If your PC starts acting weird or totally goes offline on or after March 8th(for folks who keep their computers off) Please contact ECC for assistance.

Half of Fortune 500s, US Govt. Still Infected with DNSChanger Trojan — Krebs on Security.

The attack took about six hours to properly guess the PIN and return the SSID and password for the target network. During that time, the router locked up once under load, as I was putting normal levels of network traffic through it from other devices. Some routers will also lock out WPS requests for five minutes or so when they detect multiple failed PIN submissions—mine stopped responding occasionally, generating a string of warnings, but Reaver picked back up where it left off once the Linksys started responding again.

Having demonstrated the insecurity of WPS, I went into the Linksys’ administrative interface and turned WPS off. Then, I relaunched Reaver, figuring that surely setting the router to manual configuration would block the attacks at the door. But apparently Reaver didn’t get the memo, and the Linksys’ WPS interface still responded to its queries—once again coughing up the password and SSID. 

The tool also managed to repeatedly cause the router to stop responding to other computers on the network, essentially creating a denial of service attack—a great thing to remember for the next time my neighbors have a loud, all-night Call of Duty session.

In a phone conversation, Craig Heffner says that the inability to shut this vulnerability down is widespread. He and others have found it to occur with every Linksys and Cisco Valet wireless access point they’ve tested. “On all of the Linksys routers, you cannot manually disable WPS,” he said. While the Web interface has a radio button that allegedly turns off WPS configuration, “it’s still on and still vulnerable.”

via Hands-on: hacking WiFi Protected Setup with Reaver.

WiFi Protected Setup Flaw Can Lead to Compromise of Router PINs | threatpost.

This link aggregates all of techcrunchs coverage with decent linking to outside sites about this too.

Carrier IQ | TechCrunch.

Crapware on a pc or mac is easy to combat….format the machine and use your own, known good image.  Phones however are a new frontier of badness for the enterprise and anyone with need for data security.  Folks wonder why I’ve advocated locking smartphones out of sensitive networks…this is why.  I’ve figured this for a while…now it’s been proven.  There are quite a few links in this story..please read them.  The video that’s blown the lid off this is right here.

You just can’t make this stuff up. If I had told you six months ago to be very careful about entrusting corporate data to mobile carriers who pre-install app crap, because they would build spyware into phones, collect secure web browsing information, and embed this software so deeply that you have to change the ROM to get rid of it, you would have written me off as a paranoid. Yet, that appears to be the situation with CarrierIQ, a carrier utility gone wild.

Like the Master Control Program in the 80s science fiction classic, “Tron,” CarrierIQ collects data for an ostensibly harmless purpose: to help carriers improve the quality of their network and improve the user experience. Then, it goes crazy and tries to kill everyone. It may not be as bad in this case, but the trouble is, though Carrier IQ claims, “we are counting and summarizing performance, not recording keystrokes or providing tracking tools,” third party analysis of Carrier IQ begs to differ.

Specifically, researcher Trevor Eckhart writes on his blog that the Carrier IQ application “is receiving not only HTTP strings directly from browser, but also HTTPs strings. HTTPs data is the only thing protecting much of the ‘secure’ Internet.” Carrier IQ, realizing how damaging this revelation was, tried to squelch Eckhart through a cease-and-desist letter (giving him two whole days to respond, and threatening damages starting at$180K), but the Electronic Frontier Foundation came to the rescue. Carrier IQ relented after the assault from the EFF, and is now “deeply sorry for any concern or trouble” that the letter may have caused Eckhart.

From an enterprise perspective, this is massive. It’s the Jerry Sandusky of mobility. It is an insane breach of trust.

[ Not up to date on Carrier IQ? See Carrier IQ Withdraws Legal Threat Against Security Researcher. ]

Enterprises have long put up with “app crap” on Windows platforms, and, then, on mobile platforms. On the Windows platforms, enterprises would shrug, wipe the machines, re-image them, and move on with work as usual. On mobile, enterprises believed that the app crap was benign enough. Wrong.

We all knew that spyware existed on PCs, but the big difference is that spyware and rootkits got installed by malicious third parties, not our trusted partners who get paid for services that they provide.

