Internet of Shite, Nightmare of IoT Commences →
NIST Releases Revision 2, Guide to Industrial Control Systems (ICS) Security
The National Institute of Standards and Technology (NIST) has announced the release of Special Publication 800-82, Revision 2, Guide to Industrial Control Systems (ICS) Security. Outstanding.
CyberLock Versus IOActive, Targets Lock Research As DMCA Violation →
Reports of threats made by attorneys for CyberLock targeting security researchers at IOActive have appeared at Ars Technica. The piece, written by the inimitable Dan Goodin, details the work accomplished by the researchers. We've seen this form of bad behavior by outed lock manufacturers before, interestingly - most (if not all) to no avail.
The money quote:
'Thursday's advisory from security firm IOActive is notable not only for the serious security issues it reported in the CyberLock line of access control systems, which are certified to meet a wide range of US governmental requirements and certifications. The report is also the topic of a legal threat from CyberLock attorneys who invoked draconian provisions of the Digital Millennium Copyright Act if IOActive disclosed the vulnerabilities. A redacted version of a letter CyberLock outside attorneys sent IOActive researcher Mike Davis has reignited a long-standing tension between whether it should be legally permissible for researchers to publicly disclose unfixed vulnerabilities in the products they test.' - via Dan Goodin at ArsTechnica
NIST Announces New Internal Report Targeting Smart Metering →
The National Institute of Standards and Technology (NIST) has announced a new internal report detailing a framework targeting Smart Meter Upgradeability (NIST Internal Report NISTIR 7823, Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework). Authored by Michaela Iorga (a member of the Computer Security Division, in the Information Technology Laboratory (ITL) at NIST) and Scott Shorter (of Electrosoft Services, Inc. in Reston, Virginia), the document is also available at the International DOI System under NIST.IR.7823.
I reckon the document's abstract sums it up quite nicely:
"As electric utilities turn to Advanced Metering Infrastructures (AMIs) to promote the development and deployment of the Smart Grid, one aspect that can benefit from standardization is the upgradeability of Smart Meters. The National Electrical Manufacturers Association (NEMA) standard SG-AMI 1-2009, “Requirements for Smart Meter Upgradeability,” describes functional and security requirements for the secure upgrade—both local and remote—of Smart Meters. This report describes conformance test requirements that may be used voluntarily by testers and/or test laboratories to determine whether Smart Meters and Upgrade Management Systems conform to the requirements of NEMA SG-AMI 1-2009. For each relevant requirement in NEMA SG-AMI 1-2009, the document identifies the information to be provided by the vendor to facilitate testing, and the high-level test procedures to be conducted by the tester/laboratory to determine conformance." - via NIST IR 7823
Meanwhile, you can also track, examine and attempt to contain your surprise at the latest recognized industrial control systems & supervisory control and data acquisition systems vulnerabilities from our colleagues at US-CERT, here.
Gatekeeper
Via MacObserver's John F. Braun comes this chilling tale of a fundamental flaw in Apple Inc.'s Mac OS X Gatekeeper, and how to apply apropos bandaidery, as it were...
NIST Internal Report: Risk Management for Replication Drives Released
NIST, the National Institute of Standards and Technology, has released a new internal report targeting replication device risk management (Replication devices reproduce images, objects or documents from an electronic or physical source, et cetera).
Entitled NIST Internal Report 8023, Risk Management for Replication Devices, the report provides clear and correct guidance on establishing in-house methods, policies and procedures for safeguarding the data stored within replication systems, using the well-used information security triad (Confidentiality, Integrity and Availability) as a baseline.
Replication devices are the perfect example of the so-called 'soft-underbelly' in many (if not all) organizations. These systems are quite often utilized for intelligence gathering activities due to on-board storage and other facilities that enable footprinting of historical data, thereby establishing timelines, and of course, all important raw data to accompany those timelines.
Equation Group →
Going dark in 2014, the Equation Group's malware command and control servers have reportedly been migrated onto United States soil... This, after a nefariously successful run targeting thousands of victims in at least 40 countries. Focusing on vertical industry segments such as the medical, telecom and aerospace sectors, including diplomatic missions, research institutions, military and governments, the Equation Group's malware is apparently fostering speculation as to connections between and betwixt US agencies.
"In an exhaustive report published Monday at the Kaspersky Security Analyst Summit here, researchers stopped short of saying Equation Group was the handiwork of the NSA—but they provided detailed evidence that strongly implicates the US spy agency." - via ArsTechnica's Dan Goodin