Category: security

Re: Hackers infect 500,000 consumer routers all over the world with malware

Wednesday’s report is concerning because routers and NAS devices typically receive no antivirus or firewall protection and are directly connected to the Internet. While the researchers still don’t know precisely how the devices are getting infected, almost all of those targeted have known public exploits or default credentials that make compromise straightforward. Antivirus provider Symantec issued its own advisory Wednesday that identified the targeted devices as:

Linksys E1200
Linksys E2500
Linksys WRVS4400N
Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software
TP-Link R600VPN

Both Cisco and Symantec are advising users of any of these devices to do a factory reset, a process that typically involves holding down a button in the back for five to 10 seconds. Unfortunately, these resets wipe all configuration settings stored in the device, so users will have to reenter the settings once the device restarts. At a minimum, Symantec said, users of these devices should reboot their devices. That will stop stages 2 and 3 from running, at least until stage 1 manages to reinstall them. Users should also change all default passwords, be sure their devices are running the latest firmware, and, whenever possible, disable remote administration. (Netgear officials in the past few hours started advising users of “some” router models to turn off remote management. TP-Link officials, meanwhile, said they are investigating the Cisco findings.)

Do a system reset and be sure to change your default password. While you’re at it, update your firmware.

IMO, routers should auto update just like Chrome and our phones and everything else in the dang world. My Apple AirPort Extreme does.

Source: Hackers infect 500,000 consumer routers all over the world with malware | Ars Technica

On Choosing Secure Passwords

I couldn’t agree with this more and if you’re not using a password manager at this point, then you’re just doing the Internet wrong.

I use 1password and recommend it. Yes, it’s pay but that’s good!

My default password generation recipe is 23 characters of upper and lower case letters. I use letters only in case I’m ever having to manually type the stupid thing on a touch screen.

There are still some passwords you have to remember. Obviously you need to remember the password to your 1password file! I also remember the password to my Dropbox account (and I use 2-factor authentication) because that’s what I use to sync my 1password file. I also changed my iPhone from a 4 digit PIN to a strong password since the 5s has the fingerprint scanner. It’s becoming harder and harder to pick good ones. I used the Diceware method of generating my passwords.

Again, I agree with all this:

Even better is to use random unmemorable alphanumeric passwords (with symbols, if the site will allow them), and a password manager like Password Safe to create and store them. Password Safe includes a random password generation function. Tell it how many characters you want — twelve is my default — and it’ll give you passwords like y.)v_|.7)7Bl, B3h4_[%}kgv), and QG6,FN4nFAm_. The program supports cut and paste, so you’re not actually typing those characters very much. I’m recommending Password Safe for Windows because I wrote the first version, know the person currently in charge of the code, and trust its security. There are ports of Password Safe to other OSs, but I had nothing to do with those. There are also other password managers out there, if you want to shop around.

There’s more to passwords than simply choosing a good one:

  1. Never reuse a password you care about. Even if you choose a secure password, the site it’s for could leak it because of its own incompetence. You don’t want someone who gets your password for one application or site to be able to use it for another.
  2. Don’t bother updating your password regularly. Sites that require 90-day — or whatever — password upgrades do more harm than good. Unless you think your password might be compromised, don’t change it.
  3. Beware the “secret question.” You don’t want a backup system for when you forget your password to be easier to break than your password. Really, it’s smart to use a password manager. Or to write your passwords down on a piece of paper and secure that piece of paper.
  4. One more piece of advice: if a site offers two-factor authentication, seriously consider using it. It’s almost certainly a security improvement.
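The three recipes above (my 23-letter default, the 12-character alphanumeric-plus-symbols default quoted from Password Safe, and Diceware) can be compared on the same footing by counting entropy bits per pick. This is an added example, not code from 1Password, Password Safe or the Diceware project; it assumes the Password Safe alphabet is the 94 printable ASCII characters and that a Diceware list has 7776 entries, and it draws characters with the `secrets` module so the result is suitable for real use.

```python
import math
import secrets
import string

# Alphabets discussed in the posts.
LETTERS = string.ascii_letters                                              # 52 symbols
ALNUM_SYMBOLS = string.ascii_letters + string.digits + string.punctuation   # 94 symbols (assumed Password Safe set)
DICEWARE_LIST_SIZE = 6 ** 5                                                 # 7776 words, one per five-dice roll


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def letters_for_bits(target_bits: float) -> int:
    """Smallest letters-only length that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(len(LETTERS)))


def generate_password(length: int, alphabet: str = LETTERS) -> str:
    """Draw each character independently with the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def diceware_passphrase(words: int, wordlist) -> str:
    """Pick `words` entries uniformly from `wordlist` (7776 entries for real Diceware)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def compare_recipes() -> dict:
    """Entropy of each recipe mentioned in the posts, in bits."""
    return {
        "23 letters": entropy_bits(len(LETTERS), 23),
        "12 alnum+symbols": entropy_bits(len(ALNUM_SYMBOLS), 12),
        "6 diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
    }


if __name__ == "__main__":
    for name, bits in compare_recipes().items():
        print(f"{name:18s} {bits:6.1f} bits")
    # Letters only need ~14 characters to match 12 characters drawn with symbols,
    # which is why the touch-screen-friendly recipe costs so little strength.
    print("letters matching 12 alnum+symbols:", letters_for_bits(entropy_bits(94, 12)))
    print("sample 23-letter password:", generate_password(23))
```

Run with a real 7776-word list to get an actual Diceware passphrase; the constructed four-word list in the test is only there to exercise the function.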

Boston Marathon: What if all personnel had GPS-enabled, personal DVRs?

In the wake of the bombings at the Boston Marathon I’ve been listening to the radio and reading about the bombings. One of the early reports described how one of the bombs was pretty close to a security guard who was scanning the crowd. If the bomber didn’t look suspicious then there’s no reason for the security guard to remember the bomber at all so I’m not trying to fault the guard.

But what if all security personnel at the event wore a Google Glass type device that recorded everything during their shift? What if these devices were GPS enabled and all of the video was downloaded into a server and that data could then be data-mined? For instance, show me all video from all devices that occurred between 1:00pm and 3:00pm at coordinate X.

This nerdy idea has been bouncing around in my head for a few days and I hope typing it out will make it stop. 😉

On E-Voting

I read this article about e-voting over on Ars Technica. It’s good so go read it.

My problem is that e-voting would be a huge target for APT types of hackers. What would happen if Egypt was on an e-voting system and the US/Israel wanted to affect the outcome of the election to make sure the Islamist candidate didn’t get elected (e.g., Stuxnet)? Does anybody think that attacks with the full funding and power of the US government wouldn’t be successful?

PS. This is the e-voting machine that we voted on.

Two great articles on password security

Why passwords have never been weaker—and crackers have never been stronger (Ars)

The average Web user maintains 25 separate accounts but uses just 6.5 passwords to protect them, according to a landmark study (PDF) from 2007. As the Gawker breach demonstrated, such password reuse, combined with the frequent use of e-mail addresses as user names, means that once hackers have plucked login credentials from one site, they often have the means to compromise dozens of other accounts, too.

More than just one password: Lessons from an epic hack (1password)

Mat Honan, a 1Password user and writer for Wired, did everything right. He had strong, unique passwords everywhere. Yet he was the victim of an “epic hack”, and had to put a great deal of effort into getting his digital life back.

A very brief account of this Homer-worthy hack is that someone talking to Amazon customer service got into Mat’s Amazon account, from which they were able to learn enough about him to then call Apple’s customer service to get a new password set. Once they had Mat Honan’s Apple ID and password they used Remote Wipe to erase his iOS devices and his Macs. This has been written about extensively elsewhere, but I would like to talk about this in the context of whether there are useful lessons for 1Password users.


Apple and Amazon security flaws, changes I made to protect myself

Update: Amazon Quietly Closes Security Hole After Journalist’s Devastating Hack

Last night, I read in horror Mat Honan’s account of how he got hacked and how a large part of his digital existence ceased to exist. The scariest part of this “hack” was that it didn’t take advantage of any sort of software bug or security vulnerability. It wasn’t even really somebody doing any sort of social engineering. Some clever people just used the available account recovery processes of Amazon, Apple and Google in order to gain unauthorized access to multiple accounts and delete everything.

Apple only requires that a person validate the account holder name, billing address and the last 4 of the credit card on file. The first two are pretty trivial to get. If a person has their own domain name, usually a DNS lookup will reveal the billing address. So how did the people involved in this get the last 4 of a credit card #? Enter Amazon.

The Amazon part is a two part process but is pretty trivial:

First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits.

The Amazon bit of this hack is astoundingly easy! Yikes! So now with the last 4 of the CC in hand, the hackers called up Apple and were issued a temporary password.

Gmail also played a role in this hack because the target of the hack was actually Mat’s Twitter account. Mat was using his @me.com email address as his backup account with Google thus the hackers targeted the Apple account.

After I read the article I was horrified to realize that my Apple ID was vulnerable to the same hack. Somebody could access my Amazon account using the process outlined above (assuming Amazon hasn’t already changed their security processes), call Apple Care and get access to my Apple ID. Since I had recently switched most of my online accounts to use my Apple email address, it was trivial to get the keys to my digital kingdom: Twitter, Facebook, etc. Here are the actions I took to harden myself against these types of hacks:

  • I changed the CC on file with Apple (iTunes) to a different CC from the one I have on file with Amazon. In fact, I’ve never used this new CC with any online site at all. That by itself would have prevented the hack described by Mat from working. I actually deleted the CC’s I had on file with Amazon but a look at the order history reveals the last 4 of the CC used on each order.
  • I verified that I didn’t have my me.com email address as my backup with Gmail.
  • I enabled 2-step authentication on Gmail.
  • I’m switching my online accounts back to my Gmail account instead of using my me.com account.

My trust in Apple security has been shattered. I feel that the two-factor authentication with Gmail better protects me from account recovery attacks. Not just that but having used the iCloud solution for a while, Gmail is just a better, more full-featured email solution.

Please review your accounts to make sure you’re not vulnerable to this hack.