Archive for the 'Computer Security' Category

Remote Kill Switches are a Bad Idea

Thursday, May 29th, 2014

Recently I’ve been hearing about government support for remote kill switches, say in automobiles for law enforcement use, or in cell phones for when they’re stolen. And my first thought is always that some hacker is going to find a way to trigger the switch and cause all kinds of problems.

Apparently the hackers had the same thought. The linked article covers a situation where stolen iCloud credentials were used to lock out iPhones via the “Find My iPhone” anti-theft feature.

Link: http://time.com/…
(via Kim Komando)

Test Your Website for the Heartbleed Vulnerability

Wednesday, May 7th, 2014

Astute Chad’s News readers will have already heard about the Heartbleed vulnerability, but it’s something we all need to be aware of. Fortunately, xkcd has the best explanation I’ve seen to date. If you manage or own a website that uses SSL certificates for secure HTTPS connections, the linked page will check to see if your site is vulnerable.

You can also use it to verify websites that you visit, to make sure they aren’t open to Heartbleed attacks. Major sites have already patched their systems and installed new SSL certificates, so I’m thinking the real concern is the smaller e-commerce sites. (Note: If you use this tool to verify a site, do it before you open the site in your browser.)

Link: http://safeweb.norton.com/…
(via Kim Komando)

Tor Anonymity Can Be Compromised, Given Time and Resources

Tuesday, May 6th, 2014

Here at Chad’s News, we’ve previously mentioned Tor, a network used for anonymous communication on the internet. Volunteers host Tor servers, and a user’s internet traffic is routed through those servers, thus disguising the actual location of the sender. (NOTE: Never, ever, ever host a Tor server on a computer that you wouldn’t want confiscated by law enforcement.) Tor has been touted as a great method for political dissidents, whistle-blowers, and others to confidentially send information via the internet without being identified. Of course, it’s also used for illegal traffic.

The linked article discusses a paper [PDF] (Users Get Routed: Traffic Correlation on Tor by Realistic Adversaries, lead author Aaron Johnson of the US Naval Research Laboratory) that comes to some startling conclusions about Tor anonymity. If someone uses Tor regularly, an adversary with significant resources (e.g., a government) has a high chance (80% to 95%) of successfully tracing that user over a period of 3 to 6 months.

Link: http://www.theregister.co.uk/…
(via Kim Komando)

PIN/Password Analysis Shows That We’re Predictable

Tuesday, August 6th, 2013

The author of the linked article accumulated a database of hacked PINs and numeric passwords, then analyzed it to see what patterns emerged. Here are some of the highlights:

  • 20% of all PINs use just five different numbers: 1234, 1111, 0000, 1212, and 7777.
  • The fourth most popular seven-digit password is 8675309. (Wait for it…)
  • Using a year in the form 19XX is a bad idea.
  • The least used PIN is 8068.
  • Including 007, 420, and 69 may seem like a neat idea, but they turn out to be quite common.
  • Numbers made from drawing lines or patterns on the keypad are also popular.
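
The patterns in this list can be turned into a PIN policy check that rejects predictable choices at enrollment. The following is an added example, not code from the linked article; the keypad layout and the "keypad walk" rule (each digit is a neighbouring key of the previous one) are assumptions used to approximate "lines or patterns on the keypad".

```python
# Added example: PIN policy check built from the patterns listed above.
import re

# Values quoted in the post.
MOST_COMMON = {"1234", "1111", "0000", "1212", "7777", "8675309"}
POPULAR_SUBSTRINGS = ("007", "420", "69")

# Phone-style keypad layout as (row, column); assumed, not given in the post.
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
          "0": (3, 1)}


def is_keypad_walk(pin: str) -> bool:
    """True if every digit is a neighbouring key of the previous one
    (horizontal, vertical or diagonal), i.e. the PIN traces a path."""
    if len(pin) < 2:
        return False
    for a, b in zip(pin, pin[1:]):
        (r1, c1), (r2, c2) = KEYPAD[a], KEYPAD[b]
        if max(abs(r1 - r2), abs(c1 - c2)) != 1:
            return False
    return True


def pin_weaknesses(pin: str) -> list[str]:
    """Return the reasons a numeric PIN is predictable; empty list if none."""
    if not re.fullmatch(r"[0-9]+", pin):
        raise ValueError("PIN must contain digits only")
    reasons = []
    if pin in MOST_COMMON:
        reasons.append("most-common")
    if re.fullmatch(r"19[0-9]{2}", pin):
        reasons.append("year-19XX")
    for s in POPULAR_SUBSTRINGS:
        if s in pin:
            reasons.append(f"contains-{s}")
    if is_keypad_walk(pin):
        reasons.append("keypad-walk")
    return reasons


if __name__ == "__main__":
    # Constructed sample PINs, one per rule, plus the least-used PIN from the post.
    for candidate in ("1234", "1985", "2580", "4207", "8068"):
        print(candidate, pin_weaknesses(candidate) or "no listed pattern")
```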

Link: http://www.datagenetics.com/…
(via Kim Komando)

An Astounding Number of Vulnerable Internet Devices

Saturday, April 6th, 2013

A computer researcher wanted to map all 3.6 billion of the Internet’s usable IPv4 addresses, to see which ones are actually being used and to determine where the devices are physically located. This would be quite a task for a single computer, so he created a botnet with 420,000 zombie devices to do the task for him. What I find most interesting, however, is how he managed to compromise those devices. He simply tried to connect to each one with the following four username/password combinations:

  • admin/admin
  • root/root
  • admin/(blank)
  • root/(blank)

No kidding. That’s all it took.

For the more technically minded, the paper says that “the vast majority of all unprotected devices are consumer routers or set-top boxes.” So just for kicks, I telneted to my router and found that the admin/admin combination worked. Fortunately it’s configured such that remote telnet is disabled—so I was not part of this experiment. The paper goes on to say that the 420,000 number is for the devices they turned into zombies, and that the actual number of vulnerable machines is about four times that many.

Link #1: http://www.techrepublic.com/…

Link #2 (research paper): http://internetcensus2012.bitbucket.org/…

Hackers Take Over Emergency Alert System and Warn of Zombie Attack

Monday, February 18th, 2013

The United States recently replaced its old telephone-based Emergency Alert System with a web-based one. And of course this opened the system to hackers, who broke in and broadcast an alert about zombies rising from the grave (“Local authorities in your area have reported the bodies of the dead are rising from their graves and attacking the living.”). Various television and radio stations in California, Michigan, Montana, and New Mexico actually broadcast the alert. It appears the main problem was that those stations didn’t change the default password for the new system. Oops.

Link: http://www.thespec.com/…
(via Bureau 42)

Computer Security Terms Explained

Thursday, February 14th, 2013

Ever wondered about the difference between a virus, a trojan, and a worm? And just what is a drive-by download? And if my computer is a zombie, will it try to eat my brain? Kim Komando uses everyday language to explain these terms and more, in the linked article.

Link: http://www.komando.com/…

Security Alert: Disable Universal Plug and Play Now

Saturday, February 2nd, 2013

There are multiple security issues with Universal Plug and Play (UPnP) implementations, some of which have been known for years. (For those who aren’t familiar with UPnP, it’s a protocol that makes it easier to set up network devices. For example, it allows a PC to seamlessly connect with a new network printer.) Security researchers at Rapid7 performed tests to determine just how many Internet-connected systems were vulnerable, and the results were staggering—they found 81 million unique IP addresses that had at least one of the vulnerabilities, which comes out to about 40-50 million devices.

The vulnerabilities allow hackers to either crash the device or run arbitrary code. At first this may not seem like a big issue—I mean, who really cares if someone manages to hack your network scanner? But then if you think about it, what if they make copies of everything you scan and send them to a central server in Russia? Or what if your printer is hacked and they start printing spam? Or if they just decide to see how many devices they can bring down across the world?

You may be wondering, what does this mean for people like you and me? Most home users can safely ignore UPnP vulnerabilities on every network device except the Internet router/modem, provided the router’s firewall is enabled. But you will need to lock down the router. I was able to access my Actiontec router and quickly disable UPnP in the advanced settings. If you don’t know how to do this, I suggest contacting your ISP for help, or, if you purchased the router from a store, contact the manufacturer.

This web page will test your router and determine if it’s vulnerable. There’s also a free Windows program, ScanNow, that will check your local network to see which devices are affected. If you find one, the best thing to do is check the manufacturer’s website for firmware updates, although this may not fix the problem.

The linked white paper has technical details, as well as links to documents that list every vulnerable device. (These links are on the last page.)

Link #1: http://arstechnica.com/…

Link #2 (white paper): https://community.rapid7.com/…

Major Java 7 Vulnerability in the Wild – Update Now

Saturday, January 19th, 2013

A little over a week ago, word spread on the Internet that a previously unknown security flaw in the Java browser plugin was being “massively exploited in the wild”. The bug allows an attacker to execute arbitrary commands on a vulnerable system. It exists in all versions of Java 7 through update 10, which was the latest release as of a week ago. Based on the widespread use of Java (installed on more than 1 billion PCs) many organizations, including the US government, recommended disabling Java in the browser, or uninstalling Java completely.

The real problem was not that a flaw was found, but that it was already in the wild and had infected a significant number of machines.

Oracle released an emergency patch within three days of the announcement: Java 7 Update 11. If you’ve not already done so, you should update your Java software—this can be done via the Java Control Panel, or via www.java.com. Developers who use the JDK can go to the Java download page to get the latest version. If you don’t know which version(s) of Java you have installed, this page will tell you.

Note that even with the update from Oracle, US-CERT still recommends disabling Java in browsers, to “defend against … future Java vulnerabilities.” Apparently optimism is not in their vocabulary.

Link #1 (announcement of flaw): http://arstechnica.com/…

Link #2 (announcement of update): http://arstechnica.com/…

Link #3 (govt advisory): http://www.us-cert.gov/…

Link #4 (oracle advisory): http://www.oracle.com/…

Beware of Malicious QR Codes

Saturday, January 5th, 2013

QR codes are those black and white squares that you can scan with your smartphone to go directly to an associated website. They’ve become popular enough to attract the attention of spammers and malicious hackers, who are including codes in spam emails. They’re also placing QR code stickers in areas with a high amount of foot traffic (think airports and tourist sites) in the hopes that people will scan them. And even worse, they’re putting the stickers on top of regular QR codes—so it seems legitimate, but you end up going to a malicious website. According to the linked article, the only safeguard is to “download and install a QR reader that checks the website’s reputation, and then offers them the option of taking them there or not.”

Link: http://www.net-security.org/…
(via Slashdot)

Another Step Toward the End of the Password

Friday, December 28th, 2012

Using custom software and a computer cluster of 25 graphics cards, password-cracking expert Jeremi Gosney has created a system capable of guessing 350 billion Windows passwords per second. From the article, it takes 5½ hours to “brute force every possible eight-character [Windows] password containing upper- and lower-case letters, digits, and symbols.” This development reinforces the message of this xkcd comic, that long passwords are much harder to crack than shorter but more complicated ones. Note also that an easy way to create long but memorable passwords is to use a passphrase.
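
The arithmetic behind the 5½-hour figure, and what it implies for password length, can be checked directly. This is an added example, not code from the article; it assumes a 95-character printable-ASCII alphabet for "letters, digits, and symbols" and, for passphrases, words drawn at random from a 7,776-word Diceware-style list.

```python
# Added example: exhaustive-search time at the guessing rate quoted above.
GUESSES_PER_SECOND = 350e9            # rate quoted in the post
PRINTABLE_ASCII = 95                  # assumption: upper, lower, digits, symbols, space
LOWERCASE = 26
DICEWARE_WORDS = 7776                 # assumption: passphrase words from a 6^5-word list
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def exhaustive_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Seconds needed to try every secret made of exactly `length` symbols.

    This is an upper bound for randomly generated secrets; attackers try
    likely passwords first, so human-chosen ones usually fall much sooner.
    """
    return alphabet_size ** length / rate


def min_length(alphabet_size, years, rate=GUESSES_PER_SECOND):
    """Shortest length whose full keyspace takes at least `years` to search."""
    target = years * SECONDS_PER_YEAR
    length = 1
    while exhaustive_seconds(alphabet_size, length, rate) < target:
        length += 1
    return length


def report(years=100):
    """Summarise the 8-character case and the lengths that resist `years`."""
    return {
        "hours_for_8_printable": exhaustive_seconds(PRINTABLE_ASCII, 8) / 3600,
        "printable_chars_needed": min_length(PRINTABLE_ASCII, years),
        "lowercase_chars_needed": min_length(LOWERCASE, years),
        "passphrase_words_needed": min_length(DICEWARE_WORDS, years),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value:.2f}" if isinstance(value, float) else f"{name}: {value}")
```

At this rate a four-word random passphrase falls in about three hours, so the advantage of a passphrase comes from using enough words, not from the format itself.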

Link: http://arstechnica.com/…

Why Hosting a Tor Server is a Bad Idea

Tuesday, December 25th, 2012

Tor is a computer network that allows people to transmit information anonymously. It is free for anyone to use. The network comprises a large number of servers (called relays) hosted by volunteers. The benefits seem to be good at first glance. Tor allows dissidents in politically oppressive regimes to anonymously get information out to the world at large. Companies and governments can use it to transmit sensitive communications. Journalists can safely connect with whistleblowers. Or it can be used by people who simply value their privacy. Anyone can configure the Tor software to make their computer into a Tor network relay. It’s quite easy for people like you and me to help promote these good causes.

The problem, however, is that criminals also use Tor—including terrorists and child pornographers. And if you’re hosting a Tor server/relay that transferred illegal material, the police can and will come after you. The linked articles give two such cases.

Link #1: http://arstechnica.com/…

Link #2: http://arstechnica.com/…