Journalist John Leyden recently contacted us for our opinion on vulnerability research by Tom Forbes. The focus of Forbes' research was Dell's "System Detect" utility and a flaw that allows for remote code execution. Forbes reported his findings last November and Dell mitigated the issue in January (and also again last week).
But a significant problem remains from our point of view.
Older versions of the software don't update themselves, and there remain a lot of vulnerable computers out there. Over time, our customers have scanned various versions of System Detect many hundreds of thousands of times. It's very prevalent software. From just our customer base statistics within the last two weeks, we can see approximately 100,000 customers queried reputation checks on System Detect. Only about one percent of our customers are now running the latest version (6.0.14, represented by red in the chart below).
Older versions of System Detect create a run key in the registry that starts the service automatically. So vulnerable versions run persistently even though it's only needed when visiting Dell's support site. The latest version — 6.0.14 — doesn't create a run key.
Exploiting older versions of System Detect is very easy. It only requires that the target visits a URL with some variation of "dell" in its domain. Exactly where in the URL varies depending on the version of the software.
We used Forbes' research and our own black-box testing to run three versions of System Detect, observing network traffic and replaying the same traffic with small modifications. We confirmed the older versions can be used to launch calc.exe on a targeted machine (i.e., Remote Code Execution).
For the 220.127.116.11 version, the domain part of the referer field's URL needs to contain "dell.com", but it also accepts "www.notreallydell.com", so it's highly vulnerable.
Version 6.0.9 was released after Forbes reported the issue to Dell. It requires that the domain contains ".dell.". This means it also accepts "a.dell.fakesite.ownedbythebadguys.com", so it's also just as vulnerable to a web-based attack.
The current version, 6.0.14, requires that the domain is "*.dell.com" which more or less addresses the problem, especially when combined with the lack of autostart. If you need to have a version installed, it should be this one.
Older versions should definitely be uninstalled as soon as possible.
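To make the three Referer checks described above concrete, here is an added Python sketch written from the post's description (it is not Dell's code, and the test URLs are constructed). It parses the hostname out of each URL and applies the substring rule of the oldest version, the ".dell." rule of 6.0.9 and the "*.dell.com" suffix rule of 6.0.14, so the difference between substring matching and a proper domain-suffix check is visible side by side.

```python
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if it has none.

    Checking the parsed host (not the whole URL string) is what stops a
    trusted name hidden in the path or query from satisfying the rule.
    """
    return (urlsplit(url).hostname or "").lower()


def accepts_legacy(url: str) -> bool:
    """Oldest rule described in the post: host merely contains 'dell.com'."""
    return "dell.com" in host_of(url)


def accepts_6_0_9(url: str) -> bool:
    """6.0.9 rule as described: host merely contains '.dell.'."""
    return ".dell." in host_of(url)


def accepts_6_0_14(url: str) -> bool:
    """6.0.14 rule as described: host must match '*.dell.com', i.e. end in
    the registrable domain with a dot boundary in front of it."""
    return host_of(url).endswith(".dell.com")


# Constructed Referer URLs; the two fake hosts are the ones named in the post.
REFERERS = [
    "https://www.dell.com/support",
    "https://www.notreallydell.com/",
    "https://a.dell.fakesite.ownedbythebadguys.com/",
    "https://dell.com.example.net/",          # constructed: trusted name as a prefix
    "https://evil.example/?ref=www.dell.com",  # constructed: trusted name only in the query
]


def evaluate(urls):
    """Map each URL to (legacy, 6.0.9, 6.0.14) acceptance decisions."""
    return {u: (accepts_legacy(u), accepts_6_0_9(u), accepts_6_0_14(u)) for u in urls}


if __name__ == "__main__":
    for url, verdicts in evaluate(REFERERS).items():
        print(f"{url:50} legacy={verdicts[0]!s:5} 6.0.9={verdicts[1]!s:5} 6.0.14={verdicts[2]}")
```

Only the genuine www.dell.com referer passes the 6.0.14 rule; each of the weaker rules lets through at least one host the attacker could register.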
Just when we thought this Nordea phishing campaign was over, it reared its ugly head once again. It made its comeback on March 5th.
The phishing site looks pretty similar to the actual Nordea Finnish website.
Many of us in the Labs are Nordea customers, so we know that if the perpetrator is able to steal information from this page, there is nothing else they can do other than log in to the account once and check the balance. They will be unable to make any transactions, since they would need more than one PIN.
However, the ones behind this did their homework.
If someone falls victim to this attack, they will be led to yet another page that asks for the previous PIN and the next four PINs.
After this page, the victim will be asked for the last 4 digits of their credit card and CVV.
Once all of that information has been stolen, the fake page redirects to the real Nordea website.
As expected, for the last 7 days, the majority of the phishing site's visitors were from Finland.
We do have a detection already that covers this.
And it's good to note that if you are using our product, when you visit the real Nordea bank, Banking Protection will trigger and isolate unknown traffic during your banking session.
On Monday, I was testing our Freedome VPN for Windows and eventually… I forgot that I was using our London exit node.
And then I attempted to log in to Twitter.
This was the result:
And then I received this message via e-mail:
An unusual device or location?
In order to determine that I was attempting to log in from an "unusual" location, Twitter must be keeping a history of my previous IP addresses to compare against. This type of security feature is not new; Facebook has been doing this sort of thing for years already. But I've not yet seen it from Twitter. (A few years ago, Twitter seemed to be actively against such an idea.) Unlike Facebook, I don't see anyplace from which I can download my own connection history. Previous IP addresses used are available to those who download a Facebook archive. But IP address information isn't in the Twitter archive that I downloaded today.
So the questions I now have for Twitter are these: for how long have my connections been logged and tracked? And when will a copy of the data be available to me?
Twitter "may" receive information such as IP address and will "either delete Log Data or remove any common account identifiers" "after 18 months." The language about 18 months was first included in version 5 of the policy, June 23, 2011.
So then that just leaves this question: can I please get a copy of the data?