Tuesday, October 28, 2014

(CVE-2014-2718) ASUS wireless router updates vulnerable to a Man in the Middle attack

Over the past few months I have come across a couple of significant issues with ASUS wireless routers (which to their credit the company has been quick to resolve).

In mid February, I wrote that a substantial portion of ASUS wireless routers would fail to update their firmware. In fact, the "check for update" function would inform the administrator that the router was fully up-to-date, even though it was not. The timing could not have been worse, coming right on the heels of an exploit for a bug in which USB hard drives connected to the router could be accessed from the public Internet, with no login required.

In April I wrote that the same line of routers exposed the administrator username and password in clear text. Anyone who could access a PC that had logged into the router could retrieve the admin credentials. Since the admin session would never time out, this could be exploited even without the administrator having a window open on the router.

Today I am disclosing one additional vulnerability, submitted as CVE-2014-2718. The ASUS RT series of routers rely on an easily manipulated process to determine whether an update is needed and to retrieve the necessary update file. In short, the router downloads a file in clear text from http://dlcdnet.asus.com, parses it to determine the latest firmware version, then downloads (again in the clear) a binary file matching that version number from the same web site.

Monday, October 27, 2014

Tell someone you love them today

October 27. For many it's just another day on the calendar, a time when the weather has turned cooler, the nights longer, and perhaps Halloween plans are on the mind. For me it holds a special meaning: on this date nine years ago I learned just how precious life is.

Friday, October 24, 2014

Would you know if your email server were attacked?

This is a continuation of a series investigating a piece of malware.
  • Part 1 looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.
  • Part 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker's bidding.
  • Part 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.
I had thought part 3 was the end of the story, but there is now more to tell. Last week I received a relatively typical spam message containing a link to view an "invoice" for something I had supposedly purchased. The link instead downloaded a botnet agent - software that would turn my PC into a bot that an attacker could remotely control to do his bidding. Nothing unusual about that approach. The attacker then gave my bot instructions to probe 5,000 domains, looking for mail servers that could be used to relay yet more spam.

Discovering and writing about criminal mischief is great, but if that's where I stopped, I'm just one more source of noise on the Internet. I research with two purposes: to teach, and to fix. Writing this blog series was the teaching part; as for the fixing part, that is where today's story picks up.

Thursday, October 23, 2014

Where does all the spam come from?

This is part 3 in a series investigating a particular piece of malware.
  • Part 1 looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.
  • Part 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker's bidding.
  • Part 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.
Ever wondered how spam ends up in your inbox, or how spammers come up with the email addresses from which to send spam? The spammer needs a few things in order to send messages: obviously he needs a list of target email addresses to send messages to; those can be bought on the dark market at very little cost. Unless he wants to send email from his own server, though, he also needs an abusable email relay server and a spoofed source address. Why? Two reasons: not every Internet provider would turn a blind eye to a spammer sending millions of malicious emails, and he can gain far more capacity by sending mail through thousands of open relays.

From click to pwned

This is part 1 in a series investigating a particular piece of malware.
  • Part 1 looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.
  • Part 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker's bidding.
  • Part 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.

Malware writers and scammers have a number of tricks up their sleeves, all with the goal of making your computer become their computer. Some tactics involve technology, some involve sleight-of-hand (sleight-of-mouse?), some involve social engineering, and some involve a combination of factors. I received an email scam that slipped past my spam filters and that exhibited a combination of old and new tactics, so I took some time to break it apart.

If you don't want to read through the technical details, here's the short version: don't click links or open attachments in unexpected email, don't trust email from an unknown or uncertain source, and be aware that there are lots of ways to make a malicious link look legitimate. In short, don't click the link.

Wednesday, October 22, 2014

An introduction to malware forensics

This is part 2 in a series investigating a particular piece of malware.
  • Part 1 looks at how the malware is delivered. It and part 2 were originally a single post, later separated since they look at distinct phases in the attack.
  • Part 2 analyzes the bot - the agent which turns your computer into a remotely-controlled robot doing the attacker's bidding.
  • Part 3 dives into the first payload: code to test 30,000 addresses at 5,000 domains, to see if they could be used to send additional spam.

