Daily Archives: October 19, 2015

Netgear Releases Router Firmware Update Addressing Security Issues

Early last week Netgear issued a firmware update for some of their consumer broadband routers. This update resolves two critical vulnerabilities: a command injection vulnerability and an authentication bypass vulnerability.

Affected Routers (authentication bypass vulnerability):

  • JNR1010v2
  • JNR3000
  • N300
  • R3250
  • WNR614
  • WNR618
  • JWNR2000v5
  • WNR2020
  • JWNR2010v5
  • WNR1000v4
  • WNR2020v2

Affected Routers (command injection vulnerability):

  • JWNR2010v5
  • JWNR2000v5

Why Should These Issues Be Considered Important?
By default, the administrative interface of the affected routers can be reached by any device on the same internal network as the router. If remote (WAN) administration is enabled (a setting that exposes the admin interface to the Internet rather than only to your local network), the authentication bypass vulnerability is far more serious, since an attacker anywhere on the Internet could access your router’s admin interface without needing a username or password.

The command injection vulnerability could allow an attacker to run a command of their choice on the router itself (e.g. listing the files on its filesystem), with the privileges of the web interface process.
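The post does not describe the specific flaw in the Netgear firmware, so the following is an added, generic illustration of the command injection pattern rather than Netgear’s code. Router admin pages commonly offer a "ping" or "traceroute" diagnostic that hands a host name from a form field to a shell; the pattern is shown here in JavaScript (a real router would typically do the same thing from a C CGI binary, but the defect and the fix are identical). The function and variable names are my own.

```javascript
// Added example of the command-injection pattern; not Netgear's code.
// A diagnostic page takes a host from a form field and runs ping with it.

// VULNERABLE: the untrusted host is spliced into one shell command line.
// Input "8.8.8.8; ls /" makes the shell run "ls /" after the ping finishes.
function buildPingCommandUnsafe(host) {
  return `ping -c 1 ${host}`;
}

// Strict allowlist: an IPv4 dotted quad or an RFC 1123 style hostname.
// Spaces, ';', '|', '`', '$', quotes and so on never match, so an injection
// attempt is rejected before anything is executed.
const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/;
const HOSTNAME = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidHost(host) {
  return typeof host === 'string' && (IPV4.test(host) || HOSTNAME.test(host));
}

// HARDENED: validate first, then keep the program and each argument
// separate so no shell ever parses the input. In Node this pair is what
// child_process.execFile(file, args) takes; a C CGI would use execv(2).
function buildPingCommandSafe(host) {
  if (!isValidHost(host)) {
    throw new Error(`rejected host: ${JSON.stringify(host)}`);
  }
  return { file: 'ping', args: ['-c', '1', host] };
}

// Constructed inputs: two normal hosts and three injection attempts.
function demo() {
  const inputs = ['8.8.8.8', 'router.example', '8.8.8.8; ls /', '$(id)', '8.8.8.8 -f'];
  const results = {};
  for (const input of inputs) {
    let safe;
    try {
      safe = buildPingCommandSafe(input);
    } catch (e) {
      safe = e.message;
    }
    results[input] = { unsafe: buildPingCommandUnsafe(input), safe };
  }
  return results;
}

console.log(JSON.stringify(demo(), null, 2));
```

Note that the hardened version does two independent things: it rejects anything that is not a plausible host, and it passes the host as a separate argument vector. The second defence is the important one; validation alone is fragile because the shell’s set of special characters is larger than most people remember.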

How Can I Protect Myself From These Issues?
If you own any of the affected routers listed above, apply the update if it is already available for your router. If it is not, check periodically whether updated firmware that corrects these issues has been released. If no corrected version is available, it would be advisable to contact Netgear to determine whether an update is planned; they may also be able to supply steps to mitigate the issues if no update is planned. In the meantime, make sure remote (WAN) administration is disabled, since that removes the Internet-facing exposure of the authentication bypass described above.

Netgear has issued updated firmware for some of the affected routers:

  • JNR1010v2
  • WNR614
  • WNR618
  • JWNR2000v5
  • WNR2020
  • JWNR2010v5
  • WNR1000v4
  • WNR2020v2

Please follow the instructions within the Netgear knowledgebase article linked above to install the updated firmware.

Thank you.

Detecting and Removing Apple iOS YiSpecter Malware

Early this month news of a new malware threat for Apple iOS devices (iPhone and iPad) began to circulate. This threat has been named YiSpecter by Palo Alto Networks.

This threat has primarily been seen in East Asia, particularly in China and Taiwan. However, the method of infection and its effects could easily be used by other threats in the future, and thus Apple iOS users should take the appropriate precautions which I will discuss below.

Why Should This Threat Be Considered Important?
This threat is distributed via a number of different channels (my thanks to Symantec for the full list of where this threat originates from):

  • Hijacked Internet Service Provider (ISP) traffic, causing websites to redirect to another page where the threat is downloaded
  • Forums
  • Social media
  • Alternative App Stores

The threat allows an adversary to perform a range of actions of their choice, namely by first installing a backdoor (defined) and then installing adware (defined here and here). The backdoor provides the malware authors with the following capabilities:

  • Download and install fraudulent apps (that appear to be legitimate iOS system apps)
  • Change all Safari bookmarks to point to a link specified by the command and control server (see Aside below for a definition) of this malware
  • Uninstall apps
  • Display adverts within installed apps
  • Change your default search engine
  • Steal information about you

This malware can infect both jailbroken (defined) and non-jailbroken Apple devices. This is possible since it makes use of a legitimate means of app installation (enterprise provisioning) normally used by large corporations to allow the installation of customized corporate apps by their employees that are not otherwise available in the official Apple App Store. Such apps are not reviewed by Apple and can thus incorporate malicious functionality (that would otherwise be blocked/not allowed by Apple’s App Store review).

Through the malware’s use of private APIs (Application Programming Interfaces) (defined), the malware can install malicious apps of its choice without notifying the user. Private APIs are functions within Apple iOS that Apple has not publicly documented, since such functions are not considered stable: they are not guaranteed to still be present in future releases of the iPhone SDK, and they may work slightly differently from one release to the next. App Store review normally rejects apps that call them; an enterprise-provisioned app never goes through that review.

These malicious apps can replace legitimate apps with malicious versions of the same name (by uninstalling the legitimate apps first). These private APIs are also used to show adverts within other apps that are not part of the malware. Finally, such private APIs are used to gather a list of the apps installed on your phone.

How Can I Protect Myself From This Threat?
If you suspect that your iPhone is infected with this malware e.g. you have seen full screen adverts when using apps on your phone, please follow the steps provided at the end of this Palo Alto Networks blog post to manually remove this threat.

As mentioned by Palo Alto Networks, the most effective means of avoiding being infected by this threat is to only download apps from the official Apple App Store and not to trust unknown app developers. However, they also acknowledge that this will prevent most infections (from similar threats) but not all.

In addition, Apple has confirmed that Apple iPhone users with iOS version 8.4 and later are not vulnerable to this threat. However, it would still be recommended to use the most recent iOS update to benefit from the security improvements that it includes. iOS 9.0 and later also make the installation of this malware a more deliberate action on your part, and thus you are less likely to install the malware inadvertently: before you can run an enterprise/corporate provisioned app you must manually mark the related provisioning profile as trusted in the Settings menu, rather than simply choosing “OK” when you are about to launch the app. The latest iOS at the time of writing is 9.0.2.

I hope that the above information and suggestions are useful in removing this threat if you have been affected by it and in preventing this threat from being installed on your Apple device in the first instance.

Thank you.

=======================
Aside:
What is a command and control server?

When malware can be controlled by its author remotely, that control is usually carried out using a server.

The command and control server (sometimes shortened to the “C2” server) allows the malware author to administer the devices under their control in a convenient manner. This control can include issuing commands to multiple devices to carry out an action at a desired time. Examples would be changing the type of data being collected by the malware (if the malware has this capability), requesting the malware to send all of its collected data back to the server for later review, uninstalling the malware, and updating the malware to provide it with more capabilities of the author’s choice.

Command and control servers are usually separate from the devices they control. The servers communicate with the controlled device using a customized protocol, often disguised as ordinary web traffic.
=======================

Apple Releases Security Updates For iMovie and iWork

Earlier last week Apple released security updates for the following products:

  • Apple Keynote (updated to version 6.6 to resolve 3 CVEs (defined))
  • Apple Pages (updated to version 5.6 to resolve 4 CVEs)
  • Apple Numbers (updated to version 3.6 to resolve 3 CVEs)
  • iWork for iOS (updated to version 2.6)

Full details on all updates are available on Apple’s Security Updates page. I would suggest prioritizing the installation of the updates for Keynote, Pages, and Numbers since they address critical security issues.

If you use any of the above software, please install the appropriate updates as soon as possible. They are available as separate downloads from Apple’s App Store.

Thank you.

Blog Post Shout Out October 2015

Security literature commonly states that users/employees in your organization are the weakest link in terms of IT security. But they don’t have to be!

I wanted to provide a respectful shout out to the following blog post from Sophos which provides 6 practical steps to promote cyber security awareness within your organization. These steps may also enhance your existing security awareness training or help to get you started creating such training:

Practical IT: How to create a culture of cybersecurity at work

I hope that you find the above post useful. Thank you.

Mozilla Releases Firefox 41.0.2

Earlier last week Mozilla made available an unscheduled security update for Firefox bringing it to version 41.0.2 to address a high severity CVE (defined).

This security issue was reported to Mozilla by 2 security researchers.

The issue involves a bypass of the browser’s Cross-Origin Resource Sharing (CORS) checks. By default, the same-origin policy prevents a web application on one domain (e.g. example.com) from reading resources served by another domain (e.g. example2.com). CORS is the mechanism by which the second domain can explicitly opt in, using response headers, so that the first domain is allowed to call its APIs (Application Programming Interfaces) (see Aside below for a definition) while every other origin remains blocked. Firefox’s implementation of the fetch() API did not apply these cross-origin restrictions correctly, so a specially crafted webpage could read data from another origin that it should not have been able to access.
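To make the policy concrete, below is a simplified model of the decision a browser makes before exposing a cross-origin fetch() response to page script. This is an added example written for this post, not Mozilla’s code, and Mozilla’s advisory does not describe exactly which part of the check Firefox got wrong; the function names and the example.com/example2.com scenarios are my own.

```javascript
// Added example modelling the browser-side CORS read check; not Mozilla's code.
// A page at one origin may read a response from another origin only if that
// server opts in via Access-Control-Allow-Origin (and, for requests carrying
// cookies or HTTP auth, Access-Control-Allow-Credentials).

// An origin is scheme + host + port; path, query and fragment do not count.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Decide whether script on `pageUrl` may read a response fetched from
// `targetUrl`. `headers` is a plain object keyed by lower-case header name;
// `withCredentials` mirrors fetch()'s credentials: 'include' option.
function corsAllowsRead(pageUrl, targetUrl, headers, withCredentials = false) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(targetUrl)) return true; // same origin: CORS not involved

  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;                 // server did not opt in

  if (acao === '*') return !withCredentials;            // wildcard never covers credentialed reads
  if (acao !== pageOrigin) return false;                // header names some other origin

  // A credentialed read additionally needs an explicit opt-in.
  return !withCredentials || headers['access-control-allow-credentials'] === 'true';
}

// Constructed scenarios using the post's example domains.
function scenarios() {
  const page = 'https://example.com/app';
  const api = 'https://example2.com/api/data';
  return {
    sameOrigin:    corsAllowsRead(page, 'https://example.com/api/data', {}),
    noHeader:      corsAllowsRead(page, api, {}),
    exactOrigin:   corsAllowsRead(page, api, { 'access-control-allow-origin': 'https://example.com' }),
    otherOrigin:   corsAllowsRead(page, api, { 'access-control-allow-origin': 'https://attacker.example' }),
    wildcardAnon:  corsAllowsRead(page, api, { 'access-control-allow-origin': '*' }),
    wildcardCreds: corsAllowsRead(page, api, { 'access-control-allow-origin': '*' }, true),
    credsNoOptIn:  corsAllowsRead(page, api, { 'access-control-allow-origin': 'https://example.com' }, true),
    credsOptIn:    corsAllowsRead(page, api, {
      'access-control-allow-origin': 'https://example.com',
      'access-control-allow-credentials': 'true',
    }, true),
  };
}

console.log(scenarios());
```

The point of a vulnerability like the one fixed in 41.0.2 is that any one of these "return false" branches being skipped lets a hostile page read a response (possibly one that carried the victim’s cookies) that the target server never agreed to share with it.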

Further details of this update (and the issue it addresses) are available here. If Firefox is installed on any computer that you use, please install the appropriate update as soon as possible. Details of how to install updates for Firefox are here.

Mozilla Firefox updates generally install without issues, however as always I would recommend backing up the data on any device for which you are installing updates in order to prevent data loss in the rare event that any update causes unexpected issues.

Thank you.
=======================
Aside:
What is an Application Programming Interface (API)?

An application programming interface is a structured way of accessing pre-built functions (defined, please see the Aside within that post) provided by a programming language’s standard library (e.g. C, C++, Java etc.), by an operating system, or by a web service. They allow a programmer to accomplish a desired task without having to write the code themselves to do so. They can use (call) a function from the API to carry out their desired task.

An API is usually documented as a large list of functions which details what each function does and how to make use of (call) it. This includes the types of parameters that you may need to provide to that function for it to carry out a task for you (some functions need parameters, some don’t). Further background information on APIs is available here.

An example of an API function provided by C is printf(). We will use this function below to print “Hello World” onto the screen. The link to printf() provided above is to the API documentation for this function. We provide one parameter to the function: the text that we wish to print, ending with a newline character (\n) so that the cursor moves to the start of a new line afterwards. (The null byte, \0, that by convention terminates every C string is added to the string literal automatically by the compiler; it is a different character from the newline.)

#include <stdio.h> /* Declares printf(). The angle brackets tell the compiler to look for stdio.h in the system include directories. */

int main(int argc, char *argv[])
{
    printf("Hello World\n"); /* \n is the newline character; the terminating \0 is added to the literal by the compiler. */
    return 0; /* main is declared to return an int; returning 0 conventionally signals success to the caller. */
}

=======================