Category Archives: Security Practices

Hackers Infect 500,000 Routers and Growing

Cisco has released an advisory that a half million consumer and small business routers and growing have been infected with malware dubbed VPNFilter.

The malware was detected infecting routers from:

  • Linksys
  • MikroTik
  • Netgear
  • TP-Link
  • and QNap storage devices

The researchers have not figured out a test that a consumer or small business can use to detect whether a particular router is infected or not.

On top of that, there is no “patch” that will inoculate a router against the malware.

The infections is affecting routers in 54 countries and has grown so quickly in the last month that the researchers decided to make their research public early.  They are continuing to study it.

The malware is very flexible in what it can do – including stealing credentials and destroying the router so that the user has to buy a new one.

Among other things, the malware can, apparently, steal files and also  run commands on your router which could lead to a whole variety of different compromises of your systems.

The FBI says that it has seized a server used by the attackers.  Gee, that means that they will hijack a new server and download a new version of the malware onto the compromised devices.  Given this control server was taken offline, it *MAY* mean that the hackers have to reinfect those devices, but apparently, that wasn’t too hard to do in the first place.

Information for this post came from Ars Technica.

OK, so given that, what do you do?

The article lists some of the routers affected.  Some of them, like the Linksys E1200 and E2500 and Netgear R7000 and R8000, are extremely popular.  If you have one of the routers listed in the article, you should raise your alert level.

Rebooting the router WILL NOT remove the malware.  Given that there is no easy way to detect the malware, Cisco is recommending that users of the listed routers perform a factory reset.  Beware if you do that you will lose the router’s configuration and someone will have to reprogram it.  This may involve sending out a service technician to your house or office.  This, right now, is the only known way to disinfect infected routers.

I  recommend putting a separate firewall between your ISP’s router and your internal computers.  This is another level of defense.  Two good firewalls are pfSense (which comes both as open source software and a commercial package) and the Ubiquiti Edge Router X.  Note that you will have to have some expertise or hire someone to configure  it.  This will however, give you an extra layer of protection.  And, since you are buying it, your ISP will not have the password to it.

Make sure that you change the default password in your existing router.  One possible way the infection is getting in is via default credentials.

Check to see if there are any patches to your router available from your router manufacturer.  If so, install them and repeat that process every month.

Unfortunately, unlike some attacks where there is an easy fix, this one is a bit of a dumpster fire and since it affects so many different devices, it is not likely to get fixed quickly.

 

Facebooktwitterredditlinkedinmailby feather

Two Cryptocurrency Attacks In One Week

Cryptocurrency is an interesting beast.  Unregulated by governments.  Not backed by reserves or governments.  Difficult to track IF DONE RIGHT.  Completely transparent if not done right.

For all of these reasons, it is the target of attackers of all stripes.

The first attack this week was in England.  Armed robbers broke into the home of Bitcoin trader Danny Aston and forced him at gunpoint to transfer an unknown amount of Bitcoin from his account to an account under the control of the burglars.

The attack is kind of old school.  Hold someone up at gunpoint and make them turn over their money.

But a couple of things are different.  First, unlike money you can’t deposit it in a bank where there is government assurances of protection.  Also, it is highly unlikely that you can obtain insurance to protect yourself in this case, although it is possible that traditional burglary insurance might cover it.  Typical burglary insurance, however, has very small limits of reimbursement like a thousand dollars of cash or maybe a few thousand.

On the other hand, I am not quite sure how the burglars are going to convert the bitcoin into cash.  The blockchain is very transparent – every transaction is visible to anyone who wants to see it.  In this case since we know or could know the wallet ID of Danny Aston, we could follow the bitcoin no matter how many twists and turns it makes.  But, there is a problem – of course.  While we know Danny’s wallet ID, if it went from there to wallet A, then B, then C and D and so on, there may not be a way to identify those other wallets.  Especially if the wallet is not associated with a Bitcoin exchange (it doesn’t have to be) or is associated with an exchange in a country not friendly to us.  In any case, the bread crumbs will live on for ever, so those robbers need to not make any mistakes.  Ever.

Now onto the second incident.

Hackers stole more than $500 million in a cryptocurrency called NEM.  The NEM coins were stolen from a cryptocurrency exchange called Coincheck.  Apparently, the wallet from which the money was stolen was a “hot” wallet, meaning that it was connected to the Internet.  I don’t know about you, but I wouldn’t leave a half billion dollars exposed to the Internet.

