“Teachers have been using pens and paper and blackboards in place of technology”

The horror! Cyber attack shut down Idaho school district.

District spokeswoman Kathleen Tuck said the attack came from an email, but officials have not found the specific email that caused it. The district has shut down its network, cutting off internet access to all schools.

There is virtually no technical information on the nature of the attack, but given that it appears to be only “Microsoft” systems that were impacted, and that the source was an email, I’m going out on a limb and guessing phishing, and ransomware, and probably something that should not still be in the news like WannaCry, because I’m betting all those PCs were running unpatched Windows XP. But after all the news on WannaCry, the news of the Florida cities hit with ransomware, and the latest incident hitting Texas cities, actually admitting that you haven’t done a damn thing about cyber security in more than two years won’t look good on a résumé.


23 Texas Cities Hit by Ransomware

Are cities ready to do anything about this yet? New ransomware strike kicks 23 Texas agencies offline.

That’s the regular media article, so it contains virtually no technical info. But that’s the state of the regular media. Well, almost at the end of the article, they do quote ZDNet by mentioning Sodinokibi ransomware, also known as REvil.

So let’s look at ZDNet: Over 20 Texas local governments hit in ‘coordinated ransomware attack’

The attack took place on Friday morning, August 16, US time, when several smaller local Texas governments reported problems with accessing their data to the Texas Department of Information Resources (DIR).

Texas does have a statewide office for dealing with this crap, so at least there is someone for the impacted cities to call, but having 23 cities hit at one time is going to stretch their resources. (That’s a guess on my part, BTW.) And in a statement that surprises no one, this is all the result of a single bad person or group.

There are some indications that the OSTAP Trojan is how this thing moved around in the networks.

UPDATE: Lubbock County was also targeted, but was able to contain the ransomware fairly early on, and was not impacted. The Texas DIR reports that about one quarter of the towns hit in this attack have been able to resume operations. Via Ars Technica.

I am still trying to find some info on how this attack got into 20-plus cities/counties at the same time. At a guess, I would say phishing. The bad guys formulated an email that pretended to be from someone that people working for cities and counties in Texas would trust. (Someone from the state, or an association of mayors, or something.) And then they were in, with either TrickBot or the OSTAP Trojan. (Both of those are often found together.) But the FBI likes to limit any information coming out while they investigate, and most of the “press people” from the cities wouldn’t understand the technical side of things anyway, even if the DIR/tech support folks had time to brief them.

Bluetooth Is Not Secure

More observations on Bluetooth security from Steve Gibson. Via the Show Notes from Security Now, episode 728. Security Now! #728 – 08-20-19

Our longtime listeners will recall that I have several times observed that there is a large though brief period of inherent vulnerability during Bluetooth pairing. You have two unauthenticated devices hoping to perform a secure negotiation. It’s simply not possible to do that securely without some covert out-of-band channel. It’s just not.

There is a constant push today for everything to be easy. Easy is not secure.

You can find the video for Security Now at This Week In Tech TV. Security Now 728 – The KNOB is Broken. If you aren’t interested in all of Security Now, the bit on Bluetooth starts at 1 hour and 45 minutes from the start of this week’s episode. Also see my first posting on this vulnerability.

If There’s a Security Flaw in Steam, But Valve Refuses to Acknowledge It…

Does it still make a noise? You bet. Researcher publishes second Steam zero day after getting banned on Valve’s bug bounty program.

So a security researcher finds an Escalation of Privilege/Local Privilege Escalation bug in Steam, the gaming engine from Valve. He reports it. They say it isn’t a problem. When he tries to make the report public (Valve just said it isn’t a problem) they lock the report, and when he reports it anyway they ban him from the bug-bounty program. And they (try to) fix the problem. (Turns out their fix needs a fix.)

So when the original security researcher found a 2nd zero-day exploit, he was already banned from the bug-bounty program, so he just turned it loose on the world.

