Newly discovered router flaw being hammered by in-the-wild attacks

Update and secure your routers. If you don't know how to do it, you can schedule an appointment with us.

From Ars

Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers.

Routers provided to German and Irish ISP customers for Deutsche Telekom and Eircom, respectively, have already been identified as being vulnerable, according to recently published reports from researchers tracking the attacks. The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers. The devices leave Internet port 7547 open to outside connections. The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware. According to this advisory published Monday morning by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploits every five to 10 minutes.

SANS Dean of Research Johannes Ullrich said in Monday’s post that exploits are almost certainly the cause behind an outage that hit Deutsche Telekom customers over the weekend. In a Facebook update, officials with the German ISP said 900,000 customers are vulnerable to the attacks until they are rebooted and receive an emergency patch. Earlier this month, researchers at security firm BadCyber reported that the same one-two port 7547/TR-064 exploit hit the home router of a reader in Poland. They went on to identify D1000 routers supplied by Eircom as also being susceptible and cited this post as support. The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world.

The attacks started shortly after researchers published attack code that exploited the exposed TR-064 service. Included as a module for the Metasploit exploitation framework, the attack code opens the port 80 Web interface that enables remote administration. From there, devices that use default or otherwise weak authentication passwords can be remotely commandeered and made to join botnets that carry out Internet-crippling denial-of-service attacks.

BadCyber researchers analyzed one of the malicious payloads that was delivered during the attacks and found it originated from a known Mirai command-and-control server.

“The unusual application of TR-064 commands to execute code on routers has been described for the very first time at the beginning of November, and a few days later a relevant Metasploit module had appeared,” BadCyber researchers wrote in a blog post. “It looks like someone decided to weaponize it and create an Internet worm based on Mirai code.”

All bases covered

To infect as many routers as possible, the exploits deliver three separate exploit files, two tailored to devices running different types of MIPS chips and a third that targets routers with ARM silicon. Just like the Metasploit code, the malicious payloads use the exploit to open the remote administration interface and then attempt to log in using three different default passwords. The attack then closes port 7547 to prevent other criminal enterprises from taking control of the devices.
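The article's defensive takeaway is that port 7547 should not be reachable from the Internet. The following is an added example, not code from the article or from SANS, that audits constructed iptables-style firewall log lines for inbound TCP connection attempts to that port from non-LAN addresses; the log format, the host names and the addresses (documentation ranges) are all assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed iptables LOG lines (assumed format, not taken from the article).
# Sources use RFC 5737 documentation ranges; they are not real attackers.
SAMPLE_LOG = """\
Nov 28 09:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=7547 SYN
Nov 28 09:01:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=51240 DPT=7547 SYN
Nov 28 09:03:15 gw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.20 PROTO=TCP SPT=40001 DPT=7547 SYN
Nov 28 09:04:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.20 PROTO=TCP SPT=44444 DPT=443 SYN
Nov 28 09:05:30 gw kernel: IN=br0 OUT= SRC=192.168.1.10 DST=192.168.1.1 PROTO=TCP SPT=50000 DPT=7547 SYN
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)
TR064_PORT = 7547  # CWMP/TR-064 management port named in the article

# RFC 1918 plus loopback, checked explicitly: Python's is_private also
# treats the documentation ranges used above as private, which would hide them.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_lan(addr):
    return any(addr in net for net in LAN_NETS)


def external_tr064_attempts(log_text):
    """Return {source_ip: count} of TCP connection attempts to port 7547
    that arrived from addresses outside the local network."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TCP" or int(m["dpt"]) != TR064_PORT:
            continue
        src = ipaddress.ip_address(m["src"])
        if is_lan(src):
            continue  # management traffic from the LAN side is expected
        hits[str(src)] += 1
    return dict(hits)


def repeat_offenders(log_text, threshold=2):
    """Sources that knocked on port 7547 at least `threshold` times; the
    honeypot rate quoted in the article (every 5-10 minutes) is a useful
    sanity check on what 'normal' looks like for an exposed device."""
    hits = external_tr064_attempts(log_text)
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    print(external_tr064_attempts(SAMPLE_LOG))
    print(repeat_offenders(SAMPLE_LOG))
```

Any non-zero result means the WAN-side port is reachable and the router needs its firmware update or a firewall rule, regardless of whether the source is a known Mirai address.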


These SNES-era Kirby games were considered lost until this week

I’m always happy when any forgotten media gets discovered and released.

From ARS

These four early Kirby games will now have their ROMs preserved, thanks to the efforts of a group of preservationists.

A group of dedicated game preservationists has obtained a set of obscure Japanese Kirby games from the Super Famicom era in order to archive them for future generations. But the uncertain fate of such early games presages a much bigger problem facing digital game preservation going forward.

Even die-hard Kirby fans would be forgiven for not knowing much about Kirby’s Toy Box, a collection of six mini games that was only available through Japan’s Satellaview, an early satellite-based distribution service for the Super Famicom (the Super NES in the West). That system only let you download one game at a time to a special 8-megabit cartridge, though, and you could only download when that specific game was being broadcast across the narrow satellite feed.

Thus, existing copies of most Satellaview games are available only if they happen to be the last game downloaded to individual cartridges (Satellaview broadcasts ended in the late ’90s). While some of these games have been publicly dumped and preserved as ROM files, many exist only in the hands of Japanese collectors. Sometimes, those individuals are reluctant to release the digital code widely.

That’s why gaming historians were so intrigued when a Japanese auction popped up listing four of the Kirby’s Toy Box mini games (Circular Ball, Cannon Ball, Pachinko, and Arrange Ball) for sale on four separate Satellaview cartridges. As Video Game History Foundation founder Frank Cifaldi put it on Twitter, “finding 3 different ones from 1 seller is a miracle.”

Preservationists including Cifaldi and Matthew Callis sought out donations to help win the auctions and preserve the game data for future generations. Yesterday morning, the group announced it had won all four cartridges for a total of ¥85,500 (about $813.08, as reported by Kotaku). “Still missing most of Nintendo’s Satelleview [sic] output, but at least we’ve got most of the Kirbys now,” as Cifaldi put it.

A growing digital preservation problem

The shaky fate of these early digital downloads likely points to future issues we’ll face when it comes to long-term preservation of modern games distributed exclusively as downloads. Last year, Sony shut down PlayStation Mobile, cutting off access to plenty of great Vita titles from smaller indie publishers. Xbox Live’s Indie Games program will fully shut down in 2017, leaving quite a few hidden gems of its own without an online home. And Apple has begun the process of culling “problematic and abandoned” older games from the App Store, continuing a process of game removal already started by many iOS game publishers themselves.

When Sony, Microsoft, and Nintendo eventually shut down their PS3, Xbox 360, and Wii servers for good, hundreds of digital download games will only exist as scattered copies on various console hard drives. That’s already happening with games like P.T., Konami’s free cult horror classic that was pulled down from PSN unceremoniously in 2015. That move led to a spike in prices for secondhand PS4 consoles that happened to have the game trapped on their hard drives.

Sure, we’ll likely be able to find copies of many of the biggest and most popular of these digital-exclusive games in order to export them to a more permanent and emulatable archival format (a recent DMCA decision makes this whole process easier when it comes to mimicking authentication servers). But as servers go offline and games are scattered among myriad distinct consoles, assembling anything close to a complete understanding of today’s digital game marketplace is going to get very tough very quickly. As is the case with many early films that have been lost forever, we may not know what hidden gaming treasures have been lost to history.


2.2 Billion Records Stolen So Far In 2016!

As I tell everyone, your information is out there; we have lost the privacy war. The big retail chains sometimes make the news when they get hacked. The real threat, though, is the ones that don’t make the news or that we don’t know about: banks, medical records, insurance companies. There are thousands of companies whose sole business model is collecting your data; how forthcoming do you expect these businesses to be when they have a data breach?

From ARS

There has been yet another major data breach, this time exposing names, IP addresses, birth dates, e-mail addresses, vehicle data, and occupations of at least 58 million subscribers, researchers said.

The trove was mined from a poorly secured database and then published and later removed at least three times over the past week, according to this analysis from security firm Risk Based Security. Based on conversations with a Twitter user who first published links to the leaked data, the researchers believe the data was stored on servers belonging to Modern Business Solutions, a company that provides data storage and database hosting services.

Shortly after researchers contacted Modern Business Solutions, the leaky database was secured, but the researchers said they never received a response from anyone at the firm, which claims to be located in Austin, Texas. Officials with Modern Business Solutions didn’t respond to several messages Ars left seeking comment and additional details.

Risk Based Security said the actual number of exposed records may be almost 260 million. The company based this possibility on an update researchers received from the Twitter user who originally reported the leak. The update claimed the discovery of an additional table that contained 258 million rows of personal data. By the time the update came, however, the database had already been secured, and Risk Based Security was unable to confirm the claim. The official tally cited Wednesday by breach notification service Have I Been Pwned? is 58.8 million accounts. In all, the breach resulted in 34,000 notifications being sent to Have I Been Pwned? users monitoring e-mail addresses and 3,000 users monitoring domains.

According to Risk Based Security, the account information was compiled using the open source MongoDB database application. The researchers believe the unsecured data was first spotted using the Shodan search engine. The publication of the data happened when a party that first identified the leak shared it with friends rather than privately reporting it to Modern Business Solutions.

By the tally of Risk Based Security, there have been 2,928 publicly disclosed data breaches so far in 2016 that have exposed more than 2.2 billion records. The figures provide a stark reminder of why it’s usually a good idea to omit or falsify as much requested data as possible when registering with both online and offline services. It’s also a good idea to use a password manager, although this leak was unusual in that it didn’t contain any form of user password, most likely because the data was being stored on behalf of one or more other services.


Members of DDoS Service Busted

From Krebs

Two young Israeli men alleged to be the co-owners of a popular online attack-for-hire service were reportedly arrested in Israel on Thursday. The pair were arrested around the same time that KrebsOnSecurity published a story naming them as the masterminds behind a service that can be hired to knock Web sites and Internet users offline with powerful blasts of junk data.

Alleged vDOS co-owner Yarden Bidani.

According to a story at Israeli news site TheMarker.com, Itay Huri and Yarden Bidani, both 18 years old, were arrested Thursday in connection with an investigation by the U.S. Federal Bureau of Investigation (FBI).

The pair were reportedly questioned and released Friday on the equivalent of about USD $10,000 bond each. Israeli authorities also seized their passports, placed them under house arrest for 10 days, and forbade them from using the Internet or telecommunications equipment of any kind for 30 days.

Huri and Bidani are suspected of running an attack service called vDOS. As I described in this week’s story, vDOS is a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline.

The two men’s identities were exposed because vDOS got massively hacked, spilling secrets about tens of thousands of paying customers and their targets. A copy of that database was obtained by KrebsOnSecurity.

For most of Friday, KrebsOnSecurity came under a heavy and sustained denial-of-service attack, which spiked at almost 140 Gbps. A single message was buried in each attack packet: “godiefaggot.” For a brief time the site was unavailable, but thankfully it is guarded by DDoS protection firm Prolexic/Akamai. The attacks against this site are ongoing.

Huri and Bidani were fairly open about their activities, or at least not terribly careful to cover their tracks. Yarden’s now abandoned Facebook page contains several messages from friends who refer to him by his hacker nickname “AppleJ4ck” and discuss DDoS activities. vDOS’s customer support system was configured to send a text message to Huri’s phone number in Israel — the same phone number that was listed in the Web site registration records for the domain v-email[dot]org, a domain the proprietors used to help manage the site.

At the end of August 2016, Huri and Bidani authored a technical paper (PDF) on DDoS attack methods which was published in the Israeli security e-zine Digital Whisper. In it, Huri signs his real name and says he is 18 years old and about to be drafted into the Israel Defense Forces. Bidani co-authored the paper under the alias “Raziel.b7@gmail.com,” an email address that I pointed out in my previous reporting was assigned to one of the administrators of vDOS.

Sometime on Friday, vDOS went offline. It is currently unreachable. Before it went offline, vDOS was supported by at least four servers hosted in Bulgaria at a provider called Verdina.net (the Internet address of those servers was 82.118.233.144). But according to several automated Twitter feeds that track suspicious large-scale changes to the global Internet routing tables, sometime in the last 24 hours vDOS was apparently the victim of what’s known as a BGP hijack.

BGP hijacking involves one ISP fraudulently “announcing” to the rest of the world’s ISPs that it is in fact the rightful custodian of a range of Internet addresses that it doesn’t actually have the right to control. It is a hack most often associated with spamming activity. According to those Twitter feeds, vDOS’s Internet addresses were hijacked by a firm called BackConnect Security.
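The Twitter feeds mentioned here work by comparing new route announcements against the origin AS each prefix is expected to have. As an added example (not code from the article or from any of those feeds), the following checks a constructed stream of announcements against a constructed baseline and flags the two shapes a hijack takes: the same prefix announced from a different origin AS, and a more-specific prefix carved out of a monitored block by a foreign AS. The prefixes and AS numbers are documentation-range placeholders, not the Verdina or BackConnect networks.

```python
import ipaddress

# Constructed baseline: prefix -> ASN expected to originate it.
# ASNs are from the RFC 5398 documentation range; prefixes are RFC 5737 TEST-NETs.
EXPECTED_ORIGIN = {
    "203.0.113.0/24": 64496,
    "198.51.100.0/23": 64497,
}

# Constructed announcement stream as (prefix, AS path); the last ASN in the
# path is the origin that claims to own the prefix.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64510, 64500, 64496]),     # expected origin: fine
    ("198.51.100.0/23", [64510, 64497]),           # expected origin: fine
    ("203.0.113.0/24", [64510, 64511]),            # same prefix, foreign origin
    ("198.51.100.128/25", [64510, 64505, 64511]),  # more-specific by foreign origin
    ("192.0.2.0/24", [64510, 64503]),              # not a monitored prefix
]


def covering_prefix(prefix, expected):
    """Longest monitored prefix that contains `prefix`, or None."""
    net = ipaddress.ip_network(prefix)
    best = None
    for candidate in expected:
        cand = ipaddress.ip_network(candidate)
        if net.version == cand.version and net.subnet_of(cand):
            if best is None or cand.prefixlen > best.prefixlen:
                best = cand
    return str(best) if best is not None else None


def find_hijacks(announcements, expected=EXPECTED_ORIGIN):
    """Return one alert per announcement whose origin AS disagrees with the
    baseline for the monitored block it falls inside. A more-specific
    announcement wins in BGP's longest-prefix match even when the legitimate
    covering route is still present, so it is flagged separately."""
    alerts = []
    for prefix, as_path in announcements:
        origin = as_path[-1]
        parent = covering_prefix(prefix, expected)
        if parent is None:
            continue  # nothing in the baseline covers this prefix
        if origin != expected[parent]:
            alerts.append({
                "prefix": prefix,
                "kind": "origin-change" if prefix == parent else "more-specific",
                "seen_origin": origin,
                "expected_origin": expected[parent],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_hijacks(ANNOUNCEMENTS):
        print(alert)
```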

Reached by phone, Bryant Townsend, founder and CEO of BackConnect Security, confirmed that his company did in fact hijack Verdina/vDOS’s Internet address space. Townsend said the company took the extreme measure in an effort to get out from under a massive attack launched on the company’s network Thursday, and that the company received an email directly from vDOS claiming credit for the attack.

“For about six hours, we were seeing attacks of more than 200 Gbps hitting us,” Townsend explained. “What we were doing was for defensive purposes. We were simply trying to get them to stop and to gather as much information as possible about the botnet they were using and report that to the proper authorities.”

I noted earlier this week that I would be writing more about the victims of vDOS. That story will have to wait for a few more days, but Friday evening CloudFlare (another DDoS protection service that vDOS was actually hiding behind) agreed to host the rather large log file listing roughly four months of vDOS attack logs from April through July 2016.

For some reason the attack logs only go back four months, probably because they were wiped at one point. But vDOS has been in operation since Sept. 2012, so this is likely a very small subset of the attacks this DDoS-for-hire service has perpetrated.

The file lists the vDOS username that ordered and paid for the attack; the target Internet address; the method of attack; the Internet address of the vDOS user at the time; the date and time the attack was executed; and the browser user agent string of the vDOS user.


Over 40 million usernames, passwords from 2012 breach of Last.fm surface

New password leaks from years ago are coming to light constantly now. It is more important than ever to change your passwords and not use the same password on multiple sites.

From ARS:

The contents of a March 2012 breach of the music tracking website Last.fm have surfaced on the Internet, joining a collection of other recently leaked “mega-breaches” from Tumblr, LinkedIn, and MySpace. The Last.fm breach differs from the Tumblr breach, however, in that Last.fm knew about the breach when it happened and informed users in June of 2012. But more than 43 million user accounts were exposed, including weakly encrypted passwords—96 percent of which were cracked within two hours by researchers associated with the data breach detection site LeakedSource.

Last.fm is a music-centered social media platform—it tracks the music its members play, aggregating the information to provide a worldwide “trending” board for music, letting users learn about new music and share playlists, among other things. The 2012 database breach contained usernames, passwords, the date each member joined the service, and internal data associated with the account. The passwords were stored as unsalted MD5 hashes.

“This algorithm is so insecure it took us two hours to crack and convert over 96 percent of them to visible passwords, a sizable increase from prior mega breaches,” a member of LeakedSource wrote in a post about the data. Ars confirmed the LeakedSource data using our own Last.fm account information.

The contents of the database are somewhat representative of where passwords were in 2012 (and possibly still are on many services). Of the 41 million passwords that were successfully extracted, 255,000 of them were “123456.” The next most popular password, used by 92,000 users, was “password.”
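The two weaknesses in the Last.fm dump, unsalted storage (so every "123456" user shares one hash) and a fast hash (so a lookup table of common passwords is cheap to build), are shown below on a constructed four-user sample alongside the salted, iterated PBKDF2 storage that defeats both. This is an added example, not Last.fm's or LeakedSource's code; the user names, the tiny word list and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter


def md5_unsalted(password):
    """How the article says Last.fm stored passwords: bare MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


# Constructed sample "dump" (username, unsalted MD5); not real Last.fm rows.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
LEAKED_ROWS = [
    ("alice", md5_unsalted("123456")),
    ("bob", md5_unsalted("password")),
    ("carol", md5_unsalted("123456")),
    ("dave", md5_unsalted("correct horse battery staple")),
]


def shared_hash_groups(rows):
    """Without a salt, duplicate hashes expose shared passwords before any
    hashing work is done: this is why 255,000 identical "123456" rows stand out."""
    counts = Counter(h for _, h in rows)
    return {h: n for h, n in counts.items() if n > 1}


def audit_unsalted(rows, wordlist):
    """Hash each candidate once, then resolve every user by dictionary lookup.
    One table serves the whole dump, which is what makes MD5-without-salt
    crackable in hours rather than years."""
    table = {md5_unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in rows if h in table}


ITERATIONS = 100_000  # assumed work factor for the example


def hash_salted(password, salt=None):
    """Per-user random salt plus an iterated KDF: two users with the same
    password get different records, and no precomputed table applies."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password, stored):
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(shared_hash_groups(LEAKED_ROWS))
    print(audit_unsalted(LEAKED_ROWS, COMMON_PASSWORDS))
    print(hash_salted("123456") != hash_salted("123456"))
```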