# 5 Ways to Prevent Your Primavera P6 Install from Getting Hacked

Published 2016-12-05 (last modified 2019-07-30)

Just over a week ago, the city of San Francisco lost millions in revenue as a hacker's attack left the city's Muni municipal transportation kiosk system completely inoperable.

The trains and buses were running, but everyone rode for free for 2 days as IT experts struggled with a ransomware demand. All Muni computer terminals displayed the "hacked" message: "Contact for key (cryptom27@yandex.com)," the message read.

The hacker's ransomware program had compromised thousands of PCs and servers at the SFMTA, encrypting their hard drive data and leaving it inaccessible without the single digital key that would unlock it all. The hacker demanded 100 bitcoins, equivalent to $73,000 USD, to release the key.

However, officials refused to pay.

Even after the hacker threatened to permanently delete 30 gigabytes of data, officials called the hacker's bluff and restored hard drives from backups to get systems up and running again.

What seems like a victorious outcome for SF wasn't that rosy in the eyes of IT pundits.

**"SF's transit hack could've been way worse—and cities must prepare,"** was the headline in Wired magazine.

What's particularly interesting to us in this situation is how the hacker was able to access Muni systems. The hacker, now known to authorities, actually admitted to SFMTA how he was able to thwart their security. It was through a **vulnerability in Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) software**.

He wrote, *"Read this and install patch before you connect your server to internet again,"* including a link to an Oracle security advisory page for Oracle WebLogic, the web engine that **Primavera P6 EPPM** runs on top of. The advisory outlines a known 'WebLogic unserialize exploit' and was released in November 2015 to patch a hole in WebLogic that would allow remote code execution (techno-speak for running a malicious program without anyone knowing). It seems as though the staff at SFMTA were not keeping up with their patches.

Ransomware attacks of this nature have become commonplace with today's complex IT infrastructure. Patching holes in critical systems is a full-time job.

In a strange twist, authorities were able to hack the hacker's server and discovered his techniques and tools, not to mention an inbox that detailed his previous successful attacks on construction firms. The list included Pa.-based Irwin & Leighton; CDM Smith Inc. in Boston; Indianapolis-based Skillman; and the Rudolph Libbe Group, a construction consulting firm from Ohio. It's not known if any of these firms paid a ransom to the hacker to regain access to their files.

The firms above are not large enough to make headlines when hacked, unlike recent victim San Francisco Muni. But that doesn't detract from the fact that **not only are large firms constantly targeted, but small to medium companies are as well**. If that's you, then you need to ensure you're protected from hackers who are savvy and know about potential vulnerabilities that you might be at risk for.

If there's one thing I've learned over the years as a Primavera P6 consultant, it's that Primavera P6 administrators don't much care for its security features. I would wager that most Primavera P6 installs around the world were put in place with most of the default settings, many of which are not secure. Most don't bother to go through the exercise of establishing proper security profiles or other measures.

Sometimes we think "it's just project data, it's not like it's financial data." True, but hackers can take advantage of any vulnerability regardless and are notorious for using any easy door in to gain further access and go deeper.

## How to Strengthen Primavera P6 Security & Prevent Hackers

### 1. Don't Use the Default Passwords

One of the main issues with Primavera P6 is the database user accounts that the application uses to connect to the database. There are 3 accounts in play here:

By default, you'll find that the passwords to these accounts match the account name, to the bane of many IT administrators. Anyone who knows these passwords can access your Primavera P6 data directly from the database. To boost your security, get a DBA to change these passwords and make them complex enough that someone won't be able to guess them.

I would really recommend changing the default P6 admin user password as well. Anyone can guess it, and by then you might be in the headlines.

### 2. Apply Patches Regularly

I know, I know. Paying for support from Oracle is expensive and you don't seem to get much! But how hard are you going to kick yourself when the ransomware hacker demands $65,000 to get your data back?

Patching your software and applying regular updates is going to keep your data secure. The situation in San Francisco couldn't make it more clear. If the SFMTA had been regimented about patching their enterprise software, the whole thing might not have happened.

If you are an Oracle customer, it might be time to talk to them about how to gain access to their Oracle Support site and how to stay on top of bugs that may be critical to your security. Even if you purchased software from Oracle or a partner, you may not have been granted access to Oracle Support.

Oracle's support site is where you can find a full list of bugs, patches, and other solutions to keep Primavera software humming along, and safe from malicious attacks.

### 3. Follow Oracle's Critical Patch Advisories

Four times a year, Oracle issues critical patches for all of their products to customers with valid support contracts. These occur on the 17th of the following months:

Get more information and subscribe to email alerts on their page.

These alerts could be very relevant to you, like this alert from Oct 2016's advisory, even if you don't have a support contract.

For Primavera P6 EPPM admins, monitoring these alerts is even more important to maintaining the security of your Primavera P6 install, as EPPM relies on a web server and Java, 2 platforms that could leave you vulnerable.

### 4. Set Regular Backups

San Francisco's transit authority was able to avoid paying for the removal of their ransomware because they had backups. Backups can save you, and not only when you've been hacked. In terms of beefing up Primavera P6 security, setting up regular backups is about the smartest and cheapest thing you can do.

Most of us rely on database backups, i.e. our DBA has set our database to be backed up daily/weekly (hopefully not monthly!) and those backups are hopefully kept offsite or in the cloud for safety. This is the typical enterprise approach.

But what if you're running Primavera P6 locally? How are you doing backups?

> What if your PC is hacked and ransomware is demanding $30,000? Do you have a backup strategy to handle this conundrum and recover your P6 schedule? – Michael Lepage

Well, you should. Because it's 110% more likely to occur than the database server crashing.

I've told my students how you can automate backups of Primavera P6 projects to an XER file. Databases still hold their data in files, so backing up an entire database is easier than you think: you can simply use Dropbox or any other cloud syncing tool to sync your database files to the cloud.

### 5. Lock Down Primavera P6's Application Security

What do I mean when I say "lock down" P6 security?

There are a few things involved in locking something down security-wise.

**a) Scale back admin access:** I recommend that for installs of 5 or more users, there should only be 1 or 2 accounts with administrator access. Anything more is too little control.

**b) Scale back user privileges:** Nobody likes to hear those words, and I know having minimum access might not help you get your job done. In any enterprise environment, there should be restrictions on what actions users can do, but that list should not prohibit the user from being successful in using the tool.

**c) Audit SDK & API access:** Is it still being used? Are these accesses secure and adequately password protected?

**d) Is everything behind a firewall?** Firewalls prevent unauthorized access from outside the organization. If you're using EPPM or any other web-based Primavera tool, is it behind the firewall, or is it securely accessible from the outside via VPN or another secure solution?

It goes without saying: update your virus scanner, don't click strange links from strange emails, get an ad blocker for browsing the web and keep your OS up to date as well.

We've all been too lax with our view of security for Primavera P6. But as the city of San Francisco has shown us, being lazy or ignorant is going to cost you. Luckily, a good backup strategy saved them from the oversight of an uninstalled Primavera P6 patch.

I've provided some tips in this article, but I would also recommend you check out these tips for avoiding ransomware courtesy of the FBI.

#### What is your experience with keeping Primavera P6 secure? Let me know in the comments.