LastPass password manager woes?

  If you are having issues accessing your LastPass vault you are not alone.

 Multiple users share your situation. LastPass is attempting to contact their users to share their (LastPass) findings.

LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services. It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure.

Use Multi Factor Authentication. Change your master password often. Keep that master password secure.

Apple Updates everything 13-Dec-2021

  Apple updates

 iOS 15.2

iPadOS 15.2

macOS 12.1

AppleTV 15.2

watchOS 8.3

Internet on Fire??

  A LOT of coverage in news outlets about "worst vulnerability ever", "Internet on fire", and similar stories.

 We will cover the details in the Cyber Security SIG meeting December 16 at 3pm via zoom. The session/presentation will be audio recorded so view the posted presentation notes if you want the details - as they become more known.

 The vulnerability is in the Apache log4j library. Most applications are developed then deployed using stock libraries for common functions. Logging is a common function and the Apache log4j library is a very popular application inclusion.

 Very popular.

 Thus applications used in both server applications, client applications, browsers, and social media platforms -  to name a few.

 So applications using Java include the log4j class, set parameters, and use the log4j library to handle application logging.

 Some detail: The Java Naming and Directory Interface (JNDI) provides naming and directory functions to Java applications. So an application needs/wants to log something - anything. If the API encounters a JNDI reference the API will to to the supplied resource and fetch whatever it needs to resolve the requested variable. It is possible to download remote classes and execute them.

 A simple Proof of Concept (PoC) was released recently. Exploits rapidly increased in frequency and severity.

 Any and everything may need a update. 

 Applications, sites, platforms, cloud services, Twitter, should be used with caution. 

 DHS and most national cyber agencies are issuing warnings. Please head them.

UPDATE:  The patch might be worse than the exploit.

VERY HEAVY scanning for vulnerable systems continues to increase.

 

Monterey may harm your MAC

  Apple released Monterey, an update to macOS recently. A small number of users are reporting the update makes their MAC unresponsive. 

 Consider a pause in updating. Do perform an extensive backup of your data. Have your laptop powered during the update.

 There are sites that offer guidance on restoring usability to bricked MACs. 

 Consider letting the update run overnight. Consider using the Computer Club's Help Center. Contact Apple for support.

Apple updates everything

  MacOS Monterey (12.0.1)

iOS 15.1

WatchOS 8.1

AppleTV 15.1

Safari

AND a lot of Apple Store Apps

More information to follow

FAKE U.S Government sites

 

Cumulative Update for Microsoft Windows 11

  A cumulative update for Microsoft Windows 11 released.

KB5006746.

OS Build 22000.282 Preview

Then a .NET 3.5 and 4.8 Preview will be available after the OS update 

Also my Windows DEV machine had a update to take that machine to build 22483.1011 from build 22483.1000.

And then. Updates to the Windows Store. Search for Android.

Click on Amazon Appstore app

SO not my PC. Perhaps the virtual android engine is not available.

Trying the preview

 I will update this blog as i find more. 

Contact the Windows SIG scccwindows@gmail.com with your experiences.

MacOS Monterey to be released 25-October-2021

  I have been running the beta release of macOS Monterey for a few months. A recent update to macOS 12.0.1 indicates more might be a follow on.

 An issue for older MACS might be the amount of free disk space required to load and perform the update.

 MacOS keeps a reserve of recently used files. When you attempt to load and perform the update that cache may prohibit the update. There are programs on the Internet to work this space issue. The ones I tried didn't work releasably, were more advertising, etc.

 If you see this when attempting to update:

read on. 

 A technique to flush the disk space held for recent file operations is to create a large requirement for disk space, then remove that temporary file.

 You can do this with the macOS terminal utility. You will need to invoke the terminal utility with Administrator access. Then use the dd command to create the temporary file, delete the temporary file when all free space gets exhausted, reboot, then attempt the update again. If your update fails due to free disk space issues you will need to free large files.

Chrome Security and feature Update

   Chrome version 95 released. Available on most platforms: Windows, Mac, Android, iDevices,

etc.  BUT not (so far) on ChromeOS.

 Chromium based browser (Edge, Brave. ToR, etc. are following.

