Millions of network routers vulnerable to hijacking

December 31, 2014 jrivett Leave a comment

As many as twelve million routers in use in homes and businesses around the world contain a bug that makes them vulnerable to a particular form of attack. Routers made by Linksys, D-Link, Edimax, Huawei, TP-Link, ZTE, ZyXEL and others are affected (see this list of affected routers – warning: PDF).

The vulnerability exists in a particular piece of software called RomPager. This software is embedded in the firmware of the affected routers.

Routers typically provide a mechanism for updating their firmware, but router manufacturers are often slow to provide updates, and the update process can be problematic, especially for regular users.

As a result, this problem is likely to hang around for years, and will not be completely eliminated until all of the affected routers are updated or replaced.

Internet, Internet crime, Privacy, Security, Spam and scams

Even the crappiest computer is worth hacking

December 30, 2014 jrivett Leave a comment

If you’re like a lot of other typical users, you may believe that nothing on your computer makes it a worthwhile target for malicious hackers. You may even feel that this means you’re relatively safe from hackers. Think again.

To a malicious hacker, the Internet is a vast, mostly untapped ocean of computing resources, ready for them to compromise and put to work in numerous ways to help them and hurt you.

Brian Krebs created and posted the image below to remind people of all the ways their computers can be secretly used for nefarious purposes. Although the post is a couple of years old, it’s still relevant.

Hackers can use your computer for dozens of nefarious activities.

Security, WordPress and other CMS

Another serious WordPress plugin vulnerability

December 20, 2014 jrivett Leave a comment

As many as 100,000 web sites built with WordPress have been compromised through a vulnerability in a plugin named ‘RevSlider’ (aka ‘Revolution Slider’, aka ‘Slider Revolution’). Attackers used the vulnerability to add malicious code to the compromised sites, which resulted in those sites serving up the malicious code to site visitors.

Unfortunately, the RevSlider plugin is not free, and as such it typically can’t be updated using the standard WordPress update mechanism. Worse still, the plugin is often included in commercial themes, in which case the theme developer must obtain the updated plugin, create a new package for the theme that includes the new plugin, then make that package available to their customers. Because of these hurdles, many affected sites have not yet been updated.

If you manage a WordPress site that uses RevSlider, you should determine whether it was purchased directly or as part of a commercial theme, then obtain an appropriate update and install it as soon as possible.

Internet crime, Security

Sony should fire their senior management

December 15, 2014 jrivett Leave a comment

Clarification: this attack affected Sony Pictures Entertainment, which is a subsidiary of Sony. As far as we know, the attack did not affect any other parts of Sony.

By now you’ve almost certainly heard about the massive, comprehensive breach of all Sony’s computer systems.

It’s now clear that the attackers gained access months (if not years) ago, and took their time expanding their reach until they had access to almost every system and server controlled by Sony. The attackers then downloaded massive amounts of data from Sony systems, including unreleased films, personal data about employees, internal (and in some cases extremely embarrassing) internal emails, and so on. The final step for the attackers was to wipe hard drives. That’s the point at which Sony finally learned that their systems had been hacked, tipped off by someone who doesn’t even work for Sony.

At this point it’s difficult to estimate the damage, but Sony will be feeling the effects for years to come.

Incredibly, this isn’t the first time Sony has been hacked. In fact, they’ve been hacked as many as 56 times in the last decade or so. Each time this happened, Sony had an opportunity – and a serious responsibility – to improve their security. Instead, as is clearly evident from the details of this most recent attack, Sony has done little or nothing to beef up its security.

Still, one can almost feel some sympathy toward Sony. That is, until you look at what Sony is doing about the latest attack. In a move that only the most clueless corporate lawyer would recommend, Sony is now threatening anyone who reports on this attack, including noted security writer Brian Krebs.

Worse still, there are reports that Sony is performing DDoS attacks against sites that host information take from Sony systems. If true, this is a mind-bogglingly short-sighted move.

Dear Mr. Sony: you should now fire all your senior management. I’m not kidding. These people have – and will continue to – hurt you more than they can possibly help. Time to cut your losses.

