Siemens SCADA Hacking Talk Pulled From TakeDownCon 104
alphadogg writes "A planned presentation on security vulnerabilities in Siemens industrial control systems was pulled Wednesday over worries that the information in the talk was too dangerous to be released. Independent security researcher Brian Meixell and Dillon Beresford, with NSS Labs, had been planning to talk Wednesday at a Dallas security conference about problems in Siemens PLC systems, the industrial computers widely used to open and shut valves on factory floors and power plants, control centrifuges, and even operate systems on warships. But the researchers decided to pull the talk at the last minute after Siemens and the US Department of Homeland Security pointed out the possible scope of the problem."
Security through obscurity (Score:4, Insightful)
Perfect example of security through obscurity. Yeah, everyday script kiddies won't be messing around in the systems, but those dedicated to do damage or spy have the time and means to get to know the systems. And it's even easier for them because the systems aren't properly secured.
Secrecy (Score:1, Insightful)
The argument that some knowledge is too dangerous to know is specious and flawed. But I can't tell you how or why for fear of undermining our existing regime of ignorance and ineptitude.
Ummmm.... (Score:2, Insightful)
...doesn't the existance of a virus that can attack such devices make this a zero-day flaw? The hack is public, since anyone can disassemble the virus that's in the wild and see how it works.
And, frankly, I don't see it being awfully difficult for any Black Hat with a mind to to rip out the prior payload and install one that can attack a wider range of devices. Surely it is in the interests of security for corporations to understand what they can do to mitigate the risk of this.
The DHS, IMHO, is acting in a manner that directly threatens US interests and US corporations by preventing those at risk from knowing as much as those who pose a risk. This argument has been had out before, with regards to CERT and when it should post alerts. It was accepted that there would be a reasonable pause to allow a fix. The virus was first discovered in July 15 2010. So the vulnerabilities have been zero-day for 10 months now.
Re:Secrecy (Score:5, Insightful)
Reponsible Disclosure (Score:5, Insightful)