Home Routers Pose Biggest Consumer Cyberthreat

Of the small-office, home-office routers evaluated, every one could be compromised with relative ease by hijacking DNS connections, exploiting HTTPS flaws, weaknesses in Universal Plug and Play services, cross-site-scripting attacks, file-traversal and source-code vulnerabilities, weaknesses in WiFi Protected Setup (WPS), buffer overflows or simply bypassing authentication requirements.

via Home Routers Pose Biggest Consumer Cyberthreat.

During late 2013 and early 2014, gangs of Polish hackers have robbed thousands of consumers by attacking home routers and changing DNS settings so they point at the attackers’ DNS servers rather than legitimate servers.

DNS is a big problem. Usually devices behind a SOHO router receive their DNS settings from the router via DHCP. The router has been configured by the owner with the DNS settings from their ISP, or they could use one of Google’s servers like 8.8.8.8. A user on their home network should expect a higher level of security than on the open wifi people use on the road.
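As an added example (not code from the article or the author), a host-side check for the hijack described above: it reads the nameservers a machine was handed via DHCP and flags any public resolver that is neither on the owner's allow-list nor the router itself. The resolv.conf text and the "ISP" addresses are constructed for the demo.

```python
import ipaddress
import re

# Constructed sample of what a host behind a SOHO router gets from DHCP, as
# written to /etc/resolv.conf; the addresses are made up for this demo.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.lan
nameserver 192.168.1.1
nameserver 8.8.8.8
nameserver 203.0.113.77
"""

# Resolvers the owner deliberately configured: Google's public servers plus
# two assumed ISP addresses (198.51.100.x is documentation space, not a real ISP).
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "198.51.100.10", "198.51.100.11"}

# RFC 1918 plus link-local and loopback: a resolver here is normally the router
# itself forwarding DNS, so its upstream settings must be checked on the router.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:
            servers.append(m.group(1))
    return servers


def classify_resolver(addr, trusted=TRUSTED_RESOLVERS):
    """'trusted' (allow-listed), 'lan' (the router), 'suspect' (unknown public
    address, which is what a hijacked router hands out) or 'invalid'."""
    if addr in trusted:
        return "trusted"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if any(ip in net for net in LAN_NETS):
        return "lan"
    return "suspect"


def check_resolvers(resolv_conf_text, trusted=TRUSTED_RESOLVERS):
    """Map every configured nameserver to its classification."""
    return {s: classify_resolver(s, trusted)
            for s in parse_nameservers(resolv_conf_text)}
```

A "suspect" result on a home network is worth a look at the router's DNS page, since the host cannot see what the router forwards to.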

The simplest remedy is to never allow router management access from the Internet. This is usually turned off by default. Routers should be set and forget, so using the maintenance interface should be a rare occurrence. The TP-LINK outlined here requires a user to click a malicious link while in a management session, according to this:

Attack Requirements

  • The victim must have an active management session with the WR1043N.
  • The victim must be fooled into performing an action (e.g., by clicking an attacker provided link), browse to a malicious or compromised site, or be the victim of a man-in-the-middle attack.

Here again the user gets tricked into becoming compromised, so this wouldn’t be a problem if the user simply entered the management interface of the router, made changes, and left. There’s no point lingering in a management session.

A dedicated physical firewall sitting between the Internet and the home network, with all routers treated as dumb access points, makes for an added layer of security. All SOHO routers are relatively cheap embedded devices. It is impractical to expect them to defend against all possible exploits. By virtue of being on the Internet, everyone gets constantly scanned by bots. That only poses a problem if a bot sees a vulnerability and phones home listing your device as a possible target.

What happens with digital rights management in the real world?

An increase in the security of the companies you buy your media from means a decrease in your own security. When your computer is designed to treat you as an untrusted party, you are at serious risk: anyone who can put malicious software on your computer has only to take advantage of your computer’s intentional capacity to disguise its operation from you in order to make it much harder for you to know when and how you’ve been compromised.

via What happens with digital rights management in the real world? | Technology | theguardian.com.

Here is where DRM and your security work at cross-purposes. The DMCA’s injunction against publishing weaknesses in DRM means that its vulnerabilities remain unpatched for longer than in comparable systems that are not covered by the DMCA. That means that any system with DRM will on average be more dangerous for its users than one without DRM.

CSEC used airport Wi-Fi to track Canadian travellers

Experts say that probably included many Canadians whose smartphone and laptop signals were intercepted without their knowledge as they passed through the terminal.

via CSEC used airport Wi-Fi to track Canadian travellers: Edward Snowden documents – Politics – CBC News.

The above statement is misleading. A smartphone does not have signals that can be “intercepted”; a smartphone actively seeks out and asks for an IP address so it can check in wherever some app wants to check in. A lot of apps want to phone home and have access to a device’s network. Smartphones are always active participants in a network. The user of a smartphone has chosen to leave wifi active, which means that user *wants* his device to scan for and connect to available bandwidth resources. This scanning is a feature, not a bug.

The document shows the federal intelligence agency was then able to track the travellers for a week or more as they — and their wireless devices — showed up in other Wi-Fi “hot spots” in cities across Canada and even at U.S. airports.

They simply store and key off the device ID or MAC address. Every device has a unique MAC address, the layer 2 address used by local routers in the final leg of a route to deliver packets to the right device. This address does not leave the local subnet except through surreptitious means like a malicious app.

This kind of sweep probably captures browsing metadata, all keyed by device ID. Not sure how useful any of that data will be to anyone. End-to-end encryption using SSL can protect the content of a message but not the metadata: where and for how long one communicates. This kind of metadata could provide useful nuggets for corporate espionage for all kinds of reasons. If you’re just using the open wifi at the airport to pass the time, none of this matters as long as they’re not attempting man-in-the-middle attacks or 0-day exploits against you.

“Honey Encryption” Could Trick Criminals with Spoof Data

“Decoys and deception are really underexploited tools in fundamental computer security,” Juels says. Together with Thomas Ristenpart of the University of Wisconsin, he has developed a new encryption system with a devious streak. It gives encrypted data an additional layer of protection by serving up fake data in response to every incorrect guess of the password or encryption key. If the attacker does eventually guess correctly, the real data should be lost amongst the crowd of spoof data.

via “Honey Encryption” Could Trick Criminals with Spoof Data | MIT Technology Review.
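An added toy model of the idea in the quote above (not code from the article or from Juels and Ristenpart's system): a distribution-transforming encoder gives each plausible message a slice of a 16-bit seed space sized by its (made-up) frequency, and a key-derived pad hides only the seed, so a wrong key decodes to a random but plausible PIN. The pad is derived once per key and reused, which is an assumption for the demo, not a cipher to build on.

```python
import hashlib
import hmac
import random

# Constructed toy of the idea in the article: a distribution-transforming
# encoder (DTE) gives each plausible message a slice of the seed space sized
# by its probability, and the cipher only hides the seed. A wrong key yields
# a random seed, which decodes to a plausible decoy from the same distribution.
SEED_SPACE = 1 << 16
# Made-up 4-digit PINs with made-up relative frequencies for the demo.
MESSAGE_WEIGHTS = {"1234": 40, "0000": 20, "1111": 15, "2580": 10, "7394": 10, "4871": 5}


def build_dte(weights):
    """Split the seed space into intervals proportional to each weight."""
    total, intervals, start = sum(weights.values()), [], 0
    for msg, w in weights.items():
        end = start + (w * SEED_SPACE) // total
        intervals.append((start, end, msg))
        start = end
    last = intervals[-1]
    intervals[-1] = (last[0], SEED_SPACE, last[2])  # absorb integer rounding
    return intervals


DTE = build_dte(MESSAGE_WEIGHTS)


def encode(msg, rng):
    """Pick a uniformly random seed inside the message's interval."""
    for start, end, m in DTE:
        if m == msg:
            return rng.randrange(start, end)
    raise ValueError("message outside the modelled space")


def decode(seed):
    return next(m for start, end, m in DTE if start <= seed < end)


def pad_from_key(key):
    """Key-derived pad over the seed space (HMAC-SHA256, truncated to 16 bits)."""
    digest = hmac.new(key, b"honey-toy", hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big")


def encrypt(msg, key, rng=None):
    seed = encode(msg, rng or random.Random())
    return (seed + pad_from_key(key)) % SEED_SPACE


def decrypt(ciphertext, key):
    """Any key yields a PIN from the prior; only the right key yields the real one."""
    return decode((ciphertext - pad_from_key(key)) % SEED_SPACE)
```

The limit the toy makes visible: decoys are only as convincing as the modelled distribution, so the scheme suits small, well-understood message spaces such as PINs.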

MisoSMS: New Android Malware Disguises Itself as a Settings App, Steals SMS Messages

MisoSMS infects Android systems by deploying a class of malicious Android apps. The mobile malware masquerades as an Android settings app used for administrative tasks. When executed, it secretly steals the user’s personal SMS messages and emails them to a command-and-control (CnC) infrastructure hosted in China. FireEye Mobile Threat Prevention platform detects this class of malware as “Android.Spyware.MisoSMS.”

via MisoSMS: New Android Malware Disguises Itself as a Settings App, Steals SMS Messages | FireEye Blog.

Once the app is installed, it presents itself as “Google Vx.” It asks for administrative permissions on the device, which enables the malware to hide itself from the user, as shown in Figure 2.

Right there is a clue that something is not right.

Google now proxies images sent to Gmail users

It’s simple for senders to do this. Embed in each message a viewable image—or if you’re feeling sneaky, a nearly invisible image—that contains a long, random-looking string in the URL that’s unique to each receiver or e-mail. When Google proxy servers request the image, the sender knows the user or message corresponding to the unique URL is active or has been viewed. In Moore’s tests, the proxy servers requested the image each subsequent time the Gmail message was opened, at least when he cleared the temporary Internet cache of his browser. That behavior could allow marketers—or possibly lawyers, stalkers, or other senders with questionable motives—to glean details many receivers would prefer to keep to themselves. For instance, a sender could track how often or at what times a Gmail user opened a particular message.

via Dear Gmailer: I know what you read last summer (and last night and today) | Ars Technica.

The key to this issue is that Gmail now defaults to images on in email, which should always be off. In order to fix this, Google must cache all images upon receipt of every email. Fetching them when a user opens an email defeats the entire purpose. It’s always good practice to view all email with images off, no matter what the provider claims.
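As an added example (not from the article or the author), a small detector for the beacon images the quote describes, which a client or filter could run before deciding which images to load: it flags 1x1 or hidden images and any image URL carrying a long, high-entropy per-recipient token. The HTML message and the example.com/example.net hosts are constructed.

```python
import collections
import math
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample message (no real sender); the last image is the kind of
# beacon the article describes: 1x1, hidden, with a per-recipient token.
SAMPLE_HTML = """<html><body><p>Hello,</p>
<img src="https://cdn.example.com/logo.png" width="120" height="40" alt="logo">
<img src="https://img.example.com/photo.jpg">
<img src="https://track.example.net/o.gif?u=9f8e7d6c5b4a39281706f5e4d3c2b1a0"
     width="1" height="1" style="display:none">
</body></html>"""


def shannon_entropy(s):
    """Bits per character; random hex tokens score close to 4."""
    counts = collections.Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values()) if s else 0.0


class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []  # one attribute dict per <img> tag seen

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def beacon_reasons(img):
    """Why an image looks like a read receipt: tiny, hidden, or opaque token."""
    reasons = []
    if img.get("width", "").strip() in ("0", "1") or img.get("height", "").strip() in ("0", "1"):
        reasons.append("1x1")
    if "display:none" in img.get("style", "").replace(" ", "").lower():
        reasons.append("hidden")
    query = urlparse(img.get("src", "")).query
    if any(len(v) >= 16 and shannon_entropy(v) > 3.0
           for values in parse_qs(query).values() for v in values):
        reasons.append("opaque-token")
    return reasons


def find_tracking_pixels(html):
    """Return (src, reasons) for every image that trips at least one heuristic."""
    parser = ImgCollector()
    parser.feed(html)
    return [(img.get("src", ""), r) for img in parser.images if (r := beacon_reasons(img))]
```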

Your visual how-to guide for SELinux policy enforcement

Note: SELinux does not let you sidestep DAC Controls. SELinux is a parallel enforcement model. An application has to be allowed by BOTH SELinux and DAC to do certain activities. This can lead to confusion for administrators since the process gets Permission Denied. Administrators see Permission Denied and assume something is wrong with DAC, not SELinux labels.

via Your visual how-to guide for SELinux policy enforcement | opensource.com.

DAC = Discretionary Access Control

SELinux is a powerful labeling system, controlling access granted to individual processes by the kernel. The primary feature of this is type enforcement, where rules define the access a process is allowed based on the labeled type of the process and the labeled type of the object.

For regular users SELinux can be a complete PITA which usually needs to be disabled or set to only log violations. I recall in past years installing some service and trying to figure out why it wouldn’t work until the logs revealed I didn’t have things set up the way SELinux wants. Currently I try to minimize SELinux violations because it seems like it has a point most of the time.
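An added model (not code from the opensource.com guide, and not the real policy) of the "BOTH SELinux and DAC" rule quoted above and of why the resulting Permission Denied looks like a DAC problem: the same `access` call reports which layer refused. The type names are chosen to resemble the targeted policy, but the rule table, uids and files are constructed.

```python
from dataclasses import dataclass

# Constructed model of the two checks the kernel makes on a file access: DAC
# mode bits first, then SELinux type enforcement. Rule table is made up.
TE_RULES = {  # (process type, file type): permissions a rule grants
    ("httpd_t", "httpd_sys_content_t"): {"read"},
    ("httpd_t", "httpd_sys_rw_content_t"): {"read", "write"},
}
DAC_BITS = {"read": 4, "write": 2, "execute": 1}


@dataclass
class Process:
    uid: int
    gid: int
    selinux_type: str


@dataclass
class File:
    owner_uid: int
    owner_gid: int
    mode: int  # e.g. 0o644
    selinux_type: str


def dac_allows(proc, f, perm):
    """Owner/group/other bits; uid 0 overrides DAC, as CAP_DAC_OVERRIDE does."""
    if proc.uid == 0:
        return True
    bits = DAC_BITS[perm]
    if proc.uid == f.owner_uid:
        return bool((f.mode >> 6) & bits)
    if proc.gid == f.owner_gid:
        return bool((f.mode >> 3) & bits)
    return bool(f.mode & bits)


def selinux_allows(proc, f, perm, enforcing=True):
    """Type enforcement: deny unless a rule grants it; root is not special here."""
    granted = perm in TE_RULES.get((proc.selinux_type, f.selinux_type), set())
    if not granted and not enforcing:  # permissive mode only logs the AVC denial
        print(f"avc: denied {{ {perm} }} {proc.selinux_type} -> {f.selinux_type}")
        return True
    return granted


def access(proc, f, perm, enforcing=True):
    """Both layers must say yes; the reason names the layer that refused."""
    if not dac_allows(proc, f, perm):
        return False, "dac"
    if not selinux_allows(proc, f, perm, enforcing):
        return False, "selinux"
    return True, "ok"
```

The mislabeled-but-world-readable case is the one the note warns about: the mode bits say yes, only the AVC log says why it failed.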

The second operating system hiding in every mobile phone

The insecurity of baseband software is not by error; it’s by design. The standards that govern how these baseband processors and radios work were designed in the ’80s, ending up with a complicated codebase written in the ’90s – complete with a ’90s attitude towards security. For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted. Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave.

via The second operating system hiding in every mobile phone.

From: Baseband Hacking: A New Frontier for Smartphone Break-ins

Previously, mobile hacking attempts have involved the phone’s operating system or other software, but this one focuses on breaking into a phone’s baseband processor, which is the hardware that sends and receives radio signals to cell towers.

HealthCare.gov deferred final security check, could leak personal data

HealthCare.gov sends data to analytics providers such as Google’s DoubleClick and Pingdom. As Simo reviewed the Web requests being made as part of his movement through the HealthCare.gov site, he found requests sent to these two providers that included his visit to the password reset page—and all of the user data that was generated by the page. That runs counter to the privacy policy on HealthCare.gov, which states that no personally identifiable information will be collected by site analytics tools. This is the same sort of behavior that the Federal Trade Commission has fined social networks such as Facebook and MySpace for in the past.

via HealthCare.gov deferred final security check, could leak personal data | Ars Technica.