Tag Archives: control

For Sale – Gaming pc

Sahara p35 case and 4 led fans and remote control, new from amazon
Amd Ryzen 3 1300x quad core processor
ASRock X370 Killer SLI motherboard
2 x Adata Gammix D10 8gb Ddr4 3000mhz, 16gb total @ 2667mhz
ASUS STRIX GTX 970 O.C.
Deepcool GAMER STORM LUCIFER V2 cpu cooler and 140mm fan
Kingston SSD A400 120 GB
EVGA 600 W1, 80+ WHITE 600W, Power Supply 100-W1-0600-K3 purchased 26 Apr 2018 remainder of 3 year warranty left
Windows 10 pro

I have never been able to run the memory at 3000mhz with this cpu, add my 3700x into the mix and the ram will clock to 3200mhz YMMV
Update to system forces sale, would like pick up and cash on collection after a demo.

Ryzen 7 1700 8 core available for an extra £50, will swap out the 1300x


Cradlepoint NetCloud update avoids unnecessary data usage

Cradlepoint has introduced technology that helps customers control costs by flagging unusual increases in data use across the wireless links managed by the vendor’s software-defined WAN.

The vendor unveiled this week the latest analytics in its cloud-based Cradlepoint NetCloud management platform. Cradlepoint is aiming the technology at retailers, government agencies and enterprises that have widely distributed operations. Those organizations typically have a WAN dependent on 4G and other wireless links.

The latest algorithms determine patterns of data usage based on historical data gathered over time across a company’s wireless links, the vendor said. Cradlepoint NetCloud will notify network managers when data usage deviates from past patterns.

The feature provides early notification of surges in usage that might be unrelated to normal business operations, such as video streaming by employees or misconfigured networking gear.

Cradlepoint pitches itself as particularly useful to retailers. The company claims that 75% of the top retailers globally use its technology. Customers include David’s Bridal, which sells wedding dresses through 330 stores in North America and the United Kingdom. Another sizable retail customer is the jewelry manufacturer Pandora, which distributes its products through stores in more than 100 countries.

Companies outside of retail also use Cradlepoint technology. DSC Dredge LLC uses Cradlepoint for managing 4G LTE, 4G and 3G connectivity across its fleet of dredging machines. The company supplies the equipment in more than 40 countries for use in constructing dams and improving waterway drainage and navigability.

DSC has equipped each of its dredges with a Cradlepoint router and oversees the technology through the NetCloud management software.

Cradlepoint sells subscription-based packages that converge multiple network services on a single edge router. The bundle, for example, could include a router with Ethernet ports, and support for Wi-Fi with a guest portal and LTE integration.

Cradlepoint sells subscriptions on a one-, three- or five-year basis.


CyberX launches partner program in IoT security market

CyberX, a Boston-based company that focuses on IoT and industrial control system cybersecurity, has unveiled a channel partner program.

The company’s Xcelerate program includes technical support, online training, deal registration, not-for-resale software, marketing development funds and a partner portal. The program’s scope encompasses managed service providers (MSPs), systems integrators, consulting firms, distributors, value-added resellers and technology alliance partners.

Service provider partners include Dimension Data, DXC Technology, NTT Security, Tata Consultancy Services and Wipro. Technology partners include IBM, ServiceNow and Splunk. CyberX also partners with industrial automation vendors such as Schneider Electric and Siemens.

CyberX provides a network security and monitoring system that covers IT and operational technology (OT) devices. The company has customers in the energy utilities, chemical and pharmaceutical markets. Vendors such as Cisco have advised channel partners to sell IoT services to OT and line-of-business executives, who direct much of the buying in that market.

The global IoT security market is forecast to grow from $18.82 billion in 2019 to $51.42 billion by 2024, according to BIS Research Inc., a market research company based in Fremont, Calif. The market will grow at a compound annual growth rate of 22.26% during that period, the company said.

The worldwide industrial control systems security market, meanwhile, is projected to grow at a 6.5% compound annual growth rate through 2023, when the market is expected to reach $18.05 billion, according to MarketsandMarkets.

Chart of IoT data breaches and cyberattacks.
IoT security is gaining visibility as threats against IoT devices and applications grow.

Berkshire bid boosts Tech Data deal to $6B

Berkshire Hathaway Inc. launched a competitive bid to acquire Tech Data Corp., compelling suitor Apollo Global Management to sweeten the deal.

Berkshire’s offer surfaced in a Tech Data filing with the Securities and Exchange Commission. When Apollo’s $130/share, $5.4 billion agreement to acquire Tech Data was revealed in November, the deal included a “go shop” provision that allowed the Clearwater, Fla., distributor to entertain alternative proposals until December 9. Hathaway presented a $140/share offer during that period. Apollo responded with a $145/share offer, which has cleared the path for the acquisition to proceed. Apollo’s new offer will boost the acquisition’s value to $6 billion.

Vendors launch cybersecurity integrations

Cybersecurity vendors this week revealed new integrations between their technology and MSP management tools. 

Bitdefender integrated its GravityZone MSP security suite with Datto’s remote monitoring and management (RMM) software. Bitdefender said the integration enables Datto RMM users to automate deployments of Bitdefender antivirus, antimalware and advanced endpoint layers via an OS-agnostic kit.

Meanwhile, Netsurion linked up its EventTracker security operations center service with IT Glue’s documentation platform. The combination lets Netsurion MSPs access reports designed to demonstrate security and compliance posture to clients, Netsurion said.

Barracuda Networks integrated two of its own products: Barracuda Content Shield and the Managed Workplace RMM platform. Barracuda’s RMM users can now tap Content Shield’s cloud-based web filtering and malware protection. 

Other news

  • Atos, an IT services and consulting firm based in Bezons, France, said it signed a distributor deal with Ingram Micro, headquartered in Irvine, Calif. Under the agreement, Atos will provide its cybersecurity offerings, including Atos Evidian identity and access management products, to Ingram Micro’s U.S. channel partners.
  • D&H Distributing, a distributor based in Harrisburg, Pa., has identified five main areas of opportunity for 2020: cloud, commercial audio/visual and collaboration, esports, infrastructure/security and build-to-order compute and storage offerings.
  • KORE, an IoT solutions provider based in Alpharetta, Ga., has acquired Integron, an IoT-oriented MSP. Integron has offices in Rochester, N.Y. and Ulestraten, Netherlands.
  • SolarWinds said its remote monitoring platforms now include cryptographic algorithms for managing Windows systems that meet Federal Information Processing Standard 140-2. SolarWinds RMM and SolarWinds N-central adhere to the federal encryption standard.
  • Veeam Software enhanced its Veeam Accredited Services Partner (VASP) program. New VASP benefits include access to additional dedicated internal resources at Veeam, the company said.
  • Nuspire, a managed security services provider, has hired Lewie Dunsworth as its CEO. Saylor Frase vacated the CEO slot to become chairman of the board. Dunsworth was previously CISO and executive vice president of global security services at Herjavec Group.
  • Managed services automation company BitTitan named James Clifford as its new EMEA sales director.

Market Share is a news roundup published every Friday.


Microsoft self-service policy for Office 365 raises concerns

Office 365 admins must sacrifice some degree of control as Microsoft allows end users to purchase certain capabilities themselves for Power Platform products.

Microsoft Power Platform includes Power BI, PowerApps and Microsoft Flow, which have business intelligence, low-code development and workflow capabilities, respectively. These applications are included in most Office 365 enterprise subscriptions. Previously, only administrators could purchase licensing for an organization.

On Oct. 23, Microsoft announced that it would roll out self-service purchasing to U.S. cloud customers starting Nov. 19.


Widespread adoption of the SaaS model has already caused significant communication gaps between IT and end users, said Reda Chouffani, vice president of development at Biz Technology Solutions, a consulting firm in Mooresville, N.C.

“Now introducing this and knowing that Microsoft has over 140 million business subscribers that are empowered to make purchasing decisions on certain apps within the suite … that will make it where more of these [communication issues] will occur, and IT is not going to take it lightly,” he said.

Users with non-guest user accounts in a managed Azure Active Directory tenant will be able to make purchases directly with a credit card, according to a recent Microsoft FAQ. IT administrators can turn off the self-service purchasing policy through PowerShell, however, according to an update this week from Microsoft. Microsoft also extended the rollout date to Jan. 14, 2020, to give admins more time to prepare for the change.

The decision to allow IT to disable the capability likely came about from customer pushback about security concerns, said Willem Bagchus, messaging and collaboration specialist at United Bank, based in Parkersburg, W.Va.

IT admins may still be deterred by the self-service purchasing capability, because some may not be aware they can turn it off via PowerShell, Bagchus said.

“For a small-business IT admin who does everything by themselves or depends on the web only for [PowerShell] functions, it’ll be a bit of a challenge,” he added.

Security, licensing and support concerns

Security remains a top concern for many Office 365 customers, said Doug Hemminger, director of Microsoft services at SPR, a technology consulting firm in Chicago. Midsize and large businesses will be scrambling to turn the self-service purchasing capability off, he said.

“A lot of companies are worried about the data access issues that those users may inadvertently expose their company to,” Hemminger said. “Monitoring is a key part of implementing a certain environment and making sure that governance is in place, so many companies that I work with don’t want to give their employees the ability to go out and buy their own licenses.”


Office 365 admins can apply data management and access policies to Microsoft self-service purchases, which may alleviate some security concerns. End users do not need administrator approval before purchasing an application with a credit card, however.

“Most users will not think twice before purchasing something if it’s going to help them, which means that security may not necessarily be top of mind,” Chouffani said. “That can make it very difficult, because now everybody can pick their product of choice without truly doing some sort of due diligence and evaluation.”

Others said Microsoft will handle security issues properly.

“Microsoft has proved to me that they’re very serious about security,” said Willem Bagchus, messaging and collaboration specialist at United Bank, based in Parkersburg, W.Va. “Anything that may happen from a security perspective, [Microsoft] will be on top of it right away.”

When it comes to licensing, organizations need to administer checks and balances, Chouffani said.

Self-service purchasers can access a limited view of the Microsoft 365 admin center and assign licenses to other end users, according to the Microsoft FAQ.


“Licensing is the least of our worries,” said Daniel Beato, director of technology at TNTMAX, an IT consultancy based in Wyckoff, N.J. “The user can do their own licensing; they will pay with their own credit card or even the company credit card.”

Employees will likely be held responsible for company purchases, however, when an organization reviews its finances, Beato said.

It is also unclear who is expected to provide end-user support when an application fails, Chouffani said.

Microsoft will provide standard support for self-service purchasers, according to the company.

A ‘smart decision for Microsoft’


Microsoft’s self-service policy is a smart one for the company, said Mark Bowker, a senior analyst at Enterprise Strategy Group in Milford, Mass.

“In the world we live in today, employees need access to applications to get their jobs done,” he said. “Today’s application environment is very, very dynamic.”

Unlike other Office 365 products, such as Word and Excel, Power Platform applications aren’t widely used, Bowker said. Instead, they are used mainly by niche employees such as corporate developers and data analytics professionals.

“I think overall this will be a good thing,” Bagchus said. “More users and more installations will improve a product.”

Communication is key

No matter their personal feelings on the Microsoft self-service policy, Office 365 admins should be prepared for the changes and adjust accordingly.

Admins should have a good relationship with their organization’s Microsoft sales representative and keep in regular contact with a point person for updates, Bagchus said.

“That way you won’t get blindsided,” he said. “You can evolve with it.”

IT should also collaborate with end users to understand the needs of the business and to be a part of the solution, Chouffani said.


Explore the Cubic congestion control provider for Windows

Administrators may not be familiar with the Cubic congestion control provider, but Microsoft’s move to make this the default setting in the Windows networking stack means IT will need to learn how it works and how to manage it.

When Microsoft released Windows Server version 1709 in its Semi-Annual Channel, the company introduced a number of features, such as support for data deduplication in the Resilient File System and support for virtual network encryption.

Microsoft also made the Cubic algorithm the default congestion control provider for that version of Windows Server. The most recent preview builds of Windows 10 and Windows Server 2019 (Long-Term Servicing Channel) also enable Cubic by default.

Microsoft added Cubic to Windows Server 2016, as well, but it calls this implementation an experimental feature. Due to this disclaimer, administrators should learn how to manage Cubic if unexpected behavior occurs.

Why Cubic matters in today’s data centers

Congestion control mechanisms improve performance by monitoring packet loss and latency and making adjustments accordingly. TCP/IP limits the size of the congestion window and then gradually increases the window size over time. This process stops when the maximum receive window size is reached or packet loss occurs. However, this method hasn’t aged well with the advent of high-bandwidth networks.

For the last several years, Windows has used Compound TCP as its standard congestion control provider. Compound TCP increases the size of the receive window and the volume of data sent.

Cubic, which has been the default congestion provider for Linux since 2006, is a protocol that improves traffic flow by keeping track of congestion events and dynamically adjusting the congestion window.

A Microsoft blog on the networking features in Windows Server 2019 said Cubic performs better over a high-speed, long-distance network because it accelerates to optimal speed more quickly than Compound TCP.
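The difference on long-distance links can be seen by modelling window recovery after a single loss. This is an added example, not code from Microsoft or the article: the window function and the constants C = 0.4 and beta = 0.7 are taken from RFC 8312, the baseline is a classic Reno-style additive increase rather than Compound TCP, and the 1,000-segment window is a constructed value.

```go
package main

import (
	"fmt"
	"math"
)

// Constants from RFC 8312 (not from the article).
const (
	cubicC    = 0.4 // scaling constant C
	cubicBeta = 0.7 // window is cut to beta*W_max on a loss event
)

// CubicK is the time in seconds CUBIC takes to return to wMax after a loss.
// It depends on wMax only, not on the round-trip time.
func CubicK(wMax float64) float64 {
	return math.Cbrt(wMax * (1 - cubicBeta) / cubicC)
}

// CubicWindow is W(t) = C*(t-K)^3 + W_max, in segments, t seconds after a loss.
func CubicWindow(wMax, t float64) float64 {
	d := t - CubicK(wMax)
	return cubicC*d*d*d + wMax
}

// RenoRecovery is the time a Reno-style sender needs to regain wMax: it halves
// the window on loss and then adds one segment per round trip.
func RenoRecovery(wMax, rtt float64) float64 {
	return wMax / 2 * rtt
}

// DeliveredAfterLoss sums the segments each algorithm sends in the given number
// of round trips after a loss. The window is capped at wMax, which this model
// assumes to be the path capacity.
func DeliveredAfterLoss(wMax, rtt float64, rounds int) (cubic, reno float64) {
	for i := 0; i < rounds; i++ {
		t := float64(i) * rtt
		cubic += math.Min(CubicWindow(wMax, t), wMax)
		reno += math.Min(wMax/2+float64(i), wMax)
	}
	return cubic, reno
}

func main() {
	const wMax = 1000.0 // constructed: window in segments when the loss occurred
	for _, rtt := range []float64{0.01, 0.1, 0.2} {
		rounds := int(math.Round(10 / rtt)) // first 10 seconds after the loss
		c, r := DeliveredAfterLoss(wMax, rtt, rounds)
		fmt.Printf("rtt=%3.0fms  back at W_max: cubic %.1fs, reno %.1fs; "+
			"segments in 10s: cubic=%.0f reno=%.0f\n",
			rtt*1000, CubicK(wMax), RenoRecovery(wMax, rtt), c, r)
	}
}
```

At a 10 ms round trip the Reno-style sender recovers sooner; RFC 8312 covers that case with a TCP-friendly region that this model omits.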

Enable and disable Cubic with netsh commands

Microsoft added Cubic to later builds of Windows Server 2016. You can use the following PowerShell command to see if Cubic is in your build:

Get-NetTCPSetting | Select-Object SettingName, CongestionProvider

Technically, Cubic is a TCP/IP add-on. Because PowerShell does not support Cubic yet, admins must enable it in Windows Server 2016 with the netsh command, run from an elevated command prompt.

Netsh uses the concepts of contexts and subcontexts to configure many aspects of Windows Server’s networking stack. A context is similar to a mode. For example, the netsh firewall command places netsh in a firewall context, which means that the utility will accept firewall-related commands.

Microsoft added Cubic-related functionality into the netsh interface context. The interface context — abbreviated as INT in some Microsoft documentation — provides commands to manage the TCP/IP protocol.

Prior to Windows Server 2012, admins could make global changes to the TCP/IP stack by referencing the desired setting directly. For example, if an administrator wanted to use the Compound TCP congestion control provider — which was the congestion control provider since Windows Vista and Windows Server 2008 — they could use the following command:

netsh int tcp set global congestionprovider=ctcp

Newer versions of Windows Server use netsh and the interface context, but Microsoft made some syntax changes in Windows Server 2012 that carried over to Windows Server 2016. Rather than setting values directly, Windows Server 2012 and Windows Server 2016 use supplemental templates.

In this example, we enable Cubic in Windows Server 2016:

netsh int tcp set supplemental template=internet congestionprovider=cubic

This command launches netsh, switches to the interface context, selects the Internet supplemental template and sets its congestion control provider to Cubic. Similarly, we can switch from the Cubic provider to the default Compound congestion provider with the following command:

netsh int tcp set supplemental template=internet congestionprovider=compound

Announcing general availability of Azure IoT Hub’s integration with Azure Event Grid

We’re proud to see more and more customers using Azure IoT Hub to control and manage billions of devices, send data to the cloud and gain business insights. We are excited to announce that IoT Hub integration with Azure Event Grid is now generally available, making it even easier to transform these insights into actions by simplifying the architecture of IoT solutions. Some key benefits include:

  • Easily integrate with modern serverless architectures, such as Azure Functions and Azure Logic Apps, to automate workflows and downstream processes.
  • Enable alerting with quick reaction to creation, deletion, connection, and disconnection of devices.
  • Eliminate the complexity and expense of polling services and integrate events with 3rd party applications using webhooks such as ticketing, billing system, and database updates.

Together, these two services help customers easily integrate event notifications from IoT solutions with other powerful Azure services or 3rd party applications. These services add important device lifecycle support with events such as device created, device deleted, device connected, and device disconnected, in a highly reliable, scalable, and secure manner.

Here is how it works:

As of today, this capability is available in the following regions:

  • Asia Southeast
  • Asia East
  • Australia East
  • Australia Southeast
  • Central US
  • East US 2
  • West Central US
  • West US

  • West US 2
  • South Central US
  • Europe West
  • Europe North
  • Japan East
  • Japan West
  • Korea Central
  • Korea South

  • Canada Central
  • Central India
  • South India
  • Brazil South
  • UK West
  • UK South
  • East US, coming soon
  • Canada East, coming soon

Azure Event Grid became generally available earlier this year and currently has built-in integration with the following services:

Azure Event Grid service integration

As we work to deliver more events from Azure IoT Hub, we are excited for you to try this capability and build more streamlined IoT solutions for your business. Try this tutorial to get started.

We would love to hear more about your experiences with the preview and get your feedback! Are there other IoT Hub events you would like to see made available? Please continue to submit your suggestions through the Azure IoT User Voice forum.

ICS security fails the Black Hat test

The news at Black Hat 2018 wasn’t great when it came to industrial control systems. But while numerous sessions added up to sweeping condemnation of ICS security, there was at least the occasional saving grace that some vendors will correct some problems — at least some of the time. Still, the apparent lack of a security-conscious culture within these organizations means they’ll only fix the minimum, leaving similar products with the same underlying hardware, firmware and fatal bugs untouched and unsecured.

Speaking in a session, called “Breaking the IIoT: Hacking Industrial Control Gateways,” Thomas Roth, security researcher and founder of Leveldown Security, an embedded and ICS security consulting and research company based in Esslingen, Germany, walked through the security faults of a series of five gateway devices he’d found at prices he could afford on eBay. He wanted to look at commonly deployed, relatively current devices — things you find in the real world.

“If you go out on the network and start scanning, you’ll find thousands of these devices. In fact, you’ll find entire network ranges that are used almost exclusively for these devices,” he said.

“Often, they use static IP addresses with no VPN protection.” One device he looked at had a proprietary protocol for its wireless communications. But if you could break it — and he did — you had access to every one of those devices in the field, because the network addressing architecture was flat and unsegmented.

The first device he looked at was typical of his various experiments, tackling a Moxa W2150A which connects ICS devices to wireless networks via an Ethernet port on the device side and a wireless interface on the other side. In between the two interfaces is an easily opened case that reveals a circuit board with pads for connecting to a debugging port. Roth discovered, in a common theme across many of the devices discussed at the conference, the port was a serial terminal connection that booted directly to a root shell in Linux.

“This is a design decision, not a bug,” Roth said. But he noted that if you have the device and you can access a root shell, then as you are writing exploits, you can debug them directly on the device, “which is a pretty nice situation to be in.”

Roth noted the firmware for the device was available on the internet from the Moxa website, but it was encrypted. At first, this seemed like a dead end. But in looking at earlier firmware versions, he noticed one of the upgrades included adding the feature of encrypting the firmware.

This led him to an unencrypted update version, which included a package called “upgrade_firmware.” This, in turn, led to a function called “firmware_decrypt” — a function name that gave the audience a chuckle — which gave him plaintext access to the current version of the software. The decryption key was, needless to say, included in the upgrade code.

Roth raised an issue that hasn’t been much discussed in ICS security: supply chain security issues caused by the wide prevalence of openly accessible terminal access ports on devices. You can change the firmware, he said, write the changed version back to the device, return it to your distributor without mentioning the change, “and they will happily resell it to someone else.” In fact, he knows this because he conducted an experiment and was sold a device with firmware he had previously rewritten.

Roth discussed four more devices in some detail, with two of them still in the process of disclosure, “and there are a lot of fun issues.”

Beyond Roth’s pathway strewn with pwned gateways, there were other such sessions, including ones that found significant vulnerabilities in medical devices, cellular gateways, smart city infrastructure and satellite communications.

Jonathan Butts, CEO of security consultancy QED Secure Solutions, located in Coppell, Texas, noted in a press conference at the event that dealing with vendors around ICS security disclosure had been particularly frustrating. In the case of a pacemaker made by Medtronic, a protracted process leading to the company deciding that changes in the product weren’t necessary led Butts and co-speaker Billy Rios, founder of WhiteScope LLC, a cybersecurity company based in Half Moon Bay, Calif., to demonstrate their attack live and let the audience judge for themselves.

“To be honest,” Butts said, “after about the one-and-a-half-year mark, and you see stuff like [Medtronic’s response], you get fed up.”

ICS security: Protection? Not

While it’s theoretically possible to protect at least the devices that aren’t implanted in human bodies by placing the ICS equivalents of a firewall at strategic network junction points, a session by Airbus security evaluators Julien Lenoir and Benoit Camredon showed a widely deployed ICS firewall made by Belden could be remotely exploited.

The Tofino Xenon device is typically situated between the IP-based control network and local ICS assets that use Modbus, EtherNet/IP or OPC protocols. Interestingly, the device itself doesn’t have an IP address; it is essentially invisible to ordinary interrogation on the network.

A custom protocol allows a Windows machine running a configurator to discover and then send configuration data to a Xenon device. The configurator knows the addresses of protected ICS devices and knows the Xenon is somewhere between the configurator and the devices. The Xenon knows to watch for packets that carry a specific payload and recognizes them as packets from a configurator.

The two researchers were able to reverse-engineer the protocol enough to understand the arrangement that was used for encryption keys. The configurator discovers devices using a common key and then generates two additional keys that are unique to the particular pairing of that configurator and that specific firewall. All of these keys could be extracted from the discovery session, and then the keys unique to the device were used to establish a connection with the device.

“We were able to get a root shell,” Lenoir told the audience, heralding the familiar theme that almost all ICS devices are actually outdated Linux kernels. “Once everything was running as root, now the appliance was no longer a black box, but was instead a Linux kernel.”

From here, they settled on an attack model that used the devices’ ability to be updated from files on a USB stick. Camredon explained the updates comprised two files, both encrypted. “One is an update script, and one is a data file that is an image, including an image of the kernel.”

It turned out that all configurators and all Tofino Xenon devices used the same key for decrypting the update files. Because they had access to root on the Xenon, they were able to extract this key, at which point they further discovered there were no checks in the update script to ensure the data file hadn’t been tampered with since it was created.

Thus, a breached Xenon could be modified in whatever way the attackers wanted, an image of that system made, and the image could be encrypted and included in an update package without the separate installation script detecting the change.
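The missing control here is an authenticity check that does not depend on a secret stored on the device. The following is an added example, not Belden's code or the researchers': it assumes a hypothetical two-file package signed with Ed25519, where the device holds only the vendor's public key, so extracting that key from a rooted unit does not allow anyone to produce a package the device will accept. Key seeds and file contents are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage models a two-file update (install script plus data image)
// with a detached signature. The layout is hypothetical.
type UpdatePackage struct {
	Script    []byte
	Image     []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not cover this script and image")

// digest binds the script and the image together, so neither file can be
// replaced independently of the other.
func digest(script, image []byte) []byte {
	hs := sha256.Sum256(script)
	hi := sha256.Sum256(image)
	h := sha256.New()
	h.Write([]byte("update-package-v1")) // domain separation label (assumed)
	h.Write(hs[:])
	h.Write(hi[:])
	return h.Sum(nil)
}

// SignUpdate runs on the vendor's build system, the only place the private key lives.
func SignUpdate(priv ed25519.PrivateKey, script, image []byte) UpdatePackage {
	sig := ed25519.Sign(priv, digest(script, image))
	return UpdatePackage{Script: script, Image: image, Signature: sig}
}

// VerifyUpdate runs on the device before the install script is executed.
func VerifyUpdate(pub ed25519.PublicKey, p UpdatePackage) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("update rejected: no valid vendor public key provisioned")
	}
	if !ed25519.Verify(pub, digest(p.Script, p.Image), p.Signature) {
		return ErrBadSignature
	}
	return nil
}

// DemoKey derives a key pair from a constructed, fixed seed so the example is
// reproducible. Real keys come from a CSPRNG and stay in an HSM or signing service.
func DemoKey(seedByte byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seedByte}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	vendorPub, vendorPriv := DemoKey(0x11)
	pkg := SignUpdate(vendorPriv,
		[]byte("#!/bin/sh\nflash /tmp/image.bin\n"), // constructed script
		[]byte("kernel+rootfs v2"))                   // constructed image
	fmt.Println("genuine package:           ", VerifyUpdate(vendorPub, pkg))

	// Same signature, different image: the case the update script did not detect.
	modified := pkg
	modified.Image = []byte("kernel+rootfs v2 (modified)")
	fmt.Println("modified image:            ", VerifyUpdate(vendorPub, modified))

	// Re-signing with any key other than the vendor's does not help either.
	_, otherPriv := DemoKey(0x22)
	resigned := SignUpdate(otherPriv, modified.Script, modified.Image)
	fmt.Println("re-signed with another key:", VerifyUpdate(vendorPub, resigned))
}
```

Encrypting the files with a key shared by every device gives confidentiality at best; only the signature check ties the image to the vendor.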

The Xenon has been updated to correct these problems since the researchers disclosed their findings. So, in theory, the firewall is back in business. One problem Roth noted, though, is these systems often come in dozens of variants, with different names and model numbers.

“If you report a bug to some of these vendors,” Roth said, “the vulnerability gets fixed, but then there are 10 different devices which run the same firmware, and they are left completely unpatched.”

Roth suggested this was a clear indication of the lack of security culture at many ICS vendors.

“It’s like exploiting in the ’90s,” he concluded. “We have no integrity protections on any of these devices.”

At another moment, he made a sweeping generalization: “Everything runs as root; everything runs on outdated Linux kernels; everything runs on outdated web servers. If any of these components fails, you have root permission.”

Tempered Networks extends reach of NAC software

Tempered Networks, a maker of network access control for a wide variety of devices, has extended its technology to Microsoft Azure, Google Cloud, Linux servers and additional IoT endpoints.

Tempered, which introduced the latest enhancements this week, has developed NAC software based on the Host Identity Protocol (HIP), a technology developed by a working group within the Internet Engineering Task Force. A HIP network replaces all IP addresses with cryptographic host identifiers that are resistant to denial-of-service and man-in-the-middle attacks.

Tempered has created a HIP wrapper that lets customers manage large numbers of devices through a product the vendor calls a HIPswitch. The technology creates a private overlay network to control what specific endpoints can access. The product can protect corporate, industrial and IoT systems.

What’s new

The latest improvements to the Tempered product portfolio include a version of HIPswitch for Microsoft Azure and one for Google Cloud. The virtual appliance serves as an identity gateway for endpoints trying to access data, workloads and containers in the public clouds. The NAC software had only been available for AWS.

Also new is the HIPserver for Linux. HIPserver, which was available only for Windows, acts as a server’s overlay network gateway. The software, combined with a firewall, can cloak workloads, so they are not visible to hackers. The technology also ensures that network connections are authenticated before establishing a TCP session. HIPserver supports all major Linux distributions, whether they are running in a public cloud, on premises or a remote site.

Another technology added to the Tempered portfolio is the HIPswitch 75 appliance, a palm-sized IoT edge gateway designed as “plug-and-play” hardware for medical devices, point-of-sale systems and building automation controls. HIPswitch ensures that access policies are enforced for the attached systems.

Finally, Tempered introduced a product called HIPclient, which runs on Windows, Mac and iOS devices. The NAC software ensures clients only access authorized network resources.

The complete Tempered platform includes central software the vendor calls the conductor, which is akin to a software-defined networking controller. Customers use the product’s user interface to whitelist everything attached to HIPswitches and to set access policies for each endpoint or groups of them. Policy routing across the identity network is handled through technology Tempered calls the HIPrelay.

Tempered sells its products via annual subscription, based on the number of products deployed. Fees for HIPswitch for cloud start at $660; HIPserver for Linux, $1,180; and HIPclient, $300.

Yokogawa Stardom vulnerability leaves hardcoded creds in ICS controllers

Industrial control systems around the world might be at risk as hardcoded credentials are found in flawed software.

The Yokogawa Stardom vulnerability (CVE-2018-10592) affects the FCJ, FCN-100, FCN-RTU and FCN-500 controllers running firmware version R4.02 or earlier. These industrial control systems (ICS) are used around the world in various infrastructure capacities including the energy sector, food production and manufacturing.

According to the security advisory for the Yokogawa Stardom vulnerability, an attacker could remotely log in with the hardcoded credentials and be able to execute system commands. The official advisory from Yokogawa and the advisory from ICS-CERT disagree slightly though: Yokogawa labels the issue as being of medium difficulty to exploit, while ICS-CERT notes that it takes “low skill level.”

Yokogawa suggests users upgrade to firmware version R4.10, and ICS-CERT adds that the National Cybersecurity and Communications Integration Center (NCCIC) also recommends that industrial control systems be isolated from networks if possible, protected behind firewalls or have logins restricted.

It is unclear how widespread the Yokogawa Stardom vulnerability might be. Yokogawa did not respond to requests for comment at the time of this post.

Hardcoding passwords and other login credentials is a practice that security professionals have frowned upon for decades, but it still affects products ranging from IoT to firewalls and more. Meanwhile, industrial control systems have become a bigger target for attackers looking to cause real-world havoc with cyberattacks.