Category Archives: Threats

The Supreme Court Determining How Bad a Hack Has to Be to Sue

In December of 2018 and January of 2019, the high court held conferences on two cases that were seeking the same decision from the Supreme Court: an answer to the question of how bad a hack has to be for a victim to sue.

FCA US LLC, et al., Petitioners v. Brian Flynn, et al.

The first case in question is FCA US LLC, et al., Petitioners v. Brian Flynn, et al. The petition was filed September 26, 2018; however, this case came about on July 21, 2015, after Wired published an article by Andy Greenberg that included a video demonstrating the Jeep Cherokee's vulnerability. The author is shown driving normally down a highway in the Jeep Cherokee; then the hackers that Wired hired turn the AC on, display a picture on the dashboard's digital screen, turn on music and turn it up extremely loud, and, most notably, kill the car's engine entirely. An 18-wheeler barrels past, honking at the dangerously slow vehicle, which only made Greenberg all the more uneasy about the situation. There was nothing the driver could do to change it, despite fiddling with the dials to try and rectify the situation, and his panic is clear to see as he begs the hackers to turn the engine back on while they laugh in the safety of an entirely different location. They were able to do this through a feature in the Jeep called Uconnect, a computer in the dashboard display (called the head unit) that has an internet connection. This was a huge issue for Chrysler to deal with: despite Chrysler sending out USB drives with a fix to 1.4 million owners of the vehicles, people were still very wary, pointed the finger at the cars being “excessively vulnerable” and sought compensation for the risk. There was no evidence of the vulnerability being exploited maliciously, and that is a big stake Chrysler held in their petition.

Zappos.com, Inc. v. Stevens.

The second case is Zappos.com, Inc. v. Stevens, which arose from the online retail service Zappos.com experiencing a malicious breach of its database in January 2012. This database contained sensitive information about its clients, including names, account numbers, contact information (i.e. email addresses and billing addresses), and possibly credit card information, for more than 24 million Zappos customers. Again, the company found nothing signifying the use of the information in tactics such as impersonation, but the clients claim they experienced otherwise, saying the information was used to hack into their other accounts.

The Conclusion of the Petitions

Each case's petition ended up being denied in the end. The case regarding Chrysler was denied at the first conference on January 4, 2019; however, consideration of the Zappos petition was dragged out across two conferences, finally being denied on March 27, 2019.

The Questions

These cases bring up several central questions. The first is what exactly the relationship is between obtaining information from a hack and utilizing it. Neither company found evidence of the vulnerabilities being used in a way that compromised any users’ safety or confidentiality, but could we then judge these cases on the premise that there was a vulnerability in the first place? The issue with that is that nothing in cyber security is 100% safe from being breached, so anything that is put out will have vulnerabilities that can be exposed; but is it a problem unless the vulnerability is found and used maliciously? Then we have to wonder about the victims: is it just to have the court decide whether a victim has suffered enough to do something about their losses? It becomes a never-ending cycle of ethical and practical questions about these topics and what should be put in place to rectify the gray area, or whether anything could get rid of gray areas at all. This emphasizes the difficulty that comes with cyber security as a whole, the subjectivity and uncertainty of so much that comes with it. The word “concrete” comes up often in the official case documents, but there is very little in cyber security that can be wholly defined as concrete, especially since it is something intangible on which you cannot put numbers on damages the way you can with a car crash or a fire from a monetary standpoint.

What I Think

My main thoughts are first how lucky it is that these cases did not end up going to the Supreme Court, on behalf of big companies and my personal ethical beliefs. The companies are fortunate because the court could have easily swayed far more in favor of the masses that are being put at risk in so many ways because of security vulnerabilities; when the lines of damages are more defined, they will likely end up having to throw millions of dollars at settlements. But the companies are the ones who would be losing the least out of most of these situations, as they always do, so I’m much more on the side of the masses as someone who would have my information stolen from a database which may be protected by old white men who are using computers that are over half my age (I am 19, for reference). Users should not have to fear their private information being accessed by those without clearance, especially with some of the questions that are in background checks and such regarding extremely personal matters. I am fully aware that this is not a perfect world and that asking for privacy online is like putting a flyer of information on a wall and begging nobody to look at it, but it’s still really terrible that that’s how things are… Sometimes. But the thing is that I cannot even fathom any pity for companies with the amount of money and power they have. I feel the people who owned Jeep Cherokees were very justified in their concern and request for compensation because they are wondering about “what if” situations, but there is nothing that cannot be hacked, so I understand why the request is unreasonable from a security standpoint, so it is very hard. Overall, I just feel that something run by the government (the Supreme Court) cannot be the one defining how much damage is enough.
The word “enough” alone feels like a default invalidation of the victims of the situations in question, and with cyberspace being a forever-changing beast that, realistically, cannot be quantified, it is a catch-22 of sorts. There is no one solution we can come to for it, so for now I think it is best to deal with things on a case-by-case basis.

