Avoidable Viasat Satellite Hack Causes Headaches Across Europe And Ukraine

(Mis)Uses of Technology

from the as-predicted dept

For literally more than a decade researchers have been warning that global satellite telecommunications networks were vulnerable to all manner of attacks. These attacks vary in nature but allow an intruder miles away to both intercept and disrupt satellite communications. In 2020 hackers again clearly demonstrated how these perpetually unresolved vulnerabilities were putting millions of people at risk.

Fast forward to 2022 and a major hack of Viasat’s satellite systems has caused, you guessed it, massive problems for an estimated 27,000 users. The attack on Viasat’s KA-SAT satellite system, suspected to be the work of the Russian government, appears to have been intended to disrupt Ukraine communications in the lead up to war, but managed to impact a very large chunk of Europe:

Viasat told Reuters that the cyberattack Viasat says was made possible courtesy of a misconfiguration in a “management section” of its network. The impact was severe enough that many users of the satellite in Germany, the UK, France, the Czech Republic, and elsewhere found that their modems had effectively been bricked and “rendered unusable.”

Thousands still remain offline across Europe—around 2,000 wind turbines are still disconnected in Germany—and companies are racing to replace broken modems or fix connections with updates. Multiple intelligence agencies, including those in the US and Europe, are also investigating the attack. The Viasat hack is arguably the largest publicly known cyberattack to take place since Russia invaded Ukraine, and it stands out for its impact beyond Ukraine’s borders. But questions about the details of the attack, its purpose, and who carried it out remain—although experts have their suspicions.

Such spillover impact is routine in such attacks. The attack not only impacted basic broadband connectivity, 5,800 wind turbines in Germany were knocked offline, preventing them from being reset remotely should problems develop.

Again, this could have been avoided if companies had heeded researchers and white-hat hacker warnings. But instead, the dominant paradigm tends to be to try and silence those researchers, or misdirect our attention toward security and privacy issues that grab easy headlines, but are less of a direct threat (see: the two year long Trump-era freak out about TikTok).

Vulnerabilities such as the ones in satellite networks, or the massive, obvious security and privacy problems in the “internet of broken things” sector, tend to be downplayed and ignored because they’re “boring” for the press and politicians. As a result, there’s little incentive to do better. Wash, rinse, and repeat.

Filed Under: broadband, cybersecurity, hack, hacking, russia, satellite, telecom, ukraine, vulnerability
Companies: viasat

Turns Out It Was Actually The Missouri Governor's Office Who Was Responsible For The Security Vulnerability Exposing Teacher Data

Failures

from the will-you-look-at-that dept

The story of Missouri’s Department of Elementary and Secondary Education (DESE) leaking the Social Security Numbers of hundreds of thousands of current and former teachers and administrators could have been a relatively small story of yet another botched government technology implementation — there are plenty of those every year. But then Missouri Governor Mike Parson insisted that the reporter who reported on the flaw was a hacker and demanded he be prosecuted. After a months’ long investigation, prosecutors declined to press charges, but Parson doubled down and insisted that he would “protect state data and prevent unauthorized hacks.”

You had to figure another shoe was going to drop and here it is. As Brian Krebs notes, it has now come out that it was actually the Governor’s own IT team that was in charge of the website that leaked the data. That is, even though it was the DESE website, that was controlled by the Governor’s own IT team. This is from the now released Missouri Highway Patrol investigation document. As Krebs summarizes:

The Missouri Highway Patrol report includes an interview with Mallory McGowin, the chief communications officer for the state?s Department of Elementary and Secondary Education (DESE). McGowin told police the website weakness actually exposed 576,000 teacher Social Security numbers, and the data would have been publicly exposed for a decade.

McGowin also said the DESE?s website was developed and maintained by the Office of Administration?s Information Technology Services Division (ITSD) ? which the governor?s office controls directly.

?I asked Mrs. McGowin if I was correct in saying the website was for DESE but it was maintained by ITSD, and she indicated that was correct,? the Highway Patrol investigator wrote. ?I asked her if the ITSD was within the Office of Administration, or if DESE had their on-information technology section, and she indicated it was within the Office of Administration. She stated in 2009, policy was changed to move all information technology services to the Office of Administration.?