There has been no explanation of how the attack was carried out.

The good news is that Coincheck says that they are going to reimburse depositors some percentage of their money, but have not explained how, when or where they are getting the half billion or so dollars to do that.  Likely depositors will NOT get reimbursed for 100% of their losses.

And so, the attacks continue and are not likely to stop any time soon.

And equally likely, people will continue to lose their money.

None of the attacks that I have seen attempt to compromise the cryptography.  Instead they either find software bugs or just do an old fashioned stick-em-up (although that was the first time a Bitcoim stickup was ever reported in England).

Even if Coincheck does come up with the half billion dollars to reimburse the depositors, someone is going to be out the money.   After all, unlike the government, Coincheck can’t just print more money.

Information for this post came from the Telegraph and CNBC.

Facebooktwitterredditlinkedinmailby feather

Not A Great Month for Intel

As if it wasn’t already a bad enough month for Intel, it just got a bit worse.

This is not related to Spectre or Meltdown;  this is an entirely new problem.

Intel processors have a remote management engine called Active Management Technology or AMT.  This allows corporate administrators to remotely take over those computers to manage them.

If the person “taking over” the computer is a good guy, then people don’t consider it a problem;  if it is a hacker “taking over” the computer, then it is a serious problem.

There are around 100 million computers that have been built in the last decade that have Intel’s Active Management Technology installed.

Last May Intel patched some bugs in AMT;  then last November they rushed out some more patches that fixed vulnerabilities that had been around since 2015.  Now there is a new vulnerability.

Except in this case, Intel is saying it is a feature.

This feature-bug was discovered last July and kept quiet until now.

The good news is that it does require physical access to the computer, but only for a minute or two.

All the attacker has to do is reboot the computer, enter the bios and configure the Intel Management Engine BIOS Extension (IMTBx).

The attacker will get a screen like this and can then set their own password.

Once they have done that, the hacker can bypass Bitlocker, Trusted Platform Module IDs and BIOS passwords.

One more time, Intel and PC Manufacturers configured the IMTBx with a single, default stupid password – ADMIN .  Technically, the password is admin – lower case.  Who would ever guess that?

This is one more example of SECURITY or CONVENIENCE, pick one.  Setting the password to admin is easier than making it unique to each machine or forcing people to change it the first time they power on the computer.

The hackers  can then enable remote access and take over the computer from anywhere in the world.

Of course, if the vendor or company changed the default password then this trick won’t work.

AND,  it would not have been a problem if Intel didn’t choose a stupid default password.

Intel tried to shift the blame on this one.  They said that they told OEMs in 2015 and again in 2017 to change the default password and improve security.

So if they thought this was a problem, why didn’t INTEL change that default password ?   Nice try blaming others, but it won’t work.

Also, this particular attack only works one computer at a time, so it would be used for targeted attacks.  Given that Intel announced the problem THREE years ago, you have to assume that the bad guys understand how to exploit this.

There is some good news, however, you can change the default password yourself and stop any attack.

Information for this post came from Ars Technica.

Facebooktwitterredditlinkedinmailby feather

Processor Security Flaw Keeps Morphing

Last week news was leaked of a problem with Intel processors built since 1995.  The problem – they could be hacked to possibly leak important stuff like all of your passwords.

It then came out that Microsoft and the Linux community were building patches and they would be released soon.

Apple said that they released a patch for the flaw in mid December.  Wait.  No.  Only for part of the flaw.  New patch now.

But the bug also impacts AMD processors – at least some of them.

And ARM processors, like on your cell phone.

Oh, yeah, today Apple released a patch for iPhones.

And now Microsoft is halting the distribution of the patch on computers that have AMD processors in them because AMD gave them bad technical specs and if you install the patch on one of those computers they turn into a really, really, expensive brick.

The good news is that people think this flaw, which has been around for 22 years (and likely already exploited by state sponsored hackers), is relatively hard to exploit .  Until some hacker posts sample code on the Internet.

The industry is not used to such an all encompassing problem.  I can’t recall this EVER happening in my career.  Cross chip and cross operating system – that is a once in a lifetime event.

Also, there are patches being released to applications like Safari and Firefox and many others.

