> No, DHS (Marty Edwards, he is the top guy, whose blackberry goes off
> for all things SCADA) latest comment yesterday is that they cannot comment
> on Water Utility hack #2, since it is an ongoing criminal investigation. NB,
> this is the Texas one, the pastebin one referred to below. Not the
> Springfield, Illinois, one referred to in the Wired article and elsewhere.
> Yeah, there were two "hacks". The one in Illinois, which was apparently due
> to someone on holiday in Russia, and my one, in South Houston.
I specifically commented that it wasn't much of a "hack", though.
> "
> > Asked if the fusion center is investigating how information that was
> > uncorroborated and was based on false assumptions got into a distributed
> > report, spokeswoman Bond said an investigation of that sort is the
> > responsibility of DHS and the other agencies who compiled the report. The
> > center's focus, she said, was on how Weiss received a copy of the report
> > that he should never have received.
> "
>
> No need to investigate why people are able to log into your SCADA system
> from all over the world...
Well... The culture in this business is a bit of an Old Gentleman's Club, where
people simply do not care about security. The recent Conficker/Stuxnet "link"
was published by some guy who has done work for .gov, after all. Unfortunately,
nowadays, many people don't even understand basic security practices. This
might not be as much of a problem when it comes to webservers on *nix boxes,
where absolutely everything is logged and forensics can be performed and
Serious Punishments can be handed out and Examples Can Be Made, but have you
ever tried performing forensic analysis on an embedded device? It's not going to
happen.
We need to move away from trying to legislate security and move towards
proactive security. Laws against greyhat hacking should be trashed; it's not
the 90s, there are millions of people out there with an interest in security,
markets for 0-day 'sploits and PII for use in identity theft, and more scripts
than you can shake a groundhog's tail at. Making An Example of drug-dealers and
drug barons hasn't worked, so to think it'll work against organized cybercrime,
nation-state-supported attackers or malicious rm-monkeys is just beyond words,
especially as I do believe cyber crime is now the most lucrative kind of crime
in the world.
 But hey, I'm just a kid who picked up a few books on ICS, I've no IT 
qualifications, why should anyone listen to me?
 -pr0f
_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave