Global cyber attack hit municipal website

Cambridge city website users affected

Waterloo Region Record - Front Page - JEFF HICKS, Waterloo Region Record

CAMBRIDGE — A worldwide cyberattack briefly hit the City of Cambridge website last weekend, the city confirms.

During a span of four hours and six minutes on Sunday morning, visitors to Cam­ had their browsers covertly hijacked by cryptocurrency miners while the visitors remained on the website.

How many visitors? An estimated 474, the city says.

Their computers, as silently ordered by a devious secret script, then used their processing power to help hackers solve computational puzzles to create a cryptocurrency called Monero.

The computer owners, who were never asked for permission, had no clue.

The crypto-jacking ended when the user left the city web page or closed it. Still, a weak security link got exploited for the duration of each visit.

The culprit? A text-to-voice plug-in called Texthelp Browsealoud, which is used on the city site to help the visually challenged.

Browsealoud got hacked. Therefore, the city website, and 4,200 other sites using the plug-in around the globe, had been violated too.

Thousands of sites, including the City of Cambridge’s, were compromised. Hundreds of computers — not mobile devices, they don’t have the power to pull off the crypto-deed — got quietly commandeered.

“There was no information stolen from the visitors’ devices,” said George Georgiadis, the city’s chief information officer, on Wednesday.

“At no point was there any attempt to access personal data on the user’s computer,” he added in an email.

That’s what the city is being assured by Browsealoud. No customer data was accessed or lost during the cyber-jacking, which began at 6:14 a.m.

The city says automated security tests by the city’s service provider, eSolutions, detected an issue. Browsealoud was removed from the website at 10:20 a.m.

“These type of incidents are not uncommon,” Georgiadis said.

“It hasn’t happened to us before. But this is not the first time, in theory, that hackers are trying to exploit some sort of vulnerability, in this case it was the Browsealoud vulnerability.”

Texthelp later took down its site while Browsealoud security was to be improved. The site was to remain off-line until Thursday.

“The attacker added malicious code to the file to use the browser CPU in an attempt to illegally generate cryptocurrency,” read a statement posted online by Northern Ireland-based Texthelp.

“This was a criminal act and an investigation is currently underway.”

International security researcher Scott Helme, according to The Guardian, is credited with pointing out the security breach after a friend detected an issue after visiting a United Kingdom government website.

Thousands of sites, some operated by government agencies, were affected from Australia to Europe to Canada, according to a handful of tech news sources. Other Canadian sites, besides Cam­, are among them.

Oshawa, Pickering and Huron County have Browsealoud on their websites.

In Cambridge, as of Wednesday, it hadn’t been decided if Browsealoud would remain on the city website. That is still to be determined.

“I don’t think it’s really used that much,” city spokesperson Susanne Hiller said. “In fact, we were even questioning whether the tool was needed or not. But, obviously, for accessibility purposes, we want to have these tools available.”

The City of Kitchener doesn’t use Browsealoud on its website. The City of Waterloo removed Browsealoud from its site in early 2017.

“We used to have it on our website, but it was never used,” City of Waterloo spokesperson Janice Works said in an email on Wednesday. “The trend has been that individuals have their own technologies available to assist in reading web pages.”

In Cambridge, where online voting will be used for a second straight municipal election come October, the issue of cybersecurity is likely to be front-and-centre in the wake of the Browsealoud hack.

“When you have an online voting system, it does the same kind of thing where it’s loading resources from other websites,” said Aleksander Essex, a Canadian cybersecurity researcher and online voting security expert. “Here you are with a situation where they’re loading, inadvertently and through no fault of their own, they’re loading this crypto-jacking sort of JavaScript. And then, within eight months, they’re going to be deploying online voting. It’s a conversation that needs to be had.”

Last April, Essex spoke to Guelph city council about the security perils of online voting as that council rejected digital advance polls in 2018. Essex, an assistant professor in Western University’s computer engineering department, wants people to be aware of the limitations of cybersecurity in the online voting setting.

“What if, instead of loading a cryptocurrency miner JavaScript, it was delivering a vote stealing JavaScript?” Essex said. “The big worry we have in the voting world is — if your website did get hacked and your votes did get changed, how would you know? Because you’re not supposed to know how people voted.”

Georgiadis says Cambridge will use a qualified service provider, one used by a number of municipalities, to ensure secure online voting in October. Also, extra paper ballots will be ready in case the system crashes.

“Security is always a concern,” Georgiadis said. “The fears of a potential incident — the concern there is not of stolen information. It would be more the concern if something happens and the service is not available.”
