Archive for the Security Category

« Older Entries

How To Check To See If Your ASUS Router Has Been Pwned

Posted in Security with tags on June 2, 2025 by itnerd

Shortly after this story dropped about ASUS routers being pwned right, left and centre, I got a number of emails asking me to detail how one can check their routers to see if they’e been pwned. To that end, I am going to put forward two options for you to make sure you’re not affected by this.

Option 1: Factory reset your router.

If you’re really paranoid about this, taking the nuclear approach and resetting your router may not be a bad idea. While this vulnerability can survive reboots and firmware updates, it cannot survive a factory reset. ASUS has a document that tells you how to do that. And after you do that, you should set it up again from scratch. Meaning that you should not use a backup to set it up. That way you don’t import the vulnerability back into the router. That means that you should make a note of your settings before you factory reset it.

Option 2: Checking to see if you have been pwned.

Given that about 10,000 routers have been affected by this worldwide, your odds of being affected by this are low. But it’s not zero so checking to if you have been pwned is a good idea. Here’s how you do it. I am using the RT-BE86U in this example so your ASUS router may have this in a different location:

  1. Log into your router
  2. Click on Administration on the left.
  3. Click on System on the top. That will take you to this screen:

See if Enable SSH is enabled. If it isn’t, you’re likely not affected. But it never hurts to dig deeper. Choose LAN and WAN to get to this screen:

If you see anything in the SSH Port section and the Authorized Keys section that you did not put there, chances are that you’ve been pwned. Specifically, you’ve been pwned if you see these values:

SSH Port: 53282

Authorized Keys: AAAAB3NzaC1yc2EAAAABIwAAAQEAo41nBoVFfj4HlVMGV+YPsxMDrMlbdDZ

I’ve only put in part of the key to stop people from self pwning their router. But if you see both of these, you’ve been pwned and you should immediately reset your router as per option 1 and ensure that the firmware in the router is up to date.

4. Do not save any of the settings and simply log out of your router if you find nothing there.

Now the threat actors have been exploiting a number of vulnerabilities that ASUS has either patched or will patch. Thus even if you are clear when you have a look at these settings, I would strongly recommend watching the ASUS website for other firmware updates and install them when they become available. Or use the ASUS Router app to check for firmware updates. As an aside, you should always ensure that your router always has the latest firmware installed on it.

Finally, there is no practical reason why anyone needs remote access to their router via any means. Be it a vendor supplied method, or via SSH or anything like that. I say that because all it does is give threat actors a means to pwn you. Thus if you value your security, never, ever enable remote access in any way shape or form on your router and be happy. It won’t make you 100% safe, but it will make you a whole lot safer.

Leave a comment »

Adobe Says Install Flash Update NOW

Posted in Security with tags on February 4, 2014 by itnerd

I don’t see this everyday.

Adobe today released a “priority 1” update to Flash that the company recommends that you install within the next 72 hours to protect your computer. From what you may ask? Apparently, an attacker could take control of your system remotely. Here’s what the company said:

Adobe has released security updates for Adobe Flash Player 12.0.0.43 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.335 and earlier versions for Linux. These updates address a critical vulnerability that could potentially allow an attacker to remotely take control of the affected system.

Adobe is aware of reports that an exploit for this vulnerability exists in the wild, and recommends users update their product installations to the latest versions

You can get the latest Flash Player here. I’d update now if I were you.

 

Leave a comment »

Hey IT Nerd: Should I Remove Old Java Versions?

Posted in Security with tags , on June 19, 2013 by itnerd

I got this question from a reader today:

“Hello IT Nerd. I read your blog often and I had a question for you. I just updated my installation of Java and it opened a web page offering to remove older versions of Java. Do I need to do that?”

Thanks for reading my blog!

The page that this reader is referring to is this one. It’s a Java based uninstall tool that is designed to find older versions of Java and remove them. It appears to have popped up to users when Java released their latest update a day or two ago. Though I will admit that it may have been there for much longer and simply wasn’t presented to users when they updated. You should use it as there are plenty of exploits out there that leverage older versions of Java. In short, if you want to be secure and you have to run Java rather than remove it, you should use this tool.

There is one catch though This tool is Windows only. If you’re running anything else such as a Mac or a LINUX box, you’re forced to remove older versions manually. Not the biggest deal in the world for those who are technically skilled, but it would be nice if Oracle brought this same functionality to other platforms.

