Hackers targeting your home LAN router / firewall
[Feb. 16th, 2007|10:45 pm]
This applies to any platform that runs Java, be it Mac, PC Windows or PC Linux. It also applies to any browser that supports JavaScript, including all versions of IE, Firefox and Safari.
If you own or buy a Linksys, DLink or Netgear wired or wireless router/firewall box to allow you to share your broadband throughout your household, make sure you change the administrator password on that unit from the factory default. It doesn't matter if your router does not accept administrative connections from the outside - this attack comes from the inside of your network. (Most routers now ship with external admin access turned off, although you can turn it on if you need to get to your router remotely . . . but again, make sure you set a STRONG admin password if you turn that option on for any reason.)
A new exploit uses JavaScript and can access the router's settings from inside your network when you allow that script to run on your computer. The malicious code can be embedded within JavaScript that you might otherwise trust, like - for example - a game applet. Simply surfing a compromised site and allowing Java to run in your browser is enough to get hacked. It may not trigger your browser's security settings, since it never attempts to access or change local files on your computer.
In the background, out of your sight, the script looks up your network's internal gateway address. It then attempts to log on to your router's admin panel using that IP. It can guess the password from one of about five typical login combinations that are widely used by almost all home router manufacturers as their factory setting. It takes advantage of the fact that many owners never change that password.
Once it has control, it changes the DNS settings on your router to point at a hacker's "poisoned" DNS server. The idea is that when you browse to your bank (for example) using the correct URL or bookmark, the router consults the compromised DNS server and sends you off to a phishing site that could look exactly like your bank's login site. From there they capture your user ID, password, and of course your bank account.
Simply logging into your router's panel and changing the Admin password to your own unique password will stop this attack.
( Here's how: )
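One way to notice the DNS rewrite described above from a PC on the LAN, without knowing anything about the router model, is to compare what the router-supplied resolver returns for a handful of sensitive domains against a resolver you trust. This is an added example, not code from the original post; the domains and addresses are constructed sample data, and the reference lookup is injected as a function so the check runs offline.

```python
"""Cross-check answers from the LAN resolver against a trusted reference resolver.

A router whose upstream DNS has been swapped for an attacker's server returns
different addresses for the domains the attacker cares about (banks, webmail)
while leaving everything else alone. Disjoint answer sets for the same name
are the signal; overlapping sets are tolerated because CDNs and round-robin
pools legitimately hand different clients different subsets of addresses.
"""
import socket
from typing import Callable, Dict, Iterable, Set, Tuple

Resolver = Callable[[str], Set[str]]

# Constructed sample data (hypothetical names and documentation-range addresses).
SAMPLE_LOCAL: Dict[str, Set[str]] = {
    "bank.example": {"203.0.113.7"},                  # rewritten by a poisoned resolver
    "news.example": {"198.51.100.10", "198.51.100.11"},
    "cdn.example": {"198.51.100.21"},                 # one member of a legitimate pool
}
SAMPLE_REFERENCE: Dict[str, Set[str]] = {
    "bank.example": {"192.0.2.44"},
    "news.example": {"198.51.100.10", "198.51.100.11"},
    "cdn.example": {"198.51.100.20", "198.51.100.21"},
}


def system_resolver(name: str) -> Set[str]:
    """Resolve through the host's configured resolver, i.e. whatever the router hands out."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def find_mismatches(domains: Iterable[str], local: Resolver,
                    reference: Resolver) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {domain: (local answers, reference answers)} for every domain whose
    two answer sets share no address. Lookup failures on either side are skipped:
    an empty answer is not evidence of rewriting."""
    suspect = {}
    for name in domains:
        a, b = local(name), reference(name)
        if a and b and a.isdisjoint(b):
            suspect[name] = (a, b)
    return suspect


if __name__ == "__main__":
    # Offline demo using the constructed data; for a live run pass system_resolver
    # as `local` and a function that queries a resolver outside the LAN as `reference`.
    hits = find_mismatches(SAMPLE_LOCAL, lambda d: SAMPLE_LOCAL.get(d, set()),
                           lambda d: SAMPLE_REFERENCE.get(d, set()))
    for name, (seen, expected) in hits.items():
        print(f"WARNING {name}: LAN resolver says {sorted(seen)}, reference says {sorted(expected)}")
```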
Craplets: a new term is coined
[Jan. 14th, 2007|11:14 pm]
Craplets! What a great word to describe a very dirty side of the PC retail industry.
'"We call them craplets," the official said. The term is a contraction of the words "crap" and "applet." An applet is a small computer program or application.'
For years now I have been removing these things from customers' computers, generally right after we purchased them for company use.
Recently Dell has begun allowing customers to "opt-out" of craplets on certain high end computers, including some of their ultra high performance gaming rigs, and their medium-to-enterprise class business laptops and professional grade workstations. They've also managed to resist the temptation to add these nasties to their business server lines.
But . . . if you shop the "Home User / Home Office" section of Dell, don't expect to see those options.
The infuriating part is that you have to pay Dell extra to not install their extra crap. Actual cost if you opt out of all the craplets available is between 8 and 24 bucks, at $2 per applet. (A recent ARS blog states that the Dell CEO liked the idea of $60, but I note that he did not mention that the option is already there for less on select systems.) You get a clean system on delivery for your spare change, instead of a unit that likely as not already has spyware or adware on it - new out of the box!
Last year I discovered an automated craplet removal script called the PC Decrapifier that is being maintained/updated on a regular basis. Better, since I generally shop Dell these days, it's specifically targeted at new Dell computers. It's free for personal use, and so far my results have been stellar. Your mileage may vary, yadda yadda etc.
They state it will work on most other new OEM systems, although I cannot personally verify that yet . . .
Wi-Fi update for Windows XP SP2
[Oct. 19th, 2006|05:07 am]
Remember that Wi-Fi hack demo at the Blackhat conference a couple of months ago?
Quietly tonight, Microsoft released a really major update to help prevent that hack method. What's unusual about this release is that it includes new features, something normally reserved for add-on modules or service packs.
It's really part of a feature update to bring Windows XP into parity with domain policy features for the upcoming Windows Server 2003 Service Pack 2 . . . but it's much more than that, and in my opinion, an important update to install. I rather hope that Microsoft places this on their update site, but for now, you have to go to the KB article on the topic to get the patch.
VML Vulnerability, workarounds and a test
[Sep. 22nd, 2006|11:32 am]
Many of you may have heard about a new Zero Day Vulnerability that is being exploited on a large scale around the Internet. Fully patched users of Windows 2000 SP4, Windows XP SP1 and SP2 and both versions of Windows 2003 are exposed to the VML flaw. Infections are rising rapidly - you are at risk if you surf the web.
Yesterday I even found a "trusted" page that was serving ad banners that infected victims' computers by this method. (No link will be provided.)
Microsoft has announced they intend to provide a patch on October 10th, with a slight chance they may release it earlier - but no promises.
VML is not used widely on the Internet yet, with the notable exception of a very few graphically advanced web sites, the bad guys and Google Maps. Regarding Google, if you disable VML it will revert to normal graphic overlays if you bring up a map, so disabling VML will not block your use of their map service.
There are a few workarounds listed on Microsoft's security bulletin. The one I recommend from their bulletin seems to cover all the vectors perfectly. It involves unregistering the VML shared library. To deploy this workaround, click Start, select the Run box, and copy the following into the Open field and click OK. You should see a message appear that says the unregister succeeded.
regsvr32 -u "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
Using this workaround will cause sites that depend solely on VML to fail. Later, when the patch from Microsoft is released, you can reverse the workaround (do it before you apply the upcoming patch) by typing the following similar command into the same Run window (note the absence of the "-u" in the string):
regsvr32 "%ProgramFiles%\Common Files\Microsoft Shared\VGX\vgx.dll"
Other workarounds involve disabling JavaScript and ActiveX scripting, but doing that really messes up your web experience for many sites, much more so than simply disabling VML.
And finally there is an excellent third party patch available from ZERT that leaves VML functional but closes the vulnerability. On that same page is a link that tests your browser to see if it's vulnerable or not. Use at your own risk, as Microsoft does not endorse and does not recommend its use. In spite of that, I am now using this 3rd party patch and so far I highly recommend it for home and small office users. Don't unregister the VML DLL as described above if you decide to use this patch. Also, you should roll back this fix (method provided with the patch download) before applying Microsoft's official critical update for the issue - when it's finally released.
Critical Wi-Fi driver flaws expose laptops to infection
[Aug. 3rd, 2006|11:16 am]
You arrive at your favorite coffee shop, turn on your laptop and order your coffee. You have not yet connected to the public Wi-Fi hotspot sponsored by the shop.
Suddenly the performance on your laptop drops inexplicably. When you initialize the connection to the Internet, aggressive popups begin appearing almost immediately. Or, unnoticed by you, your files are being uploaded somewhere . . . and your keystrokes are being logged as you access your bank statement - even though you use a secure SSL or VPN connection over Wi-Fi.
You've just been infected by a rootkit with a nasty trojan virus piggybacked onto the payload. And it happened right after you powered up but before you connected to the Internet. How is this possible?
This scenario is about to come true.
A pair of hackers at the Black Hat conference in Las Vegas demonstrated just such an attack this week, highlighting newly discovered exploits in the drivers for popular Wi-Fi adapters. While their demo was conducted on a Mac PowerBook, they say that any PC with vulnerable Wi-Fi drivers is exposed to this risk. As of this writing, no fixes have been released by any of the major Wi-Fi device companies. The exploit is not yet in the wild - but it's a matter of time. Now that the possibility of this attack is known, we are sure to see it in real life very soon.
More information at Security IT Hub.
I will be watching this closely.
Social networking sites have (gasp!) open XSS vulnerabilities
[Aug. 2nd, 2006|08:05 am]
Researchers at a well known anti-malware company checked out a few popular social networking sites to see how vulnerable they were. In 30 minutes they discovered more than half a dozen server side "worm-able" Cross Site Scripting (XSS) vulnerabilities.
What can end users do?
1) Patch your operating systems! Windows users should be aware that Microsoft generally releases critical updates on the second Tuesday of the month. Setting your automatic updates to check once per week (the longest period you can select in the UI) is a great idea. I recommend selecting Wednesday early in the morning - before your work day starts. Leave your machine on Tuesday night . . .
2) Subscribe to good anti-virus protection.
3) Subscribe to Malware/Spyware/Adware protection.
AntiVirus products that tested well in recent reviews:
- eTrust 8.1 Corporate (Not the home or personal version.)
- Kaspersky
- NOD32
- F-Secure
Some not so good choices:
- Symantec AV (over 30% tested infection rate with current signatures)
- McAfee AV (over 33% infection rate, plus exploitable holes in their update service)
While the two above hold the largest market share, they offer abysmal protection. They are also system resource pigs. I tell friends who ask me which engine to choose that these two products will turn a perfectly good Pentium IV machine into a PII . . .
Malware Real Time Protection - Best products in order of effectiveness
- Sunbelt Software's CounterSpy (cousin of Windows AntiSpyware Beta 1 and distant relative of Microsoft Defender Beta - but much better!)
- Spysweeper
Malware scanners
- Spybot Search & Destroy
- Ad-Aware Personal