Baltimore’s Dispatch System Taken Down

Baltimore’s 911 dispatch system was breached Sunday, March 25th, shutting down automatic dispatching until Monday, March 26th, as well as halting call logs from 9:54 a.m. Sunday to 7:42 a.m. Monday.

A server running the city’s computer-aided dispatch (CAD) system was infiltrated around 8:30 Sunday morning, forcing caller information to be relayed manually for the remainder of the day into Monday. Under normal circumstances, caller information appears on a map and the nearest first responders are dispatched automatically. The attack effectively slowed this process and demanded that call center staff relay this information to dispatchers themselves.

The exploited vulnerability was a port that had been left open after an IT team attempted to troubleshoot a communications issue and in the process made changes to the firewall. City workers were able to take the affected server offline, conduct a thorough investigation, and successfully bring it back online by approximately 2 a.m. Monday morning. Later reports confirmed that the attack did involve ransomware, but neither the ransom amount nor the city’s response to the ransomware has been stated.

-Jordan Sullivan

Sources:

Advertisements

Trustico Servers Compromised

When you surf the web, your web browser requests and receives data from some remote server. If you are logging into a website, you would want to have your login info secure, meaning when you send that information to the remote server for verification, you don’t want the data to be in plaintext such that it can eavesdropped by someone on the network. This is where SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocols come in. These protocols are used when then website you visit has HTTPS instead of HTTP, with the ‘S’ standing for “secure”.

These protocols are based on a public key and a private key. These keys separately can be thought of as half of a whole key, and the whole key can be used to determine whether the information sent or received is from a source you expect, allowing you to know the data has not been compromised by another party. This is because data encrypted using somebody’s public key can only be decrypted using the same person’t private key. Suppose you are sending data to A from B. Then B uses A’s public key to encrypt the data, and when A receives the data, A can uses its private key to decrypt the data. Therefore, it is important to keep the private key locked up and secret.

This is where companies who issue SSL certificates come in. There are various ways to encrypt the data to make it secure, and various companies claim there algorithm is more secure or meets whatever criteria required for the server’s use, including warranties, browser support, subdomains, speed, and other additional exclusive features in a package.

On March 1, a user with the Twitter handle @svblxyz has noticed that he was not able to validate his certificate issued by Trustico, a certificate re-seller, and the site was instead sending curl requests (an application used in scripts for downloading various data) as displayed in the application logs. Another user with the Twitter handle @Manawyrm revealed that it’s possible to trick the script on the server doing the curl request to use some other command, also known as code injection. The most shocking thing about that was that the application logs showed that the command was run as root (highest privilege, no restrictions), meaning that script was running as admin. Another user by the Twitter handle @ebuildy also helped reveal that the company doesn’t use proxies, meaning that it is possible to inject code that would display all of the IP address of their LAN devices.

Having a code injection vulnerability on a server is bad enough since you let anyone to essentially mess around with. Having a code injection vulnerability that allows you run things as root is even worse since you then have complete access to the server. Having all that on a server which validates SSL certificates, and you have a complete nightmare. Following the tweets, it did not take the internet long to put Trustico’s server offline. One bad thing that have happened is someone wiping all data on the server, possibly without hopes for recovery or someone installing a bunch of backdoors on their server (allowing the person to get back in even after Trustico fixed the problem).

However, the worst thing that could have happened is private keys for SSL certificates being compromised. The user by the Twitter handle @ebuildy was able to figure out that Trustico doesn’t use proxies because when using code injection to display their localhost info, the results returned their own certificate under the company’s name. This means their private key could have been compromised and anyone could use code injection to run a command see the data unencrypted if they wanted to. Anyone who sends their SSL certificates for validation would have their certificates compromised. As of now the exploit is fixed and their old certificate was revoked and replaced with a new one.

A few days before the security flaw was found, Trustico was meaning to revoke security certificates by Symantec/DigiCert. Mozilla and Chrome browsers were rejecting DigiCert certificates after misissuing of over 30,000 of them. As a result Trustico decided it was better to switch from DigiCert to Comodo. According to a statement by Trustico, “We believe the orders placed via our Symantec® account were at risk and were poorly managed. In good conscience we decided it wasn’t ideal to have any active SSL Certificates on the Symantec® systems, nor any that didn’t meet our stringent security requirements”.

After they requested DigiCert to revoke the certificates to replace them with Comodo ones, DigiCert declined to do such unless they were compromised. Trustico then proceeded to email them the private keys of the certificates, and thus compromising them, providing insight that their certificate validation tools logged private keys of certificates. According to Jeremy Rowley from DigiCert, “Trustico not has provided any details how the private key leaked or how did they acquire the keys”, now leading to skepticism on whether any stored private keys were accessed by unauthorized during the time the code inject vulnerability was present.

— Alex Baraker

 

Sources:

  1. https://www.instantssl.com/ssl-certificate-products/https.html
  2. https://info.ssl.com/faq-what-is-a-private-key/
  3. https://www.instantssl.com/ssl-certificate.html
  4. https://twitter.com/svblxyz/status/969220402768736258
  5. https://twitter.com/Manawyrm/status/969230542578348033
  6. https://twitter.com/cujanovic/status/969229397508153350
  7. https://twitter.com/ebuildy/status/969230182295982080
  8. https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/BLvabFwcJqo
  9. https://gbhackers.com/google-announces-final-distrusting-symantec-ssl-certificates/
  10. https://www.trustico.com/news/2018/symantec-revocation/certificate-replacement.php
  11. https://bitkan.com/news/topic/69234
  12. https://gbhackers.com/23000-ssl-certificates-revoked/

Instant Messaging? How About “Instant Malware”

Telegram LogoIf you’ve never heard of Telegram, it’s an instant messaging platform that’s quickly gaining popularity for its emphasis on secure, private chats. In fact, the developers of Telegram are so confident in its security, that they’ve announced multiple hacking contests with six figure bounties. So far, none of the contests have found a winner.