Now, it’s important to note that the massive, mind-bogglingly bad, security flaw that exposed all those SSNs in the source code of publicly available websites was coded long before Parson was the governor, but it’s still his IT team that was who was on the hook here. And perhaps that explains his nonsensical reaction to all of this?

For what it’s worth, the report also goes into greater detail about just how dumb this vulnerability was:

Ms. Keep and Mr. Durnow told me once on the screen with this specific data about any teacher listed in the DESE system, if a user of the webpage selected to view the Hyper Text Markup Language (HTML) source code, they were allowed to see additional data available to the webpage, but not necessarily displayed to the typical end-user. This HTML source code included data about the selected teacher which was Base64 encoded. There was information about other teachers, who were within the same district as the selected teacher, on this same page; however, the data about these other teachers was encrypted.

Ms. Keep said the data which was encoded should have been encrypted. Ms. Keep told me Mr. Durnow was reworking the web application to encrypt the data prior to putting the web application back online for the public. Ms. Keep told me the DESE application was about 10 years old, and the fact the data was only encoded and not encrypted had never been noticed before.

This explains why Parson kept insisting that it wasn’t simply “view source” that was the issue here, and that it was hacking because it was “decoded.” But Base64 decoding isn’t hacking. If it was, anyone figuring out what this says would be a “hacker.”

TWlrZSBQYXJzb24gaXMgYSB2ZXJ5IGJhZCBnb3Zlcm5vciB3aG8gYmVpZXZlcyB0aGF0IGhpcyBvd24gSVQgdGVhbSdzIHZlcnkgYmFkIGNvZGluZyBwcmFjdGljZXMgc2hvdWxkIG5vdCBiZSBibGFtZWQsIGFuZCBpbnN0ZWFkIHRoYXQgaGUgY2FuIGF0dGFjayBqb3VybmFsaXN0cyB3aG8gZXRoaWNhbGx5IGRpc2Nsb3NlZCB0aGUgdnVsbmVyYWJpbGl0eSBhcyAiaGFja2VycyIgcmF0aGVyIHRoYW4gdGFrZSBldmVuIHRoZSBzbGlnaHRlc3QgYml0IG9mIHJlc3BvbnNpYmlsaXR5Lg==

That’s not hacking. That’s just looking at what’s there and knowing how to read it. Not understanding the difference between encoding and encrypting is the kind of thing that is maybe forgivable for a non-techie in a confused moment, but Parson has people around him who could surely explain it — the same people who clearly explained it to the Highway Patrol investigating. But instead, he still insists it was hacking and is still making journalist Jon Renaud’s life a living hell from all this nonsense.

The investigation also confirms exactly as we had been saying all along that Renaud and the St. Louis Post-Dispatch did everything in the most ethical way possible. It found the vulnerability, checked to make sure it was real, confirmed it with an expert, then notified DESE about it, including the details of the vulnerability, and while Renaud noted that the newspaper was going to run a story about it, made it clear that it wanted to make sure the vulnerability was locked down before the story would run.

So, once again, Mike Parson looks incredibly ignorant, and completely unwilling to take responsibility. And the more he does so, the more this story continues to receive attention.

Filed Under: dese, hacking, jon renaud, mike parson, missouri, vulnerability
Companies: st. louis post dispatch

Missouri Governor Still Expects Journalists To Be Prosecuted For Showing How His Admin Leaked Teacher Social Security Numbers

Failures

from the let-it-go,-mike dept

Missouri Governor Mike Parson is nothing if not consistent in his desire to stifle free speech. As you’ll recall, the St. Louis Post-Dispatch discovered that the state’s Department of Elementary and Secondary Education (DESE) website was programming in such an incompetent fashion that it would reveal, to anyone who knew where to look, the social security numbers of every teacher and administrator in the system (including those no longer employed there). The reporting on the vulnerability was done exactly following ethical disclosure best practices — getting just enough evidence of the vulnerability, alerting the state to the problem and not publishing anything until the vulnerability was fixed. The FBI told Missouri officials early on “that this incident is not an actual network intrusion” and DESE initially wrote up a press release thanking the journalists for alerting them to this.

