
Submission + - When cybercriminals chat, privacy isn't everything (securityledger.com) 1

chicksdaddy writes: Cyber criminals lurk in the dark recesses of the Internet, striking at random and then disappearing into the virtual ether. But when they want to talk shop with their colleagues, they turn to Redmond, Washington-based Microsoft and its Skype communications tools, according to an analysis by the firm Flashpoint. (https://www.flashpoint-intel.com/blog/cybercrime/cybercriminal-communication-strategies/)

Mentions of different platforms were used as a proxy for gauging interest in and use of these messaging services. Flashpoint analysts looked, especially, for invitations to continue conversation outside of cyber criminal marketplaces, like references to ICQ accounts or other platforms. The survey results show that, out of a population of around 80 instant messenger platforms and protocols, a short list of just five platforms accounts for between 80% and 90% of all mentions within the cyber underground. Of those, Microsoft’s Skype was the chat king. It ranked among the top five platforms across all language groups. That, despite the platform’s lack of end-to-end encryption or forward secrecy features and evidence, courtesy of NSA hacker Edward Snowden, that US spies may have snooped on Skype video calls in recent years, The Security Ledger reports. (https://securityledger.com/2017/04/skype-is-still-the-cybercriminal-chat-king/)

The conclusion: while security is a priority amongst thieves, it isn’t the sole concern that cyber criminals and their associates have. In fact, sophisticated hacking communities like those in Russia continue to rely on legacy platforms like ICQ when provably more secure alternatives exist. The reason? Business.

“These cyber criminals have a lot of different options that they’re juggling and a lot of factors that weigh on their options,” said Leroy Terrelonge III, the Director of Middle East and Africa Research at Flashpoint. “We might suspect that cyber criminals use the most secure means of communication all the time, that’s not what our research showed.”

Submission + - FDA slams St. Jude Medical for ignoring security flaws in medical devices (securityledger.com)

chicksdaddy writes: The U.S. Food and Drug Administration issued a letter of warning to medical device maker Abbott on Wednesday, slamming the company for what it said was a pattern of overlooking security and reliability problems in its implantable medical devices at its St. Jude Medical division and describing a range of the company’s devices as “adulterated,” in violation of the US Federal Food, Drug and Cosmetic Act, the Security Ledger reports. (https://securityledger.com/2017/04/fda-st-judes-knew-about-device-flaws-2-years-before-muddy-waters-report/)

In a damning warning letter (https://www.fda.gov/ICECI/EnforcementActions/WarningLetters/2017/ucm552687.htm), the FDA said that St. Jude Medical knew about serious security flaws in its implantable medical devices as early as 2014, but failed to address them with software updates or by replacing those devices. The government found that St. Jude, time and again, failed to adhere to internal security and product quality guidelines, a lapse that resulted in at least one patient death.

St. Jude Medical, which is now wholly owned by the firm Abbott, learned of serious and exploitable security holes in the company’s “high voltage and peripheral devices” in an April, 2014 “third party assessment” commissioned by the company. But St. Jude “failed to accurately incorporate the findings of that assessment” in subsequent risk assessments for the affected products, including Merlin@home, a home-based wireless transmitter that is used to provide remote care for patients with implanted cardiac devices, the FDA revealed. Among the security flaws: a “hardcoded universal unlock code” for the company’s implantable, high voltage devices.

The report casts doubt on a defamation lawsuit St. Jude filed against the firm MedSec Holdings Ltd over its August, 2016 report that warned of widespread security flaws in St. Jude products, including Merlin@home. The MedSec report on St. Jude’s technology was released in conjunction with a report by the investment firm Muddy Waters Research, which specializes in taking “short” positions on firms. (https://securityledger.com/2016/08/the-big-short-alleged-security-flaws-fuel-bet-against-st-jude-medical/) At the time, MedSec said that the security of the company’s medical devices and support software was “grossly inadequate compared with other leading manufacturers,” and represents “unnecessary health risks and should receive serious notice among hospitals, regulators, physicians and cardiac patients.” St. Jude has called the MedSec allegations false, but it now appears that the company had heard similar warnings raised by its own third-party security auditor more than a year prior.

Submission + - AIG Now Selling Cyber Insurance to High Net Worth Individuals (securityledger.com)

chicksdaddy writes: It turns out that the rich really aren't like everyone else — they have more cyber insurance. That, after insurance giant AIG announced Monday that it has started offering cyber insurance to protect individuals and families from ransomware attacks, data theft and cyber bullying, The Security Ledger reports. (https://securityledger.com/2017/04/the-rich-arent-like-everyone-else-they-have-more-cyber-insurance/)

But don’t go looking to sign up at Wal-Mart: the service is only available to AIG’s Private Client Group (http://www.aig.com/individual/insurance/private-client-group), which caters to high net worth and ultra high net worth individuals and families.

The service is the first of its kind to provide what insurers call “first party coverage” – basically: insurance to make the affected party whole after an adverse incident. In a sign of the times, AIG said it will pay for things like school relocation for children traumatized by cyber bullying and ransom to cyber criminals in the hope of restoring data and technology held hostage by crypto-ransomware.

Private Client Group customers must have real estate or other assets like boats or art with a value of more than $1 million, said Jerry Hourihan, president of AIG’s Private Client Group for the U.S. and Canada.

Hourihan said that the new service is based on similar insurance that AIG offers to businesses and is a response to inquiries and demands from its high net worth clients, who have become increasingly concerned about cyber threats. The insurance would be purchased as a so-called “rider” to a traditional home insurance policy and add about 10% or 15% to the annual premium.

It's not a big stretch for AIG because it turns out there's not much daylight between really well off families and businesses. “Our clients have domestic employees and family offices to help manage their lives. They take on quasi commercial exposure," Hourihan said.

There are no immediate plans to offer similar protections to families of ordinary means, despite a recent survey by the firm Accenture that found as many as 1 in 4 Americans has been the victim of data theft. (https://securityledger.com/2017/02/silent-epidemic-data-theft-has-become-a-public-health-crisis-digital-guardian/)

Submission + - Huge Necurs Botnet Adds DDoS Module (securityledger.com)

chicksdaddy writes: One of the globe’s largest networks of infected systems (or “botnets”) is now equipped with features that will allow it to launch denial of service attacks that could dwarf anything seen to date, the security firm Anubis Networks, a division of BitSight Technologies, reported. (http://blog.anubisnetworks.com/blog/necurs-proxy-module-with-ddos-features)

Research by Anubis found that the Necurs botnet, a global network of more than one million machines infected with the Necurs malware, added a module in recent months that permits it to launch distributed denial of service (or DDoS) attacks against designated targets. The botnet has mostly been used for distribution of spam email to date and has not been enlisted to launch DDoS attacks.

Necurs has been documented since 2014 and spreads via infected email attachments. It is often installed as a secondary program by other “downloader” programs, according to an analysis by Trend Micro. To date, Necurs has been employed almost exclusively to send out spam email messages. However, the software is modular and supports other features, as well, Anubis notes. A module added in late August appears to provide DDoS attack features to the botnet, Anubis researchers said. Reverse engineering of the module identified commands used to send HTTP or UDP requests to arbitrary Internet addresses in an endless loop – typical denial of service activity.

DDoS features are not uncommon in botnet malware. What is different is the size of the Necurs botnet compared with others, including the recent Mirai botnet that took down managed DNS provider Dyn, The Security Ledger notes (https://securityledger.com/2017/02/locked-and-loaded-huge-botnet-updated-for-ddos/). Mirai, which launched the largest denial of service attacks on record, topped out at around 200,000 infected hosts. But research by BitSight puts the number of nodes in the Necurs botnet at more than 650,000 as of June, 2016. The number may be smaller now, but an infection map currently puts the number of Necurs hosts at 208,000 – almost three times the size of the Mirai botnet (77,000 hosts). (https://intel.malwaretech.com/botnet/necurs)

Submission + - Too Few Women in Cyber Security? Blame Mr. Robot. (securityledger.com) 1

chicksdaddy writes: Women are under-represented in the field of technology, where they make up only 26% of professionals in the field of computing – that's actually down from their share of the workforce in 1990. At Facebook, just 17% of technical positions are occupied by women. (http://www.huffingtonpost.com/2015/03/27/women-in-tech_n_6955940.html) But the numbers in information security are even worse. There, just 11% of information security workers are women. (http://www.forbes.com/sites/stevemorgan/2016/03/28/calling-all-women-the-cybersecurity-field-needs-you/#68022bfb5ca4)

Why aren't more women drawn into the information security field, with its high salaries and flexible, family- and lifestyle-friendly workplaces? Blame Mr. Robot, says Chenxi Wang, a Computer Science Ph.D. and the Chief Strategy Officer at the firm Twistlock. Wang says that the image the show promotes of hackers – young, hoodie-clad, anti-social and male – is the exact opposite of what young, highly educated women are likely to be drawn to. "Whenever you think about security you think of a guy in a hoodie in a dimly lit space, hacking a remote computer," Wang said on RSA Conference TV. (https://youtu.be/Fsz5IAeJZsE) "Mr. Robot really personifies that, but if you talk to high school girls, I'm not sure how many of them would consider that an attractive field," she said. "We need to change the rhetoric and how we talk about our work."

Want to attract women to the field? Talk about the pro-social aspects of computer security, not the anti social ones. (Wang uses the example of a researcher applying fraud detection algorithms to help the World Bank spot development aid fraud.)

The stakes are high. The US faces a massive information security worker shortage of over 200,000 workers. (http://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#49b12aba7d27) Absent qualified candidates to fill jobs, companies are looking to invest in automation and machine learning solutions — raising the possibility that many of those white collar jobs will be "filled" by computers, if at all.

Submission + - 14,000 Domains Drop Dyn's DNS Service After Mirai Attack (securityledger.com)

chicksdaddy writes: How much does a DDoS attack cost your business? That's a difficult question to answer and often depends on the type of business you operate. But in the case of managed DNS provider Dyn, the answer is pretty concrete: about 8%.

New data suggests that some 14,500 web domains stopped using Dyn's Managed DNS service in the immediate aftermath of an October DDoS attack by the Mirai botnet. That is around 8% of the web domains using Dyn Managed DNS, The Security Ledger reports. (https://securityledger.com/2016/10/shoddy-supply-chain-lurks-behind-mirai-botnet/)

The new estimate comes from data compiled by the firm BitSight (https://www.bitsighttech.com/).

The October attack on Dyn by the Mirai botnet caused short-lived pain for Internet users trying to reach popular web sites like PayPal, Twitter, Reddit, Amazon, Netflix, and Spotify. The Bitsight data suggests the attacks may have had more lasting implications for Dyn – and other Internet companies like it.

“The data show that Dyn lost a pretty big chunk of their customer base because they were affected by (Mirai),” said Dan Dahlberg, a Research Scientist at BitSight Technologies in Cambridge, Massachusetts. Dahlberg was speaking at an event in Cambridge on January 24.

To determine the impact of the Mirai attack on the firm, BitSight, which provides security rating services for companies, analyzed a set of 178,000 domains that were hosted on Dyn’s managed DNS infrastructure before and immediately after the October 21st attacks. Around 145,000 of those exclusively used Dyn as their managed DNS provider, while around 33,000 used Dyn as one of their authoritative DNS providers.

Following the attack, 139,000 of the 145,000 domains continued to use Dyn exclusively, a loss of 6,000 domains or around 4% of the total. Among those domains that used Dyn along with other managed DNS providers, 25,000 continued to use Dyn after the attack, a loss of 8,000 domains or 24%. The absolute numbers are a sample based on observed domains using Dyn prior to the attack occurring, BitSight said.

Submission + - SPAM: 14,500 Domains Dropped Dyn After Mirai Attack

chicksdaddy writes: The Mirai botnet attacks that took managed Domain Name System services from New Hampshire based Dyn offline in October caused short-lived pain for Internet users trying to reach popular web sites like PayPal, Twitter, Reddit, Amazon, Netflix, and Spotify.

The attacks may have had more lasting implications for Dyn – and other Internet companies like it. New data suggests that around 8% of the web domains relying on Dyn’s managed DNS service dropped the service in the immediate aftermath of the attack, The Security Ledger reports. ([spam URL stripped])

Approximately 14,500 web domains that used Dyn’s managed Domain Name System services prior to the Mirai attack stopped using them immediately following the attack, according to data compiled by the firm BitSight ([spam URL stripped]) – a big blow to the company that was on the receiving end of the global Internet of Things botnet attack.

“The data show that Dyn lost a pretty big chunk of their customer base because they were affected by (Mirai),” said Dan Dahlberg, a Research Scientist at BitSight Technologies in Cambridge, Massachusetts. Dahlberg was speaking at an event in Cambridge on January 24.

To determine the impact of the Mirai attack on the firm, BitSight, which provides security rating services for companies, analyzed a set of 178,000 domains that were hosted on Dyn’s managed DNS infrastructure before and immediately after the October 21st attacks. Around 145,000 of those exclusively used Dyn as their managed DNS provider, while around 33,000 used Dyn as one of their authoritative DNS providers.

Following the attack, 139,000 of the 145,000 domains continued to use Dyn exclusively, a loss of 6,000 domains or around 4% of the total. Among those domains that used Dyn along with other managed DNS providers, 25,000 continued to use Dyn after the attack, a loss of 8,000 domains or 24%. The absolute numbers are a sample based on observed domains using Dyn prior to the attack occurring, BitSight said.
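The BitSight method described in the two Dyn submissions above (split each domain into "exclusive" or "shared" users of the provider from its authoritative NS records, then count who is still there after the event) is simple enough to reproduce. The block below is an added example, not BitSight's code or data: the domains, NS hostnames and the "dynect.net" provider label are constructed sample input, and the "last two labels of the NS host name" rule for mapping a name server to a provider is an assumption that a real analysis would replace with a curated mapping. It also makes explicit a distinction the article only implies: a domain that adds a second provider is lost from the exclusive pool but is not a lost customer.

```python
"""Added example: churn at a managed DNS provider from before/after NS snapshots.
Constructed sample data; not BitSight's dataset or code."""
from typing import Dict, Set, Tuple

# Constructed sample: domain -> authoritative NS hostnames, before the attack.
BEFORE: Dict[str, Set[str]] = {
    "a.example": {"ns1.p10.dynect.net.", "ns2.p10.dynect.net."},
    "b.example": {"ns1.p11.dynect.net."},
    "c.example": {"ns1.p12.dynect.net."},
    "d.example": {"ns1.p13.dynect.net."},
    "e.example": {"ns1.p20.dynect.net.", "ns-1.awsdns-00.com."},
    "f.example": {"ns1.p21.dynect.net.", "ns1.otherdns.example."},
    "g.example": {"ns1.p22.dynect.net.", "ns1.otherdns.example."},
    "h.example": {"ns1.otherdns.example."},  # never a customer; must be ignored
}

# Same domains immediately after: c and f dropped the provider entirely,
# d kept it but added a second provider (no longer exclusive, still a customer).
AFTER: Dict[str, Set[str]] = {
    "a.example": {"ns1.p10.dynect.net.", "ns2.p10.dynect.net."},
    "b.example": {"ns1.p11.dynect.net."},
    "c.example": {"ns-2.awsdns-01.com."},
    "d.example": {"ns1.p13.dynect.net.", "ns-3.awsdns-02.com."},
    "e.example": {"ns1.p20.dynect.net.", "ns-1.awsdns-00.com."},
    "f.example": {"ns1.otherdns.example."},
    "g.example": {"ns1.p22.dynect.net.", "ns1.otherdns.example."},
    "h.example": {"ns1.otherdns.example."},
}


def provider_of(ns_host: str) -> str:
    """Reduce an NS hostname to a provider label: its last two DNS labels.
    Assumption for this example; real work needs a curated NS -> provider map."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def classify(snapshot: Dict[str, Set[str]], provider: str) -> Tuple[Set[str], Set[str]]:
    """Split a snapshot into (exclusive, shared) users of `provider`."""
    exclusive: Set[str] = set()
    shared: Set[str] = set()
    for domain, hosts in snapshot.items():
        providers = {provider_of(h) for h in hosts}
        if provider not in providers:
            continue  # not a customer in this snapshot
        (exclusive if providers == {provider} else shared).add(domain)
    return exclusive, shared


def _pct_lost(before: int, retained: int) -> float:
    return round(100.0 * (before - retained) / before, 1) if before else 0.0


def churn(before: Dict[str, Set[str]], after: Dict[str, Set[str]], provider: str) -> Dict[str, float]:
    """Retention counts and loss percentages for exclusive, shared and all customers."""
    ex_b, sh_b = classify(before, provider)
    ex_a, sh_a = classify(after, provider)
    still_using = ex_a | sh_a
    ex_retained = ex_b & ex_a           # "continued to use the provider exclusively"
    sh_retained = sh_b & still_using    # shared customers who still list the provider
    total_b = ex_b | sh_b
    total_retained = total_b & still_using
    return {
        "exclusive_before": len(ex_b),
        "exclusive_retained": len(ex_retained),
        "exclusive_loss_pct": _pct_lost(len(ex_b), len(ex_retained)),
        "shared_before": len(sh_b),
        "shared_retained": len(sh_retained),
        "shared_loss_pct": _pct_lost(len(sh_b), len(sh_retained)),
        "total_before": len(total_b),
        "total_retained": len(total_retained),
        "total_loss_pct": _pct_lost(len(total_b), len(total_retained)),
    }


if __name__ == "__main__":
    for key, value in churn(BEFORE, AFTER, "dynect.net").items():
        print(f"{key:>22}: {value}")
```

Note the caveat the article itself attaches: the counts are a sample of observed domains, so the percentages describe the observed set rather than the provider's full customer list, and a snapshot taken "immediately after" will miss customers who returned once the attack subsided.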


Submission + - Trump Wasn't Wrong To Secure @POTUS with a Gmail Account (securityledger.com)

chicksdaddy writes: The world is having a collective freak out about the serial (https://www.nytimes.com/2017/01/25/technology/donald-trump-phone-social-media-security.html?_r=0) security lapses (https://www.rt.com/usa/375109-trump-administration-private-server-rnc/) of the newly enshrined Trump administration. That includes the revelation, this week, that the Leader of the Free World is using a lowly Google Gmail account to secure @POTUS, the official Twitter account of the U.S.’s Chief Executive. (https://theintercept.com/2017/01/26/donald-trump-is-using-a-private-gmail-account-to-secure-the-most-powerful-twitter-account-in-the-world/)

For a President and Administration as unconventional as Mr. Trump, the news about how The Most Powerful Twitter Account in the World was being secured was just another data point in a raucous and singularly unprofessional first week in office – the online equivalent of trash talking the United States’ second largest trading partner. (https://www.nytimes.com/2017/01/26/us/politics/mexico-wall-tax-trump.html)

But is having the Chief Executive’s Twitter account secured by a Google Gmail account really a security lapse? Not necessarily, according to security experts. In fact, Gmail may offer superior security to government-run platforms, The Security Ledger argues. (https://securityledger.com/2017/01/trump-securing-potus-with-gmail-is-reasonable-heres-why/)

“Companies like Google and Microsoft have invested billions of dollars in securing their infrastructure,” said John Ackerly, the CEO at the firm Virtru, a secure email provider. “If you want your data to be secure, it’s tough to beat Google, Microsoft or Amazon’s cloud,” he said.

Indeed, Gmail offers a wide range of back-end and front-end security features that make it among the most difficult platforms to compromise – providing users take advantage of those features. Among them: detection of nation-state attacks, protection against account takeovers, strong encryption for all Gmail data both at rest and in transit, and the availability of strong second-factor authentication options such as token-based authentication and soft second factors like SMS codes and Google Authenticator.

In contrast, the U.S. government has struggled to secure its own IT assets. In fact, a report by GAO in 2015 listed “personal identity verification” (http://www.gao.gov/assets/680/670936.pdf) as a top cyber security challenge for government agencies. By GAO’s accounting, only 41 percent of user accounts at 23 civilian agencies had required these credentials for accessing agency systems.

Submission + - Second Ukraine Power Outage Linked to Russian Hackers (securityledger.com)

chicksdaddy writes: A December power outage in the city of Kiev has been linked to hacking activity by groups believed to be working on behalf of the government of Russia, according to published reports. (https://securityledger.com/2017/01/second-ukraine-power-outage-linked-to-russian-hackers/)

Russian hacking crews were behind a brief power outage at the Pivnichna remote power transmission facility last month, using software based attacks to shut down the remote terminal units (RTUs) that control circuit breakers, causing a power outage for about an hour. Hacking crews appear to be using the Ukraine as a test bed to hone skills that could be used against other adversaries, according to Marina Krotofil, a security researcher for Honeywell Industrial Cyber Security Labs, the website Dark Reading reported on Tuesday.

Speaking at the S4 Conference in Miami on Tuesday (http://www.cvent.com/events/s4x17), Krotofil said that the outage at Pivnichna was part of a month-long campaign by Russian hacking groups that included attacks on railways and other critical infrastructure. While not intended to cripple the country, the attacks were designed to sow confusion and chaos, she said.

Research was conducted by Information Systems Security Partners (ISSP) (https://www.issp.ua/contact.php?l=en), a Ukraine firm. Speaking to the conference via a pre-recorded video, Oleksii Yasynskyi, head of research at the company, said that the attacks were the work of more than one cyber criminal group that worked in concert with each other. Attacks against Ukraine critical infrastructure and other interests began over the summer, ISSP said, with spear phishing attacks directed at a Ukraine bank.

Submission + - Vermont Utility Hack Story shows why Gov's Grizzly Steppe Report is so bad (securityledger.com)

chicksdaddy writes: The Washington Post’s story, Saturday, which claimed that Russian hacking groups had penetrated the United States electrical grid (https://www.washingtonpost.com/world/national-security/russian-hackers-penetrated-us-electricity-grid-through-a-utility-in-vermont/2016/12/30/8fc90cc4-ceec-11e6-b8a2-8c2a61b0436f_story.html) is a great example of why the Obama Administration's Grizzly Steppe report was a big mistake. It is also a case-in-point against casual attribution of cyber attacks, The Security Ledger writes. (https://securityledger.com/2017/01/opinion-confusion-over-vermont-utility-underscores-risks-of-cyber-attribution/)

As we now know, the Washington Post used claims that “code associated with the Russian hacking operation dubbed GRIZZLY STEPPE" had been detected within a system owned by Burlington Electric as proof that the Russians had hacked into the U.S. grid.

But no such hack of the electrical grid took place. The computer infected with the malware was not connected to the operation of the grid, Vermont Public Service Commissioner Christopher Recchia told The Burlington Free Press on Saturday. (http://www.burlingtonfreepress.com/story/news/local/vermont/2016/12/30/russia-hacked-us-grid-through-burlington-electric/96024326/)

The Washington Post subsequently corrected its article, saying that no hack of the U.S. grid took place, though it did NOT retract the story as some have claimed. Still, the confusion over “the Vermont incident” gets to the heart of criticisms that followed the release of the DHS and FBI Joint Analysis Report (JAR) on Russian hacking activity on U.S. shores. Specifically: the U.S. Government’s Report lumped together under one banner a wide range of hacking groups and hacking tools – some of them long used and widespread. In some cases, the groups in question have only tangential connections to the government of Russia. In other cases, tools and techniques for attacking organizations – including whole families of malware – were thrown under the GRIZZLY STEPPE umbrella. The effect was to water down the report while dangerously muddying the public’s understanding of what Russian government hackers are and are not doing.

The report about the Vermont hack proceeded from that assumption, citing intelligence from unnamed government sources that malicious code found at the utility was put there and controlled by “the Russians,” who “did not actively use the code to disrupt operations.”

The truth is that if any evidence exists linking the malware discovered on a machine owned by Burlington Electric to operatives of the government of Russia, none was presented. It’s not clear if the Washington Post ever asked for such proof. As Robert Lee noted in a blog post on Saturday: “the indicators supposedly were related to Russia because the DHS and FBI said so – and supposedly that’s good enough,” he wrote. (http://www.robertmlee.org/analytical-leaps-and-wild-speculation-in-recent-reports-of-industrial-cyber-attacks/)

By ignoring context and a fair amount of private and public sector research in lumping together Black Energy and a wide range of other, similar threats under a common banner (GRIZZLY STEPPE), a report that was supposed to nail the lid shut on Russian hacking in U.S. elections has only raised more questions about the U.S. government’s evidence against Russia and whether that evidence is being interpreted in ways that distort its actual meaning or import. The Washington Post story marked just the first errant conclusion drawn from that errant report. Others are sure to follow – blurring rather than sharpening our understanding of the risks posed by Russia and other online adversaries.

Comment The Story was Corrected, NOT Retracted! (Score 2) 574

Did anyone bother to notice that this entire thread is based on an inaccurate assertion? The story was NOT retracted. It was CORRECTED - meaning that a piece of inaccurate information in the original story (about the laptop being connected to the ICS/SCADA system) was rewritten to clarify that the computer was not connected to that part of Burlington Electric's network. A retraction would mean WAPO removed the story from its website and disavowed its contents. No such thing happened. In fact, you can still read the story using the link provided in the Slashdot post - a sure sign that it HASN'T BEEN RETRACTED!!! Slashdot should probably RETRACT the incorrect story about the Washington Post's (non-existent) retraction.

Submission + - NIST wants public's help with crypto-cracking quantum computers (securityledger.com)

chicksdaddy writes: With functional quantum computers on the (distant?) horizon, The National Institute of Standards and Technology (NIST) is asking the public for help (https://www.nist.gov/news-events/news/2016/12/nist-asks-public-help-future-proof-electronic-information) heading off what it calls “a looming threat to information security”: powerful quantum computers capable of breaking even the strongest encryption codes used to protect the privacy of digital information, The Security Ledger reports.

In a statement Tuesday, NIST asked the public to submit ideas for “post-quantum cryptography” algorithms that will be “less susceptible to a quantum computer’s attack.” NIST formally announced its quest in a publication on The Federal Register. (https://www.federalregister.gov/documents/2016/12/20/2016-30615/announcing-request-for-nominations-for-public-key-post-quantum-cryptographic-algorithms)

Dustin Moody, a mathematician at NIST said the Institute's main focus is developing new public key cryptography algorithms, which are used today to protect both stored and transmitted information.

“We’re looking to replace three NIST cryptographic standards and guidelines that would be the most vulnerable to quantum computers,” Moody said. They are FIPS 186-4, NIST SP 800-56A and NIST SP 800-56B.

Researchers have until November, 2017 to submit their ideas. After the deadline, NIST will review the submissions. Proposals that meet the “post-quantum crypto” standards (http://csrc.nist.gov/groups/ST/post-quantum-crypto/minimum-accept-reqs.html) set up by NIST will be invited to present their algorithms at an open workshop in early 2018.

Submission + - NETGEAR finds more routers vulnerable, pushes emergency patch (securityledger.com)

chicksdaddy writes: Consumer home networking firm NETGEAR has issued an emergency software patch for a serious vulnerability in its home routers, even as the company doubles the list of affected hardware.

The company said on Tuesday (http://kb.netgear.com/000036386/CVE-2016-582384?cid=wmt_netgear_organic) that it is providing a “beta version” of router firmware that addresses an arbitrary command injection vulnerability that was disclosed in firmware used by a number of wireless routers sold to consumers and small businesses. NETGEAR said the software update is still being tested and will only work on three versions of its routers: the R6400, R7000 and R8000. The company also acknowledged that five more routers are affected by the flaw and remain unpatched: the R7900, R7300, R7100LG, R6700 and R6250.

The company said the new firmware has not been fully tested and “might not work for all users.” The company offered it as a “temporary solution” to address the security hole. “NETGEAR is working on a production firmware version that fixes this command injection vulnerability and will release it as quickly as possible,” the company said in a post to its online knowledgebase early Tuesday.

The move follows publication of a warning from experts at Carnegie Mellon on December 9 detailing a serious “arbitrary command injection” vulnerability in the latest version of firmware used by a number of Netgear wireless routers. (https://www.youtube.com/watch?v=kOZs90BGPFk) The security hole could allow a remote attacker to take control of the router by convincing a user to visit a malicious web site. CMU urged NETGEAR customers to stop using affected routers until a fix can be found. (https://www.kb.cert.org/vuls/id/582384)

The vulnerability was discovered by an individual using the handle Acew0rm (@acew0rm1), who says he contacted NETGEAR about the flaw four months ago, and went public with information on it after the company failed to address the issue on its own.

Submission + - Vulnerability in Netgear Wifi Routers Prompts Warning to Stop Using Them (securityledger.com)

chicksdaddy writes: A serious and easy to exploit security hole in the software that runs certain models of wifi routers made by the firm Netgear prompted experts at Carnegie Mellon to urge customers to stop using them until a fix can be found.

The warning comes in a vulnerability note (VU#582384) (https://www.kb.cert.org/vuls/id/582384) published on Friday by Carnegie Mellon University’s CERT, describing an “arbitrary command injection” vulnerability in the latest version of firmware used by a number of Netgear wireless routers.

The security hole could allow a remote attacker to take control of the router by convincing a user to visit a malicious web site. A proof of concept exploit for the hole was published online (https://www.exploit-db.com/exploits/40889/) on Wednesday by an individual using the handle Acew0rm (@acew0rm1).

Firmware version 1.0.7.2_1.1.93 (and possibly earlier) for the R7000 and version 1.0.1.6_1.0.4 (and possibly earlier) for the R6400 are known to contain the arbitrary command injection vulnerability. CERT cited “community reports” that indicate the R8000, firmware version 1.0.3.4_1.1.2, is also vulnerable.

The warning comes amid increased concern about the security of home routers, following widespread attacks in recent weeks that have targeted the devices in Germany, the UK and other countries.

In statements on Twitter (https://twitter.com/acew0rm1), AceW0rm said that he informed Netgear of the flaw more than four months ago, but has not heard back from the company since then. He released information on the hole as well as proof of concept exploit code.

A search of the public Internet using the Shodan search engine finds around 8,000 R6450 and R7000 devices that can be reached directly from the Internet and that would be vulnerable to takeover attacks. The vast majority of those are located in the United States.
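The two Netgear submissions above name the bug class, "arbitrary command injection" reachable through a web request, without describing the firmware code, and this example does not try to: it is an added, generic illustration of that class (a request parameter pasted into a shell command line next to the hardened form), written in Python rather than the C an embedded HTTP daemon would use, because the pattern is the same in both. The "diagnostic ping" feature, the `target` parameter and the validation rules are assumptions for the example, not details of any Netgear endpoint. The "visit a malicious web site" vector the CERT note describes follows from the same bug: a page can make the victim's browser issue the crafted request to the router on the local network.

```python
"""Added example: the command-injection pattern, vulnerable vs. hardened.
Generic illustration, not Netgear firmware code; endpoint and parameter are assumed."""
import ipaddress
import re
import shlex
import subprocess
from typing import List

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen, nothing else.
# Shell metacharacters (; | & $ ` ( ) < > space, newline) cannot match this.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def build_command_vulnerable(target: str) -> str:
    """The bug class: a request parameter becomes part of a string handed to `sh -c`.
    With target = '8.8.8.8; cat /etc/passwd' the shell runs the second command too."""
    return f"ping -c 1 {target}"


def parse_target(target: str) -> str:
    """Accept an IP address or a syntactically valid hostname; reject everything else."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    labels = target.rstrip(".").split(".")
    if 0 < len(target) <= 253 and all(_LABEL.match(label) for label in labels):
        return target
    raise ValueError(f"invalid target: {target!r}")


def is_valid_target(target: str) -> bool:
    try:
        parse_target(target)
        return True
    except ValueError:
        return False


def build_command_hardened(target: str) -> List[str]:
    """Hardened form: validate, then pass an argument vector with no shell at all.
    Metacharacters in the value would stay data even if validation were bypassed."""
    return ["ping", "-c", "1", parse_target(target)]


def build_command_quoted(target: str) -> str:
    """Second-best, when a shell really is required: validate AND quote the value."""
    return f"ping -c 1 {shlex.quote(parse_target(target))}"


def run_ping(target: str, timeout: float = 5.0) -> int:
    """Run the hardened form and return the exit status (no shell involved)."""
    argv = build_command_hardened(target)
    return subprocess.run(argv, capture_output=True, timeout=timeout, check=False).returncode


if __name__ == "__main__":
    for value in ("8.8.8.8", "example.com", "8.8.8.8; cat /etc/passwd", "$(id)", "-f"):
        print(f"{value!r:32} valid={is_valid_target(value)}  vulnerable string: "
              f"{build_command_vulnerable(value)!r}")
```

The allowlist is the real fix; the argument vector is the safety net that turns a missed validation case into a failed ping instead of a root shell. A denylist of metacharacters is the wrong tool, because the set of characters a given shell treats specially is larger than most people remember.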
