Category: Security Alerts

The online attack service launched late last year by the same criminals who knocked Sony and Microsoft’s gaming networks offline over the holidays is powered mostly by thousands of hacked home Internet routers, KrebsOnSecurity has discovered.  Just days after the attacks on Sony and Microsoft, a group of young hoodlums calling themselves the Lizard Squad took responsibility for the attack and announced the whole thing was merely an elaborate commercial for their new “booter” or “stresser” site — a service designed to help paying customers knock virtually any site or person offline for hours or days at a time. As it turns out, that service draws on Internet bandwidth from hacked home Internet routers around the globe that are protected by little more than factory-default usernames and passwords.

via Lizard Stresser Runs on Hacked Home Routers — Krebs on Security.

If your router is vulnerable to this, outsiders can easily take control of the router and use it to jump into your network.  These devices have been coming under increasing attack due to their poor security models and the lack of security updates from the router manufacturers.  I’ve begun recommending not using these types of routers anymore due to the numerous security problems they are introducing.  Sophos UTM is free for home use…you just need to provide suitable hardware.  Sophos UTM is at a reasonable cost for businesses and NPOs and gives you true protection from the Internet.  For full information contact ETC.


More than 12 million routers in homes and small offices are vulnerable to attacks that allow hackers anywhere in the world to monitor user traffic and take administrative control over the devices, researchers said.

The vulnerability resides in “RomPager” software, embedded into the residential gateway devices, made by a company known as AllegroSoft. Versions of RomPager prior to 4.34 contain a critical bug that allows attackers to send simple HTTP cookie files that corrupt device memory and hand over administrative control. Attackers can use that control to read plaintext traffic traveling over the device and possibly take other actions, including changing sensitive DNS settings and monitoring or controlling Web cams, computers, or other connected devices. Researchers from Check Point’s malware and vulnerability group have dubbed the bug Misfortune Cookie, because it allows hackers to determine the “fortune” of an HTTP request by manipulating cookies. They wrote:

If your gateway device is vulnerable, then any device connected to your network—including computers, phones, tablets, printers, security cameras, refrigerators, toasters or any other networked device in your home or office network—may have increased risk of compromise. An attacker exploiting the Misfortune Cookie vulnerability can easily monitor your Internet connection, steal your credentials and personal or business data, attempt to infect your machines with malware, and over-crisp your toast.

via 12 million home and business routers vulnerable to critical hijacking hack | Ars Technica.
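A quick banner check for the RomPager version, added here as an example; it is not code from the Ars article or from Check Point’s research. It assumes the gateway answers HTTP on its admin port with a Server header of the form RomPager/4.07 UPnP/1.0 and treats anything older than 4.34 as exposed. The sample banners are constructed for the demonstration, not captures from real devices.

```python
import http.client
import re

# Misfortune Cookie: RomPager builds older than 4.34 are affected, per the
# Check Point research quoted above.
FIXED_VERSION = (4, 34)

# Constructed sample banners in the shape RomPager-based gateways return in
# their HTTP "Server" header; not captures from real devices.
SAMPLE_BANNERS = {
    "gateway-a": "RomPager/4.07 UPnP/1.0",
    "gateway-b": "RomPager/4.51 UPnP/1.0",
    "gateway-c": "Allegro-Software-RomPager/4.34",
    "gateway-d": "lighttpd/1.4.28",
}

_ROMPAGER_RE = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)


def rompager_version(server_header):
    """Return (major, minor) from a Server header, or None if it is not RomPager."""
    match = _ROMPAGER_RE.search(server_header or "")
    if not match:
        return None
    return (int(match.group(1)), int(match.group(2)))


def misfortune_cookie_exposed(server_header):
    """True when the banner advertises a RomPager older than the 4.34 fix."""
    version = rompager_version(server_header)
    return version is not None and version < FIXED_VERSION


def triage(banners):
    """Classify a {device: banner} map as vulnerable / patched-version / not-rompager."""
    result = {}
    for device, banner in banners.items():
        if rompager_version(banner) is None:
            result[device] = "not-rompager"
        elif misfortune_cookie_exposed(banner):
            result[device] = "vulnerable"
        else:
            result[device] = "patched-version"
    return result


def fetch_server_header(host, port=80, timeout=3):
    """Ask a gateway for its Server header over a HEAD request.

    Port 7547 (TR-069) is the side that is often reachable from the WAN.
    This is the network path and is not exercised in the offline demo.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Server")
    finally:
        conn.close()


if __name__ == "__main__":
    for device, verdict in triage(SAMPLE_BANNERS).items():
        print(f"{device}: {SAMPLE_BANNERS[device]!r} -> {verdict}")
```

A version string is evidence, not proof: a vendor may have patched the bug in firmware that still reports an old RomPager version, and the exposure that matters is the WAN-facing admin or TR-069 port rather than the LAN side. Read “vulnerable” as “check the firmware changelog and close the port from the outside”, not as a confirmed hole.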

I am not trying to spread the “stranger danger” fear-mongering here.  If you are a parent, grandparent or any other kind of close relative please read the linked article at the bottom of this post.  I have been following this since it began.  More details are becoming known.  I’m not doing the blame the victim game here but unsafe online behavior contributed to this crime.  Parents PLEASE know what your children are doing.

In my experience this is usually caused by miscommunication or a lack of communication.  Technology is part of the solution but a good parental relationship will do better than any technology.

I was recently at the Brunswick Business Expo and I was disseminating the following documents:

1.  This is a set of tips for adults regarding online safety.

2.  This is a set of steps for youth regarding online safety.

3.  This is a “contract” between your youth and yourselves.  This provides a framework for communications between the adults and the youth for proper online behavior.  It also provides the foundation for a clear set of expectations from both sides of the conversation.

I am not saying this is the be-all and end-all but I hope you find it useful.  There are technological things that can be done to aid caregivers in supervision of their youth.  If you have any questions contact us.

On November 10, a 12-year-old girl left her home in the Baltimore suburb of Nottingham at 7:30am, heading to her middle school. She never returned home. When her mother called the school later, she discovered that her daughter had not even arrived. Suddenly, Baltimore County Police were calling in the FBI to assist in their search for a missing person.

According to police reports, “an unfamiliar blue pick-up truck with North Carolina license plates” was spotted by neighbors near Jane Doe’s home that morning. (While the girl’s name was previously published in Baltimore local media, we’ll refer to her by the name used in recent court documents—Jane Doe—because of her age and because of the nature of the crime allegedly committed against her.) Over the next four days, the investigation of Jane Doe’s disappearance led to a ranch house on a cul-de-sac 340 miles away in Raleigh, North Carolina. That’s where North Carolina Alcohol Law Enforcement agents working under the direction of the FBI eventually found the kidnapped girl—along with a 32-year-old probationer named Victor Yanez Arroyo.

The girl is now back with her family, but according to arrest documents, Jane Doe told authorities that “at the residence, Arroyo had non-consensual sex with her two times.” Arroyo was arrested and now faces a wave of state and federal charges.

Luckily, the FBI and other law enforcement agencies had Doe’s real name and several aspects of her digital identity to work with, including her Xbox Live gamer tag, her Apple iCloud account, and her social media chat accounts. All of these digital identities played a role in the forensics work used to track down Jane Doe’s abductor.

But they also played a major role in her abduction.

via 12-year-old’s online life brings an abductor to her doorstep | Ars Technica.

Microsoft has disclosed a potentially catastrophic vulnerability in virtually all versions of Windows. People operating Windows systems, particularly those who run websites, should immediately install a patch Microsoft released Tuesday morning.

The vulnerability resides in the Microsoft secure channel (schannel) security component that implements the secure sockets layer and transport layer security (TLS) protocols, according to a Microsoft advisory. A failure to properly filter specially formed packets makes it possible for attackers to execute attack code of their choosing by sending malicious traffic to a Windows-based server.

While the advisory makes reference to vulnerabilities targeting Windows servers, the vulnerability is rated critical for client and server versions of Windows alike, an indication the remote-code bug may also threaten Windows desktops and laptop users as well. Amol Sarwate, director of engineering at Qualys, told Ars the flaw leaves client machines open if users run software that monitors Internet ports and accepts encrypted connections.

“If they install software that listens on port, then that machine would be vulnerable,” he said. An example would be “if they run Windows 7 but install an FTP server on it that accepts connections from outside, or a Web server on a client.”

Tuesday’s disclosure means that every major TLS stack—including Apple SecureTransport, GnuTLS, OpenSSL, NSS, and now Microsoft SChannel—has had a severe vulnerability this year. In some cases, the flaws merely allowed attackers to bypass encryption protections, while others—most notably the Heartbleed bug in OpenSSL and the one patched Tuesday in Windows—allowed adversaries to steal highly sensitive data and execute malicious code on vulnerable systems respectively.

Microsoft’s advisory said there are no mitigating factors and no workarounds for the bug. A separate exploitation index assessed real-world attacks as “likely” for both newer and older Windows releases. The advisory said there is no evidence pointing to in-the-wild exploits against Windows users at the time it was drafted. MS14-066 was one of 16 updates Microsoft scheduled for this month’s Patch Tuesday batch. They include a fix for a zero-day vulnerability already under attack in highly targeted espionage attacks.

It took less than 12 hours after the disclosure of the catastrophic Heartbleed bug for it to be turned against Yahoo and other sites. Anyone who uses a Windows computer—especially if it runs a Web or e-mail server—should ensure Tuesday’s update is installed immediately.

via Potentially catastrophic bug bites all versions of Windows. Patch now | Ars Technica.

I don’t always agree with Steve Gibson.  On this particular attack, the one thing that makes this a non-issue is that you have to have active malicious code running in the browser.  Once your machine is compromised in any way you aren’t secure; it is really that simple.  You can listen to Steve talk about this and get a text transcript on the Security Now episode page.

Really this is only a problem if you are surfing on a public Wi-Fi access point: somebody in a position to intercept your traffic can cause an error in your secure connection, make the browser fall back to SSL 3.0, and then insert themselves into your data stream.  Keep in mind SSL 3.0 dates from 1996 and has long been replaced by TLS; the only client that still depends on it is IE6, and modern browsers only drop back to it when a newer handshake fails, which is exactly what the attacker provokes.  All modern browsers are going to fully kill SSL 3.0 support in upcoming updates, which is about time.  You are not in danger from this unless you are browsing on public Wi-Fi AND using an ancient browser.  Once SSL 3.0 finally dies some websites may break temporarily and some browsers will break (IE6).  This isn’t nearly as dangerous as other vulnerabilities that have come up lately.  A full analysis is available here.  If you have any questions contact us.

There is active exploitation of a security flaw in all versions of Microsoft Word right now.  The various online media have been saying this is a targeted attack but I’m seeing general infestations with this security issue.  If your machines aren’t updated you first need to get all of your gear updated, and then there is a patch available to repair the Word problem.  Keep in mind this issue is capable of bypassing, and has bypassed, several anti-malware packages:  Norton, Microsoft Security Essentials and AVG are the ones I’ve seen bypassed.  I’ve not had any clients behind Sophos UTM products infected yet.  It is not known if Office 2003 and older will get updated as they have officially gone out of support and aren’t being updated on a regular basis.  If you are running Office 2003 or lower you need to upgrade now.  Either install LibreOffice or contact ETC Maryland for assistance.  If you install LibreOffice you also must uninstall Microsoft Office or you aren’t protected.

This issue is called a zero-day exploit, which means the flaw wasn’t found by the “good guys” before it was actively being used by various attackers.  I’ve had 3 machines come in within days of each other infected with malware that used this exploit.  The fix is available online or you can call ETC so I can get your security updated and get you protected against this latest threat.  Here is the Microsoft security bulletin and the automated Fix it is here.  You have to manually run this file on every affected machine.  This only protects against the latest exploit.  If you have not kept current on the other Windows updates you are open to other issues that this Fix it won’t protect you against.  A more comprehensive fix is being worked on but until it is available this Fix it is the best solution that ETC Maryland is able to recommend.



The hits to Linksys(now Belkin) routers keep coming.  It’s really gotten to the point I can’t recommend these any longer.  Might be time for a spike in Sophos UTM home installations?


via Bizarre attack infects Linksys routers with self-replicating malware | Ars Technica.

First it was Target.  Then Neiman Marcus notified.  Next was Michaels.  Now it is White Lodging’s turn.  I’ll simply quote from Brian Krebs’s article:

White Lodging, a company that maintains hotel franchises under nationwide brands including Hilton, Marriott, Sheraton and Westin appears to have suffered a data breach that exposed credit and debit card information on thousands of guests throughout much of 2013, KrebsOnSecurity has learned.

Earlier this month, multiple sources in the banking industry began sharing data indicating that they were seeing a pattern of fraud on hundreds of cards that were all previously used at Marriott hotels from roughly March 23, 2013 on through the end of last year. But those same sources said they were puzzled by the pattern of fraud, because it was seen only at specific Marriott hotels, including locations in Austin, Chicago, Denver, Los Angeles, Louisville and Tampa.

Turns out, the common thread among all of those Marriott locations is that they are managed by Merrillville, Indiana-based White Lodging Services Corporation, which bills itself as “a fully-integrated owner, developer and manager of premium brand hotels.” According to the company’s Web site, White Lodging’s property portfolio includes 168 full service hotels in 21 states, with more than 30 restaurants.

White Lodging declined to offer many details, saying in an emailed statement that “an investigation is in progress, and we will provide meaningful information as soon as it becomes available.”

Marriott also issued a statement, noting that “one of its franchisees has experienced unusual fraud patterns in connection with its systems that process credit card transactions at a number of hotels across a range of brands, including some Marriott-branded hotels.” The statement continues:

They are in the midst of the investigation and are in close contact with the banks and credit cards companies.  We are working closely with the franchisee as they investigate the matter.  Because the suspected breach did not impact any systems that Marriott owns or controls, we do not have additional information to provide.  As this impacts customers of Marriott hotels we want to provide assurance that Marriott has a long-standing commitment to protect the privacy of the personal information that our guests entrust to us, and we will continue to monitor the situation closely.”

Other hotel chains franchised by White Lodging — including Hilton and Starwood Hotels (which owns the Sheraton and Westin brands) — could not be immediately reached for comment.

Sources say the breach appears to have affected mainly restaurants, gift shops and other establishments within hotels managed by White Lodging — not the property management systems that run the hotel front desk computers which handle guests checking in and out. In the case of Marriott, for example, all Marriott establishments operated as a franchise must use Marriott’s property management system. As a result, the breach impacted only those Marriott guests who used their cards at White Lodging-managed gift shops and restaurants.

Folks, our credit card technology is stone-age.  What’s worse, the security regulations governing this card data are even more ancient.  Most of the regulations are semi-voluntary.  Couple that with no real consequences for the firms involved and fraud is not only common, it’s rampant.  Put some real consequences for these breaches into effect (such as 5% of the annual GROSS income for the breached entity upon the first offense, doubling for each subsequent breach over the next 5 years) and this nonsense would stop very quickly.  Right now free monitoring is simply a cost of doing business for these large firms.

People have been getting riled up about the latest Facebook permission.  There’s good reason to be concerned.

Now the official response:  If you add a phone number to your account, this allows us to confirm your phone number automatically by finding the confirmation code that we send via text message.


What does this mean?  FACEBOOK IS READING YOUR TEXTS!  Now for many folks they don’t care and that’s fine.  However, if you are a high-security entity (HIPAA, accountant, lawyer, etc.) then you most likely have all kinds of information going through your texts, including “private” stuff from your customers.  Facebook scans ALL texts looking for these codes from itself.  Given past warnings about Facebook’s invasive abilities, do you honestly think they won’t slurp the rest?  They might not now but I’m sure they will since you gave them permission to do so.

That’s two apps gone from my phone now: Starbucks and Facebook.  While a smartphone isn’t secure in the least (BlackBerry is the only exception), just handing over everything is something you can put a throttle on.