Patching Your Mouse? Yes, Really!

Strange as it may seem, if you have a certain type of wireless mouse you may be vulnerable to an attacker being able to inject keyboard keystrokes into your computer; with this they are able to do just about anything you can imagine (and a fair bit you cannot) to your computer and use access to your computer to spy on your activities.

Now this attack does require physical proximity. The advertised range of the vulnerable devices is 10m, and an attacker could well be using an external antenna to extend that considerably, so physical proximity is not impossible.

The main vulnerable device are the Logitech family of wireless mice and keyboards – basically anything using the Unify wireless dongle :-

Whilst the problem may have been fixed in the newest devices, it makes sense to assume you are vulnerable with any device purchased any time before 31st March, 2017 (older devices can stick around on shelves a long time).

To fix the problem merely requires a firmware update, but who thinks of checking whether their mouse needs a firmware update? And how frequently?

The firmware update is relatively easily applied, and can be applied with all of the major desktop operating systems – Windows, OSX, and Linux.

Updating the Firmware with Windows (and OSX)

The process of updating the firmware with OSX is as similar to updating with Windows, that repeating the instructions with OSX screen shots instead of Windows screen shots would be unnecessarily repetitive.

To start with, you will need to download and install the Logitech software (http://support.logitech.com/en_us/software/unifying). Once installed open it :-

Click on the “Advanced” option :-

At this point, click on “Check for updates” to ensure that the software’s idea of what the latest firmware is reflects the latest changes. Then for each of the devices listed in the left hand side (including the “Unifying receiver”), click on the “update firmware” button if it is not greyed out.

Once clicked, the screen will show :-

(Yes I have changed mice)

Simply click “Update”, and you will then be asked to turn off your mouse and turn it back on again.

Repeat this process for all of the entries in the “tree” of devices (including the wireless dongle itself).

Updating the Firmware with Linux

If you just happen to be running Fedora Core 26 (or possibly earlier although this is very new functionality), the firmware updates may have shown up automatically within GNOME Software where the operating system updates also show up :-

If you wish to do this the manual way, you can open up a terminal and running the following commands :-

$ sudo fwupdmgr refresh
$ sudo fwupdmgr update

With the exception of the diversion into geek-land, this is how firmware updates should be managed – one central place to get and apply updates without having to know that your mouse needs a firmware update.

Having said that, only two major manufacturers (Logitech and Dell) have currently signed up to this piece of Linux.

Posted in Technical | Tagged | Comments Off on Patching Your Mouse? Yes, Really!

Think Work, Think VPN

We are encouraging everyone who works remotely to immediately start up a VPN connection (to our VPN of course!) whenever they start working remotely. This is for a variety of reasons, but includes :-

  1. Any on site services that you might need for working are being made available only via the VPN. This includes some on site services that were previously more widely available.
  2. Any site where you might connect to Google service and/or UoP services may be compromised and your traffic would be visible to hackers. Using the VPN means all traffic is encrypted – a hacker will see that you are connecting to a UoP VPN but that is all. Without a VPN, any amount of additional information may be leaked – perhaps WordPress credentials to an official UoP blog site!
  3. By using the UoP VPN, all your traffic goes via our firewall which gives you an additional level of protection against malware that you are unlikely to find on the average cybercafe’s firewall (if they have one at all).

Apart from all those reasons, it is also sensible from a practicable point of view – if you immediately bring up the VPN when working, you won’t be slowed down when you need to use the VPN. Rather than trying to use an internal service, wait for an error to occur, and then remember that you need to use the VPN, it will just work.

The “Work Anywhere” articles for Personal Devices and UoP Laptops will give you directions to the relevant article on setting up the VPN.

Posted in General | Tagged , | Comments Off on Think Work, Think VPN

Updating Windows Servers

You might think it is easy to update Windows servers, but apparently that is not always the case. It is easy to simply “check for updates” when you first install a server, and then forget about it.

Which is the wrong thing to do.

The first thing to do is to make sure you are installing updates automatically :-

It may be that your server will eventually become something important enough that it will be sanctioned for manual patching during monthly maintenance windows; even so you should start with automatic patching and switching to manual patching is part of making the server “live”.

You can also alter the maintenance window, but the default option is usually sensible (03:00 nightly).

