This is a follow-up article to my earlier article Eircom Exposes Its Broadband Customers to Serious Security Risks. If you’re following the comments on that article you’ll see that I’m trying to bring these problems to Eircom’s attention. I haven’t gotten very far yet but I’ll keep updating those comments with whatever progress I manage to make. However, there has been another development that I feel I need to bring to people’s attention. This afternoon I was anonymously sent some very interesting information regarding yet another alleged hole in Eircom’s security. I MUST STRESS THAT I HAVE NOT VERIFIED THESE CLAIMS as to do so would involve attempting to break into someone’s network and that’s illegal. However, should this prove to be true Eircom has yet another problem to fix. In this article I’ll start by explaining the alleged problem, then propose a simple solution, and end with some simple advice for Eircom customers who wish to protect themselves from these security vulnerabilities.

I had heard complaints from people in the past that Eircom didn’t seem to do the whole security thing properly at all. I guess I just hoped they’d have sorted themselves out by now. They haven’t. I’m not sure if it’s down to incompetence or just not caring about their customers, but in my book there are no valid excuses for leaving your customers exposed. Eircom have chosen to give their customers a wireless router. This makes things a lot simpler for the customer since it means they don’t have to go messing around with cables and such, but it potentially opens them up to significantly higher security risks. In the relationship between an Internet Service Provider (ISP) and a customer, the ISP must be the one on top of security issues. The average broadband customer cannot realistically be expected to be a security expert. Customers can only be expected to follow instructions from their ISP, and they have every right to assume that these instructions will not expose them to serious risks. Having gone through the process of setting up Eircom broadband for my grandfather last weekend I can tell you they are totally failing to protect their users by instructing their customers to set up their networks in a way that is highly insecure.

I’m not really sure what the collective noun for releases is so I’m using glut 🙂 Anyhow, I seem to have done nothing but update stuff in the last 24 hours. First Firefox and Thunderbird from Mozilla, then an Airport patch and an OS X security update from Apple, then a new Mac RDP client from Microsoft, and finally, an updated version of JellyfiSSH. Apart from the last two these are all security updates. I don’t have much I want to say about the security updates but I do just want to mention two important fixes which seem to be included. Firstly, there is a patch for mDNSResponder which should plug the hole which the rumoured Mac worm which was never released supposedly used. Secondly, there are a few patches for SAMBA so it looks like the SAMBA flaws I recently gave off to Apple for not patching promptly have finally been patched. Mind you, the descriptions on the Apple site are none too clear so I’m not really certain these updates really fix either of these holes. Anyhow, the real reason for this post is to have a look at the new RDP client from MS and the update to JellyfiSSH.

I regularly have a go at Microsoft for not patching vulnerabilities quickly enough. The recent shambles with the animated cursor flaw proves that MS still have a long way to go in terms of security. However, they are not alone. Apple have a definite advantage over MS when it comes to security, they have built OS X on top of the very robust and security-conscious FreeBSD distribution of Unix, while MS are building on the shoddy foundation that is DOS and early versions of NT. A lot of current Windows vulnerabilities lie in this very old code, the Animated Cursor flaw being a good recent example. However, Apple are being complacent. They seem to be drinking too much of their own Kool-Aid and are acting as if OS X really is immune from attack. It is of course not immune, and with Apple TV and the iPhone now also running OS X it’s becoming a bigger target every day. When vulnerabilities are reported Apple have to respond promptly, unfortunately the current SAMBA flaw in OS X proves they are not doing this.

Time to Secure Your Browser

Filed Under Computers & Tech, Security on April 24, 2007 | 1 Comment

What started off as a hack of a MacBook Pro at a security conference has now been revealed to be a hack exploiting a vulnerability in the way QuickTime talks to Java. What does this mean? It means that this is not just an issue for Mac users, Windows users are vulnerable too! Thankfully the solution is simple, turn off Java (not JavaScript) in your web browser.

In my rather long post on JavaScript security on the 15th I described a possible future scenario where JS could be used to attack home broadband routers. I was off sick last week so this morning I was catching up on some RSS feeds I subscribe to and was shocked to see the following advisory issued on the 16th by US CERT:

In an announcement made yesterday, security researchers at
Symantec and Indiana University School of Informatics revealed
that they had uncovered a serious new security threat targeting
home broadband routers. The attack, dubbed Drive-By Pharming,
allows an attacker to change the configuration of a home router
when a user unknowingly visits a malicious website. The website
employs malicious JavaScript code that allows an attacker to log
into many types of home routers if the default password has not
been changed. Once logged in, the attacker is able to change the
configuration of the home router, including the Domain Name
Server (DNS) server settings.

This type of attack is particularly concerning for a few reasons:

  • Simply viewing the malicious webpage is all that is required
    for a user to fall victim to this attack.
  • Many home users fail to change the default password on their
    broadband routers. The Symantec report indicates that 50% of
    all users could fall into this category.
  • Changing the Domain Name Server (DNS) server settings allows
    an attacker to redirect the home user to a DNS server of
    their choice. This includes a malicious server set up by the
    attacker to direct users to other malicious websites, where
    information such as financial account numbers, passwords,
    and other sensitive data can be stolen.

Symantec notes that the best defense against this type of attack
is for home users to change their default password. The
following links provide support resources for three of the more
common home router vendors:

US-CERT cautions users to avoid clicking on links sent in
unsolicited emails. Users should also remain cautious when
browsing the web and avoid visiting untrusted sites. More
information can be found in Securing Your Web Browser document.

To learn more, or to view a flash-animation of the attack, visit
Security Response Weblog.

This is pretty much exactly the scenario I warned about and it’s happening for real in the wild, NOW! If you have a broadband router make sure you change its password and give serious consideration to only enabling JS on sites that need it and not just surfing with JS on all the time. The threat is no longer hypothetical!

I’m actually surprised by how little discussion I’ve seen about January’s Month of Apple Bugs. For those of you not familiar with the Month of Apple Bugs (MoAB) project, the idea was to post one Apple-related bug each day in January 2007. Perhaps one reason for the lack of discussion is that the bug for the 31st of January has not been released yet. A very ominous title (“Unspecified Kernel Remote Fun”) has been posted but nothing more. People may be waiting to see just how bad these supposed remote exploits are before commenting. However, I’ve been digesting the thirty bugs we do have for a few weeks now and I think I’m ready to share some of my thoughts, even if I may have to alter my views a bit when (and if) the last bug is finally released.

A couple of months back I wrote two articles singing JavaScript’s praises from a programmer’s point of view (JavaScript – Much more than Java’s Mini-Me & Hidden JavaScript). In the last one I hinted that there would be a follow-on article showing a darker side to JS. This is that article, just a few months later than I’d planned. Unlike the previous two articles this one is not really aimed at programmers, it’s aimed at anyone who surfs the web.

JavaScript (JS) can be used to really enhance usability on the web. We all like having drag and drop capability on the web, we like the way AJAX lets pages only refresh the bits that need to change instead of whole pages, and we even like those cool JS transitions and graphic effects. A lot of people refer to these things as Web2.0, but I’m not going to. I prefer to think of Web2.0 as being about community involvement rather than any particular technology. It’s a frame of mind not a software version! You can have Web2.0 without JS or AJAX. The key point is that we are all getting used to the enhancements JS can bring to the web environment. But there is a cloud on the horizon and it is growing.

The sometimes controversial security expert Steve Gibson has been warning us about the dangers of browsing with JS turned on for years now. In the beginning people ridiculed him, but his views are gaining more and more acceptance as the dangers start to become real rather than theoretical. I think the recent MySpace JS worm and the release of proof-of-concept code for a JS port-scanner by SPI Labs have really started to focus people’s minds on the dangers of JavaScript.
