SCADA Developer Network

User Security is now comes with Sectioned Security Control, the best thing is it works in conjunction with existing Leveled Security Control. They can work separately or both combined. Leveled Security Control is a plant wide implementation, Sectioned Security Control is being added on top so that one big plant can be splitted into several sections of security access. In another word, every area could have its own level of security access control.

As an example, Supervisor at higher level is assigned to Area 1 and Area 2, and then Technician is assigned to Area 1 and Area 3. The achieved control condition is such that both of them can perform certain tasks at Area 1 with different level, but Supervisor could not access Area 3 which can be accessed by Technician, So highest level doesn’t necessary means can access all area.

Below is the list of improvements for new release.

1. + Added Sectioned Security Control by having additional Label column.
2. + Added Tag-to-Tag comparison for color animation in SAGE.
3. + Added web user activity logging.
4. + Added Alarm Filter.
5. ^ Slider now supports minimum value being more than 0.
6. * Fixed PE bug that unable to save when property being changed for new entry.
7. * Fixed minor bugs and security issues.

HD Moore of Metasploit published a blog about Exploiting DLL Hijacking Flaws on Sunday, August 22, 2010, and then almost everyone who use Windows are at risk, because you can easily spot one familiar application in the long list of applications that prone for this vulnerabilitie, and IntegraXor is also affected for DLL Hijacking vulnerability. DLL Hijacking vulnerability within IntegraXor was found since end of last year, this is thus far the longest vulnerability that we put on hold to patch. The biggest reason is we need to put our existing customers’ requests in priority, and this vulnerability is an attack which may have some lead way on the time line. As such we put this vulnerability in a lower priority to mitigate as compare to other security vulnerabilities that found later.

Summary of Event

• 22-Dec-2010: An anonymous security researcher that addressed himself/herself as “Mister Teatime” has published an “Uncoordinated Disclosure” of a DLL Hijacking vulnerability at The Open Source Vulnerability Database.
• 28-Dec-2010: ICS-CERT published a security alert.
• 12-Jan-2011: ICS-CERT contacted IntegraXor Support Team for confirmation.
• 17-May-2011: Build 4081 with patch was sent to ICS-CERT for verification.
• 25-May-2011: ICS-CERT confirmed DLL hijacking has been patched.
• 30-May-2011: IntegraXor support team issued VN and declared all version after build 4081 are patched for DLL Hijacking attack.

Note: The screenshot/drawing is published under Creative Commons Attribution 3.0 US License.

When you encounter any problem during development, there are few things that you could do to elaborate your problem before contacting technical support. One is producing screenshots, second is to reproduce the problem in a new project and send the test case over.

There are advantages by attempting to reproduce the problem in a new project or test case:

• You may find that the new project is working but not your existing project so either you or others can check out the differences.
• You might end up find out the solution by yourself while trying to reproduce the problem.
• You can remember the steps better, and figure out what exactly causing the problem and describe only the necessary steps to technical support.
• The newly created project is normally smaller hence easier to send as email attachment.
• You don’t have to send out the existing project which might contain P&C information and hence protect your privacy.

Project or test case needs to be compressed and send as email attachment, but it’s not quite possible if the project zip archive contain any *.exe or *.js files as it may be blocked by many types of mail server. Fortunately this can be easily circumvent by using 7zip format instead, 7zip compression format is highly recommended not only it can bypass gmail server checking (as of time of writing) but also produces very much smaller compressed archive, it could be as much as 3x smaller in certain targeted source file type when comparing ordinary *.zip to *.7z file format.

In any case that the compressed file archive could not pass through the mail server, the best practice is to add a disabled extension to the exiting file. For instance, project.zip shall be renamed to project.zip.dsb, or simply add a trailing underscore at the end project.zip_ or project.7z_ for 7zip format.

One of the good thing about 7zip is it doesn’t need to know the compression file format based on the file extension in order to extract. So the mail recipient (support team) doesn’t even need to put back the correct extension before extracting the email attachment. Oh yes, 7zip program is one of the must have utility that also works with many other common compression formats like zip, rar, gzip, tar and etc.

Screen shot showing unknown file type (with additional underscore) can be extracted by 7zip.

Also try to describe the steps to produce the problem. Some works can be achieved with many approaches, some problems only occur in specific steps. As such clearly describe the steps in producing the problem is important.

Last but not least, please specify the expected outcome, avoid to use ambiguous terms like “the outcome is unpredictable”, “the result is screwy”, spell out what was predicted, describe what’s the expected behavior.

SVG graphic files that produced by Inkscape can be further optimized by removing some editing data and spaces which will be ignored by or have less impact to the targeted medium, most of the time, browsers. Now you may do that easily by choosing “Optimized SVG” file type upon “Save As” (Ctrl+Shift+S).

Another pop up will be prompted for user to choose what to be optimized or even compromised. The options should be chosen and tested according to what have been used, but one option that you should *not* choose is the “Enable viewboxing” which will disturb image sizing/positioning for browsers. Our brief tests also show that the precision should not go less than 3. The last option for Indent should always set to ‘None’ since nobody will care to hand code SVG file as Inkscape has done a lovely job for us.

The original SVG file which is optimized should be saved as another file and not to replace the original file. Optimization should only be done before deployment, because optimized file should not be edited as saving it directly (Ctrl+S) will put back all configuration data which was considered redundant to the targeted agent, in most contexts referring to browsers. Also, if you haven’t known, you should only remove old and unused effect/filter by clicking “Vacuum Defs” before deployment.

Do post a reply if you have more tips in optimizing SVG files.

It seems that all modern browsers are ignoring the non-proportioned scaling for raster image in SVG file. If you use Inkscape to resize an embeded/linked raster image in an SVG file, you will find that all browsers will render the raster image in the same aspect/dimention ratio as compare to the original image. Apparently only Inkscape and ASV could interpret non-proportioned raster image scaling.

Comparison was done between Inkscape and browsers in order to elaborate the problem, the IntegraXor logo was used as the raster image, and the blue frame which is the SVG element serves as the border line. The top left image is the original logo, the top right image has been resized in width which wasn’t interpret correctly in browsers, and the medium left image has been resized in height which is also wasn’t inperpreted correctly in browsers. Only the medium right image is rendered correctly in browsers when the image is resized with original aspect ratio.

Last but not least, the bottom image is also rendered correctly in browsers, whereby a trick has been apply by grouping the raster image and the SVG element before the dimension ratio is distorted. In another word, to circumvent this problem is to group the raster image with other SVG element and then scale it together. Otherwise the best thing to do is to avoid scaling or at least scale it in proportion by holding down Ctrl key, in ensuring WYSIWYG in browsers’ display.

The browser shown in the screenshot is Firefox 4.0. However all other browsers also affected, including IE 9.0.8112.16421 RTM(KB982861), Google Chrome 10.0.648.151, Safari 5.0.3 (7533.19.4) and Opera 11.10 Build 2092. Image showing aspect ratio will be always preserved by browsers.