City of Atlanta Victim of yet Another Cyber Attack

Early on March 22nd, several departments in Atlanta, Georgia were the target of a cyber attack. The attackers launched a ransomware attack and demanded payment in Bitcoin (over $50,000 USD).

Ransomware attacks are relatively new and became popular in 2017 with the widely feared WannaCry attack. Ransomware typically encrypts some of your files and locks you out of your computer, then demands that a ransom be paid (usually in Bitcoin, an anonymous cryptocurrency).

This attack had a widespread impact as it affected multiple departments in Atlanta. Administrators took down several websites and services while the attack was investigated by the FBI, DHS, Microsoft, and Cisco. While ATL airport was not directly affected, administrators also disabled its Wi-Fi and advised passengers that flight schedules may not be accurate and to verify information with their airline.

As an additional measure, city employees were directed not to turn on any devices in the building until the malware had been contained. Five days later on March 27th the first machines were powered back on. Administrators expect some machines to be infected and that employees will continue to work using other methods if their machines are affected.

Ransomware attacks historically have just been a means of pressuring victims into paying the ransom. Attackers usually are not looking to steal information in the process. In fact, if an attacker did want to steal information, it wouldn’t make much sense to tell the victim that their machine is infected. However, in the case of the Atlanta cyber attack, both employees and the public were advised to monitor their credit cards and bank accounts for any suspicious activity.

So far the investigation has found no sign that any information was compromised. While the details of the attack have not been released, Rendition Infosec reported that Atlanta's government had already been compromised by a previous cyber attack in April 2017. Microsoft had released critical patches over a month before that attack happened, but they were not installed. That attack lasted a little over a week, and statements from the city of Atlanta suggest that they were not aware it had happened in the first place. The identity of the attackers still remains unknown.


Jesse Roux

http://amp.wsbtv.com/www.wsbtv.com/news/local/atlanta/fbi-looking-into-citywide-computer-issues-in-atlanta/720045695?tnym

http://amp.wsbtv.com/www.wsbtv.com/www.wsbtv.com/news/local/hartsfield-jackson-takes-down-wi-fi-after-cyber-attack-on-city/720533019

http://searchsecurity.techtarget.com/news/252437715/Five-days-after-Atlanta-ransomware-attack-recovery-begins

https://www.renditioninfosec.com/2018/03/atlanta-government-was-compromised-in-april-2017-well-before-last-weeks-ransomware-attack/


Sanitize your strings, kiddos

Trusting user-supplied strings has always been a problem in computing. Users will always find a way to break your application with some kind of weird character. Programmers have found clever ways to get around this, such as using prepared SQL statements, escaping unknown characters, or simply returning an error when coming across unexpected text. However, with the rise of the internet and the availability of tools, attackers have gotten smarter about the way they attack inputs.

In the last month or so, Django found this out in its django.utils.text.Truncator class. This class has two methods, chars() and words(), which would truncate and clean up input.

Well, for some reason, users wanted a way to clean HTML with these methods, so Django added an html keyword argument to them, which would attempt to process the text as if it were HTML. However, due to a catastrophic backtracking vulnerability in a regular expression used by those methods, malicious users could submit complicated HTML that took a very long time to process. This would result in a DoS attack on the web server and bring down services for other users. Uh-oh.
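The defensive pattern this bug points at, as an added example that is not Django's code: an HTML-aware word truncator written as a single linear pass over the input with the standard-library html.parser instead of a regular expression, so no crafted input can make it backtrack. The class and function names are my own, and the "..." truncation marker is an assumption.

```python
import html
from html.parser import HTMLParser

VOID_TAGS = {"br", "hr", "img", "input", "link", "meta"}  # never have a closing tag


class _WordTruncator(HTMLParser):
    """Keep the first `limit` words of an HTML fragment in one linear pass."""

    def __init__(self, limit, ellipsis="..."):
        super().__init__()  # convert_charrefs=True: entities arrive decoded in handle_data
        self.limit, self.ellipsis = limit, ellipsis
        self.words, self.out, self.open_tags, self.done = 0, [], [], False

    def handle_starttag(self, tag, attrs):
        if not self.done:
            self.out.append(self.get_starttag_text())
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):  # <br/> style: nothing to close later
        if not self.done:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if not self.done and tag in self.open_tags:
            while self.open_tags:  # pop down to the matching tag, closing anything inside
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if self.done:
            return
        words = data.split()
        room = self.limit - self.words
        if len(words) <= room:  # whole text chunk fits; re-escape what the parser decoded
            self.out.append(html.escape(data, quote=False))
            self.words += len(words)
        else:  # cut inside this chunk and stop consuming input
            self.out.append(html.escape(" ".join(words[:room]), quote=False) + self.ellipsis)
            self.done = True


def truncate_html_words(fragment, limit):
    """Return `fragment` cut to `limit` words, with every opened tag closed."""
    parser = _WordTruncator(limit)
    parser.feed(fragment)
    parser.close()
    parser.out.extend(f"</{tag}>" for tag in reversed(parser.open_tags))
    return "".join(parser.out)
```

Each byte of input is visited once by the tokenizer, so processing time grows linearly with input size regardless of how the tags are nested.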

So, looking at the CVE, you can see the security community ranked it a 5, the highest rating. Needless to say, Django quickly patched the issue and shipped a hotfix.

The moral of the story is that security vulnerabilities can happen to anyone, and you should know what the framework you are using is doing, instead of just blatantly trusting that it will work. Be aware of security in your everyday life.

— Kyle Kaniecki

‘Gray Hat’ Hackers Can Be Good

With the internet available on just about any device one can get their hands on, hacking incidents can rapidly increase. Before the internet reached other machines and technologies, smartphones and computers were the main devices targeted by hackers. The vision of the future is one of flying cars and robots, but these things would have to be connected to the internet to function, and anything connected to the internet gives hackers more technologies to attack. Devices and machines like cars, coffee makers, and thermostats were once not a part of the internet, and that was a beneficial thing for society. But many forms of technology and electronics that once existed in another form are now modern devices connected to the internet. We can easily control our cars, televisions, and thermostats from our cell phones now because they are all connected online. These new ways of interacting with electronics may seem fascinating to many, but they don’t realize that this only gives hackers more opportunities to attack innocent people and businesses.

In the article, the famous hacker and former cybercriminal Samy Kamkar demonstrated how easy it is for hackers to gain access to other people’s electronic property by hacking into a car. First of all, Samy is a “gray hat” hacker, meaning he sits between the good and the bad: he hacks into devices to search for their vulnerabilities, but only to share his findings so those weaknesses can be patched. Going from cybercriminal to a hacker who helps the world shows how much we may need to rely on people like Samy. The world is becoming more connected through the internet, and the ordinary appliances people use every day are being turned into cyberweapons and a new way for hackers to reach a victim’s wallet. Samy used his own gadgets to unlock a smart car by duplicating the connection between the car and its actual key. Samy showed that we aren’t taking our security as seriously as we should. People often have weak passwords that they reuse across several accounts and devices, which gives hackers a greater advantage. I believe the world needs more good “gray hat” hackers like Samy Kamkar who can teach and show others where the vulnerabilities in smart appliances and devices are. The more vulnerabilities that are fixed, the less hacking we will hopefully have in the world.


Sources: https://www.npr.org/sections/alltechconsidered/2018/02/23/583682220/this-gray-hat-hacker-breaks-into-your-car-to-prove-a-point

https://es.paperblog.com/samy-kamkar-hacker-piratear-es-positivo-la-necesidad-de-entender-al-hacker-para-estar-protegidos-3567883/

http://96eb74f3955cce95f97e138c47dfde41.blogspot.com/2015/03/grey-hat-hackers.html

-Matt Aiguier

Self-Replication in Neural Nets

A recent paper from Oscar Chang and Hod Lipson, a grad student and a professor at Columbia University, respectively, has made significant progress in neural network development by successfully building and training a self-replicating neural network.

Self-replicating machines have long been theorized and applied in technological advances such as polymers and robotics. Despite being widely recognized as a prime objective for the development of true AI (self-replication is viewed as a precursor to reflection and adaptation), no serious progress had been made until 2017 with the development of HyperNetworks. This paper continues a series of meaningful advances in AI.

While it has yet to be implemented, or publicly acknowledged as having been implemented, self-replicating neural networks have the potential to greatly improve the quality of neural networks designed for computer security. The ability to self-replicate and reflect upon that self-replication could allow for much more intelligent and resilient defense algorithms: a network might repair itself if an adversary managed to alter it, or lock itself against further alteration under a certain condition while remaining able to execute.

However, while the results for self-replicating neural networks do seem promising, information about their actual effectiveness is scarce. This does raise some personal questions about how well a self-replicating neural network could handle a “day 0” alteration through an adversarial example attack. Either way, the advance is very promising.

Scott Carlton

Chang & Lipson Paper: https://arxiv.org/abs/1803.05859

HyperNetworks Paper: https://arxiv.org/abs/1609.09106

Memcached and DDOS Attacks

Remember the DDOS attack on GitHub? Yeah, this has to do with that. [1] That attack and another detected by Arbor Networks on March 5th relied on a new trick involving servers running memcached. memcached is an in-memory cache that stores the results of database calls so that subsequent calls for the same data are served from memory. The practical outcome is that pages that rely on databases load faster.

Why are attackers leveraging memcached servers?
The problem is not memcached inherently, but a possibly weak default configuration that was being used improperly. [1] Attackers could amplify and reflect traffic off of the misconfigured memcached servers. This nifty trick not only turns every misconfigured memcached system into a tool, but also multiplies the amount of data sent toward the target. Every year, the amount of data required to successfully deny service to a target service or page gets larger. [1] This memcached trick allowed attackers to execute record-breaking DDOS attacks; Arbor Networks detected a peak traffic load of 1.7 terabits per second.

What’s going on?
A reflection attack happens when an attacker sends traffic that looks like it came from the attacker’s target. This prompts a response, which the queried server sends to the target. In this case it is also called an amplification attack, because the attacker can send a very small amount of spoofed traffic that results in a much larger response being sent to the target. [2] Attacks involving memcached were researched further after the discovery, and it was found that the amplification factor could be as large as 51,200 [2]. This means, in theory, that for every bit sent by the attacker, roughly 50 Kb would be sent to the target.

What do we do about it?
Part of the problem is the default configuration. memcached is open source, and in 2008 Facebook contributed the code that added UDP support. That UDP interface had no authentication, so it was assumed that administrators would authenticate and secure it properly [1]. Many did not. The solution is to disable UDP support or otherwise lock down this public-facing port/socket. The open-source project has already been updated so that future memcached installs have UDP disabled by default. Firewalls and rate limiting are also valuable tools; cloud service providers have been rate limiting UDP port 11211 (used by memcached) to minimize abuse on their networks.

If you happen to look after a memcached deployment, this guide shows how to check whether your server is ready to become a reflector: https://kb.iweb.com/hc/en-us/articles/230268328-Securing-your-Memcached-Server
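The asymmetry described above, a tiny spoofed UDP request into port 11211 answered by a huge reply toward the victim, is also what makes this abuse easy to spot from the server side. As an added example that is not from any of the cited articles, the script below reads constructed flow records (RFC 5737 documentation addresses, netflow-like text format of my own), totals UDP bytes into and out of the memcached port per peer, and flags peers whose reply-to-request byte ratio exceeds a threshold; the 50x threshold is an assumption, since ordinary get/set traffic stays near 1x.

```python
import re
from collections import defaultdict

MEMCACHED_PORT = 11211
MIN_AMPLIFICATION = 50.0  # bytes out / bytes in; assumed cut-off, normal cache traffic is ~1

# Constructed sample flow records, one per line:
# timestamp proto src_ip:src_port -> dst_ip:dst_port bytes
SAMPLE_FLOWS = """\
2018-03-05T10:00:01 UDP 203.0.113.7:51234 -> 198.51.100.9:11211 60
2018-03-05T10:00:01 UDP 198.51.100.9:11211 -> 203.0.113.7:51234 730000
2018-03-05T10:00:03 TCP 192.0.2.10:40001 -> 198.51.100.9:11211 120
2018-03-05T10:00:03 TCP 198.51.100.9:11211 -> 192.0.2.10:40001 180
2018-03-05T10:00:04 UDP 192.0.2.11:40002 -> 198.51.100.9:11211 80
2018-03-05T10:00:04 UDP 198.51.100.9:11211 -> 192.0.2.11:40002 95
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<bytes>\d+)$"
)


def amplification_by_peer(flow_text, server_port=MEMCACHED_PORT):
    """Map (server, peer) -> (bytes_in, bytes_out, ratio) for UDP on server_port.
    In a reflection attack the peer is the spoofed victim, not the real sender."""
    totals = defaultdict(lambda: [0, 0])
    for line in flow_text.splitlines():
        m = FLOW_RE.match(line)
        if not m or m["proto"] != "UDP":  # TCP needs a handshake, so it is not reflectable
            continue
        size = int(m["bytes"])
        if int(m["dport"]) == server_port:  # request into memcached
            totals[(m["dst"], m["src"])][0] += size
        elif int(m["sport"]) == server_port:  # reply out of memcached
            totals[(m["src"], m["dst"])][1] += size
    return {key: (b_in, b_out, b_out / b_in if b_in else float("inf"))
            for key, (b_in, b_out) in totals.items()}


def suspected_reflections(flow_text, threshold=MIN_AMPLIFICATION):
    """(server, victim, ratio) triples whose amplification meets the threshold."""
    return sorted((server, peer, ratio)
                  for (server, peer), (_, _, ratio) in amplification_by_peer(flow_text).items()
                  if ratio >= threshold)


if __name__ == "__main__":
    for server, victim, ratio in suspected_reflections(SAMPLE_FLOWS):
        print(f"{server} is reflecting to {victim} at {ratio:,.0f}x amplification")
```

A hit means the server is already acting as a reflector; the fix is the one the post gives, disabling UDP or firewalling port 11211, not blocking the flagged peer, who is the victim.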

-Matthew J. Harris

REFERENCES:

[1] https://www.geekwire.com/2018/memcached-servers-used-launch-record-setting-ddos-attacks/
[2] https://threatpost.com/misconfigured-memcached-servers-abused-to-amplify-ddos-attacks/130150/
[3] https://www.bleepingcomputer.com/news/security/proof-of-concept-code-for-memcached-ddos-attacks-published-online/