Dailydave mailing list archives

Re: SCADA fun


From: "Prof Srs" <pr0f_srs () gmx com>
Date: Mon, 05 Dec 2011 12:18:11 +0100

> No, DHS (Marty Edwards, he is the top guy, whose blackberry goes off
> for all things SCADA) latest comment yesterday is that they cannot
> comment on Water Utility hack #2, since it is an ongoing criminal
> investigation. NB, this is the Texas one, the pastebin one referred to
> below. Not the Springfield, Illinois, one referred to in the Wired
> article and elsewhere.

Yeah, there were two "hacks". The one in Illinois, which was apparently due to someone on holiday in Russia,
and my one, in South Houston. I specifically commented that it wasn't much of a "hack", though.
> "
> Asked if the fusion center is investigating how information that was
> uncorroborated and was based on false assumptions got into a distributed
> report, spokeswoman Bond said an investigation of that sort is the
> responsibility of DHS and the other agencies who compiled the report. The
> center's focus, she said, was on how Weiss received a copy of the report
> that he should never have received.
> "
>
> No need to investigate why people are able to log into your SCADA system
> from all over the world...
Well... The culture in this business is a bit of an Old Gentleman's Club, where people simply do not care about
security. The recent Conficker/Stuxnet "link" was published by some guy who has done work for .gov, after all.
Unfortunately, nowadays, many people don't even understand basic security practices. This might not be as much of a
problem when it comes to webservers on *nix boxes, where absolutely everything is logged and forensics can be performed
and Serious Punishments can be handed out and Examples Can Be Made, but have you ever tried performing forensic analysis
on an embedded device? It's not going to happen.
We need to move away from trying to legislate security and move towards proactive security. Laws against greyhat
hacking should be trashed; it's not the 90s, there are millions of people out there with an interest in security, markets
for 0-day 'sploits and PII for use in identity theft, and more scripts than you can shake a groundhog's tail at. Making
An Example of drug-dealers and drug barons hasn't worked, so to think it'll work against organized cybercrime,
nation-state-supported attackers or malicious rm-monkeys is just beyond words, especially as I do believe cyber crime
is now the most lucrative kind of crime in the world.
But hey, I'm just a kid who picked up a few books on ICS, I've no IT qualifications, why should anyone listen to me?

-pr0f
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave