Homeland Security warns of hackers targeting popular Niagara software
By Robert O'Harrow Jr.,
Friday, July 13, 12:16 PM
The Department of Homeland Security on Friday warned that a popular system used by organizations around the world to manage millions of machines and devices over the Internet is vulnerable to attack from hackers.
The software system known as the Niagara Framework enables corporate, military, health-care and other users to remotely control or monitor medical devices, elevators, video cameras, security systems and a wide array of other sensitive operations.
In an alert issued Friday, cybersecurity officials said that Niagara users should immediately prohibit guest users, bolster passwords, cut off direct access to the Internet and take other steps to prevent hackers from exploiting configuration and software flaws.
“Disable the ‘guest’ and ‘demo’ user accounts if enabled,” says the alert, issued by the department’s Industrial Control Systems Cyber Emergency Response Team. The alert advised other steps:
● Lock out accounts that receive excessive invalid login attempts.
● Use stronger passwords.
● Change default user names and passwords.
● Limit user access to the file system.
The alert follows a Washington Post report Thursday that described Niagara and the vulnerabilities, which were discovered by two security specialists who work as “white hat” hackers, Billy Rios and Terry McCorkle. The system is vulnerable to a “directory traversal attack,” a well-known technique among hackers, the alert said. The attack could enable an intruder to access files containing user names and passwords.
Last week, Niagara’s maker, Richmond-based Tridium, privately warned customers about security problems. On Thursday, months after the firm was first notified of the issues, Tridium released a public alert.
Officials at DHS said they had delayed issuing a warning to allow Tridium to work on fixes.
“Incident response is an essential part of cybersecurity,” the department said in a statement, adding that it works closely with vendors and others in the process. “The number of incidents reported to DHS’s ICS-CERT has increased, partly due to this increased communication.”
In a blog post cited in the department’s cyberalert, Rios praised the department for its efforts but criticized Tridium.
“We are disappointed that it took so long for the public to become aware of this issue,” Rios said. “According to the Washington Post article, Tridium became aware of this vulnerability ‘almost a year ago, when a Niagara customer that uses the software to manage Pentagon facilities turned up issues in an audit.’”
Tridium’s parent company, Honeywell, issued a statement Friday responding to the alert.
“Tridium understands the importance of security and is committed to helping our customers make any necessary adjustments to their Niagara AX Framework software to ensure the highest security. We’ve released a security alert guiding our customers how to verify that their system is properly configured to protect against directory traversal. In addition, we will soon be providing a software update that hardens those settings against inadvertent user changes.”
© The Washington Post Company