CONCORD — Three months after the state learned that the EZ Pass system was vulnerable to cyber-attack, it is unclear whether the problem is even being addressed. State officials ranging from Michael Balboni, head of cybersecurity for the state, to Governor Chris Sununu have not responded to messages seeking an update, and the EZ Pass default login still is set to memorize users’ credentials.
Even more troubling is that the company the state hired to oversee cybersecurity, Atom Group of Portsmouth, has its own vulnerability problems. When globally recognized cyber expert Andy Jenkinson of the United Kingdom tested Atom Group’s website, he found several errors that could allow hackers to infiltrate the site and obtain personally identifiable information, or PII.
Jenkinson also tested the town of Peterborough’s website which Primex, the municipal insurance provider, had asked Atom Group to harden after the town lost $2.3 million to internet scammers in 2021. A year and a half after that hack, the town’s website remains vulnerable, according to Jenkinson.
Peterborough Town Administrator Nicole MacStay did not respond to a request for comment when provided with Jenkinson’s vulnerability chart.
Jenkinson had warned the Federal Aviation Administration that its computer system was vulnerable, but he said the federal agency had ignored his warnings. The cause of the system crash that temporarily grounded airlines on January 11 has not yet been determined, but Jenkinson said it could be the issue he had pointed out to deaf ears.
The problem is that even experts in internet technology do not recognize the link between DNS vulnerabilities and serious cyberattacks. The common belief is that the most a hacker would achieve is taking over the website without getting into the company files.
The federal government is moving toward comprehensive cybersecurity regulations focused especially on critical infrastructure, recognizing that the current voluntary approach has failed to secure the nation against cyberattacks. The government now requires the reporting of known issues and encourages taking steps to protect data, but it has no enforcement power.
The new directive calls for weekly scanning of internet assets, which include domains, subdomains, servers, and Domain Name Systems (DNS). It is insecure DNS that Jenkinson has been focusing on.
The Danger
Jenkinson says in a post on LinkedIn that the United States is still taking “baby steps” to secure the internet, but, “They have had to address the FACT that Cyber Criminals have caught up with their decades of DNS Manipulation and Abuse to launch Cyberattacks.”
According to Jenkinson, “DNS is still very much neglected, ignored, and dismissed,” yet there are more and more attacks through those vulnerabilities. The Ukraine government, the FBI, LastPass, MediBank, and the well-publicized SolarWinds attack all took place through DNS attacks.
In an attempt to explain a complex problem in terms a novice can understand, Jenkinson likened it to a local post office.
“A Content Distribution Network (CDN) is the equivalent of a DHL or FEDEX global distribution network,” he says. “In both cases ‘packets’ are delivered, only in the digital world, packets of data. All packets must remain secure throughout their entire journey. … In its infancy, DNS was designed purely for convenience to enable humans to work with memorable website addresses (letters) and computers to work with numbers (IP addresses). It was not long before manipulation of DNS was understood and enabled access, data capture, data harvesting, and even data alteration on the fly. This exploitable vulnerability has enabled governments to collate, collect, monitor data, and much more.
“Towards the end of 2018/2019, which coincided with the improvement and enforcement of HTTP to HTTPS for additional security, cybercriminals caught up with what governments had been doing for decades. Cyber criminals commenced their own DNS offensive and started to exploit the very same DNS vulnerabilities agencies had been blatantly exploiting.”
He said, “Many organizations, even security professionals, incorrectly consider their websites as the final destination. They incorrectly believe this is the end of their responsibility to secure their company’s data and digital content. This often includes their clients’ PII data. This is a major error, as this is where the ‘tyres hit the road’ and when insecure, can be easily exploited.”
Using a chart, Jenkinson showed how easy it is for those with an understanding of the process to hack into an insecure DNS position and connect directly to a company’s website. An attacker can harvest data and redirect users to nefarious websites in order to capture, alter, and repurpose data. That can include manipulating login passwords and locking people out of their accounts and networks.
“By doing so an attacker can capture the company, and the company’s clients’ credentials, data, transactions, login details, emails, and much more. The actions can then be played out, often for extended periods. These often go completely undetected due to lax Internet Asset Security.”
He continued, “When you achieve a DNS takeover, you can host any service that takes your fancy, and you can log everything in the process.”
This story originally appeared in the Laconia Daily Sun.