Thursday, May 29, 2008

Do your part!

Mozilla aims to set a one-day world download record with the official release of Firefox 3. The date isn't set, but you can sign up to pledge to download it on day one here. I, for one, love Firefox and have been running the beta for some time now.

Saturday, May 17, 2008

SCADA Security unnoticed

Core Security released an advisory on a denial-of-service attack in which an unauthenticated user can take down a Wonderware system running SuiteLink with a single malformed packet (an oversized length field that makes the SuiteLink service fail a memory allocation and crash). This was first brought to Wonderware's attention at the end of January. They acknowledged the bug by late March and provided a fix by late April. The advisory was published in early May.


Is it just me? A lot of people talk the talk about how important stability is with industrial control software. But nobody really cares. Trivial bugs (by comparison) get much more press. Could you imagine if a single packet from a simple program could crash a mainstream Windows server application? The press would go nuts! By Wonderware's account, they've sold 500 thousand copies that are running in 100,000 plants worldwide in virtually every industry. These plants are not all on closed networks! Good thing terrorists don't have access to Google, like I do.

Besides not wanting to share details with the public and not recognizing the problem in a timely manner, Wonderware did their part. It's a learning process that will hopefully go more smoothly next time. What astounds me is the fact that you don't see or hear about this except on a few very specific sites and blogs. I bet there will be a significant percentage of vulnerable systems several years from now, a combination of the weak promulgation of information and the reluctance of industrial users to upgrade unless forced. That reluctance is caused by vendors releasing patches that haven't been adequately QA'd. This is one point where Inductive Automation is ahead of the power curve. Since FactorySQL and FactoryPMI upgrades nearly always come with free feature additions, IA users have created a culture of frequently upgrading their software.

But I digress. SCADA security is a huge bomb waiting to go off. There's a little talk on the subject, but the industry fails to take it seriously. I hope we can figure things out before the next 9/11 forces government intervention. How would you like your plant to operate like an airport? I'd like to think that level of regulation is unnecessary. We should each do our part in tightening down industrial security.

http://www.coresecurity.com/?action=item&id=2187
http://isc.sans.org/diary.html?storyid=4390

Inductive Automation Videos

Between traveling to New Zealand and Japan I've been pretty busy. I'll try to keep up with small blog posts. I've had lots of great ideas that haven't come to fruition.

I've been working on training videos for Inductive Automation. I'd love to hear your feedback. Once I finish a few more basic series I'll be taking requests.