Category Archives: Security

aka infosec

Patch Tuesday for January 2015

This month we have eight updates from Microsoft, affecting most versions of Windows, with one being flagged as Critical.

Anyone using a Windows computer is encouraged to use Windows Update to install available updates as soon as possible.

For complete technical details on the updates, see the official bulletin on the Microsoft Security TechCenter site.

There’s a related post on the MSRC blog.

Update 2015Jan13: One of the updates in this batch is the source of some ill-will between Microsoft and Google. Google reported a Windows 8.1 vulnerability to Microsoft on October 13 and, in keeping with its disclosure policy, made the vulnerability public 90 days later. By the time Microsoft got around to developing a fix, it was too late to release the patch before the 90-day window ended. Microsoft apparently asked Google to wait for the patch to be released on January 13, but Google stuck to its policy. Now Microsoft has publicly expressed its displeasure with Google. Information Week has additional details.

CryptoWall update

Despite the demise of CryptoLocker, ransomware is still prevalent, mostly in the form of CryptoWall, now in its ‘improved’ 2.0 version.

Security researchers recently deconstructed CryptoWall 2.0 and shared their findings in a post on a Cisco security blog.

The researchers discovered that the malware uses a variety of techniques to obfuscate itself on target systems. It’s also able to infect both 32- and 64-bit Windows systems. And it can detect whether it’s running on a virtual machine, making it more difficult to analyze. The command and control servers are apparently in Russia.

A Windows computer can become infected with CryptoWall in a variety of ways, including as part of an e-mail ‘phishing’ attack, through a malicious website, via malicious PDF files, or in a spam e-mail disguised as an ‘Incoming Fax Report’.

Ars Technica has additional details.

DDoS services powered by compromised routers

Malicious hackers are increasingly using compromised, consumer-grade routers to amplify the power of their DDoS attacks. Ordinary users are often unaware that their network devices can be compromised, and even less likely to recognize any actual compromise.

Adding to the problem is the slow pace – or utter lack – of security updates from device manufacturers. Even when updates are made available, users are unlikely to know about them, and in most cases don’t possess the skill required to install them.

All of this makes routers attractive targets. Ars Technica reports on one DDoS-for-hire service that uses a vast network of compromised routers.

There’s a related post on Brian Krebs’ blog. Scroll down to ‘ROUTER SECURITY 101’ for some useful recommendations. At the very least, log in to your router’s admin interface and check for any available security updates.

Millions of network routers vulnerable to hijacking

As many as twelve million routers in use in homes and businesses around the world contain a bug that makes them vulnerable to a particular form of attack. Routers made by Linksys, D-Link, Edimax, Huawei, TP-Link, ZTE, ZyXEL and others are affected (see this list of affected routers – warning: PDF).

The vulnerability exists in a particular piece of software called RomPager. This software is embedded in the firmware of the affected routers.

Routers typically provide a mechanism for updating their firmware, but router manufacturers are often slow to provide updates, and the update process can be problematic, especially for regular users.

As a result, this problem is likely to hang around for years, and will not be completely eliminated until all of the affected routers are updated or replaced.

Even the crappiest computer is worth hacking

If you’re like a lot of other typical users, you may believe that nothing on your computer makes it a worthwhile target for malicious hackers. You may even feel that this means you’re relatively safe from hackers. Think again.

To a malicious hacker, the Internet is a vast, mostly untapped ocean of computing resources, ready for them to compromise and put to work in numerous ways to help them and hurt you.

Brian Krebs created and posted the image below to remind people of all the ways their computers can be secretly used for nefarious purposes. Although the post is a couple of years old, it’s still relevant.

Hackers can use your computer for dozens of nefarious activities.

Another serious WordPress plugin vulnerability

As many as 100,000 web sites built with WordPress have been compromised through a vulnerability in a plugin named ‘RevSlider’ (aka ‘Revolution Slider’, aka ‘Slider Revolution’). Attackers used the vulnerability to add malicious code to the compromised sites, which resulted in those sites serving up the malicious code to site visitors.

Unfortunately, the RevSlider plugin is not free, and as such it typically can’t be updated using the standard WordPress update mechanism. Worse still, the plugin is often included in commercial themes, in which case the theme developer must obtain the updated plugin, create a new package for the theme that includes the new plugin, then make that package available to their customers. Because of these hurdles, many affected sites have not yet been updated.

If you manage a WordPress site that uses RevSlider, you should determine whether it was purchased directly or as part of a commercial theme, then obtain an appropriate update and install it as soon as possible.
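A defender-side check for the situation described above, added here as an example and not code from the post or from the plugin's vendor: it walks a WordPress install for every copy of RevSlider, including copies bundled inside themes, and reports which ones are older than the release the vendor currently offers. It assumes the plugin lives in a directory named revslider with a main file revslider.php carrying the standard WordPress plugin header; the sample site and its version numbers are constructed.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumed layout (not stated in the post): a "revslider" directory whose main file
# "revslider.php" carries the standard WordPress plugin header with a "Version:" line.
PLUGIN_DIR, MAIN_FILE = "revslider", "revslider.php"
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)

def read_version(main_file: Path) -> Optional[str]:
    """Return the Version: value from the plugin header, or None if absent."""
    match = VERSION_RE.search(main_file.read_text(encoding="utf-8", errors="replace")[:8192])
    return match.group(1) if match else None

def find_revslider(wp_root: str) -> list:
    """Find every RevSlider copy under wp-content, direct or theme-bundled, with its version."""
    found = []
    for area in ("plugins", "themes"):
        for dirpath, _dirs, files in os.walk(Path(wp_root) / "wp-content" / area):
            if Path(dirpath).name == PLUGIN_DIR and MAIN_FILE in files:
                main_file = Path(dirpath) / MAIN_FILE
                # A bundled copy never shows up on the plugin update screen;
                # the theme vendor has to ship a repackaged theme instead.
                found.append({"path": str(main_file), "version": read_version(main_file),
                              "bundled_in_theme": area == "themes"})
    return sorted(found, key=lambda c: c["path"])

def version_tuple(v: str) -> tuple:
    """'2.5.0' -> (2, 5, 0) so releases compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def outdated(copies: list, current: str) -> list:
    """Copies older than `current`, the vendor's current release (caller-supplied; nothing is hard-coded)."""
    return [c for c in copies
            if c["version"] is None or version_tuple(c["version"]) < version_tuple(current)]

def build_sample_site() -> str:
    """Constructed fixture: one direct install and one theme-bundled copy, made-up versions."""
    root = tempfile.mkdtemp()
    for rel, ver in (("plugins/revslider", "1.0.0"), ("themes/demo-theme/inc/revslider", "2.5.0")):
        plugin_dir = Path(root) / "wp-content" / rel
        plugin_dir.mkdir(parents=True)
        (plugin_dir / MAIN_FILE).write_text(f"<?php\n/*\nPlugin Name: Slider Revolution\nVersion: {ver}\n*/\n")
    return root

if __name__ == "__main__":
    for copy in outdated(find_revslider(build_sample_site()), "2.5.0"):
        print("UPDATE NEEDED:", copy)
```

Point `find_revslider` at the real site root instead of the fixture and pass the version shown on the vendor's site as `current`.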

Sony should fire their senior management

Clarification: this attack affected Sony Pictures Entertainment, which is a subsidiary of Sony. As far as we know, the attack did not affect any other parts of Sony.

By now you’ve almost certainly heard about the massive, comprehensive breach of all Sony’s computer systems.

It’s now clear that the attackers gained access months (if not years) ago, and took their time expanding their reach until they had access to almost every system and server controlled by Sony. The attackers then downloaded massive amounts of data from Sony systems, including unreleased films, personal data about employees, internal (and in some cases extremely embarrassing) emails, and so on. The final step for the attackers was to wipe hard drives. That’s the point at which Sony finally learned that their systems had been hacked, tipped off by someone who doesn’t even work for Sony.

At this point it’s difficult to estimate the damage, but Sony will be feeling the effects for years to come.

Incredibly, this isn’t the first time Sony has been hacked. In fact, they’ve been hacked as many as 56 times in the last decade or so. Each time this happened, Sony had an opportunity – and a serious responsibility – to improve their security. Instead, as is clearly evident from the details of this most recent attack, Sony has done little or nothing to beef up its security.

Still, one can almost feel some sympathy toward Sony. That is, until you look at what Sony is doing about the latest attack. In a move that only the most clueless corporate lawyer would recommend, Sony is now threatening anyone who reports on this attack, including noted security writer Brian Krebs.

Worse still, there are reports that Sony is performing DDoS attacks against sites that host information taken from Sony systems. If true, this is a mind-bogglingly short-sighted move.

Dear Mr. Sony: you should now fire all your senior management. I’m not kidding. These people have – and will continue to – hurt you more than they can possibly help. Time to cut your losses.

Update 2014Dec20: Ars Technica has more.

Update 2014Dec23: Bruce Schneier’s post about this is recommended reading. He looks at some of the ridiculous reactions to this attack and presents a sensible overview of what we really know.

Patch Tuesday for December 2014

It’s patch time again.

As expected, Adobe released updates for Reader/Acrobat, but they also issued updates for Flash. The new version of Reader/Acrobat is 11.0.10, and it addresses at least twenty vulnerabilities.

The latest version of Flash is 16.0.0.235 (on most platforms), and it fixes six vulnerabilities in previous versions. As usual, Google Chrome will update its own internal Flash, and Microsoft will offer Flash updates for Internet Explorer on Windows 8.x via Microsoft Update. Note that Adobe also released Flash 15.0.0.246, which apparently fixes the same issues in earlier versions of Flash 15.

Meanwhile, Microsoft today released seven bulletins and associated patches. The patches address vulnerabilities in Windows, Internet Explorer, and Office. There’s a useful summary on the MSRC blog.

Brian Krebs has additional details.

Holiday season warning: beware phony ‘order confirmation’ emails

Brian Krebs recently posted an excellent article about a specific kind of malicious email currently showing up in inboxes everywhere, just in time for the holiday shopping season.

Most web stores send email order confirmations when you buy something, and that’s a good thing. Unfortunately, these emails can be faked easily enough, and the unwary recipient may not notice that the sender’s address doesn’t look quite right, or that the language in the message is somewhat unprofessional. Clicking a link in one of these emails is an extremely bad idea, since it’s likely to lead to browser hijacking, malware, or both.