Sources

All information and quotes came from the following sources.

Written by Faith Cronister on September 29, 2019

Coalfire Penetration Test of County Courthouse Lands Two Employees in Jail

Coalfire Labs, a company that provides cyber risk management and compliance services for public and private companies, was contracted by the Iowa State Judicial System to perform security penetration testing of the Dallas County, Iowa Judicial Branch. Coalfire employees Justin Wynn and Gary Demercurio were tasked with the physical assessment and were subsequently arrested. Both were arrested after the alarm went off when they attempted to enter the courthouse to conduct their assigned evaluation.

Let’s start from the beginning

The Iowa State Judicial System contracted Coalfire Labs to perform penetration security tests on the Dallas County Court System. The master agreement that got the assessment started was signed on January 14, 2015. This document defines all the terms and conditions that both parties would abide by. It did not, however, mention anything that pertained to the actual assessment. The agreement only addressed the main legal and monetary items and was silent on the exact security penetration techniques to be used. Between May and July 2019, the rest of the documents were put in place. On May 28, 2019, the service order was signed by the IT Director of the Iowa Court System, Mark Headlee. This document defined the key deliverables, the engagement scope, and the pricing. It was listed in the scope that there would be physical attacks against the courthouse (unauthorized entries) and that they could happen at any time during the day or night. On July 30, 2019, the rules of engagement were sent to Andrew Shirley (Information Security Officer for the Iowa Judicial Branch). Here the rules of how Coalfire was to engage are outlined: the locations, testing dates, and how information was to be handled internally within Coalfire. The document addresses concerns with client information, as well as any relevant information concerning the network, the locations, wireless networks, any applications, and any cloud infrastructure. On August 9, 2019, the Social Engineering Authorization document was signed by John Hoover (Infrastructure Manager), Andrew Shirley (Information Security Officer), and Mark Headlee (IT Director). This document outlined which physical social engineering methods could and could not be used to access facilities.

The Event that led to the arrest

Both Justin Wynn and Gary Demercurio were arrested when they were discovered attempting to conduct their assigned physical assessment at 12:30 am at the Dallas County Courthouse. Two days prior, they had successfully made entry into the Polk County Courthouse. As they entered the Dallas County Courthouse, they set off the alarm system, prompting a police response. They were arrested, with their preliminary hearing set for September 23, 2019.

Iowa’s Senate steps in

Iowa’s Senate Government Oversight Committee is investigating these so-called break-ins. This investigation is going to look into how this physical assessment would have improved the Judicial Branch’s ability to perform its services. Senator Tony Bisignano (D) said that he is concerned with the fact that the state took this upon itself. “We need to know as quickly as possible what truly happened, what the contract says, how many contracts are out there and who was going to be liable in case of a mishap, an injury, an altercation.” He says that this is going to be a burglary case, not a contract case. The Judicial Branch Administrators, after releasing the contract, stated: “They did not intend, or anticipate, those efforts to include the forced entry into a building.” Bisignano agrees that testing security is important. He thinks that it “could have been accomplished in a less covert way other than a CIA-type action.”

What is the question here?

The big question I see this case addressing is: do state governments have the power to have private companies perform assessments of any kind on county/town systems? The answer to this question will decide whether Justin and Gary of Coalfire go free or go to jail.

My Thoughts on the matter

I think that the administration should have anticipated this. The rules of engagement clearly state that they would attempt to make a physical entry at three locations, and they could do this at any time of the day. The two Coalfire employees that were arrested had no nefarious or criminal intent. Criminal intent (mens rea) has to be proven to convict a person of a criminal act. Justin Wynn and Gary Demercurio were conducting a contracted work assignment, not a criminal act. Also, I don’t agree with Senator Tony Bisignano’s statement that this could have been accomplished less covertly, which is laughable. Most criminals try to be as covert as possible to avoid detection and arrest. His comments hold no actual reasoning or legal basis and are seemingly only political grandstanding. Penetration testing, done correctly, many times has to be done covertly. Covert testing pushes the existing defenses that are in place to their limits. It is essential for detecting deficiencies and blind spots without any extraordinary countermeasures being put in place that ordinarily would not be present. My take on the question as to whether state governments have the power to contract companies to perform assessments of any kind on county/town systems is that I believe they do. Most courts hold protected state and federal documents, including arrest and conviction records. The storage, dissemination, and maintenance of these documents are regulated by state and federal law, giving the state the authority to inspect and/or test that these laws are being followed. The only caveat I have with how this assessment took place is that someone at the courthouses should have been informed. If just one or two people had been notified to establish a point of contact at each courthouse, it would have changed the way that this case is being discussed.