But then Parson blundered his way into making a mess of it, insisting that the reporters were hackers and ordering the Missouri Highway Patrol to “investigate” them for prosecution. When people mocked him for this, he doubled down by insisting that this was real hacking and that those reporting otherwise were part of “the fake news.”

A month later, DESE admitted that it had fucked up, apologized to all the teachers and administrators (current and former) who its own incompetence had exposed, and offered credit monitoring to them all. Notably, DESE did not apologize to the journalists who discovered this mess, and the governor has continued to stand by his call to prosecute them.

Earlier this week the Highway Patrol claimed it had completed its investigation… and turned the findings over to state prosecutors. That alone seems worrisome, as there’s nothing to turn over to prosecutors here beyond “our governor is a very foolish man, who can’t admit to his own failings.”

Capt. John Hotz said the results were turned over to Cole County Prosecuting Attorney Locke Thompson.

?The investigation has been completed and turned over to the Cole County Prosecutor?s office,? Hotz told the Post-Dispatch on Monday.

And the Governor still thinks the end result will be the prosecution of journalists for exposing the fact that his own administration ran a dangerously incompetent computer system that put 600,000 current and former state employees’ private info at risk:

Gov. Mike Parson on Wednesday expressed his opinion the Cole County prosecuting attorney would bring charges in the case of a Post-Dispatch reporter who alerted the state to a significant data vulnerability.

?I don?t think that?ll be the case,? Parson said when asked what he would do if the prosecutor didn?t pursue the case. ?That?s up to the prosecutor; that?s his job to do.?

Parson’s continued insistence that this was unauthorized hacking is absolute garbage.

?If somebody picks your lock on your house ? for whatever reason, it?s not a good lock, it?s a cheap lock or whatever problem you might have ? they do not have the right to go into your house and take anything that belongs to you,? Parson said.

That analogy is just dumb on multiple levels. They didn’t pick any lock. They didn’t intrude somewhere they weren’t supposed to go. The website put the info on their computers in the HTML. They didn’t break any locks. They didn’t access a system they didn’t have access to. They just went where they were allowed to go, and the state’s incompetent technologists handed them info it should not have.

Under Parson’s definition of “hacking” it would be easy to turn anyone into a hacker. Just expose data you shouldn’t expose on a website, and wait until anyone visited the page. That’s not how this should work and the fact that he’s still pressing this issue raises serious questions about Parson’s competence to do anything, let alone run an entire state.

Filed Under: criminalizing security, ethical disclosure, hacking, journalism, mike parson, missouri highway patrol, vulnerability
Companies: st. louis post dispatch

Newly Revealed Details Show That Missouri Government Totally Knew That Journalists Were Not At Fault For Teacher Data Vulnerability

Politics

from the of-course-they-knew dept

Kudos for open records laws proving to us that not only is Missouri Governor Mike Parson a technologically illiterate hack, but he’s a lying one as well. You’ll recall, of course, that in October, the St. Louis Post-Dispatch reported on how the state’s Department of Elementary and Secondary Education (DESE) website was designed in such a dangerous way that it was exposing the social security numbers of state teachers and administrators, and rather than thanking the journalists for their ethical disclosure of this total security fail by the state, DESE and Governor Parson called them hackers and asked law enforcement to prosecute them. Governor Parson continued to double down for weeks, insisting that reporting this vulnerability (and failed security by the government he runs) was malicious hacking until DESE finally admitted it fucked up and apologized to the over 600,000 teachers and administrators whose data was vulnerable — but never apologizing to the journalists.

The Post-Dispatch, whose reporters potentially still face charges, put out an open records request to find out more about what the government was saying and discovered, somewhat incredibly, that before DESE referred to them as hackers, it already knew that it was at fault here and even initially planned to thank the journalists. As the documents reveal, the FBI flat out told DESE that this was a DESE fuckup and DESE had sent Gov. Parson a planned statement that thanked the journalists:

In an Oct. 12 email to officials in Gov. Mike Parson?s office, Mallory McGowin, spokeswoman for DESE, sent proposed statements for a press release announcing the data vulnerability the newspaper uncovered.

?We are grateful to the member of the media who brought this to the state?s attention,? said a proposed quote from Education Commissioner Margie Vandeven.

The Parson administration and DESE did not end up using that quote.

