SECURITY WARNINGS & Notices - Please post them here

[polonus]

Seems a rather serious hole and it hasn't been patched until now:
http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-remote-hack/

Users are adviced not to use mentioned NETGEAR routers.

polonus

[Eddy]

Netgear heeft de laatste tijd wel heel vaak problemen met de veiligheid.
Hier is nog zo'n voorbeeld ervan.
http://kb.netgear.com/28393/NETGEAR-Product-Vulnerability-Advisory-ReadySHARE

[polonus]

Yep, it is all a question of money they do not wanna spend on it,
and we mean moral banktruptcy of firmware here,
that is why there is so many hacks an IoT malbots around.

Situation is not gonna change soon and we have to fend for ourselves, dear Eddy.

Change software to XWRT-Vortex seems to mitigate the problem (info credits: @tigs)

suswrt-Merlin (or XWRT or Cross-WRT) firmware for Netgear R7000 router.

At this point when you have a working version based on a Asuswrt-Merlin v380.63_2
that does not requires to flash the custom CFE. Firmware is pretty stable.

Download links:
XWRT for Netgear R7000 v380.63_2 is here
(previous versions are also available at this link)
Official site, Changelog. -> http://www.kb.cert.org/vuls/id/582384

The recommended procedure for initial flashing:
1. Reset your router to factory defaults via the web interface.
2. Flash the R7000_xxx.xx_x.chk file via the web interface.
3. Do another factory reset via the new web interface.
4. Configure everything else.

Procedure for upgrade:
1. Reboot your router via the web interface or power cycle.
2. Flash the R7000_xxx.xx_x.trx file via the web interface.
3. Check new options and configure everything else.

Link to the "back to stock" firmware (v1.0.3.80_1.1.38) is here.
Important: If You want to go away from XWRT back to tomato or dd-wrt
you MUST first flash the "back to stock" firmware image, or you will brick your router. 

polonus

[polonus]

We live in times of large scale automated threats for the as per default firmware world.
Next up issue coming towards a router near you might be NAS-sing:

Read:  https://wrgms.com/synologys-secret-telnet-password/

polonus

[Pondus]

More on the Netgear routers

CERT >  Multiple Netgear routers are vulnerable to arbitrary command injection  >>  https://www.kb.cert.org/vuls/id/582384

https://www.neowin.net/news/cert-advises-users-to-discontinue-use-of-two-netgear-routers-due-to-major-security-flaw

[polonus]

A temp fix: http://www.sj-vs.net/a-temporary-fix-for-cert-vu582384-cwe-77-on-netgear-r7000-and-r6400-routers/

Other netgear routers they may be vulnerable:

Netgear R6400 (Also known as AC1750 Smart WiFi Router)
R7500 (Nighthawk X4 AC 2350)
R7800 (Nighthawk X4S Smart WiFi Gaming Router)
R8500 (Nighthawk X8 Tri-Nand WiFi Router)
R8000 (Nighthawk AC3200)
R9000 (Nighthawk AC7200 X10 Smart WiFi Router)
And the ever-polular R7000 & R7000p (Nighthawk AC1900)

pol

[Be Secure]

August: A Spy Trojan for All Seasons
http://www.infosecurity-magazine.com/news/august-a-spy-trojan-for-all-seasons/

84% of Phishing Sites Last for Less Than 24 Hours
http://www.infosecurity-magazine.com/news/84-of-phishing-sites-last-for-less/

KFC warns 1.2 million Colonel's Club loyalty scheme members of data breach after website hacked
http://www.mirror.co.uk/news/uk-news/kfc-warns-12-million-colonels-9426835

[Asyn]

Security vulnerabilities fixed in Firefox ESR 45.6
https://www.mozilla.org/en-US/security/advisories/mfsa2016-95/

[Be Secure]

Half of World’s Top Websites are Vulnerable to Attack
http://www.infosecurity-magazine.com/news/half-of-worlds-top-websites-are/

[Asyn]

Microsoft Security Bulletin Summary for December 2016
https://technet.microsoft.com/library/security/ms16-dec

[polonus]

Vital update for Joomla hole: https://developer.joomla.org/security-centre/664-20161201-core-elevated-privileges.html

Update: https://www.joomla.org/announcements/release-news/5693-joomla-3-6-5-released.html

polonus

[Eddy]

Yahoo discloses hack of 1 billion accounts

https://techcrunch.com/2016/12/14/yahoo-discloses-hack-of-1-billion-accounts/

Affected users will be required to change their passwords, but they do not force people to change it.

[DavidR]

Yahoo discloses hack of 1 billion accounts

https://techcrunch.com/2016/12/14/yahoo-discloses-hack-of-1-billion-accounts/

Affected users will be required to change their passwords, but they do not force people to change it.

It is amazing that this actually goes back as far as 2013 and is only being reported now. I do recall another article reporting this some time ago and getting advised to change password, etc.

[polonus]

Hi Eddy,

Some at Yahoo knew about that 3 years ago.

1. Data-breaches and data-leaks will continue, because software will always have bugs.

2. Normal functioning devices will always get into the hands of people,
    that have very little knowledge how to use them properly.

3. Making things upgradable hinders standardisation.

4. IPv4 and IPv6can be spoofed much too eassily.

5. Abuse of infrastructure will continue by guys that abuse for money or for political ends.

6. Experts that can make a difference do not wanna discuss things.

7. Conclusion: This is why we stay where we are, that is at the same ever so high threat level.

Damian

[Eddy]

The Follow up on Yahoo discloses hack of 1 billion accounts
https://www.bloomberg.com/news/articles/2016-12-15/stolen-yahoo-data-includes-government-employee-information

DavidR,
there was another hack in 2014 where data of +/- 500 million people where stolen and it was disclosed in September this year.
This is a hack that took place in August 2013 and only was discovered last month because the hackers offered the list online.

It sure makes you wonder about the security (department) at Yahoo.