[SCADASEC] Protect All Industrial Controllers, Stat!
Adriel Desautels
adriel at netragard.com
Thu Aug 28 11:53:31 CDT 2008
I don't think that "why" matters. I think that the fact that it was
leaked matters. It has since been removed and the URL returns a 404. But
now pesky blackhats can hack the site and find the document. :)
Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45
Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security
Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn
Toecker, Michael wrote:
> Myrc,
>
> Thanks. I understand that the search works for both.
>
> My question was 'why' those search terms ("Boreas Vulnerability
> Checklist") would be used. Those terms are part of the advisory, which
> a person who didn't have access to the advisory wouldn't use. They
> appear nowhere in Kevin's email. If an uninformed person hadn't had
> access to the original advisory, that person would have used the words
> in Kevin's email ("Boreas Firmware Vulnerability").
>
> While both return the same results, it tells me that Myrc has access to
> the ISACs (at least one of them), and access to the advisories that come
> from those ISACs. Otherwise, he would have been ignorant of the
> advisories, and used the listserv (and "Boreas Firmware Vulnerability")
> to find the information.
>
> It's a small tidbit, but important, since the ISACs (and ISAC members)
> are pretty particular about whom they send advisories to.
>
> Sincerely,
>
> Michael Toecker
> Control Systems Security Designer
> Compliance & Infrastructure Protection
> Burns & McDonnell Engineering
> 425 South Woods Mill Road
> Suite 300
> Chesterfield, MO 63017
>
> Office: 314-682-1545
> Cell: 615-948-6954
> www.burnsmcd.com
>
>
> -----Original Message-----
> From: scadasec-bounces at news.infracritical.com
> [mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Myrcurial
> Sent: Thursday, August 28, 2008 9:09 AM
> To: scadasec at news.infracritical.com
> Subject: Re: [SCADASEC] Protect All Industrial Controllers, Stat!
>
> I had assumed that like all security professionals, members of this
> list spent sufficient time in the seedier alleys of the internet so as
> to be aware of as much as possible.
>
> Just because the bad guys and the hackers are focussed on the wrong
> attack methodology doesn't mean that they can't do bad things or that
> they fail to have interesting or useful information.
>
> Oh - and your search terms are as effective as mine, in fact, I was
> just being sufficiently precise so as to ensure a perfect search
> return. (Try it - you'd be surprised)
>
> ~M
>
> On Thu, Aug 28, 2008 at 10:04 AM, Toecker, Michael
> <mtoecker at burnsmcd.com> wrote:
>> Now why would you search for "Boreas Vulnerability Checklist"? That
>> wasn't in any of these emails.... "Boreas Firmware Vulnerability" would
>> have been my search term if all I had seen was Kevin's email.
>>
>> Mayhaps you have already seen the advisory?
>>
>> Sincerely,
>>
>> Michael Toecker
>> Control Systems Security Designer
>> Compliance & Infrastructure Protection
>> Burns & McDonnell Engineering
>> 425 South Woods Mill Road
>> Suite 300
>> Chesterfield, MO 63017
>>
>> Office: 314-682-1545
>> Cell: 615-948-6954
>> www.burnsmcd.com
>>
>>
>> -----Original Message-----
>> From: scadasec-bounces at news.infracritical.com
>> [mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Myrcurial
>> Sent: Thursday, August 28, 2008 8:56 AM
>> To: scadasec at news.infracritical.com
>> Subject: Re: [SCADASEC] Protect All Industrial Controllers, Stat!
>>
>> It's as public as it can be... Google's got it.
>>
>> http://www.google.com/search?q=boreas%20vulnerability%20checklist
>>
>> It appears that DHS leaks through the water isac. (wow, that was bad
>> even for me...)
>>
>> The trick appears to be "do what?"
>>
>> ~M
>>
>> On Thu, Aug 28, 2008 at 9:47 AM, Toecker, Michael
>> <mtoecker at burnsmcd.com> wrote:
>>> Kevin,
>>>
>>> I've received this advisory as well. To answer your questions:
>>>
>>> 1. Yes, both advisories appear to be talking about the same
>>> vulnerability.
>>> 2. No, no discussion has taken place to my knowledge about this
>>> vulnerability on this listserv. The advisories were released as DHS
>>> "FOUO", which means that the information contained within the disclosure
>>> cannot be released to the public, media, or other personnel without
>>> valid need-to-know or DHS approval.
>>>
>>> Sincerely,
>>>
>>> Michael Toecker
>>> Control Systems Security Designer
>>> Compliance & Infrastructure Protection
>>> Burns & McDonnell Engineering
>>> 425 South Woods Mill Road
>>> Suite 300
>>> Chesterfield, MO 63017
>>>
>>> Office: 314-682-1545
>>> Cell: 615-948-6954
>>> www.burnsmcd.com
>>>
>>>
>>> -----Original Message-----
>>> From: scadasec-bounces at news.infracritical.com
>>> [mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Kevin
>>> McGrath
>>> Sent: Thursday, August 28, 2008 8:17 AM
>>> To: scadasec at news.infracritical.com
>>> Subject: [SCADASEC] Protect All Industrial Controllers, Stat!
>>>
>>> Howdy,
>>>
>>>> INDUSTRIAL CONTROLLER SYSTEM VULNERABILITY
>>> We received an 8/11/08 "Cyber Security Communique" from the AGA on 8/15
>>> and today I get forwarded a NERC advisory with the below heading dated
>>> 8/27/08:
>>>
>>>> INDUSTRY ADVISORY: ES-ISAC: "Boreas" Firmware Vulnerability
>>> 1) Are they talking about the same thing?
>>>
>>> 2) Has this been discussed here or elsewhere already & I may have missed
>>> it?
>>>
>>> INL testing results seem to have generated at least the NERC alert.
>>>
>>> IMHO, both alerts seemed to be of a very general nature as in "check all
>>> your controllers ASAP and do something".
>>>
>>> Thanks,
>>> Kevin
>>>
>>>
>>>
>>>
>>> ********************************************************************************
>>> This e-mail and any files transmitted with it, are confidential to
>>> National Grid and are intended solely for the use of the individual or
>>> entity to whom they are addressed. If you have received this e-mail in
>>> error, please reply to this message and let the sender know.
>>>
>>> _______________________________________________
>>> To unsubscribe from this mailing list, please visit:
>>> http://news.infracritical.com/mailman/listinfo/scadasec
>>>
>>> To review our usage policy, please visit:
>>> http://www.infracritical.com/usage-scadasec.html