Wednesday, September 20, 2017

Tag: Network Address Translation (NAT)
According to Gartner, there are currently over 6 billion IoT devices on the planet. Such a huge number of potentially vulnerable gadgets could not possibly go unnoticed by cybercriminals. As of May 2017, Kaspersky Lab’s collections included several thousand different malware samples for IoT devices, about half of which were detected in 2017.
Mobile developers building apps for iOS and Android have some new tools from Microsoft designed to make their lives easier. On Thursday, the company unveiled a series of apps and services, including one that's designed to let Windows-based developers test iOS apps from their PCs. Called Xamarin Live Player, the app allows developers to link their iOS or Android phones with Visual Studio on Windows or Mac and then test the .Net mobile applications they're building in a matter of seconds. It's designed to solve two key problems: developers needing to burn time setting up their development environments, and the time that it takes to compile applications, according to Microsoft Corporate Vice President Nat Friedman.
Attackers are targeting more than 166 router models with an exploit kit called DNSChanger that is being distributed via malvertising. Researchers at Proofpoint said the exploit kit is unique because the malvertising component of the attack doesn't target browsers, but rather a victim's router. Some of the vulnerable routers include specific models made by D-Link, Netgear and those that serve the SOHO market such as Pirelli and Comtrend, according to Proofpoint, which published its research Tuesday. Owners of routers vulnerable to DNSChanger are urged to update their equipment's firmware. The router vulnerability exploited by DNSChanger is not to be confused with the vulnerabilities found in Netgear routers last week that could allow an attacker to gain root access to devices remotely. DNSChanger attacks begin with hackers buying and placing ads on mainstream websites.

Those ads contain malicious JavaScript code that can reveal a user's local IP address by triggering what is called a WebRTC request to a Mozilla STUN server (stun.services.mozilla[.]com). WebRTC is a protocol for web communication.
STUN (Session Traversal Utilities for NAT) servers send a ping back that contains the IP address and port of the client, as seen from the server's perspective.

The local and public IP addresses of the user can be gleaned from these requests via the JavaScript. Once attackers establish a target’s local IP address they try to ascertain whether the target is worth attacking.
If not, a victim is shown a benign ad.

Desirable targets receive a fake ad in the form of a PNG image. Proofpoint said JavaScript is then used to extract HTML code from the comment field on the PNG file and redirects victims to the landing page of the DNSChanger EK. Next, DNSChanger uses Chrome to load multiple functions including an AES key concealed with steganography in a small image.

The AES key is used to cloak traffic and decrypt router fingerprints used to determine if a target is using a vulnerable model. "Once it performs the reconnaissance functions, the browser will report back to the DNSChanger EK which returns the proper instructions to perform an attack on the router," Proofpoint said. "The Chrome browser is functioning correctly, but the router has vulnerabilities that can be exploited.

Because browsers must talk with routers through which clients connect to the Internet, legitimate traffic/connections can be exploited to change the router's DNS settings," Patrick Wheeler, director of threat intelligence at Proofpoint, said. "The browser is simply doing what it is supposed to, talking with the router and, ultimately, receiving DNS information from it." In cases where the router is not vulnerable, attackers will use DNSChanger to attempt to use default credentials to change DNS entries.
If the vulnerability is present, attackers will use the known router exploits to modify the DNS entries in the router and also try to make administration ports available from external addresses for additional attacks. The goal is to change DNS records on routers so cybercriminals can steal traffic from large web ad agencies such as Propellerads, Popcash and Taboola. "At the time of our examination, they were redirecting the traffic to Fogzy (a.rfgsi[.]com) and TrafficBroker," Proofpoint wrote. Wheeler said there are also indications that DNSChanger is being used in man-in-the-middle attacks. He added, "We do not rule out the possibility of future malicious actions depending on the motivation or goals of those controlling the exploit kit." Mitigation efforts include applying the latest manufacturer router updates. Proofpoint also recommends a number of ways to tighten security to lessen the likelihood of an attack.

Those recommendations include changing the default local IP range on routers, disabling remote administration features on SOHO routers and using ad-blocking browser add-ons.
Sometimes the best thing to say about a wireless router in your house is that once it's set, you forget it exists.

As long as the devices that need the Wi-Fi connection can get on and function, that's all that matters, right? Maybe, but we also live in the age of leaks, wiki and otherwise.
If you're worried about the security of your home network, and by extension your personal data—especially from hackers who could casually sit in a car outside and get access to your systems—then you need to put a padlock on that wireless. You may also want to prevent others from using your network, hackers and freeloaders alike. So what do you do? Follow these tips and you'll be well ahead of most home Wi-Fi users. Nothing will make you 1,000 percent safe against a truly dedicated hack.

Crafty social engineering schemes are tough to beat.

But don't make it easy on them; protect yourself with these steps.

Time-Tested Wi-Fi (and All Around) Security

Change Your Router Admin Username and Password

Every router comes with a generic username and password—if they come with a password at all. You need it the first time you access the router.

After that, change them both.

The generic usernames are a matter of public record for just about every router in existence; not changing them makes it incredibly easy for someone who gets physical access to your router to mess with the settings. If you forget the new username/password, you should probably stick to pencil and paper, but you can reset a router to its factory settings to get in with the original admin generic info.

Change the Network Name

The service set identifier (SSID) is the name that's broadcast from your Wi-Fi to the outside world so people can find the network. While you probably want to make the SSID public, using the generic network name/SSID generally gives it away.

For example, routers from Linksys usually say "Linksys" in the name; some list the maker and model number ("NetgearR6700").

That makes it easier for others to ID your router type.

Give your network a more personalized moniker. It's annoying, but rotating the SSID(s) on the network means that even if someone had previous access—like a noisy neighbor—you can boot them off with regular changes.
It's usually a moot point if you have encryption in place, but just because you're paranoid doesn't mean they're not out to use your bandwidth. (Just remember, if you change the SSID and don't broadcast the SSID, it's on you to remember the new name all the time and reconnect ALL your devices—computers, phones, tablets, game consoles, talking robots, cameras, smart home devices, etc.)

Activate Encryption

This is the ultimate Wi-Fi no-brainer; no router in the last 10 years has come without encryption. It's the single most important thing you must do to lock down your wireless network. Navigate to your router's settings and look for security options.

Each router brand will likely differ; if you're stumped, head to your router maker's support site. Once there, turn on WPA2 Personal (it may show as WPA2-PSK); if that's not an option use WPA Personal (but if you can't get WPA2, be smart: go get a modern router).
Set the encryption type to AES (avoid TKIP if that's an option). You'll need to enter a password, also known as a network key, for the encrypted Wi-Fi. This is NOT the same password you used for the router—this is what you enter on every single device when you connect via Wi-Fi.
So make it a long nonsense word or phrase no one can guess, yet something easy enough to type into every weird device you've got that uses wireless. Use a mix of upper- and lowercase letters, numbers, and special characters to make it truly strong, but you have to balance that with ease and memorability.

Double Up on Firewalls

The router has a firewall built in that should protect your internal network against outside attacks.

Activate it if it's not automatic.
It might say SPI (stateful packet inspection) or NAT (network address translation), but either way, turn it on as an extra layer of protection. For full-bore protection—like making sure your own software doesn't send stuff out over the network or Internet without your permission—install firewall software on your PC as well. Our top choice: Check Point ZoneAlarm PRO Firewall 2017; there's a free version and a $40 pro version, which has extras like phishing and antivirus protection.

At the very least, turn on the firewall that comes with Windows 8 and 10.

Turn Off Guest Networks

It's nice and convenient to provide guests with a network that doesn't have an encryption password, but what if you can't trust them? Or the neighbors? Or the people parked out front? If they're close enough to be on your Wi-Fi, they should be close enough to you that you'd give them the password. (Remember—you can always change your Wi-Fi encryption password later.)

Use a VPN

A virtual private network (VPN) connection makes a tunnel between your device and the Internet through a third-party server—it can help mask your identity or make it look like you're in another country, preventing snoops from seeing your Internet traffic.
Some even block ads.

A VPN is a smart bet for all Internet users, even if you're not on Wi-Fi.

As some say, you need a VPN or you're screwed.

Check our list of the Best VPN services.

Update Router Firmware

Just like with your operating system, browsers and other software, people find exploitable security holes in routers all the time. When the router manufacturers know about these exploits, they plug the holes by issuing new software for the router, called firmware.

Go into your router settings every month or so and do a quick check to see if you need an update, then run their upgrade. New firmware may also come with new features for the router, so it's a win-win. If you're feeling particularly techie—and have the right kind of router that supports it—you can upgrade to custom third-party firmware like Tomato, DD-WRT or OpenWrt.

