Perhaps you're getting as tired of this thing as I am (though with the information still coming in, I'm not going to be finished with this issue for a good while, I suspect). But without wishing to hype, I figure it's worth adding links to some further resources.
There's a very useful comment by Jake Brodsky on my previous post at http://blog.eset.com/2010/07/20/theres-passwording-and-theres-security, which explains very clearly the difficulties that Siemens' ineptitude has imposed on people working in the SCADA space. As he rightly says, that's not an area in which I have first-hand experience, but I am aware of those difficulties (and sympathetic to them, having worked at a level of responsibility within other areas of a critical national infrastructure). I am certainly not suggesting that they can be overcome "on a whim".
The ICS-CERT advisory at http://www.us-cert.gov/control_systems/pdf/ICSA-10-201-01%20-%20USB%20Malware%20Targeting%20Siemens%20Control%20Software.pdf suggests that ICS-CERT and Siemens CERT are working together on some aspects of the problem, and hopefully this will lead to a more realistic approach to resolving the SCADA aspects of the problem. (D
SC Magazine's Dan Raywood has picked up on some more issues, including the SCADA issue and the Microsoft interim fix at http://support.microsoft.com/kb/2286198#FixItForMe (see also Heise's story at http://www.h-online.com/security/news/item/lnk-vulnerability-Microsoft-fix-causes-icon-chaos-1042888.html).
Chet Wisniewski and Sean Sullivan, on the other hand, have explored the digital certificate issue that Pierre-Marc blogged on two days ago, and Paul Ducklin stresses the privacy and encryption issues.
The Irish Software Developers Network focuses on some of the figures originally blogged here and mentioned in a press release here. In case there's any confusion, perhaps it's worth stressing a few points.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow