Skip to content

Firewalls

Updated! Vulnerability in Cyberoam appliance

1) Stay on Version 10.6.5 – In our testing of Version 10.6.6. of CROS (Cyberoam Firmware), we discovered a bug that causes blocking of certain web content. We request customers stay on 10.6.5 until this is fixed.

2)To get patched for the SQL Vulnerability simply make sure that “Allow Over-the-air Hotfix” option is enabled on Cyberoam device as shown in the image below. Devices that already have this option enabled will automatically fetch the fix and remain protected.

Click here for larger image in browser

(System>Maintenance>Updates and then check the “Allow Over-the-air Hotfix Box)

To see if you are patched, You can login to the SSH/telnet console session of the unit and execute following command to check Hot Fix version:

console> cyberoam diagnostics show version-info

The Hot Fix version should be displayed as 1 or higher.

 

——–
Full Knowledge-base Article:
here

——
Other news
– Over the next two weeks we will be updating our store site for Fortinet & Meraki. Other updates after these.

Our Blog Site: Here

Contact US

 

Vulnerability Affecting Cyberoam Appliances

A SQL injection vulnerability has been discovered in Cyberoam appliances running the Cyberoam operating system (CROS) that allows for unauthenticated remote code execution.

A small percentage of appliances have been impacted by a cryptominer that consumed CPU cycles, and our investigations have found no evidence that any data has been compromised or exfiltrated from those appliances.

For customers running CROS version 10.6.1 and above that use the default setting of automatic updates, the hotfix was automatically installed, and there is no action required. Customers who have changed their default settings will need to apply the update manually.
Remediation

CROS Version

Patch Distributed

Version 10.6.3 and above

December 7, 2017

Version 10.6.1, 10.6.2.x

December 8, 2017

All versions prior to 10.6.1

Upgrade to current CROS version

 
Full Knowledge-base Article here

FireEye pulls Equifax boasts as it tries to handle hack fallout

Oh well, we all new FireEye was more bluster than solid security

Quote

“Brandan Schondorfer of Mandiant registered the domain Equihax.com on Tuesday (5 September), two days before the breach was publicly disclosed”

FireEye removed an Equifax case study* from its website in response to a recently disclosed mega-breach at the credit reference agency.

Equifax’s endorsement that FireEye’s tech protected it against zero-day and targeted attacks had more than the whiff of hubris about it once it emerged hackers had successfully pwned the credit reference agency’s systems and accessed all manner of sensitive information.

..

Equifax has reportedly hired incident response experts at FireEye Mandiant to investigate the breach. These experts have also been helping with PR aspects of damage limitation, it seems. Brandan Schondorfer of Mandiant registered the domain Equihax.com on Tuesday (5 September), two days before the breach was publicly disclosed, thereby preventing anyone else intent on poking fun at Equifax – or perhaps worse, run phishing attacks – from getting their hands on the domain.

Other aspects of Equifax’s overall incident response (analysed in depth in a post by security blogger Guise Bule here) have been less assured. For example, security experts at Sophos have criticised Equifax’s use of PINs – based on the date and time of when a request was made – to freeze consumer credit files. Crooks have a far better chance of determining these PINs and unfreezing credit files than if they were randomly generated. Worse yet, compromised server logs might be used to determine PINs

D-Link Router Riddled with Zero-Day Flaws

A pity the poor home internet user. The crap they buy or are given by their ISP makes them think they are protected. Not. Oh wait, the average small business has these also. Ooops.

Quote

A security researcher has shamed D‑Link by publicly disclosing 10 serious, as-yet unpatched vulnerabilities in a line of consumer-grade routers without notifying the vendor first.

Security researcher Pierre Kim went public on a series of flaws in D‑Link DIR 850L wireless AC1200 dual-band gigabit cloud routers without disclosing the issue to D‑Link beforehand because of a previous negative experience with the firm. He disclosed nine vulnerabilities to D‑Link back in February, but only one of them resulted in a patch from the manufacturer.

“The D‑Link 850L is a router overall badly designed with a lot of vulnerabilities,” Kim offers in a somewhat dismissive summary seemingly borne out of exasperation with the networking kit maker.

..

Kim concludes by referencing his previous negative experiences with D‑Link in explaining why he had gone public this time before advising punters of the vulnerable equipment and to use other kit instead:

Due to difficulties in previous exchange with D‑Link, full disclosure is applied. Their previous lack of consideration about security made me publish this research without coordinated disclosure. I advise to IMMEDIATELY DISCONNECT vulnerable routers from the internet.

Trump: Blame the Computers not Russia

Trump: “I think we ought to get on with our lives. I think that computers have complicated lives very greatly. The whole age of computer has made it where nobody knows exactly what is going on. We have speed, we have a lot of other things, but I’m not sure we have the kind the security we need,” Trump said according to press pool report. He was at the Mar-a-Lago resort at the time of making the statement.” Source

Actually, I agree with Trump on this. We do not have the security we need. More fundamental to that, we do not have a mindset that puts computer security first. We bolt the front door and secure our physical premises with 24/7 monitoring services, yet we leave the barn door wide open for our online presence be it email, social media, browsing and shopping.

Privacy and security is an option when in fact it should come first. Imagine if the internet was built from the ground up with privacy and security as the foundation layer? That would mean no web bugs, tracking cookies, targeted advertising, privacy statements like Netflix’s (for example) that say, let me rape you and sell my experience and if you do not agree, your option is to cancel your subscription.

