Tenable Research discovered four zero-day vulnerabilities in IDenticard's PremiSys access control system, which is used by schools, governments, medical centers, and Fortune 500 companies. Currently no patches are available.

Tenable Research discovered four zero-day vulnerabilities in the PremiSys access control system from IDenticard. The first, a hardcoded backdoor account, “allows attackers to add new users to the badge system, modify existing users, delete users, assign permission, and pretty much any other administrative function.”

The ability to “give an attacker unfettered access to the badge system database, allowing him/her to covertly enter buildings by creating fraudulent badges and disabling building locks” is troubling considering that tens of thousands of customers, ranging from K-12 schools, universities, government agencies, and medical centers to Fortune 500 companies, rely on IDenticard for secure key card access.

The researchers warn that there’s also a hardcoded password for viewing backups, a default database username and password combination, as well as user credentials and other sensitive information being stored with weak encryption.

Apparently, the vendor believed the best course of action was to ignore Tenable’s attempts at a coordinated disclosure. After 45 days, Tenable turned to CERT, which the vendor also ignored. Ninety days after trying to responsibly disclose the vulnerabilities, Tenable Research made its findings public.

Renaud Deraison, co-founder and CTO of Tenable, said, “Unfortunately, many manufacturers in the new world of IoT don’t always understand the risks of unpatched software, leaving consumers and enterprises vulnerable to a cyber attack. In this case, organizations that use PremiSys for access control are at a huge risk, as patches are not available.”

Other cybersecurity news

U.S. Secret Service memo warns of criminal gangs using Fuze Cards to evade police

Speaking of cards, a U.S. Secret Service internal memo warned that fraudster gangs are using Fuze Cards to store stolen card data in attempts to avoid getting caught. The cards are marketed as “Your whole wallet in one card,” since Fuze can hold account data for up to 30 credit cards. Krebs on Security got hold of the memo shared with the financial industry, reporting that it stated, “The transaction may also appear as a declined transaction, but the fraudster, with the push of a button, is changing the card numbers being used.”

Ryuk ransomware gang, which made $3.7 million since August, is likely Russian, not North Korean

North Korean hackers were not behind the Ryuk ransomware attack against Tribune newspapers, according to McAfee Advanced Threat Research. Instead, “the most likely hypothesis in the Ryuk case is that of a cyber crime operation developed from a tool kit offered by a Russian-speaking actor.”

The attackers’ methodology of using the TrickBot trojan to target enterprises for Ryuk ransomware was dubbed “big game hunting” by CrowdStrike. “Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98,” the report said.

FireEye added, “Following indiscriminate campaigns, threat actors can profile victims to identify systems and users of interest and subsequently determine potential monetization strategies to maximize their revenue.”

According to Kryptos Logic, “The attribution of attacks will remain difficult, as nation-states can and will use misdirection where possible, and criminal groups are ready to sell access to anyone willing to pay. While, at the same time, the tactics, techniques, and procedures (TTPs) used by both groups are often overlapping, hence yet again increasing the difficulty of attribution.”

Ransomware attack forces Texas city to use pen and paper

The City Hall of Del Rio, Texas, was crippled on Thursday after a ransomware attack. Del Rio officials explained, “The first step in addressing the issue, was for the City’s M.I.S. (Management Information Services) Department to isolate the ransomware, which necessitated turning off the internet connection for all city departments and not allowing employees to log into the system. Due to this, transactions at City Hall are being done manually with paper.” The next step was contacting the FBI, which referred officials to the Secret Service. Neither the type of ransomware nor the reason the Secret Service needed to get involved was revealed.

Other security and privacy tidbits

• If organizations using Schneider Electric’s EVlink Parking charging stations don’t install new firmware, then attackers may exploit flaws that would keep electric car drivers from being able to charge their rides.

• The author of the GPL-licensed text-mode casino game “GPC-Slots 2” has had enough; he’s rescinded the GPL license from Geek Feminists.

• Smartphones are allegedly becoming dumbphones again as vendors make tweaks to squeeze in extra battery saving features. There’s an interesting discussion about this on Hacker News, as well as a rating with bad vendor scores.

• Good luck these days when trying to buy a new TV that isn’t smart. Vizio makes it out like smart TVs are spying on us to actually help us out by keeping prices down.

“CTO of Vizio confirms that Data collection in Smart TV’s is now offsetting the cost of the hardware to the point that a non-Smart TV would have a higher price tag. Just like android phones, user data is used to reduce costs and stay competitive. https://t.co/ZaCwg723dh” – Scott Manley (@DJSnM), January 10, 2019

• Domain registrar GoDaddy was caught injecting JavaScript into websites – script that GoDaddy admitted could slow site performance or result in “broken/inoperable” websites. U.S. customers are automatically opted in to this code, which is part of Real User Metrics, but it can be disabled by admins in the cPanel.

• Russia will reportedly tackle U.S. sanctions by investing in bitcoin to replace the U.S. dollar as a reserve currency.

• Thanks to the government shutdown, more than 80 TLS certificates used by .gov sites expired.

• Rapid7 updated its penetration testing framework, releasing Metasploit 5.0.