UPDATED 23:52 EDT / JUNE 21 2018


Click2Gov hacks raise questions about disclosure of related security vulnerabilities

The hacking and theft of personal data from at least 10 U.S. cities, using a software package called Click2Gov from Superion LLC, has been attributed to an unlikely source — raising questions about the need for software companies to disclose vulnerabilities in their products.

The hacks, which started in the summer of 2017, targeted small and medium-sized cities. They included Oceanside, California; Goodyear, Arizona; Fond Du Lac, Wisconsin; Ormond Beach, Florida; and most recently Oxnard, California, on May 31 and Wellington, Florida, on June 6 — all targeted in similar attacks.

Along with the theft of credit card details, the hackers in many cases also installed cryptocurrency mining software on government systems, and it’s that shared behavior that ties the hacks together.

The pattern was first noticed by Risk Based Security’s Inga Goddijn earlier this month. In all cases, only cities with local installations of the Click2Gov software, not the cloud version, were hacked. In many cases, those cities said that they could find nothing wrong with the Click2Gov software in terms of security, because ultimately there wasn’t a security issue with the software itself. Instead, the issue was with Oracle’s WebLogic application server — third-party software required to run Click2Gov, and the path the hackers used to access the systems.

Although the Click2Gov software was not to blame, and ultimately it’s the responsibility of each city to make sure that its systems are secure, Superion was aware of the WebLogic issue, which could have been easily patched. Not only that, it also failed to tell its customers, informing them of the issue only after they had been hacked.

“Typically, it’s a vendor’s responsibility to make sure its own software works,” Joe Uchill at Axios explained. “A separate software package might be the responsibility of the client who installed it or the vendor who made that product,” but “the ordeal has led to confusion about who’s actually responsible for keeping these servers secure.”

Perhaps only because the story was exposed, Superion said it’s now taking a more proactive stance with its clients, including letting them know they have to patch WebLogic. But that’s little solace for the cities and their residents who have seen their data stolen.

Josh Mayfield, director of solutions at Absolute Software Corp., told SiliconANGLE that “what’s striking is the ordinariness of it all. It seems like every week we hear of another breach with an unmistakable finger pointing at vulnerabilities that could have been resolved. Of course, we always want to find a culprit when things go wrong — the vendor, the staff, the other vendor, the system integrator — but exposures go beyond software, middleware, and integration points that later turn into exploits.”

Mayfield noted that misconfiguration itself is a vulnerability. “But when computing resources are hidden from sight, they are left to languish in their weaknesses and those tasked to secure these devices simply do not know about it,” Mayfield added. “Timely response and swift remediation are achievable, given the right knowledge. When that knowledge is missing, so too is our response to a series of unfortunate events.”

Image: Max Pixel
