Sunday, September 27, 2020

They learn hacking early these days


These are certainly interesting times we are living in. In particular, schools are holding virtual classes, in-person classes, or a mixture of the two. This has seriously taxed systems that were already under financial pressure. One area historically under-funded has been cybersecurity, as the focus of the K-12 and university systems has been teaching the students. Bearing this in mind, the systems may not have the budget to fully defend against cybersecurity attacks. A recent target was the Miami-Dade Public Schools System, which has approximately 275k students. This school system is the fourth largest in the country.

Attack

The Miami-Dade County Public Schools' students began attending classes again this school year. To facilitate the return, the public school district was using an online learning system (MySchool online), which makes sense, all things considered. For some reason, a 16-year-old high school student, who happens to attend the targeted school system (a junior at South Miami Senior High School), believed DDoSing the school's e-learning system and crippling its functions was a good idea. The student did this several times, shutting down access for several days. These attacks were clearly malicious and disrupted teaching and student learning across the state.

Post-Attack

The student, while using a lower-level form of attack, forgot one important thing: to cover his tracks. The investigators were able to locate him from the IP address the attacks originated from. A portion of the attacks did originate from outside the US. This is such a basic step that it was even addressed in the iconic 1990s movie Hackers.

The FBI, Secret Service, and the Florida Department of Law Enforcement were involved in the investigation. The student, when questioned, admitted to eight DDoS attacks beginning on that Monday. The student didn't code an app for this but instead used an online resource. There may be others involved with this set of attacks. This is not new, as the public school district has experienced more than a dozen of these since the 2020-2021 school year started.

The student was arrested, as noted, and charged with Computer Use in an Attempt to Defraud, a third-degree felony. The student was also charged with Interference with an Educational Institution, a second-degree misdemeanor.

In Closing

Defending against certain attacks is not an overly complex set of operations. You may only need to contract with a third party to use their apps or services to protect your system. When you don't plan for the inevitable, it seems to find you rather quickly.


Resources

850 WFTL. (2020, September). 16-year-old arrested for hacking miami dade school system. Retrieved from https://www.850wft.com/16-year-old-arrested-for-hacking-miami-dade-school-system/

Allen, K. (2020, September 3). 16-year-old arrested for hacking miami dade school system. Retrieved from https://abcnews.go.com/US/16-year-arrested-hacking-miami-dade-school-sytem/

Ampgoo.com. (2020, September 3). 16-year-old student arrested for allegedly crippling miami school system with cyberattack. Retrieved from https://www.ampgoo.com/16-year-old-student-arrested-for-allegedly-crippling-miami-school-system-with-cyberattack

L33T Dawg. (2020, September 3). 16-year-old arrested for cyberattacks on school’s online learning system.

Miller, M. (2020, September 3). Teen arrested for alleged cyber attacks on miami-dade schools. Retrieved from https://thehill.com/policy/cybersecurity/514998-teenager-arrested-for-alleged-cyberattacks-on-miami-dade-school-district

NBC News. (2020, September 4). Miami high schooler charged with cyberattacks that stopped online learning. Retrieved from https://pressfrom.info/us/news/science-and-technology/-527945-miami-high-schooler-charged-with-cyberattacks-that-stopped-online-learning.html

News & Guts. (2020, September). 16-year-old charged with cyber attack that brought down miami public schools. Retrieved from https://www.newsandguts.com/16-year-old-charged-with-cyber-attack-that-brought-down-miami-public-schools/

Odzer, A., Pipitone, T., & Hamacher, B. (2020, September 3). Student arrested in connection with cyber attacks on miami-dade public schools. Retrieved from https://www.nbcmiami.com/news/local/student-arrested-in-connection-with-cyber-attacks-on-miami-dade-public-schools/2287613/

Life isn't always a carnival!


At this point in time, most nations are not focused on leisure. At some point in the future, society will get back to some form of normal. At that point, we may look to recreational activities to help us decompress after being isolated for an extended time. One industry that may see increased activity is the cruise industry. One of the largest companies in the sector is Carnival Corporation. The business operates more than 100 vessels and is based in Florida. The vessels sail under brands we all recognize, such as Carnival Cruise Lines, Princess Cruises, Costa Cruises, and AIDA.

Issue

The corporation holds a massive amount of data from operations (revenue, accounts receivable, accounts payable, vendor lists, banking information, etc.) and clients (name, address, credit card numbers, when their cruise will be, etc.). This made the cruise corporation a prime target. The attack was detected on August 15, 2020. The company notified law enforcement and began to investigate. To fill their expertise gaps, they contracted with outside incident response specialists. The corporation was required to notify the U.S. Securities and Exchange Commission (SEC) since the company is publicly traded.

Breach

As this was a successful attack, their defenses were breached. The attackers were able to access and encrypt a portion of the data on their servers. This should sound unfortunately familiar, as this is yet another successful ransomware attack. The attackers also downloaded files. This data likely included the personal data of guests and employees. The curious wrinkle here is that there may be a greater issue than just the SEC if the guests and/or employees were EU citizens, with the GDPR in effect.

The odd part is that they are not sure how far the breach went. The corporation believes this only affects one brand. Seemingly, they should know if more than one brand's data was accessed. There are logs for the SIEM to examine, unless the attacker modified these.

Pattern

This is not Carnival’s first experience with a breach. Two of their brands, Holland America Line and Princess Cruises, appear to have been breached in 2019.

Ransomware has become such a mountain of a nightmare over the last four years. This is another example of what can happen with a simple error on the part of an employee.


Resources

BNP Media. (2020, August 18). Carnival corporation hit by ransomware.

Grieg, J. (2020, August 19). Carnival cruises hit with a costly ransomware attack. Retrieved from https://www.techrepublic.com/article/carnival-cruises-hit-with-costly-ransomware-attack/

Maritime Executive. (2020, August 17). Carnival corporation reports ransomware attack accessed data. Retrieved from https://www.maritime-executive.com/article/carnival-corporation-reports-ransomware-attack-accessed-data

Mogg, T. (2020, August 18). World’s largest cruise line operator hit by cyber attack. Retrieved from https://www.digitaltrends.com/computing/worlds-largest-cruise-line-operator-hit-by-cyberattack/

Norton, T. (2020, August 19). Carnival corp brand hit by ransomware attack. Retrieved from https://www.travelpulse.com/news/cruise/carnival-corp-brand-hit-by-ransomware-attack.html

Travolution. (2020, August 19). Carnival corporation cruise line brand his by ransomware attack. Retrieved from https://www.travolution.com/articles/116486/carnival-corporation-cruise-line-brand-his-by-ransomware-attack

Vigayan, J. (2020, August 18). Ransomware attack on carnival may have been its second compromise this year. Retrieved from https://www.darkreading.com/attacks-breaches/ransomware-attack-on-carnival-may-have-been-its-second-compromise-this-year/d/d-id/1338696

Thursday, September 10, 2020

Oregon State University Ecampus breached!


Oregon State University (OSU) is located in Corvallis, OR. As with most universities and schools, there is a virtual option for students so they don't have to attend full time. OSU is no different. The university has its own Ecampus, the online education program.

Attack

The attack occurred this summer and was detected on July 27, 2020. The attackers were able to breach and compromise a server on the OSU Ecampus. After this was detected, OSU began its investigation. The university also contacted state and federal authorities on this matter; as part of the process, the FBI was also contacted. The hope is that with all this assistance, the university and law enforcement are able to find the attackers and also determine how this happened.

Data

The breach affected approximately 1,700 students and faculty members. The server held their personal information, which was accessed. The records accessed contained names and OSU email addresses. While this is not optimal, this would not be classified as critical. In some instances, the person's personal mailing address and phone number may have been exposed, which brings the issue to a new level. Fortunately, there were no Social Security numbers or financial data involved.

Post-Breach

OSU immediately began to mitigate the security issues detected so this would not happen in the same way again. The compromised server was updated to remove the cybersecurity issues and placed back online. The university has notified the affected students and staff and is offering free credit monitoring and other services. Oddly, this is not the first breach at the university in recent history. The last breach was in May 2019 and affected 630 records. While the details of the attack method were not disclosed, this is another example of why cybersecurity is so important.


Resources

Albany Democrat-Herald. (2020, September 3). Computer breach at OSU exposes personal info of 1,700 students and faculty.

New Haven Register. (2020, September 4). Computer breach at OSU exposes personal info of 1,700. Retrieved from https://www.nhregister.com/news/article/Computer-breach-at-OSU-exposes-personal-info-of=15542681.php

The Associated Press. (2020, September 5). Computer breach at OSU exposes personal info of 1,700. Retrieved from https://www.kezi.com/content/news/computer-breach-at-OSU-exposes-personal-info-of-1700-572.330491.html, https://www.usnews.com/news/best-states/oregon/articles/2020-09-04/computer-breach-at-osu-exposes-personal-info-of-1-700, and https://www.seattletimes.com/seattle-news/northwest/computer-breach-at-osu-exposes-personal-info-of-1700/

Tuesday, September 8, 2020

Of all places to steal from...


Non-profits, as indicated by their name, are not designed to profit from their activities. They provide services, goods (e.g. clothing or food), and other items to those who can't afford them. By design, there is no profit motive in working with these organizations.

When planning an attack, one of the first things to identify is the crown jewels, i.e. what the attack is focused on. The attackers may also simply have a malicious mission. However, given how attacks have been operationalized, there is generally something (e.g. money or data) the attackers want.

Target

A recent breach has been no exception. The Jewish Federation of Greater Washington was recently targeted and breached. This organization is a non-profit located in Maryland. The not-for-profit has 52 employees.

Attack

There are cybersecurity dangers regardless of where you are working. To address these, the user needs awareness as a general baseline of what to do and not do. Their systems, if not using the business's equipment, have to be up to date. Having outdated, unpatched apps and programs creates an opportunity for attackers and allows for an easier attack. This is analogous to leaving the front door shut, but unlocked.

In this learning experience, a staff member, working from home on their own system, was successfully attacked. The compromise led to the attacker stealing $7.5M. The attack and theft were possible due to one person's oversight and the organization not maintaining a proper level of cybersecurity for the staff.

The attack was not known to the organization until August 4th. It was detected by a security contractor, not the organization. The red flag in this instance was an anomalous amount of activity on a staff member's email account.

Post-Attack

After this was detected, the FBI was contacted. As the investigation continues, there is no comment as to who may have accomplished this. While this is an issue, the CEO, Gil Preuss, did announce the compromise on a virtual conference call with the employees.

The organization also investigated the breach. The data indicated the attacker had access long before the issue was detected by the cybersecurity contractor. The unauthorized access was estimated to have started early in the summer. The investigation continues as the systems and servers are analyzed for other cybersecurity issues. Wisely, the organization is no longer allowing staff to use personal computers for work. The issues with allowing this abound at any time, and especially now with the pandemic forcing most people to work from home. The organization appears to be reviewing what other controls to put in place to mitigate the potential for this to occur again.

Discussion

In our current situation, working from home is, for the most part, not an option but a necessity. Users may feel a little more at ease working from home and let their guard down. They may also not have the same level of defensive measures in place. For the measures that are in place, the apps and programs may not be patched or up to date. All of these create the potential vulnerability the attackers look for. Unfortunately, all it takes is one person in the right department or with access to other systems, and there's a breach.

Cybersecurity does not take a break from the office. This is a 24-hour-a-day, every-day task. The users still have to be vigilant. There is no vacation or sick day for cybersecurity.

On the last point, please push for more training for the users. They do not need to be cybersecurity experts. They do, however, need to be aware of what to look for and what not to click on. A stranger is not going to send you a link to their cousin's hilarious birthday party or a picture of their kitten that you have to open to see the details in the kitten's fur.

From the finance administrative side, there should have been controls or alarms in place to monitor any large transfers, whether at once or in a short period of time. This may have also limited the depth of the attack.
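The transfer alarms described above, as an added example that is not the organization's own control and not code from the original post: three rules run over a constructed sample ledger. One flags any single transfer at or above a limit, one flags the aggregate outflow inside a rolling 24-hour window, and one flags repeated payments to the same destination inside that window. The thresholds, the record layout (`id`, `ts`, `amount`, `dest`) and the sample amounts are all assumptions chosen for illustration.

```python
"""Transfer-monitoring rules over a constructed sample ledger.

Added example; thresholds, field names and sample values are assumptions,
not any organisation's actual finance controls.
"""
from collections import deque
from datetime import datetime, timedelta

# Hypothetical policy thresholds (assumed values, tune to the organisation).
SINGLE_TRANSFER_LIMIT = 100_000.00      # any one transfer at or above this is flagged
WINDOW = timedelta(hours=24)            # rolling window for "a short period of time"
WINDOW_TOTAL_LIMIT = 250_000.00         # aggregate outflow inside the window
MAX_TO_ONE_DEST_IN_WINDOW = 3           # repeated payments to a single destination

# Constructed sample records; the field layout is an assumption.
SAMPLE_TRANSFERS = [
    {"id": "T1", "ts": "2020-06-01T09:15:00", "amount": 12_500.00, "dest": "vendor-A"},
    {"id": "T2", "ts": "2020-06-01T10:40:00", "amount": 48_000.00, "dest": "vendor-B"},
    {"id": "T3", "ts": "2020-06-02T08:05:00", "amount": 95_000.00, "dest": "acct-new-1"},
    {"id": "T4", "ts": "2020-06-02T08:20:00", "amount": 90_000.00, "dest": "acct-new-1"},
    {"id": "T5", "ts": "2020-06-02T09:00:00", "amount": 85_000.00, "dest": "acct-new-1"},
    {"id": "T6", "ts": "2020-06-03T11:00:00", "amount": 120_000.00, "dest": "acct-new-2"},
]


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def evaluate_transfers(records):
    """Return a list of (rule, transfer_id, observed_value) alerts.

    Records are processed in timestamp order, so the same function works
    over a batch export or fed one record at a time by a streaming job.
    """
    alerts = []
    window = deque()  # (timestamp, amount, dest) for transfers still inside WINDOW
    for rec in sorted(records, key=lambda r: _parse(r["ts"])):
        ts, amount, dest = _parse(rec["ts"]), float(rec["amount"]), rec["dest"]

        # Drop transfers that have aged out of the rolling window.
        while window and window[0][0] < ts - WINDOW:
            window.popleft()
        window.append((ts, amount, dest))

        # Rule 1: a single large transfer.
        if amount >= SINGLE_TRANSFER_LIMIT:
            alerts.append(("single_transfer_limit", rec["id"], amount))

        # Rule 2: many smaller transfers adding up within the window.
        total = sum(a for _, a, _ in window)
        if total >= WINDOW_TOTAL_LIMIT:
            alerts.append(("window_total_limit", rec["id"], total))

        # Rule 3: the same destination paid repeatedly within the window.
        to_dest = sum(1 for _, _, d in window if d == dest)
        if to_dest >= MAX_TO_ONE_DEST_IN_WINDOW:
            alerts.append(("repeated_destination", rec["id"], to_dest))
    return alerts


if __name__ == "__main__":
    for rule, transfer_id, value in evaluate_transfers(SAMPLE_TRANSFERS):
        print(f"ALERT {rule}: transfer {transfer_id} ({value})")
```

With the constructed sample, no single transfer trips rule 1 until T6, but the three payments to `acct-new-1` trip both the window total and the repeated-destination rule at T5, which is the point of layering the rules: an attacker splitting a large theft into several payments evades the single-transfer check but not the rolling aggregate.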


Monday, September 7, 2020

Up, up, and away (with my data)


Our need for more data and information, delivered in a timely manner, has driven research through the years. Many years ago, this was accomplished through ye olde snail mail, with 5 ¼ or 3 ½ inch discs/disks. Later this advanced to thumb drives. Downloads over a modem took forever, and you hoped there was not an issue with the phone line; otherwise you might need to start over. The internet and its infrastructure sped download speeds to incredible rates by comparison. The advances continue not only with internet speeds but also with other transmission methods. With the global economy and its data requirements, satellites are a new focus. One area, in addition to communications, that satellites are used for is GPS. This is used with vehicles, ships, airplanes, commercial trucking, the military, and any other industry moving freight or people. There are few industries not using this technology in one form or another. Satellite technology has provided increased economic productivity and a better user experience across these use cases. An example is GPS in our smartphones and vehicles. Gone are the days of huge fold-out maps or purchasing a CD with maps and printing off the route.

While the benefits are clear, there is also an area not fully addressed. The cybersecurity of these systems requires further attention. Just as with other electronics, satellites can be attacked. These aren't theoretical forms of attack; they have been shown to work. In 2019, software used by satellites (VxWorks) was shown to have exploitable vulnerabilities. When executed, the attacker could take control of the satellite from anywhere. In certain instances, the software is proprietary, which would shift the attack to other areas of the attack surface. With the increase in the number of satellites, this is going to continue to be an issue. It would be an understatement to say these need to be tested and use current industry-standard cybersecurity measures.


Oxymoron in application


With the current state of the pandemic, business operations have vastly changed from a year ago. One area of change has been voting. Prior to this turn of events, voters had the opportunity to vote in person or send in their ballots. While this has not been problematic in the past, technology has provided an additional option. E-voting is being researched and used in limited circumstances. The first significant, notable usage was in Iowa for the Democratic caucus. While this was used for the caucus and not the vote, it provided a test of how it could or could not work. This has been termed a disaster, with good reason. In 2020 this was attempted with an epic fail. Per reports, the app was not tested properly, did not function properly, and placed the spotlight on what could go wrong, spectacularly.

After this epic fail, one would think a company whose primary business is e-voting would accept any viable assistance from responsible, reputable cybersecurity pentesting companies. The final report or deliverable would provide a roadmap to ensure, as much as possible, that there were minimal issues and that the issues encountered were not critical. This assistance would provide assurance, or work to ensure, that the spotlight does not shine on the e-voting business in a negative light.

Well, this is not always the case. Voatz is in the business of creating e-voting software. The company wants the CFAA (Computer Fraud and Abuse Act, commonly used as a threat against cybersecurity researchers) to be interpreted broadly, so that anyone (i.e. cybersecurity researchers) who violates the Terms & Conditions (T&C), which no one really reads, faces federal criminal charges. The loose application would allow for wider prosecution and give businesses more avenues to dissuade anyone, including those without malicious intent, from being transparent about their oversights. This would effectively have most in the industry with their heads in the sand.

Possibly what brought this to the forefront, beyond their own lack of cybersecurity focus, was MIT researchers discovering many flaws in their e-voting software: the very software we depend on for our elections, which can't be redone without a massive amount of work, expense, and a significant amount of global ridicule and embarrassment. To attempt to put this in a positive frame somehow, Voatz hired their own cybersecurity researchers, whose research arrived at nearly the same conclusion. In short, the Voatz software is holier than Easter Sunday.

In closing, in cybersecurity as with most things, the more eyes on the objective the better. Also, the responsible thing to do with a product or service is to test it until the cybersecurity vulnerabilities are at a minimum and manageable, which does not appear to have occurred here.