The next step is to configure Windows Update to check for updates to other Microsoft products which seems to require an Internet connection suitable for web browsing. If you are running a server on a server network (and you should be), then this requires the proxy to be configured :-

The address for the proxy server is “wwwcache.port.ac.uk” on port 81 (obviously only if you’re on campus). Once that is configured, you can click on the “Find Out More” link on the Windows Update settings page (this is shown at the bottom). This opens up a web browser that allows you to click on a license acceptance page before changing your server’s settings (and if you’re not somewhat taken aback by a web page being able to change your server settings, you’re not thinking “security first”).

The final step is really a warning about what happens when adding a role and/or features to Windows; there are usually updates to apply after that has happened. Below is a screenshot of the result of running “check for updates” after adding a role to a server :-

Before the new role was added, the same screen showed that it was fully patched!

There is a great deal more to updating Windows servers than this, but this should be sufficient to get started in a less than totally insecure way.

Posted in Technical | Tagged , , | Comments Off on Updating Windows Servers

The Ukranian Ransomware (Petya, NotPetya, WannaCry2)

Those keeping aware of the security scene may well have become aware of the latest ransomware worm hitting around the world. Various names have been associated with this outbreak, and the most readily identifiable name (Petya) is technically incorrect.

This is a classic ransomware infection with the added bonus of the ability to cross-infect machines on the local network using both the vulnerability that WannaCry exploited (“ETERNALBLUE”) and another Windows vulnerability that allows an attacker (or a piece of malware) to execute code on a target computer using compromised account credentials.

Once infected, the ransomware stays hidden whilst it starts encrypting files. This example also forces a reboot after an hour at which point it displays an information page :-

At this point it is too late (especially as the address wowsmith123456@posteo.net has been shut down). Paying to decrypt your files is unlikely to be effective (and is unethical).

Now for the good news :-

  • It appears that this spreads through local networks and not via the Internet.
  • It is probable that the initial infection occurs through a compromised update to a piece of Ukrainian tax software.

So in all likelihood, we are relatively safe from this infection.

However ransomware is incredibly disruptive when it performs a cross-infection like this or WannaCry and it seems likely that this kind of incident will be repeated. So we have to expect to be targeted in the future.

Whilst we already have protection in place, and will be looking to increase those protections, there are no guarantees that a widespread ransomware infection will not strike us.

For further information there are numerous sources of information – the first in the list are relatively light in terms of technical content :-

Posted in Active Attacks, Malware | Tagged , | Comments Off on The Ukranian Ransomware (Petya, NotPetya, WannaCry2)

WannaCrypt or the NHS Worm

As many of you will be aware, the NHS suffered from a mass outbreak of a ransomware worm last Friday which has since spread to many other organisations around the world. For more general information please see The Register’s article which is a good summary and links to more detailed works.

For various technical reasons we may be somewhat better protected than some organisations but it is also possible we may also fall victim to this. To help IS it would be helpful if you were to :-

  1. Be especially wary of unexpected mail attachments. The attack was alleged to have started with an emailed attachment. Even if the attack did not start via email, being wary is still good advice.
  2. Be especially wary of offers of protection. Even if they are from “Microsoft” (they likely are not). Scammers will use this opportunity to drag more money out of their victims.
  3. If you happen to be running an un-managed Windows system, please make sure that it is properly patched as soon as possible. In particular MS17-010 should be installed.
    1. In a small number of cases, managed Windows workstations may still be vulnerable if they have not been turned on and/or rebooted since the patch was released. Such machines should be rebooted as soon as possible.

How It Works

The initial infection will either occur via a malware infected email (once it is read or in some cases previewed), or via a vulnerability in the Windows file-sharing network protocol. There is currently no evidence to show that it started with a malware infected email (which we would normally expect at this stage), but neither is there evidence to show that it did not.

Once infected, the malware will try to encrypt files on all reachable drives and try to infect neighbouring machines using the previously mentioned Windows file-sharing vulnerability.

In circumstances where this vulnerability is very widespread, an entire organisation can be brought down.

The “Kill Switch”

The original malware would not try to infect a host if it successfully made a connection to a certain website address. This was an attempt at making it harder to analyse, but in this case failed.

A security researcher registered the relevant DNS domain so that connections were successful in what turned out to be an attempt to slow down the rate of infection.

However it may very well be the case that later versions of the malware have been released without the “kill switch”.

Posted in Active Attacks | Comments Off on WannaCrypt or the NHS Worm

Keeping Your Account Safe

We are seeing an increase in the number of compromised accounts due to various forms of attack, and decided to highlight some core protections for your account. If your account is compromised, you may find yourself locked out of the account at an inconvenient time (Google does this automatically), find yourself sending huge quantities of spam, or more serious repercussions.

