Alert: WiFi networks susceptible to hack from “KRACK” vulnerability
Important news has come in over the weekend regarding a “KRACK” attack against modern WiFi networks, whereby an attacker can silently capture and read data transmitted over the WiFi network, despite the data being encrypted – capturing usernames and passwords, credit cards, bank logons, emails, and much more.
It is extremely serious, and whilst it is early days, the hack method is likely to be weaponized at short notice by those with malicious intent.
Updates to this issue
23/10/2017: All of our clients running Ubiquiti UniFi access points have now had those access points patched and are no longer vulnerable. Sophos and Cyberoam devices do not yet have a patch available.
What we’re doing about it
Clients using our Ubiquiti UniFi WiFi access point systems will be upgraded automatically over the next few days, requiring a minor outage to WiFi as the devices reboot. This will be done outside of business hours.
Clients using other WiFi access point systems will be contacted in the next few days to arrange an upgrade to their devices providing WiFi where upgrades have been made available by the vendors, and where no upgrade is available we will be contacting you with further information.
Technical information about the issue
The information below is an excerpt from www.krackattacks.com, taken on 16th October 2017, where the discoverers of the vulnerability discuss it in great detail:
We discovered serious weaknesses in WPA2, a protocol that secures all modern protected Wi-Fi networks. An attacker within range of a victim can exploit these weaknesses using key reinstallation attacks (KRACKs). Concretely, attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted. This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos, and so on. The attack works against all modern protected Wi-Fi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. Note that if your device supports Wi-Fi, it is most likely affected. During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. For more information about specific products, consult the database of CERT/CC, or contact your vendor.
For more information
This issue is still quite new, and we will be updating this blog post on a regular basis as news unfolds. You can also keep an eye on our Facebook feed for updates. Meanwhile, please contact us should you have any queries or concerns about your own WiFi systems.
My WiFi already sucks, hacking is the least of my concern – can you make it better?
YES we can! If you suffer from poor WiFi coverage, slow WiFi speeds, or poor WiFi signal across your office space or multiple story office or home, we can assist. Maybe you want to offer secure guest WiFi within your office, or a WiFi hotspot at your restaurant, cafe, club, function room?
Not a problem, just get in touch with us and we’ll be able to assist. It’s cheaper than you think and you’ll wonder why you waited til now to get it sorted!
Critical vulnerability in Apple iPhone detected – Apple issues forced global update
Attention iPhone users! Overnight on the 26th August 2016, Apple released a critical patch to their iPhone and iPad software that addresses three previously unknown vulnerabilities, which could give a malicious user complete access and control over an iPhone.
Codenamed “Pegasus”, the malware gives attackers full control of the iOS device, and unfortunately for iOS users, becoming infected could be as simple as clicking a link on a website.
From the news.com.au website (click here for the full article):
“It basically steals all the information on your phone, it intercepts every call, it intercepts every text message, it steals all the emails, the contacts, the FaceTime calls,” he said.
“It also basically backdoors every communications mechanism you have on the phone,”
“It steals all the information in the Gmail app, all the Facebook messages, all the Facebook information, your Facebook contacts, everything from Skype, WhatsApp, Viber, WeChat, Telegram — you name it.”
Apple recommends updating your iPhone immediately, by going to the Settings menu > General > Software Update.
We are recommending that you back up your iPhone first, to ensure that you don't lose any photos or data. iPhones are notorious for botched updates requiring a factory reset, so play it safe and back up your phone before you run the upgrade. If you need a hand, just let us know!
Update: TeamViewer accounts breached – serious security threat to systems
Serious security threat to systems, risk reduced by swift, proactive action
Important note and update: Regarding this breach, it is important that our clients understand that activIT systems does not use TeamViewer for remote connections to our client systems, and as such the majority of our clients' computers are unaffected by this TeamViewer security issue.
However, a number of our clients are engaged with third party vendors, and TeamViewer is commonly used by those vendors to remotely provide support to line of business applications. Many of these third party vendors access our clients' systems whilst those systems are unattended, and many of those systems are server environments. In addition, many people use TeamViewer for casual access to remote computers that they own. It is highly feasible that should one of those systems be breached, our clients would not know about it until it is far too late.
As security is our responsibility, we have taken a proactive approach and implemented a short term security measure to mitigate the risk to our clients by disabling TeamViewer on our clients' systems, where we have those systems under our management.
We encourage all clients to liaise with your third party software vendors in order to ensure that they have changed the passwords associated with their TeamViewer accounts; for our clients on our activCare service plan, we will be doing this for you this week.
Original notice issued this morning by activIT systems
It has recently been reported that there have been a large number of TeamViewer users having their computers accessed by unauthorised third parties. It appears that this situation has occurred due to TeamViewer’s systems being breached, with account credentials stolen, thus allowing access to the PCs within the associated account. There have been reports of PCs being accessed and online banking, PayPal and other financial related services having money stolen from within.
To protect our clients from having this happen we have disabled the TeamViewer remote access software on all PCs we have under management to prevent any unauthorised parties being able to gain control of them. If you require the use of this software please contact us to discuss the options available and to allow us to determine if it is safe for you to use TeamViewer.
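As an added example (not activIT's own tooling), this is how the "disable TeamViewer on managed PCs" measure described above can be applied and later reversed on a single Windows machine. It assumes TeamViewer is installed as the Windows service named "TeamViewer" (the default name; adjust the parameter if your build differs) and must be run from an elevated PowerShell session.

```powershell
# Added example, not activIT's script. Temporarily disable TeamViewer on a managed Windows PC.
# Assumption: the TeamViewer service is named "TeamViewer" (pass -ServiceName to override).
# Run elevated. Use -Restore to re-enable it once the vendor has rotated their credentials.
param(
    [string]$ServiceName = 'TeamViewer',
    [switch]$Restore
)

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "No service named '$ServiceName' found on $env:COMPUTERNAME - nothing to do."
    return
}

if ($Restore) {
    # Put the service back the way a normal install leaves it.
    Set-Service -Name $ServiceName -StartupType Automatic
    Start-Service -Name $ServiceName
    Write-Output "Re-enabled and started $ServiceName on $env:COMPUTERNAME."
    return
}

# Stop any running instance first, then stop it coming back at the next boot.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName -Force
}
Set-Service -Name $ServiceName -StartupType Disabled

# Also end any TeamViewer process started outside the service (e.g. a portable/QuickSupport build).
Get-Process -Name 'TeamViewer*' -ErrorAction SilentlyContinue | Stop-Process -Force

# Confirm the result so it can be logged by whatever ran the script.
$after = Get-Service -Name $ServiceName
Write-Output ("{0}: {1} is now {2} (startup type {3})." -f $env:COMPUTERNAME, $ServiceName, $after.Status, $after.StartType)
```

Setting the startup type to Disabled rather than only stopping the service is the important part: a stopped-but-Automatic service simply returns at the next reboot. Running the script with `-Restore` undoes the change once you are satisfied the vendor's TeamViewer account credentials have been changed.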
More information on TeamViewer accounts is available from here: https://www.teamviewer.com/en/help/410-what-is-a-teamviewer-account-and-how-do-i-sign-up-for-one
News reports from affected users are available here: http://arstechnica.com/security/2016/06/teamviewer-users-are-being-hacked-in-bulk-and-we-still-dont-know-how/
A response from TeamViewer regarding the situation is available here: http://arstechnica.com/security/2016/06/teamviewer-says-theres-no-evidence-of-2fa-bypass-in-mass-account-hack/
If you have any queries please contact us or phone us on 1300 228 480.
eDellRoot certificate security issue – our clients are now safe
activIT systems has issued a security fix that will automatically apply to all Dell PCs under our care – regardless of whether you're on a contract with us or not – to address a potential security issue identified a few days ago by security researchers that affects certain Dell systems. The vulnerability could potentially allow malicious or fraudulent websites to present themselves as legitimate.
This fix has automatically and “silently” been applied to affected systems from 5pm Thursday 26th November. If you would like to test for yourself whether your system is vulnerable, you can click the link below to check your system. The website is only compatible with Google Chrome or Internet Explorer, and will not work on Firefox.
If this site loads and displays an image, it means your PC is vulnerable to this security flaw. If your browser warns you of a security error when you attempt to view it, your PC is not vulnerable to the issue. If the test indicates your PC is at risk, please inform us so we can take action to fix the problem.
If you’d like to manually run the fix or inform your colleagues that are using IT providers other than us, it can be downloaded from Dell’s website.
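For those who would rather check the PC directly than rely on the test website, here is an added example (not Dell's tool and not activIT's fix) that inspects the Windows trusted root certificate stores for the eDellRoot certificate. It assumes the issue is a certificate whose subject contains "eDellRoot" sitting in the Trusted Root Certification Authorities store, which is what lets a fraudulent site appear legitimate; removal with the `-Remove` switch needs an elevated session.

```powershell
# Added example, not Dell's or activIT's code. Report (and optionally remove) the eDellRoot
# certificate from the Windows trusted root stores. Assumption: the problem certificate has
# "eDellRoot" in its subject and lives in Cert:\LocalMachine\Root or Cert:\CurrentUser\Root.
param([switch]$Remove)

$stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object { $_.Subject -like '*eDellRoot*' }
}

if (-not $found) {
    Write-Output "No eDellRoot certificate found in the trusted root stores on $env:COMPUTERNAME."
    return
}

foreach ($cert in $found) {
    Write-Output ("VULNERABLE: {0} in {1}, thumbprint {2}, valid until {3}" -f
        $cert.Subject, $cert.PSParentPath, $cert.Thumbprint, $cert.NotAfter)
    # A root CA entry whose private key is also on the machine is the real red flag:
    # anyone holding that key can issue certificates this PC will trust.
    if ($cert.HasPrivateKey) { Write-Output "  ...and its private key is present on this machine." }
    if ($Remove) {
        Remove-Item -Path $cert.PSPath
        Write-Output "  Removed $($cert.Thumbprint)."
    }
}
```

Run it without switches first to see what is present; the thumbprint it prints is the value to record in a ticket before removing anything. Checking both the machine and the current user store matters because a browser trusts roots from either.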
Unfortunately, security threats like this are becoming increasingly common online, and it's important to take steps to protect yourself. Our computerCare protection solution ensures that you have an effective and current antivirus, keeps your software and operating system updated with the latest security fixes, and constantly monitors your PC for potential threats.
Beware of unexpected “Scanned Documents” arriving in your Inbox .. they’re laden with viruses
It seems the scammers are getting craftier by the minute, now sending you fake emails with attachments, using your own domain name, and purporting to be from your own scanner or photocopier!
In the example below, it looks like a legitimate scan-to-email you’d expect from a multifunction centre or photocopier, however there are a few giveaways that indicate that the message is suspicious:
- Unexpected file format: The scanned document is not a PDF or a JPG file, but rather a Microsoft Word .DOC file. The vast majority of scanners can't send you a .DOC file directly from the scanner itself – typically only high end models configured for Optical Character Recognition can
- Unexpected scanner model: The scanner model, in this case a Fuji Xerox DocuCentre, doesn’t actually exist in our company!
- Unexpected sender email address: None of the scan-to-emails that our photocopier sends come from firstname.lastname@example.org ..
- Unexpected email! In this case, I wasn’t expecting any scan-to-email messages. Alarm bells are ringing!!
Importantly, it seems that the virus-laden email is evading detection by many spam filters and antivirus applications. Talk amongst our industry peers is rife with reports of the email successfully bypassing many different spam filters and antivirus applications.
If you spot an unusual and unexpected email like the above, DO NOT OPEN THE ATTACHMENT! If in doubt, please check with us – contact us on 1300 228 480, or forward the suspect email to email@example.com
Thanks, and keep your Inbox safe!
Critical Flaws in Adobe Flash, Reader, Shockwave and Java
Critical security patches have been released for the popular Adobe Flash, Reader and Oracle Java software which most people have installed on their PCs. We urge everyone to install the latest versions available of these products. If you use Internet Explorer on Windows, please also install the latest Windows updates, which include the latest version of Flash Player for Internet Explorer. Google Chrome users will be updated automatically via the Chrome auto update function.
All of the applications listed above will be automatically updated for our clients on our computerCare and activCare services, which checks for updates to these applications and many more twice daily.
See this article for further information about the exploits: http://krebsonsecurity.com/2015/07/adobe-ms-oracle-push-critical-security-fixes/
Please don’t hesitate to contact us should you have any concerns about the security and safety of your computer systems, via phone at 1300 228 480, or contact us via email at www.aitsys.com.au/support
Los Pollos Hermanos – more ransomware doing the rounds, disguised as chicken
Aaaaand the Crypto viruses keep coming… This time, using the popular TV show Breaking Bad's fictional food outlet as a gimmick.
In what appears to be a salute to the TV show, the Breaking Bad Ransomware appears on your system showing the Los Pollos Hermanos Chicken Food chain shown in the show.
Behind this notice the virus is similar to previous crypto viruses. If infected, your computer's files become encrypted and in order to get your files back, the virus directs you to a website where you can pay a ransom using untraceable Bitcoins. Payment for the ransom appears to vary between $450 and $1000.
The infection does appear to require user intervention to set it off and bypass virus scanners – note that virus scanners will protect you from viruses but only up to the point where you “open the door” and let them in.
The virus appears to arrive via email in the form of a courier email with a PDF document attached. Upon opening this document, which appears to look quite legitimate, the virus is unleashed and begins to wreak havoc on your system.
So please, be sceptical of unknown senders in your email, and check them thoroughly before opening. If an email looks suspicious, chances are it probably is and should be deleted immediately.
Australian Federal Police phishing scam – they’re at it again!
Doing the rounds at the moment is an email purporting to be from the AFP, telling you that you’ve got a traffic infringement and you need to click on the button to download the notice.
This email reeks of being suspicious – and it is. It’s a fairly convincing phishing email, until you look at it with a skeptical eye.
How to quickly spot this is a scam
- We are fairly certain the AFP does not issue traffic infringements – that is best left to the state police. The AFP have far better things to do than chase up negligent drivers.
- Why would the AFP send you an email rather than a letter in the mail, and how would they even know your email address?
- It’s anonymous – it doesn’t have YOUR name on it.
- The date of issue and due date are both four years in the past, making this infringement well overdue. More likely the AFP are after you for missing your court date, after you didn’t pay your fine in 2011.
- The email gives you an option to unsubscribe, which is very odd. What would be the purpose of unsubscribing from a notification like this .. so you don't get any more fines in the future? Sweet!
The link to ‘see your traffic infringement’, actually takes you to a Russian website, selling such random items as 44 gallon drums, rechargeable batteries, and apparently Samsung Galaxy tablets. There doesn’t appear to be any malicious payload either, however we really recommend not to click on the ‘see your traffic infringement’ button anyway.
Thunderbolts and lightning, very very frightening … if you’re a modem
The home of one of our business clients was struck by lightning back in January, causing most of their electrical devices within the house to stop working. They’ve been hanging on to a “mystery bag” for us since then. We picked it up from them late last week, only to find burnt out wires, blown up plastic, scorch marks, and exploded circuitboards and electrical components. It’s their Netgear modem!!
With lightning striking a tall gum tree about 40 metres away from the house, the electrical current tore through the house and literally blew the modem to smithereens. The AC power pack was blown out of the power board and the two prongs bent by the force of the current, exploded capacitors and other circuitry within the modem, and smashed the modem itself into pieces.
You can imagine what kind of damage this would cause to a PC or server, and why top quality power protection for IT equipment is so essential in any business. Thankfully our client's laptop was not attached to the power grid at the time!
Moral of the story: If you rely on your IT equipment, don’t skimp on power protection. If you do want to skimp on power protection, then don’t skimp on your backup strategy!
New dangerous file locker and ransomware encountered – Win32/VirLock.J
We were unlucky enough to encounter the really nasty Win32/VirLock.J virus at a client we just started working with yesterday, on a system that was not protected by any antivirus. The really nasty virus packs three punches:
- It locks you out of your system, asking you to pay a ransom in Bitcoin – recovery from this is possible but not straight forward
- It encrypts your files and embeds the virus itself in those files – but the virus changes slightly, morphing and making it harder to detect
- When you try to view one of the encrypted files, the virus decrypts the file and then installs itself on your system – this means if you try to open the file on another computer, you’ll infect that computer as well.
This particular issue has clocked up around 7 hours of work to clean it up thus far .. and what makes it worse, the client does not yet have adequate backup in place on this system, which performs critical tasks at their retail store.
We don't yet know how this virus made its way on to the system, but the suspects at the moment are USB key sharing, and running unpatched Java and Adobe Flash plugins in a web browser (this is so easy to prevent it's not funny – we do it with computerCare automatically for you each day).
Please please please – if you have important data on your laptop or desktop, ensure you run top quality antivirus, regularly patch your applications and web browsers, and have an automated data backup system in place for the important data.
Additional information is available here: http://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter
A file infected with VirLock will be embedded into a Win32 PE file and the .exe extension appended to its name, unless it was already an executable file. When it is executed, it decrypts the original file from within its body, drops it to the current directory and opens it. The decryption methods are described later in the article. This behavior clearly sets it apart from typical filecoders.
VirLock then installs itself by dropping two randomly named instances of itself (not copies – the virus is polymorphic, so every instance is unique) into the %userprofile% and %allusersprofile% directories and adds entries in the Run registry keys under HKCU and HKLM so that they are launched when Windows boots up. These instances, which only contain the virus body without a host file to decrypt, are then launched. More recent variants of VirLock also drop a third instance that is registered as a service. This approach serves as a simple self-defense mechanism for the malware – processes and files get restored when they’re terminated or deleted.
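The persistence behaviour described above (randomly named instances dropped under %userprofile% and %allusersprofile%, launched from the HKCU and HKLM Run keys, and in newer variants registered as a service) is something a technician can look for without any special tooling. The following is an added example, not ESET's or activIT's code: it lists autostart entries and services whose executable lives in one of those profile directories. It only reports; some legitimate software does autostart from those folders, so treat each hit as a lead to triage rather than proof of infection.

```powershell
# Added example, not ESET's or activIT's tool. List Run-key entries and services whose
# executable sits under the current user's profile or the all-users profile directory,
# the persistence pattern described for VirLock. Read-only: nothing is changed.
$profileDirs = @($env:USERPROFILE, $env:ALLUSERSPROFILE) | Where-Object { $_ }

function Test-InProfileDir([string]$CommandLine) {
    # Pull the executable path out of a command line (quoted or not) and test its location.
    if (-not $CommandLine) { return $false }
    $exe = ($CommandLine -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    foreach ($d in $profileDirs) {
        if ($exe.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Properties the registry provider adds to every Get-ItemProperty result; not real Run entries.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# 1. Run-key entries pointing into a profile directory (the two dropped instances).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        if (Test-InProfileDir $p.Value) {
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Services whose binary lives in a profile directory (the "third instance" of newer variants).
Get-CimInstance -ClassName Win32_Service | Where-Object { Test-InProfileDir $_.PathName } |
    ForEach-Object {
        [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName }
    }
```

Because the article notes that the instances restore each other when one is terminated or deleted, the sensible use of this output is to identify every entry first and then clean them up together from offline or safe-mode boot, rather than killing them one at a time on the running system.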