Category Archives: Security

aka infosec

Confirmed: record-breaking DDoS attacks using IoT devices

Another week, another huge DDoS attack, this time against French web hosting provider OVH.

Analysis by security experts has now confirmed that these attacks used a huge network of compromised devices, mostly security cameras and Digital Video Recorders (DVRs). These devices are typically vulnerable out of the box, and unless they are configured properly, they remain vulnerable. Most of the devices in question run a version of BusyBox Linux.

Brian Krebs posted a list of manufacturers that produce hardware known to be affected, based on his research. But his list is only a starting point, and much more work is needed.

Adding to this nightmare is the news that the source code for Mirai, the botnet used for the recent, massive attacks, has been released to the public. We can (and should) expect more attacks in the coming weeks and months.

What can be done to stop this? The best solution would be to complete the work of identifying vulnerable hardware (make and model), and contact the owners of all affected devices with instructions for securing those devices. In practical terms, the first part is relatively straightforward work. The second part is problematic. Who is responsible if a device is being co-opted in DDoS attacks? The user? The service provider? The manufacturer? Many owners of these devices have no idea they are being used like this.

Eventually, the current crop of IoT devices being used in these attacks will be secured. But more new ‘smart’ devices are being manufactured and connected to the Internet every day. Until manufacturers stop shipping insecure-by-default devices, we’re going to keep seeing these huge attacks.

Let’s Encrypt’s finances

I’m a big fan of Let’s Encrypt, an organization committed to encrypting all web traffic by providing free security certificates.

I’m also a big fan of transparency, so when LE published a summary of their financial information recently, my regard for their efforts clicked up another notch.

Highlights from LE’s financial information post:

  • Let’s Encrypt will require about $2.9M USD to operate in 2017.
  • The majority of LE’s funding comes from corporate sponsorships.
  • You can donate to Let’s Encrypt using PayPal.

For the record, this web site (boot13.com) and all my other secure sites now use Let’s Encrypt certificates.

Chrome 53.0.2785.113

The announcement for Chrome 53.0.2785.113 highlights five security issues that are addressed in the new version. It points to this page for details, but currently nothing is listed there. According to Google, “Access to bug details and links may be kept restricted until a majority of users are updated with a fix.”

The full change log lists several dozen changes, most of which are minor bug fixes.

For most users, Chrome will update itself. To make sure you’re running the most recent version, click the menu button (at the top right; looks like three vertical dots), and select Help > About. If Chrome hasn’t already updated itself, this should trigger the update.

Patch Tuesday for September 2016

Microsoft’s contribution to our monthly headache is fourteen updates for their flagship software (Windows, Office, Edge, and Internet Explorer). Seven of the updates are classified as Critical. Over sixty separate vulnerabilities are addressed by these updates. One of the updates is for the version of Adobe Flash embedded in Internet Explorer 10 and 11, and Edge.

Not wanting to be left out, Adobe once again brings its own pile of patches to the table. Flash 23.0.0.162 includes fixes for at least twenty-six vulnerabilities. Google Chrome will update itself with the new Flash, and Internet Explorer 10 and 11, and Edge, get the new Flash via the update mentioned above. For all other browsers, simply visit the main Flash page to check your Flash version and update it as needed.

WordPress 4.6.1: security release

Two serious security vulnerabilities in WordPress 4.6 are fixed in the latest version, 4.6.1. Several other minor issues are also addressed. See the release notes for additional details.

WordPress sites that are configured to install minor updates automatically should be auto-upgraded to version 4.6.1 in the next few days, but anyone who manages a WordPress site should immediately verify this, and install the update manually if it’s not already running 4.6.1.

Recent Infosec highlights

It sometimes feels like news in the world of information security (infosec) is a never-ending tsunami. With the almost-daily reports of breaches, malware, phishing, vulnerabilities, exploits, zero-days, ransomware, and the Internet of Things (IoT), it can be difficult to identify stories that are likely to be of interest to typical computer users.

Stories about infosec issues that are primarily academic may be interesting, but they’re unlikely to affect most users. Sometimes the impact of a security issue is exaggerated. Occasionally the threat is later found to be nonexistent or the result of faulty reporting.

In the past, I collected infosec stories and wrote about the most interesting and relevant ones in a single month-end roundup. This helped to manage the load, but it introduced an arbitrary and unrealistic schedule.

Starting today, I will occasionally post a few selected infosec stories in a single ‘highlights’ article. Without further ado…

Don’t be a victim of your own curiosity

Researchers in Germany discovered that most people click phishing links in emails, even when they don’t know the sender, and even when they know they shouldn’t do it. Why? Curiosity, apparently. It doesn’t just kill cats any more.

Promising new anti-phishing technology

On a related note, there’s a new reason to be optimistic in the fight against phishing. A proof-of-concept, prototype DNS greylisting service called ‘Foghorn’ would prevent access to unknown domains for 24 hours, or until the domain is identified as legitimate and whitelisted. Hopefully Foghorn will prove effective, and become available for regular users in the near future.
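As an added illustration of the greylisting idea described above (this is not Foghorn’s own code; the post doesn’t describe its internals), the policy below records when a domain was first looked up and refuses it until 24 hours have passed or it, or a parent domain, is whitelisted. The 24-hour window, the parent-domain whitelist matching and the sample domains are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Assumed policy parameter: how long an unknown domain stays greylisted.
GREYLIST_WINDOW = timedelta(hours=24)


class DnsGreylist:
    """Greylisting resolver policy: a domain that has never been seen before is
    refused until it has been known for GREYLIST_WINDOW, unless it (or a parent
    domain) is on the whitelist."""

    def __init__(self, whitelist=()):
        self.whitelist = {self._norm(d) for d in whitelist}
        self.first_seen = {}   # domain -> datetime of the first lookup

    @staticmethod
    def _norm(domain):
        return domain.lower().rstrip(".")

    def _whitelisted(self, domain):
        # Match the domain itself or any parent at a label boundary, so that
        # "example.com" covers "www.example.com" but not "evil-example.com".
        labels = domain.split(".")
        return any(".".join(labels[i:]) in self.whitelist for i in range(len(labels)))

    def decide(self, domain, now):
        domain = self._norm(domain)
        if self._whitelisted(domain):
            return "allow"
        seen = self.first_seen.setdefault(domain, now)   # record first sighting
        if now - seen >= GREYLIST_WINDOW:
            return "allow"
        return "greylisted"


def simulate(lookups, whitelist=("example.com",)):
    """Run a sequence of (domain, timestamp) lookups and return the decisions."""
    policy = DnsGreylist(whitelist)
    return [policy.decide(d, t) for d, t in lookups]


# Constructed sample: a lookalike domain queried immediately after it first
# appears, an hour later, and again after the window has elapsed.
T0 = datetime(2016, 9, 1, 9, 0)
SAMPLE = [
    ("www.example.com", T0),                                   # whitelisted parent
    ("login-example-verify.net", T0),                          # never seen: greylisted
    ("login-example-verify.net", T0 + timedelta(hours=1)),     # still inside window
    ("LOGIN-example-verify.net.", T0 + timedelta(hours=25)),   # same domain, aged out
    ("evil-example.com", T0),                                  # not covered by whitelist
]

if __name__ == "__main__":
    for (domain, t), decision in zip(SAMPLE, simulate(SAMPLE)):
        print(f"{t:%Y-%m-%d %H:%M}  {domain:28} {decision}")
```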

Scope of 2012 breaches of Last.fm and Dropbox finally revealed

Popular Internet radio service Last.fm suffered a breach way back in 2012, but the details were not revealed until very recently. According to a report from LeakedSource, as many as 43 million user passwords were leaked, and the passwords were stored using very weak security. If you had a Last.fm account in 2012, you were probably instructed to change your password. If you didn’t do it then, you should do it now.

Massively popular file sharing service Dropbox was also breached in 2012, but again, the complete details of the breach are only coming to light now: passwords for as many as 60 million Dropbox user accounts were stolen. The validity of this information has been verified by SANS and Troy Hunt.

The usual advice applies:

  • If you have accounts for these services, change your passwords now, if you haven’t already.
  • Avoid using the same password for more than one service or site.
  • Use complex passwords.
  • Use password management software so you don’t have to remember all those unique passwords.

Chrome 53.0.2785.89

The full change log for Chrome 53.0.2785.89 is another one of those browser-annihilating pages that you probably shouldn’t even try to load. Included in the boat-load of changes in Chrome 53 are thirty-three fixes for security vulnerabilities, making this an important update.

For most users, Chrome will automatically update itself, but given the number of security fixes, you should probably make sure. Click the funny little menu icon (three dots in a vertical line), then select Help > About from the menu. If Chrome isn’t already up to date, this should trigger an update.

There may be some interesting new features in Chrome 53, but the announcement doesn’t mention anything in particular. If anyone out there is patient enough to read the full change log and notices anything noteworthy, drop me a line to let me know, and I’ll update this post.

Apple fixes three critical vulnerabilities in iOS

If you have any Apple mobile devices, including iPhones and iPads — anything that runs iOS — you should update them immediately.

The three vulnerabilities are already being exploited (0days), and can lead to a complete remote compromise of an affected device.

Yesterday Apple released updates that address these vulnerabilities. The updates were released outside of Apple’s regular update schedule (i.e. out-of-band updates).

Duo Security has additional analysis.

Opera update for Windows XP and Vista

Opera is now the only major web browser that still supports Windows XP and Vista. If you’re still using either of those operating systems and browse the web, you should definitely stop using Internet Explorer, Firefox, and Chrome, and switch to Opera. Browsing the web is dangerous enough without the added risk of using a browser that has known security vulnerabilities that will never be fixed.

Note that the most recent Opera version that supports Windows XP and Vista is 36. It wasn’t easy to find older versions on the Opera web site, but I eventually found a page that allows you to download any version by platform.

A recent update to Opera 36 addresses security issues that are specific to XP and Vista. The announcement doesn’t mention the actual new version number, but based on my research, it seems to be 36.0.2130.65.

If you’re using Opera on XP or Vista, make sure you install the new version. It should update itself automatically, but you can also download Opera 36.0.2130.65 directly.

I’ve tried to locate release notes for the new version, with no luck. According to the announcement, several security fixes previously applied to later versions were back-ported to Opera 36.