Tag: Security

Backdoor In Certain Lenovo Switches Discovered

Does your company utilize either RackSwitch or BladeCenter networking switches? Are those switches running ENOS (the Enterprise Network Operating System)? If so, there’s a backdoor in your network you weren’t aware of. Even worse, it’s been there since 2004.

Engineers at Lenovo recently discovered the backdoor in the firmware when they conducted an internal security audit. These products were added to the company’s portfolio via acquisition from Nortel, and Lenovo only just became aware of their existence.

A spokesman for the company had this to say: “The existence of mechanisms that bypass authentication or authorization are unacceptable to Lenovo and do not follow Lenovo product security or industry practices. Lenovo has removed this mechanism from the ENOS source code and has released updated firmware for affected products.”

Updates are available on Lenovo’s website, and links to the updates are available inside the company’s security advisory on this topic.

It should be noted that this backdoor would be relatively difficult for a would-be hacker to exploit, because it’s not a hidden account whose password could be guessed at or cracked via brute force, but rather an authentication bypass mechanism that requires a strict set of conditions to trigger. Lenovo describes the various configurations of security settings that activate the backdoor in their security advisory.

In any case, the presence of a backdoor into your network (even one that’s hard to trigger and access) isn’t something to be taken lightly. If you’re able, grab the firmware updates from Lenovo at your next opportunity and seal the breach. If that is impractical for some reason, Lenovo has spelled out a few mitigation strategies your company can apply as a stop gap, until you can get the firmware updates in place.

Kudos to Lenovo from their swift, deft handling of the issue!

Do Not Use These Chrome Extensions

Do you use any of the following Chrome browser extensions?

  • Change HTTP Request Header
  • Nyoogle – (a custom logo for Google)
  • Stickies – (a Post-It note for Chrome)
  • Lite Bookmarks

If so, you’re not alone. These four extensions have a combined user base of more than half a million.

Recently, security researchers from ICEBRG (a US cyber-security company) have discovered malicious codes embedded in copies of these on the official Chrome Web Store. The code allows hackers to manipulate the users’ browser via JavaScript.

So far, the hackers have only contented themselves with relatively tame activities like loading and displaying ads, clicking on ads, and loading malicious web pages in the background. However, the potential exists to do much more than this.

Since ICEBRG informed Google, the company has removed three of the four plugins from the Web Store. As of this moment, only Nyoogle remains, though the expectation is that it will be removed in short order as well.

While all four extensions utilize the same basic techniques, and do many of the same things, it is not clear if all four were created by the same group, although this seems likely.

Since the extensions have now been (mostly) removed, the rate of infection will slow. Of course, if you’ve already downloaded and installed one of these four, then you are going to continue to be impacted.

The extensions are easy to uninstall, and if you’re using one of them, that is the recommended course of action.

In recent months, Google has taken steps to make their auditing process more robust to prevent malicious extensions and apps from finding their way onto the web properties they manage. As this latest incident proves, no matter how careful a company is, sooner or later something is going to slip through.

Intel Chips Face Another Possible Vulnerability

Intel’s year isn’t getting off to a very good start. Just after the discovery of a pair of critical vulnerabilities that have been in their chipsets for more than a decade comes the discovery of yet another serious flaw that could impact millions of laptops around the world.

A Finnish data security firm called “F-Secure” just reported an issue with Intel’s Active Management Technology (AMT) that could allow a hacker to completely bypass the machine’s normal login procedure and take control of the target device in under a minute.

AMT is an admin-level feature that allows organizations to control and manage large numbers of PCs and workstations quickly and efficiently via remote. To take advantage of the flaw, a hacker would need physical access to the machine, which is its one saving grace. However, if they have that, they can take complete control even if a BIOS password has been set.

While other research teams have discovered AMT vulnerabilities in the past, this one deserves special attention for three reasons:

  • Once in control, the hacker could gain remote access to whatever network the machine is attached to at some later point.
  • It affects almost all intel laptops, and odds are that if you’re a business owner, there are a number of laptops with Intel chipsets connected to your network
  • It’s an incredibly easy flaw to exploit, requiring no code whatsoever.

F-Security Research Harry Sintonen had this to say about it:

“The attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures.”

It should be noted that this flaw is in no way related to the Spectre and Meltdown vulnerabilities that have been reported on earlier, giving Intel a trio of nasty problems to deal with right at the start of the new year.

Use Of Bots Has Increased Fake Account Creations

The ThreatMetrix Cybercrime Report 2017 is out, and is a troubling read for anyone who has anything to do with data security.  As a fraud prevention company protecting nearly a billion and a half users around the world, they’re uniquely positioned to know, and their insights on the threat landscape is invaluable.

Their main finding is that hackers, scammers and fraudsters are moving away from using stolen debit and credit cards, given that these things have such a short shelf life.  On the face of it, that sounds like it might be a good thing, until you understand what they’re doing instead.

