You know the drill: it's Thursday!
We’re once again setting up and knocking down the week’s most pressing technical torments. It’s a big one this month, so let’s jump right in.
It’s Creepy and It’s Kooky. Your Modem’s Acting Spooky. The Cable Haunt is Truly… a Vulnerability.
Potentially millions of home broadband routers are susceptible to a critical vulnerability, allowing hackers full remote access to common ISP devices; 200 million in Europe alone are thought to be at risk.
Researchers at the Lyrebirds security consultancy discovered the flaw last week, noting that the vulnerability originates from the reference software behind multiple cable modem manufacturers – hence the widespread threat.
The good news? The exploit is such a faff to pull off that hackers probably won’t even bother with it. Victims would still have to be redirected to a webpage harbouring malicious code, and then be subjected to a long-winded DNS rebinding procedure, which admittedly goes beyond your humble reporter’s technical knowledge. From there, hackers can do whatever they want with a victim’s modem; control is essentially taken right out of the rightful owner’s hands.
Broadcom, the chipset designer behind the reference software, has since noted that a fix for this flaw was released as far back as May last year – however, Lyrebirds were still able to compromise several common ISP devices in further tests. It might be that these modems were manufactured before the update was made available, and they will need urgent updating once they make it into the hands of the hardware owner.
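The DNS rebinding step in that chain is exactly what resolver-side rebinding protection (the sort of thing dnsmasq's stop-dns-rebind option does) is built to stop: a public hostname is refused any answer that points into private address space, so the malicious page can never reach the modem. Here is that filter in Python as an added example, not code from Lyrebirds or Broadcom; the hostnames, the allowlist name and the 192.168.100.1 modem address are constructed samples.

```python
import ipaddress
from typing import Iterable, List, Set

# Ranges a public hostname should never legitimately resolve to. A rebinding
# attack re-points the attacker's public name at one of these so the victim's
# browser can reach the modem from the LAN side after the page has loaded.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_internal(addr: str) -> bool:
    """True if addr is private, loopback or link-local. IPv4-mapped IPv6
    answers (::ffff:192.168.100.1) are unwrapped first; a filter that only
    inspects A records would wave them through."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETWORKS)

def filter_rebinding(name: str, answers: Iterable[str],
                     allowlist: Set[str] = frozenset()) -> List[str]:
    """Answers a rebinding-aware resolver would return to the client. Names on
    the allowlist (hypothetical: the ISP's own modem hostname) may resolve to
    internal space; for any other name such answers are dropped."""
    if name.lower().rstrip(".") in allowlist:
        return list(answers)
    return [a for a in answers if not is_internal(a)]

def audit(records: Iterable[tuple]) -> List[str]:
    """Run (name, answers) records through the filter; return the names whose
    internal answers were stripped, which is the event worth alerting on."""
    flagged = []
    for name, answers in records:
        answers = list(answers)
        if len(filter_rebinding(name, answers)) != len(answers):
            flagged.append(name)
    return flagged

# Constructed sample (not from the Lyrebirds report): a public name answers
# with a public address first, then re-points at a private one.
SAMPLE_RECORDS = [
    ("cdn.example", ["203.0.113.7"]),
    ("rebind.attacker.example", ["203.0.113.9"]),
    ("rebind.attacker.example", ["192.168.100.1"]),
    ("rebind.attacker.example", ["::ffff:192.168.100.1"]),
]
```

Running audit(SAMPLE_RECORDS) flags the two re-pointed answers for rebind.attacker.example and leaves the genuinely public ones alone.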
Nonetheless, for home broadband users (so, all of you) and smaller businesses, this is something to keep an eye on. It’s recommended you update your home router as soon as possible – if you’re using an ISP’s own router or a more modern device, these updates typically occur automatically.
However, if you need to manually update your router, you can do it the following way:
1. Open up your web browser
2. Enter your router’s IP address in the address bar. Default addresses for common brands include:
- Asus: 192.168.1.1
- Cisco: 192.168.0.1 or 192.168.1.1
- D-Link: 192.168.0.1 or 10.0.0.1
- Netgear: 192.168.0.1 or 192.168.0.227
3. Log into your router with your admin password. You may have amended these settings yourself, but you can look up the factory default setting of your router model online. ‘admin’ is a commonly used password in many instances.
4. From within the user interface, locate your ‘Update’ option. Not all router interfaces are alike, so this may take a little bit of searching.
5. Follow the instructions to update your router.
Eyebrows Raised Quizzically as NSA Warns Microsoft of Security Vulnerability
The National Security Agency, America’s intelligence agency and Scapegoat Number One for conspiracy theorists worldwide, has alerted Microsoft to a critical vulnerability in its Windows 10, Windows Server 2016 and Windows Server 2019 operating systems. This marks an unprecedented step by the NSA to alert Windows users to a vulnerability - instead of, you know, keeping it to themselves for five years until it was leaked and used for nefarious purposes.
Yep – without the NSA, we wouldn’t have had WannaCry, but that’s a whole other story.
I digress. The unimaginatively titled ‘NSACrypt’ exploit (or CVE-2020-0601, if you’re a traditionalist) is this week’s villain. According to Microsoft, the flaw affects the Crypt32.dll module, which handles the encryption and decryption of data, and could have exposed users to breaches, surveillance and intrusions.
Microsoft have bundled a fix for this vulnerability in this week’s Patch Tuesday update, so with the flaw now out in the wild and waiting for opportunist hackers to take advantage of it, now’s the time to get that patch downloaded.
Meanwhile, we can only speculate what the NSA hopes to achieve with this uncharacteristic sharing of the critical vulnerability. A nation-wide surveillance regime? A distraction from the true, sinister machinations behind Area 51? A coded message to the Illuminati? Answers on a tin foil hat!
Time is of the Essence For Citrix Remote Code Vulnerability
A remote code execution vulnerability discovered in Citrix Application Delivery Controller and Citrix Gateway products has spiralled into a nail-biting race against time.
The CVE-2019-19781 vulnerability, first discovered in December by Positive Technologies’ Mikhail Klyuchnikov, is a severe flaw which can be exploited relatively easily, affects all supported platforms and products, and allows remote code execution by ‘any external hacker’. That’s 80,000 corporate LANs across the UK, US, Germany, the Netherlands and Australia potentially exposed. Yikes.
Worse yet, proof-of-concept exploit code is already surfacing on the internet, providing a veritable buffet for hackers looking to take advantage. Citrix have offered mitigation advice for their users, but with a conclusive patch not expected until later this month, time may be running out for Citrix and its users.
If you use either of the affected products, it’s utterly crucial that you follow Citrix’s advice, and install the new patch as soon as it’s available.
Ring of Ire: Amazon’s Home Security Just Can’t Keep the Criminals Out
Strap yourself in – this one’s a long one.
At first, we at Threat Thursday passed up on reporting the myriad security stumbles surrounding Ring, Amazon’s home security system; after all, it was always more of a home product than a legitimate business solution. But with the release of Ring for Business last year, plus some frankly baffling failures in the device’s own security, it’s a topic well worth exploring.
Concerns around Ring’s security (or lack thereof) kicked off early into its release. Videos show an 8-year-old girl being contacted by hackers through her Ring camera, with the in-built speaker broadcasting a terrifying combination of Tiny Tim’s “Tiptoe Through the Tulips” and a voice on the other end of the line identifying itself as Santa Claus. Chilling. A week later, a Florida man had a slightly less malicious conversation with what sounded like a young boy, possibly a teenager, who had managed to hack into his Ring camera.
Now, we already know that at least one of these users did not have two-factor authentication enabled, which might have improved their security significantly. Yet Ring launched without any 2FA solution, and only received one in April last year. It’s worth noting that Ring still doesn’t enforce 2FA, despite many average homeowners still being unfamiliar with the practice. Nor, for that matter, does it identify weak or compromised email and password combinations. Ring also allows logins from multiple IP locations without alerting the owner, a check that even the long-disreputable Yahoo! Mail manages to perform.
Recently, Amazon unveiled Ring’s ‘Privacy Dashboard’, a way to let users better control their Ring security. Yet this has been equally revelatory; from the interface, it seems that until now users had no control over requests for stored footage from local police, who had connected to neighbourhood Ring devices via the Neighbors app. It was revealed previously that, thanks to America’s lacking data protection laws, Ring surveillance footage was provided to police for their storage, sharing and forensics with barely any restrictions. Security campaigners have been… less than receptive to this new dashboard, viewing it as little more than field dressing on a woefully insecure product.
The cherry on top of this questionable-tasting cake comes from last week, however. Confirming all the concerns we’ve had with smart devices since Alexa infiltrated our homes, four Amazon employees have been fired for illegally accessing users’ stored videos. This is particularly damaging; smart device companies insist that any retained customer records are accessed only by a select few of their most trusted security personnel, and only under very controlled circumstances. This latest development proves that those select, most trusted personnel can easily betray that trust, and throws all those reassurances into question.
Amazon Ring isn’t a total calamity. There are ways to stay protected with 2FA, and it shares many of its security weaknesses with any other internet-connected device. But if a security system cannot at least educate its owners on the importance of basic, 21st-century protection, nor uphold the privacy of its users, it’s impossible to tout its benefits without one heck of a disclaimer.
And Now For the Boring Bit – Yes, It’s the Patch Rundown!
It’s a veritable platter of plodding patch notes this week, as we run down the major updates hitting prominent software suites. Look, I know it’s dull, but it’s also important stuff. Stop fidgeting.
Over at Windows HQ there’s that NSA patch we were just telling you about; it’s accompanied by 49 more Windows fixes, 9 of which are critical, including some crucial patches for Windows Remote Desktop vulnerabilities. Windows 7 has received its last ever official update now that Microsoft have had enough of their fan-favourite operating system; rest in peace, Windows 7. Elsewhere, that diligent deity of desktop documents, Office 365, has had several remote code execution vulnerabilities fixed, most notably three in Excel related to malware-infected files. The patch for all these – and more! – is available now.
Adobe has fixed five critical flaws in Illustrator, which when exploited could allow for arbitrary code execution by nefarious attackers. A further four were released for their web analytics programme, Adobe Experience Manager – none of which were deemed critical, but you’ll want to fix up all the same. And, er, that’s all Adobe have for us this week.
And that’s all we have for this week, too. Join us same time, same place next Thursday for the latest security updates.
Or better yet, why not sign up for the regular Threat Thursday email? You’ll get the latest Threat Thursday report in your inbox every week – just add your email into the subscribe box on the right of this blog.