The IT Nerd

Most people think that home routers are “plug in and forget” items that allow them to get their devices onto the Internet with having to think about it any further. Except that they aren’t “plug in and forget” devices. They provide security for your home network, which means that you have to make sure that the firmware is up to date. That also requires that the vendor of the router is on top of security threats and the like, and that they are putting out firmware for you to install.

That’s where this study from the Fraunhofer Institute for Communication comes in. It involved 127 routers from seven manufacturers and found the following:

• The researchers compared the firmware images from each tested router with known vulnerabilities and exploits, and the findings were disturbing. Many of the routers were found to be affected by hundreds of known vulnerabilities. Not a single router tested found to be without at least one known vulnerability. And 46 of the routers tested had not received an update in the last year. And 22 had not updated in the last two years. In the worse case, some routers were found to have not been updated in five years.
• Even when routers had received updates, 50 were found to used hard-coded qualifications: The username and password were encoded into the router as a default, meaning that attackers could easily gain access.

Then there’s the question of who makes security a top priority. Here’s the answer:

Nonetheless, vendors seem to prioritize security differently. Especially AVM does a better job than the other vendors regarding most of the security aspects. However, AVM routers are not flawless as well. ASUS and Netgear do a better job on some aspects than D-Link, Linksys, TP-Link and Zyxel.

Now while I could quibble about aspects of this study, I think the study paints a pretty stark picture. And router companies need to up their game. But until they get around to doing that, here’s my advice to minimize your risk:

1. Buy a router from a company that is known to have frequent updates to their products, and who has a track record for updating their products over the long term.
2. Check for updates frequently and apply them ASAP. Because hackers are not looking for routers that are up to dat. They’re looking for the ones that aren’t.
3. Check the router logs from time to time to make sure that there’s no funny business goin on in terms of someone trying to break into your network.

Wired has a story on a new type of Mac ransomware that is out there. Now if you don’t download pirated software, this isn’t a threat to you. At least not at the moment. But that is likely to change given how sophisticated this ransomware is:

The threat of ransomware may seem ubiquitous, but there haven’t been too many strains tailored specifically to infect Apple’s Mac computers since the first full-fledged Mac ransomware surfaced only four years ago. So when Dinesh Devadoss, a malware researcher at the firm K7 Lab, published findings on Tuesday about a new example of Mac ransomware, that fact alone was significant. It turns out, though, that the malware, which researchers are now calling ThiefQuest, gets more interesting from there. In addition to ransomware, ThiefQuest has a whole other set of spyware capabilities that allow it to exfiltrate files from an infected computer, search the system for passwords and cryptocurrency wallet data, and run a robust keylogger to grab passwords, credit card numbers, or other financial information as a user types it in. The spyware component also lurks persistently as a backdoor on infected devices, meaning it sticks around even after a computer reboots, and could be used as a launchpad for additional, or “second stage,” attacks. Given that ransomware is so rare on Macs to begin with, this one-two punch is especially noteworthy.

Though ThiefQuest is packed with menacing features, it’s unlikely to infect your Mac anytime soon unless you download pirated, unvetted software. Thomas Reed, director of Mac and mobile platforms at the security firm Malwarebytes, found that ThiefQuest is being distributed on torrent sites bundled with name-brand software, like the security application Little Snitch, DJ software Mixed In Key, and music production platform Ableton. K7’s Devadoss notes that the malware itself is designed to look like a “Google Software Update program.” So far, though, the researchers say that it doesn’t seem to have a significant number of downloads, and no one has paid a ransom to the Bitcoin address the attackers provide. […] Given that the malware is being distributed through torrents, seems to focus on stealing money, and still has some kinks, the researchers say it was likely created by criminal hackers rather than nation state spies looking to conduct espionage.

Clearly this is pretty sophisticated stuff and the means of distributing it will likely become more targeted over time as I cannot see the authors of this ransomware sticking with the method of hoping that you will download pirated software. I say that because whoever designed this clearly has something more “interesting” in mind.

Here’s some general advice for you. Back you your files every single day. That way if you get infected by ransomware, you can just nuke the computer and restore your files and go on with your life without paying the ransom. Which by the way, paying the ransom is something that you should never, ever do as it only encourages the scumbags who make ransomware. And you might not get your files back either. Which means that you handed these scumbags your money for no good reason.

Israel based NSO Group is making noise today by making some stunning claims. The Financial Times has details, but let me boil it down for you. In short this company has been telling its government customers that its Pegasus malware can now extract far more data about any given individual. Specifically, it can snag data on the person’s smartphone, as well as covertly retrieve all of the information that person has stored on servers owned by Apple, Google, Microsoft, Facebook and Amazon. This is a stunning revelation, assuming that this is true of course. Which it could be because this is the same group who hacked WhatsApp back in May. That forced an emergency patch to be issued by Facebook who owns WhatsApp.

