Crypto-jacking on Government Official Websites.

About a month ago it was discovered that there was a vulnerability being exploited on a browser plug-in called Browsealoud. Browsealoud is a website plugin, developed by the company TextHelp, that adds speech, reading, and translation to websites, in an effort to help those with dyslexia and other conditions. Hackers injected a crypto-mining script into a Java file within the Browsealoud library. The script would mine the currency ‘monero’. Since the hackers attacked Browsealoud itself and not the individual websites, all the websites that were using Browsealoud (nearly 4000) were infected. Some of the websites included the UK’s ICO (Information Commissioner’s Office) and NHS (National Health Service) and the US federal judiciary. When someone visited a website using the plugin, the script would run and use the visitor’s CPU to begin mining.

Crypto-mining is something to be wary of, especially with the rise of Bitcoin and other cryptocurrencies. The hackers simply wanted an easy way to mine more currency for themselves, whether or not it was legal. Their reason for doing this comes back to the acronym ‘MEECES’, which stands for money, ego, entertainment, cause, entrance, status. The attackers were just looking for some money in this case, because as of now it is unknown who injected the script. It was very fortunate, with the information available as of now, that no information of the users who used the websites was stolen, and their computers were only used to mine cryptocurrency.

Websites now should use more caution when implementing plugins on their websites. Every company should have people testing for vulnerabilities within their services and should submit proof of this to their customers. In the future we need to become more aware of the ways our websites and services can become vulnerable and the risks we take using them.

– Jordan Disciglio
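The incident above is a supply-chain compromise: the attackers changed one file that thousands of sites loaded from a third party, so every site inherited the change without doing anything. The standard browser-side control for this is Subresource Integrity (SRI): the site pins a hash of the exact script bytes it reviewed, and the browser refuses to execute the file if the bytes served later no longer match. The following is an added example, not code from the original post or from TextHelp; it computes an SRI token the way a build step would, emits the matching `<script>` tag, and mirrors the browser's comparison. The script bodies and the CDN hostname are constructed placeholders, not the real Browsealoud code.

```python
"""Compute and verify Subresource Integrity (SRI) tokens for third-party scripts.

Added example for this blog digest, not taken from the original post or from
TextHelp/Browsealoud. The script bodies below are constructed stand-ins.
"""
import base64
import hashlib

# Constructed stand-in for a third-party script a site reviewed and decided to trust.
TRUSTED_SCRIPT = b"(function(){window.readAloud=function(t){return t;};})();\n"

# Constructed stand-in for the same file after an unauthorised change upstream.
# What was appended is irrelevant to the check; only the fact that the bytes differ matters.
TAMPERED_SCRIPT = TRUSTED_SCRIPT + b"window.injected=true;\n"


def sri_hash(body: bytes, algorithm: str = "sha384") -> str:
    """Return the SRI integrity token, e.g. 'sha384-<base64 digest>'.

    SRI permits only the SHA-2 family members below; anything else is rejected."""
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Build the <script> tag a site would publish, pinning the reviewed bytes.

    crossorigin="anonymous" is required for SRI to apply to a cross-origin script."""
    return (
        f'<script src="{src}" integrity="{sri_hash(body)}" '
        f'crossorigin="anonymous"></script>'
    )


def integrity_matches(pinned: str, served_body: bytes) -> bool:
    """Mirror the browser's check: hash the served bytes with the algorithm named
    in the pinned token and compare the result to the token."""
    algorithm, _, _ = pinned.partition("-")
    return sri_hash(served_body, algorithm) == pinned


if __name__ == "__main__":
    pinned = sri_hash(TRUSTED_SCRIPT)
    # Hostname is a constructed placeholder.
    print(script_tag("https://cdn.example.invalid/plugin.js", TRUSTED_SCRIPT))
    print("unchanged file accepted:", integrity_matches(pinned, TRUSTED_SCRIPT))
    print("modified file accepted: ", integrity_matches(pinned, TAMPERED_SCRIPT))
```

The trade-off a practitioner should expect: once pinned, a legitimate vendor update also fails to load until the site re-reviews the new file and republishes the tag. That is the point of the control, since it turns a silent upstream change into a visible breakage, but it means SRI only fits vendors whose release cadence the site can keep up with.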



Russian Government Cyber Attacks Targeting Critical US Infrastructure

In this modern, technology-run day and age, the use of cyber hacking by one nation against another is an increasingly frequent method of attack. The United States Computer Emergency Readiness Team, jointly with the DHS and FBI, recently released a report outlining specific types of attacks they have identified being used by the Russian government targeting the U.S. government as well as “organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors”. They have also confirmed that these attacks have been ongoing since at least March of 2016.

One type of attack uses spear-phishing emails containing Microsoft Word files loaded with a malicious script. This script first installs some credential-harvesting tools like Hydra and CrackMapExec. Then, it attempts to retrieve a file on a server via an SMB request. By doing so—whether or not the file exists—an authentication request is typically prompted to the user before continuing. At this point, the script will capture the hash of the user’s credentials and make an attempt to extract the full username and password using the aforementioned tools installed on the machine.

Another type of attack again used phishing to obtain credentials via a link in a falsified .pdf contract agreement. Users were directed to follow a link in the document to enter their email address and password in order to agree to the service contract. Once the credentials were in hand, attackers used them to attempt to gain access to the internal systems of these important infrastructure institutions. A back-door was installed to allow persistent access, and attackers could then modify firewall settings and Windows registry keys.

The release of this information is significant in two ways. First, it is just another example as to the extreme importance of vigilant cyber security awareness and practice. Both of these attacks rely on the ignorance and thoughtlessness on the side of the end-user to gain access into the system. Whether it’s opening unsolicited Microsoft Word documents or agreeing to unfamiliar (and unofficial) contracts, both scenarios rely on users divulging their credentials without suspicion as to whether the requesting source is legitimate.

Second, it is another example of the changing landscape of cyber security and cyber hacking as it continues to be used more frequently by governments as a weapon against other nations. Now more than ever is cyber security conversation and awareness important for all people as we enter an age of online warfare.

— Brendon Stowe
Student, R•I•T
Web & Mobile Computing

Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors
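The first technique in the post above depends on the victim's workstation reaching out over SMB to a host the attacker controls, which is what triggers the authentication exchange. Workstations rarely have a legitimate reason to speak SMB to anything outside the organisation, so an outbound TCP/445 or TCP/139 connection to a non-internal address is a cheap, high-signal detection, and blocking those ports at the perimeter removes the path entirely. The following is an added example, not taken from the US-CERT report or the original post: it parses constructed firewall log lines and returns the SMB connections that left the internal network. The log format, the addresses and the internal address ranges are assumptions for this example; a real deployment would substitute its own log schema and address plan.

```python
"""Flag outbound SMB connections that leave the internal network.

Added example for this blog digest, not from the US-CERT report or the original
post. The log format, addresses and internal ranges are constructed assumptions.
"""
import ipaddress
import re
from typing import Dict, List

# Assumed address plan: anything outside these ranges is treated as external.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# SMB directly over TCP (445) and over the NetBIOS session service (139).
SMB_PORTS = {445, 139}

# Constructed firewall log lines in a simple key=value format.
SAMPLE_LOG = """\
2018-03-15T14:02:11Z action=allow proto=tcp src=10.20.4.17 dst=10.20.1.5 dport=445
2018-03-15T14:02:13Z action=allow proto=tcp src=10.20.4.17 dst=198.51.100.23 dport=443
2018-03-15T14:02:19Z action=allow proto=tcp src=10.20.4.31 dst=198.51.100.44 dport=445
2018-03-15T14:02:20Z action=deny proto=tcp src=10.20.4.31 dst=198.51.100.44 dport=139
2018-03-15T14:02:25Z action=allow proto=udp src=10.20.4.31 dst=10.20.1.2 dport=53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into its fields; reject anything unexpected
    rather than silently skipping it, so schema drift is noticed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def is_internal(addr: str) -> bool:
    """True if the address falls inside the assumed internal address plan."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def find_external_smb(log_text: str) -> List[Dict[str, str]]:
    """Return parsed entries for TCP SMB connections to non-internal destinations.

    Denied attempts are kept on purpose: a blocked connection still identifies the
    workstation that tried to talk SMB to the outside, which is the lead to follow."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry["proto"] != "tcp" or int(entry["dport"]) not in SMB_PORTS:
            continue
        if is_internal(entry["dst"]):
            continue
        hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_external_smb(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} ({hit['action']})")
```

Two design points worth noting. The internal ranges are an explicit allowlist rather than a library's notion of "private" addresses, because the question a defender is asking is "is this destination ours?", and only the organisation's own address plan answers that. And the denied line is reported alongside the allowed one: the firewall did its job, but the host that generated it still opened a document it should not have, which is the user-awareness point the post makes.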

“Responsible” disclosure? AMD given 24 hours to fix

Reminiscent of (but unrelated to) the Spectre and Meltdown vulnerabilities that plagued Nvidia earlier this year, AMD was recently hit with a fairly significant set of vulnerabilities. Although the vulnerabilities were less severe than the ones hitting Nvidia (these vulnerabilities require administrative access to exploit rather than just the ability to write memory), the method by which they were made public is alarming.

According to AMD’s initial assessment, there are three groups of vulnerabilities, all requiring administrative access to exploit. MASTERKEY is an exploit by which someone who has already corrupted the system can hide their corruption from the AMD Secure Processor checks throughout reboot. RYZENFALL and FALLOUT allow a user to install malware on the system that is difficult to detect. While those issues will be patched with a firmware update, CHIMERA is a hardware issue that allows malware to be hidden, which cannot be fully patched through an update.

According to AMD as well as various media outlets, the company had less than 24 hours after being notified of the issues before the discoverer (CTS Labs) went public with the vulnerabilities. While the technical details of the vulnerability were not (and still have not been) made public, this creates very bad PR for AMD, as well as encourages others who may have access to the technical details to exploit the issue before a fix can be made (compared to only knowing that they had been discovered as a fix was released).

In response to the controversy, Ilia Luk-Zilberman (the Chief Technology Officer of CTS Labs) posted an open letter explaining the decision as well as their issues with responsible disclosure. Responsible disclosure is a generally-agreed-upon policy that, upon finding a serious security issue with a program, software, or system, one should report it to the manufacturer, maintainer, or security team so that they can have a patch ready before the public knows of the issue. This helps maintain PR, prevent a company from being caught off-guard, and helps consumers know that they are as protected as they can be. This policy was handled with many recent exploits such as DirtyCOW and Spectre/Meltdown (although those were accidentally leaked a few days early).

Another aspect of responsible disclosure is a time limit on the vulnerability (typically cited as 90 days) before the discoverer posts the vulnerability. This is to ensure that the company puts priority on fixing the issue instead of pushing it off (after all… even though it’s broken, no one knows about it, so it’s probably fine). This famously happened with the MoonPig vulnerability last year, in which the greeting card company MoonPig had an incredibly broken API (there was no need to log in as a user, just cite their user ID), and refused to fix it for over a year until the details went public.

CTS Labs, however, decided that the risk of not going public outweighed the benefits, so they released the possible impacts of the vulnerabilities without disclosing technical details of the vulnerability or how to exploit it.

– Ryan V.


AI is an amazing development in computer software, and is being used to make computers and software think intelligently, like a human. This has led to software that can recognize handwriting, robots that know how to play chess, and AI-led malware attacks.

According to a study completed by a group of technology agencies and released a few weeks ago, AI can be used maliciously in many ways, and its use will increase in the future. The ability to recognize handwriting can be used to create forged documents, and the ability to recognize and predict patterns can lead to an increase in “fake news” articles that can be used to spread malware. Facial recognition, while helpful, can be used by drones to specifically target a person in order to cause harm to them.

The purpose of this report was to simply bring attention to the idea of AI being used for malicious reasons, and encourage the community to come up with a plan in order to prevent the technology that we have worked so hard to create from being misused, and discuss some of the ethical dilemmas of this type of technology.

– Zoe James

Facebook’s personal data acquisition and use in the wake of court rulings

On Monday, February 12, a ruling from a German court regarding Facebook’s default privacy settings and personal data use was made publicly available. The ruling handed down from a regional court in Berlin found five of Facebook’s default privacy settings and eight clauses of their terms of service to be in breach of consumer law. A similar case in Belgium occurred later that week, on the 16th of February, in which Facebook has been ordered to cease tracking through third party sites. These rulings appear to be continuing a precedent of European concern regarding Facebook’s collection, use, and distribution of both consumer and non-consumer data.

Under the requirement for explicit and informed consent, the German court ruled that the default privacy settings were in violation of German data protection laws. Other rulings of interest are as follows: “read and understood” clauses are invalid, a clause that required users to use their real names or names they are popularly identified by was ruled invalid, and a clause that was designed to give consent for Facebook to transfer user data to the United States was ruled invalid.

The ruling regarding “read and understood” clauses has interesting implications regarding the future of methods of consent in Europe. A great number of services have obscenely long terms of service contracts which are generally ignored but serve as the primary form of communicating the conditions of a product’s use. If these sorts of terms of service contracts can be declared invalid under the assumption that a user cannot be expected to fully read and understand the terms, then it could potentially force companies to either find alternative ways of setting terms of use or just encourage companies to shorten them.

The removal of a “real name” clause theoretically removes a convenient user id for select users, possibly requiring Facebook to resort to cross-referencing to tie data available on Facebook with other identifying data in order to maintain the same user data structure they once had. This would be complicated by the fact that cross-referencing personally identifiable data is currently illegal in all EU countries, and Facebook has already faced an EU taskforce in October of the previous year regarding the cross-referencing of data between Facebook and WhatsApp. Of course, the implications of the removal of the “real name” clause run under the assumption that Facebook hasn’t already discovered or designed a more convenient alternative.

The final ruling of interest here regarding the transfer of personal data to the US actually has much stronger implications on the value of the personal data collected by Facebook than it seems. Much of the data collected by Facebook is very niche, and not very useful for their advertisement algorithms on their own. To allow for more insights into this data, Facebook cross-references the individual data sources in order to generate a more valuable combined dataset for their algorithms and for other companies. In Europe, however, the cross-referencing is complicated because of the illegality mentioned previously. To circumvent this, Facebook would send the individual data to the United States, where cross-referencing personal data is legal, combine the data sets, and then send the combined dataset back to Europe. This ruling could remove the ability for companies to circumvent the data protection laws via this method, which would reduce the desire for companies to gather as much niche data.

– S. Carlton


Court Ruling (German):

German Court News:

Belgian Court News: