Always strive to learn something useful. --Sophocles

First up, HP. Seems like they think their customers might enjoy a bit of spontaneous laptop combustion. They're having a problem with some of their laptop batteries bursting in to flames. Their solution is to issue a BIOS patch that will drain the battery and then prevent it from charging, then to replace the battery.

From the web site: "Batteries affected by this program were shipped with specific HP Probook 64x (G2 and G3), HP ProBook 65x (G2 and G3), HP x360 310 G2, HP ENVY m6, HP Pavilion x360, HP 11 notebook computers and HP ZBook (17 G3, 17 G4, and Studio G3) mobile workstations sold worldwide from December 2015 through December 2017. They were also sold as accessories or provided as replacements through HP or an authorized HP Service Provider."

These laptops do not have user-replaceable batteries, the case has to be opened up. I've done that many times, but most people shouldn't do that.

https://batteryprogram687.ext.hp.com/en-US/


Next, Western Digital. Seems they hardcoded an admin account and password into their internet-enableable NAS devices, and it would be pretty simple for an attacker to manipulate a web site to include hidden iframes to access your data. A firmware patch is available, and you should disconnect your NAS from the internet until after you've patched.

From the article: "If you aren't sure if your My Cloud Storage device is affected, please check against the below list. If your model is listed, you should unplug it from Ethernet immediately. Apparently, firmware 2.30.172 (issued November 2017) fixes the bug, so do not reconnect to the internet until you are sure that your device is updated and the vulnerability is patched.

MyCloud
MyCloudMirror
My Cloud Gen 2
My Cloud PR2100
My Cloud PR4100
My Cloud EX2 Ultra
My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud DL2100
My Cloud DL4100

Please know, even if you updated the firmware in November, your files could have been accessed by nefarious people before then -- for years. That is very scary."

If you want to test it, the username is "mydlinkBRionyg" and the password is "abc12345cba", without quotes. The back door vulnerability was disclosed to Western Digital six months ago and nothing was done.

https://betanews.com/2018/01/07/western-digital-mycloud-backdoor/


Finally, Apple has released an iOS update to address the Meltdown and Spectre vulnerabilities, possibly also their little battery life slowdown kerfuffle. It's a full-size download, 2.something gig, so expect a long time installing.

Wednesday night I got an email from a friend whom I used to work with. She'd gone to a doctor that afternoon and their office was in a kind of chaos: the office had been hit by at least two different kinds of ransomware attacks. She wanted to know if I could help.

That night I did some research on the particular attacks, found out they were variants of the same core and both were based on exploiting weak Windows RDP (Remote Desktop Protocol) passwords. RDP is a back door to a server that techs use for management. It should NEVER be left open! There are other, more secure, ways to manage servers. If it must be left open, then it should have a VERY secure, i.e. LONG and complicated, password on it.

Obviously it did not.

A friend of the doctor's is their main IT guy, but he's not local, and he's decent but not top drawer. This problem apparently was discovered before Wednesday, and their guy (let's call him Bob) was making a new server for them with the latest version of Windows Server and SQL Server. The software that their clinic uses is mainly based in SQL Server, and here's the really suckie part: it was running Windows Server 2008 R2 and SQL Server 2008. And plugged straight in to a router to the internet. No hardware firewall, vendor-provided router.

*facepalm*

I didn't bother checking to see the patch level on their Windows Server 2008, it was kind of pointless. I did note that their SQL Server 2008 was well below the final patches that were released for it, not that it mattered as all of its databases had been encrypted.

The new router, though consumer grade, is fully patched. The new server is fully patched. A new Cisco firewall is on order. That's the best that we can do right now.

I was there Thursday from 11am to 8pm, then worked at home from 10pm to midnight copying, compressing (7zip), and uploading a big analytics file to a forensics company who sent us a utility to try and figure out what happened. Friday I only put in five hours, finishing up an inventory of all of the computers (which they didn't have) to figure out what should be tossed and what could be upgraded to get them all up to Windows 10 Pro and writing up some reports.

One woman complained to us that her computer was really slow. And it was. It was absolutely horribly slow! I was afraid that it had something nasty running under the covers, then I opened up Control Panel and did some poking around and found that it was a Pentium 4 with 2 gig of memory running Windows 10. The Performance Index, Satisfaction Index, whatever index, was 1.0. So we ordered her a new computer.

I always had a three-step plan when it came to buying computers to make them last longer and save money. When a new OS came out and the original started slowing down: add memory. That usually sped things up. Next OS comes out: install a better video card. Next OS comes out: buy a new computer. All of their computers are running at least 4 gig of memory, odds are they're all running a motherboard-based video card. I'm hoping we might be able to do memory upgrades and install some video cards and upgrade some of these for about $100-150 instead of tossing them. We shall see. I'll do some more inventory work next week now that we have a better idea as to what's out there.

