STE WILLIAMS

Check your Verizon FiOS Quantum Gateway G1100 router now

Owners of Verizon’s FiOS Quantum Gateway (G1100) routers should check that the firmware has been updated after security company Tenable made public three significant security flaws.

Discovered by a researcher in December, none of the three flaws offers hackers a simple remote knock-out, but they’re still vulnerabilities every owner will want patched as soon as possible.

At first glance, the most alarming is CVE-2019-3914, an authenticated command injection weakness which Tenable says can be “exploited remotely to achieve command execution with root privileges.”

However, read a bit further and an important qualification jumps out:

An attacker must be authenticated to the device’s administrative web application in order to perform the command injection.

In other words, the command injection is only reachable by an attacker who already has local access (i.e. is on the network) and the admin credentials, or from the internet where remote administration has been turned on (which by default it isn’t).

How might an attacker get the authenticated access that CVE-2019-3914 requires? Assuming the web management interface and Wi-Fi have been secured (each G1100 ships with a unique password), another route would be to exploit the second flaw uncovered, CVE-2019-3915.

Described by Tenable as a login replay flaw, CVE-2019-3915 lets an attacker who can sniff login requests capture the “POSTed” SHA-512 password hash and replay it to gain access to the router. This is a basic flaw but, again, it requires access to the local network.

Tenable blames the fact that the router doesn’t enforce HTTPS for management sessions, although in fairness precious few domestic routers do, because it’s seen as overkill for internal access. The deeper problem is that the same hash is sent unchanged at every login, so whoever sees it once holds the equivalent of the password; a per-session challenge would have made the captured value worthless.

The final issue is CVE-2019-3916, through which…

An unauthenticated attacker is able to retrieve the value of the password salt by simply visiting a URL in a web browser.

On its own the salt is of no use. The attacker would still need the SHA-512 hash captured from a login request, at which point Tenable suggests the known salt makes an offline dictionary attack against that hash practical. This might be tricky unless users have changed the secure default supplied with the router to something weaker.
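Modelled below is how CVE-2019-3915 and CVE-2019-3916 combine for an attacker already on the local network, as an added example that is neither Tenable’s proof of concept nor Verizon’s code. The hash construction SHA-512(salt + password), the salt value, the wordlist and the passwords are all assumptions made for the example, since the article does not give them.

```python
"""Added example, not Tenable's or Verizon's code: a model of what the
leaked salt (CVE-2019-3916) and the sniffed, replayable login hash
(CVE-2019-3915) give an attacker who is already on the LAN.

Assumption (not stated in the article): the gateway hashes the password
as SHA-512(salt + password), hex-encoded. Every value below is constructed.
"""
import hashlib
import secrets
from typing import Iterable, Optional


def salted_sha512(salt: str, password: str) -> str:
    """Assumed construction of the value the browser POSTs at login."""
    return hashlib.sha512((salt + password).encode()).hexdigest()


class RouterLogin:
    """Toy stand-in for the G1100 admin login over plain HTTP.

    The browser sends the salted hash; the router compares it with the
    stored copy. Nothing in the exchange changes between sessions, so the
    hash is a static credential: whoever captures it can log in without
    ever knowing the password.
    """

    def __init__(self, salt: str, password: str) -> None:
        self.salt = salt  # readable by anyone on the LAN (CVE-2019-3916)
        self._stored = salted_sha512(salt, password)

    def login(self, posted_hash: str) -> bool:
        return secrets.compare_digest(posted_hash, self._stored)


def replay(router: RouterLogin, sniffed_hash: str) -> bool:
    """CVE-2019-3915: re-POST the value sniffed from an earlier login."""
    return router.login(sniffed_hash)


def dictionary_attack(salt: str, sniffed_hash: str,
                      wordlist: Iterable[str]) -> Optional[str]:
    """Offline guess of the cleartext once salt and hash are both known.

    Without the salt the attacker would have to guess salt and password
    together; with it, each candidate costs a single SHA-512 call.
    """
    for candidate in wordlist:
        if salted_sha512(salt, candidate) == sniffed_hash:
            return candidate
    return None


# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "verizon", "letmein", "summer2019", "fios"]


def demo() -> dict:
    """Run both attacks against a weak and a factory-style password."""
    salt = "3f9a1c"  # constructed; fetched from the router in the real case
    weak = RouterLogin(salt, "summer2019")
    sniffed_weak = salted_sha512(salt, "summer2019")  # seen on the wire
    strong = RouterLogin(salt, "QK7P-9XZ2-M4RT-LW8B")  # label-style default
    sniffed_strong = salted_sha512(salt, "QK7P-9XZ2-M4RT-LW8B")
    return {
        # Replay works whatever the password strength...
        "weak_replay": replay(weak, sniffed_weak),
        "strong_replay": replay(strong, sniffed_strong),
        # ...but recovering the cleartext only works for weak passwords.
        "weak_recovered": dictionary_attack(salt, sniffed_weak, WORDLIST),
        "strong_recovered": dictionary_attack(salt, sniffed_strong, WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one in the text: replaying the sniffed hash succeeds regardless of how strong the password is, whereas recovering the cleartext only works if the owner has replaced the unique factory password with something a wordlist will contain.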

Am I affected?

The FiOS Quantum Gateway (G1100) was launched in 2014 and is probably sitting in large numbers of homes and small businesses in the US that subscribe to Verizon’s fibre broadband. If you use this service, there’s a good chance you’re part of this population.

The router is based on Greenwave Systems’ AXON Platform, which worked with Verizon on the update.

What to do?

No advisory was issued, but according to Verizon, affected FiOS Quantum Gateways should have been remotely updated to a new firmware version, 02.02.00.13, on 13 March.

To check the firmware version, log into the router (browse to 192.168.1.1, enter the user name admin and the admin password printed on the label stuck to the side of the device) and click System Monitoring in the menu. The firmware version is shown on that page.

As noted, the update should have been applied automatically without the user needing to do anything. However, Verizon thinks there are still a “small percentage” of users who need an update, possibly because their routers were turned off and unreachable.

A second check is to ensure that remote administration is disabled, which stops the first of the three flaws (CVE-2019-3914) from being exploited from outside the network.

This can be checked via the Firewall tab on the router’s management GUI (see page 106 in this user guide).

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Q5OrgHLHltA/

Update now! Here’s the April Patch Tuesday roundup

Microsoft and Adobe have released their April Patch Tuesday updates, which this month comprise a relatively modest 74 CVE vulnerabilities, 15 of which are rated ‘critical’.

But there’s still plenty to worry about, which is why a good place to start is with the two zero-day vulnerabilities Microsoft says are being actively exploited.

Zero-days

These are CVE-2019-0803 and CVE-2019-0859, both identical-looking elevation of privilege (EoP) issues in the same Win32k component.

Microsoft offers little detail about the reported exploitation, but both would still require local access, which earns them a designation of ‘important’ rather than critical.

That hints that they are probably being chained with other vulnerabilities, known or unknown, that provide the initial foothold, which is why patching them should be a top priority.

Criticals and beyond

The 14 Microsoft flaws marked critical – often a euphemism for remote code execution (RCE) – include six in the Edge browser’s Chakra Scripting Engine, which now seems to generate a lot of patching work every month.

Add three more RCEs in Microsoft XML (CVE-2019-0791, CVE-2019-0792 and CVE-2019-0793), and the threat posed by attackers who can lure victims to malicious websites that target vulnerable browser components is underscored.

Others to patch include CVE-2019-0853, a critical RCE in the way the Windows Graphics Device Interface (GDI) handles objects in memory. Ditto CVE-2019-0824, CVE-2019-0825 and CVE-2019-0827, a hat-trick of important-rated flaws affecting the Microsoft Office Access Connectivity Engine, and CVE-2019-0856, an issue in the Windows Remote Registry Service.

We can be less worried about the half dozen flaws in Internet Explorer’s VBScript, a deprecated component that is still present in Windows 10, although it should be blocked by default on this version of Windows.

SophosLabs RCE

One flaw is being fixed thanks to Yaniv Frank of the SophosLabs Offensive Research Team (ORT), namely CVE-2019-0845. While fiddly to exploit, it’s an issue in the IOleCvt ActiveX control which could lead to an RCE.

Shockwave no more

After a quiet March, Adobe’s update hits users with a more normal load of updating work, including 21 CVEs – 11 of which are critical fixes for Adobe Reader. There are two vulnerabilities in Flash Player, one of which, CVE-2019-7096, is marked critical.

For anyone who’s forgotten, this month also marks the end of Shockwave Player. The last patched version will be 12.3.5.205 as outlined in APSB19-20. From now on, the only people receiving updates will be licensed enterprises.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/oNgIfiw2evE/

Mar-a-Lago intruder had instant-malware-inflicting thumb drive

It turns out that Yujing Zhang, the Chinese woman arrested on 30 March when she tried to enter President Donald Trump’s private Mar-a-Lago club in Palm Beach, Florida, had a number of suspicious devices in her hotel room, tools good for planting malware and spying, along with more than $8,000 in cash, all of which suggests she was there for espionage.

As it was, she was carrying four cellphones, a thumb drive containing malware, and other electronics when she breached security at President Trump’s private Florida club. In getting past multiple security checkpoints, she first told US Secret Service agents that she was bound for the hotel’s pool.

Then, supposedly confused by a language barrier that came and went as Zhang used and then apparently forgot competent, nuanced English, Mar-a-Lago staff thought she might be the daughter of a club member with the same last name – one that’s common in China. Next, Zhang told Secret Service agents that she was headed for some kind of United Nations Chinese American Association event that night… or, as she said in her next version, a “United Nations Friendship Event” between the US and China.

As the Miami Herald reports, during a bond hearing in a Florida federal court on Monday, federal prosecutor Rolando Garcia said that a search of Zhang’s room yielded still more gadgetry: a “signal-detector” device used to reveal hidden cameras, USD $7,500 in $100 bills, $663 in Chinese currency, nine USB drives, five SIM cards and other electronics.

…and no swimsuit.

CNN quoted Garcia during the hearing, which was held to determine whether Zhang would be released on bail:

She lies to everyone she encounters.

Zhang was charged with two counts: making false statements to federal authorities and a misdemeanor offense of entering a restricted area without authorization. She hasn’t been charged with offenses that could be associated with international spying, but an FBI counterintelligence squad is investigating the incident as part of a broader investigation into Chinese espionage, and prosecutors are treating Zhang’s case as a national security matter, sources told the Miami Herald.

Malware-containing thumb drive

At Monday’s hearing, Secret Service agent Samuel Ivanovich, who interviewed Zhang on the day of her arrest, testified that when another agent plugged Zhang’s USB drive into his computer, it immediately began to run a program. From the Miami Herald:

[Ivanovich] stated that when another agent put Zhang’s thumb-drive into his computer, it immediately began to install files, a “very out-of-the-ordinary” event that he had never seen happen before during this kind of analysis. The agent had to immediately stop the analysis to halt any further corruption of his computer, Ivanovich said.

Ivanovich said in an affidavit that a preliminary forensic examination of the thumb drive has determined that it contained malware.

Zhang’s federal public defender, Robert Adler, denied that his client had any devices that could be used for spying.

Why would anybody plug that drive in outside of a forensics lab?

According to Ivanovich’s court testimony, an agent plugged an unknown, potentially malware-carrying device into a computer that presumably was used for official Secret Service work, instead of into a system rigged up for computer forensics – hence, what sounds like a hasty pull-out of that drive when it started running a program.

The apparent lack of security hygiene on the Secret Service’s part is concerning, says Jake Williams, a former National Security Agency (NSA) hacker who is now a cofounder of Rendition Infosec.

If the drive had been plugged into an air-gapped analysis system, the agent wouldn’t have had any reason to pull it out to “halt any further corruption of his computer,” Williams points out. He compared it to the USB drive that carried the Stuxnet malware: both Stuxnet and Conficker could execute malicious code without user interaction, even with AutoRun and AutoPlay disabled.
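What forensic handling of that drive looks like in practice, as an added example (not the Secret Service’s procedure, nor anything from the court record): image the raw device read-only, hash and verify the image, then search the bytes for insertion-triggered indicators, never mounting or double-clicking anything. The indicator patterns, file names and sample contents are constructed for the example.

```python
"""Added example, not from the court record or the Secret Service: the
hygiene the article is asking for, as a script for a throwaway analysis
box. The drive is never mounted or opened in a file manager; its raw bytes
are copied, the copy is hashed and verified, and the image is searched for
'acts on insertion' indicators. It is exercised against a constructed file
so it runs without hardware; on a real box src would be a raw block device
such as /dev/sdb, read with nothing else touching it.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict

# Byte patterns suggesting the drive was built to act when inserted: an
# autorun.inf section (the AutoRun the article mentions) and Windows
# shortcut (.lnk) file names (the mechanism Stuxnet abused). A real
# triage list would be far longer; these two are illustrative.
INDICATORS = {
    "autorun_section": re.compile(rb"\[autorun\]", re.IGNORECASE),
    "lnk_shortcut": re.compile(rb"\.lnk\b", re.IGNORECASE),
}


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large images don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(src: str, dest: str, chunk: int = 1 << 20) -> Dict[str, object]:
    """Copy src byte-for-byte to dest and prove the copy matches.

    The source is only ever opened read-only; nothing on it is executed or
    interpreted. A sidecar .sha256 file records the hash so the evidence can
    be re-verified later.
    """
    with open(src, "rb") as in_f, open(dest, "wb") as out_f:
        for block in iter(lambda: in_f.read(chunk), b""):
            out_f.write(block)
    src_hash, dest_hash = sha256_of(src), sha256_of(dest)
    with open(dest + ".sha256", "w") as side:
        side.write(f"{dest_hash}  {os.path.basename(dest)}\n")
    return {"bytes": os.path.getsize(dest), "sha256": dest_hash,
            "verified": src_hash == dest_hash}


def scan_indicators(image: str) -> Dict[str, int]:
    """Count indicator hits in the raw image without mounting a file system."""
    with open(image, "rb") as f:
        data = f.read()  # a thumb-drive image fits in memory; stream for larger media
    return {name: len(pattern.findall(data)) for name, pattern in INDICATORS.items()}


def make_sample_device(path: str) -> None:
    """Constructed stand-in for the suspect drive; not real evidence."""
    with open(path, "wb") as f:
        f.write(b"FAT32 junk ........\n")
        f.write(b"[autorun]\nopen=setup.exe\n")
        f.write(b"Holiday Photos.lnk\n")
        f.write(b"\x00" * 3000)


def demo() -> Dict[str, object]:
    """Acquire and triage the constructed drive inside a temporary directory."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "suspect.raw")
    image = os.path.join(workdir, "evidence.dd")
    make_sample_device(src)
    result = acquire(src, image)
    result["indicators"] = scan_indicators(image)
    result["sidecar_present"] = os.path.exists(image + ".sha256")
    return result


if __name__ == "__main__":
    print(demo())
```

Everything that could run code (the file system driver, AutoPlay, shortcut parsing) is kept out of the loop: the analyst only ever looks at bytes, and the recorded hash lets the image be shown to be unchanged if it is later handed to someone else.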

Ivanovich testified on Monday that the analysis of the thumb drive is “ongoing but still inconclusive.”

According to the Washington Post, a law enforcement official said the computer wasn’t part of a government data network, and no sensitive information was put at risk.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/n-MGh5myN8A/

Ep. 027 – Honeypots, GPS rollover and the MySpace data vortex

The Naked Security podcast reveals how long you can expect to go unnoticed online [01’25”], explains why we still have applications where every bit matters [13’05”], and comes up with a new vocabulary for “data loss” on the scale of MySpace’s music file implosion [17’07”].

With Anna Brading, Paul Ducklin, Matthew Boddy and Benedict Jones.

If you enjoy the podcast, please share it with other people interested in cybersecurity, and give us a vote on iTunes and other podcasting directories.

Thanks to Purple Planet for the opening and closing music.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dOG7d-mUqJw/

Safe Harbor Programs: Ensuring the Bounty Isn’t on White Hat Hackers’ Heads

As crowdsourced security-testing surges in popularity, companies need to implement safe harbor provisions to protect good-faith hackers — and themselves.

Bug bounty programs are surging in popularity, as more companies — both public and private — use freelance security researchers to spot vulnerabilities in their systems and help protect valuable customer data. According to the 2018 HackerOne report, new bug bounty programs have grown a staggering 54% in the last year alone, and valid reports hit an all-time high of 80%.

However, despite the growth of these programs, disclosure standards and practices vary widely from company to company. This severe lack of standardization exposes well-intentioned hackers to possible legal liability — and can leave companies open to costly avoidable risk, as the 2017 Equifax breach showed.

To ensure the disclosure industry continues to evolve and thrive, companies need to offer protection for good-faith hackers by standardizing their reporting and policies, using easy-to-understand language. By making the rules of the road clear to everyone, the industry can chart a better, more secure path forward.

Closing Reporting Gaps
Having companies pay hackers seems counter-intuitive, but the ecosystem is symbiotic — and, overall, it works. With the help of hackers, companies are able to subject their exposed systems to continuous testing from multiple angles at once, while rewarding freelancers who spot key vulnerabilities.

Ensuring the system moves toward closing reporting gaps requires companies to take a few key actions, including establishing a vulnerability disclosure program (VDP). A VDP provides a secure channel that hackers can use to report bugs quickly, along with an internal team of company experts to mitigate and triage problems.

As an extension of a VDP, safe harbor policies provide specific language and guidelines around bug bounty programs. Several large companies, such as Dropbox and General Motors, have these policies, but most companies don’t. In fact, according to HackerOne, 93% of the companies on Forbes’ Global 2000 list don’t have any way for researchers to report security issues. As a result, hackers can’t be confident they can work directly with companies without fear of civil or criminal legal reprisal, leaving only hackers driven solely by good faith to report any vulnerabilities.

While hackers may be vulnerable in the absence of safe harbor policies, today’s booming bug bounty economy still offers plenty of opportunities. After all, time is money — and it’s a seller’s market. For companies without the proper protection, freelance security researchers lack incentive to report bugs when given the choice to work for companies that publicly offer bounties and protection. Faced with such ambiguity, some might fail to report vulnerabilities at all — or worse, could choose to post the information to the Dark Web, where there’s a thriving market for data and remote access, or publicly expose the flaw to embarrass a company, allowing other hackers to exploit the information, which is what happened to Microsoft in 2017.

Balancing Risks and Rewards
For companies, safe harbor is a trade-off that allows hackers to work more openly within their systems in exchange for protections. Currently, safe harbor is in a “read between the lines” state. While many companies won’t actually pursue legal action against hackers who report a bug in good faith, other companies don’t want to give up their right to prosecute if things go sideways.

It’s critical for organizations to formalize their safe harbor protections by writing clear policies that offer a broad range of protections for hackers. It’s simply good business since the cost of a bug bounty is significantly less than what a data breach costs to remediate. The average bounty payout for a critical vulnerability is US $2,041, according to HackerOne. The average data breach cost, according to Ponemon Institute, is a hefty US $3.62 million.

Existing programs like Disclose.io are helping to standardize safe harbor programs by creating universal language within existing bug bounty programs, so that rules for hackers don’t change from program to program. However, safe harbor provisions do come with risks, both for the company and the hacker, meaning that steps need to be taken in order for safe harbor to become more widely adopted.

Adding common and easily accepted legal language to manage disclosure programs is the easiest and best way companies can boost adoption. By using simple wording that’s publicly displayed, companies can state that they will not pursue legal action against hackers within a defined security scope.

Well-known software companies like Dropbox and Mozilla — which have significant exposure, developed vulnerability programs, and high levels of responsiveness — are leading the way in safe harbor programs. And the disclosure industry as a whole will benefit.

Matthew Honea is the director of cyber at Guidewire, where he directs a team of experts to develop new analytical products and insurance solutions.

Article source: https://www.darkreading.com/application-security/safe-harbor-programs-ensuring-the-bounty-isnt-on-white-hat-hackers-heads/a/d-id/1334339?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Two teens charged with jamming school Wi-Fi to get out of exams

Two 14-year-old boys have been charged with jamming their school’s Wi-Fi network to get out of taking exams, authorities said on Monday.

According to NJ.com, the New Jersey high school freshmen have been charged with computer criminal activity and conspiracy to commit computer criminal activity. School officials reportedly notified police on Thursday after the Wi-Fi network had been forced to crash multiple times over the course of a week.

According to NorthJersey.com, Capt. Dennis Miller said that school officials at Secaucus High reached out to the Secaucus Police Department to notify them that the two students were part of a “scheme where they would disrupt the school’s WiFi service upon demand.”

Their names haven’t been released, given that they’re minors. The boys were released to their parents and are expected to appear in juvenile family court in Jersey City at an unknown date.

Schools Superintendent Jennifer Montesano said on Monday that the Wi-Fi is back up and is running just fine. She didn’t give details, but she did say that an investigation found two students “who may have been involved in the disruption of our system.”

How did they do it?

Some students told NJ.com that they believe the boys were using a Wi-Fi interrupter program or app to overwhelm the school’s routers with traffic in a denial of service (DoS) attack, which caused the network to fail when students tried to log on to do classwork or take online exams. Nothing on the record says exactly what was used. It’s worth knowing, though, that apps of this kind running on a phone or laptop typically don’t jam radio at all; they flood the network with forged 802.11 deauthentication frames, which is why turning on protected management frames (802.11w) on school access points is a sensible check.

The news outlet talked to a junior at Secaucus High who said that she learned about the Wi-Fi being down when a friend told her that she’d asked one of the suspects to jam the signal during an exam.

It was done both for the exam-averse and for fun, she said:

He was doing it to get out of tests and stuff like that. [One of the boys] was doing it also for [his friend], so she wouldn’t have to take a test during the class. It was a big prank, really.

Jamming phones, Wi-Fi and GPS is illegal

Some students were disgruntled – why should the whole class be disrupted because a few kids didn’t feel like squeezing out some brain juice that day? Others were impressed by the boys’ alleged technical acumen and sported more of a “Meh! Nobody got hurt” reaction, like this 10th grader:

I was surprised on how a kid our age, or close to our age, was able to do something like this.

They are messing with people’s education, but they aren’t harming anyone.

Well, regarding the first point, those students shouldn’t be too impressed by their classmates’ alleged technology smarts. In spite of jammers being illegal to market, sell, or use in the US – except for authorized, official use by the federal government – they’re readily available online for a few hundred dollars.

With regards to nobody getting hurt when Wi-Fi crashes, the Federal Communications Commission (FCC) begs to differ. When you use a jammer, you’re jamming critical communications, the FCC points out in its jammers FAQ:

Jammers are more than just a nuisance; they pose an unacceptable risk to public safety by potentially preventing the transmission of emergency communications. Cell phone jammers do not distinguish between social or other cell phone conversations and an emergency call to a family member or a 9-1-1 emergency responder. Similarly, GPS and Wi-Fi jammers maliciously disrupt both routine and critical communications services.

A few years ago, we saw a man get charged with a felony over jamming his fellow commuters’ phone signals, annoyed as he was with their conversations.

The FCC takes this seriously. It once fined another “cellphone cop” $48,000 for using a jammer on his daily commute around Tampa, Florida, in an attempt to stop fellow motorists from using their mobile phones while driving.

In 2015, the FCC went after a company for the same thing, fining a telecommunications business $750,000 for blocking consumers’ Wi-Fi hotspots at convention centers around the country, thereby preventing people from using their own data plans to escape paying big bucks to the company – Smart City Networks – to use its Wi-Fi service.

Maybe nobody did get hurt with the school Wi-Fi jamming, but no kid should grow up believing this is just a harmless prank. It’s not harmless, and the repercussions can be severe.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5nfsvbU1lOs/

Yahoo! tries! again! with! 3 billion! email! account! theft! payout!

The remnants of internet giant Yahoo! are once again in court with hopes of settling the case over its massive 2013 hack that saw every single one of its three billion email accounts pwned.

The company, once known as Jerry and David’s Guide to the World Wide Web, has submitted a revised settlement package [PDF] to Judge Lucy Koh in the California Northern US District Court. The settlement, if accepted, would apply to Yahoo’s small business and personal email account holders in the US and Israel.

Back in January Koh struck down Yahoo’s first proposed settlement package, ruling that too much of the payout was being earmarked for attorneys, rather than the three billion customers who had their data fall into the hands of hackers.

While Yahoo! has since been broken up into the brands Altaba and Oath, for the sake of this case the two companies are jointly represented under the Yahoo! banner.

Let’s talk about cash, baby

The revised settlement would see Yahoo! agree to pay $117.5m to cover damages as well as credit monitoring for any of the class action members. Another $30m will be earmarked to cover attorney fees, down from $35m in the ill-fated first settlement attempt.

The named plaintiffs in the case, who represented 896 million of Yahoo’s personal and small business email customers exposed in the hack, will be able to claim up to $7,500 for themselves. Everyone else will have to settle for two years of credit monitoring or a one-time cash payout.

For paid and small business accounts, the payout could be as high as $500, or 25 per cent of what they paid for their Yahoo! email service between 2012 and 2016. Free email customers that don’t want credit monitoring (or already bought their own) can instead claim a $100 payout.

In making the case for the settlement, Yahoo! notes that the cost of the credit monitoring service over two years will exceed the cash payout, and there is no limit on how many customers will be able to enroll.

“Importantly, the Credit Monitoring Services are not capped at any enrollment number; hence, if all 196 million Class Members enroll, all will be covered for $24 million — shifting the risk of greater than historically anticipated enrollment to the vendor rather than the Settlement Fund.”

Should Koh ultimately sign off on the settlement, it would join other payouts Yahoo inked to settle the SEC and California State court cases. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/09/yahoo_data_thaft/

King’s College London internal memo cops to account ‘compromise’ as uni resets passwords

Exclusive King’s College London has suffered an IT worry but this time not of its own making – yesterday it warned staff and students that some accounts have been “compromised” due to an apparent brute-force attack on password systems.

The Register has been informed that the raid, which has been ongoing for several days, originates in China and is targeting accounts on the university’s Microsoft Office 365-hosted systems.

The attack comes just days after penetration testers from academic IT outfit JISC revealed that every single university they phished during a test exercise fell for the ruse.

End users at KCL have noticed problems with accessing their university email account using certain clients as security was being beefed up, forcing administrators to issue a memo and explain what is happening.

The KCL missive seen by The Register coyly admitted to the attack, informing some KCL account holders that their passwords had been reset by uni IT bods after the intrusion.

Some of you may have recently experienced difficulties in accessing your email account or been notified by IT that your password has changed. This is because our technical teams in IT have made changes to some accounts at King’s that we suspected may be about to be compromised. Our security teams have been taking steps to protect King’s accounts over recent days after detecting some malicious activity.

The memo then offered some of the usual security advice – use multi-factor authentication, use the KCL standard operating environment and not some comedy homebrew setup, and so forth. The unusual mention of accounts “about to be compromised” suggests a brute-force or dictionary attack: the attacker is still guessing, and IT is resetting passwords on the accounts it judges the guessing most likely to hit. One common step in response to this kind of attack is to block older mail clients that sign in with basic username-and-password protocols, since those can’t enforce multi-factor authentication, and that would explain why some clients stopped working.
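As an added example, not KCL’s tooling or anything from the memo, here is the detection logic that distinguishes the two guessing patterns in Office 365 sign-in data: a brute-force run against one account versus a spray of one guess each across many accounts. The log line format, IP addresses, account names and thresholds are invented for the example.

```python
"""Added example, not KCL's or The Register's code: detection logic an
Office 365 admin would want for the situation described above, run over
constructed sign-in records. The log format is invented for the example
(one line per attempt: timestamp, source IP, user, result); real Azure AD
sign-in logs carry the same fields under different names.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(SUCCESS|FAIL)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts.replace(tzinfo=timezone.utc), "ip": m.group(2),
            "user": m.group(3).lower(), "ok": m.group(4) == "SUCCESS"}


def detect(events: Iterable[dict], window: timedelta = timedelta(minutes=10),
           fail_threshold: int = 20, user_threshold: int = 5) -> Dict[str, dict]:
    """Flag source IPs with many failures inside a sliding time window.

    Many failures against one account is a brute-force / dictionary attack;
    many failures spread over many accounts is a password spray, which is
    the pattern per-account lockout policies miss.
    """
    failures: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e)
    findings: Dict[str, dict] = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        recent: deque = deque()
        for e in fails:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if len(recent) < fail_threshold:
                continue
            users = {x["user"] for x in recent}
            kind = "password_spray" if len(users) >= user_threshold else "brute_force"
            prev = findings.get(ip)
            if prev is None or len(recent) > prev["failures"]:
                findings[ip] = {"kind": kind, "failures": len(recent),
                                "users": len(users), "last_seen": e["ts"]}
    return findings


def analyse(log_text: str) -> Dict[str, dict]:
    """Parse a whole log and return findings keyed by source IP."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return detect(events)


def build_sample_log() -> str:
    """Constructed traffic: one spraying IP, one brute-forcing IP, one human."""
    base = datetime(2019, 4, 9, 8, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(25):  # one guess each against 25 accounts, 10 s apart
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:{fmt}} ip=203.0.113.5 user=user{i:02d}@kcl.example result=FAIL")
    for i in range(22):  # 22 guesses against a single account, 5 s apart
        t = base + timedelta(minutes=1, seconds=5 * i)
        lines.append(f"{t:{fmt}} ip=198.51.100.7 user=bob@kcl.example result=FAIL")
    for i in range(3):   # a person mistyping, then succeeding
        t = base + timedelta(minutes=2, seconds=20 * i)
        lines.append(f"{t:{fmt}} ip=192.0.2.9 user=carol@kcl.example result=FAIL")
    t = base + timedelta(minutes=3)
    lines.append(f"{t:{fmt}} ip=192.0.2.9 user=carol@kcl.example result=SUCCESS")
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, f in analyse(build_sample_log()).items():
        print(ip, f["kind"], f["failures"], "failures across", f["users"], "users")
```

The two thresholds pull in different directions: the spray case trips on the count of distinct users per source, so lowering the per-account lockout limit would not have caught it, while the brute-force case would be caught by either rule. In practice the source IP is often a rotating proxy pool, so the same logic is usually also run keyed on user and on autonomous system.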

At this stage, there have been no reports of an actual breach, damage or loss from this specific incident, aside from the typical mild dose of inconvenience and irritation.

We have asked the London university for a statement of what has happened and will update this article when we hear back.

As regular Reg readers might know, KCL suffered a mega-outage in late 2016 – which saw the near-immediate departure of the university’s head of infrastructure. A single HPE 3PAR appliance which was propping up the entire university’s IT estate decided to put its feet up for a change, as an internal report revealed. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/10/kcl_mass_password_reset/

‘MuddyWater’ APT Spotted Attacking Android

Cyber espionage attack group adds mobile malware to its toolset.

KASPERSKY SECURITY ANALYST SUMMIT – Singapore – A cyber espionage group believed to be out of Iran and known for targeting telecommunications providers and government bodies in the Middle East has added to its arsenal malware for targeting Android devices.

The so-called MuddyWater hacking group, which has been in action since at least 2017, also has created new backdoor malware for spying on its targets, and has been spotted employing false flag tactics to throw off researchers and investigators, according to security researchers at Trend Micro, who here today shared the details of the Iranian hacking team’s latest activities.

MuddyWater’s attack campaigns to date have been focused on gaining access to telecom providers and government entities, initially via spear phishing emails. But despite all of the intel gathered on the gang’s tactics, tools, payloads, and indicators of compromise, Trend Micro researchers Jaromir Horejsi and Daniel Lunghi said MuddyWater’s actual endgame remains a mystery to them.

The Android malware is one of their latest attack tools: the researchers found three samples, two of which they believe were test code dating back to around December 2014. They found clues that the third sample may have been dropped via a compromised Turkish website and targeted victims in Afghanistan. The malware performs classic cyber espionage tasks such as gathering the device’s contacts, call logs and SMS text messages, and can retrieve the device’s geolocation.

“It’s pretty clear that it’s cyber espionage,” Horejsi said. The Android malware is likely yet another spying mechanism they can use on their targets, he said.

“They start infecting the machine and maybe if they need some more information and [their victim] is using mobile apps more, they try to make them install it [the Android malware],” he said.

MuddyWater’s infrastructure historically has encompassed some 30 IPs for command-and-control, six different domain names, eight different cloud service provider accounts, and 4,100 compromised WordPress servers that they use as proxies in their attacks, according to Trend’s findings.

The group has successfully compromised more than 1,600 targets in 55 different organizations, according to Lunghi. “But we don’t see everything,” he said, so this may just be a snapshot of MuddyWater’s scope, he said.

The hacking group recently swapped out its previous command-and-control infrastructure of hacked WordPress websites. That shift may be because they don’t totally control the WordPress sites, and out of concern that the sites could leak information on MuddyWater campaigns and victims, according to the researchers.

False Flags, Weak OPSEC

Horejsi and Lunghi found multiple instances of the attackers posing as hackers from other regions. The attackers have written comments and debugging strings in Chinese in their backdoor Trojan code, quotes in Hebrew from famous Israelis, and even posed behind a Russian username in a rigged document’s metadata, all in an apparent attempt to appear to be from anywhere but Iran.

They use three main custom backdoors: one that uses a cloud service for stealing, storing, and downloading files; a .NET-based one that runs PowerShell to upload and download files; and a Delphi-based one that captures the victim’s system information.

Once the attackers successfully drop their implants, they pivot to known tools such as Meterpreter, Mimikatz, SMBmap, and other IT and security tools to blend into the network.

But MuddyWater has been a bit sloppy, too: it uses weak and breakable cryptography, and the compromised victim servers it relies on are so poorly configured that they ultimately led Trend’s researchers to further victims of the attacks.

In one case, they found in one of the malicious files a screenshot of one of the attackers’ machines that exposed its browser tabs and other information.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/threat-intelligence/muddywater-apt-spotted-attacking-android/d/d-id/1334387?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Shock revelation as massive American presidential election hack confirmed

A student government election in California has taken a bizarre turn after one of the candidates admitted to hacking fellow students in an effort to fix results.

According to local news site Berkeleyside, the unnamed student at Berkeley High School took advantage of weak passwords and default credentials to get into the email accounts of more than 500 fellow students and cast fraudulent votes for themself and another unsuspecting candidate.

The report notes that this year’s student body elections were the first to be held online, with students logging in and casting votes with the Google for Education email address they receive from the Berkeley Unified School District when they enroll in one of the city’s schools.

For those of us who graduated in the days before Google’s school offerings, students use these accounts to complete assignments, communicate with their peers and teachers, and apparently even vote in school elections.

In the midst of the voting period, the student who oversees the school elections noted unusual voting patterns for two candidates running for student-body president and vice president, respectively. The votes were being cast by students alphabetically, at odd hours, and all at once.
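Those three signals make a usable check. The following is an added example, not the school district’s or the election monitor’s code, that scores a vote log for alphabetical ordering, bursts and off-hours activity; the log format, names, timestamps and thresholds are all constructed for the example.

```python
"""Added example, not the school's or Berkeleyside's code: the three
signals the election monitor noticed (alphabetical order, odd hours, a
burst of votes all at once) turned into a check over a constructed vote
log. Line format is invented: timestamp, voter account, candidate.
"""
from datetime import datetime, timedelta
from typing import Dict, List


def parse_votes(text: str) -> List[dict]:
    """Parse constructed vote lines and return them in time order."""
    votes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        votes.append({"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"),
                      "voter": parts[1].lower(), "candidate": parts[2]})
    return sorted(votes, key=lambda v: v["ts"])


def longest_alphabetical_run(votes: List[dict]) -> int:
    """Longest stretch of consecutive votes whose voter names never go backwards.

    A script walking a sorted roster produces one long run; people don't.
    """
    names = [v["voter"] for v in votes]
    best = run = 1 if names else 0
    for prev, cur in zip(names, names[1:]):
        run = run + 1 if cur >= prev else 1
        best = max(best, run)
    return best


def max_votes_in_window(votes: List[dict], window: timedelta) -> int:
    """Most votes cast inside any single window of the given length."""
    times = [v["ts"] for v in votes]
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def off_hours_fraction(votes: List[dict], day_start: int = 7, day_end: int = 22) -> float:
    """Share of votes cast outside the hours a student is plausibly awake."""
    if not votes:
        return 0.0
    odd = sum(1 for v in votes if not day_start <= v["ts"].hour < day_end)
    return odd / len(votes)


def analyse(text: str, window: timedelta = timedelta(minutes=5)) -> Dict[str, object]:
    """Score a vote log; thresholds are judgement calls for a school-sized roll."""
    votes = parse_votes(text)
    result: Dict[str, object] = {
        "alphabetical_run": longest_alphabetical_run(votes),
        "max_votes_in_window": max_votes_in_window(votes, window),
        "off_hours_fraction": off_hours_fraction(votes),
    }
    result["suspicious"] = (result["alphabetical_run"] >= 10
                            or result["max_votes_in_window"] >= 30
                            or result["off_hours_fraction"] >= 0.25)
    return result


def build_sample_log() -> str:
    """Constructed: 40 ordinary daytime votes, then 60 stuffed at 3 a.m."""
    fmt = "%Y-%m-%dT%H:%M:%S"
    surnames = ["lee", "patel", "nguyen", "kim", "garcia", "cohen", "brown", "zhang"]
    lines = []
    day = datetime(2019, 4, 8, 9, 0, 0)
    for i in range(40):  # spread over the school day, names in no order
        t = day + timedelta(minutes=9 * i)
        lines.append(f"{t:{fmt}} {surnames[i % 8]}.{i} candidateB")
    night = datetime(2019, 4, 9, 3, 0, 0)
    for i in range(60):  # sorted roster, three seconds apart, middle of the night
        t = night + timedelta(seconds=3 * i)
        lines.append(f"{t:{fmt}} student{i:03d} candidateA")
    return "\n".join(lines)


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```

Any one of the three signals would have been enough here, and none of them needs access to the accounts themselves, only to the vote timestamps and voter identities the election system already records.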

Lest you think millennials are any better at infosec than us old heads, it turns out the students at Berkeley High (located in the shadow of the UC Berkeley campus, no less) had by and large left the default login (a combination of “Berkeley” and the student’s district ID number) on their Google accounts.

With so many students leaving easily guessed passwords on their accounts, the candidates were able to take control of hundreds of them and cast votes in their favor simply by looking up students’ ID numbers. After the ruse was discovered, the votes were reset and students were allowed to recast their ballots. Not surprisingly, the ballot stuffers did not win this time.

The Berkeley Unified School District did not respond to a request for comment, but hopefully the student passwords were also reset.

While Google for Education does allow for two-factor authentication, the option must be enabled by an administrator, and while most kids these days have smartphones, getting multi-factor set up for an entire school district (Berkeley High School alone has 3,000 students) may not be practical.

Still, the incident should be a warning to students and parents alike to make sure you change your password from the default credentials to something more secure and harder to guess. While the idea of a student hacking an election grabs headlines, in the grand scheme of things there are far worse things that could have been done with these hijacked accounts. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/04/10/berkeley_election_hack/