Dallin Warne

Clarifying Technical Obfuscation

USSA Poor Security Practices Lead to Leaked IT Credentials

A misconfigured US Ski and Snowboard Association (USSA) web server exposed the username and password of a source code management user, putting other USSA websites and data at risk.

Screenshot of the open directory of a USSA development site.

A misconfigured server located at services.dev.ussa.org listed the contents of its web directories. One of the directories contained a “swp”, or swap file, named drupalinstall-v1.5.sh.swp, belonging to a shell script. This type of file is normally created by a text editor such as Vim: it holds a working copy of the file being edited (which is why the credentials were readable inside it) and acts as a flag that the file is open, and it can be left behind on the file system if the editor exits abnormally. The script contained a series of commands to install a website, including credentials presumably for a Subversion instance located at https://it.ussa.org/svn/. Subversion is a software versioning and control system used by developers to manage their source code. The credentials were not tested to see if they were active.

Screenshot of a script containing credentials. Red is highlighted (redacted) credentials, orange indicates where the script ignores insecure SSL connections.

An attacker could easily harvest the credentials from the script and log in to the Subversion instance, giving them access to the organization’s source code. What could an attacker do with this access?

  • Find additional vulnerabilities in the code
  • Discover more credentials that let them move further into the organization’s systems
  • Add malicious code to projects

In addition to the exposed credentials, it is evident the author of the script chose to ignore basic security by not validating the server’s TLS certificate when retrieving data from the Subversion repository. This makes it possible for an attacker to perform a man-in-the-middle attack to steal the credentials and manipulate the retrieved data.
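As an added illustration of the hygiene check a site owner would run on their own server (this is my example, not UtahCyberCheck’s tooling or anything from USSA): walk the served web root, flag editor swap and backup files that should never be in a published tree, and flag script lines that disable certificate validation or pass credentials inline. The flag spellings it looks for (`--trust-server-cert` for svn, `curl -k`, `wget --no-check-certificate`), the file-name patterns, and the constructed sample tree with a fake password and an example.org host are all assumptions made for the demonstration.

```python
"""Audit a web root for editor leftovers and insecure, credential-bearing scripts.

Added, hypothetical example (not UtahCyberCheck's tooling). It assumes you run
it on a host you administer, against the directory the web server serves.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# Editor artifacts that should never sit in a served directory (assumed common
# names): Vim swap files and backups, Emacs auto-save/lock files, .bak copies.
LEFTOVER_PATTERNS = [
    re.compile(r".*\.sw[a-p]$"),          # Vim swap files (.swp, .swo, ...)
    re.compile(r".*~$"),                   # Vim/Emacs backup copies
    re.compile(r"^#.*#$"),                 # Emacs auto-save files
    re.compile(r"^\.#.*"),                 # Emacs lock files
    re.compile(r".*\.(bak|orig|old)$"),
]

# Command-line spellings that disable TLS certificate validation (assumed set).
INSECURE_TLS = re.compile(
    r"--trust-server-cert|--no-check-certificate|curl\b[^\n]*\s(-k|--insecure)\b"
    r"|GIT_SSL_NO_VERIFY=|PYTHONHTTPSVERIFY=0"
)
# Credentials passed on a command line or assigned in a script.
INLINE_CREDS = re.compile(r"(?P<flag>--password|\bpassw(?:or)?d)\s*[= ]\s*\S+", re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str      # "leftover", "insecure_tls" or "inline_credential"
    detail: str


def _is_leftover(name: str) -> bool:
    return any(p.match(name) for p in LEFTOVER_PATTERNS)


def _redact(line: str) -> str:
    """Keep the flag, drop the secret, so a report never re-leaks a password."""
    return INLINE_CREDS.sub(lambda m: m.group("flag") + " <redacted>", line)


def _scan_content(rel: str, data: bytes) -> list:
    # Swap files are partly binary; decoding with errors="ignore" still exposes
    # the text blocks the editor stores verbatim, which is where secrets live.
    text = data.decode("utf-8", errors="ignore")
    out = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if INSECURE_TLS.search(line):
            out.append(Finding(rel, "insecure_tls", f"line {lineno}: {_redact(line.strip())[:80]}"))
        m = INLINE_CREDS.search(line)
        if m:
            out.append(Finding(rel, "inline_credential", f"line {lineno}: {m.group('flag')}"))
    return out


def audit_webroot(root: str) -> list:
    """Return every finding under root, paths relative to root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            leftover = _is_leftover(name)
            if leftover:
                findings.append(Finding(rel, "leftover", "editor swap/backup file in served tree"))
            # Scan shell scripts and any editor leftover for dangerous content.
            if leftover or name.endswith((".sh", ".bash")):
                with open(path, "rb") as fh:
                    findings.extend(_scan_content(rel, fh.read()))
    return findings


def build_sample_webroot() -> str:
    """Constructed sample tree (fake credentials, fake host) for the demo."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "scripts"))
    script = (
        "#!/bin/sh\n"
        "# constructed sample; nothing here is real\n"
        "svn checkout --non-interactive --trust-server-cert "
        "--username build --password FAKE-PASSWORD-123 https://it.example.org/svn/site\n"
        "curl -k -o drupal.tgz https://files.example.org/drupal.tgz\n"
    )
    # A Vim-style swap file: binary header followed by the buffer text.
    with open(os.path.join(root, "scripts", "drupalinstall-v1.5.sh.swp"), "wb") as fh:
        fh.write(b"b0VIM 8.2\x00\x00" + script.encode())
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>hello</body></html>\n")
    return root


if __name__ == "__main__":
    for f in audit_webroot(build_sample_webroot()):
        print(f"{f.kind:18} {f.path}: {f.detail}")
```

Run it against the sample and it reports the swap file itself, both lines that skip certificate checks, and the inline `--password`, without printing the password. Removing directory listing from the web server hides the file from browsers, but the audit is what tells you the file is still there to be fetched by name.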

Contacting USSA

UtahCyberCheck initially reached out to USSA multiple times in December 2019 and January 2020. After no response, I passed this information to the Utah Department of Public Safety, who successfully made contact with those responsible for the website. As of February 15, 2020, the credentials were removed and the server’s web directory contents were no longer listed.

This is not the first time USSA has ignored reports of security issues. As announced in a previous post, the UtahCyberCheck project found and reported multiple serious security issues with USSA websites. However, the organization did not acknowledge or respond to any of the reports, other than fixing the issue described above. Future posts will detail these other security problems.

Read more about the UtahCyberCheck project on its announcement page.

Update 4/1/2020: Updated featured image.

Phishing Leads to University of Utah Health Data Breach

On Friday, the University of Utah Health (U of U Health) announced a data breach of medical patient information among other data due to a phishing attack.

Continue reading

US Ski and Snowboard Association Riddled with Vulnerabilities, Hacked Website

The UtahCyberCheck project found the US Ski and Snowboard Association (USSA) puts the data of tens of thousands of its members at risk and violates its terms of use and privacy policy by using software with critical vulnerabilities and running at least one hacked website. The association, despite multiple attempts to contact them, has ignored reports about these serious issues.

Continue reading

Odyssey Charter School Website Hacked

A hack of the Odyssey Charter School Website went unnoticed for possibly two-and-a-half years until the UtahCyberCheck project discovered the hack in December 2019.

Continue reading

Utah Cyber Check: The Small Picture

As a security professional, I keep tabs on industry news especially when it pertains to education and government organizations. Regularly there are breaches announced by these types of institutions usually right after ransomware hits a county office or a university suddenly shuts down most of its servers to stop malware from infecting everything.

I have sympathy for small shops trying to do the best they can and commend them for doing remarkably well given their constraints. That’s one reason why I’m giving my time. But the IT and internet climate is changing, and these organizations need to adapt. It is no longer sufficient to rely on a small local staff to handle the cybersecurity challenges that even the largest companies and governments struggle with.

One dominating characteristic of municipalities and education that contributes to their security posture is their small size. A smaller size means a smaller internet presence, which means a smaller attack surface, so there is a smaller chance an attacker will be able to get a foothold. Think of it like shopping for a special grocery item such as soy sauce. A supermarket is practically guaranteed to have it (hopefully in stock), but you could go to half a dozen small convenience stores and still not find it. If a hacker is looking for a particular system to attack, they could try dozens of cities or schools and still not find any that use that system.

On the other hand, the small size means there is no dedicated professional security staff. There are a few IT employees who are good at keeping the computers running, but they don’t have the time and expertise to adequately protect those systems. Security takes a back seat, if it is thought about at all. When someone does take advantage of a vulnerability (and they will), it is highly likely to go undetected unless the effects are visible, such as a defaced website or a ransomware attack.

It is my intention to raise awareness of the current situation in a responsible way that will lead to change and improvement. At the very least, I hope people will acknowledge there is a problem.

You can read the original announcement of my project to highlight deficiencies in local government and education.

UtahCyberCheck Announcement

I am announcing my small, voluntary effort called UtahCyberCheck (short for Utah cybersecurity check) to show there are deficiencies in the current way Utah education and governments are defending against cyberattacks, stopping abuse of their systems, and protecting the data of students and citizens. Although my focus is specific to the state of Utah, I may include other geographic locations from time to time.

The information I present from this effort is an indicator, not a complete picture, of the cybersecurity posture of Utah’s institutions. A comprehensive evaluation requires much more information that I do not readily have access to. Instead, I have chosen to find poor practices, vulnerabilities, and evidence of abuse or compromise in public-facing systems that reside on, are managed by, or are owned by education institutions (including school districts and charter schools), the state, and municipalities. The only exceptions are Brigham Young University (BYU) and LDS Business College, because the former is my current employer and the latter is affiliated with my employer. This is a personal project and is not affiliated with or sponsored by BYU.

My actions are not penetration tests. All data is publicly available and legally obtained, and I intend to interpret and follow responsible disclosure guidelines to the best of my abilities. The discovery techniques are non-intrusive and do not affect the confidentiality, integrity, or availability of systems or data.

This effort and subsequent reports should not be taken as a sign of failure, but as a sympathetic act to encourage improvement. We are in an ongoing global cyber-conflict, and setbacks so far do not mean we have lost. If we are going to succeed in the end, we need to improve upon what we’re doing now.

When I tweet about this project, I will use #UtahCyberCheck.

Be sure to read my next post detailing some motivation behind this project.

1/7/2020 Update to clarify techniques are benign.
2/6/2020 Included statement that BYU is not associated with UtahCyberCheck. Updated title.

Featured Photo by Nikolai Ulltang from Pexels

Presentation Materials – BYU Network Club

I gave a hands-on training at the BYU Network Club on October 30. It included a guided lab that let members generate attack activity, then look at IDS, IPS, and Firewall logs to see what those attacks look like from a network perspective. Presentation slides are available.

Presentation Materials – SAINTCON 2019

I gave a presentation at SAINTCON last month entitled “Is Network Security Monitoring Dead in the Age of Encryption?” The presentation slides are available.

Presentation Materials – Orem Kiwanis, August 2019

I gave a presentation to the Orem, UT Kiwanis chapter on staying digitally safe. The presentation slides are available.

Probable compromise: An investigative approach for encrypted network traffic

Network encryption is a game changer for security teams as it makes it more difficult to identify malicious traffic. It may even paralyze some people and cause others to dismiss network security monitoring altogether.

But does it have to be this way? During a recent SANS webcast entitled Alternative Network Visibility Strategies for an Encrypted World, hosting Zeek/Bro experts, Matt Bromiley said, “(Encryption) just means I have to change my analysis techniques and change the way I approach these particular datasets as well.”

Continue reading

© 2020 Dallin Warne
