::Trend Micro Threat Resource Center::

28 November 2015

Dell's Laptops are Infected with 'Superfish-Like' pre-installed Malware


Similar to the Superfish malware that surrounded Lenovo laptops in February, another big computer manufacturer, Dell, has been spotted selling PCs and laptops pre-installed with a rogue SSL certificate that could allow attackers:

  • To impersonate any HTTPS-protected website and spy on users while they bank or shop online.

The rogue certificate, dubbed eDellRoot, was first discovered over the weekend by a software programmer named Joe Nord. The certificate is so creepy that it automatically re-installs itself even when removed from the Windows operating system.

Superfish 2.0: Unkillable Zombie
The self-signed transport layer security (TLS) credential came pre-installed as a root certificate on Dell PCs and laptops, and every affected machine carries the same private cryptographic key, which is stored locally.
That means an attacker with moderate technical skills can extract the key and abuse it to sign forged TLS certificates for any HTTPS-protected site on the Internet, exposing users to all manner of SSL attacks.

The certificate key can be used to conduct man-in-the-middle (MITM) attacks on Dell owners, silently stealing user names, passwords, session cookies, and other sensitive information when the affected Dell machines are connected to malicious Wi-Fi hotspots in cafes, hospitals or airports.

The problem is similar to the scandal that hit Lenovo in February when the PC manufacturer was caught pre-installing an invasive adware program called Superfish with a similar self-signed cert to inject third-party advertisements into websites on browsers.

Although Dell's case is different as there is no indication that the certificate is being used to inject advertisements on the laptops, the resulting security issue is the same.

Affected PCs and Laptops
The self-signed certificate key was discovered to be pre-installed as a root certificate on at least three Dell laptop models:

  • Dell Inspiron 5000 series notebook
  • Dell XPS 15
  • Dell XPS 13

This indicates that the dangerous certificate may be present on a significant number of the Dell desktops and laptops currently on the market, specifically recent Dell Inspiron Desktop, XPS, and Precision M4800 and Latitude models.

To Check if Your Computer is Vulnerable
To discover the dangerous certificate:

  • Open up the Start menu
  • Select Run
  • Type certmgr.msc – the Windows certificate manager – into the box and hit Enter
  • Open up the Trusted Root Certification Authority folder on the left
  • Select Certificates
  • Search for eDellRoot

Once found, right-click over eDellRoot and hit "Remove." It appears to be gone, but actually it's not.

Reboot your computer and reopen certmgr.msc and search for the certificate "eDellRoot". Yeah, the removed root CA cert is back.

What Should You do? How to Remove?
It seems that even though the certificate is clearly fraudulent, the Google Chrome, Microsoft Edge and Internet Explorer browsers always establish an encrypted Web session with no warnings, because they rely on the Windows certificate store that contains eDellRoot.

Fortunately, Mozilla's Firefox web browser, which ships its own certificate store, generates an alert warning that the certificate is not trusted.

So, Dell customers with new XPS, Precision, and Inspiron models are advised to use Firefox to browse the web.

To fix the issue completely, Dell users will need to manually revoke the certificate permissions, which is a complex and technically demanding task.

Moreover, security researcher Darren Kemp from Duo Security says that the problem may be even worse than what Nord suggested.

According to an analysis done by Kemp, a bundled plugin re-installs the root CA file when it is removed. So, to remove the eDellRoot certificate completely, you must:

  • First delete Dell.Foundation.Agent.Plugins.eDell.dll from your system
  • Then remove the eDellRoot root CA certificate
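The check and the two-step removal above can be scripted for a fleet rather than clicked through in certmgr.msc. The audit below is an added example, not Dell's code or code from the article: it enumerates the Windows ROOT store with the standard library's `ssl.enum_certificates`, flags any certificate whose DER encoding carries the subject name eDellRoot (taken from the article), and searches for the re-installing plugin Dell.Foundation.Agent.Plugins.eDell.dll (also from the article). The directories it walks to find that DLL are an assumption; the article does not give its location.

```python
"""Audit a Windows host for the eDellRoot root CA and the plugin that re-installs it.

Added example, not Dell's or the article's code. Assumptions: the rogue
certificate is identified by the subject name "eDellRoot" and the plugin
file name comes from the article; the directories searched for the plugin
are a guess at where a vendor agent would live.
"""
import hashlib
import os
import platform
import sys
from typing import Iterable, List, Tuple

ROGUE_NAME = b"eDellRoot"                                # subject CN from the article
PLUGIN_DLL = "Dell.Foundation.Agent.Plugins.eDell.dll"   # file name from the article


def flag_certs(der_certs: Iterable[bytes], name: bytes = ROGUE_NAME) -> List[Tuple[str, int]]:
    """Return (sha1_fingerprint_hex, der_length) for each certificate containing `name`.

    X.509 subject names are stored as ASCII-compatible strings inside the DER
    encoding, so a byte search is a cheap, dependency-free way to spot the
    certificate. Confirm a hit by comparing the fingerprint in certmgr.msc.
    """
    hits = []
    for der in der_certs:
        if name in der:
            hits.append((hashlib.sha1(der).hexdigest(), len(der)))
    return hits


def windows_root_store() -> List[bytes]:
    """DER certificates from the Windows ROOT (Trusted Root CA) store. Windows only."""
    import ssl  # ssl.enum_certificates is only provided on Windows builds
    return [cert for cert, encoding, _trust in ssl.enum_certificates("ROOT")
            if encoding == "x509_asn"]


def find_plugin(search_roots: Iterable[str], name: str = PLUGIN_DLL) -> List[str]:
    """Walk each existing directory in `search_roots`; return paths whose file name is `name`."""
    found = []
    for root in search_roots:
        if not root or not os.path.isdir(root):
            continue
        for dirpath, _dirs, files in os.walk(root):
            for f in files:
                if f.lower() == name.lower():
                    found.append(os.path.join(dirpath, f))
    return found


def audit() -> int:
    """Print findings; exit status 1 if the certificate or the plugin is present."""
    if platform.system() != "Windows":
        print("This audit reads the Windows certificate store; run it on the Dell machine.")
        return 2
    # Assumed search locations for the vendor plugin (not stated in the article).
    roots = [os.environ.get("ProgramFiles"), os.environ.get("ProgramFiles(x86)"),
             os.environ.get("ProgramData")]
    cert_hits = flag_certs(windows_root_store())
    dll_hits = find_plugin(roots)
    for fp, size in cert_hits:
        print(f"ROOT store contains eDellRoot: sha1={fp} ({size} bytes)")
    for path in dll_hits:
        print(f"re-installing plugin present: {path}  (delete this before removing the cert)")
    if not cert_hits and not dll_hits:
        print("no eDellRoot certificate or plugin found")
    return 1 if (cert_hits or dll_hits) else 0


if __name__ == "__main__":
    sys.exit(audit())
```

Run it before and after the two removal steps: the plugin path must disappear first, then the certificate, and a clean second run after a reboot confirms the certificate has not come back. `flag_certs` and `find_plugin` are pure functions, so the same matching logic can be dropped into an endpoint-management script that feeds it certificates exported by other means.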

Dell's Response
In a statement, a Dell spokesperson said the company is investigating the report and looking into the certificate, but emphasized the company’s policy of minimizing pre-loaded software for security reasons.

"Customer security and privacy is a top concern for Dell," the spokesperson said. "We've a team investigating the current [issue] and will update you as soon as we have more information."

27 November 2015

Node.js discloses two critical security vulnerabilities

Node.js is facing two security vulnerabilities, including a potentially major denial-of-service issue, with patches for the problems not available for a week. Releases of Node.js ranging from 0.12 to version 5 are vulnerable to one or both issues.


A bulletin issued today by the Node.js Foundation, which has jurisdiction over the popular server-side JavaScript platform, covers "a high-impact denial-of-service vulnerability" and a "low-impact V8 out-of-bounds access vulnerability." V8 is the Google-developed JavaScript engine leveraged by Node.js. Officially, the DoS issue is labeled as CVE (Common Vulnerabilities and Exposures) 2015-8027, while the access problem is identified as CVE-2015-6764.

"We have two previously undisclosed vulnerabilities. One's not that a big deal [the out-of-bound access issue], one's a slightly bigger deal," said Mikeal Rogers, community manager for the foundation. "Both will be fixed on Wednesday (December 2)" via patches that will be available at Nodejs.org. Rogers said these vulnerabilities had not been exploited.

The bulletin describes the DoS vulnerability as widespread among Node versions. "A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high, and users of the affected versions should plan to upgrade when a fix is made available."

The out-of-bounds vulnerability description is less dire. "An additional bug exists in Node.js, all versions of v4.x and v5.x, whereby an attacker may be able to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application. The severity of this issue is considered medium for Node.js users, but only under circumstances where an attacker may cause user-supplied JavaScript to be executed within a Node.js application. Fixes will be shipped for the v4.x and v5.x release lines along with fixes for CVE-2015-8027." The 0.10.x and 0.12.x lines are not affected.

Despite the seriousness of the security issues, Node representatives stressed that users shouldn't be worried. The threat to the community is "minimal," Rogers said. "In fact, we already have fixes for both. It is a routine part of our security policy, which we take seriously, to inform our community of vulnerabilities, and then give them time to plan for an upgrade."

Rogers said Node.js security is under more scrutiny since the formation of the foundation, which is affiliated with the Linux Foundation. "We have much more formal and proper security policy now."

26 November 2015

Chinese cybercriminal underground thriving more than ever


By the end of 2013, the Chinese cybercrime underground was a very busy economy, with peddled wares that targeted not only PCs but mobile devices as well, making mobile its most prolific segment, according to Trend Micro’s report entitled “Prototype Nation: The Chinese Cybercriminal Underground in 2015.”

The report also saw cybercriminals abusing popular Web services such as the instant-messaging (IM) app QQ to communicate with peers.

Today, the Chinese underground is thriving more than ever. Data (either leaked or stolen) are now being traded along with prototypes and new functional hardware, like point-of-sales (PoS) and automated teller machine (ATM) skimmers.

Tampered PoS devices are sold to resellers who may or may not know that these devices are rigged. Some PoS skimmers come with an SMS-notification feature that allows the cybercriminal to access the stolen data remotely every time the device is used.

Commonly sold on B2B websites, ATM skimmers are fraud-enabling devices that allow fraudsters to carry out bank fraud and actual theft. The devices have keypad overlays that are used to steal victims’ PINs.

Pocket skimmers are also widely used. These small, unnoticeable magnetic card readers can store track data of up to 2,048 payment cards. They do not need to be physically connected to a computer or a power supply to work. All captured data can be downloaded onto a connected computer.

24 November 2015

Singapore's infosec professionals rate cybersecurity readiness a 'C minus'


The world’s information security practitioners have given global cybersecurity readiness a “C” average with an overall score of 76 percent, according to the 2016 Global Cybersecurity Assurance Report Card released by Tenable Network Security, Inc.

Singapore, the only Asian country included in the report which focused on 6 countries, ranked 4th and received a C-.

According to survey data, global cybersecurity earned an overall score of 76 percent—an underwhelming “C” average. Nearly 40 percent of respondents said they feel “about the same” or “more pessimistic” about their organizations’ ability to defend against cyber attacks compared to last year.

When asked about the biggest challenges facing them today, the practitioners cited an overwhelming threat environment as the biggest challenge, while reporting relative confidence in the effectiveness of cybersecurity products.

“What this tells me is that while security innovations solve specific new challenges, practitioners are struggling to effectively deploy an overarching security strategy without gaps between defenses,” said Ron Gula, CEO, Tenable Network Security. “It’s no surprise that many in the profession feel overwhelmed by the increasingly complex threat environment. The recent, unprecedented cyberattacks have disrupted business for leading global companies, infiltrated governments and shaken confidence among security practitioners. With so much at stake, organizations need to know whether their security programs are effective or if they are falling short.”

Cloud days ahead
Respondents consistently cited cloud applications (graded D+) and cloud infrastructure (D-) as two of the three most challenging IT components for assessing cybersecurity risks.

Mobile devices (D) also were reported as particularly challenging when assessing cyber risks. The inability to even detect transient mobile devices in the first place (C) was another big challenge for the world’s security practitioners.

On the upside, respondents largely believe they have the tools in place to measure overall security effectiveness (B-) and to convey security risks to executives and board members. On the downside, respondents question whether their executives and board members fully understand those security risks (C+) and are investing enough to mitigate them (C).

Overall Cybersecurity Assurance Report Cards by Country

  •     Australia: D+ (69 percent)
  •     Canada: C+ (77 percent)
  •     Germany: C- (72 percent)
  •     Singapore: C- (72 percent)
  •     United Kingdom: C (74 percent)
  •     United States: B- (80 percent)

Overall Cybersecurity Assurance Report Cards by Industry

  •     Education: D (64 percent)
  •     Financial Services: B- (81 percent)
  •     Government: D (66 percent)
  •     Health Care: C (73 percent)
  •     Manufacturing: C (76 percent)
  •     Retail: C+ (77 percent)
  •     Telecom & Technology: B- (81 percent)

“These index scores reflect a startling lack of ability to detect and assess cyber risk in both cloud infrastructure and applications as well as mobile devices,” said Gula. “Another concern is the uphill battle security professionals face in mobilizing their organizations’ leadership to prioritize security. There’s a disconnect between the CISO and the boardroom that must be bridged before real progress can be made.”

23 November 2015

Many embedded devices ship without adequate security tests

An analysis of hundreds of publicly available firmware images for routers, DSL modems, VoIP phones, IP cameras and other embedded devices uncovered high-risk vulnerabilities in a significant number of them, pointing to poor security testing by manufacturers.


The study was performed by researchers from the Eurecom research center in France and Ruhr-University Bochum in Germany, who built an automated platform capable of unpacking firmware images, running them in an emulated environment and starting the embedded Web servers that host their management interfaces.

The researchers started out with a collection of 1,925 Linux-based firmware images for embedded devices from 54 manufacturers, but they only managed to start the Web server on 246 of them. They believe that with additional work and tweaks to their platform that number could increase.

The goal was to perform dynamic vulnerability analysis on the firmware packages' Web-based management interfaces using open-source penetration testing tools. This resulted in 225 high-impact vulnerabilities being found in 46 of the tested firmware images.

A separate test involved extracting the Web interface code and hosting it on a generic server so it could be tested for flaws without emulating the actual firmware environment. This test had drawbacks, but was successful for 515 firmware packages and resulted in security flaws being found in 307 of them.

The researchers also performed a static analysis with another open-source tool against PHP code extracted from device firmware images, resulting in another 9046 vulnerabilities being found in 145 firmware images.

In total, using both static and dynamic analysis the researchers found important vulnerabilities like command execution, SQL injection and cross-site scripting in the Web-based management interfaces of 185 unique firmware packages, affecting devices from a quarter of the 54 manufacturers.

The researchers focused their efforts on developing a reliable method for automated testing of firmware packages without having access to the corresponding physical devices, rather than on the thoroughness of the vulnerability scanning itself. They didn't perform manual code reviews, use a large variety of scanning tools or test for advanced logic flaws.

This means that the issues they found were really the low-hanging fruit -- the flaws that should have been easy to find during any standard security testing. This raises the question: why weren't they discovered and patched by the manufacturers themselves?

It would appear that the affected vendors either didn't subject their code to security testing at all, or if they did, the quality of the testing was very poor, said Andrei Costin, one of the researchers behind the study.

Costin presented the team's findings at the DefCamp security conference in Bucharest on Thursday. It was actually the second test performed on firmware images on a larger scale. Last year, some of the same researchers developed methods to automatically find backdoors and encryption issues in a large number of firmware packages.

Some of the firmware versions in their latest dataset were not the latest ones, so not all of the discovered issues were zero-day vulnerabilities -- flaws that were previously unknown and are unpatched. However, their impact is still potentially large, because most users rarely update the firmware on their embedded devices.

At DefCamp, attendees were also invited to try to hack four Internet-of-Things devices as part of the on-site IoT Village. The contestants found two critical vulnerabilities in a smart video-enabled doorbell that could be exploited to gain full control over the device. The doorbell also had the option to control a smart door lock.

A high-end D-Link router was also compromised through a vulnerability in the firmware version that the manufacturer shipped with the device. The flaw was actually known and has been patched in a newer firmware version, but the router doesn't alert users to update the firmware.

Finally, the participants also found a lower-impact vulnerability in a router from Mikrotik. The only device that survived unscathed was a Nest Cam.

Details about the vulnerabilities have not yet been shared publicly because the IoT Village organizers, from security firm Bitdefender, intend to report them to the affected vendors first so they can be patched.

17 November 2015

Most Small UK Businesses Have No Security Oversight

Smaller UK businesses typically don’t assign an employee to be responsible for information security education and implementation—and are becoming fraud victims as a result.


As detailed in its State of the Industry report, appropriately-named information destruction expert Shred-it has found that nearly half (46%) of small business owners have no employee responsible for managing data security issues internally. Even more concerning, more than a quarter (27%) of small businesses do not have information security policies and procedures in place at all.

And, a third of those who do have policies in place admit to never training their employees on their protocols.

If data security is not made a priority, businesses are left exposed to data breaches, fraud, heavy legal fines from the Information Commissioner’s Office (ICO) and other regulatory bodies, and loss of customers and business partners—all of which can cause irreversible damage.

Since April 2010, the ICO has issued over £7 million worth of fines to organizations that have experienced a data breach. Despite such high figures and the irreversible damage to a company’s reputation as a result of a breach, businesses are still not doing enough when it comes to data security, the report concluded.

In addition to appointing a data protection officer, companies can reduce the risk of workplace fraud by implementing a few best practices. For instance, surprise audits: Conduct unscheduled workplace audits to assess how employees process, store and destroy confidential information.

Frequent training on the risks of fraud and how to prevent it is also important, along with education about vulnerable areas in which to avoid leaving confidential information in the office and off-site.

Shred-it is also calling on the UK government to implement legislation to ensure all businesses have a dedicated employee responsible for raising awareness of the importance of data security, understanding changes to legislation and enforcing data security procedures in the workplace.

“There is a strong correlation between data security practices and data breaches. Introducing legislation which mandates an employee specifically responsible for raising awareness of data security in the workplace and implementing a ‘culture of security’, will help protect businesses  against fraud and help them avoid financial or legal penalties,” said Robert Guice, SVP, EMEA, Shred-it.

To ensure all companies in the UK follow similar standards in data protection compliance, Shred-it has also urged the government to introduce legislation which ensures organizations have dedicated employees responsible for managing and monitoring data security issues on a day-to-day basis.

13 November 2015

The longest continuous attack recorded by Kaspersky Lab lasted almost two weeks


The longest continuous attack recorded by Kaspersky Lab in the third quarter of 2015 lasted for 320 hours, or almost two weeks. This is one of the findings of the new quarterly DDoS report, based on constant monitoring of botnets and observing new techniques utilised by cybercriminals.

The Q3 report shows that DDoS attacks remain highly localised. 91.6% of victims’ resources are located in only 10 countries around the world, although we have recorded DDoS attacks targeting servers in 79 countries total. What is even more significant is that DDoS attacks are most likely to originate from the same countries.

China, the United States of America and South Korea occupied top positions in both ratings of the most frequent attack sources and targets. Although other cybercrime syndicates, focusing on things like credit card theft, may operate far from their country of residence, this is not the case for DDoS.

More than 90% of attacks lasted less than 24 hours but the number of attacks lasting over 150 hours grows significantly. The highest number of attacks on the same victim was 22, on a server located in The Netherlands.

The report also showed that Linux-based botnets are significant, accounting for up to 45.6% of all attacks recorded by Kaspersky Lab. Main reasons include poor protection and higher bandwidth capacity.

“Based on our observations and direct measurements, we cannot pinpoint one exact direction in which the underground business of DDoS attacks is moving," commented Evgeny Vigovsky, Head of Kaspersky DDoS Protection, Kaspersky Lab.

"Instead, the threat appears to be growing everywhere. We have recorded highly complex attacks on banks, demanding a ransom, but have also observed new, low-cost methods designed to put a company’s operations down for a significant amount of time. Attacks are growing in volume with most of them aiming to attack, disrupt and disappear, but the number of lengthy attacks, capable of bankrupting a large, unprotected business is also on the rise. These significant developments make it imperative for companies to take measures to prevent the very real threat and increased risk posed by DDoS attacks.”

The study also found that cybercriminals go on vacation too, just like regular people, with August the quietest month of the quarter for attacks. Meanwhile, banks are frequent targets of complex attacks and ransom demands.


04 November 2015

Backdoor in Baidu Android SDK Puts 100 Million Devices at Risk

Baidu, China's Google-like search engine, is offering a software development kit (SDK) that contains functionality that can be abused to give backdoor-like access to a user's device, potentially exposing around 100 million Android users to malicious hackers.


The SDK in question is Moplus, which may not be directly available to the public but has already made its way into more than 14,000 Android apps, of which around 4,000 are actually created by Baidu.

Overall, more than 100 Million Android users, who have downloaded these apps on their smartphones, are in danger.

Security researchers from Trend Micro have discovered a vulnerability in the Moplus SDK, called Wormhole, that allows attackers to launch an unsecured and unauthenticated HTTP server connection on affected devices, which works silently in the background, without the user's knowledge.

This unsecured server does not use authentication and accepts requests from anyone on the Internet, so an attacker who sends requests to a particular port on this hidden HTTP server can execute malicious commands.

Malicious Functionalities of Wormhole
Currently, the researchers have identified that the SDK uses port 6259 or 40310 to perform malicious activities on affected Android devices, which include:

  •     Send SMS messages
  •     Make phone calls
  •     Get mobile phone details
  •     Add new contacts
  •     Get a list of local apps
  •     Download files on the device
  •     Upload files from the device
  •     Silently install other apps (if the phone is rooted)
  •     Push Web pages
  •     Get phone's geo-location, and many more

Since the SDK automatically installs the Web server when a Moplus SDK app is opened, hackers just need to scan a mobile network for port 6259 or 40310, thereby finding vulnerable devices they can abuse.

Wormhole is More Dangerous than Stagefright
The vulnerability, according to researchers, is potentially easier to exploit than the Stagefright flaw, as Wormhole doesn't require social engineering to infect an unsuspecting user.

Trend Micro has also found at least one malware strain (detected as ANDROIDOS_WORMHOLE.HRXA) in the wild that takes advantage of Wormhole in Moplus SDK.

Researchers informed both Baidu as well as Google of the vulnerability.

As a result, Baidu has just pushed a partial fix for the problem by releasing a new version of the SDK that removed some of the SDK's functionality, but not all. The HTTP server remains online and active; however, Baidu assured its users that no backdoor exists now.

This isn't the first time a Chinese company has been caught distributing a malicious SDK. Just a few days ago, the Taomike SDK – one of the biggest mobile ad solutions in China – was caught secretly spying on users' SMS messages and uploading them to a server in China.

The same malicious functionality was also discovered two weeks earlier in another SDK, developed by Youmi, that affected 256 iOS apps, which were caught using private APIs to collect users' private data. Apple eventually banned those apps from its App Store.

02 November 2015

Akamai warns of 3 new reflection DDoS attacks

Akamai Technologies, Inc. says it has observed three new reflection distributed denial of service (DDoS) attacks in recent months. An advisory from Akamai details the DDoS threat posed by NetBIOS name server reflection, RPC portmap reflection, and Sentinel reflection in full, including payload analysis, a Snort rule, and system hardening best practices.


What is DDoS reflection?
In a reflection DDoS attack, also called a DrDoS attack, there are three types of participants: the attacker, victim servers that act as unwitting accomplices, and the attacker’s target. The attacker sends a simple query to a service on a victim host. The attacker falsifies (spoofs) the query's source address, so it appears to originate from the target. The victim responds to the spoofed address, sending unwanted network traffic to the attacker’s target. Attackers choose reflection DDoS attacks where the victim’s response is much larger than the attacker’s query, thus amplifying the attacker’s capabilities. By automating the process with an attack tool, the attacker sends hundreds or thousands of queries at high rates to a large list of victims, causing them to unleash a flood of unwanted traffic and a denial of service outage at the target.
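From the target's side the tell-tale signature of the exchange described above is a stream of UDP responses arriving from the service port of many different hosts that the target never queried. The script below is an added example, not part of Akamai's advisory: it walks constructed flow records, discards responses that match an outbound query from our side, groups the rest by reflector service port and raises an alert when responses come from enough distinct reflectors. The reflector ports used (UDP 137 for the NetBIOS name service, UDP 111 for RPC portmap) are standard assignments; the alert threshold and the sample flows are constructed for illustration, and the Sentinel service is left out because the article does not name its port.

```python
"""Detect inbound UDP reflection floods in flow records and compute amplification.

Added example, not from Akamai's advisory. Reflector service ports are the
standard NetBIOS-NS (137) and RPC portmap (111) assignments; the detection
threshold and the sample flows are constructed for this illustration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

REFLECTOR_PORTS = {137: "NetBIOS-NS", 111: "RPC portmap"}


class Flow(NamedTuple):
    direction: str   # "in" = toward our network, "out" = leaving our network
    proto: str       # "udp" or "tcp"
    peer_ip: str     # the external host
    peer_port: int   # the external host's port (service port for a reflector)
    local_port: int  # our port (the port the attacker spoofed in the query)
    packets: int
    bytes: int


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes the reflector sends per byte the attacker spent on the query."""
    return round(response_bytes / request_bytes, 2)


def detect_reflection(flows: List[Flow], min_reflectors: int = 3) -> Dict[str, dict]:
    """Group unsolicited inbound UDP traffic by reflector service and flag floods.

    A response is 'solicited' if our side sent a UDP query to that host and port;
    anything else arriving from a known reflector port is attributed to spoofed
    queries. Returns {service_name: summary} for services over the threshold.
    """
    queried = {(f.peer_ip, f.peer_port) for f in flows
               if f.direction == "out" and f.proto == "udp"}
    stats = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.direction != "in" or f.proto != "udp" or f.peer_port not in REFLECTOR_PORTS:
            continue
        if (f.peer_ip, f.peer_port) in queried:
            continue  # we asked for this response; not reflection
        s = stats[f.peer_port]
        s["reflectors"].add(f.peer_ip)
        s["bytes"] += f.bytes
        s["packets"] += f.packets
    alerts = {}
    for port, s in stats.items():
        if len(s["reflectors"]) >= min_reflectors:
            alerts[REFLECTOR_PORTS[port]] = {
                "port": port,
                "reflectors": len(s["reflectors"]),
                "bytes": s["bytes"],
                "avg_pkt_bytes": s["bytes"] // s["packets"],
            }
    return alerts


# Constructed sample: three NBNS reflectors hammering our port 80, plus one
# portmap exchange that our own host initiated (a legitimate lookup).
SAMPLE_FLOWS = [
    Flow("in", "udp", "198.51.100.10", 137, 80, 400, 120000),
    Flow("in", "udp", "198.51.100.11", 137, 80, 300, 90000),
    Flow("in", "udp", "198.51.100.12", 137, 80, 500, 150000),
    Flow("out", "udp", "203.0.113.5", 111, 41234, 1, 68),
    Flow("in", "udp", "203.0.113.5", 111, 41234, 1, 656),
    Flow("in", "udp", "203.0.113.9", 53, 33000, 2, 400),   # not a tracked reflector port
]

if __name__ == "__main__":
    for service, summary in detect_reflection(SAMPLE_FLOWS).items():
        print(f"{service}: {summary}")
    # Amplification figures from the article, reproduced with the formula above.
    print("NetBIOS-NS upper bound:", amplification_factor(100, 385))
    print("portmap largest:", amplification_factor(100, 5053))
```

The legitimate portmap lookup is silently dropped because the outbound query pairs with the response, which is the main source of false positives when this logic is run over real flow exports. Because the queries are spoofed, the reflectors in the alert are victims too, so the useful follow-up is filtering the service port upstream and reporting the reflector addresses to their operators rather than blocking them as attackers.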

“Although reflection DDoS attacks are common, these three attack vectors abuse different services than we’ve seen before, and as such they demonstrate that attackers are probing the Internet relentlessly to discover new resources to leverage,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “It looks like no UDP service is safe from abuse by DDoS attackers, so server admins need to shut down unnecessary services or protect them from malicious reflection. The sheer volume of UDP services open to the Internet for reflection DDoS attacks is staggering.”

The attack tools for each of the new reflection attacks are related – they are all modifications of the same C code. Each attack vector requires the same basic recipe – a script that sends a spoofed request to a list of victim reflectors. The command-line options are similar.

NetBIOS name server reflection DDoS attack
The NetBIOS reflection DDoS attack – specifically NetBIOS Name Service (NBNS) reflection – was observed by Akamai as occurring sporadically from March to July 2015. The primary purpose of NetBIOS is to allow applications on separate computers to communicate and establish sessions to access shared resources and to find each other over a local area network.

This attack generates 2.56 to 3.85 times more response traffic sent to the target than the initial queries sent by the attacker. Akamai observed four NetBIOS name server reflection attacks, with the largest recorded at 15.7 Gbps. Although legitimate and malicious NetBIOS name server queries are a common occurrence, a response flood was first detected in March 2015 during a DDoS attack mitigated for an Akamai customer.

RPC portmap reflection DDoS attack
The first RPC portmap reflection DDoS attack observed and mitigated by Akamai occurred in August 2015 in a multi-vector DDoS attack campaign. RPC portmap, also known as port mapper, tells a client how to call a particular version of an Open Network Computing Remote Procedure Call (ONC RPC) service.

The largest responses had an amplification factor of 50.53. A more common amplification factor was 9.65. Of the four RPC reflection attack campaigns mitigated by Akamai, one exceeded 100 Gbps, making it an extremely powerful attack. Active malicious reflection requests were observed by Akamai almost daily against various targets in September 2015.