Posts Tagged ‘software’
Wednesday, October 9, 2013 @ 05:10 PM gHale
Safety awards may not garner the publicity of the big name shows like the Academy Awards, but rest assured they are more important as they help keep people and property safe.
Along those lines, functional safety and cyber security certification provider exida named the winners of its first Safety Awards 2013.
Awards were for three categories: Sensors, Logic Solvers, and Software products that best demonstrate innovative work and have the ability to play a key role in the continuous journey of making the world a safer place.
The following companies/products have earned this year’s honors:
• Sensors, and the winner is: Det-tronics’ FlexSonic Acoustic Detector
• Logic Solvers, and the winner is: Emerson Process Management’s DeltaV SIS with Electronic Marshalling
• Software, and the winner is: System Engineering Consultants Co., Ltd.’s RTMSafety
“We received several nominations for products that demonstrated exceptional work, making the decision process very difficult,” said Dr. William Goble, exida principal partner.
“exida recognizes the importance of excellence in functional safety, and congratulates the winners of this year’s awards,” he said. “We commend their commitments to manufacturing/designing products that are sure to make a difference in the ever-evolving world of functional safety.”
This is the first year exida conducted the awards and they are looking to make this an annual event.
Wednesday, October 9, 2013 @ 01:10 PM gHale
Alstom created a patch that mitigates an improper input validation vulnerability in its e-terracontrol software, according to a report on ICS-CERT.
Adam Crain of Automatak and independent researcher Chris Sistrunk, who found the vulnerability, tested the patch to validate that it resolves the remotely exploitable vulnerability.
The following Alstom product suffers from the issue: e-terracontrol, Versions 3.5, 3.6, and 3.7.
Successful exploitation of this vulnerability could allow an attacker to affect the availability of the Alstom e-terracontrol software.
Alstom is a France-based company that maintains offices worldwide. The affected product, Alstom e-terracontrol software, applies mainly to SCADA systems to monitor and control electrical energy systems. According to Alstom, e-terracontrol software is mainly in the electric energy sector. Alstom estimates these products are primarily in the U.S. and Europe with a small percentage in Asia.
The Alstom e-terracontrol software does not validate or incorrectly validates input. An attacker could cause the software to go into an infinite loop, causing the process to crash. To clear the problem, a user would have to manually restart the system.
CVE-2013-2787 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
No known public exploits specifically target this vulnerability, but an attacker with a moderate skill level would be able to exploit this vulnerability.
Alstom produced a patch that is available for download from the Alstom Grid Customer Wise portal.
Tuesday, August 20, 2013 @ 04:08 PM gHale
Vulnerabilities in software and firmware are the easiest ways to attack a system, and two revised publications provide guidance for software patching and warding off malware.
A common method to avoid attacks is to fix the vulnerabilities as soon as possible after the software company develops a patch for the problem. Patch management is the process of identifying, acquiring, installing and verifying patches for products and systems, according to the National Institute of Standards and Technology (NIST), which revised the two publications.
The earlier guidance on patching, “Creating a Patch and Vulnerability Management Program,” was for when patching was a manual process. The revision, “Guide to Enterprise Patch Management Technologies,” is for agencies that take advantage of automated patch management systems such as those based on NIST’s Security Content Automation Protocol (SCAP).
“Guide to Enterprise Patch Management Technologies” explains the technology basics and covers metrics for assessing the technologies’ effectiveness.
The second security document provides guidance to protect computer systems from malware or malicious code. Malware is the most common external threat to most systems and can cause widespread damage and disruption.
NIST’s “Guide to Malware Incident Prevention and Handling for Desktops and Laptops” should help agencies protect against modern malware attacks that are more difficult to detect and eradicate than when the last version was published in 2005. The new guidance reflects the growing use of social engineering and the harvesting of social networking information for targeting attacks.
The new malware guide provides information on how to modernize an organization’s malware incident prevention measures and suggests recommendations to enhance an organization’s existing incident response capability to handle modern malware.
Tuesday, June 18, 2013 @ 08:06 PM gHale
Microsoft released version 4.0 of its Enhanced Mitigation Experience Toolkit (EMET), a free utility that helps prevent memory corruption vulnerabilities in software from being exploited for code execution.
This latest version has a redesigned user interface and addresses known application compatibility issues.
A new exception to the SSL certificate pinning rules was added. If enabled, it makes EMET verify just the Public Key component of the Root CAs present in the rule without matching subject name and serial number.
The Certificate Trust feature is also available on 64-bit versions of Internet Explorer, and new rules for Twitter, Facebook, and Yahoo! were added to the previous default ones for Microsoft online services.
“When an exploitation attempt is detected and blocked by EMET, a set of information related to the attack is prepared with the Microsoft Error Reporting (MER) functionality. For enterprise customers collecting error reports via tools like Microsoft Desktop Optimization Package or the Client Monitoring feature of System Center Operations Manager, these error reports can be triaged locally and used as an early warning program indicating possible attacks against the corporate network,” said the EMET team two months ago when introducing the beta version of EMET 4.0.
In addition to strengthened mitigation and bypass-blocking techniques, the new version occasionally also allows users to switch to “Audit Mode,” in which an exploitation attempt is reported but the application is not terminated. This option is not on by default.
Finally, Group Policy profiles were updated to include the ability to configure system and application mitigations, the reporting mechanisms, the advanced mitigation configurations, and the exploit action.
Click here to download the toolkit.
Tuesday, June 11, 2013 @ 04:06 PM gHale
A piece of malware called Bicololo, originally designed to target Russian Internet users, is now evolving.
A new version of the malware is on a Russian Android app site, said researchers at ThreatTrack Security. Designers of the malicious software actually disguised it as one of ThreatTrack’s products, VIPRE Antivirus.
After analyzing the app site, experts determined its sole purpose is to distribute malware disguised as software, games, movies and music. To make it look more legitimate, the website displays the logos of various IT security companies.
When users press the button to download the bogus antivirus, they get an archive file that contains an executable, “_vipre.exe”, and a text file.
Once run, the executable deploys other malicious files. The HOSTS file on the infected system is modified so that every time victims visit a certain website, such as my.mail.ru, odnoklassniki.ru, ok.ru, m.odnoklassniki.ru or vk.ru, they go to corresponding phishing pages.
Once Bicololo is run on a system, it drops and executes component files, such as batch (.bat) and script (.vbs) files, and then modifies the HOSTS file, ThreatTrack researchers said.
ThreatTrack Security’s Jovi Umawing reports the phishing pages have very nice designs.
Additional technical details regarding this Bicololo variant are available on ThreatTrack Security’s blog.
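A defender can check for the HOSTS-file redirection described above by parsing the file and flagging any mapping that sends one of the named domains to a non-local address. The following Python sketch is an added example, not code from ThreatTrack or from this article; the sample file contents and the 203.0.113.x addresses are constructed for illustration and are not indicators from the actual malware.

```python
"""Flag HOSTS-file mappings that redirect watched domains (added example)."""
import ipaddress

# Domains the article lists as redirected by this Bicololo variant.
WATCHED = {"my.mail.ru", "odnoklassniki.ru", "ok.ru", "m.odnoklassniki.ru", "vk.ru"}

# Constructed sample; 203.0.113.0/24 is a documentation range, not a real IoC.
SAMPLE_HOSTS = "\n".join([
    "# Constructed sample HOSTS file",
    "127.0.0.1       localhost",
    "::1             localhost",
    "",
    "203.0.113.10    my.mail.ru",
    "203.0.113.10\tVK.ru www.vk.ru   # several names on one line",
    "127.0.0.1       ok.ru",
    "203.0.113.25    intranet.example.com",
])


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in HOSTS-format text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        # Drop trailing comments, then split on any run of spaces or tabs.
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: skip the malformed line
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")


def redirected_entries(text, watched=WATCHED):
    """Return mappings that send a watched domain to a non-local address."""
    hits = []
    for line_no, ip, name in parse_hosts(text):
        base = name[4:] if name.startswith("www.") else name
        if base not in watched:
            continue
        # Loopback or 0.0.0.0 only blocks a site; any other address redirects it.
        if ip.is_loopback or ip.is_unspecified:
            continue
        hits.append({"line": line_no, "host": name, "ip": str(ip)})
    return hits


if __name__ == "__main__":
    for hit in redirected_entries(SAMPLE_HOSTS):
        print("line {line}: {host} -> {ip}".format(**hit))
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; pass its text to `redirected_entries()`.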
Monday, May 20, 2013 @ 04:05 PM gHale
The developers of the open source cloud storage and collaboration suite ownCloud released an update to their software that closes critical vulnerabilities.
Version 5.0.6 of ownCloud closes holes that allowed authenticated users to inject SQL commands and execute PHP code on the server or allowed them to download other users’ calendars.
Another flaw allows unauthenticated attackers to execute API commands with admin privileges by making use of cross-site request forgery (CSRF).
The ownCloud server could also be misused as a spam source by turning it into an open email redirector, a problem which the developers fixed with the update. The update also fixes a number of additional, non-security-related bugs; a complete list of all improvements is available on ownCloud’s Change Log web page.
Because of the serious nature of the vulnerabilities, users should upgrade to ownCloud 5.0.6 as soon as possible.
Some of the security vulnerabilities also affect ownCloud 4.0.x and 4.5.x; for these versions the developers released ownCloud 4.0.15 and 4.5.11, which exclusively fix the security problems and include no further bug fixes. Users can download the updated versions of ownCloud from the project’s web site.
Tuesday, May 14, 2013 @ 04:05 PM gHale
Self-detecting devices are under development for SCADA systems. A prototype lets SCADA devices police one another in order to catch and cut off a power plant or factory floor device that has suffered a compromise.
A new algorithm can detect devices not conducting their usual work. The secure distributed control program can work within SCADA systems, such as robots or PLCs, with embedded software. The software, developed by researchers at North Carolina State University, detects and then isolates a compromised device.
This software uses a reputation manager for the devices, so if one robot or PLC starts doing something it’s not supposed to do, or it even exceeds a certain threshold such as improperly accelerating or slowing its speed, other robots or devices can detect the uncharacteristic behavior, sound an alarm, and cut it off from their operations to minimize or stop any damage.
This peer-level SCADA security would augment existing and emerging SCADA security products and features, the researchers said. The algorithm could be added to existing software in control systems with some minor coding modifications, the researchers said.
“Commercial SCADA security uses a police car and travels and monitors the area. Ours is more like a community [neighborhood] watch,” said Mo-Yuen Chow, a professor of electrical and computer engineering at NC State and co-author of research on the subject. “Each of the devices watch each other and talk to [their] neighbor.”
It’s a next-generation security technology for those that truly understand they will suffer a breach. This will help minimize the damage.
“Our [technology] assumes the attack is already [occurring] and the device is already compromised,” said Wente Zeng, an NC State Ph.D. student who worked on the prototype. “After that, it [focuses on] how can we still make sure the rest of the system can work well” and uninterrupted, he said.
Each local SCADA device monitors the others so if one device behaves abnormally, the others shut down its communications, Zeng said. “So we can isolate the attack from the system.”
The researchers ran a simulation with robots containing the embedded software and controller.
“If one robot is compromised, it will affect other robots, so some of them would go to the wrong place,” Zeng said. “With our code, each is monitoring each other, so if this robot behaves weirdly,” it is cut off. “There’s a controller on the robot … and they talk to each other with the simple algorithm.”
The researchers said they plan to patent the algorithm and explore commercialization prospects for the technology.
Distinguishing between normal and abnormal behavior isn’t always so straightforward, and sophisticated attackers could find ways to taint the information in some way, according to some security experts.
Click here to read the researchers’ technical paper, “Convergence and Recovery Analysis of the Secure Distributed Control Methodology for D-NCS.”
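The neighborhood-watch idea described above can be illustrated with a small simulation in which devices run an averaging (consensus) rule, predict what each peer should broadcast next, and cut off a peer whose reputation drops below a threshold. This Python sketch is an added illustration and is not the NC State researchers' algorithm; the consensus rule, the fully connected topology and all constants are assumptions chosen for the example.

```python
"""Toy peer-monitoring consensus (added illustration, not the NC State algorithm)."""

EPS = 0.2        # consensus step size (assumed)
TOLERANCE = 0.5  # allowed gap between a peer's broadcast and its prediction (assumed)
PENALTY = 0.4    # reputation lost per violation (assumed)
THRESHOLD = 0.5  # a peer whose reputation falls below this is cut off (assumed)


def predicted(prev, j, peers):
    """Value device j should broadcast next if it follows the consensus rule."""
    return prev[j] + EPS * sum(prev[k] - prev[j] for k in peers)


def simulate(initial, compromised, false_value, rounds=40, defend=True):
    """Run the rounds; return (final states, peers isolated by each honest device)."""
    n = len(initial)
    honest = [i for i in range(n) if i not in compromised]
    state = list(initial)
    # rep[i][j]: how much honest device i currently trusts peer j.
    rep = {i: {j: 1.0 for j in range(n) if j != i} for i in honest}
    for _ in range(rounds):
        prev = list(state)
        # Each honest device only listens to peers it still trusts.
        views = {i: [j for j, r in rep[i].items() if r >= THRESHOLD] for i in honest}
        for i in range(n):
            if i in compromised:
                state[i] = false_value          # attacker broadcasts a fixed lie
            else:
                state[i] = predicted(prev, i, views[i])
        if not defend:
            continue
        for i in honest:
            for j in views[i]:
                # Assumption: j listens to the same trusted peers as i, plus i.
                peers_of_j = [k for k in views[i] if k != j] + [i]
                if abs(state[j] - predicted(prev, j, peers_of_j)) > TOLERANCE:
                    rep[i][j] -= PENALTY
    isolated = {i: sorted(j for j, r in rep[i].items() if r < THRESHOLD)
                for i in honest}
    return state, isolated


if __name__ == "__main__":
    # Constructed scenario: device 3 is compromised and always reports 50.
    for defend in (False, True):
        final, isolated = simulate([0.0, 4.0, 8.0, 12.0], {3}, 50.0, defend=defend)
        print("defend =", defend, [round(x, 2) for x in final[:3]], isolated)
```

In the constructed scenario the honest devices are dragged to the attacker's value without monitoring, while with monitoring they isolate device 3 after two violations and settle on a common value that is still shifted by the two rounds of bad data they accepted.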
Thursday, May 9, 2013 @ 12:05 PM gHale
Invensys created an update that mitigates multiple vulnerabilities that impact the Invensys Wonderware Information Server (WIS) software, according to a report on ICS-CERT.
Researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team, who found the vulnerabilities, tested the update and validated that it fixes the remotely exploitable issues.
Exploitation of these vulnerabilities could impact systems deployed in the critical manufacturing, energy, food and beverage, chemical, and water and wastewater sectors.
The following Invensys WIS versions suffer from the issue: WIS 4.0 SP1 and 4.5 – Portal, and WIS 5.0 – Portal.
Successful exploitation of these vulnerabilities could allow an attacker to execute remote code, disclose information, or perform session credential hijacking of WIS.
Invensys works with industrial, commercial, rail operators, and appliance operators in over 180 countries. Invensys develops software, systems, and equipment that enable users to monitor, automate, and control their processes.
The Invensys WIS software sees use in the critical manufacturing, energy, food and beverage, chemical, and water and wastewater industries.
WIS provides industrial information content including process graphics, trends, and reports on a single Web page. WIS Web clients allow access to real-time dashboards, predesigned reports of industrial activities, and provide analysis or write back capabilities to the process.
One of the vulnerabilities enables an attacker to inject client-side script into Web pages viewed by other users or bypass client-side security mechanisms imposed by modern Web browsers. This vulnerability, if exploited, could allow arbitrary code execution and may require social engineering to exploit.
CVE-2013-0688 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
Another vulnerability could allow an attacker to perform database operations unintended by the Web application designer and, in some instances, can lead to total compromise of the database server. This vulnerability, if exploited, could allow arbitrary code execution.
CVE-2013-0684 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
WIS allows access to local resources (files and internal resources) via unsafe parsing of XML external entities. By using specially crafted XML files, an attacker can cause WIS to send the contents of local or remote resources to the attacker’s server or cause a denial of service (DoS) of the system.
CVE-2013-0686 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.
WIS does not properly restrict the size or amount of resources requested, allowing the attacker to consume more resources than intended. This vulnerability, if exploited, could allow remote code execution and DoS.
CVE-2013-0685 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
To date, no public exploits specifically target these vulnerabilities, but an attacker with medium skill would be able to exploit them.
Invensys has developed an update to the WIS software that mitigates these vulnerabilities. Click here to download and install the update from the Invensys download page.
Invensys said users running any machine with one or more of the products listed should apply the patch. No other components of the WIS installed products have an issue. Users should install the update using instructions provided in the ReadMe file for the product and component they are installing. Invensys recommended users set the Security level settings in the Internet browser to “Medium – High” to minimize the risks presented by these vulnerabilities.
Friday, April 12, 2013 @ 12:04 PM gHale
Software under development can work like a stoplight to control increasingly clogged wireless airwaves and reduce interference.
From WiFi laptops to Bluetooth headsets to ZigBee sensor nodes, busy airwaves are becoming a big problem and it is resulting in dropped calls, wasted bandwidth and botched connections.
The software, GapSense, lets these devices that can’t normally talk to one another exchange simple stop and warning messages so their communications collide less often, said researchers at the University of Michigan.
GapSense creates a common language of energy pulses and gaps. The length of the gaps conveys the stop or warning message. Devices could send them at the start of a communication, or in between information packets to let other gadgets in the vicinity know about their plans.
“All these devices are supposed to perform their designated functions but they’re using the same highway and fighting for space,” said Kang Shin, the Kevin and Nancy O’Connor Professor of Computer Science at U-M. “Since they don’t have a direct means of communicating with each other because they use different protocols, we thought, ‘How can we coordinate them so that each can perform their functions while minimizing interference with the others?’”
Testing on GapSense found it could reduce interference by more than 88 percent on some networks with diverse devices.
To get a sense of how many wireless devices exist today, in 2013, CTIA, the Wireless Association, counted more than 321 million WiFi-enabled cell phones, laptops and tablets in the United States. That’s more than one device per person, and it’s just the items that use WiFi, the protocol that transmits big chunks of data over relatively long distances.
Bluetooth and ZigBee use the same wireless spectrum as WiFi, but they all speak different languages. Bluetooth, shorter range and less powerful, can connect headsets and keyboards to phones and computers, for example. ZigBee, the lowest powered of the group, links networks of small radios to automate home and building systems such as lighting, security alarms and thermostats. It’s also in hospitals, where it gathers medical data from patients.
All these devices come equipped with the standard “carrier sense multiple access,” or CSMA, protocol that programs them to listen for radio silence before they send their own transmissions. But often it doesn’t work.
ZigBee takes 16 times longer than WiFi to gear up from its idle state to transmit information, so sometimes it might sound to WiFi that the coast is clear when a ZigBee packet is on its way out.
“The little guy might be talking, but big guy cannot hear it,” Shin said. “So the little guy’s communication will be destroyed.”
That’s just one of several potential problems GapSense can help remedy. The researchers tested the software in a simulated office environment. With moderate WiFi traffic, they detected a 45 percent collision rate between ZigBee and WiFi, and GapSense reduced that to 8 percent.
The software could also address the “hidden terminal” problem. Newer WiFi standards allow for faster data rates on wider bandwidths than the standard 20 megahertz, but devices on different bandwidths can’t hear one another’s communications to avoid talking over them. GapSense could enable these devices on different standards to talk in turn. At moderate WiFi traffic, the researchers detected around 40 percent collision rate between wider- and narrower-bandwidth devices and GapSense reduced it to virtually zero.
GapSense could also reduce energy consumption of WiFi devices by 44 percent. It would accomplish this by allowing the WiFi receiver to operate at low clock rates. With the software, the faster-clocked WiFi transmitter could send a wake-up message to the slower-clocked receiver in time for it to synch and catch an information packet.
“The impact of GapSense is huge in my opinion,” Shin said. “It could be the Tower of Babel for the increasingly diversified world of wireless devices.”
Thursday, April 11, 2013 @ 02:04 PM gHale
When the software for most of today’s aircraft was in its development, its creators went to painstaking extremes to make sure planes were as safe as possible. Redundancy was the name of the game as they wanted to make sure in case one system failed, there would be a backup, and in case the backup system failed, there was another failsafe mechanism.
What they didn’t do was take into consideration the software they developed might fall into the hands of an attacker.
That is where Spanish security researcher Hugo Teso, of n.runs AG in Germany, comes in: he said it is possible to hack into aircraft controls.
The problem is fixable, but the changes will be costly and difficult, he said at the Hack in the Box conference in Amsterdam. But the organizations he and his company contacted appear interested in learning more about these problems.
Everyone knows today’s aircraft rely on computers. Automatic Dependent Surveillance-Broadcast (ADS-B) is a sort of radar that represents the primary surveillance method for aircraft control.
Aircraft Communications Addressing and Reporting System (ACARS) is used for exchanging messages between aircraft and ground stations via radio (VHF) or satellite.
The flight management system (FMS) is also highly important for modern aviation for a wide range of tasks designed to reduce the workload of the flight crew, including navigation, flight planning, trajectory prediction, performance computations and guidance.
While these systems are highly efficient, they’re also highly vulnerable, Teso said.
The attack method developed by Teso has four phases: Discovery, information gathering, exploitation and post-exploitation.
By utilizing publicly available equipment, obtained for fairly small prices from places such as eBay, he has managed to simulate airplane systems.
In his Hack in the Box presentation, Teso showed how, in theory, he could take complete control of an aircraft. The attacker could perform a wide range of tasks depending on what systems are active on the plane.
For instance, for the attacker to modify the aircraft’s trajectory and altitude, the autopilot would have to be on. The attack method he developed focused on commercial aircraft.
During the presentation, he utilized an Android app to simulate the hijacking of an airplane. However, he said the application was only to simplify the presentation.
Some might have believed an attacker could hijack an aircraft from a smartphone, but that is not the case.
For a real-life hijack of the equipment, an attacker would need quite a few more resources. But it could be possible in the future, Teso said.
Click here to download the presentation.