July 2010 Archives

Dave Navetta of InfoLaw Group posted a review of the "EMI v. Comerica: Comerica's Motion for Summary Judgment" a few weeks ago. Part of the case revolved around the use of one-time code tokens for providing a second authentication factor. The argument, which seems to have succeeded, was that these tokens do not provide a reasonable level of protection for accounts. I couldn't agree more!

Folks, as much as one-time code tokens seem like a good idea, and can have a useful place in authentication schemes, they are also not foolproof. In fact, worse than that, organizations that have deployed these tokens in the foolish belief that they will magically halt all phishing and account hacking attempts are laboring under a delusion.

I have to admit that I don't have any background in SCADA or Smart Grid, nor have I done any research into the topic. That being said, I'd have to be blind to not notice all the references in infosec these past few years to these systems. Shoot, just in the past couple weeks Siemens SCADA network was having issues with a new 0-day of malware (related to LNK files).

Why are SCADA systems connected to the Internet? I just don't see the upside. At all. It seems like these systems were designed to be closed, and that there's not really any good reason for that status to have been changed. So, what am I missing? 10 years ago the hubris-drenched response from energy companies was that we needn't worry as their systems weren't Internet-connected. Now, it seems, we're at the other extreme, with what seems to be no appreciable improvements to infrastructure security.

Wow, where in the world has July gone? I was just looking at my site and realized that I've not posted anything here all month. Oops! I have a few other posts in the hopper, but for the time being, a quick announcement...

David Navetta and I have been accepted to speak at the 2010 ISSA International Conference. The conference will be held in Atlanta, GA, this year on September 16th. Talk details below...