
Hidden backdoor discovered in wireless routers from Tenda


October 23, 2013

Internet security researchers said today they have discovered a hidden backdoor in all wireless routers made by Chinese hardware maker Tenda.

Craig Heffner, the same security researcher who uncovered a backdoor in routers from D-Link, discovered the latest issue. He found the functionality, which ships in Tenda's products, after unpacking firmware updates and locating what he described as suspicious code.

Attackers can take over the router and execute commands by sending it a UDP packet containing a special string, according to The Hacker News.

"The backdoor only listens on the LAN, thus it is not exploitable from the WAN. But it is exploitable over the wireless network, which has WPS enabled by default with no brute force rate limiting," Heffner explains in a detailed advisory.

"My new ReaverPro box made relatively short work of cracking WPS," he claimed, "providing access to the WLAN and a subsequent root shell on the router, and that's very bad."

Heffner also says that the backdoor exists on Tenda's W302-R and W330-R router models as well as re-branded models such as the Medialink MWN-WAPR150N.

"They all use the same 'w302r_mfg' magic packet string," he notes. Follow-up work by other internet security researchers has also produced a more comprehensive list of potentially backdoored products.

Source code for the GoAhead web server used in Tenda products has been made available on GitHub. We've asked Tenda for its reaction but have yet to hear back from the company. We'll update this story as and when we hear more.
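The advisory above gives defenders one concrete indicator: the magic string 'w302r_mfg' inside a UDP datagram on the LAN side. The following Python, an added example that is not from Heffner's advisory or from Tenda, parses raw IPv4/UDP datagrams and flags any whose payload carries that string, noting whether the source is a private (LAN) address. The sample packets are constructed in the block, the port numbers in them are arbitrary (the page does not name the listening port), and treating RFC 1918 ranges as "LAN" is an assumption of this example.

```python
import struct

# Magic string reported in Heffner's advisory (quoted on this page).
MAGIC = b"w302r_mfg"

# Assumption: LAN traffic originates from RFC 1918 private ranges.
PRIVATE_NETS = [("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16)]


def ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def is_private(ip):
    """True if ip falls inside one of PRIVATE_NETS."""
    n = ip_to_int(ip)
    for net, bits in PRIVATE_NETS:
        mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
        if n & mask == ip_to_int(net) & mask:
            return True
    return False


def parse_ipv4_udp(packet):
    """Parse a raw IPv4 datagram. Return (src, dst, sport, dport, payload),
    or None if the bytes are not a complete IPv4/UDP packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if packet[9] != 17 or len(packet) < ihl + 8:   # 17 = UDP
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + udp_len]
    return src, dst, sport, dport, payload


def build_ipv4_udp(src, dst, sport, dport, payload):
    """Build a minimal IPv4+UDP datagram for constructed test traffic
    (checksums left at zero; enough for the parser above)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return ip + udp


def find_magic_packets(packets):
    """Return one alert per UDP datagram whose payload contains MAGIC."""
    alerts = []
    for pkt in packets:
        parsed = parse_ipv4_udp(pkt)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if MAGIC in payload:
            alerts.append({"src": src, "dst": dst, "dport": dport,
                           "from_lan": is_private(src)})
    return alerts


# Constructed sample traffic (not a real capture): a benign DNS-looking query,
# a magic-string datagram from a LAN host, and one from an outside address.
# Port 9999 is an arbitrary placeholder, not the router's real listener.
SAMPLE_PACKETS = [
    build_ipv4_udp("192.168.0.10", "192.168.0.1", 40000, 53, b"\x12\x34\x01\x00"),
    build_ipv4_udp("192.168.0.23", "192.168.0.1", 40001, 9999, MAGIC + b" trailing"),
    build_ipv4_udp("203.0.113.5", "192.168.0.1", 40002, 9999, MAGIC),
]

if __name__ == "__main__":
    for alert in find_magic_packets(SAMPLE_PACKETS):
        print(alert)
```

Because the advisory says the backdoor only listens on the LAN, an alert with `from_lan` set is the one that matters most; a hit from a public source address still indicates probing and is worth keeping in the log.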

In other internet security news

For more than 10 years now, PayPal has enabled internet users and ecommerce sites to send and receive payments with a level of security that is usually very good. Now a new service is on offer from someone else, and some internet security experts suggest it does not provide the same level of security.

Not content with traditional internet shopping as we know it, a new startup service called Square has launched a peer-to-peer payment system. But it's secured only by an SMTP password...

Square, the payment firm developed by Twitter founder Jack Dorsey, has debuted the new service, Square Cash, which authorizes transactions with an email.

You email the payment recipient, add a CC, and specify the amount of cash to be moved in the subject line.

The money is then deducted from your debit or credit card (which must be registered with the service, either in advance or by following the instructions Square sends you) and credited to the recipient, who will in turn be asked to provide a debit card if he or she is not already registered with the service.

The catch, however, is that the security of Square Cash transactions depends entirely on an email message being impossible to forge.

Square apparently wanted to simplify the process of sending and receiving money, and thinks that email should be sufficiently secure to authorize payments totalling up to $2,500 a week.

As an SMS is sent to the payee every time money is deducted, they have plenty of time to dispute a payment during the 1-2 business days it takes to process.

Forging emails isn't as trivial as it used to be some years ago, when one could telnet into an SMTP server and spit out an email from anyone.

These days, SMTP servers commonly require a username and password and use Transport Layer Security, but you might not wish to bet your bank account on it. They are somewhat more secure now, but email communications are still largely viewed as insecure unless they are encrypted with strong SSL technology and backed by a valid certificate from a trusted entity.

A while back, Square shipped an iPhone-based magnetic-stripe card reader without any obvious security features; if the company can get away with that in most cases, then perhaps the security is good enough. Or is it?

Square Cash transactions cost 2.75 percent per transaction, but the dealbreaker may be those two business days it takes for transactions to be credited to the recipient's account, while similar services offered by some banks can do the same thing in less than one business day.

In other internet security news

An internet security researcher based in Germany is asking why Google is still using the unsafe RC4-MD5 cipher suite as the first default for SSL connections on Android.

The change has gone largely unnoticed since December 2010, when the Android 2.3 release dropped its default preference order of AES256-SHA1, then 3DES, then AES128, and instead began offering RC4-MD5 and RC4-SHA1 as its first and second preferences.

For those unfamiliar with encryption implementations, there's a long list of different cipher types available to encryption applications.

To ensure that both ends can negotiate an encrypted connection, each end needs to know which ciphers the other supports, which means offering a list of ciphers during the handshake; the order of that list decides which one is used.

As the researcher, Georg Lukas, notes, internet security exploits based on MD5 collisions have been known for several years and continue to appear.

The guilty party, he asserts, isn't the Android development team, but rather Java developers, and it's an implementation recommendation first made in 2002.

As Lukas notes: "So what the Google engineers did to reduce our security was merely to copy what was in the Reference Implementation, defined by the inventors of Java!

In the Java reference implementation, the code responsible for creating the cipher list is split into two files. First, a priority-ordered set of ciphers is constructed in the CipherSuite class," he writes. "Then, all enabled ciphers with sufficient priority are added to the list for CipherSuiteList.getDefault()."

The cipher list hasn't seen relevant changes since the initial import of Java 6 into the Mercurial (Hg) repository when OpenJDK was brought to life.

In short, the cipher order on the vast majority of Android devices was defined by Sun Microsystems in 2002 and carried over into the Android project in 2010 in an attempt to improve compatibility.

RC4 has been considered problematic since 2001 (remember WEP?), and MD5 was broken in 2009. We'll keep you posted on this as well as other developments.
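The two-step process Lukas describes (a priority-ordered table, then a filter to the suites that are enabled) is easy to model, and doing so shows why the table order alone decides what a client ends up using. The Python below is an added example, not Lukas's code or anything from the Java or Android sources: the two priority lists are constructed from the orders the article describes and are not the real CipherSuite.java table, `harden()` is this example's own policy, and `hardened_context()` shows the equivalent control in Python's real `ssl` module by excluding RC4 and MD5 in an OpenSSL cipher string.

```python
import ssl

# Constructed for this example from the orders the article describes
# (pre-2.3 Android preferred AES256 then 3DES then AES128; the 2002 Java
# reference order put RC4-MD5 and RC4-SHA first). Not the real table.
ANDROID_PRE_2_3 = ["AES256-SHA", "DES-CBC3-SHA", "AES128-SHA", "RC4-SHA", "RC4-MD5"]
JAVA_REFERENCE_2002 = ["RC4-MD5", "RC4-SHA", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]

# Substrings that mark a suite as unacceptable in this example's policy.
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXPORT")


def get_default(priority, enabled):
    """Mirror the two-step construction described above: walk the
    priority-ordered table and keep only enabled suites, in table order."""
    return [s for s in priority if s in enabled]


def harden(suites):
    """Drop suites using RC4, MD5, NULL or export-grade crypto, then order
    the remainder AES-256 first, AES-128 second, 3DES last (stable sort)."""
    def rank(s):
        if "AES256" in s:
            return 0
        if "AES128" in s:
            return 1
        if "DES-CBC3" in s:
            return 2
        return 3
    kept = [s for s in suites if not any(m in s for m in WEAK_MARKERS)]
    return sorted(kept, key=rank)


def negotiate(client_order, server_supported):
    """Pick the first suite in the client's offered order that the server
    also supports: what a server honouring client preference selects."""
    for s in client_order:
        if s in server_supported:
            return s
    return None


def hardened_context():
    """A real ssl.SSLContext whose OpenSSL cipher string excludes RC4 and MD5."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers("HIGH:!RC4:!MD5:!aNULL:!eNULL")
    return ctx


def weak_suites(ctx):
    """Names of enabled suites in ctx that still use RC4 or MD5 (should be empty)."""
    return [c["name"] for c in ctx.get_ciphers()
            if "RC4" in c["name"] or "MD5" in c["name"]]


if __name__ == "__main__":
    server = set(JAVA_REFERENCE_2002)      # a server that supports everything listed
    print("2002 order negotiates:", negotiate(JAVA_REFERENCE_2002, server))
    print("hardened order negotiates:", negotiate(harden(JAVA_REFERENCE_2002), server))
    print("weak suites in hardened ssl context:", weak_suites(hardened_context()))
```

Against a server that supports every suite in the list, the 2002 order settles on RC4-MD5 while the hardened order settles on AES256-SHA; nothing about the server changed, only the client's table. The `set_ciphers()` call is the place to enforce the same policy in real Python TLS code, and `weak_suites()` is the check that confirms it took effect.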

In other internet security news

The lack of the most basic security at Mexican banks has allowed cybercriminals to place their own malware-ridden CDs into ATMs in order to gain control of the easily compromised cash machines.

The so-called Ploutus malware was installed after criminals acquired access to the ATM’s CD-ROM drive and inserted a new boot CD into it.

The hacking attempt was possible because many ATMs in Mexico use a simple lock that is easily picked, allowing the attackers to gain physical access to the ATMs.

Attacks that get malware onto ATMs are rare but far from unprecedented. Normally, a good deal of trickery is needed before a trojan can be placed on a target machine, but in Mexico it is very easy.

Malware-based ATM scams have previously involved using corrupt insiders to infect hole-in-the-wall machines. Learning how an ATM works by posing as a repair technician is also unnecessary thanks to Ploutus. And you don't need a genius security researcher to develop a fiendishly cunning ATM attack, either.

Schoolboy errors made the self-service ATM-pwning tactic all too easy for Mexican crooks. The extent of the resulting scam, either in terms of how much money was lost or how many machines were infected, remains unclear.

But details of how the malware itself works are fairly well understood. Information security firm Trustwave has completed an analysis of the malware used in Mexico after obtaining samples of the malicious code.

Infected machines still carry out their normal functions of dispensing cash, but if a particular key combination is input into the compromised device, the attacker will be presented with a hidden GUI, written in Spanish, complete with drop-down menus apparently designed for a touch screen.

Once criminals input a passcode, derived from a fixed four-digit PIN combined with the current day and month, they obtain the ability to dispense money from the compromised ATM.

"If you are a bank or the owner/operator of ATMs in Mexico, you will want to closely examine your machines for evidence of tampering," says Josh Grunzweig, an ethical hacker in Trustwave's SpiderLabs team.

"Banks and ATM owner/operators outside of Mexico could also benefit from an inspection of their ATMs," he added.

"Examples of targeted malware like Ploutus serve as a reminder of the importance of a thorough security review of ATMs and the back-end systems connected to them," he added.

Grunzweig has put together a blog post explaining how the malware works, containing code snippets and a screenshot of the GUI cybercrooks are able to feast their eyes upon once the malware is installed on compromised cash machines.

This is ATM fraud without recourse to skimmers to harvest consumers' card details or other more complex approaches. So far, Ploutus-based attacks have targeted ATMs at off-premise locations, according to self-service device information security software developer SafenSoft.

"The emergence of new malware with ability to directly extract cash from ATMs is a very alarming sign for self-service device security," says Stanislav Shevchenko, chief technology officer at SafenSoft.

"Malware like this allows the cybercriminals to skip the whole cash-out process they normally have to go through after using traditional ATM trojans and skimmer-like devices to steal the plastic card information.

"Additionally, by spreading malware like this, criminals can easily bypass the traditional antivirus-based protection on the ATMs. If that trojan gets massively distributed, then any bank without specialized protection software on its ATMs will have a difficult time getting ahead," he added.

In other internet security news

It looks like Symantec is taking full credit for luring the powerful ZeroAccess botnet into an effective sinkhole where it can't do any more harm to internet users.

ZeroAccess has been active for the past two years and is one of the largest known botnets in existence. It has upwards of 1.9 million infected computers and servers forming its nasty army, all remotely controlled by miscreants.

It's estimated that this botnet is put to work generating tens of millions of dollars annually.

It's claimed that cyber criminals make money from the infected Windows machines by instructing the computers to virtually and fraudulently click on web adverts, thus ramping up income for an affiliate ad network or, to a lesser extent, mine for new Bitcoins.

By subverting the communications system the bots use to organize, Symantec has sinkholed (i.e. taken control of or disabled) more than half a million bots, the company claims.

This will have made a serious dent in the number of zombie drones under the thrall of the ZeroAccess group. Symantec added that it's working with ISPs and government computer security teams such as CERTs around the world in an effort to get infected computers cleaned up as fast as possible.

ZeroAccess infects Microsoft-powered computers through drive-by downloads: booby-trapped websites attempt to exploit security holes in web surfers' machines to install the malware.

It then uses a rootkit to hide itself from the operating system and the victim, sets itself up on a hidden file system, downloads yet more bogus software, then connects to other infected systems and opens up more backdoor access.

And the whole process is repeated over and over. The ZeroAccess botnet is very sophisticated and powerfully resilient, using a peer-to-peer architecture to communicate in the wild.

So it seems to enjoy a high degree of redundancy and no central command-and-control server for the good guys to target. As a result, nobody is under any illusions that Symantec's action has finally put an end to the zombie network.

More details and additional information on the takedown effort can be found in a blog post on Symantec's site.

In other internet security news

Leaked documents in the wild now provide evidence that GCHQ planted malware in the systems of Belgacom, the largest telecommunications company in Belgium.

According to slides obtained by NSA whistleblower Edward Snowden and supplied to German newspaper Der Spiegel, the attack targeted several Belgacom employees and involved planting hacking technology called 'Quantum Insert' which was developed by the NSA.

The attack technique surreptitiously directs victims to spook-run websites where they are exposed to secondary malware infection.

The ultimate goal of "Operation Socialist" was to gain access to Belgacom's core GRX routers in order to run man-in-the-middle attacks against targets roaming with smartphones.

The leaked documents reveal that spooks in Cheltenham were particularly interested in BICS - a joint venture between Belgacom, Swisscom and South Africa’s MTN - which provides wholesale carrier services to mobile and fixed-line phone companies around the world, including trouble spots such as Yemen and Syria.

BICS is among a group of companies that run the TAT-14, SEA-ME-WE3 and SEA-ME-WE4 cables connecting the United States, Britain, Europe, North Africa, the Middle East and Singapore to the rest of the globe.

Early goals for the spies included mapping Belgacom's network to understand its infrastructure, as well as investigating VPN links from BICS to other telecoms providers. The leaked slides describe the exercise as already a success and close to achieving its ultimate goal of compromising enough of Belgacom's infrastructure to run man-in-the-middle attacks.

One slide explains the spooks had successfully compromised "hosts with access" to Belgacom's core GRX routers, leaving them just one step away from their objective. The slides themselves aren't dated, but other leaked documents date the compromise of Belgacom's systems to 2010, around three years ago.

In a statement issued earlier this week, Belgacom admitted its internal systems were compromised but played down the impact of the breach, saying that the intrusion didn't compromise the delivery of communications. It added that the intrusion is under investigation by Belgian law enforcement.

If GCHQ was indeed the agency concerned at that time, then this investigation is unlikely to go anywhere soon, and the most that can be expected is some sort of diplomatic complaint from Belgium to Britain, its EU and Nato partner.

We've asked Belgacom if it has any comment on Der Spiegel's revelations. In response, a spokesman supplied the following short statement, which clarifies that Belgacom filed a criminal complaint in July shortly after detecting the hacking attempts, and long before going public with the problem on Monday.

Belgacom said: "We have filed on July 19 a formal complaint against an unknown third party and have granted since then our full support to the investigation that is being performed by the Federal Prosecutor."


Source: Craig Heffner.