They’re making use of stolen identity data to create bogus accounts, then applying for lines of credit on their own.  Even worse, they’re taking full advantage of automation to speed the process along.  According to the report, the volume of global fraud attacks is up a mind blowing 100 percent in just two years, with 700 million incidents reported in 2017 alone.

Bots are coming to play an increasingly important role in the activity of the fraudsters, too.  Once a new, fraudulent account has been created, it’s handed off to a bot to test it and make sure it’s valid, which increases its value on the Dark Web.

How big of a problem are bots on the web these days?

According to the report, ThreatMetrix blocked 1.5 billion bot attacks last year, with some retailers reporting that more than 90% of their daily traffic is comprised of bots.

At the root, what’s driving this behavior are the increasingly common, large-scale data breaches that put  up to hundreds of millions of data records into the hands of fraudsters.  Until and unless the flow of data can be stopped, we can expect this type of activity to continue to increase.

No matter how you slice it, 2018 is going to be a very interesting and very busy year.

Mac Computers Battling New Malware For Hijacking DNS

It’s official, the first macOS malware of 2018 is here. Discovered by an independent security researcher and dubbed “OSX/MaMi,” the code is functionally similar to DNSChanger malware.

The researcher posted his findings on the Malwarebytes forum and none other than Patrick Wardle (an ex-NSA hacker) analyzed it, having this to say:

“OSX/MaMi isn’t particularly advanced – but does alter infected systems in rather nasty and persistent ways. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads) or to insert cryptocurrency mining scripts into web pages.”

In addition to that, hooks were found in the software that would eventually allow it to:

  • Upload and download files
  • Execute commands
  • Generate simulated mouse events
  • Take screenshots

And more, although at present, these features are not yet active, which points to the malware as being a piece of code still very much in development.

At present, there are no anti-malware or antivirus programs capable of detecting this new strain. That, of course, will change in short order. However, for the time being, the best way to verify whether or not your machine is infected is to go through “System Preferences” and into the terminal app to check your DNS settings.

Two values you don’t want to see there are: 82.163.143.135 or 82.163.142.137.

If you’d rather not check manually, Patrick Wardle has created a free, open-source firewall for macOS called “Lulu,” which you can download from GitHub. This program was designed to block suspicious traffic and will prevent OSX/MaMi from stealing anything from your system.

As threats go, this one is relatively minor, but it’s still early in the year, and whomever is behind this piece of code will no doubt be making improvements on it. Stay tuned.

2 Million Credit Cards Stolen From Popular Sandwich Shop

By now, we’ve seen enough large-scale Point of Sale (POS) credit card thefts that patterns are beginning to emerge. Some companies follow the general arc of the narrative better than others, and deserve credit for doing so, but in the end, the story is about the same.

That’s certainly the case with Jason’s Deli. Recently, they discovered RAM-scraping malware on a number of their POS terminals. This has happened at a total of 164 of their locations, scattered across 14 states.

During the seven-month period before the malware was discovered, the company estimates that the credit card payment information of some two million customers was stolen. The data included credit and debit card numbers, expiration dates, the cardholder’s service and verification codes, and the cardholder’s name.

As is the case with most of these incidents, the company immediately contacted law enforcement and hired a third-party firm to assist with the forensic investigation, which is still ongoing.

Jason’s Deli’s handling of the aftermath of the incident has been well above average. However, the bottom line is that unless companies start paying increasing attention to data security, issues like these are going to continue to occur.

As a general rule, hackers prefer to go after the low-hanging fruit. There’s simply more money in attacking soft targets than hard ones. Your company doesn’t need bullet proof security in order to be safe from most hackers, it’s just got to be better than average. Although obviously, the better and more robust your digital security is, the safer you will be.

Unfortunately, this painfully obvious lesson seems to be falling on too many deaf ears. Until and unless that changes, we’ll continue reading about incidents like these. It’s costing business billions every year. Make sure your company isn’t next on the hackers’ hit list.

Blizzard Games Vulnerability Could Leave Gamers Open To Hacking

Do you play Blizzard online computer games such as World of Warcraft, Diablo III, Hearthstone, Starcraft II, or Overwatch?  If so, there’s a potential problem you need to be aware of.

Tavis Ormandy, a researcher on Google’s Project Zero team, recently discovered that the Blizzard Update Agent is vulnerable to hacking, via a technique known as “DNS Rebinding.”

The update agent is designed to accept commands to install, uninstall, change settings, update and  perform other maintenance related options. This means it has a lot of power and access to the system you’re playing the game on.

Unfortunately, because the update agent in use (JSON-RPC, port 1120) doesn’t include a validation step to check the identity of the server issuing commands, it’s possible for a hacker to insert himself into the middle of the process. This includes possibly injecting malicious commands and using the updater to hijack your machine.

Ormandy developed a proof of concept of the attack, and contacted Blizzard when he made the discovery.  The company was receptive for a time, but then suddenly and inexplicably ceased all communication.  Ormandy had this to say regarding the matter:

“Blizzard was replying to emails but stopped communicating on December 22nd.  Blizzard is no longer replying to any enquiries, and it looks like in version 5996, the Agent now has been silently patched with a bizarre solution. Their solution appears to be to query the client command line, get the 32-bit FNV-1a string hash of the exename and then check if it’s in a blacklist.  I proposed they whitelist Hostnames, but apparently that solution was too elegant and simple.  I’m not pleased that Blizzard pushed this patch without notifying me or consulting me on this.”

