ISSSource White Papers

Posts Tagged ‘software’

Tuesday, September 29, 2015 @ 07:09 AM gHale

There is a new version of the Kovter Trojan able to exist in a computer’s registry, without needing to be in the hard drive.

Kovter, first spotted in 2013, constantly changes its approach and adapts to new hacking campaigns and security measures put in place, said researchers at Symantec.

Starting with version 2.0.3 of the Kovter malware, first spotted in May this year, the Trojan borrowed survival methods from the Poweliks malware and can hide itself in the PC’s registry, Symantec researchers said.

The registry is a Windows-specific feature: a database of user profiles, settings, software and hardware information that the Windows OS reads and writes constantly.

By storing its code in the registry, Kovter lasts longer on infected machines and serves as an entry point for other more serious infections.

While in the past Kovter has been distributed alongside ransomware, Symantec said that now, in its deadlier form, Kovter focuses only on click-fraud.

As for the way it initially infects users, Symantec said attackers are distributing this new version of Kovter mainly via malvertising campaigns and file attachments in spam email.

In the past, the Angler, Fiesta, Nuclear, Neutrino, and the Sweet Orange exploit kits have spread the malware, so they are likely suspects as well.

In its most recent outbreak, Symantec said the malware has been predominantly infecting users in the U.S. (56 percent), UK (13 percent), Canada (9 percent), Germany (8 percent), and Australia (2 percent).

“The Kovter malware family has continually evolved since it was first discovered and shows no signs of leaving the threat landscape anytime soon,” Symantec said.

To help users infected with the Kovter malware, Symantec is providing the Trojan.Kotver Removal Tool as a free download.

Monday, July 13, 2015 @ 03:07 PM gHale

Oil, pharmaceutical, metal mining, software, and Internet-centric multi-billion dollar companies are now the focus of a team of hackers looking to spy on and steal any and all intellectual property, researchers said.

The group originally tied to Apple, Facebook, Microsoft, and Twitter, expanded its cyber espionage operation. They mainly focused on companies in the U.S., Europe, and Canada.

But unlike most cyber espionage groups, this is not a nation state-sponsored operation, according to researchers at Symantec who have been investigating the Morpho organization for the past two years.

This appears to be an organized crime ring with possible U.S. ties. Research found 49 different organizations, most in the U.S., across 20 countries suffered a hit by the Morpho group, which focuses on the Microsoft Exchange and Lotus Domino email servers to spy on corporate correspondence or possibly insert phony emails.

And unlike China’s stealing intellectual property to then pass on to its own companies to manufacture copycat products and technologies, these spies appear to be in the business to make money based on a company’s R&D or other business moves.

“There are two theories, that they are stealing the data for themselves, or selling it to someone else,” said Vikram Thakur, principal research manager on Symantec’s Security Response team. “But it’s more likely that they are using the information to make investments … buying stocks” for financial gain, he said.

One common thread in the attacks at victim organizations who have shared some details on the attacks with Symantec’s team is the Morpho group hit R&D-related computer systems in these firms. Such futuristic intelligence indeed would be valuable to an investor.

Kaspersky Lab also published a report on Morpho, which it calls “Wild Neutron.” According to Kaspersky, the gang uses a stolen valid code certificate, and a Zero Day Flash Player exploit to infect victims.

Costin Raiu, director of Kaspersky’s global research and analysis team, said the gang has been active since 2011, and has hit other interesting targets: “The group’s targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the “Ansar Al-Mujahideen English Forum”) and Bitcoin companies indicate a flexible yet unusual mindset and interests,” Raiu said.

They have been infecting high profile companies for several years by using a combination of exploits, watering holes and multi-platform malware, researchers said.

Among its victims, which Symantec did not name, are five additional technology firms (most in the U.S.), three major European pharmaceutical companies, gold and oil commodities firms, and law firms that specialize in the industries Morpho is targeting. In the case of one tech company, the attackers hacked the firm’s physical security system, which would have given them a way to track an employee’s movements and even spy on them via a video feed, according to Symantec.

Wednesday, December 17, 2014 @ 11:12 AM gHale

The supply chain ends up being the focal point for too many breaches. Your organization may very well be secure, but how about your partners and suppliers?

Hackers just prey on weaker vendors that have remote access to a larger company’s global IT systems, software and networks.

One case in point is the classic 2013 Target breach where the attackers infiltrated a vulnerable link: A refrigeration system supplier connected to the retailer’s IT system. After that breach, all bets were off.

But it doesn’t have to be that way. A counter-measure, via a user-ready online portal, is in development by researchers in the Supply Chain Management Center at the University of Maryland’s Robert H. Smith School of Business.

The portal comes from a new management science called “cyber supply chain risk management.” It combines the conventionally separate disciplines of cyber security, enterprise risk management and supply chain management.

Funded by the National Institute of Standards and Technology (NIST), the UMD researchers developed the formula, in part, after surveying 200 different-sized companies in various industries.

“We found that, collectively, the cyber supply chain is fragmented and stovepiped, and companies are ill-prepared to sense and respond to risks in real time,” said research professor and center co-director Sandor Boyson, who collaborated on the study and portal design with faculty-colleague/center co-director Thomas Corsi, research fellow Hart Rossman and UMD-Smith CIO Holly Mann. “Just half of our subjects used an executive advisory committee such as a risk board to govern their IT-system risks.”

The findings ended up published in a study entitled “Cyber supply chain risk management: Revolutionizing the strategic control of critical IT systems.”

The researchers leveraged the study into the portal. Companies can log on cost-free, and track developing threats, plus map their IT supply chains and anonymously measure themselves against industry peers and NIST standards.

The benchmarking covers operations and cyber-insurance allocation via three separate functions:

A self-evaluation exercise shows a company’s structure for cyber protecting the supply chain. For example, users reply to: “To what degree is your CIO and-or IT shop isolated from, or collaborative with, your supply chain specialists who actually procure the hardware and software for your IT system?”

A special formula measures the risk levels of each company asset. The Common Vulnerability Scoring System, the standard for analyzing software systems, can analyze the entire range of assets connected to the cyber supply chain.

Firms can compare corporate disclosures, exposures and vulnerabilities to those of peer companies via an insurance-risk analysis framework provided by The Willis Group. The global insurance broker’s database of aggregated SEC-reported cyber attacks — mandated for public companies — supports this tool.

The portal is scalable. About 150 various-sized companies have completed at least one of the functions. Fifteen of those firms completed all three assessments and represent industries including high-tech aerospace manufacturing, telecommunication, real estate, and medical and professional services.

“The portal helps individual organizations understand their risk and how they can better manage it. This bolsters the resilience and security posture of the entire ecosystem of the U.S. economy,” said Jon Boyens, senior advisor for information security in NIST’s computer security division. “While this ecosystem has evolved to provide a set of highly refined, cost-effective, reusable products and services that support the U.S. economy, it has also increased opportunities for adversaries and made it increasingly difficult for organizations to understand their risks.”

Friday, November 14, 2014 @ 04:11 PM gHale

Patch Tuesday this month means 14 bulletins with new versions and patches for Microsoft software, operating systems and applications.

The most important bulletin MS14-064 addresses a current Zero Day vulnerability – CVE-2014-6352 in the Windows OLE packager for Vista and newer OS versions. Attackers have been leveraging the vulnerability to gain code execution by sending PowerPoint files to their targets. Microsoft had previously acknowledged the vulnerability in security advisory KB3010060 and offered a work-around using EMET and a temporary FixIt patch. This is the final fix for OLE Packager that should address all known exploit vectors.

MS14-066 is a new version of Internet Explorer that addresses 17 vulnerabilities. The most severe of these vulnerabilities could end up used to gain control over the targeted machine. An attack will take the form of a malicious webpage the targeted user lands on.

There are two basic scenarios that attackers use frequently: One is the user browses to the site on their own, maybe as part of a daily routine, but the attacker has gained control over the website in question through a separate vulnerability and is able to plant malicious content on the site.

A second scenario has the attacker setting up a new site and then directs traffic to it through Search Engine Manipulations, i.e. sites purporting to have the latest pictures on a recent event of general or specific interest.

MS14-069 addresses Microsoft Word 2007 and provides fixes for a Remote Code Execution (RCE) vulnerability. The attack scenario here is a malicious document the attacker prepares to exploit the vulnerability. Attackers then send the document directly or a link to their targets and use social engineering techniques, such as legitimate sounding file names and content descriptions that likely interest the targets in question. If you run newer versions of Microsoft Office you are not vulnerable, but users of Office 2007 are susceptible to the weakness.

Microsoft ranks highly the next bulletin, which addresses a number of vulnerabilities in an encryption component of Windows called Schannel, which sees use in SSL and TLS connections. The fixes in this bulletin are the result of an internal code review at Microsoft that uncovered a number of memory corruption issues in Schannel in both server and client roles. The vulnerabilities are private, as researchers within Microsoft found them.

The remaining bulletins address a mix of different operating systems and platforms and include a number of server vulnerabilities: MS14-073 in Microsoft SharePoint and MS14-076 in IIS.

Thursday, February 27, 2014 @ 05:02 PM gHale

Third-party programs end up culpable for three quarters of the vulnerabilities discovered in the 50 most popular programs in 2013, new research found.

Those 50 programs pervade enterprise IT infrastructures, either as integral business tools approved, monitored and maintained by IT operations – for example PDF readers and Internet browsers; or as apps on the private devices of employees and management, used in the workplace with or without permission, according to Secunia’s Vulnerability Review 2014.

In these Top 50 programs, there were 1,208 vulnerabilities. Third-party programs were responsible for 76 percent of those vulnerabilities, although these programs only account for 34 percent of the 50 most popular programs on private PCs.

The share of Microsoft programs (including the Windows 7 operating system) in the Top 50 is a prominent 33 products, or 66 percent. Having said that, Microsoft programs were responsible for 24 percent of the vulnerabilities in the Top 50 programs in 2013.

In the classic lexicon of a home seller, all you need is one buyer. The same is true for attackers: All you need is one vulnerability. One well-documented case of how a single vulnerability can open a door for a security breach is the U.S. Department of Energy (DoE) in 2013, which incurred costs of $1.6 million and resulted in the theft of the personal information of 104,000 employees and their families.

The DoE security breach was the result of a combination of managerial and technological system weaknesses – the perfect feeding ground for hackers, enabling them to exploit vulnerabilities present in an infrastructure.

“It is one thing that third-party programs are responsible for the majority of vulnerabilities on a typical PC, rather than Microsoft programs,” said Secunia CTO, Morten R. Stengaard.

“Another very important security factor is how easy it is to update Microsoft programs compared to third-party programs,” he said. “Quite simply, the automation with which Microsoft security updates are made available to end users – through auto-updates, Configuration Management systems and update services – ensures that it is a reasonably simple task to protect private PCs and corporate infrastructures from the vulnerabilities discovered in Microsoft products. This is not so with the large number of third-party vendors, many of whom lack either the capabilities, resources or security focus to make security updates automatically and easily available.”

Wednesday, February 5, 2014 @ 02:02 PM gHale

Rockwell Automation produced a new version that mitigates a password vulnerability in the Rockwell Automation RSLogix 5000 software, according to a report on ICS-CERT.

The following RSLogix 5000 software versions suffer from the issue, discovered by independent researcher Stephen Dunlap: Project files (.ACD) created using RSLogix 5000 software, V7 through V20.01 and V21.0, containing password protected content.

The RSLogix 5000 software vulnerability may allow customer-defined passwords, used to protect certain user-configured content, to end up compromised. Successful exploitation may result in an unauthorized disclosure of user-created content. Exploitation will not directly disrupt operation of Rockwell Automation programmable controllers or other devices in the control system.

Rockwell Automation, which is a U.S.-based company, provides industrial automation control and information products worldwide across a wide range of industries.

The affected product, RSLogix 5000 software, is design and configuration software used with certain Rockwell Automation products. The software is in systems deployed across several sectors including chemical, critical manufacturing, food and agriculture, water and wastewater, and others, according to Rockwell Automation. It is a globally available product used in the United States and the rest of the world.

The vulnerability in RSLogix 5000 software, V7 through V20.01 and V21.0 may allow customer-defined passwords, used to protect certain user-configured content, to end up compromised. Such passwords can help prevent unauthorized access and viewing or tampering of particular content stored in controller configuration programs. Successful exploitation will not directly disrupt operation of Rockwell Automation programmable controllers or other devices in the control system.

CVE-2014-0755 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.

This vulnerability is not exploitable remotely and cannot undergo exploitation without user interaction. The exploit only ends up triggered when a local user accesses the password file.

No known public exploits specifically target this vulnerability. An attacker with a medium skill level would be able to exploit this vulnerability.

New RSLogix 5000 versions, V20.03 and V21.03, address this vulnerability, Rockwell said. These releases include mitigations that enhance password protection.

Project files created in earlier affected RSLogix 5000 versions of software must end up opened, resaved, and then downloaded to the appropriate controller to mitigate the risk associated with this discovered vulnerability.

One important note Rockwell said was files with protected content opened and updated using enhanced software will no longer be compatible with earlier versions of RSLogix 5000 software. For example, a V20.01 project file with protected content opened and resaved using V20.03 software can only open with V20.03 and higher versions of software. Also, a V21.00 project file with protected content opened and resaved using V21.03 software can only open with V21.03 and higher versions of software.

For the procedure to update project files, please refer to Rockwell Automation Knowledgebase AID:565204.

In addition to using current RSLogix 5000 software, Rockwell Automation also recommends the following actions to all concerned customers:
• Where possible, adopt a practice to track creation and distribution of protected ACD files, including duplicates and derivatives that contain protected content.
• Where possible, securely archive protected ACD files or those that contain protected content in a manner that prevents unauthorized access. For instance, store protected ACD files in physical and logical locations where access can end up controlled and the files are stored in a protected, potentially encrypted manner.
• Where possible, securely transmit protected ACD files or those that contain protected content in a manner that prevents unauthorized access. For instance, email protected ACD files only to known recipients and encrypt the files such that only the target recipient can decrypt the content.
• Where possible, restrict physical and network access to controllers containing protected content only to authorized parties in order to help prevent unauthorized uploading of protected material into an ACD file. For some customers, FactoryTalk Security software may be a suitable option to assist customers with applying a Role-based Access Control (RBAC) solution to their system. FactoryTalk Security was integrated into RSLogix 5000 in Version 10.00.
• Where possible, use a unique and complex password for each routine or Add-On Instruction that needs protecting, so as to reduce the risk that multiple files and protected content could end up compromised, should a single password become learned.
• Where possible, adopt a password management practice to periodically change passwords applied to routines and Add-On Instructions to help mitigate the risk that a learned password may remain usable for an extended period of time or indefinitely.

Rockwell Automation encourages their customers to subscribe to Rockwell Automation’s Security Advisory Index (AID:54102) for new and relevant information relating to this and other security-related matters.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web page.

Monday, January 20, 2014 @ 02:01 PM gHale

By Ellen Fussell Policastro
With manufacturing moving more toward a digital environment, security will gain greater importance in the years to come.

“With manufacturing going digital, that leads to extraordinary improvements,” said Helmuth Ludwig, chief executive of Siemens Industry Sector U.S. during a conference call Friday discussing the outlook for the manufacturing sector.

Moving more toward a digital environment means more use of, and reliance upon, software, which could bring great benefits and opportunities for manufacturers. However, that can also introduce the potential for security issues.

“The ability to optimize manufacturing flow with minimized downtime and at the same time supporting this with security systems where the leading companies are working with Siemens very strongly can ensure the manufacturing environment is as secure as possible, which then generates these optimizations.”

Ludwig conducted the conference call from the Detroit Motor Show which was an appropriate backdrop to discuss manufacturing because he saw great promise for the industry as a whole, but especially for the auto industry. Two other industries that showed great promise, he said, were oil and gas and chemical.

Touching the treetops of many reasons to be optimistic this year, Ludwig landed firmly on three main reasons: Virtual planning, software, and education – making manufacturing attractive to students.

Virtual Planning
One of the trends that will increase optimism in 2014 is the use of virtual planning for physical realizations.

“You not only see cars at the motor show, but you see assembly lines – a great example of today’s modern manufacturing — virtually planned and physically realized,” Ludwig said. “Industrial production is at a ten-year high. We’re at a five-year high in sales. Some voices say next year, the gross might flatten off. At the same time you see the automotive industry positive around the future. Volkswagen announced they will invest $7 billion here in North America.”

Ludwig pointed to the Mars Rover as another prime example of virtual planning.

“We hear again and again about the Mars Rover bringing new observations to Earth. It is larger than anything ever sent to Mars.” The mission was to bring it down safely on the surface of Mars. To study this, scientists came up with a complex version of ways to virtually bring it down. “There was no physical alternative; they couldn’t send physical test modules up to Mars.” But they used an integration of virtual testing to accomplish a physical realization.

Software the Key
The key to virtual planning is the use of software, which can change productivity enormously in manufacturing.

“One of our partners is running a virtual machine in parallel with their physical machines,” he said. “They test the new parts introduction in virtual environments, and the downtime of the machine during the changeover process is significantly reduced.”

Software will lead to manufacturing optimism especially in the U.S. because, “there is no country where software is more advanced than in the U.S.,” he said. “People are thinking day and night about software, and 65 percent of all the top hundred software companies are actually headquartered in the U.S.” This becomes even more extreme when you look at the revenue. In fact, 79 percent of the top hundred software companies see their revenue coming from U.S. software companies.

Luring Young People
With an aging population, especially in the manufacturing sector, the need to make manufacturing attractive to young people is even more crucial now. The economic recovery in several technical markets and the strength of physical and virtual manufacturing mean nothing without the right people in place, Ludwig said.

“While so many years the focus has gone away from education, now we’re back on track, making the job of making things attractive to young people,” he said. One way is with 3D printing and expanding apprenticeship programs. One such program is Siemens’ apprenticeship program with Central Piedmont Community College in Charlotte, NC. After three and a half years of training, students learn all aspects of electronics and have a chance to apply it when they leave the program. “They’ll be paid a higher salary than the average college graduate, and they have no debt,” he said. “So there’s another reason that makes manufacturing attractive.”

Siemens is also working with top universities, also supported by government initiatives in advanced manufacturing partnership.

“We’re working together with manufacturing institutes in North Carolina,” he said. “In the first year we (appropriated) $40 million in software. Why? We believe this is the best way of assuring sustainable manufacturing.”
Ellen Fussell Policastro is a freelance writer in Raleigh, NC. Her email is

Wednesday, October 9, 2013 @ 05:10 PM gHale

Safety awards may not garner the publicity of the big name shows like the Academy Awards, but rest assured they are more important as they help keep people and property safe.

Along those lines, functional safety and cyber security certification provider exida named the winners of its first Safety Awards 2013.

Awards were for three categories: Sensors, Logic Solvers, and Software products that best demonstrate innovative work and have the ability to play a key role in the continuous journey of making the world a safer place.

The following companies/products have earned this year’s honors:
• Sensors, and the winner is: Det-tronics’ FlexSonic Acoustic Detector
• Logic Solvers, and the winner is: Emerson Process Management’s DeltaV SIS with Electronic Marshalling
• Software, and the winner is: System Engineering Consultants Co., Ltd.’s RTMSafety

“We received several nominations for products that demonstrated exceptional work, making the decision process very difficult,” said Dr. William Goble, exida principal partner.

“exida recognizes the importance of excellence in functional safety, and congratulates the winners of this year’s awards,” he said. “We commend their commitments to manufacturing/designing products that are sure to make a difference in the ever-evolving world of functional safety.”

This is the first year exida conducted the awards and they are looking to make this an annual event.

Wednesday, October 9, 2013 @ 01:10 PM gHale

Alstom created a patch that mitigates an improper input validation vulnerability in its e-terracontrol software, according to a report on ICS-CERT.

Adam Crain of Automatak and independent researcher Chris Sistrunk, who found the vulnerability, tested the patch to validate that it resolves the remotely exploitable vulnerability.

The following Alstom product suffers from the issue: e-terracontrol, Version 3.5, 3.6, and 3.7.

Successful exploitation of this vulnerability could allow an attacker to affect the availability of the Alstom e-terracontrol software.

Alstom is a France-based company that maintains offices worldwide. The affected product, Alstom e-terracontrol software, applies mainly to SCADA systems to monitor and control electrical energy systems. According to Alstom, e-terracontrol software is mainly in the electric energy sector. Alstom estimates these products are primarily in the U.S. and Europe with a small percentage in Asia.

The Alstom e-terracontrol software does not validate or incorrectly validates input. An attacker could cause the software to go into an infinite loop, causing the process to crash. To clear the problem, a user would have to manually restart the system.
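The report describes the bug only at the level of its class (unvalidated input driving a parser into an infinite loop and a crash), so the following is an added illustration of that class, not Alstom’s code or its real protocol: a constructed type/length/payload record format, a naive step that trusts the length byte, and a hardened parser that refuses records which would stall or overrun the buffer.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed record format (an assumption for this example, not the
 * e-terracontrol wire format): [1 byte type][1 byte total length][payload].
 * The length byte counts the two header bytes as well as the payload. */
typedef struct {
    uint8_t type;
    uint8_t len;
    const uint8_t *payload;
} record_t;

/* Naive step used by a parsing loop: it trusts the length byte completely.
 * A record whose length byte is 0 returns the same offset it was given, so
 * a loop built on this never advances and spins forever. */
static size_t naive_next(size_t off, const uint8_t *buf) {
    return off + buf[off + 1];
}

/* Bounded demonstration of the naive loop. Returns 1 if the loop makes no
 * progress (the infinite-loop condition), 0 if it reaches the end of the
 * buffer. The bounds checks here are harness guards for the demo only; the
 * naive step itself has none. */
int naive_would_hang(const uint8_t *buf, size_t n, int cap) {
    size_t off = 0;
    for (int i = 0; i < cap; i++) {
        if (off + 1 >= n)
            return 0;                    /* reached end: terminates */
        size_t next = naive_next(off, buf);
        if (next == off)
            return 1;                    /* no progress: would loop forever */
        off = next;
    }
    return 1;                            /* still spinning after cap steps */
}

/* Hardened parser: every record must carry at least its own header, must
 * lie entirely inside the buffer, and every iteration must advance.
 * Returns the number of records found, or -1 on malformed input so the
 * caller can drop the message instead of looping. Up to max_out records
 * are copied into out (out may be NULL when max_out is 0). */
int parse_records(const uint8_t *buf, size_t n, record_t *out, size_t max_out) {
    size_t off = 0;
    int count = 0;
    while (off < n) {
        if (n - off < 2)
            return -1;                   /* truncated header */
        uint8_t len = buf[off + 1];
        if (len < 2)
            return -1;                   /* would never advance */
        if (len > n - off)
            return -1;                   /* record overruns buffer */
        if ((size_t)count < max_out) {
            out[count].type = buf[off];
            out[count].len = len;
            out[count].payload = buf + off + 2;
        }
        count++;
        off += len;                      /* guaranteed progress: len >= 2 */
    }
    return count;
}

/* Constructed sample inputs: one well-formed message and two malformed ones. */
const uint8_t kGood[]    = {0x01, 0x04, 0xAA, 0xBB, 0x02, 0x03, 0xCC};
const uint8_t kZeroLen[] = {0x01, 0x00, 0xAA};   /* length 0: stalls naive loop */
const uint8_t kOverrun[] = {0x01, 0x10, 0xAA};   /* length 16 in a 3-byte buffer */

int main(void) {
    record_t recs[4];
    printf("good: %d records\n", parse_records(kGood, sizeof kGood, recs, 4));
    printf("zero-length: %d (naive would hang: %d)\n",
           parse_records(kZeroLen, sizeof kZeroLen, recs, 4),
           naive_would_hang(kZeroLen, sizeof kZeroLen, 1000));
    printf("overrun: %d\n", parse_records(kOverrun, sizeof kOverrun, recs, 4));
    return 0;
}
```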

CVE-2013-2787 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

No known public exploits specifically target this vulnerability, but an attacker with a moderate skill level would be able to exploit this vulnerability.

Alstom produced a patch that is available for download from the Alstom Grid Customer Wise portal.

Tuesday, August 20, 2013 @ 04:08 PM gHale

Vulnerabilities in software and firmware are the easiest ways to attack a system, and two revised publications provide guidance for software patching and warding off malware.

A common method to avoid attacks is to fix the vulnerabilities as soon as possible after the software company develops a patch for the problem. Patch management is the process of identifying, acquiring, installing and verifying patches for products and systems, according to the National Institute of Standards and Technology (NIST), which revised the two publications.

The earlier guidance on patching, “Creating a Patch and Vulnerability Management Program,” was for when patching was a manual process. The revision, “Guide to Enterprise Patch Management Technologies,” is for agencies that take advantage of automated patch management systems such as those based on NIST’s Security Content Automation Protocol (SCAP).

“Guide to Enterprise Patch Management Technologies” explains the technology basics and covers metrics for assessing the technologies’ effectiveness.

The second security document provides guidance to protect computer systems from malware or malicious code. Malware is the most common external threat to most systems and can cause widespread damage and disruption.

NIST’s “Guide to Malware Incident Prevention and Handling for Desktops and Laptops” should help agencies protect against modern malware attacks that are more difficult to detect and eradicate than when the last version published in 2005. The new guidance reflects the growing use of social engineering and the harvesting of social networking information for targeting attacks.

The new malware guide provides information on how to modernize an organization’s malware incident prevention measures and suggests recommendations to enhance an organization’s existing incident response capability to handle modern malware.