Category Archives: New Technology

Why is the industry so vulnerable to WannaCry and NotPetya style attacks? Part I

9 July 2017

“Germany’s BSI federal cyber agency said on Friday that the threat posed to German firms by recent cyber attacks launched via a Ukrainian auditing software was greater than expected, and some German firms had seen production halted for over a week.” The report “Germany says cyber threat greater than expected, more firms affected” published in the Reuters Technology News on 7 July 2017 is worth reading.

But the big question is: Why is the industry so vulnerable to WannaCry and NotPetya style attacks?

In my opinion, the main reasons for this are

  • the aging IT infrastructure, and
  • the built-in features of the Windows operating system.

Aging IT infrastructure

SMB Version   Introduced with               Year of Release
V1.0          Windows 2000                  2000
              Windows XP / 2003 Server      2001 / 2003
V2.0          Windows Vista / 2008 Server   2007 / 2008
              Windows 7 / 2008 Server R2    2009
V3.0          Windows 8 / 2012 Server       2012
              Windows 10 / 2016 Server      2015 / 2016

Table 1: SMB Versions

The source of today’s problems, SMB V1.0, was introduced with Windows 2000. With the end of the extended support for Windows XP on 8 April 2014, and Windows 2003 Server on 14 July 2015, Windows XP/2003 Server became a big security issue.

Nevertheless, systems with XP or Windows 2003 Server are still operated in data centers and industrial networks. Since these systems must exchange data with other Windows-based systems, SMB V1.0 cannot simply be switched off. Even Windows systems which support SMB V2.0 or higher must allow SMB V1.0 for data exchange with the older versions.

The big question is: Why does it take so long to shut down Windows XP/2003 Server? The answer is simple: software and hardware manufacturers have not sufficiently cared about the software life cycle, at least in the past. Let me illustrate this with an example.

A packaging unit in the healthcare industry is a large machine with many built-in computers. Since packaging units are very expensive, they are operated for many years and extensively modified to support new products. As a result, a packaging unit delivered in 2008 with embedded Windows XP control units may still be in use 24 hours a day in 2017.

The hardware of these computers is designed to control a high-speed packaging process. To ensure sustained high operational quality, the manufacturer often allows neither the installation of anti-malware software nor service packs for the OS, let alone an upgrade to a newer version of Windows.

Since the MES (Manufacturing Execution System) copies files to and from the packaging unit through file shares on the embedded Windows XP control stations, the MES must communicate via the SMB V1.0 protocol. The same is true for the computers used for remote maintenance. As a result, a single Windows XP machine reduces the security level of an entire network.
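The dependency described above can be measured rather than guessed at. The following script is an added example, not code from the post or from Microsoft: it inventories which clients of a Windows file server still negotiate an SMB 1.x dialect and switches on SMB1 access auditing, so that the decision to disable SMB1 rests on real production traffic. It assumes Windows Server 2012 R2 or later with the SmbShare module (the auditing switch needs Server 2016 or later), an elevated session, and that it runs on the file server the MES and the control stations talk to.

```powershell
# Find out who still needs SMB1 before deciding whether it can be switched off.
# Added example; assumes Windows Server 2012 R2+ with the SmbShare module and an
# elevated PowerShell session on the file server itself.

# 1. Current state of SMB1 on this server
$cfg = Get-SmbServerConfiguration
"SMB1 enabled on this server: $($cfg.EnableSMB1Protocol)"

# 2. Snapshot: which connected clients negotiated an SMB 1.x dialect?
#    These are the XP / 2003 / embedded control stations that would lose their
#    file shares the moment SMB1 is disabled.
$legacy = Get-SmbSession |
    Where-Object { $_.Dialect -like '1.*' } |
    Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens
if ($legacy) { $legacy | Format-Table -AutoSize } else { 'No SMB1 sessions at this moment.' }

# 3. A snapshot misses clients that connect once per shift. On Server 2016 or later,
#    switch on SMB1 access auditing: every SMB1 connection is then written to the
#    Microsoft-Windows-SMBServer/Audit log as event 3000. Let it run over a full
#    production cycle before drawing conclusions.
if ((Get-Command Set-SmbServerConfiguration).Parameters.ContainsKey('AuditSmb1Access')) {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
} else {
    'SMB1 access auditing is not available on this Windows version; rely on repeated snapshots.'
}

# 4. Summarise the audit log: one line per distinct event text, most frequent first.
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 3000 } |
    Group-Object -Property Message |
    Sort-Object -Property Count -Descending |
    Select-Object -First 20 -Property Count, Name

# 5. Only when the list stays empty (or every remaining SMB1 client has been moved
#    behind its own firewall rules) remove SMB1 from the server. Both lines are
#    deliberately left commented so the script is safe to run as a pure audit:
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Remove-WindowsFeature FS-SMB1      # Windows Server; on Windows 10 use
#                                    # Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
```

The point of steps 2 to 4 is that the answer to "can we switch SMB1 off?" becomes a list of named machines. Each entry on that list is either a candidate for replacement or, as the post describes for the packaging unit, a system that must stay and therefore deserves its own network segment and firewall rules, instead of lowering the security level of the whole network.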

The big challenge is to design maintenance-friendly industrial computer systems: it must be easy to exchange hardware and software components that are near end-of-life or have reached their technical limits. This requires a change in the way industrial software is designed. In addition, hardware should be dimensioned such that basic security features like anti-malware protection can be operated.

In the past, manufacturers were often not aware of the software lifecycle and its impact on the cyber security and integrity of product and production. A change is desperately needed, in particular with regard to the increased use of IIoT devices.

Have a great week.


IIoT is killing ISA 95!?

12 February 2017

At the end of his great post ‘IIoT is killing ISA 95 !! …a.k.a. the operators that talked to the CEO’, Antonio Buendia, Head of Manufacturing Process Control at Novartis, asks 3 questions:

“What do you think?

(1) Do you think that ISA 95 is dead, and we are going to have a series of devices each of them talking to each other? And those devices will be able to digest and process the information by themselves?

(2) Do you think that the IIoT will bring enhanced communication capabilities, but we still need to establish a hierarchy, a set of common rules for orchestration, but a new model has to be created?

(3) Or do you think that ISA 95, with some minor tweaks, is still the model of reference for the IIoT?”
There is no simple answer to these questions. In my opinion the answer depends strongly on the problems one wants to solve with IIoT devices.

Even in the age of the IIoT, ISA 95 will still be a reference model in production. Let me be quite clear: for the mere execution of a manufacturing order, the ISA 95 model will fit more or less well even in the age of the IIoT.

For other production-related issues the ISA model may possibly not fit. Let me make this clear with an example:

For the execution of a huge production order it would be helpful to know in advance the likelihood of equipment breakdowns during the execution time. IIoT devices like smart pumps or smart valves are able to gather operational data. This data can be used to predict the remaining run time of the devices. If the remaining run times of all devices are known, it is easy to predict whether a production order can be executed without major delays.

This is one possible added value we can create from IIoT devices. Currently only a few manufacturers collect this data. The Industrie 4.0 concept goes far beyond the local collection and analysis of operational data. If the data is sent to the equipment manufacturer for further analysis, more value can be created from it, because the device vendor can correlate it with the data from thousands of similar devices. With this, remaining run times can be estimated more accurately.

From my point of view, it is not necessary that an individual device contacts the vendor’s database to get details about its remaining run time. It is enough if the device management system does this job. I don’t think the ERP system needs to be involved in this communication, at least during the analysis phase.

With this, my answer is: ISA 95 is still a reference model for manufacturing in the age of the IIoT. But we have to develop other models or extend the ISA 95 model if we are going to turn the capabilities of the IIoT into EBIT.

Have a good week.

Unsecured IIoT devices in untrusted networks

28 January 2017

I am currently reviewing a draft of the German Federal Office for Information Security (BSI) on Operational and Control Technology. The goal of the paper is to define suitable requirements for IT security in OT.

IIoT devices, e.g. modern sensors like the Schneider Electric PowerLogic ION7650 power meter, offer many communication options, including an optional Ethernet port:

Schneider Electric PowerLogic ION7650 communication options

With the Ethernet port activated, the power meter behaves like a standard web server and provides standard internet services for access, e.g. FTP via port 21 and HTTP via ports 80, 81 and 443.

The BSI paper introduces the concept of ‘required connections’ to communication partners outside the production network. This concept is based on the idea that production networks are isolated from a company’s office network as well as from the internet by security devices. The number of required connections, e.g. a connection from the ERP system to the Manufacturing Execution System (MES), should be kept as low as possible. In addition, required connections and the related communication endpoints must be specially protected to prevent misuse.

Many of the PowerLogic ION7650 power meters are not operated in a production network. They are directly attached to the internet through an internet router, and thus directly attackable by every internet user.

With this, each power meter forms its own production network, and every connection becomes a required connection. The major difference to a classic production network is that the power meter falls far short of the protection capabilities a classic production network provides.

Thus, special attention has to be paid to the secure configuration of the devices and the attached internet routers during commissioning. Unfortunately, neither the service personnel setting up the devices nor the operators seem to be aware of the dangers resulting from these limited protection options, because lots of unsecured devices are directly attached to the internet.

It is not very likely that a single compromised power meter has an impact on the national power grid. But if an attacker is able to compromise hundreds or thousands of devices …

The BSI paper provides a comprehensive set of technical and organizational measures to OT organizations to deal effectively with IT security issues in production environments.

Nevertheless, I recommend that operators review the configuration of their devices and secure them. Besides financial loss due to malfunctions, unsecured devices can be hijacked and included in botnets.

Have a good weekend.

O2 not hacked – O2 customers victims of cybercrime

6 August 2016

On 26 July, The Register reported that “Hackers have gained access to customer data on UK telco O2 – and put it up for sale on the dark web.” The BBC Victoria Derbyshire Programme and Graham Cluley brought similar reports.

All reports made clear that O2 has not been hacked. The BBC reports that “The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago to log onto O2 accounts. When the login details matched, the hackers could access O2 customer data in a process known as ‘credential stuffing’.”

Poor user habits, like the recycling of usernames and passwords, are indeed a major problem. But in my opinion many service providers are at least co-responsible because they do not sufficiently protect their customers’ account details.

Many service providers still have not enforced Two-Factor Authentication (TFA), although this technology is easy to implement and to use, in particular for high-tech businesses like O2. Even if account details are stolen, the likelihood of cyber-crime is dramatically reduced because the cyber-criminals have no access to the second factor.
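The credential stuffing described in the BBC quote has a recognisable shape in a login log: one source tries many different usernames with one or two attempts each, so per-account lockout never fires and only the per-source view reveals it. The script below is an added illustration, not code from O2, the BBC or the post; it runs that heuristic over a constructed log excerpt (addresses, user names and the line format are made up, and the two thresholds are assumptions to tune against real traffic).

```powershell
# Heuristic detection of credential stuffing in a web-login log.
# Added example; the log lines, addresses and user names below are constructed.
# Brute force: one user, many passwords. Credential stuffing: many users, one or two
# passwords each (the pairs leaked from another site), so the per-user failure count
# stays below any lockout threshold.

$sampleLog = @'
2016-07-20T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2016-07-20T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2016-07-20T10:00:02Z ip=203.0.113.5 user=carol result=OK
2016-07-20T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2016-07-20T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2016-07-20T10:00:04Z ip=203.0.113.5 user=frank result=OK
2016-07-20T10:00:05Z ip=203.0.113.5 user=grace result=FAIL
2016-07-20T10:00:06Z ip=203.0.113.5 user=heidi result=FAIL
2016-07-20T10:01:10Z ip=198.51.100.7 user=ivan result=FAIL
2016-07-20T10:01:15Z ip=198.51.100.7 user=ivan result=FAIL
2016-07-20T10:01:20Z ip=198.51.100.7 user=ivan result=OK
2016-07-20T10:02:00Z ip=192.0.2.9 user=judy result=OK
'@
# In the constructed data, 203.0.113.5 tries eight different users once each,
# 198.51.100.7 hammers a single account, and 192.0.2.9 is an ordinary login.

function Find-CredentialStuffing {
    param(
        [string[]] $Lines,
        [int]    $MinDistinctUsers   = 5,    # assumption: tune to the service's normal traffic
        [double] $MaxAttemptsPerUser = 2.0   # assumption: stuffing tries each pair once or twice
    )
    # Parse each line into an object; lines that do not match the format are ignored.
    $events = foreach ($line in $Lines) {
        if ($line -match 'ip=(?<ip>\S+)\s+user=(?<user>\S+)\s+result=(?<result>\S+)') {
            [pscustomobject]@{ Ip = $Matches.ip; User = $Matches.user; Result = $Matches.result }
        }
    }
    # Aggregate per source address and apply the many-users / few-attempts-per-user rule.
    $events | Group-Object -Property Ip | ForEach-Object {
        $group     = $_
        $attempts  = $group.Count
        $users     = @($group.Group.User | Sort-Object -Unique).Count
        $takenOver = @($group.Group | Where-Object { $_.Result -eq 'OK' } |
                       ForEach-Object User | Sort-Object -Unique)
        if ($users -ge $MinDistinctUsers -and ($attempts / $users) -le $MaxAttemptsPerUser) {
            [pscustomobject]@{
                Ip            = $group.Name
                Attempts      = $attempts
                DistinctUsers = $users
                # Every success from a stuffing source is a probable account takeover:
                # these accounts need a forced password reset and, ideally, a second factor.
                AccountsToProtect = $takenOver
            }
        }
    }
}

Find-CredentialStuffing -Lines ($sampleLog -split '\r?\n') | Format-List
```

The AccountsToProtect list is where the post's argument lands: each entry is a customer whose reused password worked, and a second factor would have turned that success into a failed login. Per-account lockout does nothing against this pattern, which is why the detection groups by source rather than by user.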

From my point of view it is time that the regulatory authorities finally do their job and protect citizens and businesses from cyber-crime. We need a European regulation which makes the use of TFA compulsory for all service providers. Unfortunately, this will not have any impact on the O2 customers because of Brexit …

Have a good weekend.

AppGuard is an important part of a comprehensive security stack

16 July 2016

In the past weeks I have tried hard to get an idea of the capabilities of Blue Ridge Networks AppGuard. To be honest, I would not want to be without AppGuard anymore. AppGuard creates the really good feeling that, under certain conditions, many cyber-attacks are simply rendered ineffective.

AppGuard is a perfect means against all kinds of Trojans and downloaders, in particular zero-days. Characteristic of this kind of malware is that it directly drops a malicious program, or downloads one from the attacker’s server, and executes it afterwards. This includes e.g. most of the known ransomware.

The User Space and MemoryGuard concepts block this kind of malware out-of-the-box, provided that the User Space concept is not undermined by a user who permanently works with high privileges. In fact, if the user works with privileges which allow the Trojan program to store files outside the User Space, the concept no longer works.

It is strongly recommended to work with the least possible privileges under normal conditions. For the cases where higher privileges are required, set up an extra account with the required privileges and supply the credentials of this account when UAC requests higher privileges.

More advanced malware may try to use the Windows auto-elevation feature to acquire higher privileges and to compromise AppGuard. To protect against auto-elevation attacks, just set UAC to ‘Always notify me’.

This works even on a gaming computer, where e.g. WoW and TeamSpeak are heavily used. Why shouldn’t it work on a standard system?

In addition, it is strongly recommended to disable macro execution in all kinds of office software, e.g. Microsoft Office, OpenOffice or LibreOffice.
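The three recommendations of the last paragraphs (a standard-user account for daily work, UAC at ‘Always notify me’, and macro execution disabled) can be verified on a machine with the following script. It is an added example, not code from the post or from Blue Ridge Networks; the registry locations are the documented ones for UAC and for the Office Trust Center, while the Office version numbers 16.0 and 15.0 are an assumption to adapt to the installation at hand.

```powershell
# Baseline check for: standard user, UAC 'Always notify me', Office macros disabled.
# Added example (not from the post or Blue Ridge Networks). Office versions are an assumption.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Least privilege: is the current account a member of local Administrators (S-1-5-32-544)?
#    whoami /groups lists the SID even when UAC has filtered the admin token for this session.
if (whoami /groups | Select-String -SimpleMatch 'S-1-5-32-544') {
    $findings.Add('Account is a member of Administrators; daily work should use a standard user account.')
}

# 2. UAC 'Always notify me' corresponds to EnableLUA=1, ConsentPromptBehaviorAdmin=2,
#    PromptOnSecureDesktop=1. Other ConsentPromptBehaviorAdmin values let trusted binaries
#    auto-elevate without a prompt, which is the behaviour the post warns about.
$uac      = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$expected = @{ EnableLUA = 1; ConsentPromptBehaviorAdmin = 2; PromptOnSecureDesktop = 1 }
foreach ($name in $expected.Keys) {
    if ($uac.$name -ne $expected[$name]) {
        $findings.Add("UAC: $name is '$($uac.$name)', expected $($expected[$name]) for 'Always notify me'.")
    }
}

# 3. Office macro setting (VBAWarnings): 1 = enable all, 2 = disable with notification,
#    3 = disable except digitally signed, 4 = disable without notification.
#    A value under the Policies hive overrides the user's own setting, so it is read first.
$officeVersions = '16.0', '15.0'            # assumption: Office 2016/365 and Office 2013
$apps           = 'Word', 'Excel', 'PowerPoint'
foreach ($v in $officeVersions) {
    foreach ($app in $apps) {
        $paths = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security",
                 "HKCU:\Software\Microsoft\Office\$v\$app\Security"
        $keyFound = $false
        $val      = $null
        foreach ($p in $paths) {
            if (Test-Path $p) {
                $keyFound = $true
                $val = (Get-ItemProperty -Path $p).VBAWarnings
                if ($null -ne $val) { break }
            }
        }
        if (-not $keyFound) { continue }     # this app/version is not installed
        if ($null -eq $val) {
            $findings.Add("$app ${v}: VBAWarnings not set; Office falls back to 'disable with notification'. Enforce it via policy.")
        } elseif ($val -eq 1) {
            $findings.Add("$app ${v}: all macros enabled (VBAWarnings=1).")
        } elseif ($val -eq 2) {
            $findings.Add("$app ${v}: macros disabled with notification; a user can still click 'Enable Content'. Consider VBAWarnings=4.")
        }
    }
}

if ($findings.Count -eq 0) { 'All three checks passed.' } else { $findings }

# Remediation for one app via the policy hive (run as the user, or deploy by Group Policy):
# $p = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security'
# New-Item -Path $p -Force | Out-Null
# Set-ItemProperty -Path $p -Name VBAWarnings -Value 4 -Type DWord
# Set-ItemProperty -Path $p -Name blockcontentexecutionfrominternet -Value 1 -Type DWord   # Office 2016+
```

Reading the policy hive before the user hive matters: Group Policy writes under Software\Policies, and a value there is what Office actually enforces, whatever the user has chosen in the Trust Center. Setting VBAWarnings to 4 removes the ‘Enable Content’ button altogether, which is the difference between the post’s "disable all macros with notification" and a setting a phished user cannot undo with one click.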

MemoryGuard protects against all kinds of zero-day drive-by downloads, PUPs (Potentially Unwanted Programs) and file-less malware.

My comprehensive security stack

AppGuard does not protect against any kind of password phishing attack. Although popular internet browsers block many malicious URLs through URL reputation, e.g. SmartScreen Filtering in Internet Explorer or Firefox, this will not protect in the case of zero-days.

To reduce the likelihood of credential theft, turn on Two-Factor Authentication (TFA) for as many of the internet services you use as possible. If TFA cannot be enabled, choose a strong password and take care, that is:

User awareness is the basic part of the entire security stack!

To put it succinctly: the proposed security stack will dramatically reduce the risk of cyber-attacks. Blue Ridge Networks AppGuard is an important component of this stack, in particular for the protection against all kinds of zero-days.

Have a good weekend.

AppGuard successfully protects against PowerShell based zero-day malware

9 July 2016

To get a feel for the impact AppGuard has on daily operations, I worked mainly on my test system in the past weeks. My test system is a six-year-old Dell Inspiron 1445 with 4 GB of RAM and a 240 GB SSD. The latest version of Windows 10 is deployed and all out-of-the-box Windows security options like Windows Defender and SmartScreen are activated.

I work with standard user rights; UAC is set to ‘Always notify me’. Macro protection for the office suite is set to ‘Disable all macros with notification’. AppGuard is installed on top of this security stack to protect from all kinds of zero-days.

The impact on my daily work is hardly noticeable. Standard malware is blocked either by Defender or by SmartScreen. Even downloading e.g. JavaScript-based malware from malwr.com for test purposes is a challenging task.

AppGuard does a really good job of blocking the execution of all kinds of zero-day malware from user space. But how well does AppGuard work in the case of somewhat more advanced malware?

I searched for a new PowerShell based malware on malwr.com and found Invoice_201604469.doc.

A check on VirusTotal showed that only 3 of 56 anti-malware products identified the file as malware:

Antivirus   Result                    Update
Fortinet    WM/Poseket.A!tr.dldr      20160706
Qihoo-360   heur.macro.powershell.a   20160706
Symantec    W97M.Downloader           20160706

As always, the AutoOpen macro is password protected. But LibreOffice overrides the password protection and reveals a masterpiece of code:

AutoOpen Macro with PowerShell code

I opened the document and followed the instructions to execute the AutoOpen macro.

Invoice_201604469.doc

The effect was enormous. AppGuard’s MemoryGuard blocked the execution of the PowerShell script and prevented the download of the payload 18293.exe:

Blocked Program Message 1

Blocked Program Message 2

Thus the command shell wasn’t able to start the payload, and Windows displayed the last error message:

Windows Error Message

MemoryGuard is a really charming concept, and available out-of-the-box after installation.
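The chain the screenshots show, Word launching PowerShell which in turn tries to fetch a payload, also leaves a trace in the Windows Security log that does not depend on any third-party product. The following PowerShell is an added detection example, not AppGuard’s or the post’s code: it assumes process creation auditing (event 4688) is enabled on Windows 10 or Server 2016 or later, where the event carries the parent process name, and command-line logging for the Command column; the file paths in the self-check are constructed.

```powershell
# Detect an Office application spawning a shell interpreter from process-creation audit
# events (Security log, event 4688). Added example, not code from the post or AppGuard.
# Needs 'Audit Process Creation' (plus 'Include command line in process creation events'
# for the Command column) and an elevated session to read the Security log.

$officeApps    = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe'
$shellChildren = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'

function Test-OfficeSpawnsShell {
    # Pure decision function, so the rule can be exercised without a log:
    # does this parent/child pair match the Office -> shell pattern?
    param([string] $ParentPath, [string] $ChildPath)
    if (-not $ParentPath -or -not $ChildPath) { return $false }
    $parent = [IO.Path]::GetFileName($ParentPath).ToLowerInvariant()
    $child  = [IO.Path]::GetFileName($ChildPath).ToLowerInvariant()
    return ($officeApps -contains $parent) -and ($shellChildren -contains $child)
}

function Get-OfficeShellSpawns {
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4688 carries its fields as <Data Name="..."> elements; flatten them into a hashtable
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if (Test-OfficeSpawnsShell -ParentPath $data['ParentProcessName'] -ChildPath $data['NewProcessName']) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = $data['SubjectUserName']
                    Parent  = $data['ParentProcessName']
                    Child   = $data['NewProcessName']
                    Command = $data['CommandLine']   # empty unless command-line auditing is on
                }
            }
        }
}

# Self-check with constructed paths: the Word -> PowerShell chain from the post, and an
# interactive PowerShell started from Explorer for comparison.
Test-OfficeSpawnsShell -ParentPath 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' `
                       -ChildPath  'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Test-OfficeSpawnsShell -ParentPath 'C:\Windows\explorer.exe' `
                       -ChildPath  'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

Get-OfficeShellSpawns | Format-Table -AutoSize
```

The detection is deliberately about the parent/child relationship rather than the payload name, because the downloader in the post would have been a different file on the next victim. Since Windows 10 version 1709 (after this post was written), the Windows Defender attack surface reduction rule "Block all Office applications from creating child processes" (rule id D4F940AB-401B-4EFC-AADC-AD5F3C50688A, enabled with Add-MpPreference -AttackSurfaceReductionRules_Ids and -AttackSurfaceReductionRules_Actions Enabled) prevents this chain natively, so the query above serves as a cross-check on machines where that rule cannot be enforced.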

This concludes my tests. The experiments of the past weeks show that User Space and MemoryGuard are useful security features. They complete the Windows built-in security features, and provide additional protection, in particular in the case of zero-day malware.

Have a good weekend.