Since Ormandy went public with his findings, Blizzard has been in contact again, stating that a more robust fix is in the works, one that will adopt the strategy of whitelisting hostnames. Meanwhile, Ormandy is continuing to test the exploit on other online games with a user base of over 100 million to see if others are also vulnerable.  If you’re an online gamer, be aware that you could be leaving the door unlocked for hackers.

Windows 10 Privacy Becoming More Transparent In Next Version

All companies collect data on their customers, but some are better than others when it comes to being upfront about what kinds of data are collected.  Over the past year, Microsoft has made many moves that have been well-received by their enormous user base.  They’ve become increasingly transparent and offer an unprecedented level of control to the users themselves.

Last year, the company took its first major step, adding a pre-installation/pre-update Privacy Setting screen that allowed users to choose between two settings, Basic or Full, where global data collection was concerned.

Not long after, the company also added a Privacy section to the web dashboard of every Microsoft account, which allowed users to do things like:

  • Exporting any of the data found on the dashboard
  • Deleting specific items to allow for more individualized control
  • Viewing and managing media consumption data, along with product and service activity

The most recent addition is the release of an app called “Windows Diagnostic Data Viewer,” currently available on the Windows Store.  Right now, the app is available only to Windows Insiders, but is slated for release to the general public in April or May of this year.

As the name of the app suggests, it will not allow users to delete or manipulate any of the data collected, but it will provide an in-depth view of what data is collected. This would, at the very least, give system administrators the option to explore methods of disabling selected features in a bid to mitigate data collection.

Although the company is providing more options and becoming increasingly transparent, it has no plans to stop collecting telemetry data, insisting that it is essential in terms of making incremental product improvements and rapidly solving bug reports.  Like it or not, data collection is here to stay.

Performance Issues Plague PC’s Updated With Spectre Patch

Recently a critical flaw was found inside every Intel chip made during the last decade.  The flaw makes two different exploits possible.  These exploits have been dubbed “Meltdown” and “Spectre.”

The flaws are incredibly severe, and make it possible for a hacker to gain complete, unfettered access to the targeted PC or laptop.  Although no instances of the exploit have yet been found in the wild, now that both are commonly known, it’s only a matter of time before that happens.

Based on that, and given the severity of the flaw, Intel scrambled to release an update, but here’s the catch:  The update would hurt system performance, lowering it by as much as 23%.

In the end, it didn’t matter.  To ignore the problem was simply not an option, so the company scrambled to get a fix ready and has since released it.  Unfortunately, the fix has proved to be even more problematic than was originally estimated.  In addition to degrading machine performance, it also interferes with a variety of maintenance activities and leads to an inordinate number of system reboots.

Initially, Intel advised its customers to proceed with the download in order to protect their systems, even in light of the performance degradation.  However, as the number of complaints have grown, the company reversed course and has now advised against downloading its latest update, asking users to wait for a revision to be published.

At this point, the company has not given an ETA on when the revised firmware update will be ready, but until it is, you’re placed in an awkward position.  Waiting for the update means exposing your company to risk, should a hacker target one of the machines on your network with the exploit.  Proceeding with the current firmware update means you’ll suffer performance issues, leaving you stuck between a rock and a hard place, at least for the short term.

Electronic Health Record Company “Allscripts” Hit By Ransomware

Another day, another high-profile ransomware attack.  This time, the victim was Allscripts, an EHR (Electronic Health Record) company that hospitals, pharmacies, and ambulatory centers around the country rely on.

The company’s data was thought to be safe on the cloud, but that proved not to be the case. Disruptions of services were felt by Allscripts clients around the country.

At this point, reports are sketchy, incomplete, and in many cases, contradictory.  According to Allscripts, the attack only impacted “a limited number” of applications, and that they were working to restore them.  The company’s statement continued with, “most importantly, to ensure our clients’ data is protected.  Although our investigation is ongoing, there is currently no evidence that any data has been removed from our systems.  We regret any inconvenience caused by this temporary outage.”

According to Twitter, where many of Allscripts’ customers have been talking about the issue, the problem goes much deeper. Some clients reported an inability to access critical patient data now stretching into its third day, with predictable impacts on health care delivery.

To complicate matters further, some heath care providers preemptively disconnected from Allscripts servers in a bid to protect their own networks.  Northwell Health, based out of New York, is an example.

In any case, as of the time of the writing of this piece, most, but not all of the disrupted services seem to have been restored. You can bet, based on the contradictory information surrounding the attack, that Allscripts’ handling of the incident will be discussed for a long while to come.  This will probably filed under “how not to handle a ransomware attack.”

The company’s communication was spotty and their business continuity plan seems to have failed them.  There are lessons here for all business owners.  Take heed.