Students Hack Student Information System; Change Attendance, Grades, and Lunch Balance Data


Two students at Bloomfield Hills High School are the main suspects of a hack into the school’s Student Information System called MISTAR. The students are believed to have made changes to the grades, attendance records, and lunch balances of about twenty students and themselves.

The hack was discovered when an employee logged into his account and noticed an error, after which the school investigated the issue and learned about the attack.

The students are suspected to have exploited a now-resolved vulnerability in the school systems to gain access.

“With the assistance of a forensic investigator, we determined that a report that may have contained the usernames and passwords for the Parent Portal may have been run,” the school said in an FAQ on its website after the attack. “As a precaution, a letter will be mailed to all parents detailing how to change their Parent Portal credentials. Should we determine that additional information contained within MISTAR was accessed without authorization, we will provide impacted individuals with notification.”

The school has announced that it will be resetting all Parent Portal passwords on Monday, May 21, 2018, which will then require all parents/guardians to reset their individual password upon returning to the system.

While the investigation is ongoing and the school is still reviewing its digital security, it has said that, “Modifications will be made as necessary to our internal practices and the district plans to conduct internal staff and student training in addition to what has been provided in the past or is normal, ongoing training.”

“We are committed to using this unfortunate incident to teach our students about digital citizenship and help support them in making better digital decisions,” the school further announced.


In a YouTube video, Bloomfield Hills High School superintendent Robert Glass said that the punishment for the culprits of the attack is likely to be severe.

“Cyber hacking is a federal crime and we're working with the proper authorities to determine the appropriate discipline and legal ramifications," he said. "Due to student privacy laws, we're not able to disclose more information but we can assure you that we're working within the full extent of the Student Code of Conduct and the full extent of the law."

The school has also established a support hotline, aside from their FAQ page, where parents can reach out to learn more or have their questions about the hack answered.


Security flaw in India Post server revealed by researcher

French security researcher Robert Baptiste who goes by Elliot Anderson on Twitter has been revealing cybersecurity flaws in the Indian scene for a while now. This time, he has reported a vulnerability on the India Post server that allows remote code execution.

Baptiste has in fact reported this flaw in place of an Indian researcher who chose to remain anonymous because of legal implications in face of Indian law.

The subdomain of India Post — digitization.indiapost.gov.in — was vulnerable to an Apache vulnerability i.e. CVE 2017-5638. It meant that the attacker would be able to run code on India Post server, as shown below:




The flaws led to exposed bank details of employees as well as databases of sensitive information. He posted several screenshots of the files he was able to access by exploiting the flaw.


He also revealed that he was not the first person to exploit these flaws and posted screenshots that show activity from almost a year ago on 14th April, 2017.


The vulnerability has since been fixed, leading to Elliot Anderson tweeting out the details of this recent hack.




BIND 9 Resolver crashes after logging an error in query.c

Security Advisory from isc says that they got report from many Organizations across the Internet about crashes interrupting service on BIND 9 nameservers performing recursive queries.

Affected servers crashed after logging an error in query.c with the following message: "INSIST(! dns_rdataset_isassociated(sigrdataset))" Multiple versions were reported being affected, including all currently supported release versions of ISC BIND 9. ISC is actively investigating the root cause and has produced patches which prevent the crash.

Affected Version:
All currently supported versions of BIND, 9.4-ESV, 9.6-ESV, 9.7.x, 9.8.x

Description:

An as-yet unidentified network event caused BIND 9 resolvers to cache an invalid record, subsequent queries for which could crash the resolvers with an assertion failure. ISC is working on determining the ultimate cause by which a record with this particular inconsistency is cached.At this time we are making available a patch which makes named recover gracefully from the inconsistency, preventing the abnormal exit.

The patch has two components. When a client query is handled, the code which processes the response to the client has to ask the cache for the records for the name that is being queried. The first component of the patch prevents the cache from returning the inconsistent data. The second component prevents named from crashing if it detects that it has been given an inconsistent answer of this nature.

Solution for this vulnerability: 
Upgrade BIND to one of the following patched versions: BIND 9.8.1-P1, 9.7.4-P1, 9.6-ESV-R5-P1, 9.4-ESV-R5-P1