There is no simple answer, but it is getting sorted out.  Give it a week, maybe two tops and I think it will settle down.  There are a LOT of moving parts here.

Information for this post came from Reuters and Betanews.

 

Facebooktwitterredditlinkedinmailby feather

White House Plans To Ban Staffers and Guests From Using Personal Cell Phones

Several months ago the White House floated a trial balloon about banning the use of personal cell phones by staffers in the West Wing due to security concerns.  You may remember that John Kelly was using his personal cell phone for government business and it was owned by hackers for six months before he figured out he had been hacked.

This week the White House said it plans to implement this ban – not only for staffers, but also for guests.  One assumes this does not include the Tweeter-in-Chief, who uses his old, non-secure personal cell phone to tweet.  Perhaps the White House has figured out how to create security patches for President Trump’s old cell phone (I believe it is running Android 4.x; the current version being 7 with 8 in testing).

This generates way too many questions.

Sarah Sanders said, basically, that the White House technology infrastructure is too fragile to handle all these wireless phones.  She did not point to trying to stop staff from using those phones to leak info to the media.  Given that places like Mile High Stadium can support 70,000 plus wireless users during a Broncos game, maybe the White House needs to talk to the Broncos to figure out how to support less than 500 users.

A White House official also said that personal cell phones are not as secure as government issued ones.  Possibly true, but no guarantee. Remember, this is not about using personal phones for government business, but rather using personal phones for personal business.  Which brings up another issue.  If staffers are required to use government phones during the day, will there be a change in the law to accommodate them using their government phones for non government business like coordinating day care or communicating with a spouse or other family members?  Will those conversations somehow be filtered out from FOIA requests and government archive requirements.  Those sound like a challenge to me.

They said that staffers could use their government issued phones for government business.  I don’t think government business includes talking to their spouses, children or parents.  People run  their lives off their cell phones.

They also said that guests cannot use their personal cell phones.  I guess they expect guests to go radio silent since they likely do not have government issued cell phones.

Apparently, this ban does NOT include the press.  Interesting.

It is an interesting problem and given that John Kelly may have been broadcasting sensitive information to hackers or the Chinese for half a year, it is a real problem.

Soldiers who work in places like the Pentagon are used to not having access to cell phones.  Now people who work in the White House will have to deal with similar issues.

The government has been challenged for a while to hire the best and the brightest.  Long hours, low pay, the uncertainty of promotions all compare unfavorably to the private sector.  Government agencies are already feeling this brain drain.  Adding tech restrictions certainly won’t help recruitment.

It is important to understand that the final rules aren’t out yet, so stay tuned for details next week.

Life does not always have neat, clean answers.

Information for this post came from Fox News.

 

Facebooktwitterredditlinkedinmailby feather

White House Considering Banning Personal Cell Phones

In a move that the White House says is for security, John Kelly is considering banning personal cell phones.

On one hand, you can’t blame them.  After all, Kelly’s own personal cell phone was hacked for six months before they figured it out.

On a self serving theme, it is possible that it might cut down on leaks, but I doubt that would really make much of a difference.  If they are going to talk to the press, they will do it off the White House grounds.

From the staff’s perspective, they work somewhat insane hours and being cut off from their families for that long would be, at least for me, a reason to find a different job.  Given the pressures of the job, it is probably hard to find good people anyway and if you add another barrier, it just makes finding people harder.

If a staffer uses a government issued phone to talk to their family and friends, the question comes up about open records and how much would be exposed.  Also, government issued phones can’t do text messages and most families live on those.  I assume you could not install snap chat or telegram or signal on a government phone.  It just seems like a mess.

Government phones can’t access GMail;  I am sure no White House staffers use that.

In addition,  government officials for years have gotten into trouble for using personal phones and personal emails for government business (think Hillary Clinton or Collin Powell, for example), so banning personal phones helps fix that problem, MAYBE.  On the other hand, they also get in trouble for using government phones and emails for personal business.

Now, if this rule goes through, you just made things even harder.  If someone told you that you couldn’t access your personal phone, text messages, social media or personal email for say, 12-18 hours a day, would you take the job?  I suspect a lot of people would not.

It is fair to assume that foreign powers would love to tap into govies’ phones, so there is no easy answer.

Stay tuned for more details.

Information for this post came from Bloomberg.

Facebooktwitterredditlinkedinmailby feather