Tag: security

D-Link routers vulnerable to Bulgarian exploit

A Bulgarian ethical hacker has found a hole in the firmware of D-Link routers which makes them vulnerable to remote changing of DNS settings and, effectively, traffic hijacking.

Todor Donev, a member of the Ethical Hacker research team, says that the vulnerability is found in the ZynOS firmware of the device, D-Link’s DSL-2740R ADSL modem/wireless router.

The firmware is used in gear made by D-Link, TP-Link Technologies and ZTE.

The flaw allows attackers to access the device’s web administration interface without authentication, and through it to modify the DNS settings, which could allow them to redirect users to malware-laden and phishing sites and prevent them from visiting legitimate sites for OS and software updates (including security software).

Donev released exploit code for the flaw in a security advisory and said that it could be exploited remotely if the device’s interface is exposed to the Internet.

It is not the first time that the firmware has been found a little holey. In March 2014, Internet security research organization Team Cymru uncovered a global attack campaign that compromised over 300,000 home routers and changed their DNS settings. A different vulnerability in ZynOS was exploited in that attack and one of the techniques used was likely CSRF.


Western spooks behind Regin

Security experts at Kaspersky Lab have discovered shared code and functionality between the Regin malware and a similar platform described in a set of Edward Snowden documents published 10 days ago by Germany’s Der Spiegel.

The link, found in a keylogger called QWERTY allegedly used by the so-called Five Eyes, leads them to conclude that the developers of each platform are either the same, or work closely together.

Writing in their blog, Kaspersky Lab researchers Costin Raiu and Igor Soumenkov said that, considering the extreme complexity of the Regin platform, there is little chance that it could be duplicated by somebody without access to its source code.

They think that the QWERTY malware developers and the Regin developers were the same or working together.

The Der Spiegel article describes how the U.S. National Security Agency, the U.K.’s GCHQ and the rest of the Five Eyes are allegedly developing offensive Internet-based capabilities to attack computer networks managing the critical infrastructure of their adversaries.

QWERTY is a module that logs keystrokes from compromised Windows machines; Der Spiegel said the malware is likely several years old and has likely already been replaced.

Kaspersky researchers Raiu and Soumenkov said QWERTY malware is identical in functionality to a particular Regin plugin.

Raiu and Soumenkov said within QWERTY there were three binaries and configuration files. One binary called 20123.sys is a kernel mode component of the QWERTY keylogger that was built from source code also found in a Regin module, a plug-in called 50251.

Side-by-side comparisons of the respective source code show they are close to identical and share large chunks of code.

Regin was discovered in late November by Kaspersky Lab and was quickly labelled one of the most advanced espionage malware platforms ever studied, surpassing even Stuxnet and Flame in complexity. The platform is used to steal secrets from government agencies, research institutions and banks, and can even be tweaked to attack GSM telecom network operators.



Patch that Flash!

Software company Adobe released a security bulletin that patches its Flash Player.
The updates apply to Windows, to the Macintosh, and to the Linux operating system.
The security bulletin said that Adobe is aware of an exploit used in attacks against older versions of the Flash player.
Affected software includes the Flash Player Desktop Runtime, Flash Player for Linux, Flash Player for Google Chrome, and Flash Player for Internet Explorer 10 and Internet Explorer 11.
You can find details of what you need to do by going to this page. The patch itself won’t be available until next week, it seems.

Oracle pushes out huge security update

Database outfit Oracle has pushed out a record number of patches in a security update.

Included in the patch are critical fixes for Java SE and the Oracle Sun Systems Products Suite.

All up this means that the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password.

The worst of the bugs are in Java SE, Fujitsu M10-1, M10-4 and M10-4S. In the case of Java SE, a CVSS Base Score of 10.0 was reported for four distinct client-only vulnerabilities.

Writing in the company blog, Oracle said that of the 19 Java SE vulnerabilities, 15 affect client-only installations, two affect client and server installations, and two affect JSSE installations.

The blog says that the lower number of Oracle Java SE fixes reflects the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization.

While that might be true, the ton of patches in the rest of the software suggests that while Java is being closely watched, other bits are not.

In the case of the Oracle Sun Systems Products Suite, CVE-2013-4784 has a CVSS rating of 10.0 and affects XCP Firmware versions prior to XCP 2232. Overall, there are 29 security fixes for the suite.

The update also includes eight new security fixes for Oracle Database Server, none of which are remotely exploitable without authentication. Oracle MySQL has nine security fixes.

There are also: 10 fixes for Oracle Enterprise Manager Grid Control; 10 for Oracle E-Business Suite; six for the Oracle Supply Chain Products Suite; seven security fixes for Oracle PeopleSoft products; 17 for Oracle Siebel CRM; one for Oracle JD Edwards Products; two for Oracle iLearning; two for Oracle Communications Applications; one for Oracle Retail Applications; one for Oracle Health Sciences Applications and 11 new security fixes for Oracle Virtualisation.

UK open to security abuse

A report from networking giant Cisco revealed that only 41 percent of UK companies have good security processes in place.
That places it well below India at 54 percent, and below the US at 44 percent and Germany at 43 percent.
But the situation is worse in Asia. Only 36 percent of Chinese enterprises have adequate security while Japan has only 24 percent.
Cisco’s annual security review reveals that hackers are moving from compromising servers and operating systems to target individual users’ browsers and emails.
One of the favoured techniques is snowshoe spam, which spreads a large volume of spam emails across a wide range of IP addresses to avoid detection.
Attackers are also taking advantage of the relatively weak security of JavaScript and Flash by attacking both at the same time.
According to the survey, less than 50 percent of firms patch and configure systems to ensure security.
The survey canvassed executives at 1,700 companies and it appears there is a gap in perception with 75 percent thinking their security tools are very effective, while the reality is quite different.


Skeleton Key exposes password flaws

SecureWorks, the security arm of Dell, has found malware which it has dubbed “Skeleton Key” which shows up weaknesses in the password system.

The attack consists of installing rogue software within Active Directory, and the malware then allows attackers to login as any user on the domain without the need for further authentication.

It has weaknesses as an attack vector — installation requires administrator access or a flaw on the server that grants such access.

But Skeleton Key has some interesting coding which could point to something even nastier in the future. It does not actually install itself on the filesystem. Instead, it’s an in-memory patch of Active Directory which makes detection even more difficult.

Access is not logged and the malware is completely silent and, as a result, extremely hard to detect. Identifying the malware using traditional network monitoring also does not work, because Skeleton Key does not generate any network traffic.

In its current form, the malware does not survive a system reboot, which means that it has to be a continuous hack, but such things are possible, particularly if you have a disgruntled sysadmin.
Companies can also make the malware useless by requiring two-factor authentication to connect to servers, VPN, email and the like. So, in other words, leaning on passwords alone is pretty much suicide.

Google chucks rocks in glass house

It seems that there is a large amount of pot calling kettle black when it comes to security.

Last month, Google angered Microsoft by releasing the details of a security vulnerability ahead of Microsoft’s Patch Tuesday. Microsoft said that the patch was set to be released two days after Google went live with the details, and that Google refused to wait an extra 48 hours so that the patch would have been released along with the details of the exploit.

That would all be fine but Google does not have the same standards for itself. An exploit has been uncovered in Android 4.3 (Jelly Bean) – which covers roughly 60 per cent of Android’s install base, according to the Android Developer dashboard – and Google is saying that they will not patch the flaw.

The flaw, which exists in WebView, affects nearly 1 billion users, based on Google’s own numbers combined with Gartner figures.

To make matters worse Jelly Bean was first announced in June of 2012, which means that Google is dropping support for its mobile OS less than three years after it was released.

Google is clearly stating that legacy support for the OS is not on their agenda even while phones are still being flogged with Jelly Bean under the bonnet.

The question is: why, if Google is being such a bastard about its own operating system, is it so keen to throw Microsoft under the bus?

Crooks stole 61 million customer records

Research from IBM said that in 2014 cyber attackers stole 61 million records from retailers.
But that’s just in the USA.
IBM’s survey said that there had been a 50 percent decline in attacks on retail web sites in 2014.
The report said that even though the number of cyber attacks had fallen, the attacks have become much more sophisticated.
IBM’s security services analyse over 20 billion security incidents every day – presumably worldwide.
The attackers are developing sophisticated techniques to grab “massive amounts” of data with each attack.
“The threat from organised cyber crime rings remains the largest security challenge for retailers,” said Kris Lovejoy, general manager of IBM Security Services.
IBM suggested that not all cyber breaches are disclosed.
Big Blue said the primary way cyber gangs gained access was through a method called Secure Shell Brute Force, which now outweighs malicious code.
There has, however, been a rise in malware attacks on point-of-sale systems, but most attacks still came through command injection or SQL injection.
IBM said lack of data validation in SQL databases by system administrators made retail databases a favourite spot to attack.
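The two access methods IBM names above, Secure Shell brute force and SQL injection, are both easy to show from the defender's side. The block below is an added example written for this page, not IBM's code or anything from the report: it flags a source address that racks up repeated SSH password failures inside a short window from constructed sshd log lines, and places the unvalidated string-built query behind a typical injection next to the parameterised form that closes it. The log lines, addresses, table and rows are all constructed sample data, and the log year is an assumption because syslog timestamps do not carry one.

```python
"""Added example: SSH brute-force detection and SQL-injection hardening.

All log lines, addresses and database rows here are constructed samples.
"""
import re
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta

# --- 1. SSH brute force detection ---------------------------------------

# Matches the OpenSSH "Failed password" message in a syslog-style auth log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample auth.log lines (RFC 5737 documentation addresses).
SAMPLE_AUTH_LOG = """\
Jan 14 10:00:01 shop sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Jan 14 10:00:03 shop sshd[2212]: Failed password for invalid user oracle from 203.0.113.5 port 50124 ssh2
Jan 14 10:00:04 shop sshd[2214]: Failed password for root from 203.0.113.5 port 50126 ssh2
Jan 14 10:00:06 shop sshd[2216]: Failed password for invalid user test from 203.0.113.5 port 50128 ssh2
Jan 14 10:00:07 shop sshd[2218]: Failed password for root from 203.0.113.5 port 50130 ssh2
Jan 14 10:00:09 shop sshd[2220]: Accepted publickey for deploy from 198.51.100.7 port 40001 ssh2
Jan 14 10:00:12 shop sshd[2222]: Failed password for alice from 198.51.100.9 port 40010 ssh2
Jan 14 10:30:00 shop sshd[2300]: Failed password for alice from 198.51.100.9 port 40011 ssh2
"""


def parse_failed_logins(lines, year=2015):
    """Yield (timestamp, source_ip, user) for each failed-password line.

    Syslog timestamps carry no year, so one is assumed here (an assumption
    of this example; real tooling takes it from the log's context).
    """
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_ssh_brute_force(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: total_failures} for every source that produced at least
    `threshold` password failures inside some sliding window of `window`."""
    by_ip = defaultdict(list)
    for ts, ip, _user in parse_failed_logins(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


# --- 2. SQL injection: the flaw and the fix -----------------------------

def build_customer_db():
    """In-memory table holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        (1, "ann@example.com", "1111"),
        (2, "bob@example.com", "2222"),
        (3, "cho@example.com", "3333"),
    ])
    return conn


def lookup_vulnerable(conn, email):
    """Deliberately flawed: user input is pasted straight into the SQL text,
    so a value such as ' OR '1'='1 rewrites the WHERE clause."""
    sql = f"SELECT id, email FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Parameterised query: the driver binds the input strictly as data."""
    return conn.execute(
        "SELECT id, email FROM customers WHERE email = ?", (email,)
    ).fetchall()


if __name__ == "__main__":
    print(detect_ssh_brute_force(SAMPLE_AUTH_LOG.splitlines()))
    db = build_customer_db()
    payload = "' OR '1'='1"
    print(len(lookup_vulnerable(db, payload)), "rows via string building")
    print(len(lookup_safe(db, payload)), "rows via parameters")
```

Run stand-alone, the detector reports only the address with five failures in six seconds; the two failures half an hour apart from the other address stay below the threshold. The same payload returns every customer row through the string-built query and nothing through the parameterised one, which is the whole of the "data validation" point: the query text and the data must never be mixed.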


Quantum theory may help net security

Scientists at Griffith University in Queensland claim quantum physics will help protect data on the internet.
The researchers said that so-called “quantum steering” can be used to improve data security over long distances.
Project leader Professor Geoff Pryde boasts that the method his team is engineering promises “absolutely secure information transfer”.
He said: “Your credit card details or other personal data sent over the internet could be completely isolated from hackers.”
The scientists used special photon quantum states to program a measurement device at each step of sending code.
He said that quantum systems would secure long distance comms by generating random and uncrackable code.
That, however, relies on both parties sharing systems. His team has invented a technique called quantum steering, which is used to maintain communication security while removing the need to trust third-party devices.


Microsoft sues Windows scammers

Software giant Microsoft has taken legal action against a company it claims is scamming people by representing itself as a Windows support outfit.

The Indian company, C-Cubed Solutions, is alleged to call people up, tell them there are problems with their computers, and con them out of money.

The case claims that representatives from the company claim they represent Microsoft and then attempt to inveigle people into visiting web sites which are infected with malware, according to the Times of India. The caller may also attempt to get remote access to a computer and ask for payment using a credit card under the pretext of providing technical support.

Microsoft says it never calls people cold and advises people who get such calls never to give any information to people who claim to represent it.

The scam doesn’t only affect people in the USA – cold calls have been made to other countries including the UK, Ireland, Australia, Canada and New Zealand.

Worm found at nuclear control system

A South Korean company was hit by what authorities described as a low-risk computer worm.

The Korea Hydro & Nuclear Power Co was hit by a hack earlier this month and had data stolen from its systems.

But the South Korea energy ministry said today that the control systems for three nuclear reactors were unaffected by the hack, according to a Reuters report.

The energy minister told the South Korean parliament that the worm was most likely transmitted to the computer systems by an infected USB device – a claim that some have their doubts about.

The CEO of Korea Hydro and Nuclear Power told the parliament that all of the country’s reactors were invulnerable to viruses and worms. But nevertheless he said that the firm was hiring more IT security staff to be on the safe side.

Some people believe that North Korea is behind attacks on South Korean computer installations. The two countries are still technically at war with each other.

A British telco hacked my browser

Top British telcos are hijacking their customers’ browsers to make sure that David Cameron’s anti-porn filter rules are enforced.

BT, Sky, and Virgin Media are struggling to get customers to say yes or no to the controversial adult content blocks, because unlike David Cameron, the majority of customers are happy with being able to see what they like.

When a user tries to access any website, BT, Sky, TalkTalk and Virgin Media are required to ask all their customers if they want web filters turned on or off, so that they never see anything that would offend Cameron and his blue rinse friends ever again.

According to Wired the measures being taken by ISPs have been described as “completely unnecessary” and “heavy handed” by Internet rights groups.

The hijacking works by intercepting requests for unencrypted websites and rerouting a user to a different page. ISPs are using the technique to communicate with all undecided customers.

If you click on an interesting Channeleye story you could be redirected to a page asking about web filtering. The only way you would be safe is if you only look at encrypted websites.
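What the interception looks like on the wire is a plain-HTTP request answered not by the site's own server but by an in-path box with a redirect to the ISP's page. The block below is an added example written for this page, not code from any ISP or from Wired or ORG: it parses two constructed raw HTTP responses, the genuine one and a hijacked one, and flags a redirect whose target host is unrelated to the host the browser asked for. The URLs and hostnames are constructed, and the same-site test is a deliberately crude stand-in for a public-suffix-list comparison.

```python
"""Added example: recognising an in-path redirect of a plain-HTTP request.

The request URL, responses and hostnames below are constructed samples.
"""
from urllib.parse import urlsplit

# Constructed: the answer the origin server would normally give.
NORMAL_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 12\r\n"
    "\r\n"
    "<p>story</p>"
)

# Constructed: an in-path box answers instead and bounces the browser to
# a filter-choice page on a hypothetical ISP host.
HIJACKED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://filter-choice.isp.example/?return=http://news.example/story\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed: an ordinary redirect from the site itself (HTTP -> HTTPS).
SELF_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.news.example/story\r\n"
    "\r\n"
)

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, {header: value})."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers


def same_site(host_a, host_b):
    """Same site when one host equals, or is a subdomain of, the other
    (a leading "www." is ignored). Crude on purpose: a production check
    would compare registrable domains via the public suffix list."""
    a = host_a.lower().removeprefix("www.")
    b = host_b.lower().removeprefix("www.")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def is_offpath_redirect(requested_url, raw_response):
    """True when the response redirects to a host outside the site the
    client asked for. That is the signature of the interception described
    above, and equally of a phishing bounce: from the wire alone the
    browser cannot tell the two apart, which is ORG's objection."""
    code, headers = parse_response(raw_response)
    if code not in REDIRECT_CODES or "location" not in headers:
        return False
    requested_host = urlsplit(requested_url).hostname
    target_host = urlsplit(headers["location"]).hostname
    return target_host is not None and not same_site(requested_host, target_host)


if __name__ == "__main__":
    url = "http://news.example/story"
    for label, resp in [("normal", NORMAL_RESPONSE),
                        ("self-redirect", SELF_REDIRECT),
                        ("hijacked", HIJACKED_RESPONSE)]:
        print(f"{label:14s} off-path redirect: {is_offpath_redirect(url, resp)}")
```

Only the third response trips the check. The reason the article's "encrypted websites" caveat holds is that the same in-path box cannot produce an HTTPS response for the origin without a certificate the browser trusts for that name, so over TLS the redirect cannot be injected at all and the check above is never needed.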

BT is blocking people’s browsers until they make a decision, making it impossible for customers to visit any websites once the in-browser notification has appeared.

A spokesperson for the UK’s biggest ISP said: “If customers do not make a decision, they are unable to continue browsing. The message will remain until the customer makes a decision.”

BT said that it is not forcing people to activate BT Parental Controls and if a user selects “No” they will be taken to a confirmation page and be able to continue browsing without the message reappearing.

The digital rights organization Open Rights Group (ORG) said that ISPs risked encouraging customers to trust hijacked sessions by displaying messages in this way.

“How can a customer tell the difference between an ISP hijack and a phishing site made to look the same? There are better ways for ISPs to contact their customers—particularly given that they have our phone numbers, email and actual addresses,” an ORG spokesperson said.

Sky is also hijacking browser sessions to ask customers if they want to turn on its Sky Broadband Shield web filter. Unlike BT, Sky said it would not disconnect or block customers if they refused to make a decision.

Virgin said it had no plans to disconnect or block customers who did not make a decision, adding that its in-browser message about its Web Filters system could be ignored. The ISP did not say how it planned to get any remaining undecided customers to make a decision if they continued to ignore prompts.

However, all this is playing directly into the Government’s hands by setting a precedent. ISPs have said for years that they are not responsible for what their customers see online. By forcing customers to say “yes” or “no” to the web filters they are placing themselves in a role which the government can use.

The next thing could be looking at emails at the request of whatever daft arse idea the government has about terrorism, or childcare.

MIT invents new web programming language

Computer scientists at the Massachusetts Institute of Technology (MIT) think their invention might make life a lot easier if you’re developing web pages.

They’ve just gone and invented a programming language called Ur/Web that they claim will let developers write web apps as a single self-contained program.

The compiler part of the equation auto-generates XML code and style sheet specs, and then just goes right ahead and throws JavaScript and database code where it should be.

Adam Chlipala, a professor of software tech at MIT claimed Ur/Web makes web pages more secure.

But there’s still some pain for web developers, said Chlipala, because the compiler doesn’t auto-generate style sheets.

Once you’ve typed in your code the compiler takes a long hard look at it and gives a list of CSS classes.

He said that the last thing developers want is for apps to have the ability to read and overwrite passwords. Web frameworks generally speaking assume every little line of a program has complete access to a database. Ur/Web doesn’t, he claims.

MIT didn’t say how you’ll get your paws on the programming language.

Apple auto-updates machines

A potential security threat has forced Apple to send an automatic update to machines without people saying yeah or nay to its installation.

Apple developed auto updates some time ago but this is the first time it’s taken advantage of the technique.

Microsoft has been auto updating its operating systems for quite some while, as security threats come to light.

The update patches problems highlighted by Carnegie Mellon University and the US Department of Homeland Security, relating to a part of Apple’s OS X operating system that implements the Network Time Protocol (NTP).

Apple is often perceived as having secure machines not subject to the type of threat Windows machines face.

Apple said the update doesn’t even need people to restart their machines, meaning that most people will have been unaware of the action taken.

Steel furnace hit by hackers

Fears that computer hackers could compromise industrial as well as military and commercial systems have been confirmed.

A report by the German Federal Office for Information Security (BSI) said that a large German steel mill was shut down after hackers stole logins allowing them to compromise the industrial infrastructure.

The BSI did not name the company but said the hackers were sophisticated technically and hacked into software that administered the plant.

They forced the plant to shut down and also compromised a blast furnace.

The news underlines concerns about the extent to which key parts of a country’s infrastructure are open to compromise by hackers.

Over the weekend, hackers compromised some South Korean nuclear installations and published diagrams showing the layout of some installations. The hackers have threatened to damage the nuclear installations themselves if the reactors are not shut down before December 25th.

It’s not known if control systems are vulnerable to such attacks.