The next day, on Oct. 13, the Office of Administration issued a news release calling the Post-Dispatch journalist a ?hacker.?

This is truly incredible. As are the details of the conversation between a Missouri employee and a local FBI agent.

Meanwhile, at 3:24 p.m. on Oct. 13, Angie Robinson, cybersecurity specialist for the state, emailed Department of Public Safety Director Sandra Karsten to inform her that she had forwarded emails from the Post-Dispatch to Kyle Storm with the FBI in St. Louis.

?Kyle informed me that after reading the emails from the reporter that this incident is not an actual network intrusion,? she said.

Instead, she wrote, the FBI agent said the state?s database was ?misconfigured.?

?This misconfiguration allowed open source tools to be used to query data that should not be public,? she wrote.

So, by the time of the “hacker” statement by DESE, it was already pretty clear to people within DESE that it was DESE at fault and not journalists ethically disclosing DESE’s terribly bad security practices. However, the report also notes that the FBI and the local Assistant US Attorney were still investigating whether or not they could bring criminal charges against the journalists:

?Kyle said the FBI would speak to Gwen Carroll, the AUSA (Assistant U.S. Attorney), with the updated information from the emails to see if this still fit the crime and if she was interested in prosecuting,? Robinson said.

Oh, and even worse: technically the criminal investigation is still ongoing:

As of Tuesday, the Highway Patrol?s investigation was still active, Capt. John Hotz told the Post-Dispatch.

That investigation needs to be closed, and everyone involved from DESE to Governor Parson to the Highway Patrol owe the St. Louis Post-Dispatch, its reporters, and the citizens of Missouri a massive apology.

Filed Under: data breach, dese, ethical disclosure, mike parson, missouri, right click, view source, vulnerability
Companies: st. louis post dispatch

DHS Cyber Warriors Issue Warning About Massive Hacking Campaign, Disclose They've Been Hacked A Day Later

(Mis)Uses of Technology

from the holy-shit-this-is-bad dept

Welp. Everything is compromised. Again.

Reuters was the first to report suspected Russian hackers had gained access to hundreds of SolarWinds customers, including US government agencies.

Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury and Commerce departments, according to people familiar with the matter, adding they feared the hacks uncovered so far may be the tip of the iceberg.

[…]

The cyber spies are believed to have gotten in by surreptitiously tampering with updates released by IT company SolarWinds, which serves government customers across the executive branch, the military, and the intelligence services, according to two people familiar with the matter. The trick – often referred to as a “supply chain attack” – works by hiding malicious code in the body of legitimate software updates provided to targets by third parties.

A full report by FireEye (which was also a victim of this hacking) details the process used to gain illicit access, which involved leveraging bogus signed components crafted by the hackers and distributed by an unaware SolarWinds. The widespread hacking campaign may have begun as early as March of this year. That it was only discovered now means the fallout from this will continue for months to come.

Here’s how the backdoor works, according to FireEye:

SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.

After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.

SolarWinds boasts over 300,000 customers, including 425 Fortune 500 companies, all ten of the top ten telcos, the Pentagon, State Department, NSA, DOJ, and the White House. Its long list of customers (which now returns a 404 error) all but ensures every passing hour will add another victim to the list.

According to SolarWinds’ post-attack-discovery SEC filing, it believes only a small percentage of its customers are affected. But even a fraction of its users is still a gobsmacking number of potential victims.

On December 13, 2020, SolarWinds delivered a communication to approximately 33,000 Orion product customers that were active maintenance customers during and after the Relevant Period. SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000.

The attack is serious and widespread enough that the DHS’s cybersecurity arm has issued a warning — one that says the only proven way to mitigate damage at this point is to disconnect affected hardware from the internet and pull the plug on Orion software. The CISA (Cybersecurity and Infrastructure Security Agency) Emergency Directive says this is a persistent threat — one not easily patched away.

CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on:

• Current exploitation of affected products and their widespread use to monitor traffic on major federal network systems;

• High potential for a compromise of agency information systems;

• Grave impact of a successful compromise.

CISA understands that the vendor is working to provide updated software patches. However, agencies must wait until CISA provides further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software in their enterprise.