Patch PATCH October 11

  iOS 15.0.2 released today  - Security issues

Chrome browser patch - Security issues

Windows Patch Tuesday - IMPORTANT

Facebook really down?

 

Facebook reports outage began at 10:39 AM October 4. Lasting over 6 hours, spokespersons indicated the outage was due to "faulty configuration change". In spite of chang board approvals, often the approved change may be implemented with error. Happens.

Facebook employees were locked out of their access, access to meeting rooms, and access to the server rooms to control or rectify the outage.

Apple releases iOS 15.0.1 and iPad 15.0.1

  Mostly usage fixes.

 Reported usage fixes

Netgear Router Vulnerability

 Multiple Netgear routers have a high severity (8.1) remote code execution vulnerability that could be exploited by remote attackers to take control if the system.

 The vulnerability is in the Circle component that updates parental control features - even if that feature is not enabled.

 Recommendation is to update the firmware. Updating infrastructure firmware is good security practice.

 The affected Netgear models:

• R6400v2 (fixed in firmware version 1.0.4.120)
• R6700 (fixed in firmware version 1.0.2.26)
• R6700v3 (fixed in firmware version 1.0.4.120)
• R6900 (fixed in firmware version 1.0.2.26)
• R6900P (fixed in firmware version 3.3.142_HOTFIX)
• R7000 (fixed in firmware version 1.0.11.128)
• R7000P (fixed in firmware version 1.3.3.142_HOTFIX)
• R7850 (fixed in firmware version 1.0.5.76)
• R7900 (fixed in firmware version 1.0.4.46)
• R8000 (fixed in firmware version 1.0.4.76)
• RS400 (fixed in firmware version 1.5.1.80)

iOS 14.8 and iPadOS 14.8 emergency update today 13-September

 Apple has released updates to iOS and iPadOS today, September 13, 2021

 The emergency update, on iOS 15 release eve, addresses the zero-click vulnerability used in the Pegasus spyware in news recently.

 Be warned - no beta testing was done for this release.

 One of our phones took several attempts to apply this update.

 Later today, Big Sur 11.6 Update.

Now, Update 12.5.4 for older iPhones and iPads

Chrome browser update

 Google Chrome is up to date

Version 93.0.4577.63 (Official Build) (64-bit)

Several SERIOUS security fixes 

and

some new functionality

Updates available for most platforms: Windows, macOS, Andriod, iOS, Linux, etc.

A LOT of older Wi-Fi devices are vulnerable

  Recent research has found a lot of older Wi-Fi gear may be vulnerable to being deployed into the Mirai botnet network. Once exploited the attacker may further compromise the device to gain access of your home network.

 A flaw in a VERY large number of devices using Realtek chips are vulnerable. Just visiting a malicious web site is enough to trigger the vulnerability and execute one of a series of exploits. 65 companies used the vulnerable chips in hundreds of products.  Scanning shows sever hundred thousand devices are currently connected to the Internet.

Wi-Fi routers, Wi-Fi access points, Wi-Fi range extenders, USB Wi-Fi network adapters and more have used the vulnerable chip sets.

 Realtek has released a firmware update, but your vulnerable device manufacturer may not.

 If your device is listed in the list below, check the manufacturer for firmware updates. Be especially wary of Suddenlink provided equipment on the list.