So it is well worthwhile sticking to at least some but preferably all of the following safety tips :-

  1. Use a long and strong password for your account.
  2. Do not share passwords – neither with other people nor with other sites. Your ebay account should have a different password to your University account.
  3. Avoid using your University username on other sites. If one of the other sites is compromised and the account details leaked, it can look like your University account is also compromised.
  4. Enable two-factor authentication.
  5. Be wary of entering your account credentials into a web-based form. You of course need to authenticate to use Google (for example), but you need to be sure it is actually Google asking for authentication.
  6. Don’t follow email links and enter your account credentials. In fact be very careful about following links in email full stop. And yes that applies to trusted correspondents too – once someone has their account compromised, one of the first things to occur is the attacker will use their account to email a form to everyone asking them to login.
Posted in Active Attacks, Passwords | Comments Off on Keeping Your Account Safe

‘Phishing’ Emails With Your Home Address

This article is currently being drafted, and will be added to over time. In the meantime, Sophos have an article that goes into some detail about what is going on here. Some key points :-

  1. Don’t click on the encrypted attachment (named something.dot).
  2. Don’t decrypt the attachment.
  3. To the best of our knowledge, the personal data contained within the email is from web site data leaks – which web sites is unknown.

The email in question can be identified because it :-

  1. Contains your residential address.
  2. Has a password-protected (and encrypted) attachment and the email lets you know what that password is … very poor security.
  3. The language of the email is odd.

The attachment itself contains Word macros which (when enabled) in turn pulls down some malware to infect your computer.

Posted in Active Attacks, Email | Tagged | Comments Off on ‘Phishing’ Emails With Your Home Address

Is IS Aware Of What Password You Have?

One of the more interesting questions that arose from the recent password audit is whether IS is aware of account passwords – i.e. do we know your password.

The short answer to that is: No, but with a caveat.

First of all, only one person in IS has any authorised access at all to any disclosed passwords. The password auditor (that’s me).

Secondly, only weak passwords are available. Strong passwords – those passwords that cannot be “cracked” within a reasonable time-frame – are not available.

Finally, I don’t want access to the passwords, so although I have theoretical access to the weak account passwords I make sure that the association between usernames and passwords is broken very quickly – I may know that “fred” has a weak password but not what password it is, and I may know that X is a widely used password, but I don’t know who uses that password.

Posted in Passwords | Comments Off on Is IS Aware Of What Password You Have?

How SHA-1 Is Broken

(This gets very esoteric very quickly)

Those of you paying attention may have realised that very recently (January this year), browsers started complaining about security when connecting to sites whose SSL certificates used the SHA-1 hashing algorithm within the certificate. This was due to a theoretical weakness in the algorithm known about as far back as 2005.

What has changed since then is that Google researchers have now demonstrated the attack, and whilst it is not practicable (with the possible exception of nation state attackers), it is now well past time that SHA-1 was gracefully retired. Especially when you consider that a methodology that is not sensibly practicable today may well be usable in 5-10 years.

SHA-1 is a cryptographic hashing algorithm whereby any individual lump of data can be uniquely expressed with a single hash and no other lump of data can share that hash value. Or more precisely it is difficult to generate a collision whereby two lumps of data hash to the same value. If you run a SHA-1 tool against a file, it should return a unique value unless the file is identical :-

The first command shows incorrect behaviour whereby two different files result in identical hash values; the second command shows the correct behaviour demonstrating that the files contain different contents.

In practice, an attacker would have to produce a lump of data that generates the same SHA-1 hash value as a the lump of data that she wanted to ‘impersonate’, which has not been demonstrated. Google’s researchers have simply generated two lumps of data which generate the same SHA-1 hash value … which is somewhat easier.

Cryptographic hash functions are used as a building block to build secure cryptography, and using a weak hashing algorithm will fundamentally result in less secure cryptography.

Posted in Technical | Tagged , , | Comments Off on How SHA-1 Is Broken

Phishing: What To Do In The Aftermath

In the event that you have given away your account details in response to a phishing attack, and either discovered yourself that your account is compromised or you have been told so by IS, then there are some steps to take in the aftermath :-

  1. Change your password to one that is long and strong.
  2. Turn on “two factor” authentication.
  3. Check the signature set for your account; phishers are known to have set inappropriate signatures to be attached to all outgoing emails. The quick check? Send a quick email to your personal email address and check what the signature says.
  4. Check the “rules” for incoming email messages to make sure nothing has been added. Phishers have been known to set up new rules to delete all incoming messages.

 

Posted in Email, Passwords | Comments Off on Phishing: What To Do In The Aftermath