Netgear routers vulnerable to attack

Several popular wireless routers made by Netgear are susceptible to attacks using a recently discovered vulnerability in their firmware.

From the original report, posted by Peter Adkins on the Full Disclosure mailing list:

Platforms / Firmware confirmed affected:
—-
NetGear WNDR3700v4 – V1.0.0.4SH
NetGear WNDR3700v4 – V1.0.1.52
NetGear WNR2200 – V1.0.1.88
NetGear WNR2500 – V1.0.0.24

Additional platforms believed to be affected:
—-
NetGear WNDR3800
NetGear WNDRMAC
NetGear WPN824N
NetGear WNDR4700

Anyone using one of these routers should immediately confirm that its web interface is NOT enabled for access from the WAN/Internet. If possible, it should also be configured to restrict access to the admin interface to specific IP addresses on the LAN.

A CVE number has not yet been assigned to this vulnerability. Hopefully Netgear will release firmware updates to address this flaw in the near future.

Patch Tuesday for February 2015

Microsoft has announced this month’s updates. There are nine bulletins and associated patches, addressing 56 vulnerabilities in Windows, Office and Internet Explorer. Three are flagged as Critical.

Recommendation: install these updates as soon as possible. At least one of them fixes a bug that’s currently being exploited in the wild.

The official bulletin summary has all the technical details.

Tax-related scam emails appearing

I just received email purporting to be from Revenue Canada, telling me that I have overpaid my taxes in recent years, and urging me to claim my refund by clicking on a link.

The link actually goes to a Cloudflare-hosted web site, epathchina(.com). The site has nothing to do with Revenue Canada, and exists to trick unsuspecting people into divulging private/financial information to the site’s operators.

Currently, the site shows nothing untoward in Sucuri site check: it’s not on any blacklists and malware scans show nothing. But that’s likely to change.

With tax time nearing, we should expect email like this to appear in our inboxes. As a general rule, it’s a bad idea to click links in email. Of course, if you’re certain the source is legitimate, the risk is far less, but it’s still possible that the ‘legitimate’ source has been compromised. In this particular case, a much safer approach is to simply go to the Canada Revenue web site and log in.

Clues that this was a scam email:

  • The Return-Path address (refund AT server.whitetails.com) is unrelated to Revenue Canada.
  • The From address uses a domain (craarc.gc.ca) that appears to be related to Revenue Canada but doesn’t actually exist, as confirmed by any IP checking service like WhatMyIP.
  • Like most effective cons, it offers money for nothing.
  • The recipient is urged to act quickly.
  • The message is poorly formatted.
  • The recipient is instructed not to contact Revenue Canada by telephone.
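
The header and wording clues above, turned into a small checker. This is an added example, not part of the original post: the message is constructed from the values quoted here (the From local part and the Subject are made up), and `resolves` is a hypothetical hook for a DNS lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: addresses and body lines come from this post; the
# local part of the From address and the Subject are made up.
SAMPLE = """\
Return-Path: <refund@server.whitetails.com>
From: Canada Revenue Agency <refund@craarc.gc.ca>
Subject: Tax refund notification

Due to the high volume of refunds due you must complete the on line application,
the telephone help line is unable to assist with this application.
We require the completed form showing your full current details by 10 February 2015
"""

def domain(addr):
    """Lower-cased domain part of an address header value ('' if none)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def same_org(a, b):
    """True if the domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def phishing_clues(raw, resolves=None):
    """Return the names of the clues found in a raw message.

    resolves: optional callable(domain) -> bool (assumed hook) so the DNS
    check can be supplied by the caller and the function runs offline.
    Each clue is a hint for a human reviewer, not proof of fraud.
    """
    msg = message_from_string(raw)
    body = msg.get_payload()
    from_dom = domain(msg.get("From", ""))
    rp_dom = domain(msg.get("Return-Path", ""))
    clues = []
    if from_dom and rp_dom and not same_org(rp_dom, from_dom):
        clues.append("return-path-mismatch")
    if resolves is not None and from_dom and not resolves(from_dom):
        clues.append("from-domain-unresolvable")
    if re.search(r"\brefunds?\b", body, re.I):
        clues.append("money-for-nothing")
    if re.search(r"\bby \d{1,2} \w+ \d{4}\b", body):
        clues.append("deadline-pressure")
    if re.search(r"telephone .*unable to assist", body, re.I):
        clues.append("discourages-phone-contact")
    return clues
```

Legitimate bulk mail often uses a different bounce domain too, so treat `return-path-mismatch` as one signal among several rather than a verdict.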

Recommendations: configure your email client to display email in plain text format and display all headers. This will make your inbox less entertaining, but a lot safer, since it will be much easier to spot suspicious links and headers.

Here’s the body of the email:

Dear Applicant:

Following an upgrade of our computer systems and review of our records we
have investigated your payments and latest tax returns over the last seven
years our calculations show you have made over payments of 226.99 CAD

Due to the high volume of refunds due you must complete the on line application,
the telephone help line is unable to assist with this application.

To access the form for your tax refund,please click here
Your refund may take up to 3 weeks to process please make sure you complete the form correctly.
As we are upgrading our records we require the completed form showing your full current details by 10 February 2015
Please complete the form to confirm the refund.
A. B. Marions
Senior Manager
Canada Revenue Agency

————————————————————–
© Copyright 2015, Canada Revenue Agency All rights reserved.
TAX REFUND ID: XXXXXXXXXXXXX

Brian Krebs recently reported on another tax-related scam affecting Americans, in which stolen credentials are used to post fraudulent tax returns.

Chrome 40.0.2214.111 fixes several vulnerabilities

The latest version of Chrome fixes eleven security issues. Version 40.0.2214.111 also includes the latest embedded version of Flash (16.0.0.305).

The release notes for Chrome 40.0.2214.111 describe some of the changes in the new version. There’s a link to the ‘full list of changes’, but since the linked page is an automated change log from the version management software Git, it’s aimed at developers and not much use for regular users. A link to ‘11 security fixes’ currently displays an empty page.

In any case, since the new Chrome contains security fixes and the new Flash, anyone using the browser is strongly encouraged to allow Chrome to update itself before using it for web browsing.

Flash 16.0.0.305 fixes latest zero-day

To their credit, Adobe is reacting swiftly to the recent outbreak of critical vulnerabilities in Flash. They just released another new version (16.0.0.305) to address vulnerability CVE-2015-0313, which is being actively exploited on the Internet.

Anyone using Flash, especially in a web browser, should install the new version as soon as possible.

Internet Explorer for Windows 8.x and Google Chrome will see related updates in the very near future.

Update 2015Feb07: Ars Technica: As Flash 0day exploits reach new level of meanness, what are users to do?

Another critical Flash vulnerability

Adobe has posted an alert about yet another critical vulnerability in Flash. This issue (CVE-2015-0313) affects all versions of Flash, including the most recent (16.0.0.296).

So far there is no patch from Adobe, although one is expected this week. As always, disable Flash in your browser if you don’t need it, exercise great care in web browsing if you need Flash, and configure Flash browser plugins as ‘Ask to activate’ where possible.

Hard drive torture tests reveal alarming failure rates for Seagate drives

Ars Technica recently reported on hard drive performance data collected by cloud backup service provider Backblaze.

Backblaze uses regular consumer-grade hard drives due to their low cost and adequate reliability. Since their hard drives are running and active constantly, Backblaze carefully monitors drive reliability. As a public service, the results are published yearly.

In this year’s performance results, the reliability winner is once again HGST. Now part of Western Digital, HGST was formerly Hitachi, and before that IBM’s hard drive division.

What really stands out in this year’s report is the failure rates of Seagate drives, which were as high as 43% for some models.

In the shifting world of hard drive reliability, it’s difficult to make realistic recommendations. But if you’re building a system that you plan to leave running 24/7, you might want to consider avoiding Seagate drives, at least for the next few months. Seagate will probably react to these numbers and improve reliability for their consumer grade drives.

Chrome 40.0.2214.94 released

Another new version of Google’s web browser was announced on Friday. The release notes for version 40.0.2214.94 don’t provide any useful information on what’s different. There is only a link to the version control log entries for version 40.0.2214.94. And unfortunately, that log is both difficult to interpret (especially for non-technical folks) and extremely light on details. It looks like the new version fixes two minor issues, neither related to security.

Firefox 35.0.1 fixes several bugs

A new version of Firefox was released by Mozilla yesterday. Version 35.0.1 includes fixes for various crashing and security issues.

There was no announcement from Mozilla for Firefox 35.0.1. As usual, I learned of the new release from non-Mozilla web sites. The struggle continues.

Although there have been some improvements to the release notes for Firefox, it’s still often difficult to determine whether the items listed changed in the version being discussed, or in a previous version. For instance, while all the items at the top of the list marked as ‘Fixed’ also refer to version 35.0.1, nothing else on the list refers to a specific version. Many of those items do in fact look like they are related to Firefox 35.0. There’s a link to ‘various security issues’, but again it’s not clear what on that list is specific to version 35.0.1.

The ‘complete list of changes’ link to Bugzilla is still not much help.