Manufacturer	Affected Models
A-Link Europe Ltd	A-Link WNAP WNAP(b)
ARRIS Group, Inc	VAP4402_CALA
Airlive Corp.	WN-250R, WN-350R
Abocom System Inc.	Wireless Router ?
AIgital	Wifi Range Extenders
Amped Wireless	AP20000G
Askey	AP5100W
ASUSTek Computer Inc.	RT-Nxx models, WL330-NUL, Wireless WPS Router RT-N10E, Wireless WPS Router RT-N10LX, Wireless WPS Router RT-N12E, Wireless WPS Router RT-N12LX
BEST ONE TECHNOLOGY CO., LTD.	AP-BNC-800
Beeline	Smart Box v1
Belkin	F9K1015, AC1200DB Wireless Router F9K1113 v4, AC1200FE Wireless Router F9K1123, AC750 Wireless Router F9K1116, N300WRX, N600DB
Buffalo Inc.	WEX-1166DHP2, WEX-1166DHPS, WEX-300HPS, WEX-733DHPS, WMR-433, WSR-1166DHP3, WSR-1166DHP4, WSR-1166DHPL, WSR-1166DHPL2
Calix Inc.	804Mesh
China Mobile Communication Corp.	AN1202L
Compal Broadband Networks, INC.	CH66xx cable modems line.
D-Link	DIR-XXX models based on rlx-linux, DAP-XXX models based on rlx-linux, DIR-300, DIR-501, DIR-600L, DIR-605C, DIR-605L, DIR-615, DIR-618, DIR-618b, DIR-619, DIR-619L, DIR-809, DIR-813, DIR-815, DIR-820L, DIR-825, DIR-825AC, DIR-825ACG1, DIR-842, DAP-1155, DAP-1155 A1, DAP-1360 C1, DAP-1360 B1, DSL-2640U, DSL-2750U, DSL_2640U, VoIP Router DVG-2102S, VoIP Router DVG-5004S, VoIP Router DVG-N5402GF, VoIP Router DVG-N5402SP, VoIP Router DVG-N5412SP, Wireless VoIP Device DVG-N5402SP
DASAN Networks	H150N
Davolink Inc.	DVW2700 1, DVW2700L 1
Edge-core	VoIP Router ECG4510-05E-R01
Edimax	RE-7438, BR6478N, Wireless Router BR-6428nS, N150 Wireless Router BR6228GNS, N300 Wireless Router BR6428NS, BR-6228nS/nC
Edison	unknown
EnGenius Technologies, Inc.	11N Wireless Router, Wireless AP Router
ELECOM Co.,LTD.	WRC-1467GHBK, WRC-1900GHBK, WRC-300FEBK-A, WRC-733FEBK-A
Esson Technology Inc.	Wifi Module ESM8196 (therefore any device using this wifi module)
EZ-NET Ubiquitous Corp.	NEXT-7004N
FIDA	PRN3005L D5
Hama	unknown
Hawking Technologies, Inc.	HAWNR3
MT-Link	MT-WR600N
I-O DATA DEVICE, INC.	WN-AC1167R, WN-G300GR
iCotera	i6800
IGD	1T1R
LG International	Axler Router LGI-R104N, Axler Router LGI-R104T, Axler Router LGI-X501, Axler Router LGI-X502, Axler Router LGI-X503, Axler Router LGI-X601, Axler Router LGI-X602, Axler Router RT-DSE
LINK-NET TECHNOLOGY CO., LTD.	LW-N664R2, LW-U31, LW-U700
Logitec	BR6428GNS, LAN-W300N3L
MMC Technology	MM01-005H, MM02-005H
MT-Link	MT-WR730N, MT-WR760N, MT-WR761N, MT-WR761N+, MT-WR860N
NetComm Wireless	NF15ACV
Netis	WF2411, WF2411I, WF2411R, WF2419, WF2419I, WF2419R, WF2681
Netgear	N300R
Nexxt Solutions	AEIEL304A1, AEIEL304U2, ARNEL304U1
Observa Telecom	RTA01
Occtel	VoIP Router ODC201AC, VoIP Router OGC200W, VoIP Router ONC200W, VoIP Router SP300-DS, VoIP Router SP5220SO, VoIP Router SP5220SP
Omega Technology	Wireless N Router O31 OWLR151U, Wireless N Router O70 OWLR307U
PATECH	Axler RT-TSE, Axler Router R104, Axler Router R3, Axler Router X503, Axler Router X603, LotteMart Router 104L, LotteMart Router 502L, LotteMart Router 503L, Router P104S, Router P501
PLANEX COMMUNICATIONS INC., Planex Communications Corp.	MZK-MF300N, MZK-MR150, MZK-W300NH3, MZK-W300NR, MZK-WNHR
PLANET Technology	VIP-281SW
Realtek	RTL8196C EV-2009-02-06, RTL8xxx EV-2009-02-06, RTL8xxx EV-2010-09-20, RTL8186 EV-2006-07-27, RTL8671 EV-2006-07-27, RTL8671 EV-2010-09-20, RTL8xxx EV-2006-07-27, RTL8xxx EV-2009-02-06, RTL8xxx EV-2010-09-20
Revogi Systems
Sitecom Europe BV	Sitecom Wireless Gigabit Router WLR-4001, Sitecom Wireless Router 150N X1 150N, Sitecom Wireless Router 300N X2 300N, Sitecom Wireless Router 300N X3 300N
Skystation	CWR-GN150S
Sercomm Corp.	Telmex Infinitum
Shaghal Ltd.	ERACN300
Shenzhen Yichen (JCG) Technology Development Co., Ltd.	JYR-N490
Skyworth Digital Technology.	Mesh Router
Smartlink	unknown
TCL Communication	unknown
Technicolor	TD5137
Telewell	TW-EAV510
Tenda	AC6, AC10, W6, W9, i21
Totolink	A300R
TRENDnet, Inc., TRENDnet Technology, Corp.	TEW-651BR, TEW-637AP, TEW-638APB, TEW-831DR
UPVEL	UR-315BN
ZTE	MF253V, MF910
Zyxel	P-330W, X150N, NBG-2105, NBG-416N AP Router, NBG-418N AP Router, WAP6804

