Episode 255: ControlTalk NOW — Smart Buildings Videocast and PodCast for week ending Feb 18, 2018 features our interview and cyber security discussion with two of our industry’s most venerated experts from Intelligent Buildings, Darryl Benson and Fred Gordy. Darryl and Fred offer the ControlTrends Community some astute advice and pose an interesting question to system integrators: Do you want to maintain the cyber security risks [Read more…]
Mitigating Meltdown and Spectre Vulnerabilities
Dear valued partner,
On January 3, 2018, a group of researchers from Google Project Zero, Cyberus Technology and several universities revealed two major flaws in computer chips that could leave a huge number of computers and smartphones vulnerable to security concerns. Called “Meltdown” and “Spectre,” the flaws exist in processor families and could allow an attacker to read sensitive data stored in the memory, like passwords, or look at what tabs someone has open on their computer. Researchers indicate almost every computing system – desktops, laptops, smartphones, and cloud servers – is affected by these flaws.
Tridium takes the security of our customers and products seriously. Upon learning about this CPU issue, we began a company-wide product review to determine which of our devices are affected, and what corrective actions are necessary. Our findings to date are summarized below.
IMPACTED TRIDIUM PRODUCTS:
Niagara Supervisor running on Windows or Linux
If you have a Niagara Supervisor that runs on Windows or Linux, your machine may be affected.
Recommended Customer Actions:
* Update your operating systems with the latest patches, making sure that your organization has a patch management plan that is always executed.
* For Windows, please follow the instructions from Microsoft for patching your systems. You may access this information via this link.
* For Linux, please follow the instructions from Red Hat for patching your systems. You may access this information via this link.
* Ensure anti-virus software is up-to-date.
* Ensure that your Supervisor machine, which is a mission-critical system, is not being used for email access or general web browsing. The Spectre/Meltdown threats require malware be executed on a target machine. Malware attacks typically come from malicious web links, malware-based email attachments and infected USB disks.
* Control physical access to your mission critical systems to prevent attackers from using infected USB disks to infect your machines. Physical security is critical, and your systems must be protected.
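As a worked example of verifying the first recommended action on a Linux Supervisor host, the following script is added here (it is not Tridium's code and does not come from the advisory). It reads the per-vulnerability status files that the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities once a kernel with the reporting interface is installed, and classifies each as mitigated, vulnerable, not affected, or missing. The sample status dictionaries are constructed to show what a patched and an unpatched host report; the sysfs path and file names are the kernel's own.

```python
import os

# sysfs directory the Linux kernel uses to report speculative-execution status
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
# The entries relevant to the advisory: Meltdown and the two Spectre variants.
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map a raw kernel status line to a coarse verdict based on its prefix."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(vuln_dir: str = VULN_DIR) -> dict:
    """Return {entry: raw status}. A missing file means the running kernel
    predates the reporting interface, which is itself a patching finding."""
    result = {}
    for name in CHECKS:
        try:
            with open(os.path.join(vuln_dir, name)) as fh:
                result[name] = fh.read().strip()
        except OSError:
            result[name] = "missing: kernel does not report this entry"
    return result


def needs_patching(statuses: dict) -> list:
    """Entries that are reported vulnerable or cannot be confirmed mitigated."""
    return [n for n, raw in statuses.items()
            if classify(raw) in ("vulnerable", "unknown")]


# Constructed samples of what a patched and an unpatched host might report.
SAMPLE_PATCHED = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline",
}
SAMPLE_UNPATCHED = {
    "meltdown": "Vulnerable",
    "spectre_v1": "Vulnerable",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}

if __name__ == "__main__":
    live = read_status()
    for name, raw in live.items():
        print(f"{name:11s} {classify(raw):13s} {raw}")
    print("needs patching:", needs_patching(live) or "none")
```

Run it on the Supervisor host after applying the distribution's kernel update and rebooting; any entry listed under "needs patching" means the patch management plan has not yet reached that host. On Windows Supervisors the equivalent check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), which reports the same hardware and OS mitigation state.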
We are continuing to work with our vendors in our investigation, but at this point, we know the following:
* The JACE 2/3/6/7 families use a much older PPC architecture, and the processor vendor has determined that they are not susceptible to Spectre and Meltdown.
* The JACE-8000 is not affected by Meltdown.
* The JACE-8000 uses an ARM chip that is reportedly vulnerable to Spectre. The vendor of the operating system of the JACE is doing further investigation into what patches could possibly apply. Tridium will be working closely with them to determine what OS changes, if any, should be made to mitigate any threat. In the meantime, Tridium has employed significant security measures that mitigate the threat of malware executing on a device.
A Spectre attack requires malware execution. The security controls that are employed by the JACE-8000 include (but are not limited to) the following:
* Niagara’s JACE-8000 employs a “secure boot” process, providing integrity validation of the image at boot time, providing non-repudiated assurance that the root image wasn’t tampered with.
* Niagara 4 employs integrity validation of the core framework at run-time, validating the digital signatures of all Niagara run-time components, ensuring that core Tridium Software has not been tampered with.
* Niagara 4’s Security Manager provides malware prevention by “sandboxing” third party modules, restricting installed software to a limited set of permissions, and terminating execution of any installed software that attempts unauthorized privileges.
* Niagara limits administrative controls and access to sensitive areas of Niagara to authenticated administrators with platform access.
It is important to understand that the security of your Niagara system also revolves around how your system is configured on your network. Please refer to the following documents to ensure that your systems are up-to-date with best practices:
* Niagara AX Hardening Guide (Step-by-Step Guidance for securing your AX systems)
* Niagara 4 Hardening Guide (Step-by-Step Guidance for securing your Niagara 4+ systems)
* TridiumTalk on Cybersecurity – “Defending Your Business Against Cyber Threats” (One hour webinar on Cybersecurity best practices in your organization)
* Q&A from TridiumTalk on Cybersecurity
* Tridium Cybersecurity White Paper
If you have any questions, please contact your Tridium account manager or contact Customer Support via email@example.com.
Homeland Security Advisory TA17-318B: HIDDEN COBRA – North Korean Trojan: Volgmer. Original release date: November 14, 2017. Systems Affected: Network systems
Overview: This joint Technical Alert (TA) is the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with a Trojan malware variant used by the North Korean government—commonly known as Volgmer. The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA. For more information on HIDDEN COBRA activity, visit https://www.us-cert.gov/hiddencobra.
FBI has high confidence that HIDDEN COBRA actors are using the IP addresses—listed in this report’s IOC files—to maintain a presence on victims’ networks and to further network exploitation. DHS and FBI are distributing these IP addresses to enable network defense and reduce exposure to North Korean government malicious cyber activity.
This alert includes IOCs related to HIDDEN COBRA, IP addresses linked to systems infected with Volgmer malware, malware descriptions, and associated signatures. This alert also includes suggested response actions to the IOCs provided, recommended mitigation techniques, and information on reporting incidents. If users or administrators detect activity associated with the Volgmer malware, they should immediately flag it, report it to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and give it the highest priority for enhanced mitigation.
For a downloadable copy of IOCs, see:
NCCIC conducted analysis on five files associated with or identified as Volgmer malware and produced a Malware Analysis Report (MAR). MAR-10135536-D examines the tactics, techniques, and procedures observed. For a downloadable copy of the MAR, see:
MAR IOCs (.stix)
Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. Since at least 2013, HIDDEN COBRA actors have been observed using Volgmer malware in the wild to target the government, financial, automotive, and media industries.
It is suspected that spear phishing is the primary delivery mechanism for Volgmer infections; however, HIDDEN COBRA actors use a suite of custom tools, some of which could also be used to initially compromise a system. Therefore, it is possible that additional HIDDEN COBRA malware may be present on network infrastructure compromised with Volgmer.
The U.S. Government has analyzed Volgmer’s infrastructure and has identified it on systems using both dynamic and static IP addresses. At least 94 static IP addresses were identified, as well as dynamic IP addresses registered across various countries. The greatest concentrations of dynamic IP addresses are identified below by approximate percentage:
| Country | Dynamic IPs | Share |
| --- | --- | --- |
| India | 772 | 25.4 percent |
| Iran | 373 | 12.3 percent |
| Pakistan | 343 | 11.3 percent |
| Saudi Arabia | 182 | 6 percent |
| Taiwan | 169 | 5.6 percent |
| Thailand | 140 | 4.6 percent |
| Sri Lanka | 121 | 4 percent |
| China (including Hong Kong, 12) | 82 | 2.7 percent |
| Vietnam | 80 | 2.6 percent |
| Indonesia | 68 | 2.2 percent |
| Russia | 68 | 2.2 percent |
As a backdoor Trojan, Volgmer has several capabilities including: gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. In one of the samples received for analysis, the US-CERT Code Analysis Team observed botnet controller functionality.
Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications.
Malicious actors commonly maintain persistence on a victim’s system by installing the malware as a service. Volgmer queries the system and randomly selects a service in which to install a copy of itself. The malware then overwrites the ServiceDLL entry in the selected service’s registry entry. In some cases, HIDDEN COBRA actors give the created service a pseudo-random name that may be composed of various hardcoded words.
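The persistence technique above leaves a concrete artifact: a ServiceDLL value that points at a DLL the service should not be loading. The following script is an added example of a host review for that artifact; it is not from the alert and not a government tool. On Windows it enumerates HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDLL through the standard winreg module; on any other platform it falls back to a constructed sample list (service names and paths invented for illustration) so the logic can be exercised offline. The trusted-directory list and the "%SystemRoot%" expansion are the example's own assumptions.

```python
import ntpath
import sys

# Constructed sample of (service name, ServiceDLL value) pairs standing in for a
# registry enumeration. Names and paths are made up for this example.
SAMPLE_SERVICES = [
    ("Dhcp", r"%SystemRoot%\system32\dhcpcore.dll"),
    ("Schedule", r"C:\Windows\System32\schedsvc.dll"),
    ("NetUpdateHelper", r"C:\Windows\Temp\nuhsvc.dll"),            # outside System32
    ("wuauserv", r"C:\Windows\system32\wuaueng.dll"),
    ("BackupAgentSvc", r"C:\Windows\System32\..\Temp\bagent.dll"),  # traversal out of System32
]

# Directories a Windows-supplied ServiceDLL is expected to live in (assumption).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def normalize(path: str, system_root: str = r"C:\Windows") -> str:
    """Expand %SystemRoot%, strip quotes, collapse '..' and mixed separators."""
    p = path.strip().strip('"')
    p = p.replace("%SystemRoot%", system_root).replace("%systemroot%", system_root)
    return ntpath.normpath(p).lower()


def is_suspicious_servicedll(path: str) -> bool:
    """True when the DLL resolves to a location outside the trusted directories."""
    n = normalize(path)
    return not any(n.startswith(d + "\\") for d in TRUSTED_DIRS)


def review_services(services):
    """Names of services whose ServiceDLL deserves analyst review."""
    return [name for name, dll in services if is_suspicious_servicedll(dll)]


def enumerate_servicedlls():
    """Read live values on Windows; return the constructed sample elsewhere."""
    if sys.platform != "win32":
        return SAMPLE_SERVICES
    import winreg
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as services:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(services, i)
            except OSError:
                break  # no more subkeys
            i += 1
            try:
                with winreg.OpenKey(services, name + r"\Parameters") as params:
                    dll, _ = winreg.QueryValueEx(params, "ServiceDLL")
                    found.append((name, dll))
            except OSError:
                continue  # service has no Parameters key or no ServiceDLL value
    return found


if __name__ == "__main__":
    for name in review_services(enumerate_servicedlls()):
        print("review:", name)
```

A hit is a lead, not a verdict: legitimate third-party software also registers services with DLLs under Program Files, so the reviewer's next step is to check the flagged file's hash, signature and creation time against the alert's IOCs rather than to remove it on sight.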
Detection and Response
This alert’s IOC files provide HIDDEN COBRA indicators related to Volgmer. DHS and FBI recommend that network administrators review the information provided, identify whether any of the provided IP addresses fall within their organizations’ allocated IP address space, and—if found—take necessary measures to remove the malware.
When reviewing network perimeter logs for the IP addresses, organizations may find instances of these IP addresses attempting to connect to their systems. Upon reviewing the traffic from these IP addresses, system owners may find some traffic relates to malicious activity and some traffic relates to legitimate activity.
Network Signatures and Host-Based Rules
This section contains network signatures and host-based rules that can be used to detect malicious activity associated with HIDDEN COBRA actors. Although created using a comprehensive vetting process, the possibility of false positives always remains. These signatures and rules should be used to supplement analysis and should not be used as a sole source of attributing this activity to HIDDEN COBRA actors.
Snort signature:

```
alert tcp any any -> any any (msg:"Malformed_UA"; content:"User-Agent: Mozillar/"; depth:500; sid:99999999;)
```

YARA rule:

```
rule Malformed_UA
{
    meta:
        description = "Malformed User Agent"
    strings:
        $s = "Mozillar/"
    condition:
        (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $s
}
```
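To make the two rules concrete, here is an added Python re-implementation of their logic (not part of the alert; in production you would load the rules into Snort and yara-python rather than reimplement them). It applies the YARA condition to a byte blob, checking the little-endian "MZ" signature at offset 0, following the e_lfanew field at 0x3c to the "PE" signature, and then searching for the "Mozillar/" string, and applies the Snort content check to the first 500 bytes of a TCP payload, as the depth modifier constrains it. The PE-shaped blob and the HTTP requests are constructed for the example and are not Volgmer samples.

```python
import struct


def looks_like_pe(data: bytes) -> bool:
    """YARA condition: uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550.
    YARA's uintN() reads little-endian, so struct uses '<'."""
    if len(data) < 0x40:
        return False
    if struct.unpack_from("<H", data, 0)[0] != 0x5A4D:   # 'MZ'
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 2 > len(data):
        return False
    return struct.unpack_from("<H", data, e_lfanew)[0] == 0x4550  # 'PE'


def yara_malformed_ua(data: bytes) -> bool:
    """Host-based rule: a PE image that carries the string 'Mozillar/'."""
    return looks_like_pe(data) and b"Mozillar/" in data


def snort_malformed_ua(payload: bytes, depth: int = 500) -> bool:
    """Network rule: the content must occur within the first `depth` bytes."""
    return b"User-Agent: Mozillar/" in payload[:depth]


def build_sample_pe(tail: bytes) -> bytes:
    """Constructed minimal PE-shaped blob: 'MZ', e_lfanew -> 0x80, 'PE\\0\\0', tail."""
    blob = bytearray(b"MZ" + b"\x00" * 0x3A)       # 0x3C bytes of DOS header
    blob += struct.pack("<I", 0x80)                 # e_lfanew at offset 0x3C
    blob += b"\x00" * (0x80 - len(blob))            # pad up to the PE signature
    blob += b"PE\x00\x00" + tail
    return bytes(blob)


SAMPLE_PE_HIT = build_sample_pe(b"\x00" * 16 + b"Mozillar/5.0\x00")
SAMPLE_PE_CLEAN = build_sample_pe(b"\x00" * 16 + b"Mozilla/5.0\x00")

# Constructed HTTP requests: the first carries the malformed User-Agent.
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozillar/5.0\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]


def scan_requests(requests):
    """Indexes of requests the Snort rule would alert on."""
    return [i for i, r in enumerate(requests) if snort_malformed_ua(r)]


if __name__ == "__main__":
    print("PE sample hit:  ", yara_malformed_ua(SAMPLE_PE_HIT))
    print("PE sample clean:", yara_malformed_ua(SAMPLE_PE_CLEAN))
    print("requests flagged:", scan_requests(SAMPLE_REQUESTS))
```

Note that the YARA rule fires only on PE files (32-bit or 64-bit alike), while the Snort rule inspects any TCP payload regardless of port, which matters because the alert says beacons were seen on 8080 and 8088 rather than the usual HTTP port.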
A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
* temporary or permanent loss of sensitive or proprietary information,
* disruption to regular operations,
* financial losses incurred to restore systems and files, and
* potential harm to an organization’s reputation.
DHS recommends that users and administrators use the following best practices as preventive measures to protect their computer networks:
* Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
* Keep operating systems and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Patching with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
* Maintain up-to-date antivirus software, and scan all software downloaded from the Internet before executing.
* Restrict users’ abilities (permissions) to install and run unwanted software applications, and apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
* Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources. For information on safely handling email attachments, see Recognizing and Avoiding Email Scams.
* Follow safe practices when browsing the web. See Good Security Habits and Safeguarding Your Data for additional details.
* Do not follow unsolicited web links in emails. See Avoiding Social Engineering and Phishing Attacks for more information.
Response to Unauthorized Network Access
Contact DHS or your local FBI office immediately. To report an intrusion and request resources for incident response or technical assistance, contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).
The Active Cyber Defense Certainty Act (ACDC) amends the Computer Fraud and Abuse Act to make limited retaliatory strikes against cyber-miscreants legal in America for the first time. The bill would allow hacked organizations to venture outside their networks to identify an intruder and infiltrate their systems, destroy any data that had been stolen, and deploy “beaconing technology” to trace the physical location of the attacker.
A BILL To amend title 18, United States Code, to provide a defense to prosecution for fraud and related activity in connection with computers for persons defending against unauthorized intrusions into their computers, and for other purposes. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ‘‘Active Cyber Defense Certainty Act’’.
Congress holds that active cyber defense techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber activity.
This new webinar focused on organizational best practices to mitigate risk.
There’s only one day left to register for our new TridiumTalk webinar focused on cybersecurity. Join us September 19 at 11:00 a.m. Eastern U.S. to learn how to develop a strategy to defend against cyber threats.
Tridium chief architect Kevin T. Smith, author of our new white paper Cybersecurity and the IoT—Threats, Best Practices and Lessons Learned, will be leading the TridiumTalk. Recognized industry expert James Johnson will be moderating and taking questions.
With the game-changing IoT, cybersecurity should be a concern for everyone.
Adding network connectivity to any “thing” adds tremendous value, but also brings potential risks to an organization.
Click here to download our new white paper. Kevin and James will cover this material and provide additional insight during the TridiumTalk.
We look forward to you joining us on September 19.
Though each of us, in our own way and at our own speed, has willingly or unwillingly become more acclimated to and accepting of the rapid proliferation of IoT devices connecting us to the databases in the clouds, it is still a challenge to fully comprehend the impact this hatching reality will have on our personal lives and professional careers — and we probably should know a lot more. Among the many sources of valuable insight and guidance available to the ControlTrends Community, NIST’s Cybersecurity for the Internet of Things is certainly one of the best. And for those of you already on top of this challenge, NIST wants to hear from you! The Cybersecurity for IoT program is looking for feedback and potential collaborators.
Summary: NIST’s Cybersecurity for the Internet of Things (IoT) program supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. By collaborating with stakeholders across government, industry, international bodies, and academia, the program aims to cultivate trust and promote U.S. leadership in IoT.
IoT on the Rise: The rapid proliferation of internet-connected devices and rise of the IoT come with great anticipation. These newly connected devices bring the promise of enhanced business efficiencies and increased customer satisfaction. IoT devices could include wearable fitness trackers, “smart” televisions, wireless infusion pumps, and cars—among many others. Internet-connected devices generally sense, collect, process, and transmit a wide array of data, ranging from consumer personally identifiable information to proprietary company data to infrastructure data used to make critical real-time decisions or to effect a change in the physical world.
Just as there are a variety of new uses, the IoT ecosystem’s nature brings new security considerations. These considerations include—but are not limited to—constrained power and processing; the ability to manage, update, and patch devices at scale; and a diverse set of new applications across consumer and industrial sectors.
Source: Gartner Says 6.4 Billion Connected “Things” Will Be in Use in 2016, Up 30 Percent From 2015.
PC WORLD FROM IDG. Credit: Mark Hachman
This was twittered to us via cyber security guru, Fred Gordy, and was too interesting and too important not to pass on to the ControlTrends Community, especially those with smart thermostats.
What happens if a bad actor turns off your heat in the middle of winter, then demands $1,000 to turn it back on? Or even holds a small city’s power for ransom? Those kinds of attacks to personal, corporate, and infrastructure technology were among the top concerns for security experts from the SANS Institute, who spoke Wednesday during the RSA conference in San Francisco.
Some of these threats target consumers directly, but even the ones that target corporations could eventually “filter down” to consumers, though the effects might not be felt for some time.
Here are the seven most dangerous attack vectors, according to SANS, and what, if anything, you can do about them:
1. Ransomware: Ransomware surfaced more than 20 years ago, but it has since evolved into a seriously scary form of malware: crypto-ransomware, which encrypts your files and demands payment to unlock them. It’s an ideal way for bad guys to attack: Ransomware spreads like a virus, locks up your data independently, and forces you to contact the criminals for payment and recovery, according to Ed Skoudis, an instructor at the SANS Institute.
What you can do: Practice “network hygiene:” patching your system, using antimalware, and setting permissions and network-access controls to limit exposure—once a PC is infected, you don’t want the infection spreading to other PCs on the network. Remember that ransomware is being monitored by actual people, with whom you can negotiate: “Your best bet is to appear small and poor,” Skoudis said, to try to reduce the amount you’ll pay.
2. The Internet of Things. The next stage of the evolution in consumer products is connectedness: Everything from baby cameras to toothbrushes are using wireless protocols to connect to each other and the internet. That, in turn, has left them vulnerable to hacks. Worse still, IoT devices are now attack platforms, as the Mirai worm demonstrated.
What you can do: Change the default passwords. If your smart-home gadget doesn’t allow it, either return it or wait (or petition the manufacturer) for firmware that allows a custom password. You can also take further steps to insulate connected devices by disabling remote access, using a separate dedicated home LAN for IoT devices, as well as a dedicated cloud account for controlling them, Skoudis said.
3. The intersection of ransomware and IoT. Last year, an Austrian hotel was hacked, disrupting its keycard system. Such attacks could eventually migrate to your home, holding your smart thermostat hostage (and set at 40 degrees, say) until you pay up.
What you can do: Right now, this sort of attack is more theoretical than anything else. But it’s something to think about as you start building out your home: How much automation is too much? “You have to ask yourself, what is the right balance between man and machine?” said Michael Assante, director of industrials and infrastructure for SANS.
4. Attacks against the industrial Internet of Things. In 2015 and again in 2016, unknown hackers took down power stations in the Ukraine, leveraging the growing trend of automated, distributed systems against the power company. Fortunately, first responders were quickly able to manually flip the breakers and restore power. But there’s no guarantee that will always be the case—and what happens if Pacific Gas & Electric or Con Edison’s infrastructure is hacked?
What you can do: As consumers, not much. Infrastructure organizations are going to have to decide whether to operate with intelligent systems, or shut them down. Scaling up with increased automation can help lower your power costs—but the penalty may be increased vulnerability to outside attacks, Assante warned.
5. Weak random number generators. Truly random numbers are the basis of good encryption, securing Wi-Fi and a broad range of security algorithms, according to Johannes Ullrich, the director of the SANS Internet Storm Center. But “random” number generators aren’t truly random, which makes the encryption they’re based upon easier to crack. This gives an edge to criminals, who may exploit this and unlock “secure” encrypted connections.
What you can do: This is a problem for device manufacturers to solve. Just keep in mind that your “secure” network may in fact be weaker than you think.
6. An over-reliance on web services. More and more, apps and software are talking to and incorporating third-party services, such as Docker or Azure. But there’s no real certainty that those apps are connecting to the expected entity, or whether an attacker is stepping in, stealing data, and returning false information.
What you can do: Again, this is a problem for developers. But Ullrich warned that mobile apps are becoming increasingly vulnerable—so even if an app isn’t trying to steal your data, the “service” that it thinks it’s connecting to may be.
7. SoQL Attacks against NoSQL databases. This is another developer problem, but it could affect data collected about you. For years, SQL injections, where executable code was forced inside of a SQL database entry field, were one of the scourges of the internet. Now, as developers move away from SQL to NoSQL databases like MongoDB, they’re finding that those databases aren’t as secure as they should be.
Check out what our friend and Smart Buildings Controls Expert, “Fearless Phil Zito”, had to say about his new book and the current state of Building Automation Controls and how hackers are getting into your building automation controls system and what you can do to stop them.
There are free tools readily available to anyone that can not only scan BACnet networks but also give the user the ability to make changes to individual control points, set schedules, review logs, view and acknowledge alarms, and turn your BACnet devices into “bricks”.
What Can The Tool Do?
The first thing I found was the ease of use of this program. In order to scan the network, all I needed was one BBMD. First, use an IoT search engine to find a publicly exposed BBMD (there are literally thousands of exposed BBMDs worldwide). The image below shows the results of taking one of these IPs and entering it into the tool. As you can see, the scan revealed even more IPs that are not listed on the IoT search engine. In addition to finding other BACnet IP devices, it discovered MS/TP (serial communicating) BACnet devices as well. There can be hundreds of devices attached to the system and thousands of points underneath the devices that can be controlled with this tool.
All the devices and points can be accessed without using a user/password.
By clicking on a device in the top left window (image below), the device’s associated points are displayed in the bottom left window. These points can be dragged into the middle window, where their value and status are displayed along with device ID, object ID, name, and update time.
Clicking on a point in the bottom left window will display its properties in the window on the far right.
You have full control of the properties to be able to write to it.
The point property window allows for editing of the point parameters. In the image below the call-outs show what is editable (in black) and parameters that could take the point offline (in red). Depending on the point type, command and control of these points/devices could lock operators out, change VFD speeds to an unsafe level, modify setpoints, etc.
There are many more things that this program can do, and below are a couple of examples.
Edit Notification Settings
View Trend Logs
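The write-up above hinges on one detail: the scanning tool only needs a reachable BBMD, because BACnet/IP lets any host register with a BBMD as a foreign device and then receive and send traffic for the whole network. The following script is an added example of the detection side (not the tool described above, and not a vendor product): it parses the BVLC header that starts every BACnet/IP datagram on UDP 47808 and flags BBMD management functions (Register-Foreign-Device, Write-BDT, Delete-FDT-Entry, Distribute-Broadcast-To-Network) from sources outside an allow list. The function codes are from the BACnet/IP (Annex J) standard; the allow list, the source addresses and the datagrams are constructed for the example.

```python
import struct

BVLC_TYPE = 0x81  # first byte of every BACnet/IP datagram

# BVLC function codes defined by BACnet/IP (Annex J).
BVLC_FUNCTIONS = {
    0x00: "BVLC-Result",
    0x01: "Write-Broadcast-Distribution-Table",
    0x02: "Read-Broadcast-Distribution-Table",
    0x03: "Read-Broadcast-Distribution-Table-Ack",
    0x04: "Forwarded-NPDU",
    0x05: "Register-Foreign-Device",
    0x06: "Read-Foreign-Device-Table",
    0x07: "Read-Foreign-Device-Table-Ack",
    0x08: "Delete-Foreign-Device-Table-Entry",
    0x09: "Distribute-Broadcast-To-Network",
    0x0A: "Original-Unicast-NPDU",
    0x0B: "Original-Broadcast-NPDU",
}

# Functions that enrol a remote host with, or reconfigure, a BBMD.
BBMD_MANAGEMENT = {0x01, 0x05, 0x08, 0x09}


def parse_bvlc(datagram: bytes):
    """Return (function_code, name, declared_length), or None if the bytes are
    not a well-formed BACnet/IP datagram (wrong type byte or length mismatch)."""
    if len(datagram) < 4 or datagram[0] != BVLC_TYPE:
        return None
    func = datagram[1]
    length = struct.unpack_from(">H", datagram, 2)[0]  # BVLC length is big-endian
    if length != len(datagram):
        return None
    return func, BVLC_FUNCTIONS.get(func, "unknown"), length


def classify_datagram(src_ip: str, datagram: bytes, allowed_bbmd_peers) -> str:
    """'alert: ...' for BBMD management traffic from a non-allow-listed source,
    'ok' for anything else that parses, 'ignore' for non-BACnet/IP bytes."""
    parsed = parse_bvlc(datagram)
    if parsed is None:
        return "ignore"
    func, name, _ = parsed
    if func in BBMD_MANAGEMENT and src_ip not in allowed_bbmd_peers:
        return f"alert: {name} from {src_ip}"
    return "ok"


def scan(samples, allowed_bbmd_peers):
    """Alerts raised over a sequence of (source IP, datagram) pairs."""
    return [classify_datagram(ip, d, allowed_bbmd_peers) for ip, d in samples
            if classify_datagram(ip, d, allowed_bbmd_peers).startswith("alert")]


# Constructed traffic: the only peer allowed to manage our BBMD is 192.0.2.10.
ALLOWED_PEERS = {"192.0.2.10"}
SAMPLE_TRAFFIC = [
    ("198.51.100.7", bytes.fromhex("81050006003c")),  # Register-Foreign-Device, TTL 60 s
    ("192.0.2.10", bytes.fromhex("81050006003c")),    # same, from the allow-listed peer
    ("198.51.100.7", bytes.fromhex("810a000c0120ffff00ff1008")),  # unicast NPDU carrying Who-Is
    ("198.51.100.7", bytes.fromhex("00010203")),      # not BACnet/IP at all
]

if __name__ == "__main__":
    for line in scan(SAMPLE_TRAFFIC, ALLOWED_PEERS):
        print(line)
```

Run against a capture of the BBMD's UDP 47808 traffic, the alert lines identify hosts that tried to enrol with or reconfigure the BBMD from outside the expected peer set. The check is a compensating control only: the finding in the write-up is that the BBMD should not be reachable from the Internet in the first place, and if it is, no amount of monitoring substitutes for moving it behind the perimeter.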
6 million commercial buildings in the US are believed to be secure. Every single one has exposed building controllers, security cameras and access control systems that an entry level hacker can hack into. Join Fred Gordy, Director of Cyber Security at Intelligent Buildings, and Ping Yao, CEO of Optigo Networks as they discuss the incredible vulnerabilities in our buildings’ systems, and what to do about it. If you are responsible for operational systems using open protocols such as BACnet & ONVIF, you won’t want to miss this webinar. We will discuss how easy it is to hack into many of the building systems, and more importantly, what are some of the basic steps that can and should be used to protect them.
Webinar Details: Date: Thursday September 15th Time: 11AM PDT | 2PM EDT