<?xml version='1.0' encoding='utf-8' ?>

<rss version='2.0' xmlns:lj='http://www.livejournal.org/rss/lj/1.0/' xmlns:atom10='http://www.w3.org/2005/Atom'>
<channel>
  <title>Always strive to learn something useful.  --Sophocles</title>
  <link>https://thewayne.dreamwidth.org/</link>
  <description>Always strive to learn something useful.  --Sophocles - Dreamwidth Studios</description>
  <lastBuildDate>Tue, 01 Jul 2025 16:32:11 GMT</lastBuildDate>
  <generator>LiveJournal / Dreamwidth Studios</generator>
  <lj:journal>thewayne</lj:journal>
  <lj:journaltype>personal</lj:journaltype>
  <image>
    <url>https://v2.dreamwidth.org/10956279/2749664</url>
    <title>Always strive to learn something useful.  --Sophocles</title>
    <link>https://thewayne.dreamwidth.org/</link>
    <width>100</width>
    <height>100</height>
  </image>

<item>
  <guid isPermaLink='true'>https://thewayne.dreamwidth.org/1469682.html</guid>
  <pubDate>Tue, 01 Jul 2025 16:32:11 GMT</pubDate>
  <title>Several hundred different Brother printer models have unpatchable vulnerability</title>
  <link>https://thewayne.dreamwidth.org/1469682.html</link>
  <description>Well.&lt;br /&gt;&lt;br /&gt;What&apos;s going on is slightly complicated, and not necessarily a big deal, depending.  There are eight flaws found in Brother systems, and they all boil down to one fairly serious vulnerability.  A flaw was discovered in how Brother generates the default system administrator password based on the serial number of the printer: if the serial number of the printer is known, you can reverse engineer the password.  And here&apos;s the problem: if you have not changed that password, THEN you are vulnerable to all sorts of potential mischief!  And that&apos;s where all the other flaws come into play.&lt;br /&gt;&lt;br /&gt;Now, if you changed the default password when you installed your printer, then you&apos;re fine.  Nothing to worry about.  Everything&apos;s great.  If you didn&apos;t, then you need to change it ASAP and patch your printer right now!&lt;br /&gt;&lt;br /&gt;This flaw also affects 59 printer models from Fujifilm, Toshiba, Ricoh, and Konica Minolta.  I&apos;m assuming they use either Brother engines or the same algorithm for generating admin passwords.&lt;br /&gt;&lt;br /&gt;The flaw affects 689 printers; the article provides a link with all of the models listed.  Since the default password was built into the printer&apos;s read-only memory, it can&apos;t be patched.  Brother is changing the way they generate the password.  But again, if you&apos;ve changed the default password, you&apos;re good.  
The other flaws are patchable; I don&apos;t know if patches are out yet, but I&apos;m sure they will be available soon if not already.&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;https://www.theverge.com/news/694877/brother-printers-security-flaw-password-vulnerability&quot;&gt;https://www.theverge.com/news/694877/brother-printers-security-flaw-password-vulnerability&lt;/a&gt;</description>
  <comments>https://thewayne.dreamwidth.org/1469682.html</comments>
  <category>computer hardware</category>
  <category>computer vulnerabilities</category>
  <lj:security>public</lj:security>
  <lj:reply-count>14</lj:reply-count>
</item>
<item>
  <guid isPermaLink='true'>https://thewayne.dreamwidth.org/1367040.html</guid>
  <pubDate>Wed, 20 Dec 2023 14:28:57 GMT</pubDate>
  <title>Speaking of computer security, Xfinity/Comcast didn&apos;t patch, 36 mil customer accts compromised</title>
  <link>https://thewayne.dreamwidth.org/1367040.html</link>
  <description>Citrix is a major player in the computer networking equipment market.  And they had a major, sorry, &lt;b&gt;MAJOR&lt;/b&gt; software flaw back in October that was exploited bigly.  They patched it and announced the patch as fast as they could, and their customers patched as fast as they could.&lt;br /&gt;&lt;br /&gt;Which brings us to Xfinity.&lt;br /&gt;&lt;br /&gt;From the article: &lt;i&gt;&quot;Citrix disclosed the vulnerability and issued a patch on October 10. Eight days later, researchers reported that the vulnerability, tracked as CVE-2023-4966 and by the name Citrix Bleed, had been under active exploitation since August. Comcast didn’t patch its network until October 23, 13 days after a patch became available and five days after the report of the in-the-wild attacks exploiting it.&quot;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Ruh-roh!