 

SeniorAdvisor Data Breach

  Researchers discovered the Web site SeniorAdvisor was hosted on a misconfigured Amazon S3 bucket. SeniorAdvisor claims to be the largest ratings and review website for senior care and services across U.S. and Canada.

 Over 3 million names and contact details were exposed. Data was unencrypted and unprotested.

 Using tools like MyLife and similar, if your relative or neighbor was a SeniorAdvisor user your details are a click away.

MacOS Big Sur 11.5.2 released today August 11-2021

  Little information on issues resolved with this release.

Apple updates 26-July-2021

 iOS 14.7.1  iPadOS 14.7.1 update issued today

BigSur 11.5.1

D-Link router vulnerabilities - Patch available

  D-Link DIR-3040 wireless router vulnerabilities fixed by Hotfix released by D-Link. 

 A plea to keep routers, cable modems, wireless access points and other perimeter devices, firmware, and systems updated.

 Check then double check for external access to your local area network devices.

 Secure these devices before someone finds and then exploits that access.

Summer of SAM Windows HIVE permission vulnerability

  Recent research has revealed that Microsoft Windows 10 and 11 versions may have left or changed permissions on the SYSTEM and SAM hives in the Windows registry such that any local user can access the information stored in these registry hives. The SAM hive contains hashes of users on that windows system! Including the Administrator account(s). 

 The discovery is hitting security news sites today (July 20, 2021) so attackers are or will soon be aware.

 The above commands will indicate if your versions of Windows has the misconfiguration. Most users are reporting the problem has existed since Windows 10 version 1809.

 While Windows is running these hives are locked.

BUT Volume Shadow Copy has read these hives and abusers CAN read those volume copies.

Methods to read the contents of these hives and obtain hashed passwords and other security configuration settings involve some knowledge that attackers have.

The hive permissions, the still unpatched (third time) Print Spooler vulnerability kinda makes a bad period for Microsoft.

iOS 14.7 released today 19-July-2020

 Updates to iPhone iOS 14.7

AppleTV, iWatch

BUT no iPadOS?  Me neither

Might be rush to support MagSafe?

Might be residual problem(s) with iPadOS?

Firefox Version 90 release

 Firefox browser update to Release 90 Yesterday July 13, 2021.

Features:

Windows users can have updates applied in background without Firefox running. What could possible go wrong?

Version 2 of Firefox SmartBlock feature.

Various security issues fixed.

US Presidential Execurity Order 9-July-2021

 Technology based. 72 provisions:

Hearing aids over the counter sales

FTC ban on non-compete clauses (or restrict?)

