Bugtraq mailing list archives
Re: Vulnerabilities in trading and SCADA softwares
From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 14 Sep 2011 14:26:53 -0400
On Wed, Sep 14, 2011 at 5:13 AM, <fergal.cassidy () measuresoft com> wrote:

Please take this constructively...

> The so called vulnerability in ScadaPro does not apply when the Windows firewall is enabled and under normal circumstances the TCP-IP port is not used to communicate with the ScadaPro service.

Measuresoft should not stake its security on the hopes that a firewall is running. There will be plenty of folks who will do dumb things with it.

> In the next release of ScadaPro the TCP/IP port will not be available and instead a secure web service will be available. Also please note these tests were performed independently of Measuresoft on a demo version and without seeking or obtaining any advice from Measuresoft on how to securely deploy ScadaPro.

Measuresoft should be deploying securely out of the box. Require the user make manual changes to punch holes in the firewall (or do it for them after they answer a yes/no with no as the default). Secure out of the box is a good thing, even if it causes a few immediate hardships.

Jeff