Not every security threat comes from the web. Wayne Williams reveals how your hardware may already have built-in flaws and explains how to fix them before it’s too late.
The last 12 months have been particularly bad for PC manufacturers – not only are sales down, but some companies have been exposed for pre-installing potentially dangerous and invasive software on their devices. This means that even if you’re very careful about what you download from the web, and where you get it from, your system could still be under threat from the ‘enemy within’ – built-in security flaws that leave it vulnerable to hackers and malware infection. In this feature, we highlight the worst of these hidden holes and explain how to fix them.
Over the following six pages, we explain how to check for (and remove) Lenovo’s Superfish adware, and secure the highly vulnerable Lenovo Solution Center. We also look at problems found on Dell and Toshiba PCs; explain how the Raspberry Pi isn’t as secure as it should be; and look at problems that affect popular routers from companies including Netgear, TP-Link and D-Link.
FIND & FIX FLAWS ON YOUR PC
LENOVO
Superfish
Many manufacturers bundle additional software with their PCs. This often includes free third-party programs and trial versions of commercial offerings, such as anti-virus software. Although this ‘bloatware’ is annoying, you can usually remove it without any problems. However, last February it was discovered that the latest laptops from Chinese computer manufacturer Lenovo contained a nasty piece of adware called Superfish, which made it possible to sneak ads into secure HTTPS web pages in a way that posed a serious threat to users’ security.
The Electronic Frontier Foundation (EFF, www.eff.org), which defends consumer privacy rights, said of the discovery: “Lenovo has not just injected ads in a wildly inappropriate manner, but engineered a massive security catastrophe for its users. The use of a single certificate for all of the MITM [man in the middle] attacks means that all HTTPS security for at least Internet Explorer, Chrome and Safari for Windows, on all of these Lenovo laptops, is now broken. If you access your webmail from such a laptop, any network attacker can read your mail as well or steal your password. If you log into your online banking account, any network attacker can pilfer your credentials. All an attacker needs in order to perform these attacks is a copy of the Superfish MITM private key. There is (apparently) a copy of that key inside every Superfish install on every affected Lenovo laptop, which has now been extracted and posted online.”
To help you find out if you’ve been affected by Superfish, password specialist LastPass has created an online Superfish Checker, which can be accessed at lastpass.com/superfish. Visit the link and it will tell you if you are safe, and what actions to take if you aren’t.
Lenovo stopped preloading the ‘badware’ after the flaw was discovered and promised never to preload Superfish on its laptops again. The company also completely disabled server-side interactions, which effectively stopped Superfish from working. Finally, the firm released a Superfish Removal Tool, which you can download from bit.ly/superfish388.
Lenovo Solution Center
The most recent scandal to rock Lenovo concerns the company’s own Lenovo Solution Center (LSC) – a preinstalled piece of software designed to “allow users to perform diagnostic functions and quickly identify the status of PC system hardware and software health, network connections and the presence of security features such as firewalls or antivirus programs.”
In December, Carnegie Mellon’s Computer Emergency Readiness Team (CERT) discovered that the bloatware suffered from multiple vulnerabilities, which meant that certain Lenovo computers could be hijacked by malicious websites. According to the vulnerability note (bit.ly/cert388): “By convincing a user who has launched the Lenovo Solution Center to view a specially crafted HTML document (such as a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with SYSTEM privileges. Additionally, a local user can execute arbitrary code with SYSTEM privileges.”
For your PC to be affected, you need to have actually launched the LSC at least once. Closing it won’t stop the problem, and CERT recommends uninstalling the program. Lenovo responded to the problem by telling users to remove the software and then issued two updates covering the different versions. These updates are now offered automatically if you open LSC, but you can also download and install the relevant updated package directly from bit.ly/lsc388.
DELL
eDellRoot
Dell recently decided to take advantage of rival PC manufacturer Lenovo’s Superfish problems by presenting itself as a more secure alternative. Promoting its new XPS 15 laptop in November, the company declared “Dell is serious about your privacy” and then went on to say: “Worried about Superfish? Dell limits its pre-loaded software to a small number of high-value applications on all of our computers. Each application we pre-load undergoes security, privacy and usability testing to ensure that our customers experience the best possible computing performance, faster set-up and reduced privacy and security concerns.”
So imagine Dell’s horror and embarrassment when, shortly afterwards, it was hit by not one but two security shockers that were just as bad as Superfish. Some of the company’s laptops shipped with an HTTPS root certificate that could allow malicious software or a hacker to impersonate any website and install malicious code. The eDellRoot certificate was issued by Dell and therefore had a valid signature, which meant it wasn’t picked up by Windows’ built-in security controls. While hackers would need a private key created by Dell to create an apparently valid HTTPS certificate, Dell (like Lenovo) included this key on the affected laptops. Whoops!
Once the story broke, Dell issued an apology (bit.ly/dellapology388) and provided a removal tool on the same page (as well as manual removal instructions) so that users could banish the root certificate.
Dell tried to downplay the incident, stressing that “the certificate is not malware or adware. Rather, it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers. This certificate is not being used to collect personal customer information. It’s also important to note that the certificate will not reinstall itself once it is properly removed using the recommended Dell process.” But malware or not, it still put users at risk.
Dell System Detect
Two days after Dell issued its eDellRoot apology, the company found itself in hot water once again. As part of the investigation into the eDellRoot certificate, the firm ordered a review of all its bundled software. Remember Dell’s claim that everything it pre-loads has been tested to ensure complete safety? It turns out that this wasn’t the case after all.
The investigation found that the Dell System Detect application (which interacts with the Dell Support website to offer more personalised support) and its DSDTestProvider root certificate did much the same as eDellRoot.
You can use the same removal tool that Dell has set up for eDellRoot to also fix the System Detect problem. There’s also an update for the application available at bit.ly/dellsd388 that addresses the security vulnerability, if you don’t want to completely remove System Detect.
Security companies such as Malwarebytes classify Dell System Detect as a Potentially Unwanted Program (PUP) and can remove it for you. Additionally, Microsoft now recognises the eDellRoot and DSDTestProvider certificates as “nontrusted”, which means that bad guys can no longer take advantage of them.
TOSHIBA
Toshiba Service Station
Toshiba has had a troubled time of late. It was embroiled in a $1.3bn accounting scandal and there were rumours circulating that the company had plans to spin off its PC division – which is no longer particularly lucrative – and potentially merge it with another PC manufacturer as part of a wide-ranging restructuring process.
At the beginning of December 2014, it was found that the pre-installed Toshiba Service Station (which “allows your computer to automatically search for Toshiba software updates or other alerts from Toshiba that are specific to your computer system and its programs”) could be exploited to “bypass any read-deny permissions on the Registry for lower-privileged users.” Or, to put it another way, it could give an attacker the ability to read most of the Registry with system privileges.
To fix this problem, users are advised to completely remove the Toshiba Service Station software. You should be able to do this through the ‘Uninstall a program’ list in the Control Panel. If not, try a dedicated uninstaller such as Revo Uninstaller (www.revouninstaller.com) or IObit Uninstaller (bit.ly/uninst378).
RASPBERRY PI
Weak SSH Keys
Raspberry Pi microcomputers come with quite a lot of programs bundled in their operating systems, but this software serves a useful purpose and couldn’t be described as bloatware. However, while that aspect of the device gets a clean bill of health, the most popular Pi operating system isn’t without vulnerabilities.
SSH keys are used to identify a system to an SSH (Secure Shell) server, and are more secure than using a password. SSH can, for example, be used to gain access to a Raspberry Pi’s command line from another computer on the same network. However, due to an incorrect boot sequence in the Raspbian operating system, the Raspberry Pi was found to generate a weak and predictable SSH key on its first boot, because the hardware random number generator was not enabled by default. The problem is explained by a developer called oittaa at bit.ly/pi-ssh388 and is something that will hopefully be addressed in a future security patch.
Remove bloatware from a new PC
1 If your PC comes bundled with a lot of junk you don’t want, the best approach is to format the hard drive and install a clean copy of Windows. However, if you feel that’s too much hassle, you can use a program such as PC Decrapifier (www.pcdecrapifier.com) instead. Launch the program, then click Analyze.
2 The software will scan your system looking for bundled junk to remove, then present its findings. Items are sorted into Recommended, Questionable, and Everything Else. Tick the boxes for items you don’t want on your PC and click the Remove Selected button.
3 Another excellent free program you could try is Should I Remove It? (www.shouldiremoveit.com). This scans your PC and lists all the programs on it, colour coding them so you can see at a glance which software other users have removed. Click an item to find out what it is. You can uninstall it from here, too.
REMOVE SECURITY FLAWS FROM YOUR ROUTER
NETGEAR
SOAP vulnerability
In February last year, a security researcher called Peter Adkins found a flaw in the SOAP service embedded in some Netgear routers. SOAP (Simple Object Access Protocol) is used by the Netgear Genie Desktop app and allows users to change their router settings. The flaw could have allowed attackers to steal passwords and wireless keys. It also potentially allows a snooper to discover your router’s serial number and details of connected devices.
To avoid the problem, make sure you have the latest Netgear firmware installed, and disable remote management if you have previously enabled it.
DNS vulnerability
In October, two security companies, Compass Security and Shellshock Labs, discovered an exploit that allows hackers to gain “full remote unauthenticated root access” of affected Netgear routers. Compass Security claimed that over 10,000 routers have been exploited through the flaw, while Netgear, speaking to the BBC, said the number was fewer than 5,000. The BBC report (bit.ly/netgear-bbc388) focused on a security researcher in the US whose Netgear router had its admin settings altered, resulting in browsing data being directed to a malicious internet address.
Following the BBC report, Netgear released a fix for affected routers which you can download from bit.ly/netgearfix388.
SEC Consult
NetUSB
Last May, SEC Consult Vulnerability Lab (bit.ly/seccvl388) discovered that millions of routers (and other internet-connected devices) were at risk from remote hacking, thanks to a vulnerability found in a piece of proprietary software called NetUSB. Created by Taiwanese company KCodes, NetUSB is intended to provide “USB over IP” functionality – that is, provide network access between USB devices and certain routers and other access points. However, there was a major vulnerability in the authentication check that occurs before establishing a connection between devices.
According to company researcher Stefan Viehbock: “As part of the connection initiation, the client sends his computer name. This is where it gets interesting: the client can specify the length of the computer name. By specifying a name longer than 64 characters, the stack buffer overflows when the computer name is received from the socket. All the server code runs in kernel mode, so this is a ‘rare’ remote kernel stack buffer overflow.”
Among the affected routers found by SEC Consult Vulnerability Lab were devices from TP-Link, D-Link, and Netgear. According to the security firm’s advisory on the flaw (bit.ly/netusbtxt388), NetUSB can sometimes be disabled via the web interface, but this may not mitigate the vulnerability. Updating your router’s firmware may fix the problem. TP-Link was among the first of the manufacturers to issue a patch for the flaw.
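The length check that the researcher's description says was missing, shown as an added C example (it is not KCodes' code and not part of the original article). The 4-byte length prefix, the function names and the return codes are assumptions made for illustration; the 64-character limit is the one quoted above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMPUTER_NAME_MAX 64   /* limit quoted in the advisory */

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Assumed wire layout (constructed for this example, not the real NetUSB
 * protocol): 4-byte little-endian length, then that many name bytes. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Copy the client's computer name into out (COMPUTER_NAME_MAX + 1 bytes).
 * The flawed pattern copies claimed_len bytes into a fixed 64-byte stack
 * buffer without looking at it; here both checks run before any copy. */
int parse_computer_name(const uint8_t *msg, size_t msg_len, char *out)
{
    if (msg_len < 4)
        return PARSE_TRUNCATED;
    uint32_t claimed_len = read_le32(msg);
    if (claimed_len > COMPUTER_NAME_MAX)      /* reject, never truncate silently */
        return PARSE_TOO_LONG;
    if (claimed_len > msg_len - 4)            /* header claims more than was sent */
        return PARSE_TRUNCATED;
    memcpy(out, msg + 4, claimed_len);
    out[claimed_len] = '\0';
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample: length 5, name "host1". */
    const uint8_t sample[] = { 5, 0, 0, 0, 'h', 'o', 's', 't', '1' };
    char name[COMPUTER_NAME_MAX + 1];
    int rc = parse_computer_name(sample, sizeof sample, name);
    printf("rc=%d name=%s\n", rc, rc == PARSE_OK ? name : "(rejected)");
    return 0;
}
```

Rejecting an over-long name outright, rather than truncating it, also keeps a malformed handshake from reaching the rest of the connection setup.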
EURECOM
Widespread vulnerabilities
In November, the Eurecom research centre in France and Ruhr University Bochum in Germany performed an analysis on hundreds of routers and DSL modems and found that nearly 10% had high-risk vulnerabilities. Most were potentially very easy to fix, which suggested that the manufacturers were failing to perform adequate security tests on the equipment. The full report is available in PDF format from bit.ly/routersecuritypdf388.
There’s no easy way to find out if your router is at risk from these vulnerabilities (running Avast’s network check – see below – might spot some of them) but you can safeguard your system by ensuring your router is running the very latest firmware. Check the support page on the manufacturer’s website. Installing a new version involves ‘flashing’ the ROM (so-called because the ROM is usually flash memory) but this is easy enough to do.
Check your router for vulnerabilities
1 Avast (www.avast.com) added router security to the 2015 edition of its free anti-virus software and has beefed this up further in the 2016 release. Open the program, click the Scan button and click ‘Scan for network threats’. It will check your PC, router and other connected devices for vulnerabilities.
2 You can stop the network scan at any time. Provided your home network is properly secured, you’ll see a message next to each item reporting that there were ‘No problems found on this device’. Pay special attention to the router entry. You can rescan your system at any time.
3 If your router is incorrectly configured or there are other problems with it, you’ll be able to take action to fix the problems. Clicking the router information will reveal more details about it, including its name and vendor. The software can’t always detect every router’s make and model, but covers most major brands.