&lt;br /&gt;&lt;br /&gt;Two weeks is far too long for a vulnerability that big to go unpatched.  Care to guess what happened?  Oh, I forgot.  It was in this post&apos;s subject line.&lt;br /&gt;&lt;br /&gt;To continue the article: &lt;i&gt;&quot;“However, we subsequently discovered that prior to mitigation, between October 16 and October 19, 2023, there was unauthorized access to some of our internal systems that we concluded was a result of this vulnerability,” an accompanying notice stated. “We notified federal law enforcement and conducted an investigation into the nature and scope of the incident. On November 16, 2023, it was determined that information was likely acquired.”&lt;br /&gt;&lt;br /&gt;Comcast is still investigating precisely what data the attackers obtained. So far, Monday’s disclosure said, information known to have been taken includes usernames and hashed passwords, names, contact information, the last four digits of social security numbers, dates of birth, and/or secret questions and answers. Xfinity is Comcast’s cable television and Internet division.&quot;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;Yeah.  
Free credit monitoring?  Thoughts and prayers?  There needs to be some executive job loss and demotions.  But as this is Comcast, nothing will change.&lt;br /&gt;&lt;br /&gt;Completely inexcusable.&lt;br /&gt;&lt;br /&gt;Back in the &apos;90s, when the I Love You email virus hit, I learned about it at about 7:15 or so in the morning.  We literally unplugged our firewall from the internet as there was no patch for it at the moment.  And we had no problems.  You can&apos;t let shit like this go unchecked, or things like this happen.&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;https://arstechnica.com/security/2023/12/hack-of-unpatched-comcast-servers-results-in-stolen-personal-data-including-passwords/&quot;&gt;https://arstechnica.com/security/2023/12/hack-of-unpatched-comcast-servers-results-in-stolen-personal-data-including-passwords/&lt;/a&gt;</description>
  <comments>https://thewayne.dreamwidth.org/1367040.html</comments>
  <category>computer vulnerabilities</category>
  <category>hacking</category>
  <lj:security>public</lj:security>
  <lj:reply-count>11</lj:reply-count>
</item>
<item>
  <guid isPermaLink='true'>https://thewayne.dreamwidth.org/1045966.html</guid>
  <pubDate>Tue, 09 Jan 2018 13:05:42 GMT</pubDate>
  <title>I hope you don&apos;t have a recent HP laptop or a Western Digital My Cloud device....  Also, Apple iOS</title>
  <link>https://thewayne.dreamwidth.org/1045966.html</link>
  <description>First up, HP.  Seems like they think their customers might enjoy a bit of spontaneous laptop combustion.  They&apos;re having a problem with some of their laptop batteries bursting into flames.  Their solution is to issue a BIOS patch that will drain the battery and then prevent it from charging, then to replace the battery.&lt;br /&gt;&lt;br /&gt;From the web site: &lt;i&gt;&quot;Batteries affected by this program were shipped with specific HP Probook 64x (G2 and G3), HP ProBook 65x (G2 and G3), HP x360 310 G2, HP ENVY m6, HP Pavilion x360, HP 11 notebook computers and HP ZBook (17 G3, 17 G4, and Studio G3) mobile workstations sold worldwide from December 2015 through December 2017. They were also sold as accessories or provided as replacements through HP or an authorized HP Service Provider.&quot;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;These laptops do not have user-replaceable batteries; the case has to be opened up.  I&apos;ve done that many times, but most people shouldn&apos;t do that.&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;https://batteryprogram687.ext.hp.com/en-US/&quot;&gt;https://batteryprogram687.ext.hp.com/en-US/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Next, Western Digital.  Seems they hardcoded an admin account and password into their internet-enableable NAS devices, and it would be pretty simple for an attacker to manipulate a web site to include hidden iframes to access your data.  A firmware patch is available, and you should disconnect your NAS from the internet until after you&apos;ve patched.&lt;br /&gt;&lt;br /&gt;From the article: &lt;i&gt;&quot;If you aren&apos;t sure if your My Cloud Storage device is affected, please check against the below list. If your model is listed, you should unplug it from Ethernet immediately. 