These programs completely erase the manufacturer's firmware on the router but can provide a slew of new features or even better speeds compared to the original firmware.

Don't take this step unless you're feeling pretty secure in your networking knowledge.

Turn Off WPS

Wi-Fi Protected Setup, or WPS, is the function by which devices can be easily paired with the router even when encryption is turned on, because you push a button on the router and the device in question.
Voila, they're talking.
It's not that hard to crack, however, and means anyone with quick physical access to your router can instantly pair their equipment with it. Unless your router is locked away tight, this is a potential opening to the network you may not have considered.

'Debunked' Options

Many security recommendations floating around the Web don't pass muster with experts.

That's because people with the right equipment—such as wireless analyzer software like Kismet or mega-tools like the Pwnie Express Pwn Pro—aren't going to let the following tips stop them.
I include them for completion's sake because, while they can be a pain in the ass to implement or follow up with, a truly paranoid person who doesn't yet think the NSA is after them may want to consider their options.
So, while these are far from foolproof, they can't hurt if you're worried.

Don't Broadcast the Network Name

This makes it harder, but not impossible, for friends and family to get on the Wi-Fi; that means it makes it a lot harder for non-friends to get online.
In the router settings for the SSID, check for a "visibility status" or "enable SSID broadcast" and turn it off.
In the future, when someone wants to get on the Wi-Fi, you'll have to tell them the SSID to type in—so make that network name something simple enough to remember and type. (Anyone with a wireless sniffer, however, can pick the SSID out of the air in very little time.

The SSID is not so much invisible as camouflaged.)

Disable DHCP

The Dynamic Host Configuration Protocol (DHCP) server in your router is what assigns IP addresses to each device on the network.

For example, if the router has an IP of, your router may have a DHCP range of to—that's 26 possible IP addresses it would allow on the network. You can limit the range so (in theory) the DHCP wouldn't allow more than a certain number of devices—but with everything from appliances to watches using Wi-Fi, that's hard to justify. For security you could also just disable DHCP entirely.

That means you have to go into each device—even the appliances and watches—and assign it an IP address that fits with your router. (And all this on top of just signing into the encrypted Wi-Fi as it is.) If that sounds daunting, it can be for the layman.

Again, keep in mind, anyone with the right Wi-Fi hacking tools and a good guess on your router's IP address range can probably get on the network even if you do disable the DHCP server.

Filter on MAC Addresses

Every single device that connects to a network has a media access control (MAC) address that serves as a unique ID.
Some with multiple network options—say 2.4GHz Wi-Fi, and 5GHz Wi-Fi, and Ethernet—will have a MAC address for each type. You can go into your router settings and physically type in the MAC address of only the devices you want to allow on the network. You can also find the "Access Control" section of your router to see a list of devices already connected, then select only those you want to allow or block.
If you see items without a name, check their listed MAC addresses against your known products—MAC addresses are typically printed right on the device.

Anything that doesn't match up may be an interloper. Or it might just be something you forgot about—there is a lot of Wi-Fi out there.

Turn Down the Broadcast Power

Got a fantastic Wi-Fi signal that reaches outdoors, to areas you don't even roam? That's giving the neighbors and passers-by easy access. You can, with most routers, turn down the Transmit Power Control a bit, say to 75 percent, to make it harder. Naturally, all the interlopers need is a better antenna on their side to get by this, but why make it easy on them?
Up to half a million downloads clocked for one poison app

More than 400 malicious apps from a single attacker have been successfully uploaded to the Google Play store, with one downloaded up to half a million times, Trend Micro malware researcher Echo Duan says. The malware is disguised as various games, phone boosters, and themes that when executed can compromise devices and connected networks, download additional payloads, and enslave handsets into botnets. Such malware is usually barred from the Google Play store thanks to security analysis checks Mountain View runs to determine apps that steal user data, spam with advertisements, or adversely impact privacy. The prolific authors who have created some 3000 variants of the DressCode malware have had a significant win in breaching Google's defences since apps hosted on the Play store are considered and marketed as safe. Duan says the malware attempts to gain a foothold on any networks the compromised handsets are connected to, making it a threat to enterprises and small businesses. This malware gives attackers an avenue into internal networks which compromised devices are connected to—a notable risk if the device is used to connect to company networks. "If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard," Duan says. "With the growth of bring your own device programs, more enterprises are exposing themselves to risk via care-free employee mobile usage. "[The installed SOCKS proxy] can be used to turn devices into bots and build a botnet."

