Baltimore’s Dispatch System Taken Down

Baltimore’s 911 dispatch system was breached Sunday, March 25th, shutting down automatic dispatching until Monday, March 26th, as well as halting call logs from 9:54 a.m. Sunday to 7:42 a.m. Monday.

A server running the city’s computer-aided dispatch (CAD) system was infiltrated around 8:30 Sunday morning, forcing caller information to be relayed manually for the remainder of the day into Monday. Under normal circumstances, caller information appears on a map and the nearest first responders are dispatched automatically. The attack effectively slowed this process and demanded that call center staff relay this information to dispatchers themselves.

The exploited vulnerability was a port that had been left open after an IT team attempted to troubleshoot a communications issue and in the process made changes to the firewall. City workers were able to take the affected server offline, conduct a thorough investigation, and successfully bring it back online by approximately 2 a.m. Monday morning. Later reports confirmed that the attack did involve ransomware, but neither the ransom amount nor the city’s response to the ransomware has been stated.
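The root cause above is configuration drift: a firewall change made during troubleshooting that nobody reverted. One defensive control is to diff the live rule set against an approved baseline on a schedule and alert on any new rule that opens a port to the whole internet. The script below is an added example (it is not code from the original post or from the city's IT staff) and uses a constructed, simplified rule format so it runs offline; a real deployment would feed it the export of whatever firewall is in use.

```python
"""Firewall rule drift check: flag rules that are not in the approved baseline.

Added example, not code from the original post or from Baltimore's IT team.
The rule format is constructed and simplified: one rule per line,
"<ACTION> <proto> <dst_port> <source_cidr>", with '#' comments allowed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # ACCEPT or DROP
    proto: str    # tcp or udp
    port: int     # destination port
    source: str   # source network in CIDR notation


def parse_rules(text: str) -> list[Rule]:
    """Parse the constructed rule format; a malformed CIDR raises ValueError."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        action, proto, port, source = line.split()
        ipaddress.ip_network(source, strict=False)   # validates the CIDR
        rules.append(Rule(action.upper(), proto.lower(), int(port), source))
    return rules


def is_world_reachable(rule: Rule) -> bool:
    """True for ACCEPT rules whose source is the entire address space."""
    return (rule.action == "ACCEPT"
            and ipaddress.ip_network(rule.source, strict=False).prefixlen == 0)


def find_drift(baseline: list[Rule], current: list[Rule]) -> dict[str, list[Rule]]:
    """Compare the live rule set with the baseline and group the differences."""
    base, live = set(baseline), set(current)
    added = sorted(live - base, key=lambda r: (r.port, r.source))
    removed = sorted(base - live, key=lambda r: (r.port, r.source))
    # The dangerous case: an exposure to the world that was never approved.
    unapproved_exposure = [r for r in added if is_world_reachable(r)]
    return {"added": added, "removed": removed,
            "unapproved_exposure": unapproved_exposure}


# Constructed sample data: an approved baseline, and a live export in which a
# troubleshooting change opened a port to the world and was never reverted.
BASELINE_TEXT = """
ACCEPT tcp 443 0.0.0.0/0        # public web front end
ACCEPT tcp 22  10.0.0.0/8       # admin SSH from internal ranges only
DROP   tcp 0   0.0.0.0/0        # default deny (constructed placeholder)
"""

CURRENT_TEXT = """
ACCEPT tcp 443 0.0.0.0/0
ACCEPT tcp 22  10.0.0.0/8
ACCEPT tcp 8443 0.0.0.0/0       # added during troubleshooting, no ticket
DROP   tcp 0   0.0.0.0/0
"""


def drift_report() -> dict[str, list[Rule]]:
    """Run the drift check over the constructed sample data."""
    return find_drift(parse_rules(BASELINE_TEXT), parse_rules(CURRENT_TEXT))


if __name__ == "__main__":
    report = drift_report()
    for rule in report["unapproved_exposure"]:
        print(f"UNAPPROVED EXPOSURE: {rule.proto}/{rule.port} open to {rule.source}")
    for rule in report["removed"]:
        print(f"MISSING BASELINE RULE: {rule}")
```

Running this against the constructed data reports one unapproved exposure (the troubleshooting rule on port 8443). The useful property is that the check is independent of who made the change or why: any rule absent from the reviewed baseline is surfaced, which is exactly the class of change that went unnoticed here.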

-Jordan Sullivan

Sources:


Deloitte’s Embarrassing Data Breach

On September 25th 2017, Deloitte, one of the world’s “big four” accounting firms, acknowledged a breach of its internal email systems. The Guardian reported that the breach involved usernames, passwords and personal data on the accountancy’s top blue-chip clients. The hackers had access inside the company’s networks for months before the company noticed anything, and compromised all administrator accounts as well as the entire internal email system.

As a global firm with cyber risk consulting as one of its biggest strengths, Deloitte failed to deploy the simplest of cybersecurity techniques. According to The Guardian, Deloitte failed to deploy elementary security measures such as requiring two-factor authentication. The firm also appears to have guarded large pools of data with a single password. In addition to not deploying two-factor authentication, Deloitte’s corporate VPN passwords and usernames, as well as operational details, were found in a public GitHub repository. An employee had also uploaded company proxy login credentials to his public Google+ page. This information was on the web for over six months.
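Credentials ending up in a public repository or profile page is a failure mode that a pre-push or CI check can catch. The script below is an added example, not Deloitte's or any vendor's tooling: it combines the two heuristics most secret scanners use, an assignment whose key name looks like a credential (`password`, `secret`, `api_key`, `token`) and a long token whose character distribution looks random. The sample configuration text is constructed and contains no real credentials; the templated `${PROXY_PASSWORD}` line shows the placeholder exclusion that keeps such scanners from drowning in false positives.

```python
"""Scan text for credentials before it is pushed anywhere public.

Added example, not Deloitte's or any vendor's code. It combines two common
secret-scanning heuristics: key/value assignments whose key name looks like a
credential, and long high-entropy tokens that look like keys or hashes.
The sample input below is constructed and contains no real credentials.
"""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Assignment whose key ends in a credential-like word, e.g. "vpn_password = ...".
CREDENTIAL_ASSIGNMENT = re.compile(
    r"""(?ix)
    (?P<key>[\w.-]*(?:password|passwd|pwd|secret|api[_-]?key|token))
    \s*[:=]\s*
    ['"]?(?P<value>[^\s'"]{6,})['"]?
    """
)

# Templated or placeholder values that are not secrets: ${VAR}, <fill-me-in>, ***.
PLACEHOLDER_VALUE = re.compile(r"(?i)^(\$\{[^}]*\}|<[^>]*>|\*{3,}|changeme)$")

# Candidate tokens for the entropy check (hex, base64-like, long random strings).
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{32,}")
ENTROPY_THRESHOLD_BITS = 3.5  # random hex tops out at 4.0 bits/char, base64 at 6.0


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    evidence: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per line that looks like it carries a secret."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = CREDENTIAL_ASSIGNMENT.search(line)
        if m and not PLACEHOLDER_VALUE.match(m.group("value")):
            findings.append(Finding(lineno, "credential-assignment", m.group("key")))
            continue
        for token in LONG_TOKEN.findall(line):
            if shannon_entropy(token) >= ENTROPY_THRESHOLD_BITS:
                # Report only a prefix so the scanner's own output is not a leak.
                findings.append(Finding(lineno, "high-entropy-token", token[:8] + "..."))
    return findings


# Constructed sample: a VPN config and an env file as they might sit in a repo.
SAMPLE = """\
# vpn.conf (constructed sample, not real credentials)
remote vpn.example.test 1194
username = jdoe
password = Wint3r-Is-C0ming!
proxy_password = ${PROXY_PASSWORD}
# deploy.env
export DEPLOY_SIG=0123456789abcdeffedcba9876543210
echo "login complete"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line}: {f.kind} ({f.evidence})")
```

On the sample this reports line 4 (a literal password assignment) and line 7 (a 32-character token at 4.0 bits per character), while the templated value on line 5 is skipped. Wiring a check like this into a pre-commit hook or CI job is cheap compared with the exposure the article describes.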

Furthermore, Deloitte has many of its internal systems on the public internet with remote access enabled. At this point, they are just inviting hackers to take advantage of them. Everything should have been behind a secure network and a firewall. “Just in the last day I’ve found 7,000 to 12,000 open hosts for the firm spread across the globe,” security researcher Dan Tentler, founder of Phobos Group, told The Register.

This breach was very embarrassing for Deloitte, which prides itself on being one of the top cyber risk consulting firms in the world. It had been named by the analyst firm Gartner as the world’s best IT security consulting firm for the past five years. In response to the incident, Deloitte has introduced multi-factor authentication and encryption software to try to stop further hacks.

-Tik Ho Chan

Sources:

https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/

https://www.theregister.co.uk/2017/09/26/deloitte_leak_github_and_google/

https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails

Instant Messaging? How About “Instant Malware”

If you’ve never heard of Telegram, it’s an instant messaging platform that’s quickly gaining popularity for its emphasis on secure, private chats. In fact, the developers of Telegram are so confident in its security that they’ve announced multiple hacking contests with six-figure bounties. So far, none of the contests have found a winner.

One of the features that makes Telegram so nice to use is the ability to instantly share files with your friends: pictures, Word documents, PDFs, those sorts of things. But what if someone sent you an executable program? Would you run it? Probably not — but what if it looked like a picture, or a Word document, or a PDF?

Beginning March 2017, many unsuspecting users fell victim to a vulnerability in how Telegram handled Unicode, specifically the “right-to-left override” character (or RLO). The RLO character is intended to reverse the display order of the text that follows it. In some applications, the RLO is improperly handled and can cause the characters after the RLO to not be displayed at all. Telegram, however, displays strings with an RLO character correctly. So what’s the big deal?

It turns out that applying this to filenames can be disastrous. By cleverly naming a file to hide the real extension, it’s possible to trick someone into downloading something that appears harmless. For example, if an attacker wanted to send you a malicious JavaScript file, they could send you a file named “photo_high_re\U+202Egnp.js” and Telegram would display it as “photo_high_resj.png”.
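A messaging client, mail gateway or upload filter can catch this by looking at the filename's code points rather than its rendering. The script below is an added example (not Telegram's or Kaspersky's code): it strips Unicode bidirectional controls to recover the real extension, approximates how a bidi-aware UI would render the name, and flags any filename where the two extensions disagree. The rendering step models only the override case described above; the full bidi algorithm (UAX #9) is more involved, but for a filename filter the override case is the one that matters.

```python
"""Detect filenames that use Unicode bidi controls to disguise their extension.

Added example, not Telegram's or Kaspersky's code. It strips the controls to
recover the real extension and approximates how a bidi-aware UI would render
the name, so a scanner or upload filter can show both to the user.
"""
from __future__ import annotations

# Unicode bidirectional control characters (abbreviations per the Unicode standard).
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}
RLO, PDF = "\u202e", "\u202c"


def rendered_name(name: str) -> str:
    """Approximate the visual order: text after an RLO is reversed until a PDF.

    This models only the override case the post describes; a full bidi
    implementation (UAX #9) handles mixed-direction runs in more detail.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])   # reversed run
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1                              # other controls are invisible
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def extension_of(name: str) -> str:
    """Lower-cased final extension, or '' if the name has no dot."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze_filename(name: str) -> dict:
    """Report bidi controls, the real extension and the extension a user sees."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    shown = rendered_name(name)
    true_ext, shown_ext = extension_of(stripped), extension_of(shown)
    return {
        "controls": controls,
        "true_extension": true_ext,
        "displayed_as": shown,
        "displayed_extension": shown_ext,
        # Any bidi control in a filename is worth flagging; a mismatched
        # extension is the specific trick described above.
        "suspicious": bool(controls),
        "extension_mismatch": bool(controls) and true_ext != shown_ext,
    }


if __name__ == "__main__":
    # Constructed sample: the name from the post, with U+202E actually inserted.
    for fname in ["photo_high_re\u202egnp.js", "holiday.png"]:
        r = analyze_filename(fname)
        print(f"{r['displayed_as']!r}: real extension .{r['true_extension'] or '?'}, "
              f"suspicious={r['suspicious']}, mismatch={r['extension_mismatch']}")
```

For the post's example the function reports the name as displayed (`photo_high_resj.png`), the real extension (`js`) and the displayed one (`png`), with both flags set; a plain `holiday.png` passes clean. Filters that act on this should treat the presence of any bidi control in a filename as grounds to show the user the stripped name, since there is no legitimate reason for one to appear there.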

This exploit was used to install malware such as backdoors and spyware, though some craftier attackers were using Telegram to trick people into running cryptominers. Kaspersky Labs uncovered the vulnerability in October 2017, which means this vulnerability existed for at least 8 months. Kaspersky Labs also noted that this was an increasingly popular exploit for 2017. Kaspersky Labs alleges that the source of the attack was Russian cybercriminals, and that no evidence was found to suggest the exploit was known outside of the Russian cybercriminal community.

Victims of this attack actually would have been somewhat protected if the security confirmations on Windows were still enabled. When executing the file, Windows correctly displays what type of file it is (JavaScript, EXE, etc.). However, even for the users that still have this feature enabled, I think it’s fair to say that most people have trained their muscle memory to click “Run” when that popup appears. This serves as a good reminder to always take a moment to verify what you’re doing.

Original article: https://www.csoonline.com/article/3254139/security/hackers-exploit-zero-day-flaw-in-telegram-to-mine-cryptocurrency.html
Telegram: https://telegram.org/
Kaspersky Labs: https://securelist.com/zero-day-vulnerability-in-telegram/83800/

Written by Jesse R.

Apple’s iBoot source code is leaked online

Apple is a company well known for its secrecy surrounding upcoming products and features. The company has its own dedicated Global Security team, tasked with monitoring possible leaks and tracking down the source. So it was a shock to many when the source code behind iBoot, the second-stage bootloader responsible for securely launching iOS, was leaked on February 7th, 2018.

The source code that leaked was from a version of iBoot that ran alongside iOS 9.3, making it outdated by a couple of years. This may make it sound like there is little to no risk, given that Apple reports that only 7% of all active iOS devices are using a version of iOS less than 10. However, this code still holds significance in the world of mobile security, allowing security researchers and hackers alike to directly view the code responsible for checking code signatures and launching iOS on the iPhone, iPad, and iPod Touch.

Although the most up-to-date version of iBoot may have eliminated some of the flaws that can be found in the leaked code, it is entirely possible for vulnerabilities to exist in both versions, and even if not, the code still provides valuable insight into a low-level system process that could be used to compromise, or jailbreak, an iOS user’s device. Information learned from the source code could also lead to the future emulation of iOS on unsupported platforms.

The leak originated from a Reddit post made with a throw-away account in September of 2017 on the r/jailbreak subreddit, linking to a download of the source code. The post gained little traction due to the subreddit’s policy for new users; however, the leak gained publicity when links to the post began appearing on Twitter. Shortly after the original link was taken down, the code was re-uploaded to GitHub, and has continued to show up on the site despite Apple’s multiple DMCA take-down requests.

The iBoot leak itself also makes a statement about Apple’s security, which within the past week has dealt with numerous leaks of internal files and information, including future Apple Watch firmware, development Apple TV firmware, a large leak of private links to Apple sales material, and even the source code for the baseband from iOS 9.3. Leaks like these can come from unsecured web servers as well as from employees who either accidentally or purposefully give away the information. Apple has reportedly led investigations within the company to find leakers through its Global Security team, sometimes taking years to track down the source of an information leak. What Apple does now about its security in response to the breaches mentioned has yet to be seen.

Sources:

-Alex Noel

BlueBorne, a Bluetooth Vulnerability

Armis has identified a new threat to almost every device we own. Eight vulnerabilities have been identified, four of which are critical. These vulnerabilities affect over 5 billion Android, Windows, iOS, and Linux devices. This set of vulnerabilities is known as BlueBorne.

What makes this vulnerability different from most cyber attacks is that there is no link that a user has to click on or malicious file that the user has to download to become a victim. The user doesn’t even have to be connected to the internet. Instead, BlueBorne spreads through a device’s Bluetooth connection. The attack doesn’t require the targeted device to be paired to the attacker’s device, or even for the targeted device to be set to discoverable mode.


This all contributes to BlueBorne being easily spread to devices at a possibly unprecedented rate. Bluetooth processes have high privileges on all operating systems, which allows this exploit to completely take over the device. Android devices are vulnerable to remote code execution, information leaks, and man-in-the-middle attacks. Windows devices are vulnerable to the man-in-the-middle attack. Linux devices running BlueZ are affected by the information leak vulnerability, and Linux devices from version 3.3-rc1 (released in October 2011) are affected by the remote code execution vulnerability (this includes many smart watches, smart TVs, and smart refrigerators). iPhone, iPad and iPod touch devices with iOS 9.3.5 and lower, and Apple TV devices with version 7.2.2 and lower, are affected by the remote code execution vulnerability, but this vulnerability was already patched for users running iOS 10. Even networks that are “air gapped” are at risk of this attack, including industrial systems, government agencies, and critical infrastructure.

Examples of attacks:

  • Taking a picture on a phone and sending it to the hacker
  • Listening to a conversation through a wearable device
  • Redirecting a user to a fake login page to steal their login information
  • Cyber espionage
  • Data theft
  • Ransomware
  • Creating large botnets out of IoT devices

Many companies are pushing out updates for their users, but for many it is too late, and others have older devices that will not receive the updates.

As of 9/13/17:

  • Apple users with iOS 10 are safe
  • Google has released a patch for this vulnerability for Android Marshmallow and Nougat, but it might be weeks before the patch is available to some Android users
  • Microsoft patched the vulnerabilities in July
  • A patch for Linux is expected to be released soon

The problem is that even with these patches, there are many users who are unaware of this exploit and/or do not update their devices regularly. For users that haven’t updated their devices or do not have an update for their device, the safest thing to do is to turn Bluetooth off on your phone and leave it off until there is a patch for your device.


Source: https://www.armis.com/blueborne/


-Matthew Smith