Tuesday, May 21, 2019

Woesnotgone Meadow; May 21, 2019

All is well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, we don’t have any significant manufacturing industries or facilities. The closest we have is a factory which assembles vehicle air fresheners. Although we don’t have much in the way of heavy industry within our bounds, our residents certainly are aware of these facilities.

Within these large facilities, robots abound, lifting the heavy or awkwardly sized parts in a precision ballet. Watching the process is an amazing feat of science. These robots, while completing their tasks as more of a science than an art, also present endpoints that can be attacked. Acquiring a list of them to probe could take a bit of time and could be hit and miss. Fortunately, there is a tool for this.

Aztarna
To save time, energy, and effort, Alias Robotics wrote the open source tool Aztarna in Python. Alias Robotics, although a start-up, did create this valuable tool. The term Aztarna means “footprint” in Basque. In short, it is a port scanner that compares its scan results against a database of fingerprints for individual robot controllers, robotic technologies, and their components. The tool performs robot footprinting, auditing of internet-connected robots, and identifying and locating robots and their components. It was engineered to operate in different modes, depending on the pentesting use case.

Uses
As described, this is a robot scanning tool, which seeks out robots and robot components exposed on the internet. It is used to track robots that are connected to the internet and powered by any robotic technology (e.g. ROS (Robot Operating System) and SROS (Secure ROS)). The primary focus of the tool is industrial robots and robots used as part of daily operations, for instance those assembling products on a manufacturing production floor.

Targets
The tool begins by seeking out specific routers. Within the robotics field, a limited number of manufacturers supply the routers in use. Historically these have been Sierra Wireless, Ewon, Moxa, and Westermo.

Initially, the tool was used to scan globally, not only in the US. This scan detected 9000 insecure industrial routers hosting the targeted robots. Of the 9000, 1586 routers were in Europe. These were detected because they were misconfigured. Within this European sub-population, France and Spain had the most routers. In comparison, the US and Canada had far fewer.

A later scan of 26801 routers found that 8958, or approximately 33%, were insecure. These were using default or weak credentials, or not requiring authentication at all. Of these, Colombia had the greatest number of misconfigured and insecure devices, with 26 each, all of them using default credentials.

The researchers also scanned for an open ROS Master on port 11311. Aztarna was configured to verify whether the hosts found were actually running ROS. The tool detected 106 ROS systems. Of these, 52 were located in the US and 16 in South Korea. A portion of these were noted as being connected to simulations or not connected to actual robots at all.
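Aztarna works from the outside in; the defender-side counterpart is to check your own hosts first. The C below is an added example, not Aztarna's or Alias Robotics' code: it parses constructed `ss -ltn`-style socket listings for two hypothetical hosts and counts ROS master listeners (TCP 11311, the port named above) bound to an address reachable from off the host. The sample lines, the `is_loopback` helper, and the single-port watchlist are assumptions; vendor router management ports are site-specific and are not included.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Port Aztarna probes for an open ROS master, as described in the post.
 * Assumption: only this documented port is checked; extend for your site. */
#define ROS_MASTER_PORT 11311

/* Constructed `ss -ltn`-style output for two hypothetical hosts. */
static const char *HOST_EXPOSED =
    "State  Recv-Q Send-Q Local Address:Port  Peer Address:Port\n"
    "LISTEN 0      128    0.0.0.0:22          0.0.0.0:*\n"
    "LISTEN 0      128    0.0.0.0:11311       0.0.0.0:*\n"
    "LISTEN 0      128    [::]:8080           [::]:*\n";

static const char *HOST_LOOPBACK_ONLY =
    "State  Recv-Q Send-Q Local Address:Port  Peer Address:Port\n"
    "LISTEN 0      128    127.0.0.1:11311     0.0.0.0:*\n"
    "LISTEN 0      128    [::1]:11311         [::]:*\n";

typedef struct {
    char addr[64];
    int  port;
} listener_t;

/* Parse one ss line into address and port. Header and non-LISTEN lines are skipped. */
static int parse_listener(const char *line, listener_t *out)
{
    char state[16], local[80];
    unsigned rq, sq;
    if (sscanf(line, "%15s %u %u %79s", state, &rq, &sq, local) != 4) return 0;
    if (strcmp(state, "LISTEN") != 0) return 0;
    char *colon = strrchr(local, ':');     /* last ':' separates the port, also for [::] */
    if (colon == NULL) return 0;
    *colon = '\0';
    out->port = atoi(colon + 1);
    snprintf(out->addr, sizeof out->addr, "%s", local);
    return 1;
}

/* Loopback bindings are unreachable from the network and are not findings. */
static int is_loopback(const char *addr)
{
    return strncmp(addr, "127.", 4) == 0 || strcmp(addr, "[::1]") == 0;
}

/* Count ROS master listeners bound to an address reachable from off the host. */
static int count_exposed_ros_masters(const char *ss_output)
{
    char buf[2048];
    int exposed = 0;
    snprintf(buf, sizeof buf, "%s", ss_output);   /* strtok needs a writable copy */
    for (char *line = strtok(buf, "\n"); line != NULL; line = strtok(NULL, "\n")) {
        listener_t l;
        if (parse_listener(line, &l) && l.port == ROS_MASTER_PORT && !is_loopback(l.addr))
            exposed++;
    }
    return exposed;
}

int main(void)
{
    printf("exposed host:  %d ROS master(s) reachable from the network\n",
           count_exposed_ros_masters(HOST_EXPOSED));
    printf("loopback host: %d ROS master(s) reachable from the network\n",
           count_exposed_ros_masters(HOST_LOOPBACK_ONLY));
    return 0;
}
```

A wildcard binding such as 0.0.0.0 or [::] on 11311 is exactly the condition an internet-wide scan would pick up; on a real host the output of `ss -ltn` is fed in place of the constructed samples.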

Vulnerability
The robots were the end target. These insecurities are a clear threat to the manufacturers’ cybersecurity, and the manufacturers may not be giving this as much attention as needed. With so many of these devices having no authentication, default credentials, or weak credentials in place, there is a problem. When these systems go down, as when an attacker successfully breaches one of them and shuts down one or more robots, every second is revenue lost to the company. Depending on the size of the manufacturer, this could be hundreds of thousands a day to millions. The amount of lost revenue, which also depends on the workflow and the orders being worked on, is staggering for those with compromised systems, or when ransomware is applied to the robots. To say the least, it is prudent for the manufacturers to review this.

Responsible Disclosure
The researchers recorded the vulnerable robots and components from the scans. They did not simply sit on the results and do nothing positive with them. They did not want the manufacturers to continue relying on security by obscurity, an approach that has never worked well in the long term. The manufacturers were notified of the vulnerabilities.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest encryption.


Monday, May 20, 2019

Woesnotgone Meadow; May 21, 2019

All is well here at Woesnotgone Meadow, where everyone has above average bandwidth.

At times, the citizens of the Meadow may get the flu or another virus. For a certain portion of the population, the flu or pneumonia has the potential to be very serious. At that point, the resident is transported to a hospital and becomes a patient, providing personal information including name, social security number, and insurance information. The hospital then becomes responsible for that personal, confidential data. Generally, this is not an issue and the hospital has the data secured. At times, however, this is not the case.

Pawnee County Hospital is located in Nebraska. The hospital conducts business just as most hospitals do, and most days on the administrative side are not all that exciting. Things were about to change for the administrators. The attack in question was rather passive, yet in this case very effective. On November 29, 2018, the hospital discovered the issue. A hospital staff member had received and opened an email, something that happens dozens and dozens of times a day for most of the hospital’s staff members. In this case, as with the others, the employee mistakenly thought the message came from a trusted source. Unfortunately, the staff member opened the attachment and began the infection. The attacker had access from November 16 through 24. The employee’s email account contained business clinic reports, clinical summaries, and other pertinent internal documents. Post-discovery, the hospital contracted with a third party for the forensic work.

As this is a hospital, the data it has been entrusted with is primarily the patients’ confidential data and information (PHI and PII). The compromise allowed unauthorized access to this. The data the attacker had access to was the patient’s full name and at least one of the following: address, date of birth, date(s) of service, medical record number, clinical information, insurance information, and driver’s license/state ID number. The patient’s social security number may also have been involved.

Due to the compromise, the hospital was required to notify 7,038 to 7,175 patients of the issue, a direct result of the malware infecting the system. The compromise created quite an issue for the hospital. As for remediation, the hospital agreed to provide one year of credit monitoring service. The IT department also began updating its systems, and all staff members were required to reset their email passwords. Additional security features were also put in place.

This issue also continues to show the importance of employee training. With appropriate training perhaps there would be fewer of these types of issues.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest encryption.

Thursday, May 16, 2019

Woesnotgone Meadow; May 16, 2019

All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, we are working towards a greener future. We are recycling and starting to use solar panels, and there are other projects in the works. We do use electricity from the grid to power our computers, lights, stoves, microwaves, and other services at home and work. Margie is the local manager for the power company, and she generally manages everything that needs to be done, individually and for the Meadow, so we know it is done right and on time. Fortunately, we have not had a problem with this. Another electricity provider appears not to have been so lucky.

Eskom is the largest electricity utility in South Africa. When a third party detects an issue on your system and reports the vulnerability to you, you would expect someone in the company to thank the researcher and start working on closing the issue. This does not seem outlandish or beyond the realm of reality. It did not quite happen in a recent case with Eskom.

A security researcher detected the vulnerability, located in Eskom’s information system and its database. The issue had been open for weeks. A company may not listen to someone without evidence, so the issue was documented to other parties with a screenshot. The specific details of the vulnerability had not been disclosed at that time. It may have stemmed from the AZORult Trojan, downloaded with a game. In this specific issue, the user who “allegedly” downloaded the Trojan had also been identified. The end result, and the detectable issue, was that the vulnerability was leaking customer data.

The researcher informed Eskom multiple times of the vulnerability and its effects. A news organization also informed Eskom, and there were direct messages to Eskom on Twitter. Still there was no action on this significant issue. After everything else failed, the issue was posted in a public forum (Twitter).

The exposure of user data was the alarm the researcher focused on. The vulnerability was leaking customers’ full names, credit card type, partial credit card number, and credit card CVV.

When you receive a gift, you generally don’t ignore it, especially one of this type. Receiving this information early, before the industry at large, would have saved Eskom a great deal of time, money, and overhead had they acted upon it. This also highlights the need for more user education. It should be obvious, however, that users should not load games on business computers.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Wednesday, May 8, 2019

Woesnotgone Meadow; May 8, 2019

All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, the residents are located a bit off the beaten path. Our highlight for the week tends to be driving to Margie’s Ice Cream Parlor on Friday night; on a special occasion, we may see turkeys in the field on the way there. Although we may not seem to be on the leading edge of technology, we certainly try to use the latest smartphones and laptops. With these devices, there have been various issues with antennas, batteries, and other hardware. A recent vulnerability involved the firmware on WiFi chips.

WiFi chips are used in numerous devices we use in the Meadow on a daily basis. These include gaming equipment, personal computers, business equipment, communications, IoT devices, and many other examples.

As part of the normal WiFi operation of a piece of equipment, the device beacons out, seeking the WiFi access points it is familiar with, without regard to the access password. In effect, it is seeking to learn what is local and nearby that it may connect with. This feature, or vulnerability, may allow the device to attach to an attacker’s device without any user interaction.

Other attacks involve rewriting the pointer to the next free block of memory and thereby controlling the allocation of the next memory block to be used. Prima facie this may appear mundane and not very exciting. By being able to change the pointer for the next block, however, the attacker could redirect the flow to an out-of-process run-time pointer, telling the target computer to alter its normal operation without authorization and run the attacker’s code or process. There are also other vulnerabilities associated with this.

Vulnerability
The firmware on these devices varies greatly and, unfortunately, has varying levels of security applied during the development process. In this particular instance, a vulnerability was detected in ThreadX, a real-time operating system (RTOS) created by Express Logic.

This is not a low-usage RTOS: there are over 6.2B deployments, which makes it one of the most widely used software packages and gives the vulnerability a very broad reach. One vulnerability detected involved a block pool overflow. The issue could be triggered when the chip scans for networks to connect to, a process that runs every five minutes, regardless of whether the device is connected or not.
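The two paragraphs above describe the mechanism in the abstract: an overflow out of one block overwrites the link to the next free block, and an allocator that trusts that link then hands out whatever address the overflowing data contained. The C below is a constructed teaching model added here; it is not ThreadX, Express Logic or Marvell code, and the block size, block count and in-block link layout are assumptions chosen to make the mechanism visible. It shows the unchecked path corrupting the free list, and two defensive checks (a bounded copy, and link validation inside the allocator) that each stop it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a fixed-size block pool: each free block stores the
 * address of the next free block in its first bytes. Sizes are assumptions. */
#define BLOCK_SIZE    32
#define BLOCK_COUNT   4
#define OVERSIZED_LEN (BLOCK_SIZE + sizeof(void *))   /* one pointer too long */

typedef struct {
    uint8_t  mem[BLOCK_SIZE * BLOCK_COUNT];
    uint8_t *free_head;                    /* first free block, NULL when exhausted */
} block_pool_t;

static void pool_init(block_pool_t *p)
{
    memset(p->mem, 0, sizeof p->mem);
    for (int i = 0; i < BLOCK_COUNT; i++) {
        uint8_t *blk  = p->mem + i * BLOCK_SIZE;
        uint8_t *next = (i + 1 < BLOCK_COUNT) ? blk + BLOCK_SIZE : NULL;
        memcpy(blk, &next, sizeof next);   /* the link lives inside the free block */
    }
    p->free_head = p->mem;
}

/* 1 if ptr is NULL (end of list) or the start of a block inside the pool. */
static int pool_owns(const block_pool_t *p, const uint8_t *ptr)
{
    uintptr_t lo = (uintptr_t)p->mem, hi = lo + sizeof p->mem, v = (uintptr_t)ptr;
    return ptr == NULL || (v >= lo && v < hi && (v - lo) % BLOCK_SIZE == 0);
}

/* Unchecked allocator: trusts the link blindly. After a neighbour overflows into
 * a free block, the next block handed out is whatever the overflow wrote. */
static uint8_t *pool_alloc_unchecked(block_pool_t *p)
{
    uint8_t *blk = p->free_head;
    if (blk == NULL) return NULL;
    memcpy(&p->free_head, blk, sizeof p->free_head);
    return blk;
}

/* Checked allocator: fails closed when the link no longer points into the pool. */
static uint8_t *pool_alloc_checked(block_pool_t *p)
{
    uint8_t *blk = p->free_head, *next;
    if (blk == NULL) return NULL;
    memcpy(&next, blk, sizeof next);
    if (!pool_owns(p, next)) return NULL;  /* free list corrupted */
    p->free_head = next;
    return blk;
}

/* Copy a variable-length field (think: a network name seen during a scan) into
 * a block. The unchecked copy is the bug pattern; the checked copy is the fix. */
static void block_write_unchecked(uint8_t *blk, const uint8_t *src, size_t len)
{
    memcpy(blk, src, len);                 /* no bound: spills into the next block */
}

static int block_write_checked(uint8_t *blk, const uint8_t *src, size_t len)
{
    if (len > BLOCK_SIZE) return -1;
    memcpy(blk, src, len);
    return 0;
}

/* Fresh pool plus a constructed oversized field for the scenarios below. */
static void setup(block_pool_t *p, uint8_t *field)
{
    pool_init(p);
    memset(field, 'A', OVERSIZED_LEN);
}

/* Scenario 1: unchecked copy, unchecked allocator. Returns 1 when the free-list
 * head ends up outside the pool (0x4141... here), i.e. under outside control. */
static int demo_unchecked_corrupts_free_list(void)
{
    block_pool_t pool; uint8_t field[OVERSIZED_LEN];
    setup(&pool, field);
    uint8_t *b0 = pool_alloc_unchecked(&pool);       /* block 0; head -> block 1 */
    block_write_unchecked(b0, field, sizeof field);  /* clobbers block 1's link */
    pool_alloc_unchecked(&pool);                     /* consumes block 1, head = AAAA.. */
    return !pool_owns(&pool, pool.free_head);
}

/* Scenario 2: same bad copy, but the allocator validates the link. Returns 1
 * when the next allocation is refused instead of returning a bogus pointer. */
static int demo_checked_alloc_fails_closed(void)
{
    block_pool_t pool; uint8_t field[OVERSIZED_LEN];
    setup(&pool, field);
    block_write_unchecked(pool_alloc_checked(&pool), field, sizeof field);
    return pool_alloc_checked(&pool) == NULL;
}

/* Scenario 3: the bounded copy rejects the field before any damage. Returns 1. */
static int demo_checked_write_rejects(void)
{
    block_pool_t pool; uint8_t field[OVERSIZED_LEN];
    setup(&pool, field);
    return block_write_checked(pool_alloc_checked(&pool), field, sizeof field) == -1;
}

int main(void)
{
    printf("corrupted=%d fail_closed=%d rejected=%d\n", demo_unchecked_corrupts_free_list(),
           demo_checked_alloc_fails_closed(), demo_checked_write_rejects());
    return 0;
}
```

Scenario 1 deliberately stops at inspecting the corrupted head rather than dereferencing it; in firmware the next allocation would be served from that address. The two checks are independent, and a pool allocator benefits from both: the bounded copy removes the overflow, and the link validation limits the damage if another copy path is missed.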

Uses
The firmware is widely used across many devices. It is found in the Marvell Avastar 88W8897 SoC (system on chip), which provides WiFi, Bluetooth, and near field communication (NFC) in the Sony PlayStation 4 and Pro, Microsoft Surface and Surface Pro tablets, Xbox One, Samsung Chromebook, Galaxy J1 smartphone, and Valve Steam Link.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Tuesday, May 7, 2019

Woesnotgone Meadow; May 7, 2019

All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, our residents are generally healthy. Occasionally, we have an issue when someone gets sick or hurt; last May, Jerry slipped on ice and fractured his ankle. When these occur, there may be a brief or longer visit to a healthcare facility. Over the last few years these facilities have been a target for attackers attempting to breach their systems. One such institution is Roper St. Francis Healthcare.

Roper St. Francis Healthcare is based in Charleston, SC. The facility was targeted by a rather large-scale phishing attack. These types of attacks have been relatively steady and popular over the last five years. In this case, 13 employee email accounts were successfully compromised. The successful attack was detected on November 30, 2018. Fortunately, the hospital’s operations were not affected, and the hospital’s electronic medical records (EMR) were not accessed.

Once the attack was detected, the hospital responded quickly. One of the first moves was to block access to the corporate accounts; the forensic review then began. The review found the compromise was open and active from November 1, 2018, through December 1, 2018, the end date being the day after discovery. The hospital also contracted with a third party for a thorough forensic review. The third party’s in-depth review indicated that a number of the compromised email accounts contained confidential data and information, including patients’ names, medical record numbers, health insurance information, and medical record information. For a portion of these, the patient’s social security number and financial information were also exposed.

The affected patients were notified by mail on January 25, 2019, and the hospital posted a notice on its website on January 29, 2019. The affected patients were offered complimentary credit monitoring services. Internally, the healthcare facility is strengthening its email cybersecurity and providing continuing education on this type of attack. These steps are prudent and necessary to prevent, as far as possible, a recurrence.

This successful attack once again shows that the weakest link, in general, is the user. There needs to be better and regular training to watch for this, along with a more robust defense.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.


Friday, May 3, 2019

Woesnotgone Meadow; May 4, 2019

All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, our residents don’t have many banking needs. We generally have the usual checking and deposit accounts, and mortgages. Occasionally, especially in the winter, our residents may not want to visit Margie’s window at the bank, and instead check their balances, or whether a check has cleared, with an app on their smartphones, desktops, or laptops. When checking their accounts, they have used the two-factor authentication recommended by Margie. Generally, this has not been an issue. Current events have indicated there is a problem with it.

Banking is one of the industries where there should be an extra layer or two of security, to ensure as far as possible that the client's money is not wired out to others by someone other than the bank’s client. To better secure mobile banking transactions, an additional measure has been in use for years: two-factor authentication has long been accepted as an additional layer of security. Recent events and attacks have shown there is an unauthorized, malicious bypass of this security feature, due to flaws in the SS7 protocol.

SS7 (Signaling System 7)
The SS7 protocol is used by telecom companies to coordinate how they route texts and calls globally. The protocol has notably significant flaws that have been known for years. The basic issue is a lack of authentication: the protocol does not authenticate who sent a message. An attacker who gains access to the network may reroute text messages or calls.
Not only may this be used to intercept SMS 2FA codes, it also allows unauthorized access to the user’s personal data, with the potential for rather unpleasant consequences for the users. Although known for years, this flaw (or bug, or feature) is still viable. It is curious that this remains an issue while the phone companies spend billions upgrading their networks. Although this may initially have been a theoretical problem, the attack has recently been verified many times.

Recent reports indicate that at least one UK bank, Metro Bank, had been targeted by attackers using this SS7 flaw to bypass 2FA in mobile applications. With banking targets, the attacker would first acquire the user’s username and password, which could be accomplished through a simple phishing attack. When the user logs in, the bank may send a verification code to the user; with the SS7 attack, that message would be intercepted by the attackers. While this appears to be a rather simple and straightforward attack, it takes time to formulate and execute, and it requires the user to take the phishing bait. Complicated as it is, the attack is still possible.

In the real world, actual SS7 attacks began emptying bank clients’ accounts in 2017, primarily in Germany, and the technique has since spread and been used throughout Europe. One bank confirming it was targeted and successfully attacked was Metro Bank, the UK based bank. The bank did note, however, that only a small number of clients had been affected. This would be expected, as the first step involves a successful phishing attack.

This attack, while not designed for attacking the masses, reminds us that even with the most current technology in use, if a third party the business depends on has a faulty protocol or methodology, there is a direct opportunity for significant issues.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.


Thursday, May 2, 2019

Woesnotgone Meadow; May 2, 2019

All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth.

Universities and colleges have been targeted for years by attackers across the globe. They are known for not necessarily having the most current technology, yet holding a mass amount of PII, which is readily marketable.

Two Nigerian citizens, Olayinka Olaniyi and Damilola Solomon Ibiwoye, living in Kuala Lumpur, were targeting colleges and universities in the US. The focus was to steal paychecks and tax returns. To compromise the targeted systems, the two attackers were phishing 130-140 universities and colleges a day. The attackers took the time and effort to produce emails which appeared legitimate, including the actual logos.

To achieve the end goal, the attackers needed system credentials. The fraudulent emails would direct the user to a website outside the college or university, which again appeared completely legitimate, where the user-provided credentials would be harvested. With this data, the attackers were able to reroute paychecks and access certain financial documents. Unfortunately, the attackers were successful at 20 different schools. At Georgia Tech specifically, the attack was noticed quickly, which was definitely a bonus. Thanks to the quick work, the FBI was notified and was on-site the next day. Once present, they were able to monitor the attackers’ traffic.

To assist with identifying the person(s) responsible for this unlawful endeavor, Georgia Tech continued to work with the authorities. The IP addresses were traced to Malaysia. The authorities secured search warrants for the “alleged” attackers’ email accounts to provide evidence for legal action. From this evidence, the two suspects were clearly identified by their respective names.

It is notable that the US does not have an extradition agreement with Malaysia. To work around this, the FBI’s legal attaché contacted the Royal Malaysia Police. The local Malaysian authorities also confirmed the attackers’ individual identities. Curiously, the two attackers were living in Malaysia on expired visas. The two were arrested. The evidence gathered also indicated the attackers were using the PII to file fake tax returns.

The two were sentenced to federal prison. Ibiwoye pleaded guilty and received 39 months in January 2018. Olaniyi was convicted with a jury trial and received six years.

This case emphasizes two aspects of a breach. The breached party needs to be as fully aware as possible of the breach and its extent, and it needs to take a fully cooperative stance with the investigation. Anything short of this merely adds more time to the open window for the attacker(s) to steal and use the data.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.