One of the features that makes Telegram so nice to use is the ability to instantly share files with your friends. Pictures, word documents, PDFs, those sorts of things. But what if someone sent you an executable program. Would you run it? Probably not — but what if it looked like a picture, or a word document, or a PDF?

Beginning March 2017, many unsuspecting users fell victim to a vulnerability in how Telegram handled Unicode, specifically the “right-left override” character (or RLO). The RLO character is intended to reverse any text that precedes it. In some applications, the RLO is improperly handled and can cause the characters after the RLO to not be displayed. Telegram, however, displays strings with an RLO character correctly. So what’s the big deal?

It turns out that applying this to filenames can be disastrous. By cleverly naming a file to hide the real extension, it’s possible to trick someone into downloading something that appears harmless. For example, if an attacker wanted to send you a malicious javascript file, they could send you a file named “photo_high_re\U+202Egnp.js” and Telegram would display it as “photo_high_resj.png“.

This exploit was used to install malware such as backdoors and spyware, though some craftier attackers were using Telegram to trick people into running cryptominers. Kaspersky Labs uncovered the vulnerability in October 2017, which means this vulnerability existed for at least 8 months. Kaspersky Labs also noted that this was an increasingly popular exploit for 2017. Kaspersky Labs alleges that the source of the attack was Russian cybercriminals, and that no evidence was found to suggest the exploit was known outside of the Russian cybercriminal community.

Victims of this attack actually would have been somewhat protected if the security confirmations on Windows were still enabled. When executing the file, Windows correctly displays what type of file it is (javascript, exe, etc). However, even for the users that still have this feature enabled, I think it’s fair to say that most people have trained their muscle memory to click “Run” when that popup appears. This serves as a good reminder to always take a moment to verify what you’re doing.

Original article: https://www.csoonline.com/article/3254139/security/hackers-exploit-zero-day-flaw-in-telegram-to-mine-cryptocurrency.html
Telegram: https://telegram.org/
Kaspersky Labs: https://securelist.com/zero-day-vulnerability-in-telegram/83800/

Written by Jesse R.

Encryption system used to exploit protected Wifi networks

Everyone knows that they could be a potential target for cyber-crime; as it often appears in the news almost every day. But just how vulnerable is an individual? CERT recently made a statement about how your Wifi network could be exploited if proper precautions are not taken.

On October 16th, 2017, the Computer Emergency Readiness Team made an announcement that addresses the protection of your sensitive information. In short, its advice is to update all your devices when security advancements are available. The reason for this is that a widely used encryption system used on wireless networks can lead to a breach of your credit card information, emails, passwords, etc.

Essentially, the system allows a hacker to gain access to the internet traffic that occurs between computers. Once in, the hacker can manipulate the data that is recovered. Depending on the target’s network configurations, it is even possible for the attacker to inject malware into the network. The unsettling part about this encryption system is that it has the capability of effecting a very wide range of devices including Android, Apple, Linux, and Windows.

Companies such as Intel, Microsoft, Google, and Apple have heeded this advice and have released updates that will help protect people with their devices from this issue.

– Jared Albert

 

Hackers Exploit Microsoft Servers to Mine Cryptocurrency

Mining for cryptocurrency is becoming an extremely profitable investment. One of the most popular currencies, bitcoin, is skyrocketing in value. One bitcoin is currently worth $4297 U.S. dollar. These currencies are becoming more and more popular to use online for illegal activity because it’s more difficult to trace, and increasing in value so quickly.

Now to this recent attack on servers running Windows server 2003. An exploit in this software was discovered in March of this year (2017), the exploit targets the web server in Windows server 2003. Hackers have now taken to attacking servers that have not patched to the most recent update that fixes the exploit. The exploit infects the server and adds it to a botnet for the hacker to control and mine for cryptocurrency. In this attack the hackers were mining for a currency called Monero, this currency is completely untraceable and anonymous. Hackers prefer mining for Monero because it uses an algorithm called CryptoNight which works on CPUs and GPUs and unlike Bitcoin requires no special hardware to begin mining. This currency is currently significantly less valuable than bitcoin, at the time of writing 1 Monero is worth $90 U.S. dollars but, like all cryptocurrency the value fluctuates quite frequently. This attack gained the hackers $63,000 worth of Monero in 3 months. There are quite a few pieces of malware that exploit servers to mine this currency. One piece of malware called Adylkuzz uses the EternalBlue exploit, which was actually created by the NSA and released by a group called the Shadow Brokers this exploit was used in the WannaCry ransomware attack. BondNet is another form of malware that also creates a botnet to mine Monero.

 

– Levi Walker

 

Sources:

https://thehackernews.com/2017/09/windows-monero-miners.html

https://en.bitcoin.it/wiki/CryptoNight

https://coinmarketcap.com/currencies/monero/