And home router manufacturers that make appliances so easily hacked it is a joke. And Microsoft windows that to this day facilitates users running with administrator privileges in everyday use. And the IoT – internet of things that have little if any security. And the mindset of the average consumer the allows Amazon’s Alexa into their home. Completely secure, right? Yeah sure, Why then, I ask, did this happen: “Amazon had been served with a search warrant in a murder case, as detectives in Bentonville, Ark., want to know what Alexa heard in the early morning hours of Nov. 22, 2015 — when Victor Collins was found dead in a hot tub behind a home after an Arkansas Razorbacks football game. (Read more) Come on! Lock the door, arm yourself to the teeth, **but** let a device with 7 microphones listening to every sound in your house connected to ?? and easily hacked by ?? (you’ll never know!). By the way, the same goes with Siri and Google voice on your smart phones.

Don’t blame the Russians, blame yourself. Yes, the mindset needs to change indeed.

Happy New Year.

Fortigate Back Door

Quote

Fortinet has admitted that many more of its networking boxes have the SSH backdoor that was found hardcoded into FortiOS – with FortiSwitch, FortiAnalyzer and FortiCache all vulnerable…..”Following the recent SSH issue, Fortinet’s Product Security Incident Response team, in coordination with our engineering and QA teams, undertook an additional review of all of our Fortinet products,” said the company in a blog post.

“During this review we discovered the same vulnerability issue on some versions of FortiSwitch, FortiAnalyzer and FortiCache. These versions have the same management authentication issue that was disclosed in legacy versions of FortiOS.”

Now the risk list includes FortiAnalyzer versions 5.0.5 to 5.0.11 and 5.2.0 to 5.2.4, FortiSwitch versions 3.3.0 to 3.3.2, FortiCache 3.0.0 to 3.0.7 (but branch 3.1 is not affected) along with gear running FortiOS 4.1.0 to 4.1.10, 4.2.0 to 4.2.15, 4.3.0 to 4.3.16, and the builds 5.0.0 to 5.0.7.

In all cases, the problem can be sorted by updating to the latest firmware builds. Don’t delay – hackers are closing in on the backdoor management authentication issue.

“Looking at our collected SSH data, we’ve seen an increase in scanning for those devices in the days since the revelation of the vulnerability,” said Jim Clausing, a mentor with the SANS Institute.

“Nearly all of this scanning has come from two IPs in China (124.160.116.194 and 183.131.19.18). So if you haven’t already applied patches and put ACLs/firewall rules in front of these devices limiting access to ssh from only specific management IPs, you have probably already been scanned and possibly pwned.”

Comcast (monopolist) using browser injection Upsell New Modems

quote

We already know that Comcast can — and does — inject alerts into users’ web browsers to alert them to potential copyright infringement, but the nation’s largest Internet provider can also use this ability to interrupt your enjoyment of the web in order to remind you to upgrade your modem.

Consumerist reader and Comcast customer “BB” says that the cable company upgraded the network in his area in recent months, and has been writing and calling him regularly about upgrading his modem ever since.

“For months we received multiple letters in the mail, explaining how we were missing out on the great new capabilities of their network,” writes BB. “This eventually escalated to repeated phone calls from Comcast, stating that we should really upgrade our modem.”
Thing is, BB owns the modem he uses and he’s experienced no problems with service or speeds since the network upgrade. He’d rather not spend money on a new modem — or pay Comcast too much to rent one from the company — when what he has is working just fine.

And BB is not some minor Internet user with an ancient desktop computer that he only uses to check email once a week. In fact, he’s a software developer living — like many of us — in a home with multiple web-connected devices.

“We stream Netflix and YouTube and our Internet speed is great for everything we need,” he writes. “Why should I spend the money?” ….“Now they’ve moved to more aggressive measures to try to get me to upgrade,” writes BB. “The other day as I was browsing the web on my phone, on my home WiFi, I got a pop-up notice while browsing on wired.com.” (see screenshot above)

In big red letters, the notice alerts BB that there is some “Action Needed” on his service.

It reads:
“Our records indicate that the cable modem, which you currently use for your XFINITY Internet service, may not be able to receive the full range of our speeds. To ensure you’re receiving the full benefits of your XFINITY Internet service, please replace your cable modem.”

Use HTTPS and change your DNS to a non Comcast DNS. Above all, do not use any Comcast firewall/routers as they are cheap, insecure and feature COmcast’s ability to turn your paid for internet connection into a public wifi access point which they on-sell to others at your expense. That should be disabled.

Comcast is an example of what is wrong in the country. In many markets it acts and is a monopolist. It is time to separate content delivery from transmission and end the monopoly and duopoly market conditions.

Comcast resets 200k cleartext passwords,

Quote

Zimbra mail server exploit claimed as source of dump

A hacker has tried to sell 200,000 valid cleartext Comcast credentials he claims he stole in 2013 from the telco’s then-vulnerable mailserver.

The telco has reset passwords for the affected accounts after news surfaced of the credentials being sold on the Python Market hidden marketplace.

Of the total pool of 590,000 accounts for sale for US$1,000, the company says around a third were accurate.

It told the Chicago Tribune the data was probably obtained through phishing, malware, or a breach of a third party site.

But the hacker responsible for the selling of the credentials, known as Orion, told Vulture South he obtained the credentials when he popped a Comcast mail server in December 2013.

He said the breach yielded 800,000 Comcast credentials of which 590,000 contained cleartext passwords.

Comcast has been contacted for comment.

“So in 2013 December the f****s at NullCrew came across an exploit for Zimbra which Comcast used at this domain *****.comcast.net ,” Orion says.

“NullCrew only got [about] 27k emails with no passwords lol while I got 800k with only 590k users with plaintext passwords.”

I do not whether to laugh or cry at all the businesses that think they are secure using the likes of Comcast and Verizon email. What is even worse is the firewalls these outfits provide. They are as bad as no firewall at all.