Update 2014Dec20: Ars Technica has more.

Update 2014Dec23: Bruce Schneier’s post about this is recommended reading. He looks at some of the ridiculous reactions to this attack and presents a sensible overview of what we really know.

Tools

Latest Ouch! newsletter: all about anti-virus software

December 15, 2014 jrivett Leave a comment

This month’s Ouch! newsletter (PDF) from SANS provides a useful overview of anti-virus software, including several helpful tips. Recommended reading for ordinary users.

Microsoft, Patches and updates, Windows 7

Another bad patch from Microsoft

December 14, 2014 jrivett Leave a comment

One of the updates from last week’s Patch Tuesday apparently caused problems for numerous Windows 7 and Windows Server 2008 users.

The update, KB3004394, was issued to increase the frequency of root certificate updates from weekly to daily, thereby improving overall system security.

Unfortunately, once the update was installed on affected computers, some software and driver installation programs no longer worked as expected.

Microsoft initially recommended uninstalling the problematic update, but has now released another update (KB3024777) that fixes the problem.

Ars Technica has additional details.

Adobe, Chrome, Flash, Google, Patches and updates

Chrome 39.0.2171.95 adds latest Flash

December 10, 2014 jrivett Leave a comment

As expected, Google just announced a new version of Chrome with the latest embedded Flash. Version 39.0.2171.95 also includes fixes for a few minor issues. Aside from the Flash update, none of the changes appear to be related to security.

Internet, Internet crime, Privacy

The problem with Tor

December 10, 2014 jrivett Leave a comment

Tor is a collection of software that allows its users to access Internet-based resources anonymously. There are a lot of legitimate reasons why a person might want to remain anonymous on the ‘net. Unfortunately, Tor (as well as other proxy and anonymizing services) also allows unscrupulous persons to hide their illegal activities. A recent study shows that a large proportion of attacks against banking sites arrived via Tor.

As a result, major web sites are increasingly blocking access from Tor nodes, in the hope that this will reduce the overall amount of access by those seeking to do damage or obtain private information. The problem is that Tor users with no evil intent are then also prevented from using such sites.

The Tor developers are aware of this problem, and are working to keep Tor relevant by working with site owners to find ways to prevent improper access without blocking Tor completely.

So far there doesn’t appear to be a good, long-term solution to this problem. However, it may be useful to recognize that Tor is just a tool, and like all other tools, it can be used for good, evil, or anything in between. A better approach to security than wholesale blocking is to improve security on the host.

Adobe, Flash, Internet Explorer, Microsoft, Patches and updates, Security, Windows

Patch Tuesday for December 2014

December 9, 2014 jrivett Leave a comment

It’s patch time again.

As expected, Adobe released updates for Reader/Acrobat, but they also issued updates for Flash. The new version of Reader/Acrobat is 11.0.10, and it addresses at least twenty vulnerabilities.

The latest version of Flash is 16.0.0.235 (on most platforms), and it fixes six vulnerabilities in previous versions. As usual, Google Chrome will update its own internal Flash, and Microsoft will offer Flash updates for Internet Explorer on Windows 8.x via Microsoft Update. Note that Adobe also released Flash 15.0.0.246, which apparently fixes the same issues in earlier versions of Flash 15.

Meanwhile, Microsoft today released seven bulletins and associated patches. The patches address vulnerabilities in Windows, Internet Explorer, and Office. There’s a useful summary on the MSRC blog.

Brian Krebs has additional details.

Internet crime, Security, Spam and scams

Holiday season warning: beware phony ‘order confirmation’ emails

December 5, 2014 jrivett Leave a comment

Brian Krebs recently posted an excellent article about a specific kind of malicious email currently showing up in inboxes everywhere, just in time for the holiday shopping season.

Most web stores send email order confirmations when you buy something, and that’s a good thing. Unfortunately, these emails can be faked easily enough, and the unwary recipient may not notice that the sender’s address doesn’t look quite right, or that the language in the message is somewhat unprofessional. Clicking a link in one of these emails is an extremely bad idea, since it’s likely to lead to browser hijacking, malware, or both.

boot13

Monthly Archives: December 2014