Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
urbanists.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
We're a server for people who like bikes, transit, and walkable cities. Let's get to know each other!

Administered by:

Server stats:

527
active users

urbanists.social: AboutProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.8

#otsecurity

2 posts2 participants0 posts today
Public
Pen Test Partners

We found unauthenticated remote code execution on an industrial PLC without ever touching the hardware.
 
By unpacking publicly available firmware for the KUNBUS Revolution Pi, our Adam Bromiley discovered four vulnerabilities. Two of them allowed RCE with no authentication required.
 
We dug into a misconfigured Node-RED instance, bypassed authentication in PiCtory, and chained bugs together to gain full control. This could affect safety-critical systems in the real world.
 
The upside? Disclosure was handled properly. KUNBUS and CISA coordinated the response well, and advisories and fixes for all four CVEs are now live.
 
📌Get the full breakdown and links to the advisories here: pentestpartners.com/security-b

#ICS#PLC#CyberSecurity
Public
Kerry Tomlinson

It's rap time! This year's #S4x25 OT security conf rap riffed on organizer Dale Peterson's keynote re: be an "OT security artist."

References to his talk, Grammy's Song of the Year "Not Like Us" by
Kendrick Lamar w/line "I see dead people" & a Picasso-attributed quote re: wield the rules like a pro, then break them like an artist.

Read the rap straight up in bold & yellow highlight and/or read the reference notes below each line.

OT Security Artist Long cyber checklists are such a hassle (Dale’s keynote talked about the frustration of completing complex & overwhelming security tasks) And you got a losing record like season one Ted Lasso (Show about a losing-but-lovable soccer coach) 50-page deliverables that get stuffed in a drawer for a year, so you come back and nothing's changed and everyone's frustrated? Nah, so (Almost word-for-word reference to Dale’s keynote mentions of security reports that aren’t followed) You gotta break the rules just like Picasso (The keynote quoted Picasso: “Learn the rules like a pro so you can break them like an artist,” encouraging you to think outside the box to solve security problems) I see red people. Red team, that is. (Grammy-winning song of the year starts with the line “I see dead people.” Red team=ethical hackers who help test defenses) Pablo's a cubist, you do Kube-ernetes (Cubism=Picasso art form, Kubernetes=type of software) Kerberoasting tickets & Edvard Munching your spaghettis (Kerberoasting tickets=type of cyberattack, Edvard Munch=famous artist) Ultimate firewalls, pleasantly-odored ICS IDS rules, hunting Bessie, time to be throwing our confettis (References various conference talks, including one titled, “Your IDS Rules for ICS Stink…”) No Frosty Goop in your control loop while you're sipping on your YETIS (Frosty Goop=industrial systems malware, YETIS=kind of water bottles) There's still life in this sector. (Still life=art style)
Part 2 Attackers paint, too, they're con artists (I think you have this one on your own  ) Not Eureka --- Guernica and a Heart of Darkness (Eureka=exclamation, Guernica=Picasso masterpiece depicting war, Heart of Darkness = famous novel) The horror, the horror shows us where their heart is (“The horror, the horror”=famous quote from Heart of Darkness) Van Gogh and show them that, hey, you're the smartest (Van Gogh=famous artist) They not like us, they not like us. (Line from Song of the Year, "Not Like Us") You got TMI on your HMI and you got a sick sensor (TMI=too much info, HMI=human machine interface (industrial machine computer screen), sensor=used in industrial control systems) Use your sixth sense or give your six cents or (Sixth Sense=movie with quote, “I see dead people,” give your two cents=offer your opinion) Make guideline volumes less immenser (In Dale’s talk, he explained that writing out long security reports contributes to immense volumes of guidelines) Become a brave priority dispenser (Dale encouraged security people to be brave & use insight to help prioritize security issues rather than just tell everyone to do everything all at once). You wanna pop calc, but it's time to pop paint. (Popping calc=hacking a device or software so you can bring up the calculator function & illustrate your skills, pop paint=doing the same with the Paint program, but this time it also refers to becoming an OT security artist)
#OTSecurity#OTCybersecurity#ICS
ExploreLive feeds
About