VPNFilter Malware

VPNFilter was identified by Cisco's Talos threat intelligence group. Talos believes it is a likely state-sponsored program that infects standard home and small-office routers. Infected devices have been found in 54 countries. These retail, off-the-shelf routers have no anti-virus software to protect the device from attack, and intrusion detection is not built in either. The most glaring problem is that most of these devices are still running with the default username and password. Our home and small business routers give the bad actors on the Internet a big security opportunity.

FBI request

On May 23rd the Justice Department issued a press release asking that firewalls and network storage devices be rebooted. The FBI seized one of the command and control domain names this botnet uses, and is monitoring the traffic that infected devices send to the seized domain. Rebooting your home or small business router therefore helps the FBI locate infected devices. Rebooting does not remove the malware from your router or network storage device. The device has been compromised and remediation is necessary.

Fixing your home router

Some of the software that runs your router has been altered. The machine cannot be trusted to send and receive information on the Internet. Talos research now shows that the second-stage software downloaded after infection can inspect every packet passing through the device. That means do not use your credit card to purchase anything on the Internet through that router. This is why Amazon stores your credit card information with your account.

What to do

  • Find your router manufacturer and model number. Using the table at the end of this post, check whether your equipment is on the list of possibly compromised devices.
  • If your router is on the list, remove the power cable from the back of the router. Wait one minute and plug the cable back in. Wait two to five minutes for the router to become operational again. This is the FBI step: if your device is infected, the FBI will collect information from it to aid their investigation.
  • Check your router model number. Search for this model number on Google to find your user manual. Open the user manual and find the section about the default password for the device.
  • Chances are that you access your router from a web browser. Open a new browser window and type 192.168.0.1 in the address bar at the top of the window. Wait for a response. If this times out, try the address 192.168.1.1 instead. One of these addresses should work with your router.
  • Use the default username and/or password to log into your router.
  • Go back to the manual and find how to change the default password.
  • Now check the manual for how to disable remote access to the router settings.
  • Open a new tab in your web browser and search on Google for the current firmware for your router. Download this software.
  • Check the user manual for the procedure to upload this firmware to your router, and replace your current compromised firmware with the freshly downloaded manufacturer's firmware.
  • Reboot your router to load the new, clean firmware into the router's memory.

Firewall replacement

One easy fix is to replace the network router you have had for the last six to ten years with a current model. A new router off the retail shelf is probably not compromised, but it still has the same flaws as your ten-year-old router: no anti-virus on the software that runs the device and no intrusion detection software. Router prices range from $90 to $350. During the installation change the default password and turn off remote support. Check the user manual for help with this.

Another option is to buy a used router running OpenWrt, DD-WRT, Tomato or LEDE alternative firmware. The factory firmware on Linksys routers was derived from open source software. Anyone can use and modify this software to improve performance or security, or to add features. Several independent developers have made great improvements to standard router firmware.

If you have an old computer you can convert it into a true home next-generation firewall. The Sophos XG home firewall gives you anti-virus, anti-malware, intrusion prevention and protection from phishing web sites. This is a full product that gives you the same protection large corporations use to protect their offices. A VPN server is included to give you safe Internet browsing when you are using public WiFi away from home. You will need a second network card for the old computer. Now you can stop threats at the Internet gateway to your home. Sophos uses a dual anti-virus scanning engine for double protection from online threats.

With routers like these models you can add a RaTtrap filter to stop malware, viruses and annoying Internet ads. RaTtrap connects between your cable or DSL modem and your router. A RaTtrap device continuously receives threat information from the RaTtrap security center online to protect you from current threats.

With so many options which one will you choose?

Upgrade your own router

To eliminate the security problems with factory-installed firmware you can use third-party software. DD-WRT, OpenWrt, Tomato, DebWrt and HyperWRT are all open source firmware projects that produce better firmware for many retail routers. The projects' web sites give detailed instructions for installing the new firmware on the routers. Below is a list of affected routers that can be upgraded using DD-WRT, Tomato or OpenWrt.

Affected Routers to Upgrade

  • Asus: RT-10, RT-10U, RT-N56U, RT-N66U
  • Linksys: E1200, E2500, E3000, E3200, E4200
  • NetGear: R7000, R8000, WNDR4000, WNDR4300

Brands and models affected by VPNfilter

  • Asus: RT-AC66U, RT-N10, RT-N10E, RT-N10U, RT-N56U, RT-N66U
  • D-Link: DES-1210-08P, DIR-300, DIR-300A, DSR-250N, DSR-500N, DSR-1000, DSR-1000N
  • Huawei: HG8245
  • Linksys: E1200, E2500, E3000, E3200, RV082, WRVS4400N
  • Mikrotik: CCR1009, CCR1016, CCR1036, CCR1072, CRS109, CRS112, CRS125, RB411, RB450, RB750, RB911, RB921, RB941, RB951, RB952, RB960, RB962, RB1100, RB1200, RB2011, RB3011, RB Groove, RB Omnitik, STX5
  • NetGear: DG834, DGN1000, DGN2200, DGN3500, MBRN3000, R6400, R7000, R8000, WNR1000, WNR2000, WNR2200, WNR4000, WNDR3700, WNDR4000
  • Qnap: TS251, TS439, and other devices running QTS software
  • TP-Link: R600VPN, TL-WR741ND, TL-WR841N
  • Ubiquiti: NSM2, PBE M5
  • Upvel: unknown models
  • ZTE: ZXHN H108N

KRACK: your WiFi is not secure

Your WiFi traffic exposed by KRACK

On October 17th new problems were announced with devices that use WiFi communications. The most common type of encryption for WiFi networks, WPA2, is flawed. Several demos of this weakness are now available on YouTube. The bad guys only need to watch the videos to exploit this problem.

For business people this means there are ten new ways someone can eavesdrop on your WiFi network. Every WiFi device is affected: your phone, tablet and WiFi-connected computer are all vulnerable. This includes any wireless terminals, tablets and phones used for credit card transactions.

What action should you take now to protect your network and intellectual property?

  • Apply the October security updates to all Microsoft Windows devices.
  • Apply the iOS 11.1 update to all Apple wireless devices.
  • Apply the November 6th 2017 security update from Google to Android devices. You will need to contact each Android vendor to find out when and if the security release is available.
  • Update all WiFi access points with patches for KRACK. This should protect even unpatched devices like your wireless security cameras.
  • Use a VPN, virtual private network, to protect your phone and/or tablet when you are away from the office.
  • Scan your networks to get a list of all WiFi devices. You need an inventory of what you still have to patch.

In the Scottsdale Air Park

Most businesses in the Scottsdale Air Park use WiFi. According to the latest information there are over 12,074 unique hardware addresses using WPA2 encryption in the Scottsdale Airpark. Some devices have multiple addresses for one wireless device. You can check the public listing of known WiFi access points at the WiGLE web site. How do we know the number of access points? Because your WiFi broadcasts this information out to the street or parking lot every day, night and weekend. Anyone with a cell phone can see who you are and where you are located. The app to scan for and locate an access point within a few feet is free.

About 30% of Scottsdale Air Park businesses have not corrected the WiFi vulnerability from six years ago, WiFi Protected Setup (WPS). The current map is found at a shared Google map. Security industry professionals believe it will take decades to fix this latest problem. The current survey shows that businesses in the Airpark do not correct known problems in a timely manner. For safety tips to secure your WiFi, check the 8 steps to safer WiFi page.
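As an added example (not part of the original post), the Python script below audits a constructed WiFi survey laid out like a WiGLE app CSV export: it de-duplicates repeated sightings, counts unique WPA2 hardware addresses, estimates how many physical radios those addresses belong to, and lists the networks still advertising WPS or no WPA at all. The export layout and the grouping of addresses that differ only in the low nibble into one radio are assumptions to check against your own data.

```python
"""Audit a WiGLE-style WiFi survey for WPA2, WPS and unencrypted networks.
Added example, not from the original post; sample data is constructed."""
import csv
import io
from collections import defaultdict

# Constructed sample in the layout of a WiGLE app CSV export (assumption:
# the preamble line and column order match your export; adjust if not).
SAMPLE_EXPORT = """\
WigleWifi-1.4,appRelease=sample,model=sample,release=sample,device=sample,display=sample,board=sample,brand=sample
MAC,SSID,AuthMode,FirstSeen,Channel,RSSI,CurrentLatitude,CurrentLongitude,AltitudeMeters,AccuracyMeters,Type
00:11:22:33:44:50,AirparkDental,[WPA2-PSK-CCMP][WPS][ESS],2017-11-01 09:12:00,6,-61,33.62,-111.92,400,5,WIFI
00:11:22:33:44:51,AirparkDental-Guest,[WPA2-PSK-CCMP][WPS][ESS],2017-11-01 09:12:00,6,-62,33.62,-111.92,400,5,WIFI
00:11:22:33:44:50,AirparkDental,[WPA2-PSK-CCMP][WPS][ESS],2017-11-01 09:15:00,6,-58,33.62,-111.92,400,5,WIFI
aa:bb:cc:dd:ee:01,HangarCoffee,[WPA2-PSK-CCMP][ESS],2017-11-01 09:13:00,11,-70,33.62,-111.92,400,5,WIFI
11:22:33:44:55:66,LegacyPOS,[WEP][ESS],2017-11-01 09:13:00,1,-75,33.62,-111.92,400,5,WIFI
99:88:77:66:55:44,FreeWifi,[ESS],2017-11-01 09:14:00,1,-80,33.62,-111.92,400,5,WIFI
d4:e5:f6:00:00:01,PrinterBT,,2017-11-01 09:14:00,0,-85,33.62,-111.92,400,5,BT
"""


def radio_key(mac: str) -> str:
    """Heuristic: access points that broadcast several SSIDs usually hand out
    BSSIDs differing only in the low nibble, so mask it to approximate one
    physical radio.  This is an assumption, not a property of every vendor."""
    return mac.lower()[:-1] + "x"


def audit_survey(export_text: str) -> dict:
    """Summarise one survey: unique BSSIDs, WPA2 count, radio estimate and
    the SSIDs that still advertise WPS or use no WPA at all."""
    lines = export_text.splitlines()
    # WiGLE exports carry a one-line preamble before the real CSV header.
    if lines and lines[0].startswith("WigleWifi"):
        lines = lines[1:]
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    networks = {}  # BSSID -> (SSID, AuthMode); repeated sightings collapse
    for row in reader:
        if row.get("Type") != "WIFI":  # skip Bluetooth / cellular rows
            continue
        networks[row["MAC"].lower()] = (row["SSID"], row["AuthMode"])
    wpa2 = {m for m, (_, auth) in networks.items() if "WPA2" in auth}
    wps = {m for m, (_, auth) in networks.items() if "[WPS]" in auth}
    no_wpa = {m for m, (_, auth) in networks.items() if "WPA" not in auth}
    radios = defaultdict(set)
    for m in networks:
        radios[radio_key(m)].add(m)
    return {
        "unique_bssids": len(networks),
        "wpa2_bssids": len(wpa2),
        "estimated_radios": len(radios),
        "wps_enabled": sorted(networks[m][0] for m in wps),
        "no_wpa": sorted(networks[m][0] for m in no_wpa),
    }


if __name__ == "__main__":
    for key, value in audit_survey(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Point it at your own export to see which of your networks still need WPS turned off before you worry about KRACK patches.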

Router Solutions

Most business class routers have patches to protect against the KRACK problem. Unfortunately most small businesses don't use business class access points or routers. An example is the manufacturer Netgear: 46 of its products are affected, but only fourteen had upgrades available by early November 2017. Many consumer grade routers can be upgraded with alternate firmware to improve performance and security. DD-WRT, Tomato and OpenWrt are three firmware replacements. DD-WRT has more user support than the other two options. The LEDE project is a branch of OpenWrt with over 3000 applications that can run on a router. A current list of available router and mobile device patches is here. The patches are just one end of the communication channel that needs to be fixed.

VPN for your mobile device

A VPN, virtual private network, creates an encrypted path back to a safe place from which to browse the Internet. This prevents anyone from reading your information as it travels to the safe Internet connection. Commercial vendors include Private Internet Access, IPVanish and CyberGhost. The cost is $35/year to $144/year, per employee. Free VPN software is available, but those companies monetize your connection in other ways, by selling ads on the network or selling your online activity and browsing habits to outside companies.

If you use DD-WRT, OpenWrt or Tomato on the router at your office, OpenVPN is available to safely route all of your mobile Internet traffic back to your office. OpenVPN has no per-user or monthly cost. Some new Asus, Netgear, Linksys and TP-Link Internet routers also have OpenVPN support. For a business with outside sales or service personnel this is a safe, secure solution.

If you don't want to monitor security for your computers and network we can help. There are simple, inexpensive solutions to your network security. Just call us at (480) 822-7222 for a free security assessment.
Altura IT provides affordable network security for small businesses in the Scottsdale area.

Yahoo Breach

Everyone knows about Yahoo's data breach that affected 500 million user accounts. This is another opportunity to look at how you manage your online passwords and accounts.

If you have a Yahoo account change your password now. Use a password that is not used on any other online or offline account. Duplicate passwords are used by 73% of Internet users. Password managers are the right tool to make this easy. LastPass offers a free computer account for all passwords and important information. When using LastPass you only need to remember one passphrase to unlock thousands of unique passwords.

To change your Yahoo password, log into your email account. Point your mouse at your name in the top right corner of the screen. Click on Account Info in the menu that appears. On the account information screen click on Account Security in the menu list on the left side of the screen. After changing your Yahoo password, find "Disable security questions" on the left of the Account Security screen. Click on the link to clear all of your current security questions.

Yahoo also offers two-step authentication. With this authentication you need both a password and a code sent to your cell phone to access your Yahoo account. This occurs the first time you log in from a new smartphone, tablet or computer. TwoFactorAuth lists all of the websites that offer two-factor authentication.

A Yahoo account key can secure your account without using a password.  It does require that you use your cell phone to authorize each access from a new device.  Yahoo account key setup instructions are found here.

It is not just your login information that is at risk. Beware of phishing emails that pretend to be from Yahoo. Yahoo is sending out an email to affected users. Yahoo states “the email does not ask you to click on any links or contain attachments and does not request your personal information. If the email you received about this issue prompts you to click on a link, download an attachment, or asks you for information, the email was not sent by Yahoo and may be an attempt to steal your personal information. Avoid clicking on links or downloading attachments from such suspicious emails.” Do not download attachments or click on any links sent in an email claiming to come from Yahoo. Any message containing a link or attachment is not from Yahoo.

If you have any questions or want to know more about how to secure your business on the Internet please contact us.

Ransomware in Office 365 email

Avanan's blog reported a large ransomware attack against Office 365 users. Avanan's Cloud Security Platform started to detect a massive attack on June 22nd. The payload was inside an attached Microsoft Word file. By June 23rd Microsoft was blocking the distribution of this attachment in email messages. Avanan estimated that 57% of companies using Office 365 email received at least one of these messages last week.

A variant of the Cerber ransomware was found in the offending email attachments. If Cerber executes on a computer, all of the working files are encrypted and a message demanding a $500 payment in bitcoin to unlock the files appears. All of your files are gone. Your last resort is a good offsite backup of everything you have ever created.

Cerber ransomware runs when Microsoft macros are enabled

If you do not have an advanced malware protection service like Avanan, protect your office by disabling unsigned macros in Microsoft Word. If you have a domain controller you can use Group Policy to block macros in files from the Internet on all of your computers. The instructions from Microsoft can be found here.
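As an added example (not from the original post and not Microsoft's own tooling), this Python script checks an exported copy of the Word macro policy registry key for the two protections just described: unsigned macros disabled (VBAWarnings set to 3 or 4) and macros in files downloaded from the Internet blocked (blockcontentexecutionfrominternet set to 1). The key and value names are the ones Office's Group Policy templates write; the weak and hardened sample exports are constructed.

```python
"""Audit a Word macro policy export for unsigned-macro and Mark-of-the-Web
protection.  Added example; sample .reg exports below are constructed."""
import re

# Policy key Group Policy writes for Word 2016/2019/365 (16.0); Office 2013
# uses 15.0 in the same path.  Assumption: the input was produced with
#   reg export "HKCU\Software\Policies\Microsoft\Office\16.0\Word\Security" word.reg
# (reg export writes UTF-16; open the file with encoding="utf-16").
SECURITY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security"

# Meaning of VBAWarnings as set by the "VBA Macro Notification Settings" policy.
VBA_WARNINGS = {
    1: "Enable all macros",
    2: "Disable all macros with notification (default)",
    3: "Disable all except digitally signed macros",
    4: "Disable all macros without notification",
}

# Constructed export of a workstation still on the default, weak setting.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000002
"""

# Constructed export after the hardening policy has applied.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000003
"blockcontentexecutionfrominternet"=dword:00000001
"""


def parse_reg(text: str) -> dict:
    """Minimal .reg parser: {key path: {value name (lowercased): int}} for
    dword values only, which is all these two policies use."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                result[current][m.group(1).lower()] = int(m.group(2), 16)
    return result


def audit_word_macros(reg_text: str) -> list:
    """Return the findings to fix; an empty list means both protections hold."""
    values = parse_reg(reg_text).get(SECURITY_KEY, {})
    findings = []
    vba = values.get("vbawarnings", 2)  # no policy set means Word's default (2)
    if vba not in (3, 4):
        findings.append(f"VBAWarnings={vba} ({VBA_WARNINGS.get(vba, 'unknown')}): "
                        "unsigned macros still run once a user clicks Enable Content")
    if values.get("blockcontentexecutionfrominternet") != 1:
        findings.append("blockcontentexecutionfrominternet is not 1: macros in "
                        "email attachments and downloads (Mark of the Web) are not blocked")
    return findings


if __name__ == "__main__":
    for name, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(name, audit_word_macros(export) or ["OK"])
```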

McAfee Labs saw a 165% rise in ransomware attacks in the first quarter of 2015. Seven hundred thousand attacks were detected by McAfee alone in Q1 2015. In April 2016 the Horry County school district in South Carolina paid over $10,000 in ransom to restore encrypted files from just one attack. In 2015 the FBI received 2,453 complaints about ransomware, costing the companies or users more than $24 million.

An ounce of prevention is less than a pound of cure once again.

Who is watching your data? Need some help? Just send us an email.

LinkedIn passwords revisited

LinkedIn Password breach
Last week 117 million account names and passwords for LinkedIn accounts went on sale on the Internet. LinkedIn confirmed that this list came from its data breach in 2012. This represents about one quarter of the accounts at LinkedIn. If you receive a message from LinkedIn asking you to reset your password, do so. A message from LinkedIn also means your password is at least 4 years old and that your stored password hash can be cracked. LinkedIn did not change its password policy until after the data breach in 2012.

Your LinkedIn email address may also receive a message from LeakedSource soliciting you to join their service because they have a copy of the database. Their blog post lists the top 50 passwords used on LinkedIn from this list of 117 million accounts. You can check whether you use one of the easiest passwords to compromise on LinkedIn.

We all have scores of passwords that give us access to everything from games to our professional profile. Using a password manager can reduce the complexity of managing this mess. It is time to move your passwords out of that list in a book, your Excel spreadsheet, Word document or the contact list on your phone. If you have employees, a policy and procedure should be in place to manage all of the credentials necessary to run your business.

If you use Office 365 you can manage passwords to Internet sites. After you log into Office 365 you can unlock access to LinkedIn, Dropbox, Box and thousands of other sites. Multi-factor authentication is available on Office 365 to make sure only the account holder can access your online accounts. You do not have to authenticate each time you access the account; you can authorize a device to access Office 365 for 2 weeks before you are prompted again to check a text message or the authentication app on your phone.

LastPass is an app that works with your computer, tablet or phone to save passwords. The consumer version is free to use on your computer. Twelve dollars per year gets you access from your phone or tablet. A corporate version is available for $24 per year. LastPass has features that can change passwords automatically and save them to your password vault. Forms can be filled with two clicks of your mouse, saving time typing static information online.

If you want help to manage your passwords just email us.

Comcast Accounts for Sale

Over the weekend someone on the dark web started selling a list of Comcast usernames and passwords. The complete list had 590,000 email addresses and passwords. Comcast was quick to respond to this disclosure. By Saturday night Comcast had a copy of the list and had checked each entry to determine which accounts were valid. Two hundred thousand Comcast accounts were forced to reset their password on the next login.

A Comcast representative confirmed that their security teams were certain none of their systems had been compromised to release the account information. The likely sources for the known good email addresses and passwords are phishing attacks or malware installed on the victims' computers. Keylogging malware can capture usernames and passwords from your keyboard.

“We’re taking this seriously and we’re working to get this fixed for those customers who may have been impacted,” a Comcast spokesperson told the Washington Post, adding, “but the vast majority of information out there was invalid.”

Comcast does not offer multi-factor authentication for your account. Multi-factor authentication requires a password and one other form of identification to allow access to the account. The other identification can be a text message, a smartphone app or a security key plugged into your computer. If your password is compromised or lost, your account is still safe with two-factor or multi-factor authentication. If your email is important then you should be using best-in-class protection for your messages. This includes everyone who has a bank account or brokerage account, because your email is the destination for password reset confirmation messages.

You can check which services use multi-factor authentication at TwoFactorAuth.

If you are tired of looking for your password in a pile of post-it notes or a book, you can use a password manager. Do you use the same password on multiple web sites? LastPass is free to use on your computer and it supports multi-factor authentication. You can try LastPass here.

Want to know more about how to secure your life online? Send us a message.

Free UTM

Free Next Generation Firewall

Now you can get a free Cyberoam Next Generation firewall when you purchase a 3 year Total Value subscription.

What you Get:

  • Gateway Anti-Virus & Anti-Spyware
    • protects your network from malware, viruses, worms, spyware, backdoors, Trojans and keyloggers.
  • Anti-Spam
    • real-time spam protection over SMTP, POP3, IMAP protocols, protecting your business from zero-hour threats and blended attacks that involve spam, malware, botnets, phishing, and Trojans.
  • Web Application Firewall
    • secures your internal websites and web-based applications against attacks such as SQL injection, cross-site scripting (XSS), URL parameter tampering, session hijacking, buffer overflows and more, including the OWASP Top 10 web application vulnerabilities. Adopting the OWASP Top Ten is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.
  • Web filtering
    • comprehensive URL databases with millions of URLs grouped into 89+ categories. Fine-tune what your employees have access to on the Internet.
  • Intrusion Prevention System
    • automatically detects, blocks and drops suspicious traffic coming into or going out of your network.
  • 24 x 7 Email, phone and chat Tech Support
  • A free Cyberoam NG firewall
    • NG25 or NG25wING
      • 110 Mbps throughput on the appliance
      • NG25wING has up to eight WiFi access points available for your network
    • NG35 or NG35wING
      • 210 Mbps throughput on the appliance
      • NG35wING has up to eight WiFi access points available for your network
    • NG50
      • 550 Mbps throughput on the appliance
    • NG100
      • 750 Mbps throughput on the appliance
    • NG200
      • 1.4 Gbps throughput on the appliance

Business Class service that you can afford

It is time to retire the retail router that connects your business network to the Internet. Your business information and your public image need not be tarnished because of weak or nonexistent protection. You can stop many of the problems before they even reach any of your computers. If someone in your office does make a mistake, the appliance can stop the information from going outside the US to criminals in other countries.

Data leak prevention can be customized for each group or individual. Policies can be created to forward email for departing employees to their supervisor. Another policy can stop everyone, or a specific person or group, from uploading documents to the web, web mail, FTP sites or peer-to-peer sharing sites. Even transfers to web sites using SSL encryption can be blocked with a policy on the appliance. Web chat can be limited by keywords and file transfers blocked. Or you can simply block instant messaging sites if you do not use them for your business operations. This means you are in control of your Internet connection.

Get this deal today: just email us at Altura IT.

Installation and setup is available if you want help to get started.