The directive goes on to mandate reporting on infected systems and for affected agencies to assume the system remains compromised until CISA gives the all-clear. Unfortunately, this grave warning comes from an agency that is also compromised. CISA issued the directive on December 13. Here’s what was reported in the early hours of December 14:

US officials suspect that Russian-linked hackers were behind the recent data breach of multiple federal agencies, including the Departments of Homeland Security, Agriculture and Commerce, but are continuing to investigate the incident, multiple sources told CNN Monday.

CNN learned Monday that DHS’ cyber arm, which is tasked with helping safeguard the nation from attacks by malicious foreign actors, is among at least three US government agencies compromised in the hack.

In addition to CISA, government officials also suspect breaches at the US Postal Service and the Department of Agriculture. And the Defense Department is in the process of assessing its own exposure, if any. If any of its components have been breached, it has yet to be publicly reported.

The Russian government is denying involvement, but the evidence seems to point to “Cozy Bear,” the offensive hacking wing of Russia’s intelligence services. Unfortunately, SolarWinds’ dominance in the network management field made it that much easier for the attack to scale. And with CISA compromised, the government’s attempts to mitigate damage will be slowed as its own cybersecurity wing attempts to rid itself of a persistent threat.

Filed Under: cisa, commerce department, hacking, russia, treasury, vulnerability
Companies: fireeye, solarwinds

GPS Service Vulnerability Opened Door To Remote Vehicle Shutdown

(Mis)Uses of Technology

from the I'm-sorry-I-can't-do-that,-Dave dept

We’ve highlighted for years how flimsy (read: often nonexistent) privacy and security standards in the internet of things space is opening the door to all kinds of problems, from historically-massive DDOS attacks to your refrigerator leaking your Gmail login data. And while your your not-so-smart kettle exposing your network credentials is intimidating enough, the problem is far more worrisome in the “smart” automobile space, where a compromised system could prove decidedly more, oh, fatal.

Most modern car infotainment GUIs hint at the sloppiness lingering just beneath. Security researchers have routinely highlighted how many cars are absurdly vulnerable to not just hacking but a near-total takeover of in-car systems. They’ve similarly noted how historically, automaker efforts to patch these vulnerabilities are slow to arrive–if they arrive at all.

Granted it’s not just retail vehicles that pose a security risk. Last week, researchers highlighted how GPS units installed in many fleet automobiles (designed to help companies track their shipments or employees as they travel) could also be somewhat easily compromised, allowing attackers to track these vehicles and their drivers without their permission:

“The hacker, who goes by the name L&M, told Motherboard he hacked into more than 7,000 iTrack accounts and more than 20,000 ProTrack accounts, two apps that companies use to monitor and manage fleets of vehicles through GPS tracking devices. The hacker was able to track vehicles in a handful of countries around the world, including South Africa, Morocco, India, and the Philippines.”

The origin of this vulnerability? The manufacturers of these systems thought it would be a good idea to give all customer accounts the default password of…”123456.” Worse perhaps, because these systems are so closely tied to a vehicle’s network and computers, the hacker found he could actually disable some vehicle systems (since that’s a function already embedded in these services app platforms). In this case (fortunately), only if the vehicles are traveling at speeds slower than 12 miles per hour.

The researcher who discovered the problem noted it wouldn’t be hard to use such vulnerabilities to create some notable urban headaches:

“On some cars, the software has the capability of remotely turning off the engines of vehicles that are stopped or are traveling 12 miles per hour or slower, according to the manufacturer of certain GPS tracking devices…?My target was the company, not the customers. Customers are at risk because of the company,? L&M told Motherboard in an online chat. ?They need to make money, and don’t want to secure their customers.”

Comforting. Over the last decade some have tried to argue that dismal vehicle security practices are being over-hyped, yet a steady parade of reports have indicated the problem is very real. As everything becomes interconnected and the quest to build interlinked smart cities and smart vehicles takes off, the door opens ever so wider to somebody using our collective privacy and security apathy in a very troubling way at an even more troubling scale — something security experts like Bruce Schneier have been warning about for some time.

