AKCP Security Summary 09/18/2020

Data Center Security

A data center houses the enterprise's IT equipment, applications and critical data, so it needs both proper security systems and a security policy that governs how they are used.

The main data center security concerns are data loss (through human error, external attack or natural disaster), data alteration, Denial of Service (DoS), identity theft and theft of confidential information.

On the hardware side, security starts with the physical security of the data center: preventing physical damage and unauthorized access to the equipment that stores critical data, and protecting it from natural disasters.

On the software side, proper antivirus/antimalware solutions, up-to-date software, tested backups and frequent security audits can significantly lessen the impact of a breach.

In the Cost of a Data Breach Survey, in which 49 U.S. companies from 14 industry sectors participated, the following was found:

  • The average cost of a security breach could reach $5.5 million
  • 39% of the companies say negligence was the primary cause of their data breach
  • Malicious and other criminal attacks accounted for 37% of the breaches
  • A data breach can have severe consequences both for the company operating the data center and for the customers whose data are exposed

Security status of AKCP products

Below we provide the latest malware and vulnerability scan results for our product line (updated monthly):

  • sensorProbe+ (SP+)
  • sensorProbe (SP)
  • securityProbe (SEC5)
  • AKCPro Server (APS)

We use the Nessus Essentials vulnerability scanner and VirusTotal to produce these results.

While we aim to provide correct and up-to-date information, new vulnerabilities may be found before this status has been updated and new software released. If your security scanner detects a new vulnerability, don't hesitate to contact us so we can investigate it.

Scan Results: 09/18/2020

Common false positive detections in AKCP products

By default, all units ship with the following configuration, which scanners may flag as insecure. It is chosen for ease of access and a simple installation. It is the end user's responsibility to change these defaults where they are considered security flaws in the deployment environment:

SNMP v1/v2c enabled with community string: public

Remediation: change the community string to a customized value, and/or disable SNMP v1/v2c if it is not needed (disabling may affect the product's functionality). Note that SNMP v1/v2c carries the community string in cleartext in every packet, so a custom string protects against casual scans but not against anyone who can capture traffic on the path; restrict UDP/161 to trusted management hosts as well.

Built-in default SSL/TLS certificate for HTTPS: untrusted self-signed, possibly using a weak signature hash algorithm

Remediation: replace the default certificate with one trusted in your environment (issued by your own CA or a public one) if HTTPS access is required; we provide manuals for changing the SSL certificates on our units. Until it is replaced, a browser cannot distinguish the unit from a man-in-the-middle presenting its own self-signed certificate, so certificate warnings will be routinely clicked through.

Telnet and/or SSH service: enabled by default, where supported

Remediation: disable these services if they are not needed (this might affect the product's functionality). Where shell access is required, prefer SSH and disable Telnet, which sends credentials and the whole session in cleartext.

SNMP ‘GETBULK’ Reflection DDoS

Scanners raise this finding because a small SNMP v2c GETBULK request with a spoofed source address makes the agent send a much larger response to the spoofed victim, so any reachable agent with a guessable community string can serve as a traffic amplifier. The SNMP agent on our units is designed to be able to send large amounts of data quickly when necessary, so that important sensor data and alerts are not lost.

Remediation: configure SNMP alerts and SNMP Trap messages with only the necessary information, and spread the alerts across multiple receiving hosts. Since the reflection is triggered by inbound requests, also change the default community string and restrict UDP/161 to trusted management hosts at the network boundary, so that spoofed requests from untrusted networks never reach the agent.
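The two SNMP points above (the cleartext community string, and the size asymmetry that makes GETBULK reflection work) can be seen directly on the wire. The following Python is an added example written for this summary, not AKCP code: it BER-encodes an SNMP v2c GetBulkRequest the way any SNMP tool would, shows that a passive observer can read the community string without any decryption, and compares the request size with a constructed sample response. The OIDs, the "public" community, the interface descriptions and the request id are made up for sizing; nothing was captured from a real unit.

```python
"""SNMP v1/v2c on the wire: BER-encode a GetBulkRequest, read the community
string back out of the packet, and compare request and response sizes.
Added example; not AKCP code. Sample values below are constructed."""

SNMP_V1, SNMP_V2C = 0, 1
TAG_INT, TAG_OCTET, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_RESPONSE, TAG_GETBULK = 0xA2, 0xA5


def ber_len(n):
    """Definite-form length: one byte below 128, else 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value):
    """Non-negative INTEGER; a leading 0x00 keeps the top bit clear (two's complement)."""
    if value < 0:
        raise ValueError("negative values are not needed for these fields")
    return tlv(TAG_INT, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 big-endian."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunks))
    return tlv(TAG_OID, bytes(out))


def snmp_message(version, community, pdu_tag, request_id, field1, field2, varbinds):
    """Message ::= SEQUENCE { version INTEGER, community OCTET STRING, PDU }.
    For GetBulk, field1/field2 are non-repeaters/max-repetitions;
    for GetResponse they are error-status/error-index."""
    vbl = tlv(TAG_SEQ, b"".join(tlv(TAG_SEQ, ber_oid(oid) + val) for oid, val in varbinds))
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(field1) + ber_int(field2) + vbl)
    return tlv(TAG_SEQ, ber_int(version) + tlv(TAG_OCTET, community.encode()) + pdu)


def getbulk_request(community, oid, max_repetitions, request_id=1):
    """The packet a scanner (or a source-spoofing attacker) sends to UDP/161."""
    return snmp_message(SNMP_V2C, community, TAG_GETBULK, request_id, 0, max_repetitions,
                        [(oid, tlv(TAG_NULL, b""))])


def parse_tlv(buf, off=0):
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[off:off + count], "big")
        off += count
    return tag, buf[off:off + length], off + length


def community_from_wire(msg):
    """What a passive sniffer sees: version and community, with no decryption involved."""
    tag, body, _ = parse_tlv(msg)
    if tag != TAG_SEQ:
        raise ValueError("not an SNMP message")
    _, version, off = parse_tlv(body)
    _, community, _ = parse_tlv(body, off)
    return int.from_bytes(version, "big"), community.decode()


def amplification_factor(request, response):
    """Bytes delivered to the victim per byte the attacker spends on the spoofed request."""
    return len(response) / len(request)


# Constructed sample: a GETBULK for the system subtree with max-repetitions=50, and a
# GetResponse carrying 50 interface-description varbinds of the size an agent might return.
REQUEST = getbulk_request("public", "1.3.6.1.2.1.1", max_repetitions=50)
SAMPLE_RESPONSE = snmp_message(
    SNMP_V2C, "public", TAG_GET_RESPONSE, 1, 0, 0,
    [("1.3.6.1.2.1.2.2.1.2.%d" % i, tlv(TAG_OCTET, b"Ethernet interface %d (constructed)" % i))
     for i in range(1, 51)])

if __name__ == "__main__":
    print("request bytes:", len(REQUEST), "->", REQUEST.hex())
    print("version, community visible on the wire:", community_from_wire(REQUEST))
    print("response bytes: %d, amplification x%.1f" % (
        len(SAMPLE_RESPONSE), amplification_factor(REQUEST, SAMPLE_RESPONSE)))
```

The 38-byte request is what makes the reflection attractive: the attacker's cost per packet is fixed, while the response grows with max-repetitions and with how much the agent has to say, which is why the amplification factor, not the request itself, is what an ACL on UDP/161 removes.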

sensorProbe+ (SP+) products

Security status: SECURE

Latest firmware: 1.0.5238

Vulnerabilities: NONE

sensorProbe+ units run an embedded RTOS (real-time OS).

The lwIP network stack and a customized web server are used.

No shell access is provided.

As of firmware 5233, only TLS 1.2 is enabled for HTTPS; older SSL/TLS versions are not offered, which your scanner (or an openssl s_client handshake forced to TLS 1.0/1.1) should confirm.

securityProbe (SEC5) products

SEC5ESV Blue

Security status: SECURE

Latest firmware: 405u

Vulnerabilities: NONE

securityProbe units run an embedded OS based on a customized Linux kernel.

The Linux network stack and a customized web server are used.

SSH and Telnet shell access is provided (see the default-services note above).

As of firmware 405u, only TLS 1.2 is enabled for HTTPS; older SSL/TLS versions are not offered.

sensorProbe (SP) products

Security status: ATTENTION

Latest firmware: 476

Vulnerabilities: SOME (see below)

sensorProbe units run a custom embedded OS.

A customized embedded web server is used.

No shell access is provided.

Important: the sensorProbe family does not support any secure protocols such as SSL/TLS or HTTPS. It therefore supports neither secure email nor secure web access, and only SNMP v1/v2c is supported. This can make the product insecure in some environments unless it runs on an isolated network.

Nessus Security scan results:

Web Application Potentially Vulnerable to Clickjacking (low risk)

The built-in web server sets neither the X-Frame-Options header nor a Content-Security-Policy header with the ‘frame-ancestors’ directive. Either header would stop another site from rendering the page's content inside a frame or iframe; without them, a malicious page can embed the sensorProbe WebUI and overlay it so that a user with an active session is tricked into clicking its controls.

The sensorProbe WebUI does not itself use frames, but that does not remove the exposure, since the finding concerns a third-party page framing the unit's UI. Keep the WebUI reachable only from a management network, and avoid browsing untrusted sites from a browser that holds a session on the unit.
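A practitioner will want to confirm this finding, and later the fix, from the raw HTTP response rather than from the scanner label alone. The Python below is an added example, not code from the sensorProbe firmware or from Nessus: it parses an HTTP response head and reports which framing protection, if any, is in effect. The two sample responses are constructed to show the unprotected case the finding describes next to a hardened one; they were not captured from a unit.

```python
"""Detect missing framing protection in a raw HTTP response.
Added example (not sensorProbe or Nessus code); the sample responses are constructed."""

# Constructed: a server that sets neither header, which is what the finding above reports.
UNPROTECTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: embedded\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>sensor status page (constructed)</body></html>"
)

# Constructed: the same response with both protections. CSP frame-ancestors is the
# current mechanism; X-Frame-Options covers older clients that do not understand it.
HARDENED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    b"\r\n"
    b"<html><body>sensor status page (constructed)</body></html>"
)


def parse_headers(raw):
    """Header names are case-insensitive; repeated headers are kept as a list."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_ancestors(policies):
    """Source list of the first frame-ancestors directive found, or None if absent."""
    for policy in policies:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def framing_protection(raw):
    """Return (mechanism, detail). Browsers that understand frame-ancestors apply it
    and ignore X-Frame-Options, so CSP is checked first."""
    headers = parse_headers(raw)
    sources = frame_ancestors(headers.get("content-security-policy", []))
    if sources is not None:
        return "csp-frame-ancestors", sources
    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    if xfo and xfo[0] in ("DENY", "SAMEORIGIN"):
        return "x-frame-options", xfo
    if xfo:
        # ALLOW-FROM is obsolete and current browsers ignore it, leaving the page frameable.
        return "x-frame-options-ineffective", xfo
    return "none", []


def is_frameable(raw):
    """True when any origin may embed the page, i.e. the clickjacking finding applies."""
    mechanism, detail = framing_protection(raw)
    if mechanism == "csp-frame-ancestors":
        # '*' or a bare scheme lets any site frame the page; other lists restrict embedders.
        return any(src in ("*", "http:", "https:") for src in detail)
    return mechanism in ("none", "x-frame-options-ineffective")


if __name__ == "__main__":
    for label, response in (("unprotected", UNPROTECTED), ("hardened", HARDENED)):
        print(label, framing_protection(response), "frameable:", is_frameable(response))
```

Feeding the function the bytes of a real response (for example the output of a plain TCP fetch against the unit's HTTP port) gives the same verdict the scanner gives, and the `HARDENED` sample shows the two headers an embedded web server would have to emit for the finding to clear.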

Web Server Transmits Cleartext Credentials

The sensorProbe family does not support any secure protocols such as SSL/TLS or HTTPS, so the WebUI login is sent in cleartext and can be read by anyone able to capture traffic between the browser and the unit. This can make the product insecure in some environments unless it runs on an isolated network. Common compensating controls are a dedicated management VLAN for the units and, where access from other networks is needed, a TLS-terminating reverse proxy or VPN in front of them.

AKCPro Server (APS)

Security status: SECURE

Latest version: 14.2.40

Vulnerabilities: NONE

AKCPro Server is a DCIM/CMS (Central Monitoring Software) application running on the Windows platform.

A customized web server is used.

No shell access is provided.

Nessus WebApp scan results:

CGI Generic Unseen Parameters Discovery (medium)

There is a potential flaw that allows the contents of restricted folders used by APS to be listed, such as the demo image files or font files. This does NOT affect user data in any way. Our engineers are investigating this issue.

VirusTotal scan results:

We regularly scan AKCPro Server binaries with VirusTotal. This is a free service that analyzes files and URLs for viruses, worms, trojans and other kinds of malicious content.

VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal.

The virus scan is performed with well-known antivirus engines, such as:

  • Avast
  • Avira
  • AVG
  • BitDefender
  • ClamAV
  • Comodo
  • ESET-NOD32
  • F-Prot
  • Kaspersky
  • Malwarebytes
  • McAfee
  • Sophos
  • TrendMicro
  • Symantec
  • Windows Defender

Below is the scan result summary for each executable file used in APS. Where there are false-positive detections, we list them along with the function of the binary.

APS Installer file “AKCProServer-14.2.40.exe”

https://www.virustotal.com/gui/file/d9d5b3ea46837cc852e5242879499c4efcee4c0c0c31a6971aa72defa6183b42/detection
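VirusTotal file reports are addressed by the file's SHA-256, which is the 64-hex-digit value in each URL on this page, so a report also tells you exactly which bytes were scanned. The Python below is an added example, not AKCP tooling, for checking offline that the installer you downloaded is byte-identical to the file behind the report before you run it. The installer URL is copied from this page; the `verify_manifest` helper and its (path, URL) input format are this example's own.

```python
"""Compare a local file's SHA-256 with the hash in its VirusTotal report URL.
Added example, not AKCP tooling. INSTALLER_REPORT is copied from the page above."""
import hashlib
import os
import re
import sys

INSTALLER_REPORT = ("https://www.virustotal.com/gui/file/"
                    "d9d5b3ea46837cc852e5242879499c4efcee4c0c0c31a6971aa72defa6183b42/detection")

# The path component after /gui/file/ in a VirusTotal file report is the file's SHA-256.
_VT_FILE_URL = re.compile(r"virustotal\.com/gui/file/([0-9a-fA-F]{64})(?:[/?#]|$)")


def sha256_from_vt_url(url):
    match = _VT_FILE_URL.search(url)
    if not match:
        raise ValueError("not a VirusTotal file report URL: %r" % url)
    return match.group(1).lower()


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so that large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_bytes(data, vt_url):
    return sha256_of_bytes(data) == sha256_from_vt_url(vt_url)


def verify_file(path, vt_url):
    return sha256_of_file(path) == sha256_from_vt_url(vt_url)


def verify_manifest(entries):
    """entries: iterable of (local_path, vt_report_url).
    Returns {path: 'ok' | 'MISMATCH' | 'missing'}. A MISMATCH means the bytes differ
    from what was scanned (a newer build, a corrupt download, or a tampered file);
    investigate before running the file."""
    results = {}
    for path, url in entries:
        if not os.path.isfile(path):
            results[path] = "missing"
        else:
            results[path] = "ok" if verify_file(path, url) else "MISMATCH"
    return results


if __name__ == "__main__":
    # Usage: python verify_aps.py AKCProServer-14.2.40.exe
    target = sys.argv[1] if len(sys.argv) > 1 else "AKCProServer-14.2.40.exe"
    for path, status in verify_manifest([(target, INSTALLER_REPORT)]).items():
        print("%-40s %s" % (path, status))
```

The same (path, URL) pairs can be built for every binary listed below to check an installed copy of APS against the scanned versions. A matching hash only proves the file is the one that was scanned; it says nothing about who built it, so if the binaries carry an Authenticode signature, checking it (for example with Get-AuthenticodeSignature in PowerShell) is the complementary step.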

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\AKCProServer.exe”

https://www.virustotal.com/gui/file/d97d271999bf595f62e81b4997bde2f984800cfd667bff3856b592a278758489/detection

AKCProServer.exe is the main (control) process of APS.

VirusTotal lists 2 engines that flag this file:

Bkav: W32.AIDetectVM.malware2

eGambit: Unsafe.AI_Score_100%

We assess these as false positives: only 2 of the 70+ engines flag the file, both verdicts are generic machine-learning/heuristic labels rather than a named malware family, and no other engine corroborates them.

Some behaviour of this application can resemble that of malware to heuristic engines, such as low-level network socket creation (the RPC port and communication with the monitored devices) and spawning multiple sub-processes (to handle notifications).

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\CustomNotification.exe”

https://www.virustotal.com/gui/file/e59fa732512bc1f4f895a5103dfffea84fd92c13b85d37c57e797dcbc4fad544/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\DbRecovery.exe”

https://www.virustotal.com/gui/file/28561ae828b903a5204ecb600f44fc8bcebede53816cd8c351c53c59bcedf813/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\DialNotification.exe”

https://www.virustotal.com/gui/file/6f3fa9e436e1f9ea92a392d6b7548becda3fda621708d0fd0ea8b0f5fa68afaa/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\DoorLockNotification.exe”

https://www.virustotal.com/gui/file/a030e566ff05b0c505ba0d59255999e602f3e40ea3b0c22366cbf4c9ce9ba6a3/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\DryContactNotification.exe”

https://www.virustotal.com/gui/file/ea07b9f18e9792a74443a671929dc3e03ef264948d6ec2dc5e5f20dea5e7e29a/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\EmailNotification.exe”

https://www.virustotal.com/gui/file/fb4369cd5d6ecca7b6f3a69b10834a9d27b15a74a98a2ca10c7bd44e36ef0adc/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\FaxNotification.exe”

https://www.virustotal.com/gui/file/0235b7cb2d7ca14e7c0a3895723ad42a8483001d68c838cb5f68b4e7af5322b5/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\FTPNotification.exe”

https://www.virustotal.com/gui/file/48568054cc7d8ea9b594de11b08023fe73a71fe1eaf75bc4ecccfbc1762eda68/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\mergeLangJson.exe”

https://www.virustotal.com/gui/file/1c4ed686fb91896873f971c7fa1d3811d9b2d15bc0faae2ff19eded3443a017a/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\MMSNotification.exe”

https://www.virustotal.com/gui/file/9943c7c5aebe054fa035751630b53b4aa7c986b17a74b8e5c277a0e42c0a6224/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\ModbusNotification.exe”

https://www.virustotal.com/gui/file/7495c23b8bf29d5dbcb80c96a8c82feed8d179b5bbe970a08628752b436253fc/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\notificationServer.exe”

https://www.virustotal.com/gui/file/e03c172a62494edc366a8c1e34ec13571b14a62a2c25fd504484bd5e2261edb2/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\RecorderNotification.exe”

https://www.virustotal.com/gui/file/75995c817768f50a175eb14ca56974087aa242a838746e123b2e79572e3d7ec2/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\RelayNotification.exe”

https://www.virustotal.com/gui/file/aa04d6e97ff904999e34efe65b0e10f038715f7aafb69d9c79ebf3a6d427d129/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\serverManagerService.exe”

https://www.virustotal.com/gui/file/4022e00c1d04b435ab0287026ba00397ce0c135f18a5bf684580d68f22cbf172/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\serverManagerUI.exe”

https://www.virustotal.com/gui/file/f8f97597330b9ea29fb245e2f644cf843ba16bfc1aae0b0434ec845c82b13aef/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\ShutdownNotification.exe”

https://www.virustotal.com/gui/file/96fc2bfc79ae514e0d2f966b4ea02fe86c2179c54899baa4d69a4dac8e8fa8aa/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\SirenNotification.exe”

https://www.virustotal.com/gui/file/a39ada8799df33ce400408310fd11343bc4d14f8e3487249e8a55f0111c74bb3/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\SkypeNotification.exe”

https://www.virustotal.com/gui/file/5122e660e6949d2bc3d7a67705dcf1f6424fd9983cbb3a3c635cdea8493147bf/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\SMSNotification.exe”

https://www.virustotal.com/gui/file/14716bfa1a6227e4d2c20dbf2ea91bc640e43665e9d0373c28450a6c7b4aa928/detection

SMSNotification.exe is a notification sub-process of APS, used for sending SMS notification messages to mobile phones through supported modems.

VirusTotal lists 1 engine that flags this file:

Yomi Hunter: MALWARE

We assess this as a false positive: only 1 of the 70+ engines flags the file, with a generic verdict rather than a named malware family, and no other engine corroborates it.

Some behaviour of this application can resemble that of malware to heuristic engines, such as low-level I/O on the modem's serial port to send the SMS.

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\SnmpSetNotification.exe”

https://www.virustotal.com/gui/file/0ae9a4445e27aeb0677b71c40cca126cdaadcef535e73775d30b864f92b4b38d/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\SoundNotification.exe”

https://www.virustotal.com/gui/file/cbd95a27f03f1ab450579eb1f333330a8cd56b043cdf00603b50b8e459cc934b/detection

SoundNotification.exe is a notification sub-process of APS, used for generating sound notifications on the local PC.

VirusTotal lists 1 engine that flags this file:

Yomi Hunter: MALWARE

We assess this as a false positive: only 1 of the 70+ engines flags the file, with a generic verdict rather than a named malware family, and no other engine corroborates it.

Some behaviour of this application can resemble that of malware to heuristic engines, such as direct handling of hardware devices (the sound card).

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\SpeechNotification.exe”

https://www.virustotal.com/gui/file/3a441dc9a1ee53670c5c0267a47a5831a3d7f7b35e8292b7dc18a4abb56c9fd5/detection

SpeechNotification.exe is a notification sub-process of APS, used for placing telephone (voice) notification calls to mobile phones through supported modems.

VirusTotal lists 1 engine that flags this file:

Yomi Hunter: MALWARE

We assess this as a false positive: only 1 of the 70+ engines flags the file, with a generic verdict rather than a named malware family, and no other engine corroborates it.

Some behaviour of this application can resemble that of malware to heuristic engines, such as low-level I/O on the modem's serial port to place the voice call.

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\StopRecorderNotification.exe”

https://www.virustotal.com/gui/file/607140613d60af7cb208a9f9e6d88f006ee7b2bad881e892a479013705061e0a/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\TrapNotification.exe”

https://www.virustotal.com/gui/file/27cb8b77ebdd5df71287b4fdf19c6f9747bcddd678957d4413aec3ad2afaea51/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\VPNAuthen.exe”

https://www.virustotal.com/gui/file/34ad517005cc6c7345e634135e5d069e95e9c90d2e0beb5e86737e9c9645fbf3/detection

“C:\Program Files (x86)\AKCP\AKCPro Server\bin\WindowsNotification.exe”

https://www.virustotal.com/gui/file/a1d8c6702b23901c16960e35016fcbd88909b8ece022716506bdc33be9bbc2eb/detection