Woesnotgone Meadow; March 26, 2019

All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, we have our school system. This isn’t huge, however, is just-right-sized for the community. We have all the amenities of the larger schools and cater to the students. This can be a blessing and create an issue. Any school can be a target, as the Bridgeport schools in CT have found.

Public schools abound through the nation. These are located locally and in certain instances, even within the neighborhoods, their students live in. The schools provide a vital service to the residents and the children in the community. The subject school is the Bridgeport School District, located in Bridgeport, CT.

The attack was much like so many others experienced not only in the school districts but also across the different industries. The school district was targeted for a ransomware campaign. This was allegedly delivered via a phishing attack. This is presumed, as this is the general attack vector. This, however, was not directly stated.

Although no data was exfiltrated, the ransomware was successful. The general operation is for the PCs and/or servers (preferably servers) to be encrypted, and the decrypt key is supplied (hopefully) after the fee is paid, or if the back-ups are viable and current, use these. With this attack, a portion of the district’s data was indeed encrypted. The composition of the data was not detailed in the publications. The amount of the ransom was not listed either.

The school district’s superintendent stated no data was exfiltrated. The attackers were, however, able to access Power School, which was used to store the student’s data. A few of the teachers noted the data encrypted was primarily from their work efforts (e.g. lesson plans and teaching materials). The student’s work and student’s and teacher’s personal data were not affected by this issue.

Once the school district detected the issue they worked through the weekend to fix this. The plan was to limit the damage to the data. Subsequently, all district employees were required to change their passwords. The employees were also directed not to bring in their own equipment into the workplace. The school district was actively working with law enforcement.

This successful attack is an example of what to focus on with the users for the health, and cybersecurity of the organization. With BYOD (bring your own device), the business or entity when this is allowed, also allows any issues on the employee’s personal laptop or device into the network if it attached. The business is at the whim of the person’s level of cybersecurity hygiene, or lack of. Also, there should be substantial training on email and phishing, including what to look for and suspicious requests.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources

Lambeck, K.C. (2019, January 8). Bridgeport schools computer network falls victim to cyberattack. Retrieved from https://www.ctpost.com/local/article/Bridgeport-Schools-computer-network-hit-by-113515819.php

Lambeck, K.C. (2019, January 9). Connecticut school district hit with ransomware attack. Retrieved from http://www.govtech.com/security/Connecticut-School-District-Hit-with-Ransomware-Attack.html

Olenick, D. (2019, January 8). Bridgeport, Conn., schools hit with ransomware. Retrieved from https://www.scmagazine.com/home/security-news/bridgeport-conn-schools-hit-with-ransomware/

Woesnotgone Meadow; March 21, 2019

All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

Most towns of a certain size have some form of a Chamber of Commerce. Although the Meadow does not have a vast number of businesses, there are quite a few. Jerry is the president and keeps everything running smoothly. Our little municipality has not been targeted for an attack, thankfully. Other Chamber of Commerce departments have not been that lucky. The Ann Arbor/Ypsilanti Regional Chamber of Commerce is located in the southeastern section of the lower peninsula of Michigan. They manage all of the usual tasks a chamber of commerce would.

On January 8, 2019, their computer system was successfully attacked. The attackers used well-known Emotet malware. This iteration allowed the attackers access to customer names, mailing addresses, and emails. The attackers, fortunately, did not have access to banking information, accounts, credit cards, security codes, or passwords.

 Emotet is a curious piece of malware. This is coded to especially evade detection, embed itself into the system and multiply. If the malware detects it is in a sandbox, it is coded to remain dormant. This is also polymorphic, meaning each time it is downloaded, the malware changes slightly, to evade a standard anti-virus signature. As this was designed so well, it is no wonder this is still in use over the last five years.