Filed Under: cars, gps, remote vehicle shutdown, security, vulnerability

Georgia Scrambles To Patch Massive Vulnerabilities In Its Voter Registration System After Insisting It Was Totally Secure

(Mis)Uses of Technology

from the so-about-that-voting-system... dept

Yesterday we had a rather incredible story about Georgia’s Secretary of State, Brian Kemp, who, despite the conflict of interest, is both running for Governor and in charge of making sure Georgia’s elections are fair. Over the weekend, Kemp had made a highly questionable claim that his opponents in the Democratic Party of Georgia had attempted to hack the voter registration system, and he was opening an investigation. As we noted, what appears to have actually happened was that an independent security researcher had discovered massive, stunning, gaping security flaws in Georgia’s voter registration system, that would potentially allow anyone to access anyone else’s information and even modify it. That’s an especially big deal in Georgia, where the very same Secretary of State Brian Kemp had pushed for laws that meant that if any of your ID information was different from what was in the voter system, you didn’t get to vote.

Incredibly, despite multiple security experts pointing out some fairly basic flaws, Kemp’s office insisted the site was secure. According to press secretary Candice Broce:

?We can also confirm that no personal data was breached and our system remains secure.?

Elsewhere the Secretary of State’s Office insisted there were no problems with the site. However, as ProPublica is now reporting, late Sunday night, after it had insisted there was nothing wrong, it appeared that someone behind the scenes was scrambling to patch the vulnerabilities:

ProPublica?s review of the state?s voter system followed a detailed recipe created by the tipster, who was described as having IT experience and alerted Democrats to the possible security problems. Using the name of a valid Georgia voter who gave ProPublica permission to access his voter file, reporters attempted to trace the security lapses that were identified.

ProPublica found the website was returning information in such a way that it revealed hidden locations on the file system. Computer security experts had said that revelation could give an intruder access to a range of information, including personal data about other voters and sensitive operating system details.

ProPublica?s attempt to take the next step ? to poke around the concealed files and the innards of the operating system ? was blocked by software fixes made that evening.

The same Candice Broce who had insisted that there was absolutely nothing wrong with the site then told ProPublica two obviously bullshit claims. First, that the setup that allowed users to see exactly where files were stored was standard practice, and so was making last minute changes to a voter registration website two days before an election:

Broce said the ability to see where files were stored was ?common? across many websites, and she said it was not an inherent vulnerability. She did not deny that the website?s code was rewritten and would not say whether changes were made as a result of the possible security holes.

?We make changes to our website all the time,? Broce said. ?We always move our My Voter Page to a static page before Election Day to manage volume and capacity. It is standard practice.? By Monday afternoon, the page did not appear to be static in the way Broce described, and she did not respond to a request to provide evidence of the change.

Of course, as anyone who has done any serious website building in, let’s say, the last 10 to 15 years, knows well, that is not at all standard practice. But, let’s see the quote from an expert anyway:

Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., disputed that visibility into file storage was common. ?It?s definitely not best practice,? he said. He said it appeared the state had made the change in response to being notified of the problem and could see no reason why officials would otherwise make such a change ahead of Election Day.

Security experts frown on making such seemingly ad hoc changes close to major events, such as an election, because they can create unforeseen problems when made so quickly.

Basically, it appears that Kemp and the Secretary of State’s office are betting on voters in Georgia being totally ignorant. Meanwhile, this is the same office that just a couple months ago made the following bold statement:

?There has never been a breach in the Secretary of State?s office. We have never been hacked, and according to President Trump and the Department Of Homeland Security, we have never been targeted. Georgia has secure, accessible, and fair elections because Kemp has leveraged private sector solutions for robust cyber security, well before any of those options were offered by the federal government.?

I don’t care what side of the partisan divide you fall on, but Kemp’s actions in failing to protect the system, overseeing the voting in his own election, then attacking the messenger for pointing out his own vulnerability, denying the vulnerability, and then scrambling to fix the vulnerability at the last minute without telling anyone, should disqualify him from running a Burger King, let alone being Governor of the state of Georgia.

