to find videos of <a href="http://www.youtube.com/watch?v=Cl-vlRL7WK8">Windows Password hacking</a> and another one using <a href="http://www.youtube.com/watch?v=FwpEkm_oays&mode=related&search=">LC4</a>.

One category of videos is interviews with "hackers". One <a href="http://video.google.com/videoplay?docid=-4763839195279486500&q=hacker&hl=en">interesting video</a> was shot at the DefCon conference.

There are also a number of hardware hacking videos: how to crack open an <a href="http://video.google.com/videoplay?docid=7680383411313302901&q=cracking&hl=en">iPod nano</a>, an <a href="http://video.google.com/videoplay?docid=-5267267656761882743&q=xbox+hacking">Xbox</a> (2h3m) and an <a href="http://video.google.com/videoplay?docid=-2583977718449607978&q=xbox+hacking&hl=en">Xbox 360</a> (2 mins). Someone even taped a video on how to hack the menu system of a <a href="http://video.google.com/videoplay?docid=284513238711939702&q=hacking&hl=en">vending machine</a>. An academic video on how to hack a <a href="http://www.youtube.com/watch?v=OJOyz7_sk8I">voting machine</a> was taped by researchers at Princeton. Some more fun videos, fun in the <i>classical hacker definition</i> sense, are <a href="http://www.blinkenlights.de/video.en.html">these videos</a> from the Chaos Computer Club.

There are some IPTV shows floating around, including <a href="http://video.google.com/videosearch?q=thebroken&hl=en">thebroken</a>, <a href="http://video.google.com/videosearch?q=doug+tv&hl=en">DougTV</a>, etc.

Google has had some interesting guest lecturers for their engineers speaking on <a href="http://video.google.com/videoplay?docid=5159636580663884360&q=security">How To Break Web Software - A look at security vulnerabilities in web software</a> (1h30m) or <a href="http://video.google.com/videoplay?docid=2575564563023304756&q=security">Crime: The Real Internet Security Problem</a> (1h).

As a short summary, it is also important to remember all the interesting webcasts made available by Microsoft, SANS and others, where you can find tons of information on security problems as well as on fixing security.

The twilight zone (2006-09-15)

I have developed a specific interest in the twilight zone between different aspects of security: where security and safety issues cross, where there are physical and logical security issues, or where technical issues differ from the psychological acceptance of security (even usability).

<a href="http://www.oreilly.com/catalog/securityusability/">Usability AND security</a> (not OR) is the name of an excellent book edited by Lorrie Faith Cranor and Simson Garfinkel. They cover psychological acceptance of security, secure systems, privacy and anonymity systems, etc.
One of the pioneers in the <i> softer aspects of information security</i> is Ka-Ping Yee with his <a href="http://www.ischool.berkeley.edu/~ping/sid/">Secure Interaction Design, SID</a>, which contain some really good ideas and rule of thumb. He have provided some nice <a href="http://www.ischool.berkeley.edu/~ping/sid/sid72.jpg">posters</a> on the matter.<br /><br />Matt Blaze have written several excelent articles on this subject, including <a href="http://www.crypto.com/papers/safelocks.pdf">Safecracking for the Computer Scientist</a> and <a href="http://www.crypto.com/papers/mk.pdf">Cryptology and Physical Security: Rights Amplification in Master-Keyed Mechanical Locks</a>, where he applies modern ideas from computer science to attack traditional security systems. By performing his research he have received some critic from locksmiths and others. Hey, even Nobel laureate Richard Feynman is known to be a <a href="http://en.wikipedia.org/wiki/Surely_You%27re_Joking%2C_Mr._Feynman%21">safe cracker!</a><br /><br />Another, similar type of interesting research where real-world security meets information security is the research performed by <a href="http://www.cl.cam.ac.uk/~rja14/">Ross Anderson</a> on ATM machines in <a href="http://www.cl.cam.ac.uk/~rja14/wcf.html">Why Cryptosystems fail</a>, by <a href="http://avirubin.com/">Avi Rubin</a> of Johns Hopkins and <a href="http://www.cs.princeton.edu/~felten/">Ed Felen</a> of Princeton on <a href="http://itpolicy.princeton.edu/voting/">Electronic voting machines</a>, etc.<br /><br />The last couple of years I've found Process Control Systems, SCADA and similar industrial applicactions of special interest, since it is an area where there security and safety meets (collide?). Another aspect of this collision is the cultural differences in the groups working, i.e. IT staff versus the staff working with process control. 
There are many security aspects of the industrial IT field that are simply different from traditional IT - scarce resources, unwillingness to change (upgrade software? no way!), and many systems have a completely different life cycle. I will write more on this in coming articles.

IT and politicians, part 2 (published 2006-09-14T23:34:00.000+01:00, updated 2006-09-14T23:52:48.532+01:00)

The subject of IT, which was a stone cold subject at the beginning of the Swedish election campaign, has become red hot, especially if it can be tied to some kind of misuse or scandal.<br /><br />Discussions on some chat channels and mailing lists revealed that, using some <a href="http://www.google.com/search?hl=sv&q=ssu.se+mysql_connect+root">google hacking</a>, it was quite easy to recover sensitive configuration information (a root password) belonging to the youth section of one of the political parties. More on that in <a href="http://aftonbladet.se/vss/nyheter/story/0,2789,887132,00.html">this article</a> (in Swedish) in one of the major newspapers. Google and friends are powerful tools - remember that they can be used with both good and malicious intent.<br /><br />One Swedish politician had the <a href="http://hd.se/helsingborg/2006/09/14/toppolitikers_haarddisk_laag_ute">content of his hard disk</a> (Swedish) available on one of the major file sharing networks. He blames his kids for having used the computer to connect to DC++. This is still to be verified.
However, common sense says that you should not share a computer used for professional work with your teenagers.

IT and politicians, part 1 (published 2006-09-14T22:37:00.000+01:00, updated 2006-09-14T23:33:57.196+01:00)

The run-up to the Swedish elections specifically lacked one major area - information technology. It was a non-existent subject. No politician was interested in discussing aspects of information technology. This changed overnight with the spy scandal, where representatives of the Liberal party misused the login of a user belonging to the competing Social Democratic party. The story <a href="http://di.se/Nyheter/?page=%2fAvdelningar%2fArtikel.aspx%3fO%3dRSS%26ArticleId%3d2006%5c09%5c09%5c200755">broke</a> at the beginning of September, and it has been in the headlines of all major Swedish media for the last couple of weeks. According to <a href="http://di.se/Nyheter/?page=%2fAvdelningar%2fArtikel.aspx%3fO%3dRSS%26ArticleId%3d2006%5c09%5c09%5c200755">media</a>, different types of information were leaked (or stolen) by a number of intruders. The "attack" was performed using a simple username - sigge, a nickname - with the password sigge (great security there!). The compromised account could be used to access not only tactics for the upcoming election and political strategies, but also more sensitive information such as reports from the secret police, etc. Allowing weak passwords is clearly not good security. Beyond that, common sense and basic security knowledge should rule out designing internet-accessible systems that rely on static passwords and are used for a mix of documents of different confidentiality levels.
