Cyber Week in Review: Vermont Utility, Pacemakers, and PHPMailer

Media Division | January 13, 2017

With so much talk lately about the internet of things (IoT), it’s time to focus on some other little things.  This week in cyberland we take a look at electricity, heart rhythms and the little “contact us” part of your website.

From such little things are born great big hacks.

Russia (Does Not) Attack Vermont Utility

Sometimes in the world of cybersecurity you play connect-the-dots around the globe, and the dots just connected a little askew: what was going to be a picture of a teddy bear turns out like a big-eared rabbit.  Or, at least that’s how a recent “attack” on a Vermont electric company looked.

To be fair, there was a recent power grid attack: about one-fifth of Kiev’s power grid went dark after a recent Russian attack.  Plus, the United States and Russia haven’t really been getting along very well in the cyberverse: Russia stands accused of interfering in the democratic process in the United States, and the US has responded with sanctions and possibly even retaliatory attacks.  (Some are even calling it the second Cold War or Cyber Cold War.)

So, when something fishy went on at Burlington Electric in Vermont, it wasn’t long before The Washington Post reported the utility had been hacked.

The only problem is, it wasn’t: an employee laptop (that wasn’t even connected to the grid) may have had some malware on it, and that malware may possibly have been of a type (from an IP address) that has also sometimes been used by the suspected Russian hacking group (or individual, or activities) known as Grizzly Steppe.

Sound a little tough to follow?  Well, that’s probably part of what led to the confusion in the first place.  The point is, the US power grid has not been hacked by Russia.  The two superpowers will have to continue to find other points of disagreement.

Hacking a Heartbeat

In medical news this week: internal (as in: inside your body, not inside an organization) medical devices got a software update after the Food and Drug Administration (FDA) published guidelines on the hack-ability of implantable devices.  Among the affected devices: pacemakers, defibrillators and insulin pumps.

Hospital devices are commonly connected to the internet and implantable devices are frequently cloud-based.  We all know how secure the cloud is (not).

Just like other internet-connected devices, the cloud is subject to its fallibilities.  If that fallibility could interfere with a life-saving insulin dosage or heart rhythm correction, then users have a very real, very immediate problem.

Though scary “what-if” scenarios emerged (such as hackers targeting specific individuals for business or government access, and potential medical blackmail), no actual reports of problems arising as a result of a device hack have emerged, to date.

PHPMailer: the Hack Waiting to Happen

You may use PHPMailer and not even know it.  The ubiquitous, simple mailing solution has been around for nearly 20 years—and in cyber-years that’s about the age of your grandfather.  You may have another web framework, content management system or hosted web server package that includes PHPMailer.

If you do use PHPMailer (and your hosting company will know) and if it isn’t the latest version, it may still have a recently discovered bug: hackers can use a two-stage attack system to sneak a trusted file onto your server and then come back and run the awaiting file.  (It’s kind of like the command injection vulnerability recently discovered in Netgear routers.)

Your PHPMailer could pick up a stray bug when you:

• Confirm a mailing list subscription
• Welcome new users after an account set up
• Acknowledge support requests with a ticket number
• Send out a link for a trial download

Any of those two-step-communication functions was exploitable.  Fortunately, the patch has already been issued.  Just as with other updates: stay tuned for software updates in rapid succession, since bugs often require layered fixes as exploits get uncovered.
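
One way to find the PHPMailer copies bundled inside other packages and flag the ones that are behind, as an added example that is not part of the original article or PHPMailer's own code.  The function names are hypothetical, the sample tree and its version numbers are constructed, and the `1.2.10` minimum is a placeholder for the fixed release named in the PHPMailer advisory.

```python
import os
import re
import tempfile

# PHPMailer 5.x declares $Version in class.phpmailer.php (some bundles rename it
# with a hyphen); 6.x declares a VERSION constant in PHPMailer.php.
CANDIDATES = {"class.phpmailer.php", "class-phpmailer.php", "PHPMailer.php"}
VERSION_RE = re.compile(r"""(?:\$Version|const\s+VERSION)\s*=\s*['"](\d+(?:\.\d+)*)['"]""")

def parse_version(text):
    """Turn '5.2.9' into (5, 2, 9) so that 5.2.10 sorts after 5.2.9."""
    return tuple(int(part) for part in text.split("."))

def find_phpmailer(root):
    """Yield (path, version_string) for every PHPMailer copy under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in CANDIDATES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                match = VERSION_RE.search(handle.read())
            if match:
                yield path, match.group(1)

def outdated_copies(root, minimum):
    """Return sorted (path, version) pairs older than the minimum version."""
    floor = parse_version(minimum)
    return sorted((p, v) for p, v in find_phpmailer(root) if parse_version(v) < floor)

def build_sample_tree(root):
    """Constructed sample: two bundled copies with made-up version numbers."""
    samples = {
        "cms/lib/class.phpmailer.php": "<?php class PHPMailer { public $Version = '1.2.9'; }",
        "app/vendor/src/PHPMailer.php": "<?php class PHPMailer { const VERSION = '1.2.10'; }",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as handle:
            handle.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as web_root:
        build_sample_tree(web_root)
        # "1.2.10" is a placeholder, not a real PHPMailer release number.
        for path, version in outdated_copies(web_root, "1.2.10"):
            print(f"outdated: {version}  {path}")
```

On a real server, point `outdated_copies` at the web root instead of the temporary sample tree.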

Our Little Big Things

So as you plug in or recharge your many internet-connected devices this year, keep in mind the necessity of updating all of those little things, before they become the big things that crash and ruin your day (or life).

Massive's Media Division publishes timely news and insights based on current events, trends, and actionable cross-industry expertise.