Filed Under: brian kemp, computer security, election, georgia, voter registration, vulnerability

0-Day Vulnerability Exposes Thousands Of AT&T Broadband Customers To Attack

Broadband

from the whoops-a-daisy dept

AT&T and hardware manufacturer Arris are being accused of leaving millions of broadband subscribers open to attack. A new report by security researcher Joseph Hutchins highlights how five flaws were discovered in Arris routers used by AT&T and numerous other ISPs around the world. Hutchins notes that some of the flaws may have been introduced after they were delivered to AT&T, since ISPs traditionally modify hardware for use on their network post sale. But many of the flaws were courtesy of the all-too-common tendency to ship hardware with hardcoded credentials and SSH enabled by default:

“It was found that the latest firmware update (9.2.2h0d83) for the NVG589 and NVG599 modems enabled SSH and contained hardcoded credentials which can be used to gain access to the modem?s ?cshell? client over SSH. The cshell is a limited menu driven shell which is capable of viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the Internet, and even controlling what appears to be a kernel module whose sole purpose seems to be to inject advertisements into the user?s unencrypted web traffic.”

Nearly 140,000 devices are impacted, and the Arris NVG589 and NVG599 modems are used by AT&T to power its VDSL broadband (formerly U-verse) service. The vulnerabilities not only open up subscribers to attack, but hardcoded credentials are also to thank for the rise in historically massive DDoS attacks as malware targets such devices for use in botnets. In addition to hard-coded credentials (which you’d think any sensible hardware vendor would steer well clear of at this point), Hutchins notes the devices suffer from default https server credentials, command injection vulnerabilities, and a a firewall bypass on port 49152.

AT&T is refusing to comment and Arris tells ThreatPost it’s looking into the flaws. Whichever party is to blame, Hutchins noted that the vulnerability was a result of “pure carelessness” at the companies:

“Regardless of why, when, or even who introduced these vulnerabilities, it is the responsibility of the ISP to ensure that their network and equipment are providing a safe environment for their end users. This, sadly, is not currently the case. The first vulnerability found was caused pure carelessness, if not intentional all together. Furthermore, it is hard to believe that no one is already exploiting this vulnerability at the detriment of innocents.”

At a recent Defcon, hackers demonstrated how they were able to break into around half of thirty different commercially-available residential broadband routers without too much elbow grease. Why does this continue to be such a problem? Security experts like Bruce Schneier have repeatedly noted how the same flimsy security we enjoy mocking in the internet of broken things space is all too present in residential broadband router market, thanks in large part to nobody in the supply chain having the financial incentive to do much about it:

“Typically, these systems are powered by specialized computer chips made by companies such as Broadcom, Qualcomm, and Marvell. These chips are cheap, and the profit margins slim. Aside from price, the way the manufacturers differentiate themselves from each other is by features and bandwidth. They typically put a version of the Linux operating system onto the chips, as well as a bunch of other open-source and proprietary components and drivers. They do as little engineering as possible before shipping, and there?s little incentive to update their ?board support package? until absolutely necessary.

The system manufacturers ? usually original device manufacturers (ODMs) who often don’t get their brand name on the finished product ? choose a chip based on price and features, and then build a router, server, or whatever. They don’t do a lot of engineering, either. The brand-name company on the box may add a user interface and maybe some new features, make sure everything works, and they’re done, too.”

After that, everybody in the cycle is too focused on making money on the next product or chipset to do the legwork required to keep the hardware or software in these devices updated or secure. This is at the heart of IOT dysfunction, but the problem goes notably deeper than just your easily hacked smart thermostat. Fair or not, the onus then gets put in the lap of the broadband ISP — since they field the support calls once a customer gets hacked. But swapping out the hardware or troubleshooting existing gear erodes profit margins as well — at companies that already cut customer support corners to an often comical degree.

As script-kiddie oriented malware kits make attacking these vulnerabilities easier than ever, the problem nobody seems to want to fix is going to only get worse. And while some might incorrectly call it hyperbole, that’s why Schneier and many other security researchers have been warning for years that there’s dumpster fire just over the horizon that could result in a notable loss of human lives. It’s a future everybody in the space can pretty clearly see, but few are willing to spend the money to avoid.

Filed Under: 0-day, hardcoded password, home broadband, routers, security, vulnerability
Companies: at&t

Company Storing Families' Personal Data Blocks Users/Researchers Informing It Of A Security Flaw

(Mis)Uses of Technology

from the blockchain,-but-for-ignoring-your-problems dept

It must be repeated over and over: people who discover security flaws and report them are not the enemy. And yet, company after company after company treat security researchers and concerned users like criminals, threatening them with lawsuits and arrests rather than thanking them for bringing the issue to their attention.

