September 2013 Archives

Whose FDA Is It, Anyway?

I was rather happy to see a news headline touting that the FDA would begin regulating safety and security in medical software. Upon reading the full story, however, I have to say that I'm rather disappointed.

Why disappointed?  Because mobile platforms are not designed to do anything critical.  Take for example this excerpt from the End User License Agreement of iOS 7:

"""
7.5 YOU FURTHER ACKNOWLEDGE THAT THE iOS SOFTWARE AND SERVICES ARE NOT INTENDED OR SUITABLE FOR USE IN SITUATIONS OR ENVIRONMENTS WHERE THE FAILURE OR TIME DELAYS OF, OR ERRORS OR INACCURACIES IN, THE CONTENT, DATA OR INFORMATION PROVIDED BY THE iOS SOFTWARE OR SERVICES COULD LEAD TO DEATH, PERSONAL INJURY, OR SEVERE PHYSICAL OR ENVIRONMENTAL DAMAGE, INCLUDING WITHOUT LIMITATION THE OPERATION OF NUCLEAR FACILITIES, AIRCRAFT NAVIGATION OR COMMUNICATION SYSTEMS, AIR TRAFFIC CONTROL, LIFE SUPPORT OR WEAPONS SYSTEMS.
""

Schneider Doesn't Fix a Thing

Yesterday ICS-CERT released an updated advisory about the Schneider Modicon Quantum Ethernet boards. The advisory is vaguely written and hides the fact that Schneider's firmware update breaks important functionality.

From the advisory:

"""
This upgrade includes a new feature that allows the user to enable or disable both the FTP and HTTP services on the modules. Disabling these services will mitigate the vulnerability mentioned above. The following products support the HTTP and FTP service enable and disable feature:

  • 140NOE77101 Firmware Version 06.00 or greater, and
  • 140NOE77111 Firmware Version 06.00 or greater.

"""

The Tofino blog has a post by Bob Radvanovsky on what is quite an important issue for many ICS owners and operators. I've seen internet-connected water control systems with my own eyes, and have reported everything from building management systems to electric substations directly connected to the internet to ICS-CERT, vendors, owners, and anybody who will listen.

It's a great irony to me that the blog post appears on Tofino's website.  I have a great deal of respect for Tofino's hardware and software, but their overarching message concerning field device security is muddled.  Eric Byres and other SCADA Apologists say that removing insecure-by-design field devices in favor of secure-by-design ones is simply impossible for asset owners.

About this Archive

This page is an archive of entries from September 2013 listed from newest to oldest.