Posts Tagged ‘software’
Tuesday, May 14, 2013 @ 04:05 PM gHale
Self-monitoring devices are under development for SCADA systems. A prototype lets SCADA devices police one another so that a power plant or factory floor device that has been compromised can be caught and cut off.
A new algorithm detects devices that are no longer doing their usual work. The secure distributed control program runs in the embedded software of SCADA components such as robots or PLCs. The software, developed by researchers at North Carolina State University, detects and then isolates a compromised device.
This software uses a reputation manager for the devices, so if one robot or PLC starts doing something it’s not supposed to do, or it even exceeds a certain threshold such as improperly accelerating or slowing its speed, other robots or devices can detect the uncharacteristic behavior, sound an alarm, and cut it off from their operations to minimize or stop any damage.
This peer-level SCADA security would augment existing and emerging SCADA security products and features, the researchers said. The algorithm could be added to existing control system software with minor coding modifications, they said.
“Commercial SCADA security uses a police car and travels and monitors the area. Ours is more like a community [neighborhood] watch,” said Mo-Yuen Chow, a professor of electrical and computer engineering at NC State and co-author of research on the subject. “Each of the devices watch each other and talk to [their] neighbor.”
It’s a next-generation security technology for those that truly understand they will suffer a breach. This will help minimize the damage.
“Our [technology] assumes the attack is already [occurring] and the device is already compromised,” said Wente Zeng, an NC State Ph.D. student who worked on the prototype. “After that, it [focuses on] how can we still make sure the rest of the system can work well” and uninterrupted, he said.
Each local SCADA device monitors the others so if one device behaves abnormally, the others shut down its communications, Zeng said. “So we can isolate the attack from the system.”
The researchers ran a simulation with robots containing the embedded software and controller.
“If one robot is compromised, it will affect other robots, so some of them would go to the wrong place,” Zeng said. “With our code, each is monitoring each other, so if this robot behaves weirdly,” it is cut off. “There’s a controller on the robot … and they talk to each other with the simple algorithm.”
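The neighborhood-watch idea described above, reduced to a runnable sketch. This is an added illustration written for this page, not the NC State algorithm or any code from the researchers: every device broadcasts a claimed speed each control period, every peer checks the claim against a physical limit, a device that fails the check loses reputation, and a device whose reputation drops below a cutoff is dropped from everyone else's control input. The acceleration limit, the reputation penalty and cutoff, the three-robot schedule and the averaging consensus rule are all assumptions made for the example.

```python
"""Neighbourhood-watch reputation check for a set of networked controllers.

Added illustration of the idea in the article, not the NC State algorithm.
Limits, penalties and the sample schedule are assumptions for this example.
"""
from dataclasses import dataclass, field
from statistics import mean

MAX_ACCEL = 2.0     # assumed: largest plausible speed change per period
REP_CUTOFF = 0.5    # assumed: below this, peers stop listening to a device
REP_PENALTY = 0.3   # assumed: total reputation lost per detected violation


@dataclass
class Device:
    name: str
    speed: float = 0.0
    reputation: float = 1.0
    trusted: set = field(default_factory=set)   # peers this device still listens to
    alarms: list = field(default_factory=list)  # (period, peer) violations it saw


def plausible(previous: float, claimed: float) -> bool:
    """The local check any neighbour can run on another device's report."""
    return abs(claimed - previous) <= MAX_ACCEL


def run(schedule, watch=True):
    """Simulate the control periods in `schedule` (list of {name: claimed speed}).

    Returns ({name: period at which it was isolated}, consensus speed of the
    devices that were never isolated).  With watch=False nobody checks
    anybody, which shows how far one rogue pulls the consensus.
    """
    names = list(schedule[0])
    devs = {n: Device(n) for n in names}
    for d in devs.values():
        d.trusted = set(names) - {d.name}
    isolated_at = {}

    for period, reports in enumerate(schedule):
        if watch:
            # Every device checks every peer it still trusts.  Each check carries
            # an equal share of the penalty, so n-1 agreeing peers cost the
            # reporter REP_PENALTY in total.
            share = REP_PENALTY / max(1, len(names) - 1)
            for d in devs.values():
                for peer in d.trusted:
                    if not plausible(devs[peer].speed, reports[peer]):
                        devs[peer].reputation -= share
                        d.alarms.append((period, peer))
        for d in devs.values():
            d.speed = reports[d.name]
        if watch:
            for d in devs.values():
                if d.reputation < REP_CUTOFF and d.name not in isolated_at:
                    isolated_at[d.name] = period
                    for other in devs.values():   # cut it off from everyone
                        other.trusted.discard(d.name)

    honest = [d for d in devs.values() if d.name not in isolated_at]
    # Each honest device averages itself with the peers it still trusts, the
    # simplest consensus rule; a rogue still in `trusted` skews the result.
    consensus = mean(mean(devs[p].speed for p in d.trusted | {d.name}) for d in honest)
    return isolated_at, consensus


# Constructed schedule: three robots ramp up together, then C is compromised
# at period 3 and starts reporting physically impossible jumps.
SCHEDULE = [
    {"A": 1.0, "B": 1.0, "C": 1.0},
    {"A": 2.0, "B": 2.0, "C": 2.0},
    {"A": 3.0, "B": 3.0, "C": 3.0},
    {"A": 3.5, "B": 3.5, "C": 9.0},
    {"A": 4.0, "B": 4.0, "C": 15.0},
    {"A": 4.0, "B": 4.0, "C": 20.0},
]

if __name__ == "__main__":
    print(run(SCHEDULE))               # ({'C': 4}, 4.0)
    print(run(SCHEDULE, watch=False))  # ({}, 9.33...): the rogue drags everyone
```

With the watch on, C is isolated at the second implausible report and the honest consensus settles at 4.0; with it off, C's claimed 20.0 pulls the shared setpoint to more than double that. The point the article's caveat makes still applies: a rogue that stays within `MAX_ACCEL` on every step is invisible to this check.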
The researchers said they plan to patent the algorithm and explore commercialization prospects for the technology.
Distinguishing between normal and abnormal behavior isn’t always so straightforward, and sophisticated attackers could find ways to taint the information in some way, according to some security experts.
The researchers’ technical paper is titled “Convergence and Recovery Analysis of the Secure Distributed Control Methodology for D-NCS.”
Thursday, May 9, 2013 @ 12:05 PM gHale
Invensys created an update that mitigates multiple vulnerabilities that impact the Invensys Wonderware Information Server (WIS) software, according to a report on ICS-CERT.
Researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team, who found the vulnerabilities, tested the update and validated that it fixes the remotely exploitable issues.
Exploitation of these vulnerabilities could impact systems deployed in the critical manufacturing, energy, food and beverage, chemical, and water and wastewater sectors.
The following Invensys WIS versions suffer from the issue: WIS 4.0 SP1, WIS 4.5 Portal, and WIS 5.0 Portal.
Successful exploitation of these vulnerabilities could allow an attacker to execute remote code, disclose information, or hijack WIS session credentials.
Invensys works with industrial, commercial, rail operators, and appliance operators in over 180 countries. Invensys develops software, systems, and equipment that enable users to monitor, automate, and control their processes.
The Invensys WIS software sees use in the critical manufacturing, energy, food and beverage, chemical, and water and wastewater industries.
WIS provides industrial information content including process graphics, trends, and reports on a single Web page. WIS Web clients allow access to real-time dashboards, predesigned reports of industrial activities, and provide analysis or write back capabilities to the process.
One of the vulnerabilities enables an attacker to inject client-side script into Web pages viewed by other users or bypass client-side security mechanisms imposed by modern Web browsers. This vulnerability, if exploited, could allow arbitrary code execution and may require social engineering to exploit.
CVE-2013-0688 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
Another vulnerability could allow an attacker to perform database operations unintended by the Web application designer and, in some instances, can lead to total compromise of the database server. This vulnerability, if exploited, could allow arbitrary code execution.
CVE-2013-0684 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
WIS allows access to local resources (files and internal resources) via unsafe parsing of XML external entities. By using specially crafted XML files, an attacker can cause WIS to send the contents of local or remote resources to the attacker’s server or cause a denial of service (DoS) of the system.
CVE-2013-0686 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.
WIS does not properly restrict the size or amount of resources requested, allowing the attacker to consume more resources than intended. This vulnerability, if exploited, could allow remote code execution and DoS.
CVE-2013-0685 is the number assigned to this vulnerability, which has a CVSS v2 base score of 9.3.
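The two XML issues above, external entity resolution and unbounded resource consumption through entity expansion, share a root: both need a DTD in the incoming document. A check that refuses any DOCTYPE or entity declaration before the document reaches the application parser blocks both classes, whatever the parser behind it does. The following is an added example written for this page, not Invensys code; the three sample documents are constructed.

```python
"""Reject XML that carries a DTD before it reaches the application parser.

Added example, not Invensys code.  External entities (XXE) and entity
expansion bombs both need a DOCTYPE, so refusing any DOCTYPE or entity
declaration blocks both regardless of how the real parser behaves.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when the document declares a DTD or an entity."""


def check_no_dtd(data: bytes) -> None:
    """Walk the document with expat and abort at the first DTD construct."""
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} rejected (SYSTEM={system_id!r})")

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        raise UnsafeXML(f"entity {name!r} rejected (SYSTEM={system_id!r})")

    parser.StartDoctypeDeclHandler = on_doctype   # fires before any <!ENTITY>
    parser.EntityDeclHandler = on_entity          # belt and braces
    parser.Parse(data, True)                      # exceptions from handlers propagate


def safe_parse(data: bytes) -> ET.Element:
    """Parse only after the DTD check passes."""
    check_no_dtd(data)
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    try:
        check_no_dtd(data)
        return True
    except UnsafeXML:
        return False


# Constructed samples: a benign report, an XXE payload and a small entity bomb.
BENIGN = b'<?xml version="1.0"?><report><tag name="pump1">42.0</tag></report>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<r>&xxe;</r>')
BOMB = (b'<?xml version="1.0"?>'
        b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;">]>'
        b'<lolz>&lol2;</lolz>')

if __name__ == "__main__":
    print(safe_parse(BENIGN).find("tag").text)   # 42.0
    for doc in (XXE, BOMB):
        print(is_safe_xml(doc))                  # False, False
```

The check is deliberately a blanket refusal rather than an attempt to tell safe entities from unsafe ones: an industrial web portal has no business accepting client-supplied DTDs, and a plain "no DTD" rule is easy to audit.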
To date, no public exploits specifically target these vulnerabilities; an attacker with medium skill would be able to exploit them.
Invensys has developed an update to the WIS software that mitigates these vulnerabilities. The update is available from the Invensys download page.
Invensys said users running any machine with one or more of the products listed should apply the patch. No other components of the installed WIS products are affected. Users should install the update using the instructions in the ReadMe file for the product and component they are installing. Invensys also recommended setting the browser security level to “Medium – High” to minimize the risks presented by these vulnerabilities.
Friday, April 12, 2013 @ 12:04 PM gHale
Software under development can work like a stoplight to control increasingly clogged wireless airwaves and reduce interference.
From WiFi laptops to Bluetooth headsets to ZigBee sensor nodes, busy airwaves are becoming a big problem and it is resulting in dropped calls, wasted bandwidth and botched connections.
The software, GapSense, lets these devices that can’t normally talk to one another exchange simple stop and warning messages so their communications collide less often, said researchers at the University of Michigan.
GapSense creates a common language of energy pulses and gaps. The length of the gaps conveys the stop or warning message. Devices could send them at the start of a communication, or in between information packets to let other gadgets in the vicinity know about their plans.
“All these devices are supposed to perform their designated functions but they’re using the same highway and fighting for space,” said Kang Shin, the Kevin and Nancy O’Connor Professor of Computer Science at U-M. “Since they don’t have a direct means of communicating with each other because they use different protocols, we thought, ‘How can we coordinate them so that each can perform their functions while minimizing interference with the others?’”
Testing on GapSense found it could reduce interference by more than 88 percent on some networks with diverse devices.
To get a sense of how many wireless devices exist today, in 2013, CTIA, the Wireless Association, counted more than 321 million WiFi-enabled cell phones, laptops and tablets in the United States. That’s more than one device per person, and it’s just the items that use WiFi, the protocol that transmits big chunks of data over relatively long distances.
Bluetooth and ZigBee use the same wireless spectrum as WiFi, but they all speak different languages. Bluetooth, shorter range and less powerful, can connect headsets and keyboards to phones and computers, for example. ZigBee, the lowest powered of the group, links networks of small radios to automate home and building systems such as lighting, security alarms and thermostats. It’s also in hospitals, where it gathers medical data from patients.
All these devices come equipped with the standard “carrier sense multiple access,” or CSMA, protocol that programs them to listen for radio silence before they send their own transmissions. But often it doesn’t work.
ZigBee takes 16 times longer than WiFi to gear up from its idle state to transmit information, so sometimes it might sound to WiFi that the coast is clear when a ZigBee packet is on its way out.
“The little guy might be talking, but big guy cannot hear it,” Shin said. “So the little guy’s communication will be destroyed.”
That’s just one of several potential problems GapSense can help remedy. The researchers tested the software in a simulated office environment. With moderate WiFi traffic, they detected a 45 percent collision rate between ZigBee and WiFi, and GapSense reduced that to 8 percent.
The software could also address the “hidden terminal” problem. Newer WiFi standards allow for faster data rates on wider bandwidths than the standard 20 megahertz, but devices on different bandwidths can’t hear one another’s communications to avoid talking over them. GapSense could enable these devices on different standards to talk in turn. At moderate WiFi traffic, the researchers detected around 40 percent collision rate between wider- and narrower-bandwidth devices and GapSense reduced it to virtually zero.
GapSense could also reduce energy consumption of WiFi devices by 44 percent. It would accomplish this by allowing the WiFi receiver to operate at low clock rates. With the software, the faster-clocked WiFi transmitter could send a wake-up message to the slower-clocked receiver in time for it to synch and catch an information packet.
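The pulse-and-gap signalling the article describes, as an added example written for this page and not the University of Michigan GapSense code: a sender emits energy, a gap whose length encodes the symbol, then energy again, and a receiver only has to sense energy at its own sampling rate to read it. The pulse and gap lengths, the two-symbol alphabet, the 25 percent tolerance and the fast and slow sampling periods are assumptions made for the example.

```python
"""Pulse-and-gap signalling between radios that share a band but not a protocol.

Added example of the mechanism in the article, not the GapSense code.
Pulse/gap lengths, tolerance and sampling periods are assumptions.
"""
PULSE_US = 100                          # assumed energy burst on each side of the gap
GAP_US = {"STOP": 200, "WARN": 400}     # assumed alphabet: gap length in microseconds
TOLERANCE = 0.25                        # assumed: accept gaps within ±25% of nominal


def encode(symbol: str):
    """Waveform as (energy level, duration in microseconds) segments."""
    return [(1, PULSE_US), (0, GAP_US[symbol]), (1, PULSE_US)]


def sample(waveform, period_us: int):
    """What a receiver that checks the channel every `period_us` sees."""
    samples = []
    for level, duration in waveform:
        samples.extend([level] * (duration // period_us))
    return samples


def mix(a, b):
    """Two transmissions on the same channel: energy is present if either is."""
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return [x | y for x, y in zip(a, b)]


def decode(samples, period_us: int):
    """Find energy, gap, energy and map the measured gap back to a symbol.

    Returns None when no well-formed gap is found, which is what a receiver
    sees when another transmission has filled the gap with energy.
    """
    i, n = 0, len(samples)
    while i < n and samples[i] == 0:    # idle channel before the first pulse
        i += 1
    while i < n and samples[i] == 1:    # leading pulse
        i += 1
    gap_start = i
    while i < n and samples[i] == 0:    # the gap itself
        i += 1
    if i >= n:                          # no trailing pulse
        return None
    gap_us = (i - gap_start) * period_us
    for symbol, nominal in GAP_US.items():
        if abs(gap_us - nominal) <= TOLERANCE * nominal:
            return symbol
    return None


if __name__ == "__main__":
    fast, slow = 1, 16                  # assumed sampling periods: WiFi-like vs ZigBee-like
    print(decode(sample(encode("WARN"), slow), slow))   # WARN
    collided = mix(sample(encode("STOP"), fast), [0] * 150 + sample(encode("STOP"), fast))
    print(decode(collided, fast))                       # None: the gap was filled
```

The slow receiver measures the 200 µs gap as 12 samples of 16 µs, 192 µs, and still lands on STOP because the alphabet is spaced far wider than the sampling error; that tolerance is what lets a ZigBee-class radio read what a WiFi-class radio sent. The collided case shows why the scheme only helps when the channel is clear for the signal itself.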
“The impact of GapSense is huge in my opinion,” Shin said. “It could be the Tower of Babel for the increasingly diversified world of wireless devices.”
Thursday, April 11, 2013 @ 02:04 PM gHale
When the software for most of today’s aircraft was in its development, its creators went to painstaking extremes to make sure planes were as safe as possible. Redundancy was the name of the game as they wanted to make sure in case one system failed, there would be a backup, and in case the backup system failed, there was another failsafe mechanism.
What they didn’t do was take into consideration the software they developed might fall into the hands of an attacker.
That is where Spanish security researcher Hugo Teso, of n.runs AG in Germany, comes in: he said it is possible to hack into aircraft controls.
The problem is fixable, but the changes will be costly and difficult, he said at the Hack in the Box conference in Amsterdam. But, it appears the organizations he and his company contacted appear interested in learning more about these problems.
Everyone knows today’s aircraft rely on computers. Automatic Dependent Surveillance-Broadcast (ADS-B) is a radar-like surveillance system in which aircraft periodically broadcast their own position, and it is becoming the primary surveillance method for air traffic control.
Aircraft Communications Addressing and Reporting System (ACARS) is used for exchanging messages between aircraft and ground stations via radio (VHF) or satellite.
The flight management system (FMS) is also highly important for modern aviation for a wide range of tasks designed to reduce the workload of the flight crew, including navigation, flight planning, trajectory prediction, performance computations and guidance.
While these systems are highly efficient, they’re also highly vulnerable, Teso said.
The attack method developed by Teso has four phases: Discovery, information gathering, exploitation and post-exploitation.
By utilizing publicly available equipment, obtained for fairly small prices from places such as eBay, he has managed to simulate airplane systems.
In his Hack in the Box presentation, Teso showed how, in theory, he could take complete control of an aircraft. The attacker could perform a wide range of tasks depending on what systems are active on the plane.
For instance, for the attacker to modify the aircraft’s trajectory and altitude, the autopilot would have to be on. The attack method he developed focused on commercial aircraft.
During the presentation, he utilized an Android app to simulate the hijacking of an airplane. However, he said the application was only to simplify the presentation.
Some might have believed an attacker could hijack an aircraft from a smartphone but, that is not the case.
For a real life equipment hijack, an attacker would need quite a few more resources. But it could be possible in the future, Teso said.
The presentation slides are available for download.
Friday, March 29, 2013 @ 05:03 PM gHale
New malicious software uses Evernote, which is a note-taking service, as a place to pick up new instructions.
The malware is a backdoor, or a kind of software that allows an attacker to execute various actions on a hacked computer, said researchers at Trend Micro. What the malware does is it tries to connect to Evernote in order to obtain new commands.
“The backdoor may also use the Evernote account as a drop-off point for its stolen information,” said Nikko Tamana, a Trend Micro threat response engineer.
It’s not unheard of for hackers to design malware to abuse legitimate services, either to make the malware more difficult to trace or give it a less suspicious profile. In the past, hackers have used Twitter and Google Docs to post instructions for their botnets.
“As stealth is the name of the game, misusing legitimate services like Evernote is the perfect way to hide the bad guys’ tracks and prevent efforts done by the security researchers,” Tamana said.
This particular malware, which Trend Micro named “BKDR_VERNOT.A,” tries to obtain instructions from a note in an Evernote account. For some reason, the login credentials within the malware did not appear to work when Trend Micro was testing it.
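Because the traffic to a note-taking service looks legitimate at the network layer, the useful detection question is which process on the host opened the connection and whether it calls home on a schedule. The following is an added example written for this page, not Trend Micro detection content: it runs two checks over endpoint network telemetry in a Sysmon-like shape (time, host, image path, destination, port). The telemetry lines are constructed, and the per-service client allowlist and the beaconing thresholds are assumptions.

```python
"""Flag processes that talk to a legitimate SaaS host but are not its known clients.

Added example, not Trend Micro content.  The telemetry is constructed;
the client allowlist and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LINE_RE = re.compile(r"^(\S+) (\S+) (.+?) (\S+) (\d+)$")

BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe"}
# Assumed policy: which executables are expected to contact each service.
EXPECTED_CLIENTS = {
    "evernote.com": {"evernote.exe"} | BROWSERS,
}
MIN_EVENTS = 4      # assumed: need this many connections to judge regularity
MAX_JITTER = 0.10   # assumed: stddev/mean of intervals at or below this looks scheduled


def registered_domain(host: str) -> str:
    return ".".join(host.lower().split(".")[-2:])


def parse(log: str):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, image, dest, port = m.groups()
        yield datetime.fromisoformat(ts), host, image, dest, int(port)


def find_suspects(log: str):
    """Return [(host, image basename, destination, reasons)] sorted by host."""
    events = defaultdict(list)
    for ts, host, image, dest, port in parse(log):
        events[(host, image, dest)].append(ts)

    findings = []
    for (host, image, dest), times in events.items():
        domain = registered_domain(dest)
        if domain not in EXPECTED_CLIENTS:
            continue                    # no policy for this service
        exe = image.rsplit("\\", 1)[-1].lower()
        reasons = []
        if exe not in EXPECTED_CLIENTS[domain]:
            reasons.append("unexpected client")
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= MIN_EVENTS and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= MAX_JITTER:
            reasons.append("beaconing")
        if reasons:
            findings.append((host, exe, dest, tuple(reasons)))
    return sorted(findings)


# Constructed telemetry, not real logs.
TELEMETRY = r"""
2013-03-29T10:00:00 ws01 C:\Program Files\Evernote\Evernote.exe www.evernote.com 443
2013-03-29T10:00:05 ws01 C:\Program Files\Mozilla Firefox\firefox.exe www.evernote.com 443
2013-03-29T10:01:00 ws02 C:\Users\bob\AppData\Roaming\svchost.exe www.evernote.com 443
2013-03-29T10:06:00 ws02 C:\Users\bob\AppData\Roaming\svchost.exe www.evernote.com 443
2013-03-29T10:11:00 ws02 C:\Users\bob\AppData\Roaming\svchost.exe www.evernote.com 443
2013-03-29T10:16:00 ws02 C:\Users\bob\AppData\Roaming\svchost.exe www.evernote.com 443
2013-03-29T10:02:00 ws03 C:\Windows\System32\svchost.exe update.microsoft.com 443
"""

if __name__ == "__main__":
    for finding in find_suspects(TELEMETRY):
        print(finding)  # ('ws02', 'svchost.exe', 'www.evernote.com', ('unexpected client', 'beaconing'))
```

Neither check alone is conclusive: a new sync tool trips the allowlist, and a browser tab that polls trips the interval test. Together, and with the image sitting under a user's AppData directory, they are worth an analyst's time.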
“This is possibly a security measure imposed by Evernote following its recent hacking issue,” Tamana said.
Earlier this month, Evernote reset the passwords for 50 million of its users after hackers obtained access to account usernames, email addresses and encrypted passwords.
Thursday, March 21, 2013 @ 07:03 PM gHale
There are mitigation details available for a vulnerability affecting the Schweitzer Engineering Laboratories (SEL) AcSELerator QuickSet software, according to a report on ICS-CERT.
Independent researcher Michael Toecker of Digital Bond identified an improper authorization vulnerability in the SEL AcSELerator application using the Microsoft Attack Surface Analyzer tool.
The vulnerability was reported to the vendor before the 2013 Digital Bond S4 Conference and then presented at the conference. AcSELerator QuickSet is used to configure, read, and send settings to supported SEL devices such as relays, meters, and communication products.
This vulnerability is not remotely exploitable and cannot be exploited without access to the computer as an authorized user. No known public exploits specifically target this vulnerability.
SEL AcSELerator QuickSet versions older than Version 18.104.22.168 suffer from the issue.
Successful exploitation of this vulnerability may allow an attacker with user rights to read or modify files in the AcSELerator QuickSet file system, possibly affecting the availability of the application. Unauthorized attackers can then access the AcSELerator Quickset executable files. This vulnerability can affect products deployed in the electric sector.
SEL is a U.S.-based company that maintains offices around the world. The affected product, SEL AcSELerator QuickSet, is a software package used to configure, read, and send settings to supported SEL devices such as relays, meters, and communication products. According to SEL, AcSELerator QuickSet works across the electric utilities sector.
The SEL AcSELerator QuickSet software does not limit user access to its installed executables to only authenticated administrative users. A malicious user with any level of access to the computer could replace executables within the SEL Program Files directory with their own executables. If any user ran the SEL application, the malicious executable would run instead. Successful exploitation of this vulnerability could cause loss of availability, integrity, confidentiality, and a disruption in communications with other connected devices.
CVE-2013-0665 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.2.
An attacker with a high skill would be able to exploit this vulnerability.
To mitigate this vulnerability, SEL developed and released AcSELerator QuickSet Version 22.214.171.124 February 12. This version adds user access restrictions to the SEL AcSELerator QuickSet software so only authenticated administrative users can modify or replace executables. This version is available for download and installation through SEL Compass.
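The SEL finding is an instance of a generic misconfiguration: an install tree whose executables are writable by ordinary users lets anyone on the machine replace a binary and wait for an administrator or operator to run it. The check below is an added example written for this page, not SEL code. It parses the text that `icacls <dir>` prints and reports any access control entry that grants a write right to a low-privilege principal; the icacls output is constructed, and the principal list and rights mapping are assumptions.

```python
"""Spot low-privilege principals with write access to an application's install tree.

Added example, not SEL code.  Parses constructed `icacls <dir>` output;
the principal list and the rights mapping are assumptions.
"""
import re

# Principals that should never hold write rights on Program Files (assumed list).
LOW_PRIV = {
    r"BUILTIN\Users",
    r"NT AUTHORITY\Authenticated Users",
    r"NT AUTHORITY\INTERACTIVE",
    "Everyone",
}
# icacls rights that allow creating or replacing files (simple and specific forms).
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WA", "WEA", "DC", "D", "WDAC", "WO"}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}

ACE_RE = re.compile(
    r"(?P<principal>NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\[^:\s]+"
    r"|NT SERVICE\\[^:\s]+|CREATOR OWNER|Everyone|\S+\\[^:\s]+)"
    r":(?P<rights>(?:\([^)]*\))+)\s*$"
)


def grants_write(rights: str) -> bool:
    """True if any non-inheritance token in '(OI)(CI)(M)' style rights allows writing."""
    for token in re.findall(r"\(([^)]*)\)", rights):
        if token in INHERITANCE_FLAGS:
            continue
        if any(r.strip() in WRITE_RIGHTS for r in token.split(",")):
            return True
    return False


def weak_aces(icacls_output: str):
    """Return [(path, principal, rights)] for every risky ACE in the output."""
    findings, path = [], None
    for line in icacls_output.splitlines():
        m = ACE_RE.search(line)
        if not m:
            continue
        prefix = line[:m.start()].strip()
        if prefix:                      # the first ACE of a path carries the path
            path = prefix
        principal, rights = m.group("principal"), m.group("rights")
        if principal in LOW_PRIV and grants_write(rights):
            findings.append((path, principal, rights))
    return findings


# Constructed icacls output for two install directories: one weak, one correct.
ICACLS_OUTPUT = r"""
C:\Program Files\SEL\AcSELerator QuickSet BUILTIN\Users:(OI)(CI)(M)
                                          NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                          BUILTIN\Administrators:(OI)(CI)(F)
C:\Program Files\SEL\Other Tool NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                                NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 2 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, who, rights in weak_aces(ICACLS_OUTPUT):
        print(f"{path}: {who} has {rights}")
```

Run against real output by feeding it `icacls "C:\Program Files\Vendor" /T` and review every hit; the fix is the one SEL shipped, restricting modify rights on the executables to administrators, and the check is cheap enough to run across every vendor directory on an engineering workstation.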
Wednesday, February 27, 2013 @ 11:02 AM gHale
A form of the Stuxnet worm used to cripple Iran’s nuclear program was in existence two years longer than first believed.
In addition, there is also evidence the military-grade malware’s origins date back to 2005, and possibly earlier, a new report from Symantec said.
Members of the Symantec Security Response team found an earlier version of the highly sophisticated malcode, called “Stuxnet 0.5.” Experts previously thought the earliest version dated back to 2007. Discovered in July 2010, Stuxnet was built to surreptitiously disrupt the Natanz uranium enrichment facility in Iran.
First reports had Stuxnet getting its attack green light in the waning moments of George W. Bush’s presidency in 2009. At the time, President Bush wanted to sabotage the electrical and computer systems at Natanz, which is a fuel enrichment plant in Iran. After Bush left office, President Barack Obama accelerated the program, said former senior intelligence officials, one of whom worked for the National Intelligence office.
Stuxnet is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 control systems. The worm used known and previously unknown vulnerabilities to install, infect and propagate, and was powerful enough to evade state-of-the-art security technologies and procedures.
Widely considered among the most complicated coding in the malware world, Stuxnet homed in on computers running the Siemens software at 14 known industrial sites. The malware shut off valves that supplied uranium hexafluoride gas into centrifuges, thereby damaging a uranium enrichment system by letting pressure build until the gas solidified.
“In addition, the code will take snapshots of the normal running state of the system, and then replay normal operating values during an attack so that the operators are unaware that the system is not operating normally,” the Symantec researchers said. “It will also prevent modification to the valve states in case the operator tries to change any settings during the course of an attack cycle.”
In analyzing the oldest known version of Stuxnet, researchers found the worm was in development as early as November 2005 and released in the wild two years later. Its programming called for it to stop communicating with its command-and-control servers on Jan. 11, 2009 and stop spreading via infected USB keys on July 4 of the same year. But a number of dormant infections ended up detected last year around the world, almost half in Iran and 21 percent in the United States.
Later versions became far more aggressive in propagating and exploiting vulnerabilities. It also appears that the developers of Stuxnet 0.5 had access to the Flamer source code, whereas the later versions were built on the Tilded platform.
“The existence of unrecovered versions of Stuxnet, both before version 0.5 and especially between versions 0.5 and 1.001, are likely,” according to a Symantec blog post.
As ISSSource reported back in October 2011, Stuxnet was a comprehensive U.S.-Israeli program designed to disrupt Iran’s nuclear technology. This joint program first surfaced in 2009 and worked in concert with an earlier U.S. effort that consistently sabotaged Iran’s purchasing network abroad.
The groundwork for the attack plan began much earlier though. In 2007, Idaho National Laboratory (INL) inked a development contract with Siemens the purpose of which was to help Siemens study its own computer weaknesses, the sources said. Quite a few suppliers have these types of pacts with INL to test platforms to find and resolve weaknesses.
Monday, February 18, 2013 @ 11:02 AM gHale
There is now a patch available to fix a directory traversal vulnerability in the Tridium NiagaraAX software, according to a report on ICS-CERT.
With a valid user account or guest privileges enabled, security researchers Billy Rios and Terry McCorkle found remotely exploitable privilege escalation is possible on a NiagaraAX system. Exploitation of this vulnerability could allow loss of availability, integrity, and confidentiality of the system.
All versions of Tridium NiagaraAX suffer from the issue.
A loss of integrity, data, and possibly physical damage can result if the software sees use in controlling a physical process. Another consequence might be the compromise of facility security where NiagaraAX works for facility access control and administration.
Tridium is a U.S-based company that maintains offices in several countries around the world, including the U.S., UK, Singapore, and China. Tridium also deploys systems to Latin America.
NiagaraAX is a general framework that can integrate and manage diverse industrial control system components, e.g., HVAC, building automation controls, and facility management, that a user can control over the Internet from a Web browser. Tridium said more than 350,000 instances of the NiagaraAX Framework are in play worldwide.
Tridium estimates these products work mainly in the commercial facilities (88 percent), energy (5 percent), education (5 percent), and government facilities and other sectors (2 percent).
If an installed NiagaraAX has its Web interface accessible from the Internet, and the user has valid user credentials, or if the system’s guest user function is working, the application could end up subverted to escalate the user’s credentials and gain control of the system. The attacker could read the contents of unexpected files, expose sensitive data, execute arbitrary code, and affect the availability by sending a specially crafted packet to the Web server on Port 80/TCP.
CVE-2012-4701 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.5.
No known public exploits specifically target this vulnerability. An attacker with medium skill may be able to exploit this vulnerability.
Tridium has developed patches for all current versions (Versions 3.5, 3.6, and 3.7) of the NiagaraAX software. Links to the patches, along with instructions on their use are available on the Tridium Security Update Web page.
For users of older versions of NiagaraAX software (prior to Version 3.5), Tridium said users should either upgrade to the newest version or take careful measures to isolate access to the Web interface from the Internet.
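The generic check that keeps a web front end from serving files outside its document root, as an added example written for this page and not Tridium code. It decodes the request once, refuses anything still percent-encoded (double encoding), normalises separators, and then proves the normalised path is inside the root with a component-wise comparison rather than a string prefix test. The document root and the request samples are assumptions.

```python
"""Confine a requested web path to the document root.

Added example, not Tridium code.  WEB_ROOT and the sample requests
are assumptions made for this example.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/opt/niagara/web"   # assumed document root


class TraversalRejected(ValueError):
    pass


def resolve_under(root: str, requested: str) -> str:
    """Return the absolute path for `requested`, or raise TraversalRejected."""
    decoded = unquote(requested)
    if "%" in decoded:                      # %252e%252e style double encoding
        raise TraversalRejected("nested percent-encoding")
    if "\x00" in decoded:                   # null byte truncation tricks
        raise TraversalRejected("NUL byte in path")
    decoded = decoded.replace("\\", "/")    # treat backslashes as separators too
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # commonpath compares path components, so /opt/niagara/webapp does not
    # pass as being under /opt/niagara/web the way a startswith() check would.
    if posixpath.commonpath([root, candidate]) != root:
        raise TraversalRejected(f"{requested!r} escapes {root}")
    return candidate


def is_allowed(root: str, requested: str) -> bool:
    try:
        resolve_under(root, requested)
        return True
    except TraversalRejected:
        return False


if __name__ == "__main__":
    for req in ("/index.html", "css/../main.js", "../../etc/passwd",
                "..%2f..%2fetc%2fpasswd", "%252e%252e/x", "..\\..\\win.ini", "a%00.png"):
        print(f"{req!r:28} -> {is_allowed(WEB_ROOT, req)}")
```

On a real server the candidate path should additionally be resolved through the filesystem (symlinks) before the containment check, and the result used for the open call itself, not a second path built from the raw request.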
Thursday, February 14, 2013 @ 12:02 AM gHale
By Gregory Hale
Safety just got a bit safer this week.
That is because safety provider Triconex now has its Safety View software offering for alarm and bypass management certified by TÜV Rheinland to IEC61508 Systematic Capability 3 for use in applications up to Safety Integrity Level 3, Invensys officials said at the ARC Advisory Group World Industry Forum Monday in Orlando, FL.
“Industry is collaborating more now than ever before,” said Steve Elliott, certified functional safety engineer and director of safety excellence at Invensys Operations Management. “Safety view is an online tool. It helps give context around alarm incidents.”
Triconex Trident and Triconex General Purpose safety instrumented systems now support OPC Universal Architecture for greater communications connectivity.
Safety View addresses the need to bypass safety systems during startup and shutdown, as well as the risks that come with integrating safety systems across different vendor platforms.
Safety View is aimed at critical alarm management applications that demand high levels of safety integrity. The TÜV-certified software for alarm and bypass management works in applications up to SIL3; it improves situational awareness and broadens visibility into the risks that come with system startups, shutdowns and other critical process transitions that plant workers must manage. It draws attention to changes in process conditions that require immediate attention, giving operators, maintenance engineers and shift personnel more visibility into the process so they can take actions that reduce risk, lower total cost of ownership and increase overall asset performance.
In other Triconex news, Invensys also embedded OPC UA communications with its Triconex Trident and Triconex General Purpose safety instrumented systems. OPC UA brings interoperability between systems and streamlines connectivity through open platform architecture and future-proof design. The new communications interface module contains an embedded OPC UA server that supports up to 10 concurrent clients, delivering high performance and secure, reliable communication of real-time data, alarms and historical events.
Friday, February 1, 2013 @ 04:02 PM gHale
Systems running older versions of Juniper Networks’ Junos OS software could fall prey to a transmission control protocol (TCP) flaw that can enable an attacker to crash and reboot routers.
An attacker could send a specially crafted TCP packet to a listening port on a Juniper Routing Engine, crashing the kernel and rebooting the system. Junos releases built before Jan. 17 suffer from the issue; releases built after that date contain a fix.
Juniper Networks officials confirmed the TCP vulnerability, saying they found the problem during routine internal product testing. Cindy Ta, the director of corporate communications at Juniper Networks said the company’s Security Incident Response Team (SIRT) has been unable to document any malicious exploits that use the vulnerability.
The company is instructing any concerned customers to contact Juniper Customer Support, which classifies the issue as a “high alert” vulnerability, for further information and solutions.
Juniper’s advisory suggests users use access lists or firewall filters for their routers, “deployed on both the edge and control plane, and source address anti-spoofing to prevent traffic from bogus addresses reaching the devices.”
Unicast reverse-path forwarding, a feature that can reduce the forwarding of potentially dangerous IP packets, can also help prevent exploitation, Juniper said.