STE WILLIAMS

Snapchat praises itself over giant phone number carelessness

On New Year’s Day we wrote about a giant phone number leak from controversial photosharing site Snapchat.

Here’s what happened.

Snapchat implemented a search service so that you could put in a friend’s name and phone number, and find out their Snapchat handle.

Assuming, of course, that they had a Snapchat login, and that they had felt it prudent to tell Snapchat their phone number in the first place.

With hindsight, we now know that it was not at all prudent to entrust phone numbers to Snapchat, because the company did two things that were contradictory from a security point of view:

  • It created an easy-to-use web interface by which anyone with a Snapchat account could perform phone number lookups in bulk. (A single request could apparently contain tens of thousands of numbers to check at the same time.)
  • It “prevented” overuse – or abuse – of this interface by publishing terms and conditions that told you not to use it without permission.

But with several open source projects available that showed how to use the Snapchat web programming interface, it was really only a matter of time before someone decided to risk being kicked off Snapchat by going after those badly-shielded phone numbers.

Matters weren’t helped when a self-appointed security collective calling itself Gibson Security published details on Christmas Eve of the web requests you’d need to send in order to extract phone numbers in bulk from Snapchat’s servers.

Rather than simply fixing the problem quietly and quickly in the background – as one imagines a company like Google or Facebook would have done – and then apologising, Snapchat took the curious approach of officially declaring this process of mining phone numbers to be “theoretical.”

As The Register’s John Leyden wryly remarked, throwing terms and conditions at a technical problem, and the word “theoretical” at a vulnerability announcement, is the proverbial red rag to a bull.

And so it was that on New Year’s Day we found ourselves announcing that someone had “theoretically” recovered 4,600,000 usernames and phone numbers from Snapchat and published the whole lot online. (The last two digits of each phone number were removed in a sop to decency.)

With the ball back in Snapchat’s court, we honestly expected that Snapchat would:

  1. Apologise.
  2. Fix the problem.
  3. Convince us all that the fix really did work this time.

After all, part of the reason Snapchat wanted us to treat the risk as merely “theoretical” was that the company claimed to have fixed the problem already, saying over the holiday break that:

Over the past year we’ve implemented various safeguards to make [bulk phone number recovery] more difficult to do. We recently added additional counter-measures and continue to make improvements to combat spam and abuse.

Well, Snapchat has now officially responded to the breach, and this time it has:

  1. Praised itself.
  2. Offered no apology at all.
  3. Said it really is fixing things now, honest.

Indeed, it seems that on the issues of privacy and trust, things could scarcely be better, with the company stating that:

The Snapchat community is a place where friends feel comfortable expressing themselves and we’re dedicated to preventing abuse.

That’s because:

We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.

Apparently, Snapchat founders Evan Spiegel and Bobby Murphy – two Stanford guys who love building cool things, as their own website proclaims – aren’t quite as good at actually building things that work safely and reliably.
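
The two contradictory design choices listed above (a bulk-capable lookup interface, guarded only by terms and conditions) are the whole problem, and Snapchat's promise of "rate limiting and other restrictions" does not say what those would look like. The following is an added illustration, not Snapchat's code: the directory, the account names and the phone numbers are invented, and the specific limits are example values. It puts the uncapped endpoint beside a version that enforces a per-request batch cap and a per-account sliding-window budget, so that splitting a bulk list into many small requests does not get around the cap.

```python
import time
from collections import deque

# Constructed directory of phone number -> handle (invented values).
DIRECTORY = {
    "+15550100": "alice_snaps",
    "+15550101": "bob_snaps",
    "+15550102": "carol_snaps",
}


class UncappedLookup:
    """The weak design the article describes: any logged-in account may submit a
    batch of any size, and the only limit is a clause in the terms of service."""

    def lookup(self, account, numbers):
        return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}


class CappedLookup:
    """Hardened version: a hard cap on numbers per request, plus a per-account
    sliding-window budget on numbers checked, so that batching many small
    requests is no better than one big one."""

    def __init__(self, max_batch=50, window_seconds=3600, max_per_window=200,
                 clock=time.monotonic):
        self.max_batch = max_batch
        self.window = window_seconds
        self.max_per_window = max_per_window
        self.clock = clock                 # injectable so the logic can be tested offline
        self._events = {}                  # account -> deque of (time, numbers checked)

    def _spent(self, account, now):
        q = self._events.setdefault(account, deque())
        while q and now - q[0][0] > self.window:
            q.popleft()                    # expire entries that fell out of the window
        return sum(count for _, count in q)

    def lookup(self, account, numbers):
        numbers = list(dict.fromkeys(numbers))   # de-duplicate before counting
        if len(numbers) > self.max_batch:
            raise ValueError(f"batch of {len(numbers)} exceeds cap of {self.max_batch}")
        now = self.clock()
        if self._spent(account, now) + len(numbers) > self.max_per_window:
            raise PermissionError(f"{account} exceeded {self.max_per_window} lookups per window")
        self._events[account].append((now, len(numbers)))
        return {n: DIRECTORY[n] for n in numbers if n in DIRECTORY}
```

The caveat a practitioner should keep in mind: the capped version slows enumeration down by orders of magnitude but does not stop it, because the endpoint still answers the question "is this number registered?" one number at a time. Anything that reveals a handle for a phone number has to be rate limited per account and per source, and the limits have to be low enough that 4.6 million lookups are infeasible rather than merely impolite.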

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/3aHymfpZTHc/

FireEye buys outfit that lifted the lid on Chinese cyber-espionage


Threat prevention firm FireEye has acquired privately held net security firm Mandiant. The cash and shares deal, announced Monday, is valued at around $1bn.

Mandiant is best known for its landmark study into the Chinese APT1 hacking crew last year, which exposed the organisation’s tactics and evidence of its links to the Chinese military.


The firm also markets endpoint security products and security incident response products and services.

FireEye, which went public late last year, will improve its “ability to find and stop attacks at every stage of the attack life cycle”, according to a statement on the deal.

Mandiant and FireEye have been technology partners since April 2012. FireEye’s virtual machine-based security products and services supply real-time, dynamic threat protection to more than 1,500 government, enterprise, and small and mid-sized customers worldwide.

The major selling point of FireEye’s technology is the ability to pick up on threats missed by conventional anti-malware tools or intrusion prevention technology. Mandiant adds incident response expertise and threat intelligence to the managed security services mix.

Mandiant will be integrated with FireEye to provide global services and cloud products and services, including security consulting, incident response, and managed services. Mandiant’s endpoint threat detection and response products will be incorporated as a core element of the FireEye Oculus threat monitoring platform. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/03/fireeye_mandiant/

5 Monitoring Initiatives For 2014

Security information and event management systems (SIEMs) became much more common in 2013, while more companies talked about using massive data sets to fuel better visibility into the potential threats inside their networks.

Yet effective security monitoring has a long way to go. To better secure their networks and improve visibility into the threats on their systems in 2014, companies first need good communication between business executives and information-security managers. While 90 percent of managers surveyed by network security and management firm SolarWinds thought security was under control, only 30 percent of the actual IT practitioners believe that security is well-established, according to the firm.

A good place to start is for information-technology leaders to ask themselves and their business counterparts what more they want to know about their networks, systems, and employees. Without the right questions, monitoring for threats will be hard, says Dave Bianco, Hunt Team manager for incident-response firm Mandiant, which was acquired by FireEye this week.

“It pays for companies to take a step back and look at what they are doing,” Bianco says. “I can look at things that I’m really worried about because of my business, or things that might be interesting to those who are attacking me — not only figure out what you might be able to detect, but figure out what you have to detect them with.”

To start the conversation, here are five initiatives that security-monitoring experts say should be undertaken this year.

1. Catalog the sources in your network
Companies first have to know what they have to work with. A business looking at improving its visibility into its network and the threats in the network should first find out what data sources are available, Mandiant’s Bianco says.

Companies should not only collect the logs from Web servers, firewalls, and intrusion-detection systems, but other systems that may not initially be considered sources of intrusion information, he says. One example: the authentication logs for all the systems in the environment, he says.

“Make sure that you are logging the data from these systems correctly and sending it to a central place where you can get access to it,” Bianco says. “That way you can turn all those independent log sources into new detection platforms.”

2. Monitor users, not just devices
Many companies continue to attribute activities to Internet addresses — that is, devices — on their networks, rather than dealiasing the user behind those actions, says Patrick Hubbard, head geek for SolarWinds. Yet adding context to the actions being taken on the network is important, he says.

“With more and more Internet-connected devices on the network, the number of humans on the network relative to the number of devices on the network is beginning to decrease, so it is not as easy to have strong authentication from the device,” Hubbard says.

[Companies analyzing the voluminous data produced by information systems should make sure to check user access and configuration changes, among other log events. See 5 Signs Of Trouble In Your Network.]

Businesses should make an effort this year to attribute actions to specific employees and users by combining authentication information and other sources with network logs.

“You want to look at users not just as logons, but within the context of the identity breadcrumbs they are leaving behind on the network,” he says.

3. Use more math
By collecting more data and knowing the questions to ask, companies should find themselves with a lot more information on what is happening in their networks. IT security teams can ask questions of the data and discover incidents that may have otherwise been hidden. However, companies should also allow the data to speak for itself — and to do that, they need math, says Joe Goldberg, senior manager of security and compliance product marketing for data-analytics firm Splunk.

By using statistical analysis, companies can determine the outliers in a big data set. If the average employee downloads 10 files from a SharePoint server in a day, then someone downloading 50 files may be an advanced threat actor harvesting data from the company’s server, he says.

“Use statistics and math on the sea of data that you’ve collected to figure out what is abnormal and what is odd,” Goldberg says.
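
Initiatives 2 and 3 above are the two halves of one pipeline: first attribute events on the network to a user rather than to an address, then let statistics say which user is abnormal. The block below is an added example (not from Dark Reading, Mandiant, SolarWinds or Splunk); the VPN session log, the SharePoint-style access log, the user names and the addresses are all constructed here. It joins downloads to users by source address and time, which matters because addresses get reused (one address is handed to a second user after lunch), then scores each user's download count with a median/MAD modified z-score, which is the "let the data speak" step and is robust to the outlier it is looking for. The 10-a-day versus 50-a-day scenario from the text is reproduced with 48 downloads.

```python
import re
import statistics
from collections import Counter, defaultdict

# --- Constructed sample data (invented users, addresses and paths) ---------------
AUTH_LOG = [
    "2014-01-03T08:01:10 vpn-gw session-start user=jdoe ip=10.8.0.21",
    "2014-01-03T08:03:44 vpn-gw session-start user=asmith ip=10.8.0.22",
    "2014-01-03T08:05:02 vpn-gw session-start user=bchan ip=10.8.0.23",
    "2014-01-03T11:58:30 vpn-gw session-end user=jdoe ip=10.8.0.21",
    "2014-01-03T12:30:00 vpn-gw session-start user=mrossi ip=10.8.0.21",   # address reused
]


def make_download_lines(ip, hour, count):
    """Build SharePoint-style access-log lines for one source address (constructed data)."""
    return [f"2014-01-03T{hour:02d}:{i % 60:02d}:00 src={ip} GET /sites/finance/report-{i}.xlsx 200"
            for i in range(count)]


DOWNLOAD_LOG = (make_download_lines("10.8.0.21", 9, 10)     # jdoe, morning
                + make_download_lines("10.8.0.22", 9, 9)    # asmith
                + make_download_lines("10.8.0.23", 10, 11)  # bchan
                + make_download_lines("10.8.0.21", 14, 48)) # same address, now mrossi

AUTH_RE = re.compile(r"^(?P<ts>\S+) \S+ session-(?P<kind>start|end) user=(?P<user>\S+) ip=(?P<ip>\S+)")
DL_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\S+) GET (?P<path>\S+) 200$")


def parse_sessions(lines):
    """Per-IP lists of [start_ts, end_ts_or_None, user] in log order.
    ISO-8601 timestamps in a single zone compare correctly as strings."""
    sessions = defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        if m["kind"] == "start":
            sessions[m["ip"]].append([m["ts"], None, m["user"]])
        else:                                   # close the newest open session for that user
            for s in reversed(sessions[m["ip"]]):
                if s[2] == m["user"] and s[1] is None:
                    s[1] = m["ts"]
                    break
    return sessions


def attribute(ip, ts, sessions):
    """Map (source address, time) to the user who held that address at that time."""
    for start, end, user in reversed(sessions.get(ip, [])):
        if start <= ts and (end is None or ts <= end):
            return user
    return None                                  # no session covers it: keep it visible, not dropped


def downloads_per_user(download_lines, sessions):
    counts = Counter()
    for line in download_lines:
        m = DL_RE.match(line)
        if not m:
            continue
        counts[attribute(m["ip"], m["ts"], sessions) or f"unknown@{m['ip']}"] += 1
    return counts


def robust_outliers(counts, threshold=3.5):
    """Users whose count is far above the median, in MAD units (modified z-score)."""
    values = list(counts.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1e-9   # avoid division by zero
    scores = {u: 0.6745 * (c - med) / mad for u, c in counts.items()}
    return {u: round(z, 1) for u, z in scores.items() if z > threshold}


if __name__ == "__main__":
    sessions = parse_sessions(AUTH_LOG)
    counts = downloads_per_user(DOWNLOAD_LOG, sessions)
    print(dict(counts))
    print(robust_outliers(counts))
```

Two design points worth noting. Attribution keeps an `unknown@<ip>` bucket rather than discarding unattributed events, because a device with no logon behind it is itself something the monitoring team wants to see. And the score uses the median and median absolute deviation instead of mean and standard deviation: with a handful of users, one heavy downloader drags the mean and inflates the standard deviation enough to hide itself.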

4. Find out more about attackers
Once companies have the data and the capability to analyze it, they need to know what types of threats may be targeting their company, Mandiant’s Bianco says.

Companies need to know the adversaries that might be targeting their businesses or industries. Focused threat intelligence can provide that as well as what techniques are common for those adversaries, Bianco says. Whether an attacker uses spearphishing, SQL injection, or malware to attack a business’ systems makes a difference for how a company detects the threats, he says.

“You need to know all these things that influence the catalog that a company creates of detection scenarios and how they are going to detect those threats,” he says.

5. Invest more in your people
While security practitioners continue to be in high demand, companies should do everything they can to find the necessary expertise and develop that expertise with training, Splunk’s Goldberg says.

“You are going to need security practitioners to not only deploy these systems and collect the data, but also to sit behind the desk and monitor and fine-tune them,” he says. “You want skilled people who know your environment well, and you cannot always outsource that.”


Article source: http://www.darkreading.com/monitoring/5-monitoring-initiatives-for-2014/240165105

US court dismisses suit brought against border laptop searches

A US federal court in New York closed out the year by saying that it’s OK for the government to search travelers’ electronic devices at border checkpoints without reasonable suspicion that people have done anything wrong, given that “reasonable” takes on a whole new dimension when you’re talking about the crucial zone of border crossings.

On Tuesday, the court dismissed a lawsuit against such searches that was filed against the Department of Homeland Security (DHS) in September 2010 by the American Civil Liberties Union (ACLU), the New York Civil Liberties Union, and the National Association of Criminal Defense Lawyers (NACDL).

Civil liberties advocates call such border checkpoints “Constitution-free zones” – places where government agents are free to disregard Fourth Amendment protection against unreasonable search and seizure, barring invasive techniques such as strip searches.

They don’t need reasonable suspicion or probable cause, and they can take what they like, be it laptops or smart phones – a status quo that was upheld in the New Year’s Eve decision.

DHS has the right to look through travelers’ electronic device contents and to keep the devices or to copy the contents in order to continue searching them once the traveler has been allowed to enter the US.

The court pointed to a previous case, United States v. Montoya de Hernandez, that held that whether a search or seizure is unreasonable “depends upon all of the circumstances surrounding the search or seizure and the nature of the search or seizure itself.”

From that earlier case:

The permissibility of a particular law enforcement practice is judged by balancing its intrusion on the individual’s Fourth Amendment interests against its promotion of legitimate governmental interests…. The Government’s interest in preventing the entry of unwanted persons and effects is at its zenith at the international border.

The lawsuit dismissed on Tuesday was pinned on the case of Pascal Abidor, a dual French-American citizen who had his laptop searched and confiscated at the Canadian border; the National Press Photographers Association, whose members include television and still photographers, editors, students and representatives of the photojournalism industry; and the NACDL, which has attorney members in 25 countries.

In May 2010, Abidor, a 26-year-old graduate student at the Institute of Islamic Studies at McGill University in Montreal, was riding a train from Montreal to New York City when a US Customs and Border Protection (CBP) officer checked out his customs declaration.

Abidor told the officer that he had briefly lived in Jordan and had visited Lebanon the year before. The travel showed up on his French passport.

The officer wanted to check out Abidor’s laptop, so Abidor willingly typed in his password.

On the laptop, the officer found images of rallies held by Hamas and Hezbollah – both designated as terrorist organisations by the US State Department.

Abidor told the agent that the images were there because his PhD focus is the modern history of Shiites in Lebanon.

But that doesn’t explain why Abidor would save images of Hamas, “a terrorist organization not composed of Shiites and not based in Lebanon,” Senior US District Judge Edward R. Korman wrote in his decision.

According to the ACLU, Abidor was questioned, taken off the train in handcuffs, and held in a cell for several hours before being released without charge.

When he got his laptop back in the mail 11 days later, it showed that many of his personal files had been searched, the ACLU said, including photos and chats with his girlfriend.

Court papers said that other intimate data easily viewable on Abidor’s laptop included copies of email conversations, class notes, journal articles, tax returns, his graduate school transcript, and his resume.

This case was one of two the ACLU has brought in the past few years against the government’s broad powers to conduct searches at border checkpoints.

In 2012, the ACLU brought a suit over the border checkpoint seizure of a laptop belonging to David House, a human rights activist, computer security consultant and supporter of Bradley Manning.

That seizure, carried out at a Chicago airport in 2011, was likewise conducted without a search warrant or any charges of crimes.

It resulted in the US settling the case, admitting that House was on a watch list, and agreeing to turn over investigative documents and to destroy copies of House’s data.

In the case of Abidor, the ACLU said it’s considering an appeal.

Catherine Crump, the ACLU attorney who argued the case in July 2011, said that searches conducted at the border without reasonable suspicion just can’t meet the standard set by the Fourth Amendment to the US Constitution, which protects against unreasonable search.

But such searches are only part of a much bigger picture, she said:

Unfortunately, these searches are part of a broader pattern of aggressive government surveillance that collects information on too many innocent people, under lax standards, and without adequate oversight.

In fact, the ACLU points out that “thousands of innocent American citizens are searched when they return from trips abroad.”

Justice Korman dismissed the idea that such searches are rife, pointing to statistics from the CBP that claim that only a tiny fraction of devices get searched at checkpoints.

From the court papers:

There is less than a one in a million chance that a computer carried by an inbound international traveler will be detained. Even in the case of a quick look and search of a computer, in which CBP officers simply have a traveler boot the laptop up, and look at what is inside … as opposed to a more comprehensive forensic search that would presumably occur if a computer were detained, the number of U.S. citizens subject to such a search comes to approximately 4.9 per day, or less than a five in a million chance that their computer will be subject to any kind of search. Even if both U.S. citizens and aliens are counted, there is about a 10 in a million chance that such a search will take place.

The judge pointed to an earlier court finding that called it a “far-fetched” notion to suppose that anybody might be subject to such search – mostly due to the fact that the US simply can’t get around to searching everybody’s devices:

Customs agents have neither the time nor the resources to search the contents of every computer.

Darn, what a shame. Don’t forget to append the word “yet” to the end of that, though, as occurs elsewhere in the court papers.

Beyond simply not having the wherewithal to rummage through every single traveler’s electronic devices, Justice Korman maintains that search at border checkpoints simply wasn’t all that big a deal before computers.

That’s in spite of plenty of lawyers, photographers and scholars having traveled with sensitive documents and photographs and having conducted potentially sensitive scholarly research – all without anybody suggesting that First Amendment protection of free speech was in danger, he said.

At any rate, the plaintiffs in this case “must be drinking the Kool-Aid” if they think that journalists or others with sensitive information can guarantee confidentiality to their sources or that they can protect privileged information, Korman wrote, saying that Abidor “cannot be so naïve” as to expect that crossing the Syrian or Lebanese border won’t also potentially result in search and seizure.

Finally, Justice Korman took Abidor to task for storing sensitive data on his device, pointing to a Ponemon Institute study (sponsored by Dell) that claims that business travelers in the US, Europe and the United Arab Emirates lose or misplace more than 16,000 laptops per week.

Korman proposes that given all the risk, why risk really important data at all?

… it would be foolish, if not irresponsible, for plaintiffs to store truly private or confidential information on electronic devices that are carried and used overseas. … One of the many suggestions that the Dell study makes to travelers is to ‘[t]hink twice about the information you carry on your laptop.’ … And it concludes with the commonsense query: ‘Is it really necessary to have so much information accessible to you on your computer?’

Is it necessary? Well, most people I know find it rather convenient to store data on data-storage devices.

Is it advisable?

Sheesh, given this ruling, that’s another question entirely.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FKtOpKKlzhM/


Gaping admin access holes found in SoHo routers from Linksys, Netgear and others

For many home users, the router-slash-firewall at the edge of their network plays a vital security role.

It acts as a stockade to keep crooks on the internet at arm’s length, typically blocking inbound network connections by default.

It shields the internal layout of the network from outside observers.

It probably also serves as a wireless access point for the household, and thus bears the responsibility of preventing random passers-by from jumping online and getting up to mischief at someone else’s expense.

In a word, your SoHo router is important.

So it is always alarming to read about sloppy programming in the firmware that ships with this sort of device.

Late last year, we wrote about “Joel’s Backdoor,” a misfeature in some D-Link routers which would have been a great joke, if only the side-effects hadn’t been so serious.

Joel’s bug was that if you told your browser to identify itself as xmlset_roodkcableoj28840ybtide (read it backwards!) instead of, say, Mozilla or AppleWebKit, then many D-Link routers would skip the need for a password.

Unauthenticated administrative access, just like that!
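
Since the D-Link bypass lives entirely in one request header, checking your own router for it is a matter of fetching the admin page twice and comparing the answers. The block below is an added example, not code from the original D-Link write-up: the magic string is the one quoted above, while the admin path (assumed to be "/") and the assumption that a normal client is answered with 401/403 or a redirect to a login form are this example's own. The fetch function is injectable so the decision logic can be exercised without a router on the wire.

```python
import http.client

# Magic User-Agent from the article (read it backwards). Everything below it is an
# assumption of this example: the admin page is taken to live at "/" and to answer
# an ordinary browser with 401/403 or a redirect to a login form.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"
NORMAL_UA = "Mozilla/5.0 (compatible; router-check)"
DENIED = {401, 403, 302, 303}


def http_status(host, user_agent, path="/", timeout=5):
    """GET `path` from the router's web interface and return the HTTP status code."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": user_agent})
        return conn.getresponse().status
    finally:
        conn.close()


def joels_backdoor_open(host, path="/", fetch=http_status):
    """True when the same page is refused to a normal browser but served in full
    to the magic User-Agent. `fetch` is injectable so this runs without a router."""
    normal = fetch(host, NORMAL_UA, path)
    magic = fetch(host, BACKDOOR_UA, path)
    return normal in DENIED and magic == 200


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.1"   # your own router only
    print("backdoor reachable" if joels_backdoor_open(host) else "no bypass observed")
```

A "no bypass observed" result only means this particular path did not behave differently for the two User-Agents; a firmware update from the vendor is still the fix, not the absence of a positive from a probe.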

Here’s another flaw, this time in various router products from Sercomm, that shows a similarly casual attitude to security by programmers who really owe you better code.

Sercomm produces routers under its own name, as well as building hardware sold under a diverse range of brand names, including 3Com, Aruba, Belkin, Linksys, Netgear and Watchguard.

→ Note that not all Sercomm-based products use Sercomm’s firmware, and not all Sercomm firmware builds include the vulnerability detailed below. The finder of the flaw has a partial list of devices and whether they are, might be, or are not affected. The only completely reliable way to tell if you have a router that is affected is to try to exploit the vulnerability on your own device. We’ll repeat that last bit: on your own device.

This latest example of dodgy router firmware coding was found over the recent holiday period by Eloi Vanderbeken, a reverse engineering enthusiast from France.

Eloi’s story started over Christmas, when – presumably due to having a bunch of guests full of festive online spirit – he claims to have found his home network unresponsive.

So he went to tweak a few settings in his router, only to remember that he had forgotten the administrative password.

What better way to spend a vacation, then, than trying to find a way into your own router without the password?

With a bit of prodding, and a spot of reverse engineering applied to a downloaded copy of the router’s firmware, Eloi quickly found just the hole he needed: an unauthenticated access vulnerability that he could use to list, edit or reset his router’s configuration.

What’s that service?

Eloi spotted a TCP service listening on network port 32764 on the router’s internal (wireless) interface.

Poking a stick at it caused it to reply like this:

By reversing, he realised that the reply was three 32-bit values, or DWORDS:

  1. ScMM was a magic number, probably just short for Sercomm.
  2. FFFFFFFF (-1 when treated as a signed integer) signalled an error.
  3. 00000000 was the length of the rest of the reply, zero because the error meant there was nothing to report.

Further reversing showed that a similar packet format was used when making requests, with the middle DWORD containing a number denoting the message type, and the third DWORD containing the length of the data accompanying the message, if any.

Eloi identified thirteen different message types, including two that didn’t require any special data, but were each sufficient to give you access without knowing the password.

Message Type 1 could be triggered by sending a packet like this:

The reply came back with a list of configuration strings from the router’s non-volatile memory (NVRAM), like this:

That’s the crown jewels, right there!

Anyone you let onto your home network, even as a temporary guest, can easily find out how to log in to your router, and to your ISP. (The PPPoE username and password are the credentials your router uses when it connects to your ISP after a dropout or a reboot.)
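The three-DWORD header described above, as an added example that is not Eloi’s code and not from the original article: a small Python parser that recognises an ScMM header in bytes read from port 32764 (on your own router, as the note above recommends, or out of a packet capture), tells an error reply apart from one carrying data, and flags a payload that contains the PPPoE credential keys named later in the article. The little-endian layout of the two integer fields, the sample replies, the function names and the self-check routine are all assumptions or constructed here; the article’s missing screenshots do not show the raw bytes.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Header layout as described in the write-up: three 32-bit values.
# Assumption: the two integer fields are little-endian. The magic is
# compared as raw ASCII, and -1 / 0 look the same in either byte order,
# so the error reply from the article parses correctly regardless.
MAGIC = b"ScMM"
HEADER_LEN = 12
SERCOMM_PORT = 32764          # the listening port named in the article

# Constructed sample replies (not captured from a real device).
SAMPLE_ERROR_REPLY = MAGIC + b"\xff\xff\xff\xff" + b"\x00\x00\x00\x00"
SAMPLE_CONFIG_PAYLOAD = b"pppoe_username=user@isp.example\x00pppoe_password=hunter2\x00"
SAMPLE_DATA_REPLY = MAGIC + struct.pack("<iI", 0, len(SAMPLE_CONFIG_PAYLOAD)) + SAMPLE_CONFIG_PAYLOAD

# NVRAM keys the article says appear in a config dump; their presence in
# traffic from this port means router and ISP credentials are exposed.
CREDENTIAL_KEYS = (b"pppoe_username", b"pppoe_password")


@dataclass
class ScmmHeader:
    code: int      # message type in a request; 0xFFFFFFFF (-1 signed) flags an error in a reply
    length: int    # number of payload bytes that follow the 12-byte header

    @property
    def is_error(self) -> bool:
        return self.code == -1


def parse_header(data: bytes, byteorder: str = "<") -> Optional[ScmmHeader]:
    """Return the parsed header, or None if the bytes do not start with ScMM."""
    if len(data) < HEADER_LEN:
        return None
    magic, code, length = struct.unpack(byteorder + "4siI", data[:HEADER_LEN])
    if magic != MAGIC:
        return None
    return ScmmHeader(code=code, length=length)


def classify(data: bytes) -> str:
    """Label a chunk read from port 32764 for a log line or an alert."""
    hdr = parse_header(data)
    if hdr is None:
        return "not-scmm"
    if hdr.is_error:
        return "scmm-error"
    payload = data[HEADER_LEN:HEADER_LEN + hdr.length]
    if any(key in payload for key in CREDENTIAL_KEYS):
        return "scmm-credential-dump"
    return "scmm-data"


def check_own_router(host: str, port: int = SERCOMM_PORT, timeout: float = 3.0) -> dict:
    """Self-check for your own router: is the port open, and does it speak ScMM?

    The article does not show what was sent to provoke the reply, so this sends
    nothing and only reads whatever the service volunteers within the timeout.
    An open port 32764 on a router is worth reporting either way.
    """
    result = {"open": False, "label": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["open"] = True
            try:
                data = s.recv(HEADER_LEN)
            except OSError:          # includes the read timeout
                data = b""
    except OSError:
        return result                # closed, filtered or unreachable
    result["label"] = classify(data)
    return result


if __name__ == "__main__":
    for name, sample in (("error reply", SAMPLE_ERROR_REPLY),
                         ("config reply", SAMPLE_DATA_REPLY),
                         ("http banner", b"HTTP/1.1 200 OK\r\n")):
        print(f"{name:13s} -> {classify(sample)}")
    # To test your own router, pass its LAN address, e.g.:
    # print(check_own_router("192.168.1.1"))
```

The byte-order parameter exists because the magic is compared as text while the integers are unpacked numerically; if a device turns out to use the other order, `parse_header(data, ">")` is the only change needed. The check routine reports the port as open even when no header comes back, which is the right default for a defender: an unexplained listener on a router is a finding whether or not it identifies itself.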

Ironically, when Eloi was testing his exploit code, he iterated through all 13 message types in order.

After he’d finished, he found he’d been kicked offline.

That turned out to be Message Type 11, which resets the router to its factory defaults.

Of course, that means the router no longer had the right pppoe_username and pppoe_password settings, so it couldn’t get back onto the internet.

But with the router administration username and password set to the defaults, Eloi had nevertheless achieved his desired result: unauthenticated administrative access.

What to do?

As mentioned above, there is a partial list of affected and unaffected devices on Eloi Vanderbeken’s GitHub page.

If you are affected, you’re going to need a firmware update, which probably won’t come from Sercomm, but rather from the vendor whose brand is on the router.

In the meantime, be careful whom you let on your wireless network; choose a strong Wi-Fi password; and make sure that you don’t have the router’s web administration service activated on the external interface, which would let any crook wander in at will.

If you’re technically inclined, or have a friend or family member who is and can help you, you might also want to see if your router can run an open source firmware such as OpenWRT or DD-WRT.

Those are Linux-based firmware builds for low-end routers that are much more modular than most of the firmware downloads from router vendors, meaning that you can leave out the bits you don’t need.

They also receive regular security patches, thanks to the care and attention of the developer communities that have sprung up around them.

And if you are ready to go a bit more high-end than a SoHo router, you might want to grab a copy of Sophos’s award-winning UTM product, which you can run entirely for free at home.

There’s no catch (though you need to register with an email address so we can send you a licence code), and included in the free licence is Sophos Anti-Virus protection for up to 12 Windows PCs, managed right from the UTM.

If you live in a shared house, or you have children to look out for online, this could be just the product you need.

→ The Sophos UTM offers a full-blown firewall, spam and web filtering (including anti-virus scanning), a VPN, and much more. That means it can’t be installed on a low-end router. You will need a spare computer with a 64-bit Intel CPU, such as a retired laptop.

Further advice and information

You can mitigate the risk of this router hole by ensuring you’re doing Wi-Fi security properly, so why not review your own Wi-Fi setup today?

In particular, use WPA2 with a long and hard-to-guess passphrase (you only need to enter it once on each device), and don’t rely on security short-cuts like network name hiding or MAC address filtering.

These short-cuts don’t give you the security you might think, and here’s why:

Image of floating Wi-Fi logo courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZqE7Ra4p-FY/

The exact number of people* who trust Facebook is… [POLL]

Do you think Facebook is trustworthy?

Do you even have a clue what that’s supposed to mean?

No? Neither do we!

Like, say, does it pertain to trusting the company with your real, actual birthdate, instead of lying through your teeth because you’re careful with your privacy and you assume that the company could accidentally leak everyone’s date of birth (it’s happened!)?

Maybe Facebook wants to know if you trust it to keep your data out of the hands of the National Security Agency (NSA), as the Washington Post’s Brian Fung guesses, or whether you trust it to show you only the Farmville updates that truly matter.

Facebook isn’t explaining, but it is asking.

As Fung reports, Facebook asked him and others recently to take a “quick and painless” survey on user experience, in multiple-choice form.

What it asks: how happy you are with Facebook, whether the service is easy to use, if it’s reliable or not, and whether you think it is trustworthy.

Now, obviously, Facebook isn’t the first entity to ask users whether they trust it or not. Plenty of others have done the same (and then gone on to actually share the results).

Fung cites a few polls, including an AP/CNBC survey from last year that found that 59% of respondents said they had “little or no trust” that Facebook will keep their personal information private. (Note that users said they don’t trust Facebook, but they aren’t giving it up, either.)

Another poll, this one done by Reason and published in September, found that respondents deemed both the NSA and the Internal Revenue Service (IRS) more trustworthy than Facebook (or Google).

But wait! There’s more!

To top off this mushy trust cupcake with the most sublime cherry of them all, when Naked Security polled users in October 2012 about whether one should trust accurate, truthful information to sites such as Facebook, exactly 92.92% of respondents as of 2 January 2014 had said that the prospect looked like a nice, tall glass of NOPE (all hail the Oatmeal!).

So yes, there’s plenty of data out there on how little faith Facebook users place in the service, however you define “trust”.

But Facebook won’t be adding to that data set, given that it’s declined to share the results of its own polling.

A spokesman told Fung that Facebook doesn’t share the data it collects from the survey, though it’s happy to get the feedback.

We are constantly working to improve our service, and getting regular feedback from the people who use it is an invaluable part of the process.

That’s nice. But we still want to know the results.

I did the due diligence of asking Facebook if it wanted to elaborate on that statement, but I hadn’t heard back by the time this was published. I will update this article once I get a reply.

At any rate, since Facebook is keeping the results to itself, maybe Naked Security could poll the same question. (You’ll have to decide exactly what “trustworthy” means to you on this one).

Here goes:

Image of handshake courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mWWNaswS_mU/

Slovenian jailed for creating code behind 12 MILLION strong ‘Mariposa’ botnet army

A Slovenian virus writer who created an infamous strain of malware used to infect an estimated 12 million computers worldwide has been jailed for almost five years.

Matjaž Škorjanc (who operated under the handle Iserdo) was sentenced by a Slovenian court for writing the code used to create the infamous Mariposa botnet.

The virus writer, 27, was arrested in 2010 following a two-year-long investigation by the FBI as well as Spanish and Slovenian police. He had been a student of medicine and, later, computing.

He was sentenced in late December for offences related to the creation of Rimecud, a malware starter pack that spreads by copying itself to removable storage devices, instant messaging and P2P file-sharing systems. Once infected, compromised computers became part of an information-stealing botnet which hoovered up passwords and credit card details from victims.

Škorjanc’s code was sold through underground forums to other cyber-criminals, including a trio of chancers in Spain who proved especially adept at spreading the malware. Their actions earned the whole malware outbreak a Spanish name – Mariposa being Spanish for “butterfly” – even though it spread worldwide.

The network of compromised PCs established using the Mariposa code was taken down back in 2009.

A regional court in the Slovenian city of Maribor convicted Škorjanc of malware creation and money laundering, jailing him for 58 months (four years and 10 months) in total. In addition, he was fined €3,000 and had his apartment and car, which were judged as being bought with the proceeds of crime, confiscated. Prosecutors claim that Škorjanc earned up to €114,000 from his crimes, while estimating the damage caused by Mariposa to run into tens of millions of euros.

Škorjanc’s ex-girlfriend, Nuša Čoh, also received a punishment of eight months’ probation for money laundering as part of the same prosecution.

Škorjanc plans to appeal against his conviction. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2014/01/03/mariposa_botnet_mastermind_jailed/