There is not a single piece of software that exists today that is free from flaws, and many of those flaws are security risks. Every time a new security technology is added to an infrastructure, a host of flaws is also introduced. The majority of these flaws are undiscovered, but in some cases the vendor already knows about them.
Before 2008 nobody had done any high-visibility vulnerability research and exploit development against the critical systems used to maintain our critical infrastructure. In early to mid 2008 that all changed. Initially, Core Security published a security vulnerability in Citect SCADA. That vulnerability got media attention because it was one that could be used to penetrate the important control systems that run our infrastructure (electricity, water, gas, oil, etc.).
Something that I keep on hearing from engineers (power, water, etc.) on the SCADASEC mailing list is that they are more concerned about human error causing an outage than an attack over the internet. Most of the incidents that I hear about are operator error, and they involve accidentally shutting down a computer system or perhaps configuring one improperly (the utility guys like to call these “cyber” incidents). When that happens things “go to hell in a hand basket” fast, and people can and do die. They seem to be more concerned about those types of “cyber” incidents than they are about the hacker threat… but are they getting it right?
The fact of the matter is that a malicious hacker could trigger any number of these “cyber” incidents, either deliberately or accidentally, and the end result is the same. How do we get these guys to take the threat more seriously? I think it's happening, but I don't feel like it's happening fast enough.
So I've been participating in the penetration testing mailing list that is hosted by SecurityFocus, and I can't say that I am impressed. In fact, I might even go so far as to say that I am concerned about the caliber of the people that are offering paid services. Here's why.
When a customer hires a security professional to perform a Penetration Test, Web Application Security Assessment, or any other service, that customer should be getting a real expert. That expert should be able to assess the customer's target infrastructure, application, or whatever, and should be able to determine the points of vulnerability and their respective risks. But that is not what I am seeing.
The other day a self-proclaimed “expert” asked how dangerous a SQL Injection vulnerability was. They had apparently identified a SQL Injection vulnerability in their customer's website but didn't know what to do with it! They also asked how to exploit the vulnerability and what successful exploitation might do.
Well the first thing that came to mind was “Why the hell are you offering services if you don’t know what you […]
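As an added illustration (not code from the original post or from the mailing-list thread it describes), here is the answer to "how dangerous is it?" in runnable form: a login query built by string concatenation, the two things an attacker does with it (bypass authentication, then pull every stored credential out with a UNION), and the parameterized version that closes the hole. The table, column names and accounts are constructed sample data for the demo, and SQLite stands in for whatever database the customer's site actually used.

```python
"""Added example: what a SQL injection bug actually buys an attacker, and
why a bound-parameter query closes it. The schema and rows below are
constructed for this demo and are not from any real assessment."""
import sqlite3


def build_db():
    """Constructed sample data: a users table of the kind a web login queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "admin", "s3cret-admin-pw", "admin"),
         (2, "alice", "alice-pw", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The bug: user input is pasted into the SQL text, so a quote in the
    input changes the structure of the query rather than being data.
    Returns the matched username, or None when the login fails."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: bound parameters. The driver hands the values to the engine
    separately from the SQL text, so input is never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def dump_credentials_vulnerable(conn):
    """Same flaw used for data theft: a UNION smuggled in through the username
    field appends every stored username:password pair to the result set, and
    the trailing '--' comments out the rest of the original WHERE clause."""
    payload = "x' UNION SELECT username || ':' || password FROM users -- "
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (payload, "irrelevant"))
    return sorted(r[0] for r in conn.execute(sql).fetchall())


if __name__ == "__main__":
    db = build_db()
    # Authentication bypass: the comment marker discards the password check.
    print("vulnerable login as:", login_vulnerable(db, "admin' -- ", "wrong"))
    print("safe login rejects:", login_safe(db, "admin' -- ", "wrong"))
    # Data theft through the same input field.
    print("leaked:", dump_credentials_vulnerable(db))
```

The point for the assessor: the same unescaped quote that logs an attacker in as `admin` also reads (and, with a stacked or UPDATE-based payload against other engines, writes) arbitrary rows in the database behind the site. The severity is therefore whatever the most sensitive data reachable from that database connection is, which is why "how dangerous is it?" is a question the tester has to answer before writing the report.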
I recently gave a speech with Green Hills Software, Inc. in California. The presentation covered the real threat that businesses face, as opposed to the theoretical threat that most people seem to worry about more. I also made it a point to uncover some of the more unorthodox attack methods that hackers use, like the spreading of infected USB sticks in parking lots or the use of rapid Distributed Metastasis.
Here are some articles that were written as a result of the conference: