Wednesday, April 30, 2014

The SoHo router backdoor that was “fixed” by hiding it behind another backdoor

Over 170,000 people are part of the Sophos community on Facebook. Why not join us on Facebook to find out about the latest security threats.

Hi fellow Twitter user! Follow our team of security experts on Twitter for the latest news about internet security threats.

Already using Google+? Find us on Google+ for the latest security news.

Over the Christmas break at the end of 2013, French hacker Eloi Vanderbeken decided to see if he could break into his own Netgear router.

He wanted to tweak some of the performance settings, but realised he'd forgotten the password, and hacking his way in seemed more fun than doing a hardware reset and starting from scratch.

Long story short, Vanderbeken found his way in.

Turns out there was a service listening on port 32764 (mercifully only on the internal interface by default, not on the internet side!) that could be instructed, without authentication, to dump the router's configuration.

Including the admin username and password.

All he had to do was to send the text ScMM (short for SerComm, the original equipment manufacturer), followed by a command number (1 to dump the configuration), followed by the number zero (meaning "I have no further data to send").

Even if a backdoor like this is only accessible to users who are already on your network, it's still a giant security hole.

It means, for example, that any duplicitous guests to whom you grant internet access can surreptitiously get into your router and mess with the settings, including opening up the backdoor on the internet interface so they can get back in later.

The vendor therefore came out with a patch, closing the listening port and with it the backdoor.

That got Mr Vanderbeken thinking, "How serious was the patch?"

After all, if the original purpose of the backdoor was to make it easier for the vendor's own management software to interact with the router, a patch that closed the backdoor altogether would necessitate wholesale changes to the management software, too.

Another long story short, Vanderbeken found that the backdoor was still there [PDF], just turned off by default.

He discovered that you could re-enable it by sending the router a so-called "magic ethernet packet."

If you've ever used a feature called Wake-on-LAN, you've used a "magic packet": it's an ethernet frame that acts as a signal, rather than carrying data, telling a network card to power up the computer in which it's installed. Wake-on-LAN can be very handy. You can leave your computers turned off at night to save power, and rely on the network card alone to let you activate the computer remotely if required, for example to install security updates.

Greatly simplified, Ethernet frames start with the six-byte MAC address (network card ID) of the destination device; the six-byte MAC address of the source device; and a two-byte EtherType identifier.

Example EtherTypes are 0800 for an IPv4 packet, 86DD for an IPv6 packet, 0806 for ARP (address resolution protocol), and 0842 for Wake-on-LAN.

Sercomm routers, or at least Vanderbeken's Sercomm router, also look out for 8888 "magic packets", which act as another backdoor.

Vanderbeken found that if he sent his router an 8888-type packet containing the number 0x0201 (effectively a command identifier) and the MD5 checksum of the string DGN1000, corresponding to his router's model number, then...

...the original backdoor listening on port 32764 was reactivated!

Just in case you don't know if there are any vulnerable routers on the current LAN segment, Vanderbeken also found that sending a broadcast 8888 packet with command number 0x0200 would provoke the router to reply, allowing a would-be attacker on a LAN to find out automatically if there are any exploitable routers in range.
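As an added example (not code from the article or from Vanderbeken's research), here is a small Python frame classifier in the style of an intrusion-detection rule: it parses the Ethernet header described above, lets IPv4, ARP and Wake-on-LAN frames pass, and raises an alert on any 0x8888 frame, decoding the command word to tell the broadcast probe apart from the enable command. The sample capture is constructed, the MAC addresses are made up, the command word is assumed to be big-endian, and the digest bytes are placeholders rather than a real checksum.

```python
import struct

# EtherTypes named in the article (Ethernet II, big-endian on the wire)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_WOL = 0x0842      # Wake-on-LAN magic packet
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_SERCOMM = 0x8888  # Sercomm "magic packet" that re-arms the port-32764 service

# Command words the article reports inside 0x8888 frames.
# Assumption: the word is read in network byte order (big-endian).
SERCOMM_PROBE = 0x0200   # broadcast probe; vulnerable routers answer
SERCOMM_ENABLE = 0x0201  # re-enables the port-32764 backdoor service

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def parse_ethernet_frame(frame: bytes) -> dict:
    """Split a raw Ethernet II frame into destination MAC, source MAC,
    EtherType and payload, following the layout described in the article."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "ethertype": ethertype, "payload": frame[14:]}


def classify_frame(frame: bytes) -> dict:
    """Return an IDS-style verdict. Every 0x8888 frame is flagged, because
    nothing legitimate on a SoHo LAN should speak that EtherType; the
    command word only refines the alert name."""
    hdr = parse_ethernet_frame(frame)
    verdict = {"src": hdr["src"], "dst": hdr["dst"],
               "ethertype": hdr["ethertype"], "alert": None, "command": None}
    if hdr["ethertype"] != ETHERTYPE_SERCOMM:
        return verdict
    payload = hdr["payload"]
    if len(payload) >= 2:
        verdict["command"] = struct.unpack("!H", payload[:2])[0]
    if verdict["command"] == SERCOMM_ENABLE:
        verdict["alert"] = "sercomm-backdoor-enable"
    elif verdict["command"] == SERCOMM_PROBE and hdr["dst"] == BROADCAST_MAC:
        verdict["alert"] = "sercomm-backdoor-probe"
    else:
        verdict["alert"] = "sercomm-ethertype-unknown-command"
    return verdict


def scan_frames(frames) -> list:
    """Run the classifier over a capture and keep only the alerts."""
    return [v for v in (classify_frame(f) for f in frames) if v["alert"]]


# --- constructed sample capture (not real traffic) ----------------------
def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


LAPTOP = bytes.fromhex("001122334455")   # constructed MAC
ROUTER = bytes.fromhex("66778899aabb")   # constructed MAC
BCAST = b"\xff" * 6

SAMPLE_FRAMES = [
    # ordinary IPv4 traffic to the router
    build_frame(ROUTER, LAPTOP, ETHERTYPE_IPV4, b"\x45\x00" + b"\x00" * 18),
    # an ARP request
    build_frame(BCAST, LAPTOP, ETHERTYPE_ARP,
                b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20),
    # a genuine Wake-on-LAN magic packet: 6 x 0xff then the target MAC 16 times
    build_frame(BCAST, LAPTOP, ETHERTYPE_WOL, b"\xff" * 6 + ROUTER * 16),
    # broadcast 0x8888 probe, command 0x0200
    build_frame(BCAST, LAPTOP, ETHERTYPE_SERCOMM, struct.pack("!H", SERCOMM_PROBE)),
    # unicast 0x8888 enable, command 0x0201 followed by 16 placeholder bytes
    # standing in for the MD5 digest the article describes (not a real digest)
    build_frame(ROUTER, LAPTOP, ETHERTYPE_SERCOMM,
                struct.pack("!H", SERCOMM_ENABLE) + b"\x00" * 16),
]

if __name__ == "__main__":
    for alert in scan_frames(SAMPLE_FRAMES):
        print(f"{alert['alert']}: {alert['src']} -> {alert['dst']} "
              f"command=0x{alert['command']:04x}")
```

Hooked to a raw socket or a pcap reader instead of SAMPLE_FRAMES, the same classifier would flag the probe and enable frames on a live segment while leaving Wake-on-LAN traffic alone.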

Short of decompiling your router's firmware, like Vanderbeken did, it's hard to tell whether your vendor has left behind a security hole of this sort.

Even if you think your router has this very same "magic packet" hole, you can never be sure exactly what model identifier string is used in the firmware to generate the MD5 checksum used to validate the magic packets.

So we'll simply repeat the advice we gave last time.

If you're technically inclined, or have a friend or family member who is and can help you, you might want to see if your router can run an open source firmware such as OpenWRT or DD-WRT.

Those are Linux-based firmware builds for low-end routers that are much more modular than most of the firmware downloads from router vendors, meaning that you can leave out the bits you don't need.

They also receive regular security patches, thanks to the care and attention of the developer communities that have sprung up around them.

And if you are ready to go a bit more high-end than a SoHo router, you might want to grab a copy of Sophos's award-winning UTM product, which you can run entirely for free at home.


Image of open doors courtesy of Shutterstock.


Tuesday, April 29, 2014

Here we go again: Viber mobile messenger app leaves user data unencrypted

Viber, a mobile messenger app that allows users to make phone calls and send text messages and images for free, also gives up plenty of free user data to anyone who wants to listen.

According to researchers from the University of New Haven (UNH) in Connecticut, US, Viber's app sends user messages in unencrypted form - including photos, videos, doodles, and location images.

All of that rich data from users is also stored unencrypted on Viber's servers, rather than being deleted immediately, and is accessible without credentials, just a link, the UNH researchers said.

It's the second cryptographic blunder exposed by UNH researchers in as many weeks - the UNH Cyber Forensics Research & Education Group disclosed on 13 April 2014 that the WhatsApp messenger app also gives away user location data in unencrypted form.

Using a Windows PC as a Wi-Fi access point, the UNH team was able to capture data sent by an Android smartphone with regular traffic sniffing tools, the same approach taken by UNH in their experiments with WhatsApp.

In a video posted on the UNH website and YouTube, the researchers demonstrated capturing messages sent between two test Android phones.

Data can be intercepted by poisoned access points, by malicious users on the same Wi-Fi network, or elsewhere in the network between you and Viber.

In the video, one of the researchers said the unencrypted messages can also be retrieved from Viber's servers by anyone who knows the message URL:

The data is stored on Viber's server in an unencrypted manner. There is also no authentication method used, so anybody who has access to these links can look at this data, retrieve this data, and do whatever they want with it.

The researchers, Dr Ibrahim Baggili and Jason Moore, said in a blog post that they reported the security flaw directly to Viber before publishing their results but did "not receive a response from them."

In a statement to CNET, Viber said it would be releasing a fix soon for Android and iOS, and said the issue has been "resolved."

This issue has already been resolved. It is currently in QA and the fix will be released for Android and submitted to Apple on Monday. As of today we aren't aware of a single user who has been affected by this.

The fact is that a modern online messaging app shouldn't really be "fixing" this sort of blunder - encryption should have been baked in from the start.

And for all that Viber may have "fixed" its apps to exchange data securely now, it hasn't said anything about addressing the insecurities that UNH found in Viber's cloud, where your messages are stored.

The company also lists only Android and iOS as getting updates, leaving users of its numerous other supported platforms in the dark.

That includes users of Viber on the desktop, via Samsung's Bada ecosystem, on Microsoft's various mobile operating systems, and on Blackberry and Nokia phones.

With all of this in mind, Viber's claim that "we aren't aware of a single user who has been affected by this" rings very hollow.

After all, the company didn't bother to apologize for not spotting these problems in its own QA – and putting its customers at needless risk.

As is becoming all too common with the new breed of mobile messenger apps - including the Facebook-owned WhatsApp and the photo and video-sharing app Snapchat - security and privacy of user data seems to be an afterthought.

Although both WhatsApp and Viber said they will work to fix their encryption oversights, at times these young companies have exhibited a cavalier and disdainful attitude towards data privacy and security.

Viber, founded in 2010, has had a couple other security incidents in the past year.

In July 2013, a security researcher managed to use pop-up notifications from the Viber app to bypass the lock screen on an Android device.

And in April 2013, Viber's support page was hacked by the Syrian Electronic Army, although no user data was lost in the attack.

WhatsApp's founder Jan Koum famously said that "respect for your privacy is coded in our DNA," after his company was bought out by Facebook for $19 billion in March.

That's a nice sentiment, but WhatsApp has made repeated cryptographic blunders that left user data vulnerable.

Another rapidly growing messenger app, Snapchat, ignored warnings from security researchers that the app allowed unlimited searches of user phone numbers - a flaw that led to an attacker dumping 4.6 million usernames and phone numbers online after Snapchat dismissed the attack as "theoretical."

When asked to appear voluntarily before a Congressional hearing on data breaches, Snapchat refused to testify, leading one US Senator to say the company was "hiding something."

Which is ironic, since hiding user data from prying eyes doesn't appear to be one of the company's strengths.

Despite promises it made to users that their private messages would "disappear forever," Snapchat has acknowledged that user Snaps aren't deleted right away from their servers or from users' phones.

These popular messenger apps may be free, but at a cost to privacy for their hundreds of millions of users.



Monday, April 28, 2014

SSCC 144 – iOS malware, fingerprint security, WhatsApp privacy, hacking the taxman [PODCAST]

Here's our latest security podcast, featuring Sophos experts and Naked Security writers Chester Wisniewski and Paul Ducklin.

Sunday, April 27, 2014

Microsoft devours Nokia and charges ahead with Windows Phone 8.1

Microsoft's multi-billion-dollar deal to acquire the devices arm of mobile phone maker Nokia is finally done, and smartphones under the name Microsoft Mobile will soon be rolling out of Nokia's former factories.

The acquisition, which will be finalized on Friday 25 April 2014, gives Microsoft complete ownership of Nokia's Windows Phones, including the flagship Lumia.

Nokia's web and social media properties will continue for up to a year under Microsoft, along with the bulk of its manufacturing facilities, Microsoft's General Counsel and Executive Vice President Brad Smith said in a blog post.

According to a leaked letter from Nokia to its suppliers, the company's official name of Nokia Oyj will be changed to Microsoft Mobile Oy ("Oy" denotes that it's a Finnish limited company).

What Microsoft is hoping to get out of the deal is a chance to make Windows Phone the alternative to the iPhone and popular Android devices like the Samsung Galaxy.

Windows Phone 8.1 steps up to the competition with consumer-friendly features such as Cortana, the virtual assistant that is Microsoft's answer to Siri on the iPhone.

Smith said the deal will "accelerate innovation and market adoption for Windows Phones."

The completion of this acquisition follows several months of planning and will mark a key step on the journey towards integration. This acquisition will help Microsoft accelerate innovation and market adoption for Windows Phones. In addition, we look forward to introducing the next billion customers to Microsoft services via Nokia mobile phones.

With BlackBerry falling off the charts, Windows Phone is still a distant third to Apple and Android smartphones, at around 3% market share in 2013, but projected by IDC to reach about 4% in 2014 and 7% in 2018.

The Nokia Lumia series of devices mirrors the iPhone, but Microsoft also gets the Nokia Asha, a feature phone that's really popular in emerging markets, where Windows Phones have taken off.

On top of that, Microsoft is giving away Windows Phone 8.1 to equipment and device manufacturers, in an effort to take some of the OS market share away from Google's Android.

Microsoft's commercial spots advertising the Nokia Lumia series of Windows Phones target the younger, social media and photo sharing buffs, highlighting its 41 megapixel camera and sharing apps.

But it's not just consumers Microsoft is eyeing - industry watchers observe that Windows Phone is poised to make inroads in the enterprise market and presents an attractive alternative to Android.

Microsoft says Windows Phone 8.1 is its most business-friendly version yet.

It has all the native Microsoft apps built in, for free, on devices with screens smaller than nine inches, and helps Microsoft move closer to a universal OS for Windows PCs, tablets, and smartphones.

Windows Phone 8.1 brings a lot of features that should appeal to enterprise customers who need to meet data security requirements, including full-device encryption, remote lock-and-wipe, app control, secure VPN, and more options for device, app, and certificate management.

Businesses can manage updates from a mobile device management system from Microsoft, or use third party software.

As Timothy Green wrote for The Motley Fool, with Windows Phone 8.1 Microsoft has finally caught up to Google in terms of features, and the growth potential in the mobile market is "significant" (and he's not the only one saying that).

Presumably because of its small user base, Windows Phone isn't currently attracting much attention from cybercriminals, but security is obviously still a concern and incidents still happen.

In March, Microsoft's app market - Windows Phone Store - mistakenly approved several fake Google apps before taking them down from the store.

Malicious or phony apps appear from time to time in Google Play, and although Google's system for policing apps in the Play Store has kept malware apps out pretty well, abusive advertising practices have been hard to control.

Microsoft has developed its own program for finding apps that violate its terms of service for advertising, and according to the MIT Technology Review, Microsoft's "Monkey" program uncovered that 1,000 of the Windows Phone Store's 50,000 apps violated the terms.

So, does Windows Phone 8.1 get security right?

Naked Security writer Paul Ducklin says the Microsoft approach, with its locked down mobile OS and closely monitored app market more closely resembles that of Apple than Google's more diverse and widespread Android ecosystem.

Of course, there are security risks no matter which OS you have on your smartphone, including Windows Phones.

If you upload the right file to the wrong person, or lose a smartphone without having encrypted or locked it, or type in your banking password on an imposter site, you may end up in harm's way regardless of your operating system.

Will Windows Phone 8.1 security features help Microsoft make inroads into the enterprise market?

Whatever happens, it's going to be interesting to see how the Microsoft-Nokia integration goes and if the market responds.

Images of Nokia Lumia smartphones and Nokia seal courtesy of Microsoft.

Saturday, April 26, 2014

PCI DSS – Why it works

The Payment Card Industry Data Security Standard (PCI DSS) is a document that sets the de facto standard of compliance for any company that accesses, stores or transmits cardholder data (CHD) and personally identifiable information (PII).

The PCI DSS's founding members - American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. - sought to replace their individual data security compliance programs in favour of a globally agreed standard.

I've previously written a brief primer on the standard itself and summary of changes for the latest version.

In this post I will examine why the PCI DSS works, focusing primarily on merchants (i.e. retailers of all sizes) as they are the most familiar to us.

A document like the PCI DSS provides businesses with a blueprint for success in safeguarding customer data.

It's easy to point to large retailers and say that they should already know how to do this, and we'd probably be right. But what about the smaller merchants?

Within a 5 km radius of my home there are well over 100 small businesses, the majority of which accept credit or debit cards as a form of payment.

These businesses do not have IT departments brimming with security experts, yet they still need to ensure that cardholder data is secure so as not to run afoul of their merchant agreement.

To quote the PCI Council:

Small merchants are prime targets for data thieves. It’s your job to protect cardholder data at the point-of-sale.

If cardholder data is stolen – and it's your fault – you could incur fines, penalties, even termination of the right to accept payment cards!

For them, the PCI DSS provides an easy-to-follow framework for securely processing transactions.

Standards are a great way of ensuring compatibility in design, manufacture and trade.

With respect to the PCI DSS, having a standard means that a set of minimum requirements must be met in order to provide payment services.

It also means that merchants are no longer required to follow separate programs of compliance.

The PCI DSS levels the playing field, ensuring that small businesses are held to the same security standard as large retailers.

This is important. It means that regardless of where you shop, and regardless of the merchant's annual revenue, your CHD and PII should be treated with an equivalent level of care.

According to Visa, merchants can be classified into 4 different tiers.

Individual card issuers are free to set their own tiers, but they are similar across brands.

Where the PCI DSS does really well is ensuring that the focus is on the data.

It would have been easy to limit the scope to point-of-sale systems or payment processing servers.

Instead, the PCI Council strives to ensure that any and all parts of a business's operation that could potentially hold CHD and PII are covered.

This means that whether the data is stored or in transit, whatever system it touches will be considered in scope.

Broad criteria such as these are important in eliminating judgement and combatting "what if" scenarios.

When assessing an environment, merchants should abide by the phrase, "If in doubt, don't leave it out."

An important part of Visa's merchant tier chart is the validation criteria.

It allows smaller merchants (by transaction volume) the ability to spend less money getting certified, as this can sometimes be quite costly. Merchants at Tier 2 and lower are free to choose whether they call in the experts or provide their own assessment.

The PCI Council has also published a handy PDF guide aimed at smaller businesses.

For those who want extra help, they can hire a Qualified Security Assessor (QSA). They are trained professionals who are experts in the PCI DSS and can help smaller merchants understand the requirements and provide guidance on what controls are appropriate.

QSAs also have experience on their side. A QSA can provide recommendations based on previous exposure to similar environments.

So while merchants can opt to do it all themselves, help is there when they need it.

The enforcement of compliance with the PCI DSS and the determination of any non-compliance penalties are carried out by the individual card vendors.

Merchants that do not comply with the PCI DSS requirements may be subject to fines, card replacement costs, forensic audits, brand damage, revocation of privileges and other penalties.

The following is a list of MasterCard fines:

Level 1 & 2 Merchants

First Violation – Assessment Amount: Up to $25,000
Second Violation – Assessment Amount: Up to $50,000
Third Violation – Assessment Amount: Up to $100,000
Fourth Violation – Assessment Amount: Up to $200,000

Level 3 Merchants

First Violation – Assessment Amount: Up to $10,000
Second Violation – Assessment Amount: Up to $20,000
Third Violation – Assessment Amount: Up to $40,000
Fourth Violation – Assessment Amount: Up to $80,000

Besides the risk of fines, any merchant that suffers a breach will automatically be elevated to Tier 1 regardless of transaction volume.

So, for a little upfront effort and cost, complying with the standard can help reduce risk and minimize unpleasant and costly consequences.

While fines won't eliminate breaches altogether, they can certainly motivate merchants to embrace the standard. Especially those that can ill afford the fines and associated costs.

To find out why the PCI DSS is not all it's cracked up to be, have a look at my contrasting opinion.


Image of yes tag courtesy of Shutterstock.


Friday, April 25, 2014

PCI DSS – Why it fails

The Payment Card Industry Data Security Standard (PCI DSS) is a globally agreed standard of compliance for any company that accesses, stores or transmits cardholder data (CHD) and personally identifiable information (PII).

I've written a contrasting article about the successes of the PCI DSS, but in this article I want to highlight five reasons I think it fails in its goal.

The PCI DSS is a lengthy document that provides a baseline for data security. By that I mean it's a starting point, not an end state.

Since when has doing the bare minimum been a good security strategy?

What's more, much of the document is open to interpretation in terms of compensating controls.

Why not be more explicit about which technologies are best suited to protect against a given threat?

If something is to be encrypted, clearly identify what kind of encryption standard is to be used, e.g. AES256. And when a given technology becomes obsolete, change the guidance!

I know this will cause more work by the maintainers of the standard but it's work that will pay off in both the short- and long-term.

As for the non-compliance penalties, in some cases they're hardly deterrents.

I have read about and gotten first-hand information from certain companies blatantly disregarding the standard because it will cost them more money than simply paying the fines.

The logic goes something like this:

I have data I need to protect;
The PCI DSS says I need to protect everything and it will cost $X to do it 'correctly';
I can do it for $N, which is much cheaper than $X, even when factoring in the non-compliance fines;
I'll do it my way.

So now we're left with an overly long, underwhelming security manual that we're free to ignore should our pockets be deep enough.

What could possibly go wrong?

For any merchant qualifying as Level 2 or below, you are free to conduct your own assessments.

To me that makes as much sense as performing your own dental surgery.

Not only are you not qualified to undertake such a task but you probably don't have the correct tools or know how to use them.

Next time you are talking with a small business owner, ask them to explain the difference between a stateful packet firewall and a web application firewall.

As a small business owner, they are probably experts in selling widgets and running their business but computer security is probably not their bailiwick.

The PCI DSS contains over 200 sub-requirements. Each must be fully understood and correctly implemented in order to stay compliant.

Even the larger merchants - Level 2 merchants processing up to 6 million transactions per year - may not have the in-house expertise to correctly implement the standard.

Yet the payment brands are happy to let them go about it on their own.

As a consumer, should we be entitled to know if a merchant has performed their own audit? Some might feel safer knowing it was done by a security expert instead of a pastry chef.

Luckily there's a solution. Hire a Qualified Security Assessor (QSA)!

So the solution to wading through the PCI DSS is to hire a Qualified Security Assessor (QSA) - those trained professionals who are experts in the PCI DSS and are there to help merchants understand the requirements and provide guidance on what controls are appropriate.

Yes, they're 'Qualified' - they pay their annual dues, but how do you know they really understand security and the PCI DSS, your industry and your unique environment?

Luckily the PCI Council is on top of things:

Please note, the PCI Security Standards Council maintains an in-depth program for security companies seeking to be certified as Qualified Security Assessors (QSAs), as well as to be re-certified as QSAs each year.

Sort of:

Although the PCI Security Standards Council strives to ensure that the list of Qualified Security Assessors linked to this page is current, the list is updated frequently and the PCI Security Standards Council cannot guarantee that the list is current at all times.

Caveat emptor.

I speak as someone who has, at various points in my career, held many different certifications. They're not worthless, but they're not always a guarantee of expertise.

QSAs are supposed to understand the PCI standard and process. Unfortunately, many lack the necessary expertise to validate if a technical control is correctly implemented on a system which they don't understand.

Next time you meet a QSA, ask them who their favourite cryptographer is. If their answer is not on this list, tell them Bruce Schneier would like a word with them.

Just because you can pass a test doesn't mean you're qualified to do anything beyond that.

Compound that with companies who are downright insistent and seek out QSAs that will certify them unequivocally.

What could possibly go wrong?

Having a roster full of QSAs is great. Now we can send them all out to make the payment world a safer place.

You know what would be even better though?

What if we also had a services business that could sell and implement all the controls that our QSAs recommend? This is common practice in the QSA world but is it wrong?

Well, it is and it isn't.

There is an endemic bias when a company is involved in both approving a control and selling it to the merchant.

If done right, the QSA firm will self-impose a model of segregation where the two sides of the operation are unable to influence each other.

This type of 'ethical wall' is commonly seen in finance, journalism and law.

The temptation to grow the bottom line can often overshadow ethics especially when there is no legal obligation to do so.

QSAs could also argue that being able to access the service delivery techs helps the customer, but the same can be accomplished if you use highly qualified and competent assessors.

(*If your sarcasm detector is broken, probably best to move on.)

Perhaps one of the greatest failures of the PCI DSS is its compliance-as-a-snapshot nature.

Threats are continually evolving and so must our ability to defend against them. As such, our computing environments are continually in flux.

If you are lucky enough to be in a business that is seeing growth, you will undoubtedly be adding complexity to your existing cardholder data environment (CDE).

The US is currently in the beginning stages of rolling out EMV. All of the existing payment terminals will have to be replaced.

And what about the end of XP? While most point-of-sale terminals run embedded XP - which is supported until 2016 - many still do not.

Then there's the ongoing maintenance of hardware and software applications. Each can potentially introduce new vulnerabilities into the CDE.

Operational costs are always a concern, so many companies might opt to switch service providers from time to time.

It is not outside the realm of possibility that all these activities could occur between yearly assessments. Especially if different groups are responsible for each part.

Yes, the PCI DSS has some mitigation built-in, such as the business-as-usual recommendation. But that's all it is - a recommendation.

The payment brands also require quarterly scans, but seeing as we patch our systems at least monthly (you do that, right?) is that often enough?

What's worse, for the smallest merchants, an annual assessment is only recommended, not required.

Taking all the above into consideration, it seems to me like there's plenty of room for error. Whether deliberate or not.


Image of no tag courtesy of Shutterstock.
