Category Archives: Hardware

A warning to Lenovo PC users

PC manufacturer Lenovo has been shipping PCs with an extraordinarily nasty piece of adware called Superfish.

The basic concept is bad enough: Superfish watches your Internet activity and injects advertisements into web pages. But Superfish is much worse than that, since in the process of hijacking your web sessions, it opens your PC to ‘man in the middle’ attacks.

Lenovo has been downplaying the risks involved, while analysts continue to demonstrate just how bad this situation really is.

Affected models include:

  • G Series: G410, G510, G710, G40-70, G50-70, G40-30, G50-30, G40-45, G50-45
  • U Series: U330P, U430P, U330Touch, U430Touch, U530Touch
  • Y Series: Y430P, Y40-70, Y50-70
  • Z Series: Z40-75, Z50-75, Z40-70, Z50-70
  • S Series: S310, S410, S40-70, S415, S415Touch, S20-30, S20-30Touch
  • Flex Series: Flex2 14D, Flex2 15D, Flex2 14, Flex2 15, Flex2 14(BTM), Flex2 15(BTM), Flex 10
  • MIIX Series: MIIX2-8, MIIX2-10, MIIX2-11
  • YOGA Series: YOGA2Pro-13, YOGA2-13, YOGA2-11BTM, YOGA2-11HSW
  • E Series: E10-30

You can confirm that your computer is affected using the Superfish CA test (offline as of 2016Jan06).

Anyone who owns or uses one of these models should follow the Superfish removal instructions or ask their IT/support person to look into it.

Update 2015Feb21-1: Lenovo may be starting to recognize and admit their mistake. Meanwhile, Superfish (developers of the adware) remains defiant, and Komodia (who develop spyware that is apparently at the heart of this issue) is saying nothing at all.

Update 2015Feb21-2: Microsoft has added Superfish detection and automatic removal to Windows Defender.

Update 2015Feb21-3: Lenovo’s CTO is still in denial, saying the vulnerability is ‘theoretical’.

Update 2015Feb21-4: Ars Technica takes a closer look at the Komodia software and the risks related to the way it was used by Superfish.

Update 2015Feb21-5: Superfish (the company) has a history of annoying people with their intrusive technologies. That hasn’t stopped them from making a ton of money, however. The company’s CEO is insisting that they did nothing wrong, but doesn’t address the specific technical concerns.

Netgear routers vulnerable to attack

Several popular wireless routers made by Netgear are susceptible to attacks using a recently-discovered vulnerability in their firmware.

From the original report, posted by Peter Adkins on the Full Disclosure mailing list:

Platforms / Firmware confirmed affected:
----
NetGear WNDR3700v4 – V1.0.0.4SH
NetGear WNDR3700v4 – V1.0.1.52
NetGear WNR2200 – V1.0.1.88
NetGear WNR2500 – V1.0.0.24

Additional platforms believed to be affected:
----
NetGear WNDR3800
NetGear WNDRMAC
NetGear WPN824N
NetGear WNDR4700

Anyone using one of these routers should immediately confirm that its web interface is NOT enabled for access from the WAN/Internet. If possible, it should also be configured to restrict access to the admin interface to specific IP addresses on the LAN.

A CVE number has not yet been assigned to this vulnerability. Hopefully Netgear will release firmware updates to address this flaw in the near future.

Hard drive torture tests reveal alarming failure rates for Seagate drives

Ars Technica recently reported on hard drive performance data collected by cloud backup service provider Backblaze.

Backblaze uses regular consumer-grade hard drives due to their low cost and adequate reliability. Since their hard drives are running and active constantly, Backblaze carefully monitors drive reliability. As a public service, the results are published yearly.

In this year’s performance results, the reliability winner is once again HGST. Now part of Western Digital, HGST was formerly Hitachi, and before that IBM’s hard drive division.

What really stands out in this year’s report is the failure rates of Seagate drives, which were as high as 43% for some models.

In the shifting world of hard drive reliability, it’s difficult to make realistic recommendations. But if you’re building a system that you plan to leave running 24/7, you might want to consider avoiding Seagate drives, at least for the next few months. Seagate will probably react to these numbers and improve reliability for their consumer grade drives.

DDoS services powered by compromised routers

Malicious hackers are increasingly using compromised, consumer-grade routers to amplify the power of their DDoS attacks. Ordinary users are often unaware that their network devices can be compromised, and even less likely to recognize any actual compromise.

Adding to the problem is the slow pace – or utter lack – of security updates from device manufacturers. Even when updates are made available, users are unlikely to know about them, and in most cases don’t possess the skill required to install them.

All of this makes routers attractive targets. Ars Technica reports on one DDoS-for-hire service that uses a vast network of compromised routers.

There’s a related post on Brian Krebs’ blog. Scroll down to ‘ROUTER SECURITY 101’ for some useful recommendations. At the very least, log in to your router’s admin interface and check for any available security updates.

Millions of network routers vulnerable to hijacking

As many as twelve million routers in use in homes and businesses around the world contain a bug that makes them vulnerable to a particular form of attack. Routers made by Linksys, D-Link, Edimax, Huawei, TP-Link, ZTE, ZyXEL and others are affected (see this list of affected routers – warning: PDF).

The vulnerability exists in a particular piece of software called RomPager. This software is embedded in the firmware of the affected routers.

Routers typically provide a mechanism for updating their firmware, but router manufacturers are often slow to provide updates, and the update process can be problematic, especially for regular users.

As a result, this problem is likely to hang around for years, and will not be completely eliminated until all of the affected routers are updated or replaced.

UPnP now being used for DDoS attacks

The troubled Universal Plug and Play protocol has a new problem: malicious hackers are increasingly using it as the basis for Distributed Denial of Service attacks.

UPnP is a set of protocols – intended to be used with home networks – that simplifies the process of making connections between network-enabled devices. Unfortunately, misconfigured devices often make UPnP devices visible on the Internet, allowing easy access for intruders.

Now, according to Internet content caching service provider Akamai, those exposed UPnP devices are being used for DDoS attacks. Specially-crafted requests are sent to such devices, so that replies from those UPnP devices are sent to the DDoS target, flooding it with traffic.

If you think you may have UPnP devices that are exposed to the Internet, or just want to make sure you don’t, head over to Steve Gibson’s ShieldsUp site. Click the Proceed button, then on the next page, click the big button labeled GRC’s Instant UPnP Exposure Test. After a moment or two, your results will be shown.
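The reflection pattern described above can also be spotted from the home-network side. The following is an added example, not part of the original post: it scans flow records for LAN devices that answer UPnP discovery (SSDP, UDP port 1900) queries arriving from outside the LAN and reports how much larger the replies are than the requests. The record layout, the LAN range and the sample flows are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

SSDP_PORT = 1900  # UPnP discovery (SSDP) runs over UDP port 1900
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN range

# Constructed UDP flow records (not real traffic): src sport dst dport bytes.
# External addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
203.0.113.50 4444 192.168.1.20 1900 110
192.168.1.20 1900 203.0.113.50 4444 3300
203.0.113.50 4444 192.168.1.20 1900 110
192.168.1.20 1900 203.0.113.50 4444 3150
192.168.1.10 50000 192.168.1.20 1900 120
192.168.1.20 1900 192.168.1.10 50000 900
198.51.100.7 53124 192.168.1.30 443 600
"""

def parse_flows(text):
    """Yield (src, sport, dst, dport, bytes) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, size = line.split()
        yield (ipaddress.ip_address(src), int(sport),
               ipaddress.ip_address(dst), int(dport), int(size))

def find_reflectors(flows, lan=LAN, min_ratio=5.0):
    """Return {(lan_device, external_ip): (bytes_in, bytes_out, ratio)} for LAN
    devices that answer SSDP queries arriving from outside the LAN. If the
    query's source address was spoofed, external_ip is where the flood lands."""
    bytes_in = defaultdict(int)   # external -> device, to UDP/1900
    bytes_out = defaultdict(int)  # device -> external, from UDP/1900
    for src, sport, dst, dport, size in flows:
        if dport == SSDP_PORT and dst in lan and src not in lan:
            bytes_in[(str(dst), str(src))] += size
        elif sport == SSDP_PORT and src in lan and dst not in lan:
            bytes_out[(str(src), str(dst))] += size
    findings = {}
    for key, received in bytes_in.items():
        sent = bytes_out.get(key, 0)
        if sent and sent / received >= min_ratio:
            findings[key] = (received, sent, round(sent / received, 1))
    return findings

if __name__ == "__main__":
    for (device, peer), (rx, tx, ratio) in find_reflectors(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{device} answered SSDP from {peer}: {rx} B in, {tx} B out ({ratio}x)")
```

Any finding means a device on the LAN is reachable on UDP/1900 from the Internet; the LAN-only discovery exchange in the sample is deliberately not flagged.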

USB firmware hacks published

We recently reported a new potential security threat in the form of hacked USB device firmware.

The details of the original hack were not reported by its discoverers, since it seemed likely that the vulnerability was widespread and difficult to fix.

Now a second team of researchers has published working code for a similar hack. Reactions have been mixed, with some categorizing this move as irresponsible.

This is probably going to get a lot worse before it gets better. There’s currently no way to detect whether a USB device has been hacked. Traditional anti-malware software is useless for this purpose.

Hopefully you were already exercising caution when using thumb drives, viewing drives from unknown sources with suspicion. With this new vulnerability, there’s probably no way to be perfectly safe unless you stop using thumb drives completely. Since that’s not practical for many users, you can stay relatively safe by making sure that your thumb drives are always on your person or stored in a secure location when not in use. So much for convenience.

Shellshock: a very bad vulnerability in a very common *nix tool

Linux and other flavours of the Unix operating system (aka *nix) run about half of the world’s web servers. Increasingly, *nix also runs on Internet-enabled hardware, including routers and modems. A huge proportion of these systems also have BASH configured as the default command interpreter (aka shell).

A serious vulnerability in BASH was recently discovered. The full extent of the danger related to this vulnerability has yet to be determined, because the bug opens up a world of possible exploits. As an example, the bug can be demonstrated by issuing a specially-crafted request to a vulnerable web server that results in that server pinging another computer.

Patches that address the vulnerability (at least partially) became available almost immediately for most Linux flavours. Apple’s OS X has yet to see a patch, but presumably that will change soon, although Apple has been oddly slow to respond to issues like this in the past.

Most average users don’t need to worry about this bug, but if you run a web server, or any server that’s accessible from the Internet, you should make sure your version of BASH is updated.

As new information emerges, I’ll post updates here.


Update 2014Sep27: The first patch for BASH didn’t fix the problem completely, but another patch that does is now available for *nix systems. Still nothing from Apple for OS X. Scans show that there are thousands of vulnerable web servers on the Internet. Existing malware is being modified to take advantage of this new vulnerability. Attacks using the BASH vulnerability are already being observed. Posts from Ars Technica, Krebs on Security and SANS have additional details.

Update #2: It looks like there are more holes to be patched in BASH.

Update 2014Oct01: Apple releases a bash fix for OS X, more vulnerabilities are discovered, and either attacks based on bash vulnerabilities are increasing or attacks are subsiding, depending on who you ask.

Update 2014Oct08: Windows isn’t affected, unless you’re using Cygwin with bash. Oddly, Apple’s OS X bash patch is not available via the App Store; you have to obtain it from the main Apple downloads site. A security researcher claims to have found evidence of a new botnet that uses the Shellshock exploit.

Update 2014Oct23: Ars Technica: Fallout of Shellshock far from over

New dangers of thumb drives

We’ve known for years that careless use of thumb drives (USB storage devices) is dangerous. Windows in particular has a bad habit of automatically running programs on thumb drives when they are plugged in.

Now researchers have found a new way to infect USB devices; not the files they contain, but the firmware that controls how they operate. All USB devices contain firmware, and while it’s not normally accessible to users, the firmware can be modified by anyone with the requisite skills and knowledge.

The researchers developed proof-of-concept malware called BadUSB. A USB device infected with BadUSB can be configured to do just about anything to a computer to which it’s connected, from redirecting network traffic to modifying files.

It remains to be seen just how easy it is for BadUSB – or any other malware that uses this technique – to spread. USB device firmware varies between brands and device types, which might necessitate infection code that’s specific to each type of device.

For now, while the researchers have created working malware that exploits this new technique, real-world exploits are likely months away, if they indeed ever appear.

Ars Technica has more, as does Wired.

Hard drive reliability test results

Backblaze, a cloud backup provider, recently completed a series of reliability tests on consumer hard drives from Western Digital, Seagate and Hitachi. The big winner was Hitachi, with Seagate drives lagging notably in a distant third place. Having recently replaced two failing Seagate drives in a client’s PC (while a third drive – a Hitachi – continued operating just fine), my own limited observations would seem to confirm Backblaze’s findings.