Evan Mikulski

Sources

All quotes and information have been derived from the following sources:

https://www.desmoinesregister.com/story/news/crime-and-courts/2019/09/19/iowa-state-senator-calls-oversight-committee-investigate-courthouse-break-ins-crime-polk-dallas/2374576001/

https://www.desmoinesregister.com/story/news/crime-and-courts/2019/09/11/men-arrested-burglary-dallas-county-iowa-courthouse-hired-judicial-branch-test-security-ia-crime/2292295001/

https://www.iowacourts.gov/announcements/state-court-administration-statement/

https://www.iowacourts.gov/static/media/cms/Social_Engr_D58D70423AAF3.pdf

https://www.iowacourts.gov/static/media/cms/Rules_of_Engag_E9D807B3D13D3.pdf

https://www.iowacourts.gov/static/media/cms/Requirements_and_Assumptions_F765B6EBC7379.pdf

https://www.iowacourts.gov/static/media/cms/Service_Order__Redacted_581A59C144331.pdf

https://www.iowacourts.gov/static/media/cms/Master_Agreement__Redacted_8645A99317B38.pdf

Burgerville’s data breach

At some point in 2017 or 2018, the restaurant chain Burgerville experienced a security breach. Burgerville learned of the issue only when the FBI notified them on August 22 of this year. At first, it was seen as a “brief intrusion that no longer existed”. However, by September 19 (almost a whole month later), the company realized that the breach was still active and was targeting customers’ financial information. Burgerville does not specify what kind of malware it was or where it was detected, though the source article adds that it could have been at a point-of-sale system, where people physically swipe, scan or insert their cards.

The stolen data includes credit/debit card information: names, card numbers, expiration dates, and CVV security numbers. Burgerville also does not know how many people could have been affected by this, though they warn everyone who used a card from September 2017 through September 2018 to watch their accounts for fraudulent purchases. Anyone who used a card to purchase anything at any one of their locations during the last year may have had their card information compromised.

“This was a sophisticated attack in which the hackers effectively concealed all digital traces of where they have been,” states Burgerville. Although no direct evidence was given, the data breach is attributed to Fin7, also known as the Carbanak group, an Eastern European hacking network that has successfully carried out cyberattacks on over 100 US companies.

In August, three Ukrainian members of Fin7 were arrested in Europe, where Fin7 is believed to operate. Despite the arrests, Fin7 is still actively deploying malware on corporate networks. According to the US Department of Justice, this is not the first time Fin7 has targeted a US restaurant chain. Other victims include Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin, and Jason’s Deli.

Although the chain made the initial mistake of underestimating the breach, they pulled in an external cybersecurity company to stop the breach, remove malware, and take preventative measures. “The operation had to be kept confidential until it was completed in order to prevent the hackers from creating additional covert pathways into the company’s network,” Burgerville said in a written statement. Burgerville completed the operation to seal the breach on September 30.

Source articles: 

https://www.zdnet.com/article/burgerville-customer-credit-card-info-stolen-in-data-breach-laid-at-fin7s-feet/

https://www.oregonlive.com/business/index.ssf/2018/10/burgerville_reports_major_cred.html


Michael Abdalov

Fired Chicago Schools Employee Causes Data Breach

Recently, a temporary worker at Chicago Public Schools was fired from her job and is alleged to have stolen a personal database in retaliation. The database contained the information of approximately 70,000 people. The stolen information included names, employee ID numbers, phone numbers, addresses, birth dates, criminal histories, and any records associating individuals with the Department of Children and Family Services.

She allegedly copied the database and then proceeded to delete it from the Chicago Public Schools’ system. Those affected by this breach included employees, volunteers and others affiliated with Chicago Public Schools. Luckily, the breach was discovered before any information was used or spread in any way by the former employee. The individual is now being charged with one felony count of aggravated computer tampering/disrupting service and four counts of identity theft.

This incident illustrates an essential point of computer security: no matter how many security measures are put in place to guard a system, an insider, such as a disgruntled employee, can still cause a security breach. The lesson to be learned is to keep a close eye on employees, especially those who show red flags, and to be careful about which data and databases each employee is authorized to use, view and modify.

Written by: Craig Gebo

Source: https://www.securitymagazine.com/articles/89553-fired-chicago-schools-employee-causes-data-breach

Critical Flaws Found in Amazon FreeRTOS IoT Operating System


A researcher has found serious flaws in the leading real-time operating system, FreeRTOS. This leaves a large number of Internet of Things devices vulnerable to attack, affecting devices from refrigerators to pacemakers. Last year, Amazon took over project management of FreeRTOS and extended it into its own Amazon FreeRTOS IoT operating system, enhancing the OS for use with Amazon's own products in the future.

There are a total of 13 vulnerabilities in FreeRTOS’s TCP/IP stack, which affect Amazon FreeRTOS as well. These issues let attackers do just about anything they want to the target device, from executing their own code to leaking information from memory. The technical details of the flaws have not been revealed to the public, so as not to undermine the development of a fix.

-Max Swank