New Android Trojan Hijacks Routers

Normally when hackers want to attack a router, they attempt to compromise the router directly.  They try default passwords or a list of passwords, and they look for software vulnerabilities, perhaps patches that haven't been applied.

Another approach is to compromise a device inside the network and use that device to compromise the router from the inside.

So how might you do that?

In this case, you use a Trojan called Switcher.  Two fake apps that Kaspersky Labs has found with the malware inside them are a Baidu search engine app and a WiFi information sharing app.  Both of these apps were found in China, but now that the idea is out in the wild, anyone could replicate it.

First you have to get a user to download a compromised app.  That, often, turns out not to be very hard.  Users love apps, even malicious ones.  Promise them anything, but get them to install the app.

Once the app is installed and when the user connects to a WiFi access point, the app attempts to attack the access point using default WiFi admin passwords.  A next generation of this malware could use a more sophisticated attack scenario.

Once the access point is compromised, the malware changes the primary and alternate DNS server address in the access point.  The DNS server is the part of the Internet that translates web site names into the IP addresses that the Internet runs on.

Once the DNS server address has been changed, any web site that you go to could be redirected by the attacker's DNS server to a fake copy of the real web site, stealing login information from the user.
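Two client-side checks that follow from the mechanism just described, written as an added example for this post (not code from Kaspersky or from the Switcher analysis): the first flags DNS resolvers handed out by the access point that are neither on a trusted list nor inside the local subnet, and the second looks for many unrelated domains all resolving to one address, which is what a rogue resolver steering victims to lookalike sites produces.  The subnet, resolver addresses, resolv.conf text and lookup results are all constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed values for this example: the local subnet and the resolvers a
# healthy access point should hand out (the gateway plus the ISP's resolver).
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
TRUSTED_RESOLVERS = {"192.168.1.1", "198.51.100.53"}

def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers

def untrusted_resolvers(servers, trusted=TRUSTED_RESOLVERS, local_net=LOCAL_NET):
    """Flag resolvers that are neither trusted nor inside the local subnet.
    A hijacked access point pushes attacker-controlled addresses as both the
    primary and alternate DNS server, so an unknown off-network resolver is
    the first thing to look for."""
    return [s for s in servers
            if s not in trusted and ipaddress.ip_address(s) not in local_net]

def shared_answer_domains(resolutions, threshold=3):
    """Group (domain, answer) pairs by answer and return every address that
    answers for at least `threshold` unrelated domains.  Unrelated sites all
    resolving to one host is the tell-tale of a rogue resolver (heuristic:
    shared CDN front ends can trigger it too, so treat hits as leads)."""
    by_ip = defaultdict(set)
    for domain, ip in resolutions:
        by_ip[ip].add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= threshold}

# Constructed sample of what a client might observe after joining a hijacked AP.
SAMPLE_RESOLV_CONF = """# generated by DHCP
nameserver 203.0.113.10
nameserver 203.0.113.11
"""
SAMPLE_RESOLUTIONS = [
    ("bank.example", "203.0.113.50"),
    ("mail.example", "203.0.113.50"),
    ("shop.example", "203.0.113.50"),
    ("news.example", "198.51.100.7"),
]
if __name__ == "__main__":
    print("unexpected resolvers:", untrusted_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF)))
    print("shared answers:", shared_answer_domains(SAMPLE_RESOLUTIONS))
```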

As if that was not bad enough, it gets worse – much worse.

Since it is compromising a public WiFi access point, effectively, any user that connects to that access point is compromised, whether they installed the rogue software or not.  If it infects a Starbucks WiFi access point and that WiFi serves a thousand users a day, they are all compromised.  BINGO!

For now, the malware has only been seen in China, but given the potential upside of this attack, do not expect it to remain limited to China for long.

So what can you do?

First, be very careful about what apps you install.  Make sure that it is from a reputable store.  Look at how long it has been out.  Apps, like fine wine, age well.  New apps are less likely to have been scrutinized.  Look at the reviews.  Few to no reviews is a red flag.

Second, avoid WiFi unless you know the WiFi.  Remember, if anyone infected connected to that WiFi access point, that WiFi access point is infected, likely forever.  Even if you reboot it, the malicious DNS settings persist.

In particular, avoid public WiFi.  Starbucks, retail stores, hotels.  For them, WiFi is a service that lures you in to buy something.  They don’t make any money from the WiFi itself, so they are less likely to manage it well.  Hotels typically outsource their WiFi management and that company is typically looking at their bottom line.  The less they have to even look at any given hotel property, the more money they make.  In retail, money talks and if they can outsource the management of the public WiFi in a hundred or a thousand stores to a provider in a third world country and save money, they may do it.  The quality may go down, but that is the tradeoff.

And oh yeah.  If you think you are safe just because you are using an iPhone, you are not.  Once the WiFi access point is infected, anything that connects to it will be compromised.  Phone, tablet, laptop, Windows, MacOS, Linux, iOS, Android or anything else.  It makes no difference, because what is infected is basically part of the Internet infrastructure.

So, as I always say: security or convenience, pick one.  Public WiFi is convenient.  But not secure.

Information for this post came from Dark Reading.


Security or Convenience, Pick One – Topps Trading Cards Hacked

When you ask a merchant to store your credit card information, you are trusting them to protect that information.  While some web sites make it very difficult for you NOT to save your credit card information (Amazon being one), many web sites ask you if you want to save your credit card information.

For sure, if the web site is one that you don’t use frequently, then DON’T have the web site save the credit card.

In this case, the Topps trading card company announced the breach.  The data compromised is the usual: names, addresses, email, phone number, credit card number, expiration date and verification number.

If the web site did not store the credit card number then it would be harder for the hackers to steal it.  Not impossible, but harder.

The breach timeline is around July 30, 2016 to October 12, 2016.

The company thinks that Paypal payments were not compromised, but they are not sure.

The issue is whether the credit card data was stolen from where it is stored in a database or at the moment that the credit card processing occurs.  Topps is not providing any details and is not saying how many cards were taken.

Topps hired a security firm and patched the hole that the hackers used.  They are not saying what the hole is.

This is the second breach related to Topps in the last 6 months.

The earlier breach was related to a MongoDB database that was open to the Internet (this seems to happen way too frequently).

Researcher Chris Vickery reported the first breach last June.

However while security at Topps wasn’t working, their spam filter was.  Chris’s email wound up in the spam bucket; an employee thought he was trying to sell something and ignored the emails.  For that breach, Databreaches.net called Topps headquarters and told them about the problem.  Apparently, the phone call did NOT wind up in the spam filter.

In the case of the new breach, the researcher who discovered the new breach was in a meeting with Topps and told them.

It looks like Topps has a lot to learn – hopefully they will learn something from these breaches – including even if the breach notification is in your spam bucket, you might want to check it out.

In the meantime, as a consumer, consider not saving those credit cards on infrequently used web sites.  In fact, if you can check out on those sites as a GUEST, there is no easy way for them to save your credit card info to a profile.  This is not perfect, but it may help.

Information for this post came from Security Week.


DHS Asks Visitors For Social Media Account Information

Last December, DHS started asking some foreign visitors for their social media account information.  The request is ‘optional’.

Social media platforms such as Facebook, Google+, Instagram and others are on a list where visitors are asked to enter their account names.  Note that they are not being asked for their passwords.

The Feds are trying hard to separate the bad guys from the good guys and this is just another piece of that process.

Of course, since you can have as many Facebook accounts as you care to create, I assume that only dumb terrorists will provide the account that says ‘death to infidels’ and the smart terrorists will provide the account that says ‘I love the USA’.  Therefore, I am not sure that this will really help much.

The Internet Association, a lobbying group that represents companies like Google and Facebook, is, not surprisingly, not pleased.  They say it will discourage people from using their platforms and they will lose some ad revenue.  Oh, wait, that's not what they said.  They said it threatened free expression and posed privacy and security risks to foreigners.  Both are probably true.

The ACLU says that there are very few rules about how the data is collected, maintained and disseminated to various agencies.  There are no guidelines or laws governing how the government uses that data or how long they keep it.

At least for the moment, Customs and Border Protection says that they won’t deny entry to those who don’t answer those questions.

Currently, the questions apply to people visiting from the 38 countries that participate in the visa waiver program, whose visitors can stay for 90 days without a visa.  Of course, DHS might expand it later.

It is also possible that other countries might follow the U.S.’s lead and ask for similar information.

Information for this post came from Politico.
