OUCH on Passwords

May 13, 2013

One of the “Useful Links” in the sidebar here is to the SANS Internet Storm Center [ISC]. The site, staffed by volunteer “handlers” (a group of highly skilled and experienced security professionals and systems/network administrators), is a very valuable source of the latest security news. It is, however, a site aimed at IT professionals, and understandably tends to be fairly technical, assuming a fair amount of basic IT knowledge to begin with.

However, to their credit, the folks at SANS have not neglected the ordinary user. For a couple of years now SANS has run an initiative called Securing the Human, which tries to address security awareness and policy from the user’s perspective. (In the interests of honesty, from personal experience, I am bound to say that this is probably not entirely from altruistic motives — better educated users are, on the whole, less likely to make terminally stupid mistakes.) The Securing the Human initiative also publishes a newsletter called OUCH!, which is oriented toward end users.

The latest issue of OUCH! has a short (three-page) article on good password practice [PDF]. It has some good, common-sense advice that will help you use passwords securely. If you are a systems administrator, you might want to consider giving copies to your users.

I’d just make one final suggestion: using a password manager, such as Bruce Schneier’s Password Safe, can be a big help in managing your passwords and using them well, since it lets you use a different, randomly generated password for every site. The one password you then have to remember and protect is the master passphrase that unlocks the manager, so make that one long and unique.


Exploring SCADA Security

August 20, 2012

I’ve written here a few times about the security risks associated with some industrial control systems, sometimes called SCADA systems (for Supervisory Control And Data Acquisition). Many of these systems were designed initially for an isolated environment, and the protocols they speak typically have no authentication or integrity checking at all; when such a system is connected to the Internet, any host that can reach the controller on the network can often issue it commands. The notable recent example of this is, of course, the Stuxnet worm, which attacked the Siemens control system used at the Iranian nuclear facility at Natanz, destroying a number of centrifuges.

If you are interested in learning a bit more about how these systems are put together, and how they can be attacked, there is a diary post at the SANS Internet Storm Center, by Manuel Humberto Santander Pelaez, one of the ISC’s volunteer handlers, that gives a good overview of the problem in the context of a specific type of attack. He describes the system architecture, as well as the protocols used, and shows how spoofed messages can be injected to cause mischief. Reading it will not make you an expert on SCADA security, but it may provide a useful bit of context.
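To make the “spoofed messages” point concrete, here is an added example (my own illustration, not code from the ISC diary or from any vendor) using Modbus/TCP, a common unauthenticated ICS protocol; the diary’s own protocol is not named above, so Modbus is an assumption chosen as a representative case. The code builds a “write single register” request exactly as a legitimate master would, parses it back, and then runs a small passive monitor over constructed sample traffic: the attacker’s frame is byte-for-byte the same shape as the master’s, and the only thing that distinguishes it is a source address that is not on an allowlist of known masters. The IP addresses, register numbers and the allowlist are all made up for the example.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP frame layout (per the Modbus Application Protocol spec):
#   MBAP header: transaction id (2), protocol id (2, always 0),
#                length (2, bytes following this field), unit id (1)
#   PDU:         function code (1) + function-specific data
# There is no field anywhere in the frame that identifies or
# authenticates the sender; a device simply acts on what it receives.

FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
# Function codes that change device state (single/multiple coil/register writes).
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int
    value: int   # register value, coil state, or quantity, depending on function


def build_write_single_register(transaction_id, unit_id, address, value):
    """Encode a function-6 request. Anyone who can reach TCP/502 can send this."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_request(frame):
    """Decode the MBAP header and the simple fixed-size PDUs (FC 3, 5, 6)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("not Modbus (protocol id must be 0)")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    if fc in (FC_READ_HOLDING_REGISTERS, FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER):
        if len(frame) != 12:
            raise ValueError("unexpected PDU size for function %d" % fc)
        address, value = struct.unpack(">HH", frame[8:12])
    else:
        # Other function codes are out of scope here; keep the header only.
        address, value = 0, 0
    return ModbusRequest(tid, uid, fc, address, value)


def flag_unauthorized_writes(packets, allowed_masters):
    """Passive monitor: report write requests whose source is not a known master.

    packets is an iterable of (source_ip, frame_bytes). This is a detection
    aid only: since the protocol never checks the sender, a spoofed source IP
    would pass this check just as easily as it passes the device itself.
    """
    alerts = []
    for src, frame in packets:
        try:
            req = parse_request(frame)
        except ValueError as err:
            alerts.append((src, "malformed: %s" % err))
            continue
        if req.function in WRITE_FUNCTIONS and src not in allowed_masters:
            alerts.append((src, "write FC 0x%02x to unit %d addr %d value %d"
                           % (req.function, req.unit_id, req.address, req.value)))
    return alerts


# Constructed sample traffic (made-up addresses and register numbers).
ALLOWED_MASTERS = {"10.0.0.5"}
SAMPLE_PACKETS = [
    # The real HMI/master sets a setpoint register.
    ("10.0.0.5", build_write_single_register(1, 1, 0x0010, 0x1234)),
    # An unknown host sends an identically formed frame zeroing the same register.
    ("10.0.0.99", build_write_single_register(2, 1, 0x0010, 0x0000)),
    # A read from the unknown host is not flagged: it changes nothing.
    ("10.0.0.99", struct.pack(">HHHBBHH", 3, 0, 6, 1, FC_READ_HOLDING_REGISTERS, 0x0010, 1)),
]


def run_sample():
    return flag_unauthorized_writes(SAMPLE_PACKETS, ALLOWED_MASTERS)


if __name__ == "__main__":
    for src, msg in run_sample():
        print("ALERT %s: %s" % (src, msg))
```

The point of the example is the second packet: nothing the device sees lets it tell the attacker’s write from the operator’s, so the only defences are keeping the protocol off untrusted networks and watching the traffic from outside the device, as the monitor does.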
