Monday, October 22, 2018

Zombies, power outage, and phishing: Oh my!



Lake Worth, Florida, is much like any other community working through its daily operations; every day is nearly the same as the day before. On Sunday, May 20, 2018, there was a power outage and, as part of the protocol, an alert was sent to residents. Unfortunately, the alert also stated that the outage was due to zombie activity. It was sent between 1:41 a.m. and 1:45 a.m. to approximately 7,880 residents.

The message may have been intended to be cute; however, it was indicative of a much larger problem. The city's notification system had been compromised, and not by 'extreme zombie activity'.

Attack
On the surface, this appears to be an old-school attack, perpetrated not for profit but for notoriety, which would raise the attacker's (or attackers') credibility among peers. The compromise nonetheless merits a much deeper analysis, as it is clearly indicative of a significant weakness in the system.

What makes this compromise worse is that it was the second event of this nature in a week. The other involved the city's online utility payment system.

In this case, a city employee's email account was compromised and used to access the notification system. That entry point was verified. To obtain the credentials, a phishing attack was most likely used.

Lessons Hopefully Learned
Granted, the message that was sent was funny, and everyone involved should be glad it was not destructive in nature. Had the attackers been malicious, the outcome could have been much worse. If the message had instead claimed that a hurricane or tornado would hit the municipality within the hour and that everyone was required to leave immediately, there would have been mass hysteria and, at the least, the potential for auto accidents.

The compromise is indicative of an underlying issue, however. With one successful phishing attack, the attacker knows there is and will be the opportunity for further successful attacks. The municipality truly needs to step up its employee training from the once-a-year mandatory session, which bores most of the staff, to periodic, more engaging training. An internal phishing campaign would also be relevant to gauge how well the training is actually taking hold.


Resources
Alanez, T. (2018, May 21). South Florida city warns residents of 'extreme zombie activity'. Retrieved from http://www.sun-sentinel.com/local/palm-beach/fl-pn-zombie-alert-lake-worth-20180521-story.html

Capozzi, J. (2018, October 10). Lake Worth 'zombie alert' hacker used a city email to breach system. Retrieved from https://www.mypalmbeacpost.com/news/lake-worth-zombie-alert-hacker-used-city-email-breach-system/

Palm Beach Post. (2018, May 23). National, social media has way too much fun with Lake Worth's 'zombie alert'. Retrieved from https://www.palmbeachpost.com/news/new-nation-social-media-has-way-too-much-fun-with-lake-worth-zombie-alert/

Rodriguez, D. (2018, May 22). A fake 'zombie outbreak' alert alarms Lake Worth residents. Retrieved from https://www.tampabay.com/news/A-fake-Zombie-Outbreak-alert-alarms-Lake-Worth-residents-_168461999

Ross, M. (2018, May 22). Lake Worth falsely sends out 'zombie' alert during power outage. Retrieved from https://www.palmbeachpost.com/news/breaking-news-breaking-lake-worth-falsely-sends-out-zombie-alert-during-power-outage/

Shatzman, M. (2018, May 22). Where did the zombies come from in Lake Worth? Retrieved from http://www.sun-sentinel.com/local/palm-beach/fl-pn-lakeworth-zombie-alert-05222018-story.html

Sputnik International. (2018, May 23). Florida apocol-lapse: US city's residents mistakenly warned of zombie attack. Retrieved from https://sputniknews.com/viral/201805231064710940-zombie-alert-warning-message/

Power grid attacked...again



The power grid, along with other utilities, continues not to receive its due cybersecurity attention. Unfortunately, the population in general does not appreciate how vulnerable a significant portion of this infrastructure is. More to the point, the potential effects of a breach (i.e., no electricity for extended periods) are not appreciated until it happens to a set of users.

Attackers
This issue has two sides, as most do. While the defenders have not given the grid the appropriate level of attention, the attackers have given it at least a baseline amount. The December 2016 attack on the Kyiv power grid has now, from the appearances and evidence present, been attributed to a well-known group. The attack was allegedly the work of the TeleBots group and used the Industroyer malware. The same group is linked to the disk-wiping NotPetya malware and to BlackEnergy, the malware used in the December 2015 blackout in Ukraine.

TeleBots has been linked to Industroyer through its recent activity. In April 2018 the group attempted to deploy a new backdoor, named Exaramel, which ESET's analysis shows to be an improved version of the Industroyer backdoor. The link is based on code similarities, shared command and control (C&C) infrastructure, and the malware execution chains. While this is not 100% conclusive, the direction of the evidence is significant, and the pattern of deploying this specific backdoor alongside TeleBots' known tooling is rather telling.

Resources

Lyngaas, S. (2018, October 11). Researchers link tools used in NotPetya and Ukraine grid hacks. Retrieved from https://www.cyberscoop.com/telebots-eset-notpetya-ukraine-link/

Reeve, T. (2018, October 11). Kyiv power grid attack attributed to TeleBots through Industroyer link. Retrieved from https://www.scmagazineuk.com/kyiv-powre-grid-attack-attributed-telebots-industroyer-link/article/1495836?bulletin=sc-newswire

WeLiveSecurity (ESET). (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved from https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/

Ed tech targeted!



Chegg Inc. is a US-based, publicly traded company, which went public in 2013. The company rents textbooks online and offers tutoring services. It therefore holds and manages sensitive and confidential client information, and because that data is very marketable, the company is a natural target.

Issue!
The company was targeted and experienced a data breach. Chegg learned of the breach on September 19, 2018. That is the good news: the company might never have detected the breach at all, and its clients would have been none the wiser, so detecting it was good for all parties involved. The bad news is that the breach occurred on or about April 29, 2018. The attackers could therefore have been in the company's systems for nearly five months, unfettered and harvesting whatever information they wanted. Chegg began notifying the affected clients on September 26, 2018. The notice stated that client data and other information had been accessed.

The compromise, beginning in late April 2018, involved an unauthorized party or group accessing a company database containing user data, including names, email addresses, shipping addresses, and hashed passwords. Granted, the passwords being hashed is a good thing. The open question, and potential issue, is that the hashing algorithm was not disclosed; it could have been a fast, unsalted hash and therefore vulnerable to offline cracking. The breach also affected the data of Chegg's subsidiary EasyBib.
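The concern about the undisclosed hashing algorithm is worth making concrete. The following Python is an added example, not code from Chegg or from this post. It contrasts an unsalted MD5 password store, which a stolen database plus a small wordlist breaks in a single pass over the wordlist, with a salted, deliberately slow PBKDF2-HMAC-SHA256 store, which forces the attacker to redo the work for every user and every guess. The wordlist, user names and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed stand-in for the top of a leaked-password list (not real Chegg data).
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "password123", "chegg2018"]

# Assumption: iteration count tuned so one hash costs roughly 0.1 s on a modern CPU.
PBKDF2_ITERATIONS = 200_000


def weak_hash(password: str) -> str:
    """Unsalted MD5: fast, deterministic and identical across users, so one hash
    computation per guess tests every leaked account at once."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus slow PBKDF2-HMAC-SHA256. The stored record is
    self-describing so the work factor can be raised later without breaking old hashes."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_unsalted_md5(stolen: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Offline attack on a leaked table of unsalted hashes: hash each guess once,
    then match it against every user simultaneously (no per-user work at all)."""
    lookup = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return {user: lookup[h] for user, h in stolen.items() if h in lookup}
```

With the unsalted store, the cost of trying a wordlist is independent of the number of leaked users; with 40 million accounts that is the difference between a few seconds and a multi-year effort. The salted, slow store does not stop a determined attacker from recovering a single weak password, but it removes the bulk-recovery shortcut.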

Remediation
This was a rather serious breach. Because the clients' information had been accessed by an unauthorized party, Chegg needed to reset passwords. This was a substantial project, as roughly 40 million users overall were affected.


Resources
Cimpanu, C. (2018, September 26). Chegg to reset passwords for 40 million users after April 2018 hack. Retrieved from https://www.zdnet.com/article/chegg-to-reset-passwords-for-40-users-after-april-2018-hack/

Pymnts. (2018, September 27). Chegg hack hits 40M customers. Retrieved from https://www.pymnts.com/news/securityandrisk/2018/chegg-data-breach/

Reed, J. R. (2018, September 26). Ed tech company Chegg plunges after disclosing data breach. Retrieved from https://www.cnbc.com/2018/09/26/ed-tech-company-chegg-plunges-after-disclosing-data-breach.html

Reed, J. R. (2018, September 26). Online textbook rental and tutorial company Chegg plunges after disclosing data breach. Retrieved from https://sg.finance.yahoo.com/news/online-textbook-rental-tutorial-company-191100361.html

Chegg, Inc. (2018, September 25). Form 8-K, filed with the U.S. Securities and Exchange Commission (SEC). Retrieved from https://www.sec.gov/Archives/edgar/data/1364954/000136495418000187/cyrus.htm

Surran, C. (2018, September 26). Chegg -12% after disclosing data breach; reaffirms Q3 guidance. Retrieved from https://seekingalpha.com/news/3393207-chegg-minus-12-percent-disclosing-data-breach-reaffirms-q3-guidance

Thursday, October 18, 2018

Blockchain to be helpful with cybersecurity

Blockchain use has grown exponentially over the last few years, and people are trying to apply it to virtually anything possible. The phenomenon almost appears to be the goose that lays the golden eggs: when the term blockchain is attached to a process, it receives instant attention. This is prevalent to the extent that it is being applied where it may not make the most sense.

That being said, one application where blockchain may have a useful place is securing data. One area cybersecurity is directly focused on is data security, including cryptography. Without delving into the minutiae of the blockchain's inner workings, the basic mechanism can be applied to data integrity.

Each chunk or block of data from the entire data set is packaged and saved together with the cryptographic hash of the prior block, so the chain is secured by the hash function. Once a block is in the chain, it cannot be altered without changing its hash and, transitively, the hash of every later block. In addition, the nodes validate the blocks and each other's copies of the chain. For an attack to succeed, the attacker would have to rewrite the chain from the altered block forward and also control more than 50% of the nodes (or hashing power). On a large public network this is exceptionally unlikely; on a small or private chain with few nodes it is not, and that caveat matters for an enterprise deployment. With this in place, along with an industry-accepted cryptographic algorithm, there could be a place for blockchain within the data security realm.
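To make the "cannot be changed" property concrete, here is a minimal hash chain in Python, added as an example and not code from this post or from any blockchain project; the ledger records are constructed. It shows that editing a block, even when the attacker recomputes that block's own hash, breaks the back-reference held by the next block, and it also shows the one edit a single copy of the chain does not catch on its own.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS_PREV = "0" * 64  # the first block points at an all-zero hash


def block_hash(index: int, prev_hash: str, data: Any) -> str:
    """The hash covers the position, the previous block's hash and the payload,
    so changing any of them changes this hash and, transitively, every later one."""
    payload = json.dumps({"index": index, "prev": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(records: List[Any]) -> List[Dict[str, Any]]:
    """Append each record as a block linked to its predecessor."""
    chain: List[Dict[str, Any]] = []
    prev = GENESIS_PREV
    for i, data in enumerate(records):
        h = block_hash(i, prev, data)
        chain.append({"index": i, "prev": prev, "data": data, "hash": h})
        prev = h
    return chain


def find_first_invalid(chain: List[Dict[str, Any]]) -> Optional[int]:
    """Index of the first block whose link is broken, or None if the chain is intact.
    Checks the stored hash against a recomputation and the back-reference."""
    prev = GENESIS_PREV
    for i, blk in enumerate(chain):
        if blk["index"] != i or blk["prev"] != prev:
            return i
        if block_hash(i, prev, blk["data"]) != blk["hash"]:
            return i
        prev = blk["hash"]
    return None


def tamper_and_rehash(chain: List[Dict[str, Any]], index: int, new_data: Any) -> List[Dict[str, Any]]:
    """Attacker edits one block and recomputes only that block's hash.
    The following block still references the old hash, so verification fails there."""
    forged = [dict(b) for b in chain]
    forged[index]["data"] = new_data
    forged[index]["hash"] = block_hash(index, forged[index]["prev"], new_data)
    return forged
```

Tampering with the last block and re-hashing it is not detected by a single copy of the chain, because no later block references it; that is precisely the case the replicated nodes and the majority rule are meant to cover, and it is why a private chain with a handful of nodes under one administrator offers little more than a signed log.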


Village Ransomwared!

Day after day, the Village of Jefferson simply operated as it had the day before, and the day before that. Each day passed without anything exciting occurring. The existence was rather uneventful, which is perfectly acceptable.

Ransomware
On a fateful day, the last thing on the administration's mind was its systems being encrypted and a ransom demanded for the decryption key.

In late May 2018, this is exactly what happened (http://www.starbeacon.com/news/locla-news/hackers-try-t0-hold-jefferson-computers-at-ransom/). The Village of Jefferson found itself a victim of ransomware. The ransom demand was for approximately $4,900 in bitcoin, to be paid or the systems would be wiped. Curiously, two additional entities were hit at nearly the same time; all three contracted services from Steve Schoneman of Ashtabula's Schoneman Inc.

Target
The focal point of the attack, among other areas, was a computer used for the village's finances. Fortunately, the village actively maintained backups, which were used to re-image the affected systems. This sounds easy enough; however, the project did take a few days.

Lessons
This is a fantastic example of what makes backups, tested and verified, so very important. Granted, the recovery took a bit of time; however, compared to losing the data forever or paying the ransom, it was a completely viable solution. Without verified backups in place, the village would have been in a very difficult position.
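"Tested and verified" has a concrete meaning: a backup is only known good once a restore from it has been checked against an integrity record taken when the backup was made. The Python below is an added example and not the village's or its contractor's tooling; it builds a SHA-256 manifest of a directory at backup time, simulates a ransomware run on the live copy (every file overwritten and renamed), and then verifies both the live tree and a fresh restore against the manifest. All file names and contents are constructed.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root. Record this at backup
    time and keep it apart from the backup: an attacker who can encrypt the
    backup can just as easily rewrite a manifest stored next to it."""
    manifest: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def verify_tree(root: str, manifest: Dict[str, str]) -> List[str]:
    """Compare a tree (the live system or a test restore) against the manifest.
    Returns a sorted list of findings; an empty list means an exact match."""
    problems: List[str] = []
    for rel, expected in manifest.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            problems.append(f"missing: {rel}")
        elif sha256_file(full) != expected:
            problems.append(f"modified: {rel}")
    for rel in build_manifest(root):
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)


def demo() -> Tuple[List[str], List[str]]:
    """Constructed scenario: back up a finance directory, simulate ransomware on
    the live copy, then verify the live copy and a restore from the backup."""
    work = tempfile.mkdtemp()
    try:
        live = os.path.join(work, "finance")
        os.makedirs(os.path.join(live, "2018"))
        with open(os.path.join(live, "2018", "budget.csv"), "w") as f:
            f.write("dept,amount\nwater,12000\nstreets,8500\n")
        with open(os.path.join(live, "payroll.xlsx"), "wb") as f:
            f.write(b"PK\x03\x04 constructed payroll bytes")

        manifest = build_manifest(live)           # taken at backup time
        backup = os.path.join(work, "backup")
        shutil.copytree(live, backup)

        # Simulate the ransomware: overwrite every file and rename it.
        for rel in manifest:
            path = os.path.join(live, *rel.split("/"))
            with open(path, "wb") as f:
                f.write(os.urandom(64))
            os.rename(path, path + ".locked")

        live_findings = verify_tree(live, manifest)
        restore = os.path.join(work, "restore")
        shutil.copytree(backup, restore)          # the re-image step
        restore_findings = verify_tree(restore, manifest)
        return live_findings, restore_findings
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

Run `demo()` and the live tree reports every original file missing and every `.locked` file unexpected, while the restore reports nothing. The same `verify_tree` check, run on a schedule against a scratch restore, is what turns "we have backups" into "we have backups we know we can restore".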

Friday, October 12, 2018

Another key fob attack!

Vehicles are synonymous with US culture. They are pervasive in commercials, print ads, radio, the vast number of vehicles on the road, and various other sources. As the technology and autonomy built into them continue to grow, they become more of a target for attack and for research; vehicle and embedded-systems cybersecurity is a growing field as a result. One relevant, significant attack and the researchers have their 15 minutes of fame, and hopefully a bug bounty for their efforts.

Recently another vulnerability was found in a Tesla vehicle. The researchers were from the Computer Security and Industrial Cryptography (COSIC) research group at KU Leuven in Belgium. In particular, they focused on the Passive Keyless Entry and Start (PKES) system used in the Tesla Model S, McLaren vehicles, and others.

Target/Affected Vehicles
PKES is a common feature in vehicles currently in production. The two primary vehicles affected are the Tesla Model S and McLaren models, along with any other vehicle using the Pektron PKES system; two other manufacturers using it are Karma and Triumph.

Method
With a simple set of tools, the researchers were able to clone a key fob and unlock and start the vehicle within a few seconds.

As noted, the key fob system is manufactured by Pektron. COSIC analyzed the fob's communication and designed a Time-Memory Trade-Off (TMTO) attack. Once this succeeded, the researchers were able to gain access to the interior of the vehicle and drive it away.

For a vehicle of this class, one might expect the required tools to be expensive and complex. To the contrary, the attack equipment consisted of a Raspberry Pi 3 Model B+, a smartphone hotspot, a Proxmark 3, a Yard Stick One, and a USB battery pack. The hotspot was needed so the Pi could query the 6 TB drive holding the TMTO table. None of this is costly: the Raspberry Pi 3 Model B+ was $35, the Yard Stick One $100, and the Proxmark 3 RDV4 kit $300 (the USB battery pack varies greatly in price). Thus the researchers spent approximately $435 to access a vehicle with a starting price of about $77k.

The security issue that allowed this access was an exceptionally weak cipher. The fob used a proprietary cipher (DST40) with a 40-bit key, chosen because of the fob's limited processing power. Forty bits is small enough that every possible key can be enumerated once, offline, and the results stored in a lookup table, which is what made the compromise so quick.

The researchers first sniffed the low-frequency beacon that the car continuously transmits to the fob, which includes the car's identifier. Impersonating the car with that identifier, they then sent the fob two chosen challenges and captured its two 24-bit responses. The first response was looked up in the 6 TB table of precomputed responses (one per possible key) to obtain the candidate keys, and the second challenge/response pair disambiguated them. Recovering the key took merely a few seconds.
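The time-memory trade-off is easier to see in code. The Python below is an added example, not the COSIC team's tooling; it uses a keyed BLAKE2b truncated to 24 bits as a stand-in for DST40 (the real cipher is not implemented here, only its shape: a short key in, a 24-bit response out) and an 18-bit key space so the table builds in well under a second. The challenge values are arbitrary constants chosen for the example.

```python
import hashlib
from typing import Dict, List, Optional

KEY_BITS = 18          # toy size; the Pektron fob's DST40 key is 40 bits
RESP_BYTES = 3         # DST40 likewise returns a 24-bit response
FIXED_CHALLENGE = bytes.fromhex("a5a5a5a5a5")   # attacker's chosen first challenge
SECOND_CHALLENGE = bytes.fromhex("0123456789")  # used only to rule out collisions


def fob_response(key: int, challenge: bytes) -> bytes:
    """Stand-in for the fob's keyed cipher. Not DST40; only the interface is mirrored."""
    return hashlib.blake2b(challenge, key=key.to_bytes(5, "big"), digest_size=RESP_BYTES).digest()


def precompute_table(key_bits: int = KEY_BITS) -> Dict[bytes, List[int]]:
    """Offline, once: the response to the fixed challenge for every possible key.
    This is the memory side of the trade-off (the researchers' 6 TB drive)."""
    table: Dict[bytes, List[int]] = {}
    for key in range(1 << key_bits):
        table.setdefault(fob_response(key, FIXED_CHALLENGE), []).append(key)
    return table


def recover_key(table: Dict[bytes, List[int]], resp1: bytes,
                challenge2: bytes, resp2: bytes) -> Optional[int]:
    """Online, seconds: look up the first response, then use the second
    challenge/response pair to pick the right key among any collisions."""
    for key in table.get(resp1, []):
        if fob_response(key, challenge2) == resp2:
            return key
    return None


def attack(table: Dict[bytes, List[int]], victim_key: int) -> Optional[int]:
    """Simulate standing near the victim: impersonate the car and send the fob
    two challenges. The fob answers with its secret key; the attacker never sees it."""
    resp1 = fob_response(victim_key, FIXED_CHALLENGE)
    resp2 = fob_response(victim_key, SECOND_CHALLENGE)
    return recover_key(table, resp1, SECOND_CHALLENGE, resp2)


def table_bytes(key_bits: int, key_bytes: int = 5) -> int:
    """Rough size of a full table: one key-sized entry per possible key."""
    return (1 << key_bits) * key_bytes
```

Scaling the same table to a 40-bit key gives 2^40 entries of about five bytes each, roughly 5.5 TB, which matches the 6 TB drive in the write-ups; at 128 bits the table is not buildable, which is the whole argument for a modern cipher in the fob. Note also that the attacker never needs to break the cipher analytically: only enumeration of the key space and two interactions with the fob.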

Remediation
Naturally, this is a rather serious issue. The attack leads to a significant compromise: entry to the vehicle and the ability to drive it away. Tesla's remediation consisted of a software update adding an optional 'PIN to Drive' feature, which requires the user to enter a PIN before the vehicle can be driven, alongside a fob with stronger cryptography for cars built from mid-2018. McLaren, on the other hand, took a physical route and mailed owners a Faraday pouch to keep the fob in, which blocks its signal from reaching as far as it otherwise would.

Responsible Researchers
COSIC disclosed the vulnerabilities to Tesla in August 2017, giving the company time to fix the issue. Tesla acknowledged the issue, thanked the researchers, and paid them a $10k bug bounty. To be fair, the researchers also contacted Pektron, the manufacturer of the PKES system, and the other known vehicle manufacturers using it (McLaren, Karma, and Triumph).

To further the research, the attack was repeated during a live demonstration in April 2018, and the findings were presented at the Cryptographic Hardware and Embedded Systems (CHES) 2018 conference in Amsterdam on September 10, 2018.


Resources
Allen, L. (2018, September 10). Security flaws in Tesla and McLaren keyless entry found. Retrieved from https://www.autocar.co.uk/car-news/new-cars/security-flaws-tesla-and-mclaren-keyless-entry-found

Beckwith, J. (2018, August 29). Tesla introduces 'PIN to Drive' security feature. Retrieved from https://www.autocar.co.uk/car-news/new-cars/tesla-introduces-pin-drive-security-feature

Field, K. (2018, August 6). Tesla files FCC application for Bluetooth key fobs for Tesla Model 3 owners. Retrieved from https://cleantechnica.com/2018/08/06/tesla-rolling-out-bluetooth-key-fobs-fortesla-model-3-owners/

Greenberg, A. (2018, September 10). Hackers can steal a Tesla Model S in seconds by cloning its key fob. Retrieved from https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/

Jones, R. (2018, September). Researchers show off method for hacking Tesla's keyless entry, so turn on two-factor authentication. Retrieved from https://gizmodo.com/researchers-show-off-method-for-hacking-tesla-s-keyless-1828951056

Lambert, F. (2018, August 7). Tesla is working on a new key fob, potentially for keyless Model 3. Retrieved from https://electrek.co/2018/08/07/tesla-new-key-fob-model-3/

Mahoney, J. (2018, September 12). Hackers discover security flaw with Teslas and McLarens. Retrieved from https://www.motoring.com.au/hackers-discover-security-flow-with-teslas-and-mclarens-114580/

Malone, W. (2018, August 7). Potential Model 3 fob: Tesla registers new BLE fob with FCC. Retrieved from https://insideevs.com/potential-model-3-fob-tesla-registers-new-ble-fob-with-FCC/

Morse, J. (2018, September 10). Your Tesla is probably vulnerable to hackers, but there's an easy fix. Retrieved from https://mashable.com/article/tesla-model-3-hack-key-fob/#VJLA4Bg8uaq0

Mott, N. (2018, September 11). Tesla's keyless entry duped by cloned fobs. Retrieved from https://www.tomshardware.com/news/security-flaws-tesla-wireless-key-systems,37779.html

Sachdeva, A. (2018, September 11). Tesla Model S can be hacked in seconds with this Raspberry Pi-powered equipment. Retrieved from https://fossbytes.com/tesla-model-s-keyfob-hacked-equipment/