Code Signing, Misconceptions and Realities

Code signing is a security feature that has been around for quite some time and has been proven in many other areas, but it is uncommon to find it in any control system component and very rare to find it in control devices where firmware uploading is an important feature. Without a doubt the technology is useful, and provides a high level of assurance that the code running on the device is the code that you want running on it, but lately I’ve been in too many conversations where code signing is seen as a panacea for any and all security issues we may ever face, and many involved in securing, administering, or pontificating about control systems don’t have a real understanding of the technology even as they praise or denigrate it.

Do the Dumb Thing First

This phrase was hammered into my head during an uncharacteristically interesting AI class during college (I later dropped the class; my hat’s off to those of you who enjoy writing search algorithms all day, I’ll never compete with you for a job), and it’s something that I remind myself of constantly when doing assessments. Much of the work of attacking systems is doing the dumb thing first: a burglar wouldn’t bother to kick in a door without seeing if it’s unlocked first, and neither would a hacker. As exciting as vulnerability research is, the truth is that systems usually aren’t compromised by using 0day, and most vulnerabilities aren’t going to be exploited until someone has put them in an easy-to-use tool.