Security Leftovers (2022-01-14)
Got the security controls wrong in OT and maritime? Watch as engineers work around them
Industrial control systems security is slowly improving, partly a result of attention from regulators and lawmakers. However, we often see security controls implemented that don’t take account of the unique challenges that engineers looking after OT environments face. We see controls brought in from IT environments that just don’t work in OT. No-one sat down with the engineers to discuss how systems are used and agreed controls that actually worked in practice.
So what happens?
No surprises – the engineers will work around the control. The controls are broken down, possibly exposing the systems. It’s a familiar story.
Here are a few examples we’ve seen of security controls not taking the real world of OT and/or maritime into account.
The NSA Says that There are No Known Flaws in NIST’s Quantum-Resistant Algorithms [Ed: Bruce Schneier is an NSA parrot. He used to care about real security.]
I believe him. This is what the NSA did with NIST’s candidate algorithms for AES and then for SHA-3. NIST’s Post-Quantum Cryptography Standardization Process looks good.
Can we fix bearer tokens? [Ed: Microsoft GitHub is the opposite of security. Start there...]
Last month I wrote about how bearer tokens are just awful, and a week later Github announced that someone had managed to exfiltrate bearer tokens from Heroku that gave them access to, well, a lot of Github repositories. This has inevitably resulted in a whole bunch of discussion about a number of things, but people seem to be largely ignoring the fundamental issue that maybe we just shouldn't have magical blobs that grant you access to basically everything even if you've copied them from a legitimate holder to Honest John's Totally Legitimate API Consumer.
Rust vs Go – Open Source is about enabling users – Rust lang will complement C around the GNU Linux Kernel (for better safety) – “Amazon, Microsoft, Google” and the White House want to make Open Source more secure [Ed: These companies do not speak for "Open Source" or for security]
Security updates for Monday [LWN.net]
Security updates have been issued by CentOS (gzip, java-1.8.0-openjdk, java-11-openjdk, and zlib), Debian (adminer, htmldoc, imagemagick, libgoogle-gson-java, lrzip, openjdk-8, openssl, and ruby-nokogiri), Fedora (ecdsautils, et, libxml2, podman, and supertux), Mageia (cairo, clamav, curl, fish, freetype2, golang-github-prometheus-client, python-django-registration, python-nbxmpp, python-waitress, and xmlrpc-c), Red Hat (pcs), SUSE (curl, kernel, pidgin, and webkit2gtk3), and Ubuntu (tiff).