Apparently, firmware 2.30.172 (issued November 2017) fixes the bug, so do not reconnect to the internet until you are sure that your device is updated and the vulnerability is patched.&lt;br /&gt;&lt;br /&gt;    MyCloud&lt;br /&gt;    MyCloudMirror&lt;br /&gt;    My Cloud Gen 2&lt;br /&gt;    My Cloud PR2100&lt;br /&gt;    My Cloud PR4100&lt;br /&gt;    My Cloud EX2 Ultra&lt;br /&gt;    My Cloud EX2&lt;br /&gt;    My Cloud EX4&lt;br /&gt;    My Cloud EX2100&lt;br /&gt;    My Cloud EX4100&lt;br /&gt;    My Cloud DL2100&lt;br /&gt;    My Cloud DL4100&lt;br /&gt;&lt;br /&gt;Please know, even if you updated the firmware in November, your files could have been accessed by nefarious people before then -- for years. That is very scary.&quot;&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;If you want to test it, the username is &quot;mydlinkBRionyg&quot; and the password is &quot;abc12345cba&quot;, without quotes.  The back door vulnerability was disclosed to Western Digital six months ago and nothing was done.&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;https://betanews.com/2018/01/07/western-digital-mycloud-backdoor/&quot;&gt;https://betanews.com/2018/01/07/western-digital-mycloud-backdoor/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Finally, Apple has released an iOS update to address the Meltdown and Spectre vulnerabilities, possibly also their little battery life slowdown kerfuffle.  It&apos;s a full-size download, 2.something gig, so expect a long time installing.</description>
  <comments>https://thewayne.dreamwidth.org/1045966.html</comments>
  <category>computer vulnerabilities</category>
  <category>iphone</category>
  <lj:security>public</lj:security>
  <lj:reply-count>4</lj:reply-count>
</item>
<item>
  <guid isPermaLink='true'>https://thewayne.dreamwidth.org/1028167.html</guid>
  <pubDate>Sat, 16 Sep 2017 16:41:50 GMT</pubDate>
  <title>Hacker can control Siri and Alexa with inaudible commands!</title>
  <link>https://thewayne.dreamwidth.org/1028167.html</link>
  <description>A proof of concept of this was revealed some months ago when a Burger King TV commercial said &quot;Siri, tell me about the Whopper&quot;.  Maybe it was Hey Google, I don&apos;t remember.  Anyway, it was rapidly blocked, then BK came out with another commercial and they had a little war back and forth.  And BBC apparently tries it with &quot;Hey Siri, remind me to watch Doctor Who on BBC America.&quot;  I was particularly amused at &quot;Hey Siri, remind me to watch Broadchurch on BBC America&quot; during the final episode of the series.  I burst out laughing when that ad aired and had to explain it to the spousal unit.  And as Sam Clemens said, or is alleged to have said, &apos;Analyzing humor is like dissecting a frog: you can do it, but the frog isn&apos;t good for much afterwards.&apos;&lt;br /&gt;&lt;br /&gt;Well, the Chinese have found another way: pitch the audio above the range of human hearing.  The microphones can still catch it, and the command works.  Now, I don&apos;t have voice-activated Siri on my iPhone, I have to hold down the button because I find that, for me, for the most part Siri is garbage.  I don&apos;t think it&apos;s my enunciation, but maybe it is.&lt;br /&gt;&lt;br /&gt;Makes me wonder if they&apos;ll put in a filter to cap mic input to 18-20 kHz or so to prevent this sort of abuse.&lt;br /&gt;&lt;br /&gt;I read about this last week, perhaps on the day that I went down to help out that medical practice with their ransomware attack.  The clinic was handling their last patients of the day, and the office manager was running the front desk, and was using his iPhone with Siri voice commands.  