This weekend I'm writing up a report more detailed than the single page invoice that just had bullet points as to what I did, I'm also burning a DVD with bootable malware/virus inspection software that'll look deeper in to the OS than something like Symantec can do, and since you're booting from read-only media, it'll look for boot kits that are otherwise invisible. I'll get to inspect all of the workstations! That'll make everyone oh so very happy to have their computer denied to them for however long it takes.

The tragic thing is that their backups weren't running properly because they had a terrible internet connection that couldn't handle the transfer. The software did a nightly backup to their vendor, but it had been failing. And they weren't doing anything locally, so they didn't really have a fall-back point to recover from. Their practice software vendor was able to restore from an earlier backup, but I don't know how successful that was in terms of how old and was there any corruption in it. I'll be finding that out Monday. This gets their patient information back, which is critical. And their insurance information is also processed online, so that should be safe. But anything stored locally may be lost.

And the horrible thing about that is the way the database is configured! I'm a database guy, I've been working with SQL Server for 25 years, since the first Microsoft version came out running on Lan Man/OS2. And the vendor has a VERY bad configuration. And I won't improve it unless they say it's OK. We're going to set up local backups, I've stressed upon the office manager the importance of rotating backup media and having a fire-proof safe in-house for storing said media. So eventually they'll be in a much better place.

The big question is whether or not they have to notify all their patients. I don't think this represents a HIPAA information spill. These ransomware encryptions are fully automated attacks by bots, I've never heard of data being exfiltrated and used for further extortion, that's a much more targeted attack. I'm going to have to tell the doctor who owns the practice to talk to his attorney and discuss this point because that's far outside of my ability to give him a recommendation.

First, Apple. An exploit was found and weaponized that can root an iPhone or, apparently, also an iPad. You need to update your devices RIGHT NOW is you're running iOS 9. It will update your devices to 9.3.5. It's a small patch, less than 40 meg, so a fairly quick and painless update.

http://arstechnica.com/security/2016/08/actively-exploited-ios-flaws-that-hijack-iphones-likely-spread-for-years/


Windows 10 also has a big problem that is currently not patched, so it requires a registry edit to close the hole.

To update the registry, do the following steps:
Click the Start button, and in the search field, type in "regedit", then select "regedit.exe" from the list of results
Navigate through the tree to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad"
Once you have the "Wpad" folder selected, right click in the right pane, and click on "New -> DWORD (32-Bit Value)"
Name this new value "WpadOverride"
Double click the new "WpadOverride" value to edit it
In the "Value data" field, replace the "0" with a "1", then click "OK"
Reboot the computer

Obviously this is not a trivial thing to do and messing with the wrong keys and values can brick your computer. I'm not sure if this is also a problem in earlier editions of Windows, so you should do a bit of research before doing something like this. It's already been fixed in most Linux distributions and also in MacOS.

https://it.slashdot.org/story/16/08/13/0149241/disable-wpad-now-or-have-your-accounts-compromised-researchers-warn

This is more of a problem for Internet Explorer 6 users and sadly there are still some of them out there. This is a client attack, not a server attack. This exploits an SSL v3 connection and can happen if you're on a public WiFi network. Recent versions of Windows, i.e. 7 and 8 and probably Vista should be fine.

http://www.wired.com/2014/10/poodle-explained/

A couple of months ago I posted that security researchers had found a valid exploit to alter the microcontrollers on USB devices, making an attack vector that's almost impossible to detect or fix.

It's now in the wild, and criminals are experimenting to see what they can do with it.

A microcontroller is sort is a super-small computer, and the vulnerability is the discovery that it can be reprogrammed. It's almost impossible to detect because of the different levels that computer programs and operating systems work, they're running so far above the hardware that some things just aren't easily seen. So this is almost invisible. In the early days of MS-DOS, you were running pretty much directly on top of the hardware, which had its pluses and minuses, but when Microsoft started abstracting the operating system from the hardware to make it easier to run on variations in hardware, you now had programs talking to the operating system which talk to device drivers to access the hardware. This abstraction is really good from a system administrator standpoint, but it makes things like this really hard to detect.

Here's the most insidious part: a lot of the really nasty malware out there these days belong to Command & Control (C&C) networks and can change. The guy who controls the system can tell it 'Go update yourself' and push a new module out to make the malware capable of infecting any USB device plugged in to it. And since pretty much all personal computing hardware is either Intel architecture or compatible with it, they might be able to push malware that is platform-agnostic and can infect anything.

It might be unpatchable period. It might be that one manufacturer's cannot be, or even one particular series might or might not be fixable. It's not terribly easy to find out who made the controller on your USB device, much less fix it. One source said it could take a decade to resolve this.

Oh, and credit card readers? Those are USB devices usually.

http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

http://hardware.slashdot.org/story/14/10/02/2154204/hacking-usb-firmware

The Blackhat security conference is coming up very soon, and with it, advanced information about all sorts of wonderful problems. In this case, two new ways to compromise smartphones.