EoP/LPE vulnerabilities can’t allow a threat actor to hack a remote app or computer. They are vulnerabilities abused during post-exploitation, mostly so attackers can take full control over a target by gaining root/admin/system rights.

While Valve doesn’t consider these as security flaws, everyone else does. For example, Microsoft patches tens of EoP/LPE flaws each month, and OWASP considers EoP/LPE as the fifth most dangerous security flaw in its infamous Top 10 Vulnerabilities list.

So now the guy is banned, and he is banging on Steam anyway. Way. To. Go.

Furthermore, a well-known and highly respected security researcher named Matt Nelson also revealed he found the same exact bug, but after Kravets, which he too reported to Valve’s HackerOne program, only to go through a similar bad experience as Kravets.

Nelson said Valve and HackerOne took five days to acknowledge the bug, refused to patch it, and then locked the bug report when Nelson wanted to disclose the bug publicly and warn users.

Nelson later released proof-of-concept code for the first Steam zero-day, and also criticized Valve and HackerOne for their abysmal handling of his bug report.

Never Use Any “Found” USB or Lightning Cables

Or anything found for that matter. And you probably need to be aware of anything offered at an incredibly low price. These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer.

Because you are not smarter than the hackers.

It looks like an Apple lightning cable. It works like an Apple lightning cable. But it will give an attacker a way to remotely tap into your computer.

The prototypes (released at Def Con) were hand-made from purchased Lightning cables. Not only did they provide a way to access them remotely (via the internet, if the PC they were plugged into was online), but you could also remotely “self-destruct” the cable if it looked like it was going to be found out. (It would still work as a Lightning cable, just not as a “persistent threat.”) And at close range, you don’t need the internet, just a phone and an app.

There’s a Hak5 talk about how they did a “USB drive” drop – which were actually Hak5 Rubber Duckies – at a security conference. 60 percent (or more) were plugged into a computer. They were dropped at a security conference. Don’t plug stuff into your computer if you just find it.

Bluetooth? I’ll Keep My 3.5mm Headphone Jack, Thanks

This isn’t the first exploit to hit Bluetooth, and it probably won’t be the last. New Attack exploiting serious Bluetooth weakness can intercept sensitive data.

Address book syncing between a car and a phone, keystrokes from a keyboard: it isn’t a particular product that is vulnerable, it is the ENTIRE Bluetooth architecture.

KNOB doesn’t require an attacker to have any previously shared secret material or to observe the pairing process of the targeted devices. The exploit is invisible to Bluetooth apps and the operating system they run on, making the attack almost impossible to detect without highly specialized equipment. KNOB also exploits a weakness in the Bluetooth standard itself. That means, in all likelihood, that the vulnerability affects just about every device that’s compliant with the specification. The researchers have simulated the attack on 14 different Bluetooth chips—including those from Broadcom, Apple, and Qualcomm—and found all of them to be vulnerable.

Architectural level problems are the hardest to fix, though several companies have implemented fixes to “mitigate” the issue.

Yet Another .gov Agency Hit By Ransomware

Second time in two weeks for this county. Another county agency hit by ransomware. No ransom has been requested with the 2nd attack.

The Sheriff’s office is still recovering their servers.

This time, it was servers within Lincoln County Communications that were hacked. Issues were discovered by Lincoln County Information Technology staff around 8:30 p.m. on Tuesday, Aug. 6, according to a press release issued by Bill Gibbs, director of the Lincoln County Communications Center.

Not sure why the delay in reporting…

911 calls are still being handled, but data is going out to police, etc. via radio, not over their computers.

“We’re taking 9-1-1 calls as we did before we got the servers,” Atkins said. “First responders just won’t receive the data over a computer, it’ll come over the radio. That’s the way we did it for years. It’s hard to say if this will slow down response time but I would say it would be negligible.”

I’m sure “negligible” was not how it was described when the funding request for the new 911 communications was proposed.