Lots of important security patches are out.
Friday, September 20, 2024
Thursday, August 29, 2024
Time to patch your Windows computer
Microsoft has released a fix for a severe vulnerability in this month's Windows Update. The problem here is that a Bad Guy sending a specially crafted IPv6 packet can run code on your computer. Basically it's a spammer's/hacker's dream, and now there is demonstration code in the wild to do this.
If you run Windows 10 or 11, this is probably bad news for you. Here's what you need to do:
- Check to see if you are reachable using IPv6. If you only have IPv4, then you don't need to worry.
- If the site in the link above can reach you with IPv6, you need to run Windows Update. Go to the Start Menu and type "Windows Update" in the search bar which will take you right to the update program.
I must say that I was surprised about my IPv6 connectivity. But this is a really nasty bug, so get patching.
Thursday, August 8, 2024
If you use 1Password on Mac, you need to get patching
Password manager 1Password is warning that all Mac users running versions before 8.10.36 are vulnerable to a bug that allows attackers to steal vault items.
...
Think you might be vulnerable? No mitigations were provided by 1Password, so patching up to version 8.10.36 is your only shot at securing those credentials.
Password Managers are great security tools because they make it easy to have very strong passwords (basically, random gobbledygook) for your online accounts. They remember these passwords so that you don't have to.
But they're not magic, they're software. That means that even they can get security bugs. If you use 1Password on Mac, make sure you upgrade it to 8.10.36 which fixes this.
Friday, July 12, 2024
Is anyone using old D-Link DIR-859 WiFi routers?
If so, you need to replace it right away. There is a critical vulnerability which allows a Bad Guy to dump user accounts and passwords - basically, this lets him take over the box. Because the routers are End Of Life (EOL) there will never be a software update to fix this.
Fortunately, home WiFi routers are pretty cheap these days.
I used to run D-Link in the past (I'm pretty sure I had one at FOB Borepatch, back in the day) but those are long gone now. If you have one then run, don't walk to get a replacement.
Details here for those who are interested.
Saturday, June 15, 2024
It's time to opt out of Windows Recall
Holy cow, what a nightmare:
Microsoft is not giving up on its controversial Windows Recall, though says it will give customers an option to opt in instead of having it on by default, and will beef up the security of any data the software stores.
Recall, for those who missed the dumpster fire, was announced on May 20 as a "feature" on forthcoming Copilot+ Windows PCs. It takes a snapshot of whatever is on the user's screen every few seconds. These images are stored on-device and analyzed locally by an AI model, using OCR to extract text from the screen, to make past work searchable and more accessible.
The ultimate goal for Recall is to record nearly everything the user does on their Windows PC, including conversations and app usage, as well as screenshots, and present that archive in a way that allows the user to remind themselves what they were doing at some point in the past and pull up relevant files and web pages to interact with again. The archive can be searched using text, or the user can drag a control along a timeline bar to recall activities.
But security testers have raised doubts about the safety of recorded information and have developed tools that can extract these snapshots and whatever sensitive information they contain. The data is for now stored as an easy to access non-encrypted SQLite database in the local file system.
"Dumpster fire" doesn't even begin to describe it. It's easy to imagine all sorts of ways that this would violate laws (e.g. storing healthcare PII unencrypted is a HIPAA violation).
Never mind what sort of reindeer games hackers might get up to - after all, Windows has historically been so difficult for viruses and malware to invade, amirite?
If you're still using Windows, you should configure it to opt out of Recall. Or upgrade to Linux. All the cool kids are.
Thursday, May 30, 2024
Interesting security idea
Actually, it's a breath of fresh air:
A Google security bigwig has had enough of federally mandated phishing tests, saying they make colleagues hate IT teams for no added benefit.
Matt Linton leads Google's security response and incident management division. Tasked with rolling out phishing exercises every year, he believes tests should be replaced by the cybersecurity equivalent of a fire drill.
Today's phishing tests more closely resemble the fire drills of the early days, which were more like fire evacuation drills – sprung upon a building's residents with no warning and later blaming them as individuals for their failures.
Yeah, that's about right.
Linton's idea of a possible alternative is considerably different compared to the tests office workers have become accustomed to over the years.
Hello! I am a Phishing Email.
This is a drill - this is only a drill!
If I were an actual phishing email, I might ask you to log into a malicious site with your actual username or password, or I might ask you to run a suspicious command.
You can learn more about recognizing phishing emails at and even test yourself to see how good you are at spotting them. Regardless of the form a phishing email takes, you can quickly report them to the security team when you notice they're not what they seem.
To complete the annual phishing drill, please report me.
Thanks for doing your part to keep
A. Tricky. Phish, Ph.D
This seems like a much more productive approach, IMHO. Which means that it will be ignored by The Usual Suspects.
Thursday, March 14, 2024
Burglars using Wi-Fi jammers to disable security cameras
Well, of course:
Authorities with the Los Angeles Police Department are warning residents in Los Angeles’ Wilshire-area neighborhoods of a series of burglaries involving wifi-jamming technology that can disarm surveillance cameras and alarms using a wireless signal.
According to police, the burglaries typically involve three to four suspects who enter homes through a second story balcony.
Once inside, the thieves target primary bedrooms in search of high-end jewelry, purses, U.S. currency and other valuables.
Cat 5 is a pain to run but is hard to jam.
(via)
Wednesday, January 3, 2024
So which stores use facial recognition technology to track you when you shop there?
Interesting. There are a lot of surprises on this list, both stores I expected to use this tech who say they won't, and stores I expected not to who do.
(via)
Wednesday, November 29, 2023
About that iPhone security "flaw"
There's a lot of discussion about the security of Apple's iPhone NameDrop feature. Police departments are recommending turning this off. It's gone viral, and given Apple a bit of a security/privacy black eye.
It's also overblown. Key things to know:
1. If your phone is locked (say, at the gym) it will not share contact info via NameDrop.
2. NameDrop only works when the phones are unlocked and the phones are physically in contact with each other. Just being "close" isn't good enough. Nobody is going to swipe your data by walking past you.
3. Your phone will ask you if you want to share data. It won't share automatically.
There's more detail on this here. Here's how you turn NameDrop off if you want to:
Open Settings, then select General. Select AirDrop and disable "Bringing Devices Together" and "Use Cellular Data". You're good to go.
That said, you can share contact info via text message with anyone you want to, so this feature seems pretty useless to me. I have disabled it on my phone, and I strongly recommend you disable it on any child's phone (or iWatch).
Thursday, November 16, 2023
What to do about Quantum Computing?
There's a good (if geeky) read from the UK National Cyber Security Centre on how to prepare your organization for Quantum Computing. From the article:
Quantum computers use properties of quantum mechanics to compute in a fundamentally different way from today's digital, 'classical', computers. They are, theoretically, capable of performing certain computations that would not be feasible for classical computers. Although advances in quantum computing technology continue to be made, quantum computers today are still limited, and suffer from relatively high error rates in each operation they perform.
In the future, it is possible that error rates can be lowered such that a large, general-purpose quantum computer could exist. It is, however, impossible to predict when this may happen as many engineering and physical challenges must be overcome first. If such a computer could exist in the future, most traditional public key cryptography (PKC) algorithms in use today will be vulnerable to attacks from it.
Breaking Public Key Crypto is A Very Bad Thing Indeed, and would basically break the Internet. If you're in the security field, you really should read this.
Monday, September 18, 2023
Huh. So they didn't do this?
Chrome browser to notify you when an extension is removed from the Chrome store:
Google is testing a new feature in the Chrome browser that will warn users when an installed extension has been removed from the Chrome Web Store, usually indicative of it being malware.
An unending supply of unwanted browser extensions is published on the Chrome Web Store and promoted through popup and redirect ads.
These extensions are made by scam companies and threat actors who use them to inject advertisements, track your search history, redirect you to affiliate pages, or in more severe cases, steal your Gmail emails and Facebook accounts.
The problem is that these extensions are churned out quickly, with the developers releasing new ones just as Google removes old ones from the Chrome Web Store.
Unfortunately, if you installed one of these extensions, they will still be installed in your browser, even after Google detects them as malware and removes them from the store.
Kudos to Google on this but it's a little surprising that this wasn't in from day one. And the fact that they did this makes you wonder just how big a problem this is. My take is "big".
And as to extensions, remember Borepatch's First Law of Security from back in 2008: "Free Download" is Interwebz-speak for "open your mouth and close your eyes."
Tuesday, September 5, 2023
Thursday, August 24, 2023
Live by the Cloud
CloudNordic has told customers to consider all of their data lost following a ransomware infection that encrypted the large Danish cloud provider's servers and "paralyzed CloudNordic completely," according to the IT outfit's online confession.
The intrusion happened in the early-morning hours of August 18 during which miscreants shut down all of CloudNordic's systems, wiping both company and customers' websites and email systems. Since then, the IT team and third-party responders have been working to restore punters' data — but as of Tuesday, it's not looking great.
"Not looking great" means that it was wiped clean. This is a good time to remind everyone about the importance of backing up your data. It sounds like a pain, but you only need to back up the data you don't want to lose ...
Tuesday, August 8, 2023
Security vulnerability on Canon wifi printers
First a digression: Divemedic has a good post up about how a vulnerability in Tesla cars lets users turn on for-pay features that they haven't purchased.
And so to vulnerable printers:
Canon warned users that sensitive information on the Wi-Fi connection settings stored in the memories of home, office and large format inkjet printers may not be deleted by the usual initialization process.
The large printer vendor posted in an advisory Monday that when a third-party takes control of a printer, such as when repairing, lending, selling or disposing the device, a user’s information may get exposed and potentially vulnerable to a wide range of malicious activities.
Canon provided the following instructions to mitigate the issue by wiping Wi-Fi settings:
- Reset all settings (Reset settings -> Reset all).
- Enable the wireless LAN.
- Reset all settings one more time.
It's important to do a factory reset (sometimes called "Factory Restore") on any electronic device you dispose of.
Wednesday, August 2, 2023
How to pick a more secure Android device
The problem with many Android devices is that when there's a security update in the Android OS, it typically doesn't go directly from Google (who makes Android) to you. Instead, it goes from Google to the device manufacturer who then releases it to you. This is different from Apple, where your iDevice gets automated updates directly from the Apple Mother Ship.
This lag opens the door to the Bad Guys. I've posted before about "Zero Day" vulnerabilities, where there is a known vulnerability without a released update. Android devices suffer from this (as do all devices), but the Google-Manufacturer-You release chain brings a new concept: the "N-Day" vulnerability:
A zero-day vulnerability is a software flaw known before a vendor becomes aware or fixes it, allowing it to be exploited in attacks before a patch is available. However, an n-day vulnerability is one that is publicly known with or without a patch.
For example, if a bug is known in Android before Google, it is called a zero-day. However, once Google learns about it, it becomes an n-day, with the n reflecting the number of days since it became publicly known.
Google warns that attackers can use n-days to attack unpatched devices for months, using known exploitation methods or devising their own, despite a patch already being made available by Google or another vendor.
So the key issue when choosing a more secure Android phone is how to minimize the value of N. The faster the turnaround at the device manufacturer, the less your risk.
There are two strategies you can choose here:
- Buy a Google branded Android device. I don't know if N=0 in this case but it's hard to see how any manufacturer could turn a patch around faster than the company that created the patch.
- Buy a device from a manufacturer that participates in the "Android One" program. N will not be zero here but the program tries to streamline the patching/update process.
Or you could buy an iDevice, but now the discussion has lurched into the theological.
Wednesday, July 26, 2023
More important Apple security updates
Apple fixes security bugs that are being exploited in the wild. If you have any of the following, you will want to update ASAP:
Get cracking.
Apple has released fixes for several security flaws that affect its iPhones, iPads, macOS computers, and Apple TV and watches, and warned that some of these bugs have already been exploited.
Here's a quick list of all of the security updates released late on Monday afternoon:
Monday, July 24, 2023
A positive consumer security move by the US Government
This seems like a decent step forward:
The goal of the new US Cyber Trust Mark, coming voluntarily to Internet of Things (IoT) devices by the end of 2024, is to keep people from having to do deep research before buying a thermostat, sprinkler controller, or baby monitor.
If you see a shield with a microchip in it that's a certain color, you'll know something by comparing it to other shields. What exactly that shield will mean is not yet decided. The related National Institute of Standards and Technology report suggests it will involve encrypted transmission and storage, software updates, and how much control a buyer has over passwords and data retention. But the only thing really new since the initiative's October 2022 announcement is the look of the label, a slightly more firm timeline, and more input and discussion meetings to follow.
We'll have to see how this plays out, but better consumer information on security is A Good Thing.
Friday, July 14, 2023
Begun, the AI malware wars are
Cybercriminals are leveraging generative AI technology to aid their activities and launch business email compromise (BEC) attacks, including use of a tool known as WormGPT, a black-hat alternative to GPT models specifically designed for malicious activities.
According to a report from SlashNext, WormGPT was trained on various data sources, with a focus on malware-related data, generating human-like text based on the input it receives and is able to create highly convincing fake emails.
The only real defense you have against this new AI-generated email threat is to be very, very cautious (should I say "suspicious") of all emails that you get. As with firearms, the most important computer security safety tool is between your ears.
Tuesday, July 11, 2023
Interesting new WiFi security tool
This is pretty geeky, but is also pretty interesting:
Cybersecurity researchers have released a new tool called 'Snappy' that can help detect fake or rogue WiFi access points that attempt to steal data from unsuspecting people.
Attackers can create fake access points in supermarkets, coffee shops, and malls that impersonate real ones already established at the location. This is done to trick users into connecting to the rogue access points and relay sensitive data through the attackers' devices.
As the threat actors control the router, they can capture and analyze the transferred data by performing man-in-the-middle attacks.
Trustwave's security researcher and wireless/RF tech enthusiast Tom Neaves explains that spoofing the MAC addresses and SSIDs of legitimate access points on open networks is trivial for determined attackers.
The devices of those who revisit the locations of open wireless networks they previously connected to will automatically attempt to reconnect to a saved access point, and their owners will be oblivious to the fact that they're connecting to a malicious device.
Snappy is a free tool (available in about 100 lines of Python source code) that will tell you if the access point that you're connecting to is the same one that you connected to before. There are all sorts of parameters that an access point advertises, including name (this is what rogue access points advertise) but also things like vendor, supported data rates, channel, and max power (among other things).
Snappy compares all of these to what your legitimate access point advertises and warns you if there is a mismatch. Clever.
It's also clever to name your access point "Rouge". Well, it was in 1998.
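To make the comparison Snappy does concrete, here is an added example (my own illustration, not Snappy's source) that fingerprints an access point from the parameters it advertises and reports which ones drifted from a saved baseline. The field names and the two sample access point records are constructed for the example.

```python
import hashlib
import json

# Beacon parameters treated as the access point's fingerprint. These field names
# are assumed for this example; a scanner would fill them from the beacon frame.
# SSID and BSSID alone are trivially copied, so the radio details carry the weight.
FINGERPRINT_FIELDS = (
    "ssid", "bssid", "vendor", "channel", "supported_rates",
    "max_tx_power_dbm", "country_code", "ht_capable",
)


def normalize(ap):
    """Canonical view of an AP record: fingerprint fields only, rates sorted."""
    view = {field: ap.get(field) for field in FINGERPRINT_FIELDS}
    if isinstance(view["supported_rates"], (list, tuple)):
        view["supported_rates"] = sorted(view["supported_rates"])
    return view


def fingerprint(ap):
    """Stable SHA-256 of the canonical record, suitable for saving as a baseline."""
    canonical = json.dumps(normalize(ap), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def mismatches(baseline, observed):
    """List of (field, expected, observed) for every parameter that changed."""
    base, seen = normalize(baseline), normalize(observed)
    return [(f, base[f], seen[f]) for f in FINGERPRINT_FIELDS if base[f] != seen[f]]


def check(baseline, observed):
    """Return (is_same_ap, report_lines); a matching name with changed radio
    characteristics is exactly the pattern the text says is worth warning about."""
    diffs = mismatches(baseline, observed)
    if not diffs:
        return True, ["OK: advertised parameters match the saved baseline"]
    lines = ["WARNING: access point does not match the saved baseline"]
    lines += ["  %s: expected %r, observed %r" % d for d in diffs]
    return False, lines


# Constructed sample records, shaped like a scanner's output (not real devices).
SAVED_COFFEE_SHOP = {
    "ssid": "CoffeeShop-Guest", "bssid": "00:11:22:33:44:55", "vendor": "ExampleVendor-A",
    "channel": 6, "supported_rates": [1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54],
    "max_tx_power_dbm": 20, "country_code": "US", "ht_capable": True,
}
# Same SSID and BSSID, but the hardware underneath advertises different capabilities.
SPOOFED_COFFEE_SHOP = dict(
    SAVED_COFFEE_SHOP, vendor="ExampleVendor-B", supported_rates=[1, 2, 5.5, 11],
    max_tx_power_dbm=30, ht_capable=False,
)

if __name__ == "__main__":
    print("\n".join(check(SAVED_COFFEE_SHOP, SPOOFED_COFFEE_SHOP)[1]))
```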