Internet subscribers to get more choices & better service

Right to repair - all electronics not just farm equipment

More rules or surveillance

Patent policy reform

and more

An example of Broadband disclosure:

Microsoft emergency patch for PrintNightmare released today July 6

 Microsoft today released patches for CVE-2021-34527, the vulnerability also known as "PrintNightmare". Patches are currently available for these versions of Windows:

• Windows 10 Version 21H1 (32-bit, x64, ARM64)
• Windows 10 Version 2004 (32-bit, x64, ARM64)
• Windows 10 Version 1909  (32-bit, x64, ARM64)
• Windows 10 Version 1809  (32-bit, x64, ARM64)
• Windows 10 (32-bit and x64)
• Windows RT 8.1
• Windows 8.1 (32-bit and x64)
• Windows 7 SP1 (32-bit and x64)
• Windows Server, version 20H2 (ARM, 32-bit, x64, Server Core)
• Windows Server, version 2004 (ARM, 32-bit, x64, Server Core)
• Windows Server 2019 (including Server Core)
• Windows Server 2012 R2 (including Server Core)
• Windows Server 2008 R2 SP1 and SP2

Interesting inclusion   Windows 7

Interesting exclusion  Windows 10

If you have a printer shared from a Windows machine and have not disabled the print spooler service, consider the patch.

Interesting that Microsoft recognizes and auto corrects PrintNightmare

Microsoft PowerShell PATCH ASAP

  Available at Microsoft Store.

Recommended version 7.2 or higher.

CVE score 9.8

Western Digital woes increase

  The older MyBook Live network attached storage appliances surprised their users with a wiped network storage device. 

 The devices affected had support stopped some years ago. The devices still functioned as network attached storage - BUT the devices may have been hosting botnets, spam forwarders, and storage of malware as well. Some theorize a rival botnet gang is responsible for remotely wiping (removing ALL files using Internet access) the devices to block a rival botnet group.

 Newer Western Digital devices running MyCloud OS 5 should be ok.

A series of Western Digital devices can't run MyCloud OS 5. Thus those devices are vulnerable. Those devices can be used to run botnets, spam forwarders, and malware hosts.

 Disconnecting any Western Digital devices from the Internet is a good first step. Updating the MyCloud OS to at least version 5 (if possible) as a next step. Do these steps AFTER securing a known good backup. Malware loaded onto another system on your home network which is then capable of wiping your files and folders is a possibility even with the Western Digital updates.

This release from Western Digital:

Western Digital has determined that Internet-connected My Book Live and My Book Live Duo devices are under attack by exploitation of multiple vulnerabilities present in the device. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device. To help customers who have lost data as a result of these attacks, Western Digital will provide data recovery services, which will be available beginning in July. My Book Live customers will also be offered a trade-in program to upgrade to a supported My Cloud device. The My Book Live firmware is vulnerable to a remotely exploitable command injection vulnerability when the device has remote access enabled. This vulnerability may be exploited to run arbitrary commands with root privileges. Additionally, the My Book Live is vulnerable to an unauthenticated factory reset operation which allows an attacker to factory reset the device without authentication. The unauthenticated factory reset vulnerability has been assigned CVE-2021-35941. We have heard concerns about the nature of this vulnerability and are sharing technical details to address these questions. We have determined that the unauthenticated factory reset vulnerability was introduced to the My Book Live in April of 2011 as part of a refactor of authentication logic in the device firmware. The refactor centralized the authentication logic into a single file, which is present on the device as includes/component_config.php and contains the authentication type required by each endpoint. In this refactor, the authentication logic in system_factory_restore.php was correctly disabled, but the appropriate authentication type of ADMIN_AUTH_LAN_ALL was not added to component_config.php, resulting in the vulnerability. The same refactor removed authentication logic from other files and correctly added the appropriate authentication type to the component_config.php file. We have reviewed log files which we have received from affected customers to understand and characterize the attack. The log files we reviewed show that the attackers directly connected to the affected My Book Live devices from a variety of IP addresses in different countries. Our investigation shows that in some cases, the same attacker exploited both vulnerabilities on the device, as evidenced by the source IP. The first vulnerability was exploited to install a malicious binary on the device, and the second vulnerability was later exploited to reset the device.

For customers who have lost data as a result of these attacks, Western Digital will provide data recovery services. My Book Live users will also be offered a trade-in program to upgrade to a supported My Cloud device. Both programs will be available beginning in July, and details on how to take advantage of these programs will be made available in a separate announcement.