He looked a little shocked when I told him about this attack.&lt;br /&gt;&lt;br /&gt;&lt;a href=&quot;https://apple.slashdot.org/story/17/09/06/2026247/hackers-can-take-control-of-siri-and-alexa-by-whispering-to-them-in-frequencies-humans-cant-hear&quot;&gt;https://apple.slashdot.org/story/17/09/06/2026247/hackers-can-take-control-of-siri-and-alexa-by-whispering-to-them-in-frequencies-humans-cant-hear&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Here&apos;s the Slashdot summary:&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Chinese researchers have discovered a vulnerability in voice assistants from Apple, Google, Amazon, Microsoft, Samsung, and Huawei. It affects every iPhone and Macbook running Siri, any Galaxy phone, any PC running Windows 10, and even Amazon&apos;s Alexa assistant. From a report:&lt;br /&gt;&lt;br /&gt;Using a technique called the DolphinAttack, a team from Zhejiang University translated typical vocal commands into ultrasonic frequencies that are too high for the human ear to hear, but perfectly decipherable by the microphones and software powering our always-on voice assistants. This relatively simple translation process lets them take control of gadgets with just a few words uttered in frequencies none of us can hear. The researchers didn&apos;t just activate basic commands like &quot;Hey Siri&quot; or &quot;Okay Google,&quot; though. They could also tell an iPhone to &quot;call 1234567890&quot; or tell an iPad to FaceTime the number. They could force a Macbook or a Nexus 7 to open a malicious website. They could order an Amazon Echo to &quot;open the backdoor.&quot; Even an Audi Q3 could have its navigation system redirected to a new location. 
&quot;Inaudible voice commands question the common design assumption that adversaries may at most try to manipulate a [voice assistant] vocally and can be detected by an alert user,&quot; the research team writes in a paper just accepted to the ACM Conference on Computer and Communications Security.&lt;/i&gt;</description>
  <comments>https://thewayne.dreamwidth.org/1028167.html</comments>
  <category>hacking</category>
  <category>computer vulnerabilities</category>
  <lj:security>public</lj:security>
  <lj:reply-count>1</lj:reply-count>
</item>
<item>
  <guid isPermaLink='true'>https://thewayne.dreamwidth.org/1027071.html</guid>
  <pubDate>Sun, 10 Sep 2017 06:05:12 GMT</pubDate>
  <title>Man, Thursday and Friday were nuts!</title>
  <link>https://thewayne.dreamwidth.org/1027071.html</link>
  <description>Wednesday night I got an email from a friend whom I used to work with.  She&apos;d gone to a doctor that afternoon and their office was in a kind of chaos: the office had been hit by at least two different kinds of ransomware attacks.  She wanted to know if I could help.&lt;br /&gt;&lt;br /&gt;That night I did some research on the particular attacks, found out they were variants of the same core and both were based on exploiting weak Windows RDP (Remote Desktop Protocol) passwords.  RDP is a back door to a server that techs use for management.  It should NEVER be left open!  There are other, more secure, ways to manage servers.  If it must be left open, then it should have a VERY secure, i.e. LONG and complicated, password on it.&lt;br /&gt;&lt;br /&gt;Obviously it did not.&lt;br /&gt;&lt;br /&gt;A friend of the doctor&apos;s is their main IT guy, but he&apos;s not local, and he&apos;s decent but not top drawer.  This problem apparently was discovered before Wednesday, and their guy (let&apos;s call him Bob) was making a new server for them with the latest version of Windows Server and SQL Server.  The software that their clinic uses is mainly based in SQL Server, and here&apos;s the really sucky part: it was running Windows Server 2008 R2 and SQL Server 2008.  And plugged straight into a router to the internet.  No hardware firewall, vendor-provided router.&lt;br /&gt;&lt;br /&gt;*facepalm*&lt;br /&gt;&lt;br /&gt;I didn&apos;t bother checking to see the patch level on their Windows Server 2008; it was kind of pointless.  I did note that their SQL Server 2008 was well below the final patches that were released for it, not that it mattered as all of its databases had been encrypted.&lt;br /&gt;&lt;br /&gt;The new router, though consumer grade, is fully patched.  The new server is fully patched.  A new Cisco firewall is on order.  
