
Noam Liran, the chief software architect at Adallom, recently detected a flaw in Microsoft Office 365 that can easily expose account credentials through Word documents hosted on a web server, and that is currently invisible to existing anti-virus software.

What Specifically Is The Problem?

When a user downloads a document from a SharePoint server, the user is required to log in to their account first. The server then verifies the login credentials and issues an authentication token. Liran discovered that he can use his own server to copy the responses which are sent from the sharepoint.com domain server. At that point he can generate and fake the token. An attacker doing this can inject his code to connect to an untrusted web server and capture the user’s private Office 365 authentication token. This allows the attacker to go to the SharePoint site of the user’s organization and access anything they want without the user knowing. According to Liran, this is a perfect cyber crime in which the organization does not know it has been hit.

Microsoft has been working on this vulnerability, but at the time of this writing it still existed.

How would this work in the real world?

  • The user gets an e-mail asking them to review a document or visit a webpage. The document could be coupons, someone’s CV or a contract.
  • The user clicks on the link and is redirected to SharePoint, which asks to open the document in Word. If the user accepts, Word requests the document from the malicious webpage.
  • The malicious webpage in turn asks Word for an Office 365 token, and gives Word a legitimate-looking document in return. The attacker then has the Office 365 token and access to the organization’s data.


This is a serious potential threat to organizations and companies that use Office 365. Important company data can be stolen without anyone knowing. The attacker could also monitor data that may be confidential, and can also delete the data.

What Can I Do To Protect My Business?

Until Microsoft comes up with a solid solution to this vulnerability, users should not open any unknown or suspicious-looking emails. They should also check with known senders to verify the authenticity of an email. It is also important to avoid clicking on any unknown URLs and links or opening attached documents.

For further assistance, let your office IT support know about this vulnerability and stay ahead of a corporate data breach.

 

 


An easy hack that affects D-Link routers has recently been discussed in this article from devttys0.com. The writer of the article, Craig, goes through the steps of how the exploit works in great detail. If you are running a D-Link router in your home or office, should you be worried? We will go over a summary of the exploit here.

What’s the problem?

In a nutshell, anyone connected to your home or office network can change their browser’s user agent, a string that tells a website a little bit of information about the visiting computer, and gain access to change the main settings of your D-Link router. The user agent needs to be set to “xmlset_roodkcableoj28840ybtide”; the part after “xmlset_” is “Edit by 04882 Joel Backdoor” written backwards, further pointing to this being originally used as a backdoor to the D-Link settings.


Once an attacker is connected to your D-Link settings they can change passwords, network settings and wireless settings. A hardware reset should fix you right up if you are attacked.

How can I check my home/office wifi?

The first thing you want to do is to flip your D-Link router over and check if the model matches any of the following:

DIR-100
DI-524
DI-524UP
DI-604S
DI-604UP
DI-604+
TM-G5240

Several Planex routers also use the same firmware:

BRL-04UR
BRL-04CW

Even if your model number is not listed