On Friday, the DHS took another step forward[news.com] in their drive to increase the reliability of state drivers’ licenses by releasing their “Final Rule,”[dhs.gov] of minimum standards for compliance. These changes are required by the REAL ID Act of 2005 and have been a source of controversy in the security and civil-rights communities. Additionally, some states have passed legislation rejecting REAL ID.
GNUCitizen[gnucitizen.org] has released details of a new attack[gnucitizen.org] on UPnP-enabled home routers that can be perpetrated by a Flash object running on the browser of any user. I haven’t tested this, but it looks like it should work even if executed under a non-privileged account. (You do use non-privileged accounts, right?) It should work because this attack vector doesn’t do anything particularly suspicious, and certainly not something that would require administrator privileges. There are several very bad results from this attack, but a worst-case scenario is described in the details published on GNUCitizen’s website:
The most malicious of all malicious things is to change the primary DNS server. That will effectively turn the router and the network it controls into a zombie which the attacker can take advantage of whenever they feel like it. It is also possible to reset the admin credentials and create the sort of onion routing network all the bad guys want.
That would suck.
What’s interesting here is that this is not a vulnerability in UPnP itself. A pre-existing web session with the home router is a prerequisite for this attack to occur. However, GNUCitizen has several other discussions which show that a simple XSS attack is all that is needed to establish the prerequisite. So this is an attack vector that is opened by another exploit entirely!
The AP has released a story [FOXNews.com] detailing that a New Jersey company which provides accounting software to the adult-entertainment industry has been hacked. The software apparently tracks referrals from one website to another and determines how much each website owner is supposed to be paid based on those referrals. The breach allowed the attackers to obtain the subscriber lists of several adult websites. Those subscribers are now being spammed with targeted adult advertisements from competitor websites. The greatest quote from the article from the owner of several adult websites: “There’s a loss, in my opinion, of user confidence.”
Did anyone notice this story on SecurityFocus? It’s an article discribing a series of attempted malware infections that were first reported by the SANS Internet Storm Center over Christmas. Apparently, three people reported buying digital picture frames made by the same manufacturer from three different Sam’s Club stores. When plugged into a computer, the malware on the picture frames attempted to perform various nasty things.
This type of threat is likely to increase as more and more devices become digitally aware. Your best bet for protecting yourself is to disable the autorun feature in Windows. That way you can scan and examine the devices you attach to your computer before the malware they may be hosting has an opportunity to become a part of your digital life.
Comcast is unveiling a new cable Internet standard today at CES. The new standard is DOCSIS 3.0, and promises to allow download speeds of 150Mbps. That’s faster than the 100Mbps most home-user network interface cards currently support. Comcast believes they will have the technology available to millions of homes in 2009.
In other news, dozens of RIAA and MPAA execs have been found cowering in the fetal position in the corner of their offices…