Now both Apple, Amazon and Microsoft have put out statements saying they’re investigating this threat. And the word on the street is that Apple has blocked previous versions of this malware before. So this may be either a non-factor very quickly. or it might be the start of a game of cat and mouse that has users of these devices in the middle.

UPDATE: Mike Beck, Global Head of Threat Analysis for Darktrace reached out to me with this comment:

“This news highlights the reality of the cyber arms industry – private organisations, of which NSO is one example, are developing and selling spyware which is then often used by government agencies to catch sophisticated criminals. It stands to reason that national governments who are not equipped with large national intelligence budgets will look to the private sector to provide this capability.

However, if private sector companies are authorised to develop cyber weapons, outside of the accountability of government institutions, there are concerns about how these tools can be used. In the wrong hands, we could see this malware used to collect intelligence on average citizens and even used against nation-states, as part of cyber-warfare.

As the world’s attitude towards cyber-security matures, we can expect international law to control the use of these weapons. Meanwhile the likes of Apple, Google and Facebook will need to demonstrate that they can identify security threats and intervene rapidly, before user data is breached. AI will be a necessary ally to achieve this, given the complexity of today’s threat landscape, and the volume and diversity of the data systems that require protecting.”

You might recall that British Airways was the victim of a massive data breach that caused heads to explode on both sides of the Atlantic ocean. Today BBC is reporting that they might get slapped with a £183m fine which is a record for this sort of thing, The previous biggest fine was the £500,000 fine imposed on Facebook for its role in the Cambridge Analytica data scandal. But under GDPR, companies who get pwned are subject to fines of either:

• Up to €10 million, or 2% annual global revenue – whichever is greater
• Up to €20 million, or 4% annual global revenue – whichever is greater

So if a company makes more than €20 million in terms or revenue, then they are subject to the 4% number. That would be British Airways. Now the airline has 28 days to appeal. But I for one hope that the appeal fails so that it would send a message that you can’t screw up and not expect to get punished. Which is the way it should be.

There is a dangerous new piece of Mac malware masquerading as a Flash player that is making the rounds. It’s been discovered by Intego and the details have been posted vis this blog post. Now here’s the first reason why this is dangerous:

If a user opens the .dmg disk image and opens the Player app (which has a Flash Player icon), the Trojan horse will first check to see whether it is running inside a virtual machine (VM). Malware analysts often examine malware inside a VM to avoid unintentionally infecting their own computers while working with dangerous files, so malware authors sometimes implement VM detection and behave differently to make it more difficult to analyze the malware’s behavior.

I have never seen a piece of malware do this before. That makes it very difficult to study and create countermeasures against. That’s not good. Now here’s the second reason why this is dangerous.

The OSX/CrescentCore Trojan app also checks to see whether any popular Mac antivirus programs are installed.

If the malware determines that it’s running within a VM environment or with anti-malware software present, it will simply exit and not proceed to do anything further.

Clearly that means that this malware is targeting Mac users that don’t run anti-virus apps. Of which there are many as there is still this rather flawed perception that Mac users don’t need protection from malware via an antivirus app. Thus the take home message is that you need the protection of an antivirus app whether you run Mac or PC products. But there’s another take home message. There is no need for Flash. Don’t download any version of Flash be it the legit version or the fake versions. Most websites have dumped Flash and Adobe will not be supporting it after next year. Protect yourself and don’t download Flash of any sort.

From the “worst idea ever” file comes a report in Politico that the Trump administration held a National Security Council meeting on Wednesday that weighed the challenges and benefits of encryption. And in said meeting, this happened:

Senior officials debated whether to ask Congress to effectively outlaw end-to-end encryption, which scrambles data so that only its sender and recipient can read it, these people told POLITICO. Tech companies like Apple, Google and Facebook have increasingly built end-to-end encryption into their products and software in recent years — billing it as a privacy and security feature but frustrating authorities investigating terrorism, drug trafficking and child pornography.

“The two paths were to either put out a statement or a general position on encryption, and [say] that they would continue to work on a solution, or to ask Congress for legislation,” said one of the people.

But the previously unreported meeting of the NSC’s so-called Deputies Committee did not produce a decision, the people said.

A decision to press for legislation would have far-reaching consequences for the privacy and security of tens of millions of consumers and effectively force companies such as Apple and Google to water down the security features on their smartphones and other devices.

I honestly don’t know which is worse. The fact that this is being discussed at all, or it’s being discussed behind closed doors. But in any case, Trump isn’t the first president to try this. Obama tried something like this, and before him the second George Bush tried  something like this, and Bill Clinton tried something like this too. None of those went anywhere because they all got epic pushback on various fronts. I expect that to happen here too as Silicon Valley are no fans of the Trump administration. And congress are unlikely to go along with this. Though it does bear watching as this is far from being a trivial exercise.