New Router Malware might be affecting your home/office router

From Talos:

Given our observations with this threat, we assess with high confidence that this list is incomplete and other devices could be affected.








TS439 Pro

Other QNAP NAS devices running QTS software



WIRED has an article about this cybersecurity hazard here:

WIRED has reached out to Netgear, TP-Link, Linksys, MicroTik, and QNAP for comment on the VPNFilter malware. Netgear responded in a statement that users should update their routers’ firmware, change any passwords they’ve left as the default, and disable a “remote management” setting that hackers are known to abuse, steps it outlines in a security advisory about the VPNFilter malware. The other companies have yet to respond to WIRED’s request.

Phishing Attacks with Unicode Domains

One more attack vector to be thinking about!

From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters. It is possible to register domains such as “”, which is equivalent to “а”. It may not be obvious at first glance, but “а” uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0041). This is known as a homograph attack.

Chrome 59 will protect you from these phishing attempts by converting the maliciously-similar name to the Punycode version, thus making you aware of something amiss.

Firefox users can limit their exposure by going to about:config and settingnetwork.IDN_show_punycode to true. This will force Firefox to always display IDN domains in its Punycode form, making it possible to identify malicious domains. Thanks to /u/MARKZILLA on reddit for this solution.

Thus, the attack form of will show as

On Twitter @Xudong_Zheng  says a simple way to limit the risk from bugs such as this is to always use a password manager, which can identify that the similar letters are not the same.


Thunderbird Mail Program for Mac is blocked by Google

Google blocks Thunderbird from checking gmail if a certain setting is turned on via Google’s account security settings screen.

Some devices and apps use insecure sign-in technology to access your data.

Choosing Disable prevents these less secure devices and apps from accessing your Google Account.

Choosing Enable increases your chances of unauthorized account access but allows you to continue using these less secure devices and apps.

Mozilla explains the problem here:


Poodle vulnerability—what to do

October 2014 brought with it a new cyber-attack method to the Internet: POODLE, the ‘Padding Oracle On Downgraded Legacy Encryption’ attack. The attack is against the SSLv3 protocol, which powers the HTTPS secure browsing system we’re all used to.

What can you do?

1. Check your browser:

Then disable SSLv3 support in your browser(s):

Firefox was the easiest to change. Safari has no known fix yet, and Mac Chrome requires a command line tweak to modify.  Even the Chrome Canary build is still vulnerable.


2. Check to see if your web server is vulnerable:

Then ask your hosting company to disable SSLv3 on the server:


Test for the Shellshock bug in BASH

From ArsTechnica:

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

 this is a test

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

The fix is an update to a patched version of the Bash shell. To be safe, administrators should do a blanket update of their versions of Bash in any case.

Visual Map of Internet Attacks

A computer security firm called Norse

has released a stunning data visualization map of internet attacks. It shows a fraction of the scope of constant threats affecting countries today. You can see penetration attempts in real time over services like http (web servers) and smtp (email servers), and more.


Norse visual map of internet attacks
Norse visual map of internet attacks

via PC World from this article.



Be aware of the Heartbleed bug

On April 8 I was notified by WiredTree, our hosting company, that their servers had been patched against a newly discovered (and serious) flaw in the SSL encryption technology which underpins secure browsing over https.

It is called the Heartbleed bug.

Our servers were not affected, as they ran CentOS5 and did not use Litespeed. Other sites which did use LiteSpeed were affected.

Read more at:


An article on Thursday explains how the bug crept in the Open Source software.

Heartbleed, a “catastrophic” security flaw in the OpenSSL cryptographic protocol that has affected two-thirds of the entire Internet’s communications, was committed at 10:59 pm on New Year’s Eve by Seggelmann, a 31-year-old Münster, Germany-based programmer.

That night, he made an error that has been compared to the misspelling of Mississippi, a careless but almost inevitable mistake that went undetected for over two years.

Target website hiding its data theft warning

Target’s had a big red target leveled at its data systems recently; the intrusion and theft of over 100 million consumer credit & debit card information is almost the largest in history.

It’s website features a notice to consumers; but strangely, 2 seconds after the home page loads, an ad overlay obscures the warning text and link.

Purposeful or by accident, it’s a big oops on top of the disaster.

See the site 1 second after load:

website shows theft message at page load
The Target website shows theft message at page load

And 2 seconds later:

Target homepage after 2 seconds; the warning is covered over
Target homepage after 2 seconds; the warning is covered over

Intentional or by accident?

Does the law require companies to disclose breaches?
As an aside, most States do not require the companies disclose successful network breaches to their customers. A law firm has published a useful chart to track State-by-State requirements.

The write:

Perkins Coie’s Privacy & Security practice maintains a comprehensive chart that summarizes state laws regarding security breach notification.  The chart is for informational purposes only and is intended as an aid in understanding each state’s sometimes unique security breach notification requirements.  Lawyers, compliance professionals, and business owners have told us that the chart has been helpful when preparing for and responding to data breaches.

Maine has such a disclosure law on its book.

Website hacks are like lawn dandelions

Google acknowledged (and fixed) a major vulnerability in its and domains.

Redirection, cross-site scripting, cross-site request forgery, and SQL-injection vulnerabilities are to websites what dandelions are to suburban lawns. Even sites maintained by experienced and highly vigilant Web developers are likely to suffer from these Web-application bugs.

From ArsTechnica. Read more here.