Here I am going to Las Vegas for Black Hat and DefCON again! It's funny that this time I have much lower expectations for the event. My feeling from the latest news in the field is that it's too much of a 0-day-of-the-week and buzzword contest (APT/Cloud). Anyway, it's always the place to be when talking about information security, and I hope to be wrong about it. It will also be a great opportunity to meet friends and colleagues. If you are there, please feel free to drop a tweet (@apbarros); I'll be tweeting live there. And let's see that B-Sides stuff. Honestly, from what I've seen from the last editions and the current schedule, it may become the A-Side quite soon.
Thursday, July 22, 2010
As everybody in the field had predicted, malware targeting SCADA systems has finally come true. The lucky thing is this one is only looking for information to steal, not actually doing anything. I wonder what outcome we could have if this nasty little thing was designed to force systems to fail.
SCADA systems are one of the most critical blind spots in organizations today. Few people have access to them and know how they work, so there is a false perception of security about them. Specialized systems, such as SCADA and ATMs, often rely on obscurity as their main security strategy. It's not even something done intentionally, but as a result of a never-ending vicious cycle. Internal security resources don't know about security on those systems, and the specialists in that technology don't understand security. You can think about hiring external consultants to check the systems, but the consultants also don't have much contact with that technology. Of course they won't tell you that; they will run their off-the-shelf tools anyway. The results will tell you nothing, which you will interpret as "secure", perpetuating the notion that there are no security issues with that technology. As there are no security concerns there, the security team won't spend time learning that technology, and the specialists will keep saying that this security thing is for those Internet-web-2.0-cloud-stuff guys. Until the next Black Hat briefings or sexy malware.
I wonder when this is going to hit the old mainframe. I must say it will be fun to watch.