Verdantix: Solution providers step up IT security in smart buildings


One of the biggest barriers to growth in remotely accessing building management systems (BMS) – one of the key features of a smart building – is IT security.

The IT industry has established a sophisticated process for monitoring and protecting IT networks, but these concepts are not as well developed in building systems and much of the equipment that makes up the Internet of Things (IoT). Additionally, there is often a lack of communication and collaboration between the IT department and the facilities department. There is also increasing pressure on service providers to provide an out-of-the-box security solution.

Smart buildings are particularly vulnerable as every added connected device is another potential door into the building’s wider network. Even one of the most high-tech companies in the world, Google, was hit by a cyberattack in 2013 through a building management system. The retailer Target was hacked through the HVAC system in 2014. This year, we have seen severe ransomware cyberattacks, such as the WannaCry ransomware attack that affected computers in over 150 countries.

This type of attack now feels very regular with a similar one occurring as we write. Individual buildings such as hotels have also been targeted and hacked through building automation systems (BAS) – witness the attack on a luxury hotel in the Austrian Alps in February, where the card system got breached, shut down, and a ransom demanded to restore the system to enable guests back into their rooms…

To learn more about the market for remote monitoring solutions see our recent report – Now Is The Time To Implement Remote Monitoring Solutions.

[Admin: To see other related posts, use the Smart Buildings tag or Vulnerability tag.]


Changing functionality in TRIRIGA to fix security vulnerabilities


In this day and age, security is a very hot topic. As soon as one vulnerability is addressed and mitigated, another one is found. It is a vicious circle of identifying and addressing vulnerabilities that does not seem to let up. In our fix pack release notes, information regarding the mitigation of vulnerabilities that were addressed without an APAR is listed. And sometimes, a vulnerability is addressed as an APAR.

The reason I am mentioning security vulnerabilities is that sometimes, when they are resolved, there is an impact on existing functionality, which may not always be clear. Sometimes, the result of fixing vulnerabilities can “change” functionality. As an example, in the TRIRIGA 3.5.2 release, external URL navigation items will now open in a new window to avoid cross-origin scripting vulnerabilities…

As the product develops and security vulnerabilities are found and addressed, it could mean a change in how something works. Reading the release notes can be a source of information, but it may not always be clear why something changed. We all know change is hard, especially when we are so used to it working in a certain way. I don’t know about you, but if the change was made to address a security vulnerability, I can live with that and accept the change.

[Admin: This post is related to the 04.07.17 post about APAR IV94912 where “External URL” navigation items may no longer work. To see other related posts, use the Security tag or Vulnerability tag.]


IV96795: User without access can add security via Admin Console


A user who has limited access to people records (such as an External Vendor Admin), and who should not have access to add/delete licenses and security groups, is able to add licenses and security groups to an external vendor by running a command in the TRIRIGA Admin Console.

Moving forward, a client-side vulnerability that could allow a user to escalate their privilege has been resolved.

[Admin: To see other related posts, use the Vulnerability tag or CVE tag.]


IV96796: User without access can delete a user via browser console


A user who does not have access to delete a user is able to do so by running a command in the console of the web browser.

Moving forward, a security vulnerability that could allow a user to perform actions that they may not have access to has been resolved.

[Admin: To see other related posts, use the Vulnerability tag or CVE tag.]
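IV96795 and IV96796 above share one root cause: the check that a user may add licenses, add security groups or delete a user was enforced by the user interface, so a command issued from the Admin Console or the browser's developer console reached the action without it. The defensive pattern is that every action handler re-checks the caller's permissions on the server, regardless of which client path the request took. The following is an added illustration of that pattern, not TRIRIGA code; the role names, permission table, users and the in-memory directory are all constructed for the demo.

```python
"""Server-side authorization for privileged actions (added example, not IBM TRIRIGA code).

Every action, whatever client sent it (UI button, console command, direct URL),
goes through one dispatcher that re-checks the caller's permissions before the
handler runs. Hiding a button is never the only control.
"""
from dataclasses import dataclass, field

# Constructed permission model: role -> set of permitted actions (assumption).
ROLE_PERMISSIONS = {
    "system_admin": {"user.delete", "license.add", "security_group.add"},
    "external_vendor_admin": {"people.view"},
}


@dataclass
class User:
    name: str
    roles: set
    licenses: set = field(default_factory=set)
    groups: set = field(default_factory=set)


class AuthorizationError(PermissionError):
    pass


class Directory:
    """Constructed stand-in for the people/security store."""

    def __init__(self):
        self.users = {}
        self.audit = []  # (decision, caller, action) tuples for detection/review

    def _require(self, caller, action):
        # Union of everything the caller's roles permit; empty roles -> nothing.
        allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in caller.roles))
        if action not in allowed:
            self.audit.append(("DENY", caller.name, action))
            raise AuthorizationError(f"{caller.name} may not perform {action}")
        self.audit.append(("ALLOW", caller.name, action))

    def delete_user(self, caller, target_name):
        self._require(caller, "user.delete")
        return self.users.pop(target_name)

    def add_license(self, caller, target_name, license_name):
        self._require(caller, "license.add")
        self.users[target_name].licenses.add(license_name)
        return self.users[target_name].licenses

    def add_security_group(self, caller, target_name, group):
        self._require(caller, "security_group.add")
        self.users[target_name].groups.add(group)
        return self.users[target_name].groups


def dispatch(directory, caller, action, **params):
    """Single server-side entry point; the check lives in the handler, not the client."""
    handler = {
        "user.delete": directory.delete_user,
        "license.add": directory.add_license,
        "security_group.add": directory.add_security_group,
    }[action]
    return handler(caller, **params)


def demo():
    d = Directory()
    d.users = {
        "vendor1": User("vendor1", {"external_vendor_admin"}),
        "alice": User("alice", {"system_admin"}),
    }
    vendor, admin = d.users["vendor1"], d.users["alice"]
    results = {}
    # A restricted user submits the same commands a console could send.
    for key, action, params in (
        ("vendor_license", "license.add", {"target_name": "vendor1", "license_name": "Full"}),
        ("vendor_delete", "user.delete", {"target_name": "alice"}),
    ):
        try:
            dispatch(d, vendor, action, **params)
            results[key] = "allowed"
        except AuthorizationError:
            results[key] = "denied"
    # The administrator, through the identical entry point, succeeds.
    results["admin_license"] = sorted(
        dispatch(d, admin, "license.add", target_name="vendor1", license_name="Full")
    )
    results["denials"] = sum(1 for e in d.audit if e[0] == "DENY")
    return results


if __name__ == "__main__":
    print(demo())
```

The audit list is the detection hook: a burst of DENY entries for one account against actions its role never permits is exactly the signal a SOC would want to alert on.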


IV96009: Vulnerability in running BIRT reports shows stack traces


During our penetration test, a vulnerability was identified that related to the leakage of sensitive information. This vulnerability exists application-wide.

We needed to make the errors from BIRT into MID errors, and send the stack trace to the log. Moving forward, we resolved an issue when running BIRT reports that, in some situations, a technical stack trace would be displayed to the end user when an error occurred.

[Admin: To see other related posts, use the Stack Trace tag or Vulnerability tag.]
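The fix described for IV96009, turning report-engine errors into application errors and sending the stack trace to the log rather than the browser, is a general boundary-handling pattern. Below is an added example of it in Python; it is not TRIRIGA or BIRT code. The report runner, its exception type and the failing report name are constructed for the demo, and the correlation id scheme is an assumption.

```python
"""Keep stack traces in the log, not in the response (added example, not TRIRIGA/BIRT code).

At the boundary where the report engine is called: catch the engine error, log
the full traceback tagged with a correlation id, and return only a generic
message plus that id to the user.
"""
import io
import logging
import traceback
import uuid


class ReportEngineError(Exception):
    """Constructed stand-in for an exception raised by the report engine."""


def run_report(name):
    # Constructed failing engine call. The internal path and SQL fragment in
    # the message are the kind of detail that must never reach the browser.
    if name == "broken":
        raise ReportEngineError(
            "JDBC failure on SELECT * FROM T_DOCUMENTS (/opt/app/reports/broken.rptdesign)"
        )
    return f"<html>report {name}</html>"


def make_logger():
    """Logger writing to an in-memory buffer so the demo can inspect it."""
    buf = io.StringIO()
    logger = logging.getLogger("report.demo")
    logger.handlers.clear()
    logger.setLevel(logging.ERROR)
    logger.addHandler(logging.StreamHandler(buf))
    logger.propagate = False
    return logger, buf


def render_report(name, logger):
    """Boundary handler: returns (status, body); the body never carries
    the exception text or traceback."""
    try:
        return 200, run_report(name)
    except ReportEngineError:
        error_id = uuid.uuid4().hex[:12]  # assumption: short correlation id
        logger.error("report %r failed, error_id=%s\n%s",
                     name, error_id, traceback.format_exc())
        return 500, f"The report could not be generated. Reference: {error_id}"


def demo():
    logger, buf = make_logger()
    ok_status, ok_body = render_report("sales", logger)
    err_status, err_body = render_report("broken", logger)
    log_text = buf.getvalue()
    return {
        "ok": (ok_status, ok_body),
        "err_status": err_status,
        "user_sees_internals": ("JDBC" in err_body or "rptdesign" in err_body
                                or "Traceback" in err_body),
        "log_has_trace": "Traceback" in log_text and "rptdesign" in log_text,
        "ref_in_log": err_body.rsplit(" ", 1)[-1] in log_text,
    }


if __name__ == "__main__":
    print(demo())
```

The reference id is what makes this usable operationally: support staff can find the full trace in the log from the id the user quotes, without the response ever disclosing paths, queries or class names.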


Security: IBM TRIRIGA Application Platform vulnerabilities & fixes


[Updated 03.29.17]

For convenience, here are some recent CVE IDs.

CVE ID Summary APAR
CVE-2016-9737 The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVE-2017-1153 The IBM TRIRIGA Report Manager contains a vulnerability that could allow authenticated users to execute actions to which they do not have access.
CVE-2017-1171 The IBM TRIRIGA Application Platform contains a vulnerability that could allow authenticated users to execute application actions to which they do not have access.
CVE-2017-1180 The IBM TRIRIGA Document Manager contains a vulnerability that could allow authenticated users to execute actions to which they do not have access.

[Admin: This post is related to the 05.17.16 post and the 04.04.16 post about vulnerabilities and fixes. To see other related posts, use the Vulnerability tag.]


IV93811: Privilege escalation vulnerability in project context


The project context can be set to a project where the user does not have Capital Project security access. A user cannot modify or update data inside the project when they do this. However, the TRIRIGA platform should prevent the setting of this context from ever occurring in the first place.

Users can set the project container through direct URL manipulation. Moving forward, the privilege escalation vulnerability has been resolved.

[Admin: This post is related to the 03.01.17 post about a privilege escalation vulnerability in the Report Manager, and the 02.13.17 post about the relationship between project context and security.]