In my last post, we looked at a fairly typical spam message used to deliver malware to unsuspecting users. This message played on psychology (aka social engineering) to trick the reader: a confirmation message for an expensive purchase (in this case, about $1,600), with a link to retrieve the "invoice" (actually the malware). It used Google redirectors to avoid a suspicious-looking link to Dropbox or some random web site.

Once the reader clicks the link and allows it to download and run, their computer becomes infected with a botnet agent. In this post, I downloaded the malware into a virtual environment to do some analysis.

Tuesday, October 14, 2014

Snapchat: What every parent needs to know (and teach)

Some topics are less pleasant to write about than others, though at times far more important. It is with this in mind that I write today on a topic every parent needs to know about. In early October rumors started to surface regarding a database breach that revealed thousands of supposedly private messages and photographs sent via the social sharing app Snapchat. Over the weekend that has proved true.

Snapchat is heavily used by younger people - in fact, roughly half of all Snapchat accounts belong to children under 17 years old. The selling point behind Snapchat is that messages and photos can be seen by the intended recipient only, for a brief time only, and then disappear forever - much like old Mission: Impossible assignments ("this message will self-destruct in 10 seconds..."). As such, it has been used by many teenagers for "sexting" - sharing indecent photos of themselves, never suspecting that the photos might not actually disappear.

Friday, October 10, 2014

Another day, another breach

It seems like almost every week another business is in the news for having its payment network compromised and leaking customer information, often in the form of payment card data. Target, Home Depot, Jimmy John's, Goodwill Industries, JP Morgan Chase, Kmart/Sears, the list goes on. Today, Dairy Queen was (formally) added to the list.

I say formally, because Dairy Queen was strongly suspected to be on that list as of late August, but only now made a public statement confirming the fact. This incident hits a little closer to home because my hometown Dairy Queen is on the list of those compromised.

Tuesday, October 7, 2014

One simple move can dramatically reduce the risk of identity theft

Identity theft is a common fear, one that is reinforced with each new headline. 40 million credit cards stolen from Target! Home Depot leaks 56 million payment cards! Hackers steal info on 145 million eBay customers! Giant data breach affects 152 million Adobe accounts! It seems each new breach is more "epic" than the last. A data visualizer known as "Information is Beautiful" has a frightening but fantastic visualization.

Most of these incidents involve theft of credit and debit card information - a form of identity theft that is damaging but generally not terribly difficult to unravel. Consumer protection laws generally limit one's liability, and many banks promise zero liability for fraudulent charges. Using credit cards instead of debit cards further separates the fraudulent activity from your actual cash.

Wednesday, October 1, 2014

The high price of free wifi: your eldest child?

In keeping with National Cyber Security Awareness Month, I'll be updating a number of articles written over the last 4 years. In January of 2011 I entered the blogosphere with a story about Firesheep, a Firefox plugin that made wireless eavesdropping scarily simple.

Most of us know by now to look for the little "padlock" icon in the browser status bar before logging in to a web site, or the "https://" at the beginning of the URL - we want to be sure our password is protected, right? And most sites now use an SSL (secured) connection for the login page - your password is in fact protected (massive Internet-wide vulnerabilities notwithstanding). But once you log in, many sites used to switch back to a non-secured connection. The problem with that approach: how does the web site know who you are after you have logged in? It is often done with cookies - little bits of data stored on your computer and automatically sent to the site that created them every time you load or reload a page from that site. The cookies (usually) do not contain your password, but they do identify you to the site. So, if you log into Facebook, then click a link to reload the page, your computer sends your cookie to Facebook, and the site says "hey, I remember who you are, I saw you just a minute ago; you are already logged in, so here you go!" (OK, not literally, but you get the point).