Category Archives: Vulnerabilities

COVID-19 Vaccine Test Center Hit By Ransomware Attack: Refuses to Submit to Cybercriminal’s Demands

The Maze group, a ransomware gang that publicly pledged not to target medical organizations during the worldwide pandemic, broke that promise by carrying out a ransomware attack against Hammersmith Medicines Research and leaking its data. Hammersmith Medicines Research is a British clinical trials company that is on standby to run trials of potential vaccines for the virus that causes COVID-19.

The attack took place on March 14th, just days before the Maze group announced on March 18th that it would not target medical organizations during the pandemic. Malcolm Boyce, clinical director of Hammersmith Medicines Research, stated that the attack was noticed while in progress and stopped without causing any downtime. However, before it was halted Maze had already exfiltrated patient data, which it is now using to extort the test center.

Boyce made clear that his company would not give in to the criminals' demands, and in response the Maze group leaked some of the patient data on the dark web on March 21st. Publishing the data flatly contradicted their public statement that they would stop attacking medical organizations during the pandemic.

“We have no intention of paying. I would rather go out of business than pay a ransom to these people,” Boyce said. If the Maze group follows their typical pattern, they will continue to release the stolen data on a staggered basis until the company pays the ransom or all of the data has been released.

On a more optimistic note, security companies such as Emsisoft and McAfee are providing free assistance to medical organizations hit by cyber attacks, including threat analysis, development of decryption tools, and even negotiation with the attackers.


Written By: Spencer Roth


Sources:

https://www.forbes.com/sites/daveywinder/2020/03/23/covid-19-vaccine-test-center-hit-by-cyber-attack-stolen-data-posted-online/#4578500218e5

https://www.computerweekly.com/news/252480425/Cyber-gangsters-hit-UK-medical-research-lorganisation-poised-for-work-on-Coronavirus

Zoom Security Flaws

The video conferencing tool Zoom has seen a gigantic influx of users over the past month as a result of the COVID-19 pandemic, and it has quickly become an important part of remote work and online education. The sudden attention has also exposed some of the security flaws that come with the program.

The Washington Post discovered that recorded Zoom calls had been saved to online storage with no access control at all. No password was required, so anyone who found the location could watch the videos. Because Zoom names recordings in a predictable way, a simple search turned up calls of every kind: business meetings, personal calls, and classes.

Another recent issue with Zoom is “Zoom bombing”, in which an uninvited person joins a private call and floods it with hate speech or pornographic images. Some of these intrusions start with leaked meeting links or codes, but many simply exploit meetings that have no password or waiting room set, since the meeting ID alone was enough to join. Questions were also raised about Zoom's claim that calls were end-to-end encrypted, but that is a separate confidentiality concern; it is not what lets an intruder into a meeting.

Security flaws may be the more obvious concern with Zoom, but the way it tracks users is also worth a look. One feature is attention tracking: a host who is sharing their screen can enable it to see which participants have not had Zoom as the active window for more than 30 seconds. Zoom also collects data such as name, physical address, phone number, job title, device type, and even information from a Facebook account if one is linked to the service. It does not sell the data in the monetary sense, but it does share it with third parties for “business purposes”.

Overall, while Zoom is a very useful tool in the current time to help continue both work and education online, the sudden popularity of the service has exposed some of the security flaws and data collection practices that may not have been as obvious before.

Sources:
https://securityboulevard.com/2020/04/zoom-recordings-exposed/

https://www.cbsnews.com/news/zoom-video-conferencing-feature-freeze-security-flaws/

https://securityboulevard.com/2020/03/using-zoom-here-are-the-privacy-issues-you-need-to-be-aware-of/

Written by Alex Haubert

Cyber Supremacy! US vs. Russia

This all started back in 2008, when the Russians dropped off USB flash drives in parking lots around US military bases in the Middle East. The drives were picked up and plugged into computers inside the bases, spreading malware across US machines and giving the Russians access to SIPRNet, the classified network the Pentagon uses to transmit secret-level information. It was the first major cyber warfare incident between two very powerful countries, and it raised many questions about how to respond to such threats.

After multiple attacks from various countries over the years, and the failure of US Cyber Command to deter them, President Trump nominated Lieutenant General Paul Nakasone as commander of United States Cyber Command. This marked a new era for the organization and for how cyber warfare played out in the US, because Nakasone believed offense was needed in order to defend.

In August 2018, a few months after the nomination, Trump signed National Security Presidential Memorandum 13, which allows Cyber Command to operate inside foreign networks without seeking presidential approval for each operation. This showed how big a deal securing the nation's networks had become: Cyber Command was granted standing freedom to act, much as the conventional military operates independently. The first thing it did with the new authority was go after the Russians, who had attacked the US repeatedly over the years.

The US knocked Russia's Internet Research Agency, which produced many of the social media ads that influenced the 2016 election, offline. It also broke into Russian military intelligence networks and sent warnings to officers and hackers who had taken part in the 2008 intrusion against the Pentagon. Most importantly, the US has recently placed malicious code inside Russia's power grid, giving it the ability to cut off electricity to homes, hospitals and schools in an instant.

The goal was mainly to deter the Russians from further cyber attacks against the US, but this is essentially the same deterrence strategy used during the Cold War. With this more aggressive posture, which uses offense as a form of defence, the cyber war will not slow down in any way without rules agreed upon not just by Russia and the US but by every country.

Sources

https://www.nytimes.com/2019/06/15/us/politics/trump-cyber-russia-grid.html

https://www.independent.co.uk/news/world/europe/us-cyber-attack-russia-power-grid-war-kremlin-a8964506.html

Ademide Osunsina

7.5 Million Affected in Adobe Breach

Last month, on October 19th, Adobe was informed that the data of 7.5 million users had been exposed because one of Adobe's Elasticsearch databases was left unsecured. The database held account information for Adobe Creative Cloud users and could be reached from the internet without credentials of any kind. Adobe responded immediately by locking it down. The exposed fields included email addresses, Adobe products used, subscription status, country, time of last login, and payment status. Adobe was informed of the exposure by Comparitech, which noted that the database could have been exposed for an indeterminate amount of time.

Comparitech estimated that the database was likely left unsecured for about a week, though it may have been longer. Adobe does not know whether anyone actually accessed it without authorization or when it first became publicly reachable; it only knows that the database could have been read from any web browser.
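The check a practitioner would want here is whether a given Elasticsearch endpoint answers read requests with no credentials at all, which is exactly the condition Comparitech found. The Python below is an added example written for this page; it is not Adobe's or Comparitech's code. It sends the same unauthenticated request a browser would, GET /_cat/indices?format=json, and classifies the answer as open, auth-required, or not Elasticsearch. The base URL, index names and document counts in the sample responses are constructed for the demonstration and are not real Adobe data.

```python
"""Classify whether an Elasticsearch endpoint is readable without credentials.

Added example, not Adobe's or Comparitech's code. probe() talks to a real host;
classify() and summarize_indices() operate on the raw HTTP status and body so
they can be exercised offline on the constructed sample responses below.
"""
import json
import urllib.error
import urllib.request


def classify(status: int, body: str) -> str:
    """Map the response to GET /_cat/indices?format=json to a verdict.

    'open'          - 200 with a JSON list of index rows: no auth required
    'auth-required' - 401/403: the cluster rejects anonymous reads
    'not-es'        - anything else (login page, proxy error, other service)
    """
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return "not-es"
        if isinstance(data, list) and all(
            isinstance(row, dict) and "index" in row for row in data
        ):
            return "open"
    return "not-es"


def summarize_indices(body: str):
    """Return [(index, docs_count)] for non-system indices, largest first.

    The _cat API reports docs.count as a string; a missing value counts as 0.
    Indices whose names start with '.' (e.g. .kibana) are internal and skipped.
    """
    rows = json.loads(body)
    out = []
    for row in rows:
        name = row.get("index", "")
        if name.startswith("."):
            continue
        out.append((name, int(row.get("docs.count") or 0)))
    return sorted(out, key=lambda r: r[1], reverse=True)


def probe(base_url: str, timeout: float = 5.0):
    """Request the index listing anonymously and return (verdict, indices)."""
    url = base_url.rstrip("/") + "/_cat/indices?format=json"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    verdict = classify(status, body)
    indices = summarize_indices(body) if verdict == "open" else []
    return verdict, indices


# Constructed sample responses (assumed shapes, not captured from any real host).
OPEN_BODY = json.dumps([
    {"health": "green", "status": "open", "index": "users",
     "docs.count": "7500000", "store.size": "2.1gb"},
    {"health": "green", "status": "open", "index": ".kibana",
     "docs.count": "12", "store.size": "40kb"},
])
LOCKED_BODY = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials"},
    "status": 401,
})

if __name__ == "__main__":
    # Offline walk-through of both outcomes; swap in probe("http://host:9200")
    # to test a live endpoint you are authorized to assess.
    for status, body in ((200, OPEN_BODY), (401, LOCKED_BODY)):
        verdict = classify(status, body)
        print(status, verdict,
              summarize_indices(body) if verdict == "open" else "")
```

An 'open' verdict with non-system indices listed is the situation described above: anyone who finds the host can enumerate and read the data. The fix is the one Adobe applied, taking the listener off the public internet and requiring authentication, after which the same probe returns 'auth-required'.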

Adobe issued a statement promptly after locking down the database, in the interest of transparency. The statement assured users that while some of their information had been publicly accessible, passwords and financial information were not exposed. Adobe warned that even though the most sensitive information was kept safe, users should be wary of phishing attempts from anyone who obtained details such as their email address and subscription status.

Sources:

https://www.zdnet.com/article/adobe-left-7-5-million-creative-cloud-user-records-exposed-online/

https://www.diyphotography.net/adobe-data-breach-exposed-almost-7-5-million-creative-cloud-accounts-to-the-public/

https://www.scmagazine.com/home/security-news/data-breach/adobe-leaves-creative-cloud-database-open-7-5-million-users-exposed/

https://petapixel.com/2019/10/26/adobe-exposed-7-million-creative-cloud-accounts-to-the-public/

-Brandon Nguyen

The Supreme Court Determining How Bad a Hack Has to Be to Sue

In December 2018 and January 2019, the Supreme Court held conferences on two petitions that both asked it to answer the same question: how bad does a hack have to be before a victim can sue?

FCA US LLC, et al., Petitioners v. Brian Flynn, et al.

The first case is FCA US LLC, et al., Petitioners v. Brian Flynn, et al. The petition was filed September 26, 2018, but the case goes back to July 21, 2015, when Wired published an article by Andy Greenberg, with video, demonstrating a remotely exploitable vulnerability in the Jeep Cherokee. Greenberg is shown driving normally down a highway when security researchers Charlie Miller and Chris Valasek, working with him on the demonstration from miles away, turn the air conditioning on, put a picture on the dashboard's digital display, blast music, and, most seriously, cut the transmission so the accelerator stops responding. An 18-wheeler barrels past, honking at the dangerously slow vehicle, and Greenberg, unable to regain control by fiddling with any of the dials, pleads with the researchers to give the car back while they laugh from the safety of an entirely different location. The entry point was Uconnect, the internet-connected computer behind the dashboard display (the head unit). Chrysler mailed USB sticks carrying a software fix to the owners of 1.4 million vehicles, but many remained wary, argued that the cars were “excessively vulnerable”, and sought compensation for the risk. There was no evidence of the vulnerability ever being exploited maliciously, and Chrysler made that the centerpiece of its petition.

Zappos.com, Inc. v. Stevens.

The second case is Zappos.com, Inc. v. Stevens. It arose from a breach of the online retailer Zappos.com's database in January 2012. The database held sensitive information on more than 24 million customers, including names, account numbers, contact information (email and billing addresses), and possibly credit card information. Again the company found no sign that the information had been used for impersonation or similar fraud, but the plaintiffs claimed otherwise, saying the stolen data had been used to break into their other accounts.

The Conclusion of the Petitions

Both petitions were ultimately denied. The Chrysler petition was denied at the first conference, on January 4, 2019, while consideration of the Zappos petition stretched across two conferences before it was denied on March 27, 2019.

The Questions

These cases raise several central questions. The first is the relationship between obtaining information through a hack and actually using it. Neither company found evidence that the vulnerability had been used in a way that compromised any user's safety or confidentiality, so should a case be judged on the bare fact that a vulnerability existed? The problem is that nothing in cyber security is 100% safe from being breached; everything that is put out will have vulnerabilities that can be exposed, so is it a problem only once a vulnerability is found and used maliciously? Then there are the victims: is it just for a court to decide whether a victim has suffered enough to do something about their losses? It becomes a never-ending cycle of ethical and practical questions about what should be put in place to address the gray area, or whether anything could get rid of gray areas at all. This emphasizes the difficulty of cyber security as a whole, the subjectivity and uncertainty of so much that comes with it. The word “concrete” comes up often in the official case documents, but very little in cyber security can be wholly defined as concrete, especially something intangible where you cannot put numbers on damages the way you can for a car crash or a fire.

What I Think

My main thoughts are first how lucky it is that these cases did not end up going to the Supreme Court, on behalf of big companies and my personal ethical beliefs. The companies are fortunate because the court could have easily swayed far more in favor of the masses that are being put at risk in so many ways because of security vulnerabilities; when the lines of damages are more defined, they will likely end up having to throw millions of dollars at settlements. But the companies are the ones who would be losing the least out of most of these situations, as they always do, so I’m much more on the side of the masses as someone who would have my information stolen from a database which may be protected by old white men who are using computers that are over half my age (I am 19, for reference). Users should not have to fear their private information being accessed by those without clearance, especially with some of the questions that are in background checks and such regarding extremely personal matters. I am fully aware that this is not a perfect world and that asking for privacy online is like putting a flyer of information on a wall and begging nobody to look at it, but it’s still really terrible that that’s how things are… Sometimes. But the thing is that I cannot even fathom any pity for companies with the amount of money and power they have. I feel the people who owned Jeep Cherokees were very justified in their concern and request for compensation because they are wondering about “what if” situations, but there is nothing that cannot be hacked, so I understand why the request is unreasonable from a security standpoint, so it is very hard. Overall, I just feel that something run by the government (the Supreme Court) cannot be the one defining how much damage is enough.
The word “enough” alone feels like a default invalidation of the victims of the situations in question, and with cyberspace being a forever changing beast that, realistically, cannot be quantified is a catch 22 of sorts. There is no one solution we can come to for it so for now I think it is best to deal with things on a case-to-case basis.

Sources

All information and quotes came from the following sources.

Written by Faith Cronister on September 29, 2019