I got an interesting email from Adam Crain today. It was part of a
continuing message chain, but he tossed off a new subject:
“FYI, I just announced the release of the DNP3 fuzzer at SANS SCADA in March 2014”
He then provided a link to a new page on his Automatak.com web site - http://www.automatak.com/aegis/.
Adam and his compatriot, Chris Sistrunk, have demonstrated a
talent for finding vulnerabilities in DNP3 applications. They have made a name
for themselves in the last couple of weeks by being listed as the
responsible researchers on 8 ICS-CERT advisories. I don’t know the details of
their disclosure agreements with the affected vendors, but I seriously doubt that
they have made much, if any, money off of these disclosures.
BTW: There are now 17 ‘pending’ disclosures on the Project Robus web site;
two more than earlier this week. So, contrary to my
earlier supposition, they haven’t stopped their testing efforts.
This is the problem that most ‘ethical researchers’ have run
into; there is little or no money to be made from coordinated disclosures.
This is one of the reasons that so many cybersecurity researchers have turned
to selling vulnerabilities on either the black or grey markets; it’s a way to
pay the bills and keep food on the table. The rub, of course, is that these
markets put owner/operators at risk.
Adam, it seems, has come up with a slightly different
marketing angle. Instead of selling vulnerabilities he is effectively going to
sell tools he develops to find vulnerabilities. It is not explicitly pointed
out on his web site, but his email makes clear that he is looking to vendors
and utility owner/operators to be members of his “consortium of industrial
control system (ICS) stakeholders”, thus staying on the side of ‘ethical hackers’.
BTW: I made the comment in an earlier blog post that other ICS protocols
might undergo examination by
Crain-Sistrunk. A side-bar on the AEGIS page points out that there is a “Modbus
master/slave” under development. I suspect that we will shortly begin seeing
ICS-CERT advisories pointing out vulnerabilities in Modbus-related
applications. Fortunately (sarcasm warning) there aren’t too many of those out
there. In fact, some of those 17 pending disclosures might be Modbus-related
instead of DNP3. Some people would be happy to see that.
It will be interesting to see how well Automatak does with
this project. I hope that he succeeds; we need more owner/operator-friendly hacker
business models.