Baltimore’s Dispatch System Taken Down

Baltimore’s 911 dispatch system was breached Sunday, March 25th, shutting down automatic dispatching until Monday, March 26th, as well as halting call logs from 9:54 a.m. Sunday to 7:42 a.m. Monday.

A server running the city’s computer-aided dispatch (CAD) system was infiltrated around 8:30 Sunday morning, forcing caller information to be relayed manually for the remainder of the day into Monday. Under normal circumstances, caller information appears on a map and the nearest first responders are dispatched automatically. The attack effectively slowed this process and demanded that call center staff relay this information to dispatchers themselves.

The exploited vulnerability was a port that had been left open after an IT team attempted to troubleshoot a communications issue and in the process made changes to the firewall. City workers were able to take the affected server offline, conduct a thorough investigation, and successfully bring it back online by approximately 2 a.m. Monday morning. Later reports confirmed that the attack did involve ransomware, but neither the ransom amount nor the city’s response to the ransomware has been stated.

-Jordan Sullivan

Sources:


Crypto-jacking on Government Official Websites

About a month ago it was discovered that a vulnerability was being exploited in a browser plug-in called Browsealoud. Browsealoud is a website plugin, developed by the company TextHelp, that adds speech, reading, and translation to websites, in an effort to help those with dyslexia and other conditions. Hackers injected a crypto-mining script into a Java file within the Browsealoud library. The script would mine the currency Monero. Since the hackers attacked Browsealoud itself and not the individual websites, all the websites that were using Browsealoud (nearly 4000) were infected. Some of the websites included the UK’s ICO (Information Commissioner’s Office) and NHS (National Health Service) and the US federal judiciary. When someone visited a website using the plugin, the script would run and use the visitor’s CPU to begin mining.

Crypto-mining is something to be wary of, especially with the rise of Bitcoin and other cryptocurrencies. The hackers simply wanted an easy way to mine more currency for themselves, whether or not it was legal. Their reason for doing this comes back to the acronym ‘MEECES’, which stands for money, ego, entertainment, cause, entrance, status. The attackers were just looking for some money in this case, because as of now it is unknown who injected the script. It was very fortunate, with the information available as of now, that no information about the users who visited the websites was stolen, and that their machines were only used to mine cryptocurrency.

Websites should now use more caution when implementing plugins on their website. Every company should have people testing for vulnerabilities within their services and should submit proof of this to their customers. In the future we need to become more aware of the ways our websites and services can become vulnerable and the risks we take using them.

– Jordan Disciglio

Sources:
https://viraldocks.com/cryptojacking-attack-hits-4000-websites/

https://www.theguardian.com/technology/2018/feb/12/cryptojacking-attack-hits-australian-government-websites

Sanitize your strings, kiddos

Trusting user-inputted strings has always been a problem in computing. Users will always find a way to break your application with some kind of weird character. Programmers have found clever ways to get around this, such as preparing SQL statements, escaping unknown characters, or just returning an error when coming across unknown text. However, with the rise of the internet and the availability of tools, hackers have gotten smarter in the way they attack inputs.

In the last month or so, Django found this out in its django.utils.text.Truncator class. This class had two methods, chars() and words(), which would attempt to clean input.

Well, for some reason, users wanted a way to clean HTML with these methods, so Django added an html keyword argument to the methods, which would attempt to clean the text as if it were HTML. However, due to a catastrophic backtracking vulnerability in a regular expression in those functions, malicious users could input complicated HTML that would take a long time to process. This would result in a DoS attack on the web server and bring down services for other users. Uh-oh.

So, looking at the CVE, you can see the security community ranked it a 5, the highest rating. Needless to say, Django quickly patched the issue and launched a hot fix.

The moral of the story is that security vulnerabilities can happen to anyone, and you should know what the framework you are using is doing, instead of just blatantly trusting that it will work. Be aware of security in your everyday life.

— Kyle Kaniecki

Web Injects Used to Steal Bitcoin Money

With the increased use of cryptocurrency, hackers have started employing Web injects to intercept payments and acquire user information.  Of course, when it comes to hacking there are many ways, but this report is intended to inform readers of how Web injects work and why they can be hard to identify.  A Web inject is malware that changes a web page while it loads, before the user sees it.  In this article, two Web injects are described, for Coinbase and Blockchain.info.  With Coinbase, the inject disables the enter key, forcing the user to press a fake submit button, thus giving the user’s credentials to the hacker.  Likewise, the Web inject for Blockchain.info changes the web page so that the payment transaction goes to the hacker.

In the future, the use of online websites for bitcoin transactions (or payment transactions in general) will continue to increase.  A study claimed that by 2024 the number of bitcoin users will reach 200 million (RT news).  Therefore, hackers will always try to exploit the user’s information.  So in the future, companies with online payment platforms and bitcoin wallets will need to continue to research hacker attacks and stay up to date with security.  Also, users should be more aware of how hackers use Web injections.  So, for example, if a button does not work or there is a strange error, they should notify the companies.  This is all that companies and users can really do in this situation: just continue to develop security tools and pay attention to details on the webpages.

-Jamie Smith

https://www.darkreading.com/attacks-breaches/criminals-using-web-injects-to-steal-cryptocurrency/d/d-id/1331350

https://www.ccn.com/exponential-growth-number-bitcoin-users-reach-200-million-2024/


AMD Acknowledges new exploits in new processors

Earlier this month, a lab based in Israel was able to find 13 critical exploits in AMD’s new line of processors that would allow hackers to install persistent malware and access sensitive information.

Although the lab has not publicly stated how the exploits are to be done, people are still criticizing them for publicly stating that there are exploits at all, because when exploits are found, the researchers usually give the company a 30-60 day grace period to figure out how to fix the hole. However, the CTO of the lab believes that it is important to notify the public immediately because there is a history of companies notifying their customers of the potential risks to their machines.

The CTO of CTS Labs believes that their approach of notifying both the company and the public gives the company more reason to work on a patch, because there is now public pressure to create a patch for the exploits. He also believes that it poses no threat to consumers because they never actually publicly release the technical aspects of the exploit. Going public on Day 0 also allows third parties to start trying to work on a fix for the exploit as well.

For this specific set of exploits on the new line of processors, a hacker would need administrative privileges to even use these exploits. AMD stated that even without these exploits, a hacker would have a wide range of attacks they could carry out on your machine if they had administrative access, and that there are bigger worries than their processor exploits if someone managed to gain administrative access to your computer. However, these new exploits could defeat preventative measures put into place like Windows Credential Guard, which is supposed to stop even administrative-level access from getting to certain information.

AMD has since been working on creating firmware patches to roll out to the general public, which they said would not affect performance at all.

Ryan Lei


Sources:

https://thehackernews.com/2018/03/amd-processor-hacking.html

https://www.theinquirer.net/inquirer/news/3028922/amd-says-security-flaws-do-exist-in-ryzen-and-epyc-cpus-but-updates-are-incoming