Netgear router update

If you use a Netgear router for your home network, please log on to your router and use the upgrade feature to apply an important security update. That feature is probably located under the Advanced and/or Administration sections of the router’s web-based menus.

This update addresses several vulnerabilities, some of which are remotely exploitable. The linked page indicates which vulnerabilities affect which routers, and I found that my router was affected by one of the vulnerabilities.

If a character in a story you’re writing needed to exploit this kind of thing against a target, it’s not a great stretch of the imagination. If your character sent her target an email with a link to a web page she controls, and if the target clicked the link while on a computer at home, she’d have the target’s IP address (she could get that by looking at her web server’s logs). Once she knew the target’s IP address, she could interrogate the address herself with readily-available network tools, or she could use something like Shodan to try to identify the kind of router her target uses. If the target has remote administration enabled (which may be a default setting in some router models), she could use publicized vulnerabilities like the ones linked above to break into her target’s home network.

You should probably run updates on your home router even if it isn’t made by Netgear.


Flash Player Zero-Day

A zero-day vulnerability is a software defect that doesn’t yet have a patch from the vendor. One of these currently exists for Adobe Flash Player, and it is being actively targeted by a working exploit. This particular defect (CVE-2018-4878) is a use-after-free vulnerability which allows remote code execution. This means that Flash Player keeps using a region of memory after that memory has been freed, and that the exploit is able to place malicious code or data into that freed region before Flash Player touches it again, causing Flash Player to execute the malicious code introduced by the exploit.

South Korean security researchers say that North Korea developed this exploit and has embedded it in Microsoft Word documents in an effort to attack South Koreans doing security research on North Korea, and that this has been going on for two or three months.

This zero-day started making news on 1 February, and Adobe says it’ll release a patch the week of 5 February. As in this case, it can take the vendor a while to address a defect like this. So if your character needs to compromise someone’s computer, she might search Dark Web forums for a recent zero-day like this and send it to her target in a phishing email, especially if she knows that her target is not diligent about keeping their computer up-to-date.

And if you use Flash Player, make sure you apply the patch when Adobe releases it. Version 28.0.0.137 is the affected version.

Grand theft auto? Kidnapping? Murder? There’s an app for that.

This is a summary of three articles from the Sophos Naked Security blog that might be of interest to writers of stories involving cybercrime.

Break into a car in seconds

Many new cars come with an electronic fob on the keychain. The fob uses radio signals to tell the car to unlock. In a development which should surprise absolutely no one, criminals have found a way to abuse this feature. Looks like it takes two devices: one to record the fob’s signal and send it to the second device which opens the car door. This appears to work even if the fob is inside the owner’s house.

Your story’s character may not want to steal a car, but she might want the laptop the owner left sitting in the trunk.

Smartwatches are dumb

Does your story have a villain who’s not above kidnapping? He might use an insecure smartwatch to locate his target.

Smart pumps are also dumb

Does your story’s villain need to deliver a lethal dose of morphine to a hospital patient? He could potentially do so from a safe distance if the patient is being treated with a device that regulates the IV drip. The vulnerabilities in the linked article are admittedly very difficult to exploit, but they’re indicative of the sloppy development of devices like this. The vendor says they’ll release an update this month to address the problem. It’s probably a firmware update. How many overworked hospital IT workers do you think will go around applying that update to every affected device?

Data breach at US Department of Homeland Security

The Department of Homeland Security (DHS) suffered a “privacy incident” involving a database with personal information on nearly a quarter million people employed by DHS during 2014. This breach also affects an unspecified number of people who were associated with DHS investigations between 2002 and 2014. This latter group includes the subjects, witnesses, and complainants of DHS investigations.

DHS says that this wasn’t the result of a cyber attack. Sounds like a former DHS employee helped themselves to a personal copy of this database. This database contains names, social security numbers, dates of birth, and other information useful for identity theft. It isn’t clear how far this information was disseminated.

So if you think you may be affected by this data breach, click the above link for information about enrolling in 18 months of free credit monitoring. And if you’re an author with a character who wants secret information about a company or organization, have your character start running phishing attempts against current and former employees of the company/organization. She might identify these employees by running searches in social media sites like LinkedIn. Gaining access to an employee’s personal computer or Dropbox account might be very fruitful, because there’s no telling what that employee might have taken home with him.

Equifax breach

The data breach at credit bureau Equifax has gotten a lot of attention in the last week. It seems that the company has been guilty of at least two significant blunders: unpatched software and default authentication credentials.

Unpatched software

Equifax has at least one web application built on Apache Struts, a category of software called a web application framework. Web developers use frameworks to build their applications, because the frameworks provide components common to many web applications, components that do things like handling input typed into a web form, generating HTML for web pages, etc. Frameworks allow web developers to skip over routine tasks and focus on the business logic specific to the application.

Like any software, frameworks have versions and updates. Equifax was using a version of Struts that had at least one serious and widely-known security vulnerability. When the Struts developers (not Equifax, but the people who make the Struts framework) became aware of the vulnerability, they released an update to the Struts framework. The Struts developers released this update months prior to the Equifax data breach. For whatever reason, Equifax didn’t update Struts on their site.

Default authentication credentials

Equifax hosts a web application that their Argentinian employees use to manage credit report data. That web application had a poor choice of authentication credentials: the username was admin, and the password was also admin. Logging in with those credentials allowed an attacker to retrieve the usernames and passwords of Equifax employees, which would in turn allow the attacker to retrieve Equifax customer information.
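The two blunders above (an unpatched framework and an admin/admin login) are exactly the kind of thing a routine self-audit catches. The script below is an added example, not anything from the original post or from Equifax: it walks a small inventory of hosts, flags any component whose version is below a minimum patched version, and flags accounts that use a well-known default pair, reuse the username as the password, or are simply too short. The host names, the minimum-version table, and the default-credential list are all constructed for illustration; the version numbers are placeholders, not the real Struts fix versions.

```python
"""Added example (not from the original post): audit an inventory for the two
Equifax-style mistakes, out-of-date frameworks and default/weak admin credentials.
All hosts, versions and credential pairs below are constructed for illustration."""

import re

# Constructed: minimum version treated as patched for each component.
# Placeholder numbers only, not the actual vendor fix versions.
MIN_PATCHED = {
    "struts": "2.5.13",
    "wordpress": "4.8.2",
}

# Constructed list of well-known default username/password pairs.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("admin", ""),
}


def parse_version(text):
    """Turn '2.3.32' into (2, 3, 32) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def is_outdated(component, version):
    """True if the installed version is below the minimum patched version."""
    minimum = MIN_PATCHED.get(component.lower())
    if minimum is None:
        return False  # unknown component: nothing to compare against
    return parse_version(version) < parse_version(minimum)


def credential_findings(username, password):
    """Return the reasons a credential pair is weak (empty list if none found)."""
    reasons = []
    if (username.lower(), password.lower()) in DEFAULT_CREDENTIALS:
        reasons.append("default vendor credential")
    if username.lower() == password.lower():
        reasons.append("password equals username")
    if len(password) < 12:
        reasons.append("password shorter than 12 characters")
    return reasons


def audit(inventory):
    """Run both checks over every host and return one (host, finding) pair per problem."""
    findings = []
    for host in inventory:
        for component, version in host.get("components", {}).items():
            if is_outdated(component, version):
                minimum = MIN_PATCHED[component.lower()]
                findings.append((host["name"], f"{component} {version} is below {minimum}"))
        for user, pw in host.get("accounts", []):
            for reason in credential_findings(user, pw):
                findings.append((host["name"], f"account '{user}': {reason}"))
    return findings


# Constructed sample inventory: two hypothetical hosts.
SAMPLE_INVENTORY = [
    {"name": "dispute-portal",
     "components": {"struts": "2.3.31"},
     "accounts": [("svc_struts", "Vx9!long-random-pass")]},
    {"name": "ar-credit-admin",
     "components": {"struts": "2.5.13"},
     "accounts": [("admin", "admin")]},
]

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY):
        print(f"[{host}] {finding}")
```

Versions are compared as integer tuples rather than strings, because a string comparison would happily report "2.3.9" as newer than "2.3.32". In a real deployment the inventory would come from a package manifest or a configuration-management database rather than a literal in the script.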

How does this happen?

Why didn’t Equifax apply the Struts update? A few possibilities come to mind:

  1. They didn’t know about the update. Equifax must have developers, system administrators, and security analysts. Maybe they were all blissfully ignorant of the update for over four months.
  2. Maybe the update was incompatible with the web application they built on the Struts framework. If that were the case, they should have identified and fixed the problem and then run the update. That might take days, but it shouldn’t take months.
  3. They probably have change control processes that delay an update. They wouldn’t immediately run the update on their live production servers. First they’d load it in a test environment, and then they’d test their application after applying the Struts update. But that should take at most days, and probably hours, especially with an update that addresses serious security vulnerabilities.

None of these is an excuse for waiting months to run the update, and there’s really no defending the admin/admin thing at all.

What this might mean to you

Brian Krebs has been a long-time advocate for security freezes, and I’m considering doing this. The only reason I haven’t done this yet is that it just seems like one more pain in the ass when my day job, the current political climate, and other stuff leave me wanting to do little more than read a book or sit in front of the TV binge-watching The Flash and Supergirl (which is why I haven’t been posting on this blog much lately).

The implications of the Equifax breach to a story-teller are obvious enough. If your character needs to break into a web site or computer network, she should look for out-of-date software or default authentication credentials. This sort of thing isn’t supposed to happen to a big company that should know better about how to protect the personal information of millions of people. But it does happen, which can make it a plausible plot device in your fiction. I see that nmap has a test to look specifically for the Struts vulnerability found on the Equifax site, and there are plenty of open-source tools to run brute-force password attacks.

The implications of the breach on a computer user are obvious, too. This is why it’s so important to run software updates on everything. Criminals are well aware of security vulnerabilities and are actively exploiting them. We all need to be running updates:

  1. operating system and application software updates on our computers and mobile devices
  2. firmware updates on the routers we use for our broadband internet connections
  3. updates to self-hosted blogging software like WordPress (plugins, too)

And we need to be picking good passwords for everything. Did you ever change the password on your broadband router? Does “facebook” appear in your Facebook password?

CrashPlan discontinuing home plans

I’ve used CrashPlan as an offsite backup solution for several years and have really liked it. Today the company announced that they are transitioning to being an enterprise-only solution, and that they are ending support for personal and family plans.

This is pretty disappointing. It’s been a good product at an affordable price, and now I have to find something else. The company is going about this in a nice way: they’re giving their users 14 months’ notice. I’ll post about this again when I figure out what I’m going to do. And I’m certainly open to suggestions.

Your printer may betray you

A recent story making the rounds tells about how an NSA contractor got caught leaking classified information to the media. The contractor wanted to give information in one or more PDF documents to an online publication (The Intercept). She could have just emailed the PDFs, but she was probably worried that the PDFs might contain some metadata that could link the documents back to her. So she printed the PDF files, scanned the printouts with a desktop scanner, probably destroyed the printouts, and then emailed the scanned pages.

It turns out that many modern printers add little yellow dots to every page they print. If you know how to read them, the dots identify the type of printer, the printer’s serial number, and the date and time the document was printed. The dots are hard for people to see, but the contractor’s scanner was sensitive enough to image them.

So when The Intercept sent some of the scanned pages to the NSA asking them to verify the authenticity, the NSA just had to read the dots, identify the printer, and look in server logs to see who used that printer at the time the dots indicated. They arrested the contractor, and a conviction will probably put her in prison for several years.
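To make the dot trick concrete, here is an added example (not from the original post, and not any vendor’s real scheme) of how a page’s dot grid can carry a printer serial number and a timestamp, and how an investigator would read it back. The layout is an assumption invented for illustration: an 8-row by 15-column grid, one 7-bit value per column, and a parity dot in the top row so a damaged or mis-scanned grid is detected rather than silently misread. Real vendor encodings are undocumented and differ by model; the serial number, date and model code below are constructed.

```python
"""Added example (not part of the original post): a toy encoder and decoder for a
printer tracking-dot grid. The layout (8 rows x 15 columns, one 7-bit value per
column, a parity dot in the top row) is assumed for illustration only; it is not
any real vendor's format."""

ROWS, COLS = 8, 15

# Column assignments in the toy layout (constructed, not a real vendor format).
FIELDS = {"serial": range(0, 6), "minute": 6, "hour": 7, "day": 8,
          "month": 9, "year": 10, "model": 11}  # columns 12-14 are unused


def _column_bits(value):
    """7-bit big-endian column body for value (0..127); the top row is a parity dot."""
    if not 0 <= value < 128:
        raise ValueError(f"value {value} does not fit in 7 bits")
    body = [(value >> (6 - i)) & 1 for i in range(7)]
    parity = 1 - (sum(body) % 2)  # make the total number of dots in the column odd
    return [parity] + body


def encode(serial, year, month, day, hour, minute, model):
    """Return the dot grid as a list of ROWS strings ('o' = dot, '.' = blank)."""
    if not 0 <= serial < 10**6:
        raise ValueError("serial must be a six-digit number")
    columns = [0] * COLS
    for col, digit in zip(FIELDS["serial"], f"{serial:06d}"):
        columns[col] = int(digit)  # one decimal digit per column
    columns[FIELDS["minute"]] = minute
    columns[FIELDS["hour"]] = hour
    columns[FIELDS["day"]] = day
    columns[FIELDS["month"]] = month
    columns[FIELDS["year"]] = year % 100
    columns[FIELDS["model"]] = model
    bits = [_column_bits(v) for v in columns]
    return ["".join("o" if bits[c][r] else "." for c in range(COLS)) for r in range(ROWS)]


def decode(grid):
    """Recover the fields from a grid; raise ValueError if the shape or parity is wrong."""
    if len(grid) != ROWS or any(len(row) != COLS for row in grid):
        raise ValueError("grid has the wrong shape")
    values = []
    for c in range(COLS):
        column = [1 if grid[r][c] == "o" else 0 for r in range(ROWS)]
        if sum(column) % 2 == 0:
            raise ValueError(f"parity error in column {c}: damaged scan or not this format")
        values.append(int("".join(str(b) for b in column[1:]), 2))
    serial = int("".join(str(values[col]) for col in FIELDS["serial"]))
    timestamp = "20%02d-%02d-%02d %02d:%02d" % (
        values[FIELDS["year"]], values[FIELDS["month"]], values[FIELDS["day"]],
        values[FIELDS["hour"]], values[FIELDS["minute"]])
    return {"serial": serial, "timestamp": timestamp, "model": values[FIELDS["model"]]}


# Constructed sample: a page from hypothetical printer serial 482913, model code 7,
# printed on 2017-06-03 at 14:27.
SAMPLE_GRID = encode(serial=482913, year=2017, month=6, day=3, hour=14, minute=27, model=7)

if __name__ == "__main__":
    print("\n".join(SAMPLE_GRID))
    print(decode(SAMPLE_GRID))
```

The parity dot is what makes this usable as evidence: a scan that lost or gained a single dot fails the check instead of yielding a plausible but wrong serial number, which is the difference between an identification and a false accusation. The same property cuts the other way for a character trying to frame someone, since a grid that has been tampered with by hand is likely to fail the same check.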

To me this is reminiscent of typewriter forensics, like how they convicted Ted Kaczynski (search that linked page for Unabomber). The FBI had a copy of Kaczynski’s typewritten manifesto. He’d used an old typewriter, the kind where the little arms with the embossed letters strike an ink ribbon to mark the paper. The FBI were able to match those pages to the typewriters they found in Kaczynski’s cabin.

It’s easy to see how this kind of trick could be useful to your character. She could do something like what the NSA did and trace a printout back to a person. Or she might print something on someone else’s printer to incriminate the printer’s owner in something.