Leave a comment »

A Customer Gets Hit By Nigerian Scammers…. Be Warned!

Posted in Commentary, Security with tags , , on June 4, 2012 by itnerd

I got a call early last week from a customer who found out from friends that the following e-mails were coming from her e-mail account:

I’m writing this with tears in my eyes, I traveled to Tarragona in Spain for a program and unfortunately for me i was robbed on my way to the hotel. Cash, cell-phone and credit cards were also taken from me. I am so confused right now, I don’t know what to do or where to go. So I have access to only emails.

     I’ve been to the embassy and the Police here but they’re not helping issues at all,they asked me to wait for 3weeks but i can’t wait till then.The hotel manager won’t let me leave until i settle the hotel bills.Please can you lend me €1,350 Euro so i can pay for my bills and also arrange for my flight back home. As soon as I get home I would refund it immediately. Please I need you to get back to me so I can let you know how to send the money to me.
I’m looking forward to hearing from you.

Clearly this was a Phishing scam at work. I juggled my schedule and got to her house as soon as I could. I discovered that her Yahoo Mail account has been hacked in some very interesting ways. First the reply to address was changed to one that ended in .ca rather than .com which is what her’s ended in. That way when people replied to the above e-mail, it would go straight to the scammers. Next they redirected anything that was destined to her inbox to a mobile device like a Windows phone or an Android phone. Third they had a e-mail sorting rule set up to send items to the trash. Fourth they added a secondary e-mail account to replicate e-mail to. Finally, they deleted her address list.

Now it took me a while to undo all of that. But in the process of that I was interested in how long this might have been going on. Yahoo Mail has a feature that shows you the login history of the account. What I saw didn’t surprise me. Since April, someone was accessing this person’s e-mail account from Nigeria. Of course Nigeria is the world capital for Internet based scams which are referred to as 419 scams because of the Nigerian Criminal Code section that covers this crime. The problem was that this person was about to go on a trip and had been booking her trip online and having everything related to it coming to this Yahoo Mail account. Thus I was afraid that other accounts could have been compromised. As it turned out, her Visa card had unauthorized transactions on it. Not good. As a result, that’s been corrected by getting a new card and all her online accounts such as shopping sites and airline sites had their passwords changed. The customer also contacted them to watch for any other “interesting” activity going forward. Finally she changed her password for her Yahoo Mail account to a much stronger one.

So, what do you do if you’re in this situation? You need to act immediately to protect yourself. You should also make sure that nothing else has been hit by the same people who hacked your e-mail. Finally, you need to make sure that none of the people on your contact list are going to send money to the scammers. The latter is important as one of this customer’s friends had just finished withdrawing money to send to her. Had my customer not stopped them, the scammers would have scored.

And that’s why these scumbags do this. If they get one person to fall for this, they score. Do yourself a favor and don’t be their next victim.

1 Comment »

So It’s April 1st And The Planet Hasn’t Imploded Because Of Conficker…..

Posted in Security, Tips with tags on April 1, 2009 by itnerd

… Does that mean that we’re out of the woods? I say that we’re not. Viruses with triggers have consistently failed to do anything on the date they were supposed to. Just look at the Michelangelo virus (1992), CIH (1999), SoBig (2003), and MyDoom (2004) for examples of this. But you never know.

To that end, I spent yesterday running around making sure my clients comptuers were clean of the nortious virus and making sure they have all the latest Microsoft updates installed. So I can say that at least my clients are protected from whatever this is. Now I have to catch up on my blogging.

🙂

I’ve pointed out some good resources on this virus in the past. So if you haven’t looked at them, you may want to now. In the meantime, we’ll see if this is much ado about nothing. Or if a Skynet like botnet is about to come on line.

1 Comment »

Conficker: Everything You Need To Know

Posted in Security, Tips with tags on March 27, 2009 by itnerd

On April 1, a malicious piece of code called Conficker (A.K.A. Kido or Downup) is expected to try to connect to a control center and do “something.” Nobody knows what yet, but whatever it is, it can’t be good. Estimates say that as many as 10 million PCs are infected with this piece of code.

How do you protect yourself? I’d do the following:

  1. UPDATE YOUR COMPUTER! This is vital as the code gets in via unpatched computers. So run Windows Update ASAP.
  2. Scan you computer with an online virus scanner such as Trend Micro’s Housecall to make sure you’re clean.