All of a sudden, Steve Jobs’ perspective about who should control mobile device firmware doesn’t seem to be such a bad idea.

Carrier IQ has no relationship, at all, with the enterprise. They’ve said that “we do not sell Carrier IQ data to third parties” or “provide real-time data reporting to any customer.” But once you generate the data, it’s there for the taking.

This year’s Data Breach Investigations Report, co-sponsored by the US Secret Service, and, ironically, a mobile provider, emphatically states that organizations need to eliminate unnecessary data collection (since it can and will be stolen.) As enterprise trusted partners, it’s time for carriers to eliminate the middleman. Carrier IQ had no incentive at all to limit the type of data that it collects.

Because Carrier IQ is so carrier focused, it may have even come as something of a surprise to the Carrier IQ folks that they may have violated wiretap laws.

The whole model needs to change, or this incident will be repeated. Carriers currently control the phone, and work with third parties to build management software that they need. The third parties have no skin in the game in terms of the trust relationship with the enterprise. Frankly, in this case, if Carrier IQ’s reputation becomes so tarnished that they can no longer sustain a viable business, they can pull up their tent stakes, change their name, and resume operations.

Well, good for them, but BAD for the enterprise, because the enterprise now needs to start investing the type of time that used to be reserved for Windows PCs, in order to re-image spyware-vulnerable smartphones. It’s not a matter of just removing the software. InformationWeek contributor Mathew Schwartz told me this morning that “some deployments of Carrier IQ by the carriers have an ‘off switch’ that smartphone owners can trigger,” but that he’s also seen reports that it simply doesn’t work.

Carrier IQ: Mobile App Crap Must Stop – Security – Mobile Security – Informationweek.

Watch this folks.  I talk about this over and over.  a/v isn’t enough..it is only a start.  Please start with these basics.  Please contact ECC  on how to minimize your exposure.

The Internet Is Infected – 60 Minutes – CBS News.

Second water utility reportedly hit by hack attack • The Register.

Apple’s new “Siri” feature, the voice-activated personal assistant built into the iPhone 4S, leaves owners’ spanking new smartphones partially unguarded.

Those of us who work in the security arena have often banged on about the importance of securing your smartphone with a password or passcode to prevent unauthorised access.

Most mobile phone manufacturers have recognised that as so many people use their smartphones to manage their their diaries, their private communications, and their social lives, it’s good to have some form of security.

Which leaves Apple with some egg on its face regarding Siri.

Even if an iPhone 4S is locked with a passcode, a complete stranger can come up to your smartphone, press the button and give Siri a spoken command.

via Has Siri left your iPhone 4S unlocked? | Naked Security.

In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users’ devices, easier remote analysis, corporate evilness – it doesn’t matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in.

That is not the case. What Trevor found is only the tip of the iceberg – we are all still digging deeper – but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:

the list of user accounts, including email addresses and sync status for each

last known network and GPS locations and a limited previous history of locations

phone numbers from the phone log

SMS data, including phone numbers and encoded text (not sure yet if it’s possible to decode it, but very likely)

system logs (both kernel/dmesg and app/logcat), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info

Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don’t expect it to read your phone log or list of emails.

But that’s not all. After looking at the huge amount of data (the log file was 3.5MB on my EVO 3D) that is vulnerable to apps exploiting this vulnerability all day, I found the following is also exposed (granted, some of which may be already available to any app via the Android APIs):

active notifications in the notification bar, including notification text

build number, bootloader version, radio version, kernel version

network info, including IP addresses

full memory info

CPU info

file system info and free space on each partition

running processes

current snapshot/stacktrace of not only every running process but every running thread

list of installed apps, including permissions used, user ids, versions, and more

system properties/variables

currently active broadcast listeners and history of past broadcasts received

currently active content providers

battery info and status, including charging/wake lock history

and more

via Massive Security Vulnerability In HTC Android Devices (EVO 3D, 4G, Thunderbolt, Others) Exposes Phone Numbers, GPS, SMS, Emails Addresses, Much More.

via OnStar to Track Speed, Location of Cars, Even After Users Opt Out | threatpost.