
SANS ISC: Incident Handling: Home Heating 101 - SANS Internet Storm Center SANS ISC InfoSec Forums


Incident Handling: Home Heating 101
Every winter we get suggestions, warnings, etc. to have our furnaces checked out before the cold season to make sure they are safe to use, to ensure that they won't burn our house down while trying to heat it.  I have central AC/heat at home so the same air handler is used year round.  When it's hot, the outside compressor cools the air and when it's cold, the gas furnace heats the air.  The air handler has been working fine without problems until this incident.

Several days ago it finally got cold enough in Virginia to require using the furnace to heat the house so we flipped the switch on the thermostat from Cool to Heat.  The furnace worked fine and we had whole-house heat for a couple of days.  Two days ago I came home and the house was cold.  I checked the circuit breaker in the electric panel and it wasn't tripped.  I checked the light in the utility room (same circuit as the furnace) and it wouldn't come on.  Changed the light bulb -- no joy.  Flipped the circuit breaker off and back on -- no joy.  I went back upstairs to think of other ideas to try before calling an HVAC contractor when all of a sudden, a few minutes later the furnace turned on and started working just fine.

The furnace ran that evening and into the night but sometime early in the morning, it stopped working again.  I called an electrician and got someone to come out and take a look at it that afternoon.  He started with the furnace.  It seemed ok.  Tested the new light bulb -- it was good.  Tested the light socket and was surprised to get a voltage reading on the neutral wire.

So he went to the main electric panel for the house, removed the panel cover to expose the wiring connections to the circuit breakers and neutral bars and found quite a surprise.  Instead of one neutral wire for each circuit being secured by one lockdown screw on the neutral bar, there were a number of instances of two or three wires under one screw.  In the case of the furnace circuit, there were four wires under one screw.  The screws were loose so the wires had been intermittently shorting and sparking.  Had lots of nice black soot from the arcing in there.  He was really "shocked" at the condition of the wiring in there -- no way it could have passed an inspection as it was.  He rewired the box correctly and the furnace works fine now.

So in this incident, it appeared that the problem was with the furnace since the air handler had been working fine for months cooling air and just shortly after starting to use the furnace for heat was when we had problems.  But it turned out to be an external component (the electrical circuit) that the furnace depended on.

How does this relate to information security?  Well, similar incidents can occur.  If we get alerted that a system on our network has been compromised, the first place our attention is usually directed is to the compromised system and then perhaps the firewall to ensure that we are only allowing the appropriate access.  We may need to look elsewhere on our network to find the cause of the problem or the access vector that is open.  Perhaps someone has added a wireless access point or has a dial-in modem attached to a workstation.  Oftentimes we need to look beyond the immediate likely cause to look for the actual cause.

Have a safe weekend and Happy Halloween Monday night.  It looks like it's supposed to be dry and cold here so I'm glad my furnace works now.

Dave Goldsmith