Posts Tagged ‘software’
Thursday, February 27, 2014 @ 05:02 PM gHale
Third-party programs accounted for three quarters of the vulnerabilities discovered in the 50 most popular programs in 2013, new research found.
Those 50 programs pervade enterprise IT infrastructures, either as integral business tools approved, monitored and maintained by IT operations – for example PDF readers and Internet browsers; or as apps on the private devices of employees and management, used in the workplace with or without permission, according to Secunia’s Vulnerability Review 2014.
In these Top 50 programs, there were 1,208 vulnerabilities. Third-party programs were responsible for 76 percent of those vulnerabilities, although these programs only account for 34 percent of the 50 most popular programs on private PCs.
The share of Microsoft programs (including the Windows 7 operating system) in the Top 50 is a prominent 33 products, or 66 percent. Having said that, Microsoft programs were responsible for 24 percent of the vulnerabilities in the Top 50 programs in 2013.
In the classic lexicon of a home seller, all you need is one buyer. The same is true for attackers: All you need is one vulnerability. One well-documented case of how a single vulnerability can open the door to a security breach is the U.S. Department of Energy (DoE) breach in 2013, which incurred costs of $1.6 million and resulted in the theft of the personal information of 104,000 employees and their families.
The DoE security breach was the result of a combination of managerial and technological system weaknesses – the perfect feeding ground for hackers, enabling them to exploit vulnerabilities present in an infrastructure.
“It is one thing that third-party programs are responsible for the majority of vulnerabilities on a typical PC, rather than Microsoft programs,” said Secunia CTO, Morten R. Stengaard.
“Another very important security factor is how easy it is to update Microsoft programs compared to third-party programs,” he said. “Quite simply, the automation with which Microsoft security updates are made available to end users – through auto-updates, Configuration Management systems and update services – ensures that it is a reasonably simple task to protect private PCs and corporate infrastructures from the vulnerabilities discovered in Microsoft products. This is not so with the large number of third-party vendors, many of whom lack either the capabilities, resources or security focus to make security updates automatically and easily available.”
Monday, January 20, 2014 @ 02:01 PM gHale
By Ellen Fussell Policastro
With manufacturing moving more toward a digital environment, security will gain greater importance in the years to come.
“With manufacturing going digital, that leads to extraordinary improvements,” said Helmuth Ludwig, chief executive of Siemens Industry Sector U.S. during a conference call Friday discussing the outlook for the manufacturing sector.
Moving more toward a digital environment means more use of, and reliance upon, software, which could bring great benefits and opportunities for manufacturers. However, that can also introduce the potential for security issues.
“The ability to optimize manufacturing flow with minimized downtime and at the same time supporting this with security systems where the leading companies are working with Siemens very strongly can ensure the manufacturing environment is as secure as possible, which then generates these optimizations.”
Ludwig conducted the conference call from the Detroit Motor Show which was an appropriate backdrop to discuss manufacturing because he saw great promise for the industry as a whole, but especially for the auto industry. Two other industries that showed great promise, he said, were oil and gas and chemical.
Touching the treetops of many reasons to be optimistic this year, Ludwig landed firmly on three main reasons: Virtual planning, software, and education – making manufacturing attractive to students.
One of the trends that will increase optimism in 2014 is the use of virtual planning for physical realizations.
“You not only see cars at the motor show, but you see assembly lines – a great example of today’s modern manufacturing — virtually planned and physically realized,” Ludwig said. “Industrial production is at a ten-year high. We’re at a five-year high in sales. Some voices say next year, the gross might flatten off. At the same time you see the automotive industry positive around the future. Volkswagen announced they will invest $7 billion here in North America.”
Ludwig pointed to the Mars Rover as another prime example of virtual planning.
“We hear again and again about the Mars Rover bringing new observations to Earth. It is larger than anything ever sent to Mars.” The mission was to bring it down safely on the surface of Mars. To study this, scientists came up with a complex version of ways to virtually bring it down. “There was no physical alternative; they couldn’t send physical test modules up to Mars.” But they used an integration of virtual testing to accomplish a physical realization.
Software the Key
The key to virtual planning is the use of software, which can change productivity enormously in manufacturing.
“One of our partners is running a virtual machine in parallel with their physical machines,” he said. “They test the new parts introduction in virtual environments, and the downtime of the machine during the changeover process is significantly reduced.”
Software will lead to manufacturing optimism especially in the U.S. because, “there is no country where software is more advanced than in the U.S.,” he said. “People are thinking day and night about software, and 65 percent of all the top hundred software companies are actually headquartered in the U.S.” This becomes even more extreme when you look at the revenue. In fact, U.S. software companies account for 79 percent of the revenue of the top hundred software companies.
Luring Young People
With an aging population, especially in the manufacturing sector, the need to make manufacturing attractive to young people is even more crucial now. The economic recovery in several technical markets and the strength of physical and virtual manufacturing mean nothing without the right people in place, Ludwig said.
“While so many years the focus has gone away from education, now we’re back on track, making the job of making things attractive to young people,” he said. One way is with 3D printing and expanding apprenticeship programs. One such program is Siemens’ apprenticeship program with Central Piedmont Community College in Charlotte, NC. After three and a half years of training, students learn all aspects of electronics and have a chance to apply it when they leave the program. “They’ll be paid a higher salary than the average college graduate, and they have no debt,” he said. “So there’s another reason that makes manufacturing attractive.”
Siemens is also working with top universities, supported by government initiatives under the advanced manufacturing partnership.
“We’re working together with manufacturing institutes in North Carolina,” he said. “In the first year we (appropriated) $40 million in software. Why? We believe this is the best way of assuring sustainable manufacturing.”
Ellen Fussell Policastro is a freelance writer in Raleigh, NC. Her email is firstname.lastname@example.org.
Wednesday, October 9, 2013 @ 05:10 PM gHale
Safety awards may not garner the publicity of the big name shows like the Academy Awards, but rest assured they are more important as they help keep people and property safe.
Along those lines, functional safety and cyber security certification provider exida named the winners of its first Safety Awards 2013.
Awards were for three categories: Sensors, Logic Solvers, and Software products that best demonstrate innovative work and have the ability to play a key role in the continuous journey of making the world a safer place.
The following companies/products have earned this year’s honors:
• Sensors, and the winner is: Det-tronics’ FlexSonic Acoustic Detector
• Logic Solvers, and the winner is: Emerson Process Management’s DeltaV SIS with Electronic Marshalling
• Software, and the winner is: System Engineering Consultants Co., Ltd.’s RTMSafety
“We received several nominations for products that demonstrated exceptional work, making the decision process very difficult,” said Dr. William Goble, exida principal partner.
“exida recognizes the importance of excellence in functional safety, and congratulates the winners of this year’s awards,” he said. “We commend their commitments to manufacturing/designing products that are sure to make a difference in the ever-evolving world of functional safety.”
This is the first year exida conducted the awards and they are looking to make this an annual event.
Wednesday, October 9, 2013 @ 01:10 PM gHale
Alstom created a patch that mitigates an improper input validation vulnerability in its e-terracontrol software, according to a report on ICS-CERT.
Adam Crain of Automatak and independent researcher Chris Sistrunk, who found the vulnerability, tested the patch to validate that it resolves the remotely exploitable vulnerability.
The following Alstom product suffers from the issue: e-terracontrol, Versions 3.5, 3.6, and 3.7.
Successful exploitation of this vulnerability could allow an attacker to affect the availability of the Alstom e-terracontrol software.
Alstom is a France-based company that maintains offices worldwide. The affected product, Alstom e-terracontrol software, applies mainly to SCADA systems that monitor and control electrical energy systems. According to Alstom, e-terracontrol software is used mainly in the electric energy sector. Alstom estimates these products are deployed primarily in the U.S. and Europe, with a small percentage in Asia.
The Alstom e-terracontrol software does not validate or incorrectly validates input. An attacker could cause the software to go into an infinite loop, causing the process to crash. To clear the problem, a user would have to manually restart the system.
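The bug class described above, an input parser that never advances on a malformed length field and so spins forever, is easy to reproduce in miniature. The following is an added, hypothetical illustration (not Alstom's code, and not the actual e-terracontrol defect): a two-byte record header where the length byte is trusted by the vulnerable parser and checked by the hardened one. The `step_budget` in the vulnerable version exists only so the demonstration returns instead of hanging; `None` stands for "the real code would never terminate".

```python
"""Hypothetical length-prefixed record format: [type:1][total_len:1][payload...].
total_len counts the header too, so a well-formed record has total_len >= 2.
Constructed for illustration; this is not Alstom's protocol or code."""

HEADER_LEN = 2


def parse_records_unchecked(data: bytes, step_budget: int = 10_000):
    """Vulnerable parser: trusts total_len. A record declaring total_len == 0
    leaves `pos` unchanged, so the loop never terminates (the process hangs
    and has to be restarted by hand). The step budget is a demo-only guard;
    None means "would loop forever". Note also that an over-long total_len
    is silently accepted because Python slicing truncates; in C the same
    code would read past the buffer."""
    records, pos, steps = [], 0, 0
    while pos < len(data):
        steps += 1
        if steps > step_budget:
            return None
        rtype, total_len = data[pos], data[pos + 1]
        records.append((rtype, bytes(data[pos + HEADER_LEN:pos + total_len])))
        pos += total_len
    return records


def parse_records_checked(data: bytes):
    """Hardened parser. Every iteration either raises or advances `pos` by at
    least HEADER_LEN, which guarantees termination; the bounds check rules out
    reading beyond the input."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < HEADER_LEN:
            raise ValueError(f"truncated header at offset {pos}")
        rtype, total_len = data[pos], data[pos + 1]
        if total_len < HEADER_LEN:
            raise ValueError(
                f"record at offset {pos} declares length {total_len}: would not advance")
        if pos + total_len > len(data):
            raise ValueError(
                f"record at offset {pos} declares length {total_len} beyond input end")
        records.append((rtype, bytes(data[pos + HEADER_LEN:pos + total_len])))
        pos += total_len
    return records


def rejected_by_checked(data: bytes) -> bool:
    """True if the hardened parser refuses the input."""
    try:
        parse_records_checked(data)
    except ValueError:
        return True
    return False


# Constructed sample inputs.
GOOD = bytes([0x01, 0x04, 0xAA, 0xBB,   # type 1, 2-byte payload
              0x02, 0x02,               # type 2, empty payload
              0x03, 0x03, 0xCC])        # type 3, 1-byte payload
BAD_ZERO_LEN = bytes([0x01, 0x00, 0xAA])   # length 0: no progress
BAD_OVERRUN = bytes([0x01, 0x09, 0xAA])    # length past end of input

if __name__ == "__main__":
    print("good, unchecked:", parse_records_unchecked(GOOD))
    print("good, checked:  ", parse_records_checked(GOOD))
    print("zero length, unchecked:", parse_records_unchecked(BAD_ZERO_LEN))
    print("zero length, checked rejects:", rejected_by_checked(BAD_ZERO_LEN))
    print("overrun, unchecked:", parse_records_unchecked(BAD_OVERRUN))
    print("overrun, checked rejects:", rejected_by_checked(BAD_OVERRUN))
```

The defensive point is the loop invariant: `pos` must strictly increase on every iteration, and the value that drives it must be validated against both a minimum (the header size) and the remaining input before it is used.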
CVE-2013-2787 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
No known public exploits specifically target this vulnerability, but an attacker with a moderate skill level would be able to exploit this vulnerability.
Alstom produced a patch that is available for download from the Alstom Grid Customer Wise portal.
Tuesday, August 20, 2013 @ 04:08 PM gHale
Vulnerabilities in software and firmware are the easiest ways to attack a system, and two revised publications provide guidance for software patching and warding off malware.
A common method to avoid attacks is to fix the vulnerabilities as soon as possible after the software company develops a patch for the problem. Patch management is the process of identifying, acquiring, installing and verifying patches for products and systems, according to the National Institute of Standards and Technology (NIST), which revised the two publications.
The earlier guidance on patching, “Creating a Patch and Vulnerability Management Program,” was for when patching was a manual process. The revision, “Guide to Enterprise Patch Management Technologies,” is for agencies that take advantage of automated patch management systems such as those based on NIST’s Security Content Automation Protocol (SCAP).
“Guide to Enterprise Patch Management Technologies” explains the technology basics and covers metrics for assessing the technologies’ effectiveness.
The second security document provides guidance to protect computer systems from malware or malicious code. Malware is the most common external threat to most systems and can cause widespread damage and disruption.
NIST’s “Guide to Malware Incident Prevention and Handling for Desktops and Laptops” should help agencies protect against modern malware attacks that are more difficult to detect and eradicate than when the last version was published in 2005. The new guidance reflects the growing use of social engineering and the harvesting of social networking information for targeting attacks.
The new malware guide provides information on how to modernize an organization’s malware incident prevention measures and suggests recommendations to enhance an organization’s existing incident response capability to handle modern malware.
Tuesday, June 18, 2013 @ 08:06 PM gHale
Microsoft released version 4.0 of its Enhanced Mitigation Experience Toolkit (EMET), a free utility that helps prevent memory corruption vulnerabilities in software from being exploited for code execution.
This latest version has a redesigned user interface and addresses known application compatibility issues.
A new exception to the SSL certificate pinning rules was added. If enabled, it makes EMET verify just the Public Key component of the Root CAs present in the rule, without matching subject name and serial number.
The Certificate Trust feature is also available on 64-bit versions of Internet Explorer, and new rules for Twitter, Facebook, and Yahoo! were added to the previous default ones for Microsoft online services.
“When an exploitation attempt is detected and blocked by EMET, a set of information related to the attack is prepared with the Microsoft Error Reporting (MER) functionality. For enterprise customers collecting error reports via tools like Microsoft Desktop Optimization Package or the Client Monitoring feature of System Center Operations Manager, these error reports can be triaged locally and used as an early warning program indicating possible attacks against the corporate network,” said the EMET team two months ago when introducing the beta version of EMET 4.0.
In addition to strengthened mitigation and bypass-blocking techniques, the new version optionally allows users to switch to “Audit Mode,” which reports an exploitation attempt but does not terminate the application. This option is not on by default.
Finally, Group Policy profiles were updated to include the ability to configure system and application mitigations, the reporting mechanisms, the advanced mitigation configurations, and the exploit action.
Tuesday, June 11, 2013 @ 04:06 PM gHale
A piece of malware called Bicololo, originally designed to target Russian Internet users, is now evolving.
A new version of the malware is on a Russian Android app site, said researchers at ThreatTrack Security. Designers of the malicious software actually disguised it as one of ThreatTrack’s products, VIPRE Antivirus.
After analyzing the app site, experts determined its sole purpose is to distribute malware disguised as software, games, movies and music. To make it look more legitimate, the logos of various IT security companies are displayed on the website.
When users press the button to download the bogus antivirus, they end up getting an archive file that contains an executable, “_vipre.exe” and a text file.
Once run, the executable deploys other malicious files. The HOSTS file on the infected system is modified so that every time victims visit a certain website, such as my.mail.ru, odnoklassniki.ru, ok.ru, m.odnoklassniki.ru or vk.ru, they are sent to corresponding phishing pages.
Once Bicololo is run on a system, it drops and executes component files, such as batch (.bat) and script (.vbs) files, and then modifies the HOSTS file, said ThreatTrack researchers.
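HOSTS-file tampering of the kind described above leaves a simple artifact to look for: a public domain the system should resolve through DNS is pinned to an address in the hosts file. The following detection check is an added example, not ThreatTrack's code; it parses hosts-file syntax (comments, multiple hostnames per line), applies suffix matching so a subdomain such as m.odnoklassniki.ru matches a watched parent domain, and distinguishes a redirect to a foreign address from a loopback or 0.0.0.0 sinkhole entry. The sample hosts content and the 203.0.113.x address are constructed (TEST-NET-3), and the watched domain list is taken from the article.

```python
import ipaddress

# Domains the article names as targets of the HOSTS redirection; any entry for
# these (or their subdomains) in a hosts file is suspicious, since they are
# public sites that should resolve through DNS.
WATCHED_DOMAINS = {"my.mail.ru", "odnoklassniki.ru", "ok.ru", "vk.ru"}


def _is_watched(hostname: str, watched: set) -> bool:
    """Exact match or subdomain match against the watched set."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_hosts_tampering(hosts_text: str, watched: set = WATCHED_DOMAINS):
    """Return a list of (hostname, ip, kind) for every watched domain pinned in
    the hosts file. kind is 'redirect' when the address is routable (the
    phishing case from the article) and 'sinkhole' when it is loopback or
    unspecified (blocking rather than redirecting, still worth reporting)."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not a hosts entry; ignore
        for hostname in (h.lower() for h in fields[1:]):
            if not _is_watched(hostname, watched):
                continue
            kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
            findings.append((hostname, str(ip), kind))
    return findings


# Constructed sample hosts file: two stock lines, then tampered entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are constructed for this example
203.0.113.5     my.mail.ru
203.0.113.5     VK.RU m.odnoklassniki.ru   # several names on one line
127.0.0.1       ok.ru
0.0.0.0         ads.example
"""

if __name__ == "__main__":
    for hostname, ip, kind in find_hosts_tampering(SAMPLE_HOSTS):
        print(f"{kind:8s} {hostname:22s} -> {ip}")
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; on Unix-like systems `/etc/hosts`. Any hit is a reason to treat the machine as compromised rather than just to clean the file, since the article notes the HOSTS change is only one of several components the dropper installs.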
ThreatTrack Security’s Jovi Umawing reports the phishing pages have very nice designs.
Additional technical details regarding this Bicololo variant are available on ThreatTrack Security’s blog.
Monday, May 20, 2013 @ 04:05 PM gHale
The developers of the open source cloud storage and collaboration suite ownCloud released an update to their software that closes critical vulnerabilities.
Version 5.0.6 of ownCloud closes holes that allowed authenticated users to inject SQL commands and execute PHP code on the server or allowed them to download other users’ calendars.
Another flaw allows unauthenticated attackers to execute API commands with admin privileges by making use of cross-site request forgery (CSRF).
The ownCloud server could also be misused as a spam source by turning it into an open email redirector, a problem the developers fixed with the update. The update also fixes a number of additional, non-security-related bugs; a complete list of all improvements is available on ownCloud’s Change Log web page.
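The two vulnerability classes named above, SQL injection by an authenticated user and CSRF against admin API calls, both come down to trusting request data. The following added example (not ownCloud's code, which is PHP; this is a Python illustration using an in-memory SQLite table with constructed rows) puts a string-concatenated query next to its parameterized replacement, and pairs it with a per-session CSRF token check for a hypothetical admin endpoint. The `admin_api` function, the `calendars` table and the user names are assumptions for the demonstration.

```python
import hmac
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed calendar table: two users, three calendars."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE calendars (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO calendars (owner, name) VALUES (?, ?)",
                     [("alice", "Alice work"), ("alice", "Alice private"), ("bob", "Bob private")])
    conn.commit()
    return conn


def calendars_vulnerable(conn, owner: str):
    """Vulnerable: the request value is spliced into the SQL text, so quote
    characters in it become SQL syntax and the WHERE clause can be rewritten
    to return other users' calendars."""
    sql = f"SELECT name FROM calendars WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def calendars_fixed(conn, owner: str):
    """Fixed: a bound parameter is always a literal value, never SQL syntax."""
    return [row[0] for row in conn.execute("SELECT name FROM calendars WHERE owner = ?", (owner,))]


# --- CSRF: tie state-changing admin calls to a secret the attacker's page cannot read ---

def issue_csrf_token(session: dict) -> str:
    """Generate a random per-session token; it is sent to the legitimate page
    and must be echoed back with every state-changing request."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session: dict, submitted) -> bool:
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)   # constant-time compare


def admin_api(session: dict, submitted_token, action: str) -> str:
    """Hypothetical admin endpoint: requires an admin session AND a valid CSRF
    token. A cross-site request forged from another page carries the victim's
    session cookie but not the token, so it is denied."""
    if session.get("role") != "admin":
        return "denied: not admin"
    if not csrf_token_valid(session, submitted_token):
        return "denied: missing or invalid csrf token"
    return f"ok: {action}"


if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"    # textbook injection value, constructed
    print("alice (vulnerable):", calendars_vulnerable(conn, "alice"))
    print("crafted (vulnerable):", calendars_vulnerable(conn, crafted))
    print("crafted (fixed):", calendars_fixed(conn, crafted))
    sess = {"role": "admin"}
    print(admin_api(sess, None, "create_user"))            # forged request
    tok = issue_csrf_token(sess)
    print(admin_api(sess, tok, "create_user"))             # legitimate request
```

The parameterized query is the whole fix for the injection case; for the calendar-download case the server should additionally take `owner` from the authenticated session rather than from a request parameter, so the caller cannot name another user at all.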
Because of the serious nature of the vulnerabilities, users should upgrade to ownCloud 5.0.6 as soon as possible.
Some of the security vulnerabilities also affect ownCloud 4.0.x and 4.5.x; for these versions the developers released ownCloud 4.0.15 and 4.5.11, which exclusively fix the security problems and include no further bug fixes. Users can download the updated versions of ownCloud from the project’s web site.
Tuesday, May 14, 2013 @ 04:05 PM gHale
Self-detecting devices are under development for SCADA systems. A prototype lets SCADA devices police one another in order to catch and cut off a power plant or factory floor device that has been compromised.
A new algorithm can detect devices not conducting their usual work. The secure distributed control program can work within SCADA systems, such as robots or PLCs, with embedded software. The software, developed by researchers at North Carolina State University, detects and then isolates a compromised device.
This software uses a reputation manager for the devices, so if one robot or PLC starts doing something it’s not supposed to do, or it even exceeds a certain threshold such as improperly accelerating or slowing its speed, other robots or devices can detect the uncharacteristic behavior, sound an alarm, and cut it off from their operations to minimize or stop any damage.
This peer-level SCADA security would augment existing and emerging SCADA security products and features, the researchers said. The algorithm could be added to existing software in control systems with some minor coding modifications, the researchers said.
“Commercial SCADA security uses a police car and travels and monitors the area. Ours is more like a community [neighborhood] watch,” said Mo-Yuen Chow, a professor of electrical and computer engineering at NC State and co-author of research on the subject. “Each of the devices watch each other and talk to [their] neighbor.”
It’s a next-generation security technology for those that truly understand they will suffer a breach. This will help minimize the damage.
“Our [technology] assumes the attack is already [occurring] and the device is already compromised,” said Wente Zeng, an NC State Ph.D. student who worked on the prototype. “After that, it [focuses on] how can we still make sure the rest of the system can work well” and uninterrupted, he said.
Each local SCADA device monitors the others so if one device behaves abnormally, the others shut down its communications, Zeng said. “So we can isolate the attack from the system.”
The researchers ran a simulation with robots containing the embedded software and controller.
“If one robot is compromised, it will affect other robots, so some of them would go to the wrong place,” Zeng said. “With our code, each is monitoring each other, so if this robot behaves weirdly,” it is cut off. “There’s a controller on the robot … and they talk to each other with the simple algorithm.”
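The peer-watch scheme described above (the reputation manager and threshold in the earlier paragraph, and the mutual monitoring and cut-off in the quotes just given) can be sketched as a small simulation. This is an added example, not the NC State prototype or its published algorithm: every device keeps a reputation score for each peer, penalizes a peer whose reported speed deviates from its setpoint by more than a threshold, slowly restores the score when behaviour is normal so transient noise is tolerated, and stops communicating with a peer whose score reaches zero. The devices, setpoints and per-round readings are constructed.

```python
def deviation(reported: float, setpoint: float) -> float:
    """Relative deviation of a reported value from the peer's known setpoint."""
    return abs(reported - setpoint) / setpoint


def run_peer_watch(devices: dict, rounds: list, threshold: float = 0.15,
                   initial_rep: float = 2.0, penalty: float = 1.0, recovery: float = 0.25):
    """devices: name -> setpoint speed that every neighbour knows.
    rounds:  list of {name: reported speed} snapshots, one per control cycle.
    Returns (isolated, reps): for each observer, the set of peers it has cut
    off, and its final reputation score for every peer.
    Each device judges every peer independently, so there is no central
    monitor to compromise (the 'neighbourhood watch' in the article)."""
    reps = {o: {p: initial_rep for p in devices if p != o} for o in devices}
    isolated = {o: set() for o in devices}
    for readings in rounds:
        for observer in devices:
            for peer in devices:
                if peer == observer or peer in isolated[observer]:
                    continue                      # already cut off: ignore its traffic
                if deviation(readings[peer], devices[peer]) > threshold:
                    reps[observer][peer] -= penalty
                else:                             # normal behaviour slowly restores trust
                    reps[observer][peer] = min(initial_rep, reps[observer][peer] + recovery)
                if reps[observer][peer] <= 0:
                    isolated[observer].add(peer)  # sound the alarm and drop the peer
    return isolated, reps


# Constructed scenario: three robots with a 1.0 m/s setpoint. r3 is compromised
# after the first cycle and reports an accelerating speed; r1 and r2 show only
# normal jitter.
DEVICES = {"r1": 1.0, "r2": 1.0, "r3": 1.0}
ROUNDS = [
    {"r1": 0.98, "r2": 1.03, "r3": 1.00},
    {"r1": 1.01, "r2": 0.97, "r3": 1.60},   # 60% over setpoint: penalty
    {"r1": 0.99, "r2": 1.02, "r3": 1.80},   # second strike: score hits zero, isolated
    {"r1": 1.00, "r2": 1.00, "r3": 2.00},   # ignored by r1 and r2 from here on
]

if __name__ == "__main__":
    isolated, reps = run_peer_watch(DEVICES, ROUNDS)
    for observer in DEVICES:
        print(f"{observer}: isolated={sorted(isolated[observer])} reps={reps[observer]}")
```

The accumulated-penalty design is deliberate: a single out-of-band reading does not trigger isolation, which addresses the caveat later in the article that normal and abnormal behaviour are not always easy to tell apart, but it also means a slow, within-threshold drift would go unnoticed. The threshold and penalty parameters are where that trade-off is tuned for a given plant.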
The researchers said they plan to patent the algorithm and explore commercialization prospects for the technology.
Distinguishing between normal and abnormal behavior isn’t always so straightforward, and sophisticated attackers could find ways to taint the information in some way, according to some security experts.
The researchers’ technical paper, “Convergence and Recovery Analysis of the Secure Distributed Control Methodology for D-NCS,” is available online.