Duan says the malicious code was a small fraction of the total app codebase, making it "difficult" for Google to detect. One app offering a Grand Theft Auto theme for Minecraft clocked between 100,000 and 500,000 downloads according to Google Play's metric bands. Compromising modern Android handsets is increasingly difficult for regular malware players thanks to big leaps in defensive upgrades, but most phone users run old, unsupported, and dangerously exposed versions of the mobile operating system. Some 35 percent of Android users operate version five (Lollipop) of Google's platform released in 2014, while about 25 percent run ancient version 4.4 (Kitkat) published in 2013. Fewer than 10 percent run Android version six (Marshmallow) released last year and virtually no one other than owners of Nexus 6P devices sports version seven (Nougat) published last month. Outside of the Nexus line, handsets everywhere are locked into custom vendor ROMs and as such must rely on manufacturers to push through Google's security updates and patches. Trend Micro says it flagged some 16.6 million malware detections as of August, 40 per cent up on January figures.
Google Play was recently found to be hosting more than 400 apps that turned infected phones into listening posts that could siphon sensitive data out of the protected networks they connected to, security researchers said Thursday. One malicious app infected with the so-called DressCode malware had been downloaded from 100,000 to 500,000 times before it was removed from the Google-hosted marketplace, Trend Micro researchers said in a post. Known as Mod GTA 5 for Minecraft PE, it was disguised as a benign game, but included in the code was a component that established a persistent connection with an attacker-controlled server.

The server then had the ability to bypass so-called network address translation protections that shield individual devices inside a network.

Trend Micro has found 3,000 such apps in all, 400 of which were available through Play. "This malware allows threat actors to infiltrate a user's network environment," Thursday's report stated. "If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard." The report continued: The malware installs a SOCKS proxy on the device, building a general purpose tunnel that can control and give commands to the device.
It can be used to turn devices into bots and build a botnet, which is essentially a network of slave devices that can be used for a variety of schemes like distributed denial-of-service (DDoS) attacks—which have become an increasingly severe problem for organizations worldwide—or spam email campaigns.

The botnet can use the proxied IP addresses also generated by the malware to create fake traffic, disguise ad clicks, and generate revenue for the attackers. Google representatives didn't immediately respond to e-mail seeking comment for this post. Trend Micro's report comes three weeks after researchers from separate security firm Checkpoint said they detected 40 DressCode-infected apps in Google Play. Trend said that only a small portion of each malicious app contained the malicious functions, a feature that makes detection difficult.
In 2012, Google introduced a cloud-based security scanner called Bouncer that scours Play for malicious apps.
Since then, thousands of malicious apps have been detected by researchers.

This raises a question: if outside parties can find them, why can't Google find them first?
Just 20 per cent were the result of hacking

One in four breaches (25.3 per cent) in the US financial services sector over recent years was due to lost or stolen devices, according to a new study. Cloud security firm Bitglass further reports that one in five recorded breaches over the last 10 years were the result of hacking. More than 60 financial sector organisations suffered recurring breaches in the last decade, including most major banks. While hacking accounted for a disproportionate number of the individuals affected by financial services breaches, only one in five leaks were caused by hacking. Other breaches were the result of unintended disclosures (14 per cent), malicious insiders (13 per cent), and lost paper records. In 2015, 87 breaches were reported in the financial services sector, up from 45 in 2014.
In the first half of 2016, 37 banks have already disclosed breaches. One in seven (14 per cent) of leaks can be attributed to unintended disclosures and a similar 13 per cent to malicious insiders. JP Morgan Chase, the US’s largest bank, has suffered several recurring breaches since 2007.

The largest breach event, the result of a cyber-attack in 2014, affected an estimated 76 million US households. Other breaches at JPMorgan stemmed from lost devices, unintended disclosures, and payment card fraud. Bitglass's Financial Services breach report is based on an analysis of all breaches in the financial services sector since 2006 with data aggregated from public databases and government mandated disclosures. "Financial institutions are prime targets for hackers and are rightfully concerned about the threat of cyber-attacks, device theft, and malicious insiders," said Nat Kausik, chief exec of Bitglass in a canned quote. "To stay one step ahead as data moves beyond the firewall, firms in this sector must encrypt cloud data at rest, control access by contextual risk, and protect data on unmanaged devices."