To remediate the issue, and get the Chamber back up and running, they had to start somewhere. The Chamber began researching what happened with this and on January 24, 2019 sent a notice to its members regarding the successful attack and compromise. In the least, this is an opportunity to learn from this and improve training for the staff. As a reminder, any training does not need to be bland, and not encourage the users to become bored.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources

Afana, D. (2019, January 24). Malware hits ann arbor/ypsilanti chamber, member information safe, officials say. Retrieved from https://www.mlive.com/news/ann-arbor/2019/01/malware-hits-ann-arborypsilanti-chamber-member-information-safe-officials-say.html

Stockley, M. (2019, January 25). Fighting emotet: Lessons from the front line. Retrieved from https://nakedsecuriyt.sophos.com/2019/01/25/fighting-emotet-lessons-from-the-front-line/

Woesnotgone Meadow; March 22, 2019

All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, our residents all have one of the many variants of the cell phone. We naturally have the iPhone and Android, and Margie has an old-school flip phone. Our residents use this for navigation, calling family, listening to music, and a variety of other uses. These, while useful, have tended to be a rather important tool in daily life. While these have grown in use and prominence, this has produced a negative bi-product. The phone, especially the Android platform, has become a target for the attackers. While unfortunate, this is our situation.

Across the globe, there are 5B cell phone users (aka targets). With this vast number of users to attack, it’s no wonder these devices are attacked and successfully compromised with regularity. One app available on the Android system is Android Auto. The user plugs their phone into the USB in the vehicle, and the head unit (or screen in the dash) begins to function as an extension of the phone. This acts to interact with the vehicle as a tenant, not as the host, meaning the vehicle is still in charge of the head units operations, and the app is working within it. The app connects to the head unit in the dash and allows the user access to the phone’s functions.

This is great for the user, as they can use the phone while in the vehicle. If the phone were to have malware or another issue, as this connects to the vehicle, could affect the vehicle's operations, if this were coded for the vehicle’s systems. Although this is still a proof of concept (PoC), since there has not been an active attack, there is still the future opportunity for a thorough compromise. Now is the time to address any potential vulnerabilities now, while it is still less costly to fix, versus being in the Sunday paper explaining why a compromise occurred and paying for immediate remediation.  

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Resources

Mandal, A.K., Cortesi, A., Ferrara, P., Panarotto, F., & Spoto, F. (2018). Vulnerability analysis of android auto infotainment apps. In Proceedings of the 15th ACM International Conference on Computing Frontier, 183-190. doi:10.1145/3203217.3203278

Woesnotgone Meadow; December 25, 2018

Woesnotgone Meadow has their own police department dedicated to our municipality. They maintain the peace and enforce the laws. Although the work they do is primarily manual, as this involves working directly with the public, face-to-face. There is also the back-end of the work, involving among other things the computer systems. While the vehicles are at risk mostly while on the road, the police department computer network may be attacked at any time, any day of the week. The Rockaway Township police department found this out the hard way.

The attack itself occurred on Thanksgiving. From the attacker’s view, the timing could not have been better. There were many officers, and especially admin staff, off for the holidays. The focus was on their computer system. The attack brought down the system. This wasn’t merely someone who wanted to quickly deface a website, but someone who wanted to hinder the operations. The attacker was good enough so that two weeks after the attack, the department did not know who conducted the attack. The police are still unsure of how this occurred, the vulnerabilities, or distinct exploits.

There are a few issues that are significant, and would worry me if I happened to live within their municipality. With the resources and budget, seemingly their computer system would have some form of an IDS/IPS to manage these occurrences. On a secondary note, the police were still unsure how this actually happened. From a rudimentary Incident Response (IR) view, they should have some idea of what happened.

 To assist with this, the police had contracted with a third party to assist the police department with remediation and data restoration services. But wait, there’s more! The township management is tasked with managing the township. The management team is unhappy with the lack of progress with the investigation. The investigation was still ongoing as of 12/10/2018.

Resources

Dissent. (2018, December 10). Rockaway twp. Police computer hacker still unknown; leaders want answers. Retrieved from https://www.databreaches.net/rockaway-twp-police-computer-hacker-still-unknown-leaders-want-answers/

Myers, G. (2018, December 8). Rockaway twp police computer hacker still unknown; leaders want answers. Retrieved from https://www.northjersey.com/story/news/local/morris-county/2018/12/08/rockaway-twp-police-computer-hacker-still-unknown-leaders-want-answers/2242543002/