Todor Donev, a member of the Ethical Hacker research team, says that the vulnerability is found in the ZynOS firmware of the device, D-Link’s DSL-2740R ADSL modem/wireless router.
The firmware is used in gear made by D-Link, TP-Link Technologies and ZTE.
The flaw allows attackers to access the device’s Web administration interface without authentication, and through it to modify the DNS settings, which could allow them to redirect users to malware-laden and phishing sites and prevent them from visiting legitimate sites for OS and software updates (including security software).
Donev released exploit code for the flaw in a security advisory and said that it could be exploited remotely if the device’s interface is exposed to the Internet.
It is not the first time that the firmware has been found a little holey. In March 2014, Internet security research organization Team Cymru uncovered a global attack campaign that compromised over 300,000 home routers and changed their DNS settings. A different vulnerability in ZynOS was exploited in that attack and one of the techniques used was likely CSRF.
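The attacks above work by changing which DNS servers the router hands out, so the simplest defender-side check is to compare the resolvers a client actually received against the ones the network is supposed to use. The following is an added example, not code from the advisory or from any of the vendors named; the expected resolver address and the two resolv.conf samples are constructed for the illustration.

```python
import ipaddress

# RFC 1918 ranges, used only to label a finding as LAN-side or public.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Resolvers this network is supposed to use. Assumed value for the example:
# the router's own LAN address, which forwards lookups upstream.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.1.1")}

# Constructed resolv.conf samples, as a DHCP client would write them.
HEALTHY_RESOLV_CONF = """\
# Generated by the DHCP client
nameserver 192.168.1.1
search home.lan
"""

TAMPERED_RESOLV_CONF = """\
# Generated by the DHCP client
nameserver 203.0.113.53   # rogue resolver pushed by a tampered router (constructed)
nameserver 192.168.1.1
search home.lan
"""


def parse_nameservers(text):
    """Return the resolver IPs listed in resolv.conf-style text, in order.
    Comments, other directives and malformed addresses are skipped."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() != "nameserver" or len(parts) < 2:
            continue
        try:
            servers.append(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue
    return servers


def audit_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Flag every resolver that is not on the expected list.

    Position matters: stub resolvers query servers in the order listed, so an
    attacker who prepends a rogue server captures every lookup even when the
    legitimate server is still present further down."""
    findings = []
    for index, server in enumerate(parse_nameservers(text)):
        if server in expected:
            continue
        lan_side = any(server in net for net in RFC1918)
        findings.append({
            "position": index,
            "server": str(server),
            "scope": "LAN" if lan_side else "public",
            "note": "unexpected resolver"
                    + ("; listed first, so every lookup goes here" if index == 0 else ""),
        })
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY_RESOLV_CONF), ("tampered", TAMPERED_RESOLV_CONF)):
        print(label, audit_resolvers(sample))
```

One caveat: if the router proxies DNS for the LAN, clients only ever see the router's own address as their resolver, and the check has to be run against the upstream DNS servers shown in the router's admin page instead of the client's resolv.conf.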
Security experts at Kaspersky Lab have discovered shared code and functionality between the Regin malware and a similar platform described in a set of Edward Snowden documents disclosed 10 days ago by Germany’s Der Spiegel.
The link, found in a keylogger called QWERTY allegedly used by the so-called Five Eyes, leads them to conclude that the developers of each platform are either the same, or work closely together.
Writing in their blog, Kaspersky Lab researchers Costin Raiu and Igor Soumenkov said that considering the extreme complexity of the Regin platform there’s little chance that it could be duplicated by somebody without access to its source code.
They think that the QWERTY malware developers and the Regin developers were the same or working together.
The Der Spiegel article describes how the U.S. National Security Agency, the U.K.’s GCHQ and the rest of the Five Eyes are allegedly developing offensive Internet-based capabilities to attack computer networks managing the critical infrastructure of their adversaries.
QWERTY is a module that logs keystrokes from compromised Windows machines; Der Spiegel said the malware is likely several years old and has likely already been replaced.
Kaspersky researchers Raiu and Soumenkov said QWERTY malware is identical in functionality to a particular Regin plugin.
Raiu and Soumenkov said within QWERTY there were three binaries and configuration files. One binary called 20123.sys is a kernel mode component of the QWERTY keylogger that was built from source code also found in a Regin module, a plug-in called 50251.
Side-by-side comparisons of the respective source code show that they are close to identical and share large chunks of code.
Regin was discovered in late November by Kaspersky Lab and it was quickly labelled one of the most advanced espionage malware platforms ever studied, surpassing even Stuxnet and Flame in complexity. The platform is used to steal secrets from government agencies, research institutions, banks and can even be tweaked to attack GSM telecom network operators.
Included in the patch are critical fixes for Java SE and the Oracle Sun Systems Products Suite.
All up this means that the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password.
The worst of the bugs are in Java SE, Fujitsu M10-1, M10-4 and M10-4S. In the case of Java SE, a CVSS Base Score of 10.0 was reported for four distinct client-only vulnerabilities.
Writing in the company blog, Oracle said that out of these 19 Java vulnerabilities, 15 affect client-only installations, two affect client and server installations, and two affect JSSE installations.
The blog says that the lower number of Oracle Java SE fixes reflects the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization.
While that might be true, the ton of patches in the rest of the software suggests that while Java is being closely watched, other bits are not.
In the case of the Oracle Sun Systems Products Suite, CVE-2013-4784 has a CVSS rating of 10.0 and affects XCP Firmware versions prior to XCP 2232. Overall, there are 29 security fixes for the suite.
The update also includes eight new security fixes for Oracle Database Server, none of which are remotely exploitable without authentication. Oracle MySQL has nine security fixes.
There are also: 10 fixes for Oracle Enterprise Manager Grid Control; 10 for Oracle E-Business Suite; six for the Oracle Supply Chain Products Suite; seven security fixes for Oracle PeopleSoft products; 17 for Oracle Siebel CRM; one for Oracle JD Edwards Products; two for Oracle iLearning; two for Oracle Communications Applications; one for Oracle Retail Applications; one for Oracle Health Sciences Applications and 11 new security fixes for Oracle Virtualisation.
The attack consists of installing rogue software within Active Directory, and the malware then allows attackers to login as any user on the domain without the need for further authentication.
It has weaknesses as an attack vector — installation requires administrator access or a flaw on the server that grants such access.
But Skeleton Key has some interesting coding which could point to something even nastier in the future. It does not actually install itself on the filesystem. Instead, it’s an in-memory patch of Active Directory which makes detection even more difficult.
Access is not logged and the malware is completely silent and, as a result, extremely hard to detect. Identifying the malware using traditional network monitoring also does not work, because Skeleton Key does not generate any network traffic.
In its current form, the malware does not survive a system reboot, which means that it has to be a continuous hack, but such things are possible, particularly if you have a disgruntled sysadmin.
Companies can also make the malware useless by requiring two-factor authentication to connect to servers, VPN, email and the like. So in other words leaning on passwords is pretty much suicide.
Last month, Google angered Microsoft by releasing the details of a security vulnerability ahead of Microsoft’s Patch Tuesday. Microsoft said that the patch was set to be released two days after Google went live with the details and that Google refused to wait an extra 48 hours so that the patch would have been released along with the details of the exploit.
That would all be fine but Google does not have the same standards for itself. A vulnerability has been uncovered in Android 4.3 (Jelly Bean) – which covers roughly 60 per cent of Android’s install base, according to the Android Developer dashboard – and Google is saying that it will not patch the flaw.
The flaw, which exists in WebView, impacts nearly 1 billion users when using Google’s own numbers as a base along with Gartner figures.
To make matters worse Jelly Bean was first announced in June of 2012, which means that Google is dropping support for its mobile OS less than three years after it was released.
Google is clearly stating that legacy support for the OS is not on their agenda even while phones are still being flogged with Jelly Bean under the bonnet.
The question is why if Google is being such a bastard about its own operating system is it so keen to throw Microsoft under the bus?
The Indian company, C-Cubed Solutions, is alleged to cold-call people, tell them they have had problems with their computers, and con them out of money.
The case claims that representatives from the company claim they represent Microsoft and then attempt to inveigle people into visiting web sites which are infected with malware, according to the Times of India. The caller may also attempt to get remote access to a computer and ask for payment using a credit card under the pretext of providing technical support.
Microsoft says it never calls people cold and advises people who get such calls never to give any information to people who claim to represent it.
The scam doesn’t only affect people in the USA – cold calls have been made to other countries including the UK, Ireland, Australia, Canada and New Zealand.
The Korea Hydro & Nuclear Power Co was hit by a hack earlier this month and data stolen from its system.
But the South Korea energy ministry said today that the control systems for three nuclear reactors were unaffected by the hack, according to a Reuters report.
The energy minister told the South Korean parliament that the worm was most likely transmitted to the computer systems by an infected USB device – a claim that some have their doubts about.
The CEO of Korea Hydro and Nuclear Power told the parliament that all of the country’s reactors were invulnerable to viruses and worms. But nevertheless he said that the firm was hiring more IT security staff to be on the safe side.
Some people believe that North Korea is behind attacks on South Korean computer installations. The two countries are still technically at war with each other.
BT, Sky, and Virgin Media are struggling to get customers to say yes or no to the controversial adult content blocks, because unlike David Cameron, the majority of customers are happy with being able to see what they like.
When a user tries to access any website, BT, Sky, TalkTalk and Virgin Media are required to ask that customer whether they want web filters turned on or off, so they never see anything that would offend Cameron and his blue rinse friends ever again.
According to Wired the measures being taken by ISPs have been described as “completely unnecessary” and “heavy handed” by Internet rights groups.
The hijacking works by intercepting requests for unencrypted websites and rerouting a user to a different page. ISPs are using the technique to communicate with all undecided customers.
If you click on an interesting Channeleye story you could be redirected to a page asking about web filtering. The only way you would be safe is if you only look at encrypted websites.
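Because the interception only works on plaintext HTTP, the same URL fetched over HTTPS gives a clean baseline to compare against. The following is an added example, not code from any of the ISPs or from Channeleye: it parses two raw HTTP responses for the same URL, works out where each one sends the browser, and flags the case where only the plaintext fetch is pushed to a different host. The hostnames and the three responses are constructed for the illustration, not captured traffic.

```python
import re
from urllib.parse import urlsplit

# Constructed samples (not captured traffic). The hostnames are placeholders.
REQUESTED_URL = "http://example.test/story"

# What the browser got over plain HTTP: an in-path box answered the request
# with a redirect to the ISP's "choose your filter" page.
PLAIN_HTTP_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://filter-choice.isp.test/?return=http://example.test/story\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# What the same URL returned over HTTPS, which an in-path box cannot rewrite
# without breaking the TLS session.
TLS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Story</h1></body></html>"
)

# A second interception style: a 200 page whose only job is to bounce the
# browser somewhere else with a meta refresh.
META_REFRESH_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta http-equiv="refresh" '
    'content="0; url=http://filter-choice.isp.test/"></head></html>'
)

META_REFRESH_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)


def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_response(requested_url, raw_response):
    """Describe where a response sends the browser relative to the URL asked for.
    Returns (kind, destination_host)."""
    status, headers, body = parse_http_response(raw_response)
    requested_host = (urlsplit(requested_url).hostname or "").lower()
    destination = None
    if 300 <= status < 400 and "location" in headers:
        destination = headers["location"]
    else:
        match = META_REFRESH_RE.search(body)
        if match:
            destination = match.group(1)
    if destination is None:
        return ("served-in-place", requested_host)
    # A relative Location (no host) stays on the requested host.
    dest_host = (urlsplit(destination).hostname or requested_host).lower()
    if dest_host != requested_host:
        return ("cross-host-redirect", dest_host)
    return ("same-host-redirect", dest_host)


def compare_with_tls_baseline(requested_url, plain_response, tls_response):
    """Flag likely in-path interception: the plaintext fetch is pushed to another
    host while the TLS fetch of the same URL is not. A site that legitimately
    redirects (say, to its www host) does so over both transports and is left alone."""
    plain = classify_response(requested_url, plain_response)
    tls = classify_response(requested_url, tls_response)
    suspected = plain[0] == "cross-host-redirect" and plain != tls
    return {"plaintext": plain, "tls": tls, "interception_suspected": suspected}


if __name__ == "__main__":
    print(compare_with_tls_baseline(REQUESTED_URL, PLAIN_HTTP_RESPONSE, TLS_RESPONSE))
    print(classify_response(REQUESTED_URL, META_REFRESH_RESPONSE))
```

The comparison is deliberately conservative: a cross-host redirect on its own is not evidence of anything, since plenty of sites bounce plaintext visitors to a canonical host, so only a disagreement between the plaintext and TLS fetches is reported.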
BT is blocking people’s browsers until they make a decision, making it impossible for customers to visit any websites once the in-browser notification has appeared.
A spokesperson for the UK’s biggest ISP said: “If customers do not make a decision, they are unable to continue browsing. The message will remain until the customer makes a decision.”
BT said that it is not forcing people to activate BT Parental Controls and if a user selects “No” they will be taken to a confirmation page and be able to continue browsing without the message reappearing.
The digital rights organization Open Rights Group (ORG) said that ISPs risked encouraging customers to trust hijacked sessions by displaying messages in this way.
“How can a customer tell the difference between an ISP hijack and a phishing site made to look the same? There are better ways for ISPs to contact their customers—particularly given that they have our phone numbers, email and actual addresses,” an ORG spokesperson said.
Sky is also hijacking browser sessions to ask customers if they want to turn on its Sky Broadband Shield web filter. Unlike BT, Sky said it would not disconnect or block customers if they refused to make a decision.
Virgin said it had no plans to disconnect or block customers who did not make a decision, adding that its in-browser message about its Web Filters system could be ignored. The ISP did not say how it planned to get any remaining undecided customers to make a decision if they continued to ignore prompts.
However, all this is playing directly into the Government’s hands by setting a precedent. ISPs for years have said that they are not responsible for what their customers see online. By forcing customers to say “yes” or “no” to the web filters they are placing themselves in a role which the government can use.
The next thing could be looking at emails at the request of whatever daft arse idea the government has about terrorism, or childcare.
Researchers at MIT have just gone and invented a programming language called Ur/Web that they claim will let developers write web apps as self-contained programs.
Adam Chlipala, a professor of software tech at MIT claimed Ur/Web makes web pages more secure.
But there’s still some pain for web developers, said Chlipala, because the compiler doesn’t auto-generate style sheets.
Once you’ve typed in your code the compiler takes a long hard look at it and gives a list of CSS classes.
He said that the last thing developers want is for apps to have the ability to read and overwrite passwords. Web frameworks generally speaking assume every little line of a program has complete access to a database. Ur/Web doesn’t, he claims.
MIT didn’t say how you’ll get your paws on the programming language.