What happens if you are infected? I would recommend calling a computer professional or checking these links from Symantec for removal instructions:

W32.Downadup.A writeup
W32.Downadup.B writeup
W32.Downadup.C writeup

There’s also this removal tool that I have mentioned previously.

If anybody has any other advice that can be helpful to users, please leave a comment and share your wisdom.

1 Comment »

New Threat Targets Routers And Dumb People

Posted in Security, Tips with tags , on March 24, 2009 by itnerd

A new bit of nasty code called “psyb0t” is making the rounds today. It’s a piece of marware that is backed up by a rather large botnet that is designed to attack Linux-embedded routers. Here’s the kicker, it then tries to take over routers that the default user name and password has not yet been changed, or was changed to something too simple.

In other words, it targets users who are too dumb to have a reasonably secure password on their router.

I’ve reported on an explot like this previously, and the advice that I had then still applies now. So if you haven’t already changed the password on your router (or hopped through a few extra hoops if you’ve got WiFi), now would be a good time to do that.

Otherwise, you’ll join the ranks of dumb people.

1 Comment »

Infected By Downadup/Conficker? Finally There’s A Cure For You!

Posted in Security with tags on March 13, 2009 by itnerd

BitDefender has released a cure for the Downadup/Conficker virus that has the title of the most dangerous virus on the Internet. What the virus does is it exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008. It spreads primarily through a buffer overflow vulnerability in Windows Server Service where it disables the operating system update service, security center, including Windows Defender, and error reporting.

According to BitDefender:

BitDefender is the first to offer a free tool which disinfects all versions of Downadup and is available for all infected users at: http://bdtools.net This domain is the first to serve a removal tool without being blocked by the e-threat.

So if you’re in deep with this virus, you now have a way out.

Leave a comment »

How To Erase Your Hard Drive So That Others Can’t Get Your Data

Posted in Security, Tips on February 3, 2009 by itnerd

Here’s a nasty little secret: When you erase your hard drive (or many other types of storage media), your files are still there for anyone to find. That can come back to haunt you in terms of fraud and ID Theft. The more paranoid among us will say that you should destroy the hard drive, and while that will work it is a bit extreme. I prefer to secure erase the drive myself. The application that I recommend for this task is Darik’s Boot And Nuke. It is a downloadable CD image that you burn to a CD-R and then use it to boot and nuke your computer in an absolutely secure manner so that nobody can get your data back. One thing to keep in mind is that it can take three to five hours to complete this task, your mileage may vary. But that’s the only way to securely erase a hard disk.

I highly recommend this if you are selling a computer and you want to make sure that your stuff is gone. Just make sure to make a backup first.

1 Comment »

Windows Media Player Vulnerable To Hackers: Truth Or Fiction?

Posted in Security with tags on December 30, 2008 by itnerd

This is going to become a very interesting topic to watch for at least the next three weeks or so. According to a security researcher, a bug in Windows Media Player is a gateway for hackers to inject hostile code onto vulnerable systems. The research has been published on Security Tracker and on SANS complete with a proof of concept sample. However Microsoft has denied that this causes nothing more than a crash of Windows Media Player:

Those claims are false. We’ve found no possibility for code execution in this issue. Yes, the proof of concept code does trigger a crash of Windows Media player, but the application can be restarted right away and doesn’t affect the rest of the system.

They then go on to rip the researcher a new one:

Unfortunately, the researcher chose not to come to us with this initial report. If he had, we would’ve done the exact same investigation we just completed. When we were done, we would have let them know what we found, asked him if he thinks we might have missed something, continued the investigation if there was more information and ultimately closed the case if we didn’t find a vulnerability. This is how we handle all of the cases we investigate with responsible researchers every year. And even when people choose not to report issues responsibly, we do the same thing: launch an investigation to fully research the claims and take action to appropriately address any and all issues that we find in that investigation.

Oh, in case you were wondering, Microsoft said that the flaw had already been identified during routine code maintenance and corrected in Windows Server 2003 Service Pack 2. Other fixes for other operating systems are apparently coming “real soon now.”

So is this fact or fiction? Until I see someone verify this research, it’s hard to say. But if you see a fix for this on the next “patch Tuesday” then it may be fact.

Leave a comment »

« Older Entries