Kids Pass — a UK company providing discounts for families attending restaurants, theaters, and amusement parks — had a problem. Any user could access any other user’s personal information just by altering numbers linked to user IDs in the URL. A concerned user told security researcher Troy Hunt about the flaw. (via Boing Boing)

[J]ust this weekend I had a Twitter follower reach out via DM looking for advice on how to proceed with a risk he’d discovered when signing up to Kids Pass in the UK, a service designed to give families discounts in various locations across the country. What he’d found was the simplest of issues and one which is very well known – insecure direct object references. In fact, that link shows it’s number 4 in the top 10 web application security risks and it’s so high because it’s easy to detect and easy to exploit. How easy? Well, can you count? Good, you can hack! Because that’s all it amounted to, simply changing a short number in the URL.

Here’s the example the user passed on to Hunt:

Hunt told the user to stop doing anything — including accessing other users’ information — and immediately inform the company. The user did as instructed, contacting the company via Twitter direct message. Shortly thereafter, the user informed Hunt Kids Pass had blocked him on Twitter.

Hunt then made an attempt to speak to someone at Kids Pass… only to find out he had been blocked as well, most likely for having the gall to retweet the concerned user’s message about the security flaw.

The responsible, ethical approach — notifying a company of a security flaw as soon as possible — was being treated like some sort of trollish attack on Kids Pass’ Twitter account. From all appearances, the company simply wanted everyone to shut up about the flaw, rather than address the concerns raised by userw.

It was only after Hunt asked his followers to contact the company on his behalf that Kids Pass finally unblocked him and told everyone the “IT department was looking at it.”

The belated reaction doesn’t make up for the initial reaction. And Kids Pass has shown it has little interest in addressing security flaws until the problem becomes too public to ignore. Hunt points to a blog post by another security researcher who informed Kids Pass last December about its insecure system — including the fact it sent forgotten passwords in plaintext via email to users. He heard nothing back, finally publishing his discoveries in July.

If you want people to be good web citizens and report breaches and flaws, you can’t treat them like irritants or criminals when they do. Securing users’ personal info is extremely important, but some companies seem to feel they should be able to handle it however they want and mute/sue/arrest those who point out how badly-flawed their systems are.

Filed Under: security, shooting the messenger, troy hunt, uk, vulnerability
Companies: kids pass

Yet Another E-voting Machine Vulnerability Found

(Mis)Uses of Technology

from the because-of-course dept

We’ve been talking about the ridiculousness of e-voting machines for well over a decade. If a machine doesn’t include a paper trail for backup, it’s suspect. That’s been the case since e-voting machines have been on the market, and many of us have been pointing this out all along. And the big e-voting companies have a long history of not really caring, even as their machines are shown to be vulnerable in a variety of ways. So it come as little to no surprise to find out that security firm Cylance has announced that it’s found yet another set of e-voting vulnerabilities in the Sequoia AVC Edge Mk1 voting machine. Sequoia especially has a long history of buggy, faulty machines.

Of course, with all the talk of “rigged” voting this year, the fact that some machines are hackable is very, very bad. Mainly because it just enables conspiracy theory talk to seem much more believable. It remains true (for somewhat ridiculous reasons) that while these vulnerabilities do exist, a widespread hack would be quite difficult. The real problem is at the margin, where low level vote changing could occur. As Ed Snowden rightly notes, the hacking may not be difficult, but using that to rig an election is much more difficult, and would almost certainly be caught.

That said, this remains ridiculous. Even the appearance of potential vote hacking is a problem in actually getting the public to trust the results of an election. I can pretty much guarantee that no matter who wins tomorrow, someone will allege e-voting machine hacking, and point to this (or perhaps other) vulnerability disclosures in the days leading up to the election. And that’s bad. For over a decade we’ve been sounding the alarm that it’s ridiculous to use such electronic voting machines, and it would be a damn good idea to fix things. Would have been nice if someone listened.

Filed Under: e-voting, evoting, paper trail, vote rigging, vulnerability
Companies: sequoia