That&apos;s the best that we can do right now.&lt;br /&gt;&lt;br /&gt;I was there Thursday from 11am to 8pm, then worked at home from 10pm to midnight copying, compressing (7zip), and uploading a big analytics file to a forensics company who sent us a utility to try and figure out what happened.  Friday I only put in five hours, finishing up an inventory of all of the computers (which they didn&apos;t have) to figure out what should be tossed and what could be upgraded to get them all up to Windows 10 Pro and writing up some reports.&lt;br /&gt;&lt;br /&gt;One woman complained to us that her computer was really slow.  And it was.  It was absolutely horribly slow!  I was afraid that it had something nasty running under the covers, then I opened up Control Panel and did some poking around and found that it was a Pentium 4 with 2 gig of memory running Windows 10.  The Performance Index, Satisfaction Index, whatever index, was 1.0.  So we ordered her a new computer.&lt;br /&gt;&lt;br /&gt;I always had a three-step plan when it came to buying computers to make them last longer and save money.  When a new OS came out and the original started slowing down: add memory.  That usually sped things up.  Next OS comes out: install a better video card.  Next OS comes out: buy a new computer.  All of their computers are running at least 4 gig of memory, odds are they&apos;re all running a motherboard-based video card.  I&apos;m hoping we might be able to do memory upgrades and install some video cards and upgrade some of these for about $100-150 instead of tossing them.  We shall see.  
I&apos;ll do some more inventory work next week now that we have a better idea as to what&apos;s out there.&lt;br /&gt;&lt;br /&gt;This weekend I&apos;m writing up a report more detailed than the single-page invoice that just had bullet points as to what I did; I&apos;m also burning a DVD with bootable malware/virus inspection software that&apos;ll look deeper into the OS than something like Symantec can do, and since you&apos;re booting from read-only media, it&apos;ll look for boot kits that are otherwise invisible.  I&apos;ll get to inspect all of the workstations!  That&apos;ll make everyone oh so very happy to have their computer denied to them for however long it takes.&lt;br /&gt;&lt;br /&gt;The tragic thing is that their backups weren&apos;t running properly because they had a terrible internet connection that couldn&apos;t handle the transfer.  The software did a nightly backup to their vendor, but it had been failing.  And they weren&apos;t doing anything locally, so they didn&apos;t really have a fall-back point to recover from.  Their practice software vendor was able to restore from an earlier backup, but I don&apos;t know how successful that was in terms of how old it was and whether there was any corruption in it.  I&apos;ll be finding that out Monday.  This gets their patient information back, which is critical.  And their insurance information is also processed online, so that should be safe.  But anything stored locally may be lost.&lt;br /&gt;&lt;br /&gt;And the horrible thing about that is the way the database is configured!  I&apos;m a database guy; I&apos;ve been working with SQL Server for 25 years, since the first Microsoft version came out running on Lan Man/OS2.  And the vendor has a VERY bad configuration.  And I won&apos;t improve it unless they say it&apos;s OK.  We&apos;re going to set up local backups; I&apos;ve stressed upon the office manager the importance of rotating backup media and having a fire-proof safe in-house for storing said media.  
So eventually they&apos;ll be in a much better place.&lt;br /&gt;&lt;br /&gt;The big question is whether or not they have to notify all their patients.  I don&apos;t think this represents a HIPAA information spill.  These ransomware encryptions are fully automated attacks by bots; I&apos;ve never heard of data being exfiltrated and used for further extortion, as that&apos;s a much more targeted attack.  I&apos;m going to have to tell the doctor who owns the practice to talk to his attorney and discuss this point because that&apos;s far outside of my ability to give him a recommendation.</description>
  <comments>https://thewayne.dreamwidth.org/1027071.html</comments>
  <category>data breach</category>
  <category>computer forensics</category>
  <category>computer backups</category>
  <category>computer vulnerabilities</category>
  <category>computer security</category>
  <lj:security>public</lj:security>
  <lj:reply-count>6</lj:reply-count>
</item>
</channel>
</rss>