First up, a report on a tool that's built in to all smartphones: Androids, Blackberrys, iPhones sold by Sprint. They haven't tested Windows phones yet. It's a management tool that allows the cell providers to update firmware in the phone through over the air updates, and the security implementation isn't very good.

Granted, this is a team of advanced security researchers, but they were able to get in and totally pwn the phones they were working with. They've notified the maker of the management tool and the cell companies, so a fix should be distributed over the next few months that will make this more secure. Also, no evidence of this being exploited in the wild.

http://www.wired.com/2014/07/hackers-can-control-your-phone-using-a-tool-thats-already-built-into-it/


Next up, an iPhone, if connected to a compromised Windows PC, can potentially be turned in to a botnet! This is interesting stuff as it has falsely been assumed that Apple had pretty tight security on its iPhones, which is broadly true, but they're also kinda slow pushing updates. I assume that the exploit would also be effective against iPads that also have cellular radios built-in.

http://www.wired.com/2014/08/yes-hackers-could-build-an-iphone-botnetthanks-to-windows/

The German security site, Heise.de, published a report of a compromised cell phone being able to see the reflection of your entering your unlock codes and passwords FROM YOUR GLASSES. They also say that the back camera, being higher resolution, can actually read fingerprints, which will be a big threat for biometric security.

(translated via Google from German)
http://translate.google.com/translate?hl=en&sl=de&tl=en&u=http%3A%2F%2Fwww.heise.de%2Fsecurity%2F

http://www.heise.de/security/meldung/Smartphones-Passwoerter-und-Fingerabdruecke-mittels-eingebauter-Kamera-ausspioniert-2243715.html

The easy solution, if you're not in to taking selfies, would be to cover the front camera with tape. The case that I use covers the back camera unless I'm specifically taking photos, which is a rare thing, so that's useless if my phone were compromised.


There was a Mythbusters episode a few years ago where they were testing hi-tech security systems, including fingerprint readers. They lifted a fingerprint from a glass, using laser printer black toner to make the print visible. They scanned it, printed it on a hi-res laser, copied it on to a melted gummy bear fake finger, and it was rejected by the scanner. So they printed it again greatly enlarged, perhaps to an 8x10", then fixed disconnected lines with a black Sharpie pen. Scanned it again, reduced the size, repeated printing it, and it worked. It was amazing to see.

What was also cool was they got past an ultrasonic sensor, it might also have been infrared, I don't remember, by carrying a huge piece of shag carpeting in front of them. It absorbed the ultrasonics so they didn't reflect back, and they made it past that stage.

The new iPhone 5 fingerprint scanner is a different beast: it doesn't just read your fingerprint, it reads the capillary pattern beneath your skin. So it shouldn't be fooled by the Mythbusters trick. And I understand the newer generation of fingerprint scanners require a 98f heat source behind them, so you can't chop off someone's finger to get in. So the Mythbusers trick will hopefully have a short life.

VMWare servers, Nest thermostats, lots of home routers and firewalls, MyCloud servers, HP printers, videoconferencing systems, etc.

One positive thing in this article is that not all implementations of OpenSSL are vulnerable: older implementations are not vulnerable, and the version that has the bug apparently that segment of code is not mandatory and is not always implemented.

http://www.wired.com/2014/04/heartbleed_embedded/

Here's an excellent XKCD comic showing how it works. The basic concept is known as an unchecked parameter where the requester (hacker) asks the server a question and tells it to return 64,000 characters of information. Said information is a random memory location but can contain quite valuable data, including crypto keys, and that's the reason why all of the certificate authorities are slammed and scrambling like mad to re-issue new encryption certificates.

I'll write more about this later after I've had time to research it better. The one thing is that this seems to be a server problem, I don't know how this affects personal computers. I do know that the observatory that my wife works at had at least three vulnerable servers. People are saying "Change all your passwords NOW!", but I'm not sure if that's the way to go. If you change your passwords now, and the server has not yet been updated, it's still vulnerable. I think it would be better to wait until a given web site says 'change your password' as that should be a solid sign that they've taken steps to remediate their servers.

Let's say you use your laptop to access the internet at Starbuck's, though why you'd pay to use their service I don't know. The SSID (name) of all of their access points are called T-Mobile after their provider. Your laptop remembers the SSID, and the next time you start it up, it tries to associate with it.

So here's the hack. I create an access point named T-Mobile. Your computer boots and says "Look! There's T-Mobile! I wonder if it will be my friend?" Your laptop is now associated with my access point and is now a little bit on the vulnerable side.

First solution: firewall. Don't use the Window's firewall, get something like Zone Alarm Pro. Second, NEVER associate to ad hoc networks. Always have your card to only associate with infrastructure networks. Apparently new laptops that have built-in wireless have a button to turn the card off. They recommend using said card when networking is not in use.

Anyway, Here's The Fine Article on Slashdot that includes a link to the source story.

Important stuff if you're a Windows user who does wireless networking!