Seagate QUIETLY Patches Security Flaw In Their Personal Cloud NAS Devices

Posted in Commentary with tags on January 18, 2018 by itnerd

If you have a Seagate Personal Cloud NAS device, I’d advise you to check for a firmware update because according to a security researcher, there was a nasty bug that Seagate apparently quietly patched after not acknowledging that the flaw even existed:

The vulnerability affects Media Server, a web application that runs on the NAS and allows users to interact with the data stored on the device via a network connection.

And:

The flaw, named an unauthenticated command injection, allows attackers to run commands on the device’s underlying firmware from its web management interface.

Koster put together proof-of-concept code that would use the flaw to enable remote SSH access on the Seagate NAS and then change its root password.

One note is that you have to be on the local network to pull that off. But there is plenty of malware capable of getting onto a local network and potentially exploiting something like this, so this isn’t a trivial risk.
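To show what “command injection from the web management interface” means in practice, here is an added illustration in Python that is not code from the article, from Seagate, or from Koster’s proof of concept. It contrasts a vulnerable handler that splices a client-supplied directory name into a shell string with a hardened version that validates the name and runs the command without a shell, and it includes a defender-side check that applies the same validation to access-log entries so an administrator can spot malformed requests. The `/api/list?dir=` endpoint, the media root path, and the log lines are all assumptions constructed for this example.

```python
import re
import subprocess
from urllib.parse import unquote

# Assumed media root for the hypothetical handler (constructed for this example).
MEDIA_ROOT = "/srv/media"


def build_shell_command_vulnerable(subdir: str) -> str:
    """Vulnerable pattern: untrusted input is spliced into a shell string.
    Once this string reaches /bin/sh, anything after ';', '|', '&&' or
    inside '$(...)' is executed as a separate command."""
    return f"ls -l {MEDIA_ROOT}/{subdir}"


# Exactly one path segment: letters, digits, dot, dash, underscore.
# No slashes, spaces or shell metacharacters can pass this.
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def validate_subdir(subdir: str) -> str:
    """Allowlist validation; '.' and '..' match the regex but are still rejected."""
    if not SAFE_SEGMENT.fullmatch(subdir) or subdir in (".", ".."):
        raise ValueError(f"rejected directory name: {subdir!r}")
    return subdir


def is_rejected(subdir: str) -> bool:
    """Convenience wrapper so callers can test a name without catching exceptions."""
    try:
        validate_subdir(subdir)
    except ValueError:
        return True
    return False


def build_argv_hardened(subdir: str) -> list:
    """Hardened pattern: validated input becomes one argv element, and the
    command is later run with shell=False, so metacharacters are never parsed."""
    return ["ls", "-l", f"{MEDIA_ROOT}/{validate_subdir(subdir)}"]


def list_media(subdir: str) -> subprocess.CompletedProcess:
    """Runs the hardened command without a shell (ls is only a stand-in here)."""
    return subprocess.run(build_argv_hardened(subdir), shell=False,
                          capture_output=True, text=True)


# Pulls the dir= value out of a request line; stops at space, '&' or the closing quote.
DIR_PARAM = re.compile(r'/api/list\?dir=([^ &"]*)')


def suspicious_dir_params(log_lines) -> list:
    """Defender-side check over access-log lines: report every decoded dir=
    value that fails the same validation the handler applies. Lines without
    the parameter are skipped."""
    hits = []
    for line in log_lines:
        match = DIR_PARAM.search(line)
        if not match:
            continue
        value = unquote(match.group(1))
        if is_rejected(value):
            hits.append(value)
    return hits


# Constructed sample access-log lines (not from the article or any real device).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Jan/2018:09:00:01 +0000] "GET /api/list?dir=movies HTTP/1.1" 200',
    '192.0.2.10 - - [18/Jan/2018:09:00:07 +0000] "GET /api/list?dir=movies%3Bid HTTP/1.1" 200',
    '192.0.2.10 - - [18/Jan/2018:09:00:09 +0000] "GET /api/list?dir=..%2F..%2Fetc HTTP/1.1" 200',
    '192.0.2.11 - - [18/Jan/2018:09:01:00 +0000] "GET /api/status HTTP/1.1" 200',
]


if __name__ == "__main__":
    print("vulnerable string:", build_shell_command_vulnerable("movies; id"))
    print("hardened argv    :", build_argv_hardened("movies"))
    print("flagged params   :", suspicious_dir_params(SAMPLE_LOG))
```

The key design point is that validation and `shell=False` work together: the allowlist keeps the value to a single plain path segment, and passing an argv list means the operating system receives the value as data rather than as text for a shell to parse. Reusing the same validator over the access log gives the administrator a cheap way to see whether anyone has been probing the endpoint with separators or traversal sequences.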

Here’s the key point to all of this:

[Security researcher named Yorick] Koster has reached out to Beyond Security’s SecuriTeam managed vulnerability program to inform Seagate of the issue he discovered. Beyond Security, on behalf of Koster, has reached out to Seagate.

“Seagate was informed of the vulnerability on October 16, but while acknowledging the receipt of the vulnerability information, refused to respond to the technical claims, to give a fix timeline or coordinate an advisory,” Beyond Security wrote.

But Koster has told Bleeping Computer that while ignoring the vulnerability report, Seagate has quietly patched the flaws he reported.

“I can confirm it is fixed on my NAS,” Koster told Bleeping Computer, pointing us to the Seagate Personal Cloud changelog for version 4.3.18.0.

That’s really craptastic handling of this issue by Seagate. The fact that they didn’t respond to this, nor did they wrap any timelines around a fix isn’t cool. The only good news is it looks like they fixed this within the 90 day window that the responsible disclosure protocol demands. But clearly their communication needs to be better. In any case, if you have one of these devices, you need to patch it ASAP.


Current & Former Rogers Employees Say They Are Coached To Aggressively Upsell

Posted in Commentary with tags on January 18, 2018 by itnerd

Earlier this week I brought you a story where it came to light that Rogers employees in their call centers were told that they had to make a sale on every call and managers turned a blind eye. Since that report, CBC has been in contact with present and former Rogers call center employees who go into detail about what goes on at the telco’s call centers:

An employee who worked at a Rogers call centre in Brampton, Ont., for four years before leaving in 2015 says he and his colleagues were instructed not to mention cancellation fees from other providers when a customer switched to Rogers. CBC has confirmed his employment history, but is not identifying him — or some others in this story — because they fear they will lose their jobs.

“Because these fees were not charged by Rogers itself, we were told to gloss over them as quickly, vaguely and incoherently as possible,” he writes. “Often while the customer was speaking at the same time.”

Another trick, he says, was to secretly reduce certain services — such as the number of television channels a customer received — so he could add new services, such as a home phone line they didn’t necessarily need, but that earned points toward his monthly sales target.

“It was a calculated game of misery,” he says. “How much could you lower their existing services so they wouldn’t immediately notice, while at the same time adding as much in new services as you could?”

He says when he expressed concern over these practices, his manager reminded him that he worked in sales, and said, “It’s not your job to care.”

That sounds pretty bad. But it actually gets much worse than that:

When those customers would ask to speak to a manager, he says agents would just transfer the call to a fellow agent, who would repeat claims that there was nothing they could do to resolve an issue.

“The goal,” he says, “was for the customer to be so frustrated, speaking to someone who couldn’t do anything more than you, that they ended the call.”

Now this is something that I have heard before. I know two former Rogers call center employees who years ago told me that this was a common practice within their call centers. Thus I am not surprised that this is being mentioned in this article. But it still gets worse:

Debbie Sears handled Rogers customer calls from her home in Kingston, N.S., through a third-party company.

“We were constantly being threatened that we would be fired if we did not upsell — add a home line or a cellphone to the account,” she says. “It was a pressure cooker.”

“They expected you to sell on every call. And you were told time and again, ‘Never take no for an answer. Push, push, push!’”

“I have a hard time selling something that’s useless to them [customers],” says Sears. “I told them right from the start, and they said, ‘Oh well, you’ll get used to it.’”

She didn’t. Instead, Sears says she started having panic attacks before starting work, and her blood pressure went “through the roof.”

“My doctor was very worried I’d have a stroke,” she says. “When I got laid off [for not selling], they did me a favour.”

I couldn’t imagine working in an environment like that. But as bad as that sounds, there’s still worse. There are claims that “senior leadership” knew about and encouraged this behavior:

A former Rogers manager also contacted Go Public, admitting he was one of the people who put pressure on workers in the Ottawa call centre.

He says the pressure to upsell was so intense in 2015 that a Rogers memo (provided to Go Public) directed senior leadership to put more than two-thirds of all the call centre workers on a “performance improvement plan” — to encourage them to sell more, or risk getting terminated.

“Every day we’d have a meeting about sales targets,” he says. “A big part of my job was to manage out the low performers. Witch-hunting those people.”

On the other hand, he says, top sellers were protected — even if they behaved unethically.

“Senior leadership would often issue directives to the team managers to protect their top-level performers by turning a blind eye,” he says. “Protect the tops.”

Now you can read into whatever you want when it comes to “senior leadership”, but all of this makes Rogers sound like a horrible place to work. Now Rogers denies all of this and they’ve circled the wagons by sending out talking points to their call center staff since this story first hit the press. But given what I know from people who speak to me on background, as well as my interactions with the company, I suspect that all the claims that are here are more fact than fiction. Which is a problem if you are Rogers. I think that simply denying these accusations won’t get them very far. What they need to do instead is fully and robustly investigate these claims, then come out to the public and say what they found and what they’re going to do about it so that customers don’t feel like the telco is going to rip them off, and what they’re going to do to make sure their employees don’t feel like they’re going to hell every day they’re going to work. Because right now I can say that since these stories have surfaced, the public perception of Rogers, which wasn’t very good, is far worse now. And that’s not a good place to be if you’re Canada’s largest telco.

Apple To Planet Earth: You’ll Be Able To Disable Throttling For Aging iPhone Batteries

Posted in Commentary with tags on January 18, 2018 by itnerd

Speaking to ABC News, Apple CEO Tim Cook revealed the company will be releasing an iOS update which will enable users to disable intentional CPU throttling of devices with aging batteries. So for you iPhone 6 and 6S users, it means that if you’re willing to risk your phone shutting down every so often, you’ll get all the performance that you crave. He also took the opportunity to again apologize for “Batterygate”, saying that Apple did tell users about these iOS updates and what was happening when it came to throttling back performance, “but I don’t think many people were paying attention” when they were released.

The update that Cook spoke of is apparently due next month. It will be interesting to see if that update quiets “Batterygate” down or ramps it up even further.


EXCLUSIVE: Linksys Rolling Out Firmware Fixes For WRT32X & WRT3200ACM

Posted in Commentary with tags on January 17, 2018 by itnerd

I just got off the phone with representatives from Linksys who shared with me some news in relation to the WRT32X and WRT3200ACM issues that I’ve been writing about for the last month.

First, they shared with me the root cause analysis of the issues that these routers have had. One cause is this Google issue that I wrote about yesterday. But I want to add to what I wrote yesterday to say that the problems with things like Google Chromecasts and Google Home killing your WiFi also extend to Android phones. Why is this important? When I was trying to troubleshoot the WiFi issues with my WRT32X, I had a couple of Android phones turned on and connected to WiFi. When they were turned off, I found that I had a much better WiFi experience than when I had them turned on. This was validated by the experiences of users who were on the Linksys Community. Now this confirmation, further validated by Google saying that they are issuing a fix for this behavior, explains what I was seeing.

However, Linksys isn’t waiting for Google to fix this. The beta firmware for the WRT32X and WRT3200ACM that I told you about this past weekend has a fix for this issue in it. Now I did mention that it was a beta, but I couldn’t find anything wrong with the WRT32X variant of this firmware. Thus I feel comfortable recommending that you install it. But if you don’t want to run beta firmware, which by the way is completely understandable, production firmware is either out or will be out soon. In the case of the WRT3200ACM, that firmware is live as of now. All you need to do is turn on the auto update of your router and you’ll get it. One thing that I should note is that about 50% of WRT3200ACM routers that are in production have received this update already. The version for the WRT32X is coming very soon as it’s still in the QA process. But if you have a WRT32X, you may want to proactively turn on auto update to get this firmware when it appears, as it should be out sometime over the next few days. When it does pop up, I’ll post an update on what my experiences with it are.

One other thing: to further ensure that nothing else that can be classified as “bad” happens, such as the Google fix breaking something else, Linksys will be monitoring the situation and doing additional validation on the Google fix to ensure all their users are happy. One thing that was stressed to me on the call with Linksys is they really want to do right by their users. That’s why you saw them handing out replacement product such as Velop whole home WiFi nodes to customers. WiFi is important to everyone everywhere and Linksys gets that.

In closing, I have an ask for anyone who has a WRT3200ACM or a WRT32X. When you get this firmware update, please leave a comment below with what it’s like as I think it’s important for people to share their feedback on this. Given the results that I saw with the beta, I suspect that users will be very happy once they get the production firmware on their routers. And I think that the world should know about that.

Good day. You’ve Been Pwned!

Posted in Commentary on January 17, 2018 by itnerd

The phone in my home office rang at 4AM this morning. It never rings at that time of the night. So, half asleep, I had a look at the call display screen. The call was from India. Since I do have clients from India, I decided to answer it. The person on the other end was in a panic. They said that they got my number from someone I had flown over there to help and that I came highly recommended.

If I wasn’t half asleep, I would have been flattered.

In any case, they explained their situation. One of their database servers was down. And it turned all their databases into .java files. That woke me up as I had a feeling I knew what was going on. I then requested to start a remote session using GoToAssist with the customer. Once I established the remote session, I started to poke around and I soon confirmed what I was thinking. They had been pwned by ransomware. The confirmation was this file that I found:

[Image: pwned.png]

Basically, they had been pwned by a variant of the Dharma ransomware [Warning: PDF]. I say a variant because the version that I had previously seen encrypted things with a .Dharma extension. But according to this, the new variant that I was dealing with encrypted files with a .java extension. To make matters worse for the customer, he had never done backups of his databases, which were mission critical to his businesses.

#Fail. You should always back up your data. Especially if it’s mission critical.

The fortunate thing for this customer is that there were ways to eliminate the files and possibly recover the data using file decryption software that was mentioned in the article. I then used the instructions to eradicate the virus by hand. I then confirmed that it was gone by scanning it with Trend Micro’s online scanner, as the antivirus software that the server had wasn’t working. My next step was to use the file decryption software that was mentioned in the article to start decrypting the databases. It took a while, but I was able to get them all back. I was then able to move them to a freshly built database server and make them accessible to the company.

Total time invested: 3.5 hours.

The thing is that this customer was VERY lucky. Ransomware attacks typically don’t have happy endings. The fact that it got in and it was able to do what it did indicates that they need a complete review of their IT security practices, as clearly this ransomware was able to get in and pwn them. It could have been a human doing something dumb, or it could have come in via something like a PC that was exposed to the outside world. It could have even been a disgruntled employee. They also need to get into a backup regimen, as the fact that they don’t back up mission critical data is a #fail. Thus I will be making arrangements to go there in a couple of months. But in the meantime, I have some late nights and early mornings to look forward to, as I plan on doing what I can from the other side of the planet.

Fun.


#Fail: BMW Will Make Apple CarPlay A Subscription Service In The US

Posted in Commentary with tags on January 17, 2018 by itnerd

From the “they really didn’t think this through” department comes news via The Verge that BMW in the US will charge $80 a year to subscribe to Apple CarPlay. They argue that this is cheaper than their price to add it on to your BMW, which is a one-time fee of $300 to get Apple CarPlay forever, because:

  1. The first year will be free. Thus you’re only paying $160 rather than $300 if you’re leasing for 3 years.
  2. It will make it “easier” if you flip between Android and iOS devices because you’re not paying for something that you’re not using. That’s an interesting argument as no BMW I am aware of ships with Android Auto. But BMW’s own services will apparently play nice with Amazon Alexa and Google Assistant. Eventually.

This is a really dumb idea and it’s clearly a cash grab aimed at members of “Team iPhone.” There are cars out there that come out of the gate with Android Auto, or Apple CarPlay, or both, and they don’t nickel-and-dime you to death for it. I think for that reason alone, the predictable blowback from iPhone users will make BMW rethink this. Also, you have to wonder if they let Apple know about this, as I am pretty sure that the folks at Apple Park will be dialing up the folks in Bavaria if they’re not happy about this.


Bizarre Link Sent To iOS & macOS Devices Will Cause Them To Crash

Posted in Commentary with tags on January 17, 2018 by itnerd

A Twitter user by the name of Abraham Masri has apparently discovered an exploit that looks like a GitHub link on the surface, but it crashes Messages on both macOS and iOS. It’s been dubbed the “chaiOS” bug.

PLEASE NOTE: While I did repost the link, this is a use-at-your-own-risk sort of thing.

I tried this on my test iOS device and got mixed results:

  • In some instances, sending the link would cause both the sender’s and recipient’s device to respring, or cause the Messages app to instantly freeze and crash.
  • Reentering the thread would cause the Messages app to crash again and again, making the only viable solution to regain access to that thread to delete it and start a new one.
  • I am unable to reproduce this on the latest 11.2.5 iOS beta.

It isn’t known if Apple will put out a mitigation for macOS. In the meantime, you may want to avoid clicking on any links that you get in Messages.