Posts Tagged ‘software’

Wednesday, December 17, 2014 @ 11:12 AM gHale

The supply chain ends up being the focal point for too many breaches. Your organization may very well be secure, but how about your partners and suppliers?

Hackers just prey on weaker vendors that have remote access to a larger company’s global IT systems, software and networks.

One case in point is the classic 2013 Target breach where the attackers infiltrated a vulnerable link: A refrigeration system supplier connected to the retailer’s IT system. After that breach, all bets were off.

But it doesn’t have to be that way. A counter-measure, via a user-ready online portal, is in development by researchers in the Supply Chain Management Center at the University of Maryland’s Robert H. Smith School of Business.

The portal comes from a new management science called “cyber supply chain risk management.” It combines three conventionally separate disciplines: cyber security, enterprise risk management and supply chain management.

Funded by the National Institute of Standards and Technology (NIST), the UMD researchers developed the formula, in part, after surveying 200 different-sized companies in various industries.

“We found that, collectively, the cyber supply chain is fragmented and stovepiped, and companies are ill-prepared to sense and respond to risks in real time,” said research professor and center co-director Sandor Boyson, who collaborated on the study and portal design with faculty-colleague/center co-director Thomas Corsi, research fellow Hart Rossman and UMD-Smith CIO Holly Mann. “Just half of our subjects used an executive advisory committee such as a risk board to govern their IT-system risks.”

The findings ended up published in a study entitled “Cyber supply chain risk management: Revolutionizing the strategic control of critical IT systems.”

The researchers leveraged the study into the portal. Companies can log on cost-free, and track developing threats, plus map their IT supply chains and anonymously measure themselves against industry peers and NIST standards.

The benchmarking covers operations and the allocation of cyber insurance via three separate functions:

A self-evaluation exercise shows a company’s structure for cyber protecting the supply chain. For example, users reply to: “To what degree is your CIO and-or IT shop isolated from, or collaborative with, your supply chain specialists who actually procure the hardware and software for your IT system?”

A special formula measures the risk level of each company asset. The Common Vulnerability Scoring System (CVSS), the standard for analyzing software systems, can be applied to the entire range of assets connected to the cyber supply chain.

Firms can compare corporate disclosures, exposures and vulnerabilities to those of peer companies via an insurance-risk analysis framework provided by The Willis Group. The global insurance broker’s database of aggregated cyber attacks reported to the SEC, as mandated for public companies, supports this tool.

The portal is scalable. About 150 companies of various sizes have completed at least one of the functions. Fifteen of those firms completed all three assessments and represent industries including high-tech aerospace manufacturing, telecommunications, real estate, and medical and professional services.

“The portal helps individual organizations understand their risk and how they can better manage it. This bolsters the resilience and security posture of the entire ecosystem of the U.S. economy,” said Jon Boyens, senior advisor for information security in NIST’s computer security division. “While this ecosystem has evolved to provide a set of highly refined, cost-effective, reusable products and services that support the U.S. economy, it has also increased opportunities for adversaries and made it increasingly difficult for organizations to understand their risks.”

Friday, November 14, 2014 @ 04:11 PM gHale

Patch Tuesday this month means 14 bulletins with new versions and patches for Microsoft software, operating systems and applications.

The most important bulletin, MS14-064, addresses a current zero-day vulnerability, CVE-2014-6352, in the Windows OLE packager for Vista and newer OS versions. Attackers have been leveraging the vulnerability to gain code execution by sending PowerPoint files to their targets. Microsoft had previously acknowledged the vulnerability in security advisory KB3010060 and offered a workaround using EMET and a temporary FixIt patch. This is the final fix for the OLE Packager and should address all known exploit vectors.

MS14-066 is a new version of Internet Explorer that addresses 17 vulnerabilities. The most severe of these vulnerabilities could end up used to gain control over the targeted machine. An attack will take the form of a malicious webpage the targeted user lands on.

There are two basic scenarios that attackers use frequently: One is the user browses to the site on their own, maybe as part of a daily routine, but the attacker has gained control over the website in question through a separate vulnerability and is able to plant malicious content on the site.

A second scenario has the attacker setting up a new site and then directing traffic to it through search engine manipulation, i.e. sites purporting to have the latest pictures of a recent event of general or specific interest.

MS14-069 addresses Microsoft Word 2007 and provides fixes for a Remote Code Execution (RCE) vulnerability. The attack scenario here is a malicious document the attacker prepares to exploit the vulnerability. Attackers then send the document directly or a link to their targets and use social engineering techniques, such as legitimate sounding file names and content descriptions that likely interest the targets in question. If you run newer versions of Microsoft Office you are not vulnerable, but users of Office 2007 are susceptible to the weakness.

Microsoft rates the next bulletin highly. It addresses a number of vulnerabilities in an encryption component of Windows called Schannel, which is used for SSL and TLS connections. The fixes in this bulletin are the result of an internal code review at Microsoft that uncovered a number of memory corruption issues in Schannel in both server and client roles. The vulnerabilities were privately reported, as researchers within Microsoft found them.

The remaining bulletins address a mix of different operating systems and platforms and include a number of server vulnerabilities: MS14-073 in Microsoft SharePoint and MS14-076 in IIS.

Thursday, February 27, 2014 @ 05:02 PM gHale

Third-party programs were responsible for three quarters of the vulnerabilities discovered in the 50 most popular programs in 2013, new research found.

Those 50 programs pervade enterprise IT infrastructures, either as integral business tools approved, monitored and maintained by IT operations (for example PDF readers and Internet browsers), or as apps on the private devices of employees and management, used in the workplace with or without permission, according to Secunia’s Vulnerability Review 2014.

In these Top 50 programs, there were 1,208 vulnerabilities. Third-party programs were responsible for 76 percent of those vulnerabilities, although these programs only account for 34 percent of the 50 most popular programs on private PCs.

The share of Microsoft programs (including the Windows 7 operating system) in the Top 50 is a prominent 33 products, or 66 percent. Having said that, Microsoft programs were responsible for 24 percent of the vulnerabilities in the Top 50 programs in 2013.

In the classic lexicon of a home seller, all you need is one buyer. The same is true for attackers: All you need is one vulnerability. One well-documented case of how a single vulnerability can open the door to a security breach is the 2013 breach at the U.S. Department of Energy (DoE), which incurred costs of $1.6 million and resulted in the theft of the personal information of 104,000 employees and their families.

The DoE security breach was the result of a combination of managerial and technological system weaknesses – the perfect feeding ground for hackers, enabling them to exploit vulnerabilities present in an infrastructure.

“It is one thing that third-party programs are responsible for the majority of vulnerabilities on a typical PC, rather than Microsoft programs,” said Secunia CTO Morten R. Stengaard.

“Another very important security factor is how easy it is to update Microsoft programs compared to third-party programs,” he said. “Quite simply, the automation with which Microsoft security updates are made available to end users – through auto-updates, Configuration Management systems and update services – ensures that it is a reasonably simple task to protect private PCs and corporate infrastructures from the vulnerabilities discovered in Microsoft products. This is not so with the large number of third-party vendors, many of whom lack either the capabilities, resources or security focus to make security updates automatically and easily available.”

Wednesday, February 5, 2014 @ 02:02 PM gHale

Rockwell Automation produced a new version that mitigates a password vulnerability in the Rockwell Automation RSLogix 5000 software, according to a report on ICS-CERT.

The issue, discovered by independent researcher Stephen Dunlap, affects project files (.ACD) containing password-protected content that were created using RSLogix 5000 software V7 through V20.01 and V21.0.

The RSLogix 5000 software vulnerability may allow customer-defined passwords, used to protect certain user-configured content, to end up compromised. Successful exploitation may result in an unauthorized disclosure of user-created content. Exploitation will not directly disrupt operation of Rockwell Automation programmable controllers or other devices in the control system.

Rockwell Automation, which is a U.S.-based company, provides industrial automation control and information products worldwide across a wide range of industries.

The affected product, RSLogix 5000 software, is design and configuration software used with certain Rockwell Automation products. The software is in systems deployed across several sectors including chemical, critical manufacturing, food and agriculture, water and wastewater, and others, according to Rockwell Automation. It is a globally available product used in the United States and the rest of the world.

The vulnerability in RSLogix 5000 software, V7 through V20.01 and V21.0 may allow customer-defined passwords, used to protect certain user-configured content, to end up compromised. Such passwords can help prevent unauthorized access and viewing or tampering of particular content stored in controller configuration programs. Successful exploitation will not directly disrupt operation of Rockwell Automation programmable controllers or other devices in the control system.

CVE-2014-0755 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.

This vulnerability is not exploitable remotely and cannot be exploited without user interaction. It is triggered only when a local user accesses the password file.

No known public exploits specifically target this vulnerability. An attacker with a medium skill would be able to exploit this vulnerability.

New RSLogix 5000 versions, V20.03 and V21.03, address this vulnerability, Rockwell said. These releases include mitigations that enhance password protection.

Project files created in earlier, affected RSLogix 5000 versions must be opened, resaved, and then downloaded to the appropriate controller to mitigate the risk associated with this vulnerability.

Rockwell noted that files with protected content opened and updated using the enhanced software will no longer be compatible with earlier versions of RSLogix 5000 software. For example, a V20.01 project file with protected content opened and resaved using V20.03 software can only be opened with V20.03 and higher versions of the software. Likewise, a V21.00 project file with protected content opened and resaved using V21.03 software can only be opened with V21.03 and higher versions.

For the procedure to update project files, please refer to Rockwell Automation Knowledgebase AID:565204.

In addition to using current RSLogix 5000 software, Rockwell Automation also recommends the following actions to all concerned customers:
• Where possible, adopt a practice to track creation and distribution of protected ACD files, including duplicates and derivatives that contain protected content.
• Where possible, securely archive protected ACD files or those that contain protected content in a manner that prevents unauthorized access. For instance, store protected ACD files in physical and logical locations where access can be controlled and the files are stored in a protected, potentially encrypted manner.
• Where possible, securely transmit protected ACD files or those that contain protected content in a manner that prevents unauthorized access. For instance, email protected ACD files only to known recipients and encrypt the files such that only the intended recipient can decrypt the content.
• Where possible, restrict physical and network access to controllers containing protected content to authorized parties only, in order to help prevent unauthorized uploading of protected material into an ACD file. For some customers, FactoryTalk Security software may be a suitable option for applying a Role-based Access Control (RBAC) solution to their system. FactoryTalk Security was integrated into RSLogix 5000 in Version 10.00.
• Where possible, use a unique and complex password for each routine or Add-On Instruction you want to protect, so as to reduce the risk that multiple files and protected content could be compromised should a single password be learned.
• Where possible, adopt a password management practice of periodically changing the passwords applied to routines and Add-On Instructions, to help mitigate the risk that a learned password remains usable for an extended period of time or indefinitely.

Rockwell Automation encourages its customers to subscribe to Rockwell Automation’s Security Advisory Index (AID:54102) for new and relevant information relating to this and other security-related matters.

For more information and for assistance with assessing the state of security of your existing control system, including improving your system-level security when using Rockwell Automation and other vendor controls products, you can visit the Rockwell Automation Security Solutions web page.

Monday, January 20, 2014 @ 02:01 PM gHale

By Ellen Fussell Policastro
With manufacturing moving more toward a digital environment, security will gain greater importance in the years to come.

“With manufacturing going digital, that leads to extraordinary improvements,” said Helmuth Ludwig, chief executive of Siemens Industry Sector U.S. during a conference call Friday discussing the outlook for the manufacturing sector.

Moving more toward a digital environment means more use of, and reliance upon, software, which could bring great benefits and opportunities for manufacturers. However, that can also introduce the potential for security issues.

“The ability to optimize manufacturing flow with minimized downtime and at the same time supporting this with security systems where the leading companies are working with Siemens very strongly can ensure the manufacturing environment is as secure as possible, which then generates these optimizations.”

Ludwig conducted the conference call from the Detroit Motor Show, which was an appropriate backdrop for discussing manufacturing because he saw great promise for the industry as a whole, but especially for the auto industry. Two other industries that showed great promise, he said, were oil and gas and chemical.

Touching the treetops of many reasons to be optimistic this year, Ludwig landed firmly on three main reasons: Virtual planning, software, and education – making manufacturing attractive to students.

Virtual Planning
One of the trends that will increase optimism in 2014 is the use of virtual planning for physical realizations.

“You not only see cars at the motor show, but you see assembly lines – a great example of today’s modern manufacturing — virtually planned and physically realized,” Ludwig said. “Industrial production is at a ten-year high. We’re at a five-year high in sales. Some voices say next year, the gross might flatten off. At the same time you see the automotive industry positive around the future. Volkswagen announced they will invest $7 billion here in North America.”

Ludwig pointed to the Mars Rover as another prime example of virtual planning.

“We hear again and again about the Mars Rover bringing new observations to Earth. It is larger than anything ever sent to Mars.” The mission was to bring it down safely on the surface of Mars. To study this, scientists came up with a complex version of ways to virtually bring it down. “There was no physical alternative; they couldn’t send physical test modules up to Mars.” But they used an integration of virtual testing to accomplish a physical realization.

Software the Key
The key to virtual planning is the use of software, which can change productivity enormously in manufacturing.

“One of our partners is running a virtual machine in parallel with their physical machines,” he said. “They test the new parts introduction in virtual environments, and the downtime of the machine during the changeover process is significantly reduced.”

Software will lead to manufacturing optimism especially in the U.S. because, “there is no country where software is more advanced than in the U.S.,” he said. “People are thinking day and night about software, and 65 percent of all the top hundred software companies are actually headquartered in the U.S.” This becomes even more extreme when you look at the revenue. In fact, 79 percent of the top hundred software companies see their revenue coming from U.S. software companies.

Luring Young People
With an aging population, especially in the manufacturing sector, the need to make manufacturing attractive to young people is even more crucial now. The economic recovery in several technical markets and the strength of physical and virtual manufacturing mean nothing without the right people in place, Ludwig said.

“While so many years the focus has gone away from education, now we’re back on track, making the job of making things attractive to young people,” he said. One way is with 3D printing and expanding apprenticeship programs. One such program is Siemens’ apprenticeship program with Central Piedmont Community College in Charlotte, NC. After three and a half years of training, students learn all aspects of electronics and have a chance to apply it when they leave the program. “They’ll be paid a higher salary than the average college graduate, and they have no debt,” he said. “So there’s another reason that makes manufacturing attractive.”

Siemens is also working with top universities, also supported by government initiatives in advanced manufacturing partnership.

“We’re working together with manufacturing institutes in North Carolina,” he said. “In the first year we (appropriated) $40 million in software. Why? We believe this is the best way of assuring sustainable manufacturing.”
Ellen Fussell Policastro is a freelance writer in Raleigh, NC. Her email is efpolicastro@gmail.com.

Wednesday, October 9, 2013 @ 05:10 PM gHale

Safety awards may not garner the publicity of the big name shows like the Academy Awards, but rest assured they are more important as they help keep people and property safe.

Along those lines, functional safety and cyber security certification provider exida named the winners of its first Safety Awards 2013.

Awards were for three categories: Sensors, Logic Solvers, and Software products that best demonstrate innovative work and have the ability to play a key role in the continuous journey of making the world a safer place.

The following companies/products have earned this year’s honors:
• Sensors, and the winner is: Det-tronics’ FlexSonic Acoustic Detector
• Logic Solvers, and the winner is: Emerson Process Management’s DeltaV SIS with Electronic Marshalling
• Software, and the winner is: System Engineering Consultants Co., Ltd.’s RTMSafety

“We received several nominations for products that demonstrated exceptional work, making the decision process very difficult,” said Dr. William Goble, exida principal partner.

“exida recognizes the importance of excellence in functional safety, and congratulates the winners of this year’s awards,” he said. “We commend their commitments to manufacturing/designing products that are sure to make a difference in the ever-evolving world of functional safety.”

This is the first year exida conducted the awards and they are looking to make this an annual event.

Wednesday, October 9, 2013 @ 01:10 PM gHale

Alstom created a patch that mitigates an improper input validation vulnerability in its e-terracontrol software, according to a report on ICS-CERT.

Adam Crain of Automatak and independent researcher Chris Sistrunk, who found the vulnerability, tested the patch to validate that it resolves the remotely exploitable vulnerability.

The following Alstom product suffers from the issue: e-terracontrol, Version 3.5, 3.6, and 3.7.

Successful exploitation of this vulnerability could allow an attacker to affect the availability of the Alstom e-terracontrol software.

Alstom is a France-based company that maintains offices worldwide. The affected product, Alstom e-terracontrol software, applies mainly to SCADA systems used to monitor and control electrical energy systems. According to Alstom, e-terracontrol software is used mainly in the electric energy sector. Alstom estimates these products are deployed primarily in the U.S. and Europe, with a small percentage in Asia.

The Alstom e-terracontrol software does not validate or incorrectly validates input. An attacker could cause the software to go into an infinite loop, causing the process to crash. To clear the problem, a user would have to manually restart the system.

CVE-2013-2787 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
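The CVSS v2 base score quoted here, like the 6.3 score for CVE-2014-0755 in the RSLogix 5000 item and the per-asset CVSS risk measure the UMD portal applies, comes from the CVSS v2 base equation. The calculator below is an added example, not code from ICS-CERT, Alstom, Rockwell or the UMD portal; the vector strings in it are assumptions chosen to reproduce the quoted scores, since the advisories' actual vectors are not given above.

```python
"""CVSS v2 base-score calculator plus a per-asset ranking helper.

Added example; the example vectors are assumptions that reproduce the
scores quoted in the articles (6.3 and 7.1), not the advisories' own data.
"""

# Metric weights from the CVSS v2 base equation.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
REQUIRED_METRICS = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:M/Au:N/C:N/I:N/A:C' into a dict, rejecting bad input."""
    metrics = {}
    for part in vector.split("/"):
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {part!r}")
        metrics[key] = value
    if tuple(sorted(metrics)) != tuple(sorted(REQUIRED_METRICS)):
        raise ValueError(f"vector must contain exactly {REQUIRED_METRICS}")
    return metrics


def subscores(vector: str) -> tuple:
    """Return (impact, exploitability) subscores for a CVSS v2 vector."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]])
                         * (1 - IMPACT[m["I"]])
                         * (1 - IMPACT[m["A"]]))
    exploitability = (20 * ACCESS_VECTOR[m["AV"]]
                         * ACCESS_COMPLEXITY[m["AC"]]
                         * AUTHENTICATION[m["Au"]])
    return impact, exploitability


def base_score(vector: str) -> float:
    """CVSS v2 base score, rounded to one decimal as the spec requires."""
    impact, exploitability = subscores(vector)
    f_impact = 0.0 if impact == 0 else 1.176  # spec: f(Impact)=0 when Impact=0
    score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(score, 1)


def rank_assets(assets: dict) -> list:
    """Score a mapping of asset name -> vector and sort highest risk first.

    Mirrors the portal's per-asset risk measure described in the supply
    chain item; asset names and vectors are the caller's own data.
    """
    ranked = [(name, base_score(vec)) for name, vec in assets.items()]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


# Assumed vectors (constructed): a local, user-interaction, confidentiality
# and integrity compromise reproduces 6.3; a network-reachable denial of
# service with medium complexity reproduces 7.1.
RSLOGIX_ASSUMED_VECTOR = "AV:L/AC:M/Au:N/C:C/I:C/A:N"
ETERRACONTROL_ASSUMED_VECTOR = "AV:N/AC:M/Au:N/C:N/I:N/A:C"

if __name__ == "__main__":
    for label, vec in (("RSLogix 5000 (assumed)", RSLOGIX_ASSUMED_VECTOR),
                       ("e-terracontrol (assumed)", ETERRACONTROL_ASSUMED_VECTOR)):
        print(f"{label}: {vec} -> {base_score(vec)}")
```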

No known public exploits specifically target this vulnerability, but an attacker with a moderate skill level would be able to exploit this vulnerability.

Alstom produced a patch that is available for download from the Alstom Grid Customer Wise portal.

Tuesday, August 20, 2013 @ 04:08 PM gHale

Vulnerabilities in software and firmware are the easiest ways to attack a system, and two revised publications provide guidance for software patching and warding off malware.

A common method to avoid attacks is to fix the vulnerabilities as soon as possible after the software company develops a patch for the problem. Patch management is the process of identifying, acquiring, installing and verifying patches for products and systems, according to the National Institute of Standards and Technology (NIST), which revised the two publications.

The earlier guidance on patching, “Creating a Patch and Vulnerability Management Program,” was for when patching was a manual process. The revision, “Guide to Enterprise Patch Management Technologies,” is for agencies that take advantage of automated patch management systems such as those based on NIST’s Security Content Automation Protocol (SCAP).

“Guide to Enterprise Patch Management Technologies” explains the technology basics and covers metrics for assessing the technologies’ effectiveness.

The second security document provides guidance to protect computer systems from malware or malicious code. Malware is the most common external threat to most systems and can cause widespread damage and disruption.

NIST’s “Guide to Malware Incident Prevention and Handling for Desktops and Laptops” should help agencies protect against modern malware attacks that are more difficult to detect and eradicate than when the last version published in 2005. The new guidance reflects the growing use of social engineering and the harvesting of social networking information for targeting attacks.

The new malware guide provides information on how to modernize an organization’s malware incident prevention measures and suggests recommendations to enhance an organization’s existing incident response capability to handle modern malware.

Tuesday, June 18, 2013 @ 08:06 PM gHale

Microsoft released version 4.0 of its Enhanced Mitigation Experience Toolkit (EMET), a free utility that helps prevent memory corruption vulnerabilities in software from being exploited for code execution.

This latest version has a redesigned user interface and addresses known application compatibility issues.

A new exception to the SSL certificate pinning rules was added. If enabled, it makes EMET verify only the public key component of the root CAs present in the rule, without matching the subject name and serial number.

The Certificate Trust feature is also available on 64-bit versions of Internet Explorer, and new rules for Twitter, Facebook, and Yahoo! were added to the previous default ones for Microsoft online services.

“When an exploitation attempt is detected and blocked by EMET, a set of information related to the attack is prepared with the Microsoft Error Reporting (MER) functionality. For enterprise customers collecting error reports via tools like Microsoft Desktop Optimization Package or the Client Monitoring feature of System Center Operations Manager, these error reports can be triaged locally and used as an early warning program indicating possible attacks against the corporate network,” said the EMET team two months ago when introducing the beta version of EMET 4.0.

In addition to strengthened mitigation and bypass-blocking techniques, the new version also allows users to switch to “Audit Mode,” which reports an exploitation attempt but does not terminate the application. This option is not on by default.

Finally, Group Policy profiles were updated to include the ability to configure system and application mitigations, the reporting mechanisms, the advanced mitigation configurations, and the exploit action.

Click here to download the toolkit.

Tuesday, June 11, 2013 @ 04:06 PM gHale

A piece of malware called Bicololo, originally designed to target Russian Internet users, is now evolving.

A new version of the malware is on a Russian Android app site, said researchers at ThreatTrack Security. Designers of the malicious software actually disguised it as one of ThreatTrack’s products, VIPRE Antivirus.

After analyzing the app site, experts determined its sole purpose is to distribute malware disguised as software, games, movies and music. To make it look more legitimate, the logos of various IT security companies are displayed on the website.

When users press the button to download the bogus antivirus, they receive an archive file that contains an executable, “_vipre.exe,” and a text file.

Once run, the executable deploys other malicious files. The HOSTS file on the infected system is modified so that every time victims visit certain websites, such as my.mail.ru, odnoklassniki.ru, ok.ru, m.odnoklassniki.ru or vk.ru, they are sent to corresponding phishing pages.

Once Bicololo runs on a system, it drops and executes component files, such as batch (.bat) and script (.vbs) files, and then modifies the HOSTS file, ThreatTrack researchers said.
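A HOSTS-file redirection of the kind described above is easy to check for on a suspect machine. The checker below is an added example (not ThreatTrack's code) that parses a HOSTS file and flags the domains named in the article whenever they resolve to a non-loopback address; the sample file contents and the 203.0.113.7 address are constructed.

```python
"""Flag HOSTS-file entries that redirect the sites named in the article.

Added example with constructed sample data; WATCHED_DOMAINS is taken from
the article's list and would be extended in a real deployment.
"""

import ipaddress
from typing import List, NamedTuple

WATCHED_DOMAINS = {
    "my.mail.ru", "odnoklassniki.ru", "ok.ru", "m.odnoklassniki.ru", "vk.ru",
}


class Finding(NamedTuple):
    line_no: int
    address: str
    hostname: str


def parse_hosts(text: str):
    """Yield (line_no, address, hostname) for each mapping, skipping comments.

    A line may map one address to several hostnames; each is yielded.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            yield line_no, address, name.lower().rstrip(".")


def is_watched(hostname: str, watched=WATCHED_DOMAINS) -> bool:
    """True for a watched domain or any subdomain of one."""
    return hostname in watched or any(hostname.endswith("." + d) for d in watched)


def suspicious_entries(text: str, watched=WATCHED_DOMAINS) -> List[Finding]:
    """Return watched hostnames that are mapped somewhere other than loopback.

    Entries pointing at 127.0.0.1, ::1 or 0.0.0.0 are treated as benign
    sink-holing (common in ad blockers); anything else is a redirection.
    """
    findings = []
    for line_no, address, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            # Unparseable address next to a watched name: still worth review.
            findings.append(Finding(line_no, address, name))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append(Finding(line_no, address, name))
    return findings


# Constructed sample HOSTS content, not captured from a real infection.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
0.0.0.0     ads.example.net
203.0.113.7 vk.ru www.vk.ru      # constructed redirection
203.0.113.7 my.mail.ru
127.0.0.1   ok.ru                # harmless: loopback
"""

if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.address}")
```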

ThreatTrack Security’s Jovi Umawing reports the phishing pages have very nice designs.

Additional technical details regarding this Bicololo variant are available on ThreatTrack Security’s blog.
