The US Ski and Snowboard Association’s misconfigured web server exposed the username and password of a source code management user, putting other USSA websites and data at risk.
A misconfigured server located at services.dev.ussa.org listed the contents of its web directories. One of those directories contained a “swp”, or swap file, of a script, named drupalinstall-v1.5.sh.swp. This type of file is normally created by a text editor such as Vim; it acts as a flag to indicate the file is being edited, and it can be left on the file system if the editor exits abnormally. The script contained a series of commands to install a website and included credentials, presumably for a Subversion instance located at https://it.ussa.org/svn/. Subversion is a software versioning and control system used by developers to manage their source code. The credentials were not tested to see if they were active.
An attacker could easily harvest the credentials from the script and infiltrate its Subversion instance, giving them access to the organization’s source code. What could an attacker do with this access?
Find additional vulnerabilities in code
Discover more credentials allowing them to hack further in
Add malicious code to projects
In addition to the exposed credentials, it is evident the author of the script chose to ignore basic security by not checking for a valid certificate when retrieving data from the Subversion repository. This makes it possible for an attacker to perform a man-in-the-middle attack to steal credentials and manipulate the retrieved data.
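The two defects described above (an editor swap file left in a listable web directory, and a script that passes credentials and trusts any server certificate) are exactly what a routine audit of a web document root should catch. The following scanner is an added example, not UtahCyberCheck’s or USSA’s code; the filename patterns, the svn option regexes, the sample tree and the placeholder credentials are all constructed for this illustration.

```python
import re
import tempfile
from pathlib import Path

VIM_MAGIC = b"b0VIM"  # first bytes of every Vim swap file
# Vim .swp/.swo, Emacs backups (~, #name#) and common manual copies.
ARTIFACT_RE = re.compile(r"(\.sw[a-p]$|~$|^#.*#$|\.(bak|orig|old|save)$)", re.I)
# Constructed patterns for risky svn invocations; extend for curl/wget as needed.
RISK_RE = {
    "svn-credentials": re.compile(r"\bsvn\b.*--(username|password)\s+\S+"),
    "svn-trust-cert": re.compile(r"--trust-server-cert"),
}

def is_vim_swap(path: Path) -> bool:
    try:  # magic bytes catch a swap file even if it was renamed
        with path.open("rb") as f:
            return f.read(len(VIM_MAGIC)) == VIM_MAGIC
    except OSError:
        return False

def scan_file(path: Path) -> list:
    findings = []
    if ARTIFACT_RE.search(path.name) or is_vim_swap(path):
        findings.append("editor-artifact")
    try:  # decode leniently: swap files mix binary headers with text
        text = path.read_bytes().decode("utf-8", errors="replace")
    except OSError:
        return findings
    findings += [label for label, rx in RISK_RE.items() if rx.search(text)]
    return findings

def scan_webroot(root) -> dict:
    """Map each flagged file (relative POSIX path) to its list of findings."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): f
            for p in root.rglob("*") if p.is_file() and (f := scan_file(p))}

def demo() -> dict:
    """Scan a constructed sample tree (placeholder credentials, simplified
    swap-file layout) built in a temp dir; returns the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "scripts").mkdir()
        body = (b"#!/bin/sh\nsvn checkout --non-interactive --trust-server-cert "
                b"--username EXAMPLE_USER --password EXAMPLE_PASS "
                b"https://svn.example.invalid/repo site\n")
        (root / "scripts" / ".install.sh.swp").write_bytes(VIM_MAGIC + b"\0" * 8 + body)
        (root / "index.html").write_text("<html>ok</html>\n")
        return scan_webroot(root)
```

Run scan_webroot against a real document root from a cron job or a pre-deploy hook; any "editor-artifact" hit is a file that should never be served, and any "svn-" hit is a script to rewrite.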
UtahCyberCheck initially reached out to USSA multiple times in December 2019 and January 2020. After receiving no response, I passed this information to the Utah Department of Public Safety, which successfully made contact with those responsible for the website. As of February 15, 2020, the credentials were removed and the server’s web directory contents were no longer listed.
This is not the first time USSA has ignored reports of security issues. As announced in a previous post, the UtahCyberCheck project found and reported multiple serious security issues with USSA websites. However, the organization did not acknowledge or respond to any of the reports, except for fixing the issue above. Future posts will detail these other security problems.
As a security professional, I keep tabs on industry news, especially when it pertains to education and government organizations. Breaches at these types of institutions are announced regularly, usually right after ransomware hits a county office or a university suddenly shuts down most of its servers to stop malware from infecting everything.
I have sympathy for small shops trying to do the best they can and commend them for doing remarkably well given their constraints. That’s one reason why I’m giving my time. But the IT and internet climate is changing, and these organizations need to adapt. It is no longer sufficient to rely on a small local staff to handle the cybersecurity challenges that even the largest companies and governments struggle with.
One dominating characteristic of municipalities and education institutions that contributes to their security posture is their small size. Smaller size means a smaller internet presence, which means a smaller attack surface, so there is a smaller chance an attacker will be able to get a foothold. Think of it like shopping for a specialty grocery item such as soy sauce. A supermarket is practically guaranteed to have it (hopefully in stock), but you could go to half a dozen small convenience stores and still not find it. If a hacker is looking for a particular system to attack, they could try dozens of cities or schools and still not find any that use that system.
On the other hand, the small size means there is no dedicated professional security staff. There are a few IT employees who are good at keeping the computers running but don’t have the time or expertise to adequately protect those systems. Security takes a back seat, if it is thought about at all. When someone does take advantage of a vulnerability (and they will), it’s highly likely to go undetected unless the effects are visible, such as a defaced website or a ransomware attack.
It is my intention to raise awareness of the current situation in a responsible way that will lead to change and improvement. At the very least, I hope people will acknowledge there is a problem.
You can read the original announcement of my project to highlight deficiencies in local government and education.
I am announcing my small, voluntary effort called UtahCyberCheck (short for Utah cybersecurity check) to show there are deficiencies in the current way Utah education and governments are defending against cyberattacks, stopping abuse of their systems, and protecting the data of students and citizens. Although my focus is specific to the state of Utah, I may include other geographic locations from time to time.
The information I present from this effort is an indicator, not a complete picture, of Utah institutions’ cybersecurity posture. A comprehensive evaluation requires much more information than I readily have access to. Instead, I have chosen to find poor practices, vulnerabilities, and evidence of abuse or compromise in public-facing systems that reside on, are managed by, or are owned by education institutions (including school districts and charter schools), the state, and municipalities. The only exceptions are Brigham Young University (BYU) and LDS Business College, because the former is my current employer and the latter is affiliated with my employer. This is a personal project and is not affiliated with or sponsored by BYU.
My actions are not penetration tests. All data is publicly available and legally obtained, and I intend to interpret and follow responsible disclosure guidelines to the best of my abilities. Discovery techniques are non-intrusive and do not affect the confidentiality, integrity, or availability of systems or data.
This effort and subsequent reports should not be taken as a sign of failure, but as a sympathetic act to encourage improvement. We are in an ongoing global cyber-conflict, and the setbacks so far do not mean we have lost. If we are going to succeed in the end, we need to improve upon what we’re doing now.
I gave a hands-on training at the BYU Network Club on October 30. It included a guided lab that let members generate attack activity, then look at IDS, IPS, and Firewall logs to see what those attacks look like from a network perspective. Presentation slides are available.
Network encryption is a game changer for security teams as it makes it more difficult to identify malicious traffic. It may even paralyze some people and cause others to dismiss network security monitoring altogether.