Utah Valley University (UVU) removed two websites with 17-year-old critical vulnerabilities after the UtahCyberCheck found and reported them.Continue reading
In a feat of resiliency, the United States Ski and Snowboard Association (USSA) migrated a service then decommissioned a vulnerable server during the COVID-19 pandemic after the UtahCyberCheck project found a critical vulnerability.Continue reading
As a security professional, I keep tabs on industry news especially when it pertains to education and government organizations. Regularly there are breaches announced by these types of institutions usually right after ransomware hits a county office or a university suddenly shuts down most of its servers to stop malware from infecting everything.
I have sympathy for small shops trying to do the best they can and commend them for doing remarkably well given their constraints. That’s one reason why I’m giving my time. But the IT and internet climate is changing, and these organizations need to adapt. It is no longer sufficient to rely on a small local staff to handle the cybersecurity challenges that even the largest companies and governments struggle with.
One dominating characteristic of municipalities and education that contributes to their security posture is their small size. Smaller sizes means they have a smaller internet presence, which means a smaller attack surface. There is a smaller chance an attacker will be able to get a foothold. Think of it like shopping for a special grocery item such as soy sauce. A supermarket is practically guaranteed to have it (hopefully in stock), but you could got to half a dozen small convenience stores and still not find it. If a hacker is looking for particular system to attack, they could try dozens of cities or schools and still not find any that use that system.
On the other hand, the small size means there is no dedicated professional security staff. There are a few IT employees who are good at keeping the computers running, but don’t have the time and expertise to adequately protect those systems. Security takes a back seat if thought about at all. When someone does take advantage of a vulnerability (and they will), it’s highly likely to go undetected unless the effects are visible such as a defaced website or ransomware attack.
It is my intention to raise awareness of the current situation in a responsible way that will lead to change and improvement. At the very least, I hope people will acknowledge there is a problem.
You can read the original announcement of my project to highlight deficiencies in local government and education.
I am announcing my small, voluntary effort called UtahCyberCheck (short for Utah cybersecurity check) to show there are deficiencies in the current way Utah education and governments are defending against cyberattacks, stopping abuse of their systems, and protecting the data of students and citizens. Although my focus is specific to the state of Utah, I may include other geographic locations may from time-to-time.
The information I present from this effort is an indicator, not a complete picture, of the Utah’s institutions’ cybersecurity posture. A comprehensive evaluation requires much more information that I do not readily have access to. Instead, I have chosen to find poor practices, vulnerabilities, and evidence of abuse or compromises in public-facing systems that reside on, are managed, or owned by education institutions (including school districts and charter schools), the state, and municipalities. The only exception is Brigham Young University (BYU) and LDS Business College due to the fact the former is my current employer and the latter has affiliation with my employer. This is a personal project and is not affiliated or sponsored by BYU.
My actions are not penetration tests. All data is publicly available and legally obtained, and I intend to interpret and follow responsible disclosure guidelines to the best of my abilities. Discovering techniques are non-intrusive and do not affect confidentiality, integrity or availability of systems or data.
This effort and subsequent reports should not be taken as a sign of failure, but as a sympathetic act to encourage improvement. We are in an ongoing global cyber-conflict where just because there are setbacks so far doesn’t mean we have lost. If we are going to succeed in the end, we need to improve upon what we’re doing now.
Be sure to read my next post detailing some motivation behind this project.
1/7/2020 Update to clarify techniques are benign.
2/6/2020 Included statement that BYU is not associated with UtahCyberCheck. Updated title.