
February 27, 2007

Now You REALLY Have to Change Your Router's Password!


Further to my previous post, here's 1,100 reasons why you MUST change your home router's password today.


February 25, 2007

Home Router Password Alert!


If you're running any sort of home router, it's time to change its password - NOW! Bruce Schneier's security blog carries details of a just-released drive-by pharming attack of breathless simplicity with potentially disastrous results;

First, the attacker creates a web page containing a simple piece of malicious JavaScript code. When the page is viewed, the code makes a login attempt into the user's home broadband router, and then attempts to change its DNS server settings to point to an attacker-controlled DNS server. Once the user's machine receives the updated DNS settings from the router (after the machine is rebooted) future DNS requests are made to and resolved by the attacker's DNS server.

And then the attacker basically owns the victim's web connection.

The main condition for the attack to be successful is that the attacker can guess the router password. This is surprisingly easy, since home routers come with a default password that is uniform and often never changed.


The proof-of-concept code lists attacks on Linksys, D-Link and NETGEAR home routers, and Cisco have confirmed that 77 of their routers are vulnerable.
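The attack quoted above leaves a tell-tale symptom on the victim's machine: after the reboot, its resolver configuration points at a DNS server the owner never chose. The following is an added defender-side check, not code from the post or from the drive-by pharming paper it cites. It parses resolv.conf-style text and flags any nameserver that is not on an explicit allowlist; the allowlist, the sample resolver file and the addresses 203.0.113.9 and 198.51.100.53 (both from the RFC 5737 documentation ranges) are constructed for the example, and in practice the allowlist would hold your router's LAN address and your ISP's or chosen public resolvers.

```python
"""Added example (not from the post or the cited paper): flag DNS resolvers
that a home machine has picked up but that are not on a trusted allowlist.
This is the symptom of the router-DNS rewrite described in the post.
"""
import ipaddress
from typing import List


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in resolv_conf.splitlines():
        # Drop '#' and ';' comments, then look for 'nameserver <addr>' lines.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def find_untrusted_resolvers(resolv_conf: str, allowlist: List[str]) -> List[str]:
    """Return every nameserver in resolv_conf that falls outside the allowlist.

    Allowlist entries may be single addresses ("192.168.1.1") or CIDR blocks
    ("192.168.1.0/24"). A nameserver value that is not a valid IP address is
    reported as untrusted rather than silently skipped.
    """
    trusted_nets = [ipaddress.ip_network(entry, strict=False) for entry in allowlist]
    untrusted = []
    for server in parse_nameservers(resolv_conf):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            untrusted.append(server)
            continue
        if not any(addr in net for net in trusted_nets):
            untrusted.append(server)
    return untrusted


# Constructed sample: what a victim's resolver file might look like once the
# router's DNS setting has been rewritten and the machine has rebooted.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
nameserver 192.168.1.1
nameserver 203.0.113.9   # not one of ours (constructed, documentation range)
search home.lan
"""

# Constructed allowlist: the router's LAN subnet plus a stand-in for the
# ISP's resolver (198.51.100.53 is a documentation address, not a real DNS).
TRUSTED_RESOLVERS = ["192.168.1.0/24", "198.51.100.53"]


if __name__ == "__main__":
    suspicious = find_untrusted_resolvers(SAMPLE_RESOLV_CONF, TRUSTED_RESOLVERS)
    if suspicious:
        print("WARNING: untrusted DNS resolver(s) configured:", ", ".join(suspicious))
    else:
        print("All configured DNS resolvers are on the allowlist")
```

Run periodically (or from a login script) against the machine's real resolver configuration; a hit means the DNS settings the router is handing out no longer match what you expect, which is exactly the change this attack makes. It does not tell you whether the router password is still the factory default, so change that regardless.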

February 14, 2007

Skype Snoop Deactivated


In spite of their assurances to the contrary, Skype have been snooping on their users for the last couple of months. From mid-December up to the release of version 3.0.0.216 last Thursday, a third-party component built into Skype called EasyBits was secretly probing users' machines and recording motherboard serial numbers. In fact, if it hadn't been for a stuff-up in the way the application handles 64-bit CPUs, nobody would have been any the wiser.

Skype insist they did no wrong and that their software really doesn't contain any spyware. But what of the third-party applications they incorporate into that software? And where did the captured information go?

The EasyBits addition was to enable our old friend Digital Rights Management (DRM). It attempted to ensure that pay-for plugins weren't being nicked.

Incidentally, one of those plugins is the KishKish Lie Detector, a highly-dubious addition that supposedly monitors the real-time stress levels in the voice of the person you're talking to. Keep that in mind next time you phone in with a sickie!

February 9, 2007

Microsoft: The Burglar's Friend




If you steal an Xbox you've got around two weeks to register it with Microsoft, obtain replacement parts and, (if you're smart), on-sell it. At least that's the message the corporation's broadcasting with this story from Stuff (my italics);

Computer giant Microsoft refused police requests for information on a suspected burglary ring, claiming as a United States-based company that it was not subject to New Zealand laws.

Police had to obtain a court order to seize details of a man they believed was linked to a series of Wellington burglaries - after he had given his details to the company seeking a replacement part for a stolen Xbox 360 console.

The computer company had the man's name, address and phone number - but would not provide the information to police.

The Privacy Act compels private and public organisations to divulge information to allow the law to be upheld.

The saga began when a man accused of receiving a stolen Xbox 360 contacted Microsoft to register the stolen machine - and to ask for a replacement power cord.

Police suspected that the man had links to a burglary ring in Wellington, but Microsoft would not pass details to police till they obtained a court-issued search warrant - nearly two weeks after the theft.


So precisely what New Zealand laws are Microsoft subject to? I'd like to invite the company to clarify.

I'll leave the last word to the victim who (declaration of personal interest) is the colleague of a friend of mine;

I'm still struggling to understand how Microsoft will protect a person that they know is a thief... and even send them a power cord for a machine that they know is stolen.

What do you think? Should Microsoft have helped the police? Or should multi-nationals be free to act in whatever manner they see fit?


February 6, 2007

The Dark Side

Some of the stories you may have missed amongst the hype...

Security experts have thrown doubt on Bill Gates' claim that Vista is "more secure" than other operating systems. It may be more secure than other versions of Windows, they said, but there are older operating systems that are still safer...    [more]


Microsoft has admitted that speech recognition features in Vista could be hijacked so that a PC tells itself to delete files or folders. Vista can respond to vocal commands and concern has been raised about malicious audio on websites or sent via e-mail. In one scenario outlined by users an MP3 file of voice instructions was used to tell the PC to delete documents...    [more]


Apple has some advice for PC-based iTunes customers that are considering upgrading to Windows Vista: Wait!
In a support document updated Thursday, the company warned such customers that its digital music software has some compatibility issues with Vista, the latest version of Microsoft's flagship operating system. Among the known issues: Songs purchased from the iTunes music store may not play; contacts and calendar entries won't sync to customers' iPods; and customers could corrupt their iPod unless they eject it from Windows using iTunes...    [more]


Security tools that work with Windows Vista have failed tests to see if they can detect viruses circulating online.
Microsoft's Windows Live OneCare security tool was one of four products that failed independent tests carried out by the Virus Bulletin.
The security testing group found that Live OneCare missed far more active viruses than any other program tested...    [more]


Microsoft also drew criticism from environmentalists and consumer interests groups that Vista would force unnecessary purchases of computers that need more energy. Because only about 15 percent of existing computers have memory and graphics cards powerful enough to run premium versions of Vista, most users will have to buy a whole new computer if they want to upgrade.    [more]


February 1, 2007

Unsafe At Almost Any Time

"For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the [Internet Explorer] browser were publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users."

So reports Washington Post blogger Brian Krebs. It gets worse;

"In a total of ten cases last year, instructions detailing how to leverage critical vulnerabilities in IE were published online before Microsoft had a patch to fix them."

"Criminals specializing in Internet fraud continued to ply much of their trade with the aid of security flaws in the Microsoft browser last year. In 2006, the company issued patches to fix a total of four "zero day" flaws in IE. Zero-day (or 0day) attacks are so named because software vendors have no time to develop a fix for the flaws before they are exploited by cyber crooks for financial or personal gain."

In comparison;

"Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem."

Click here for the full report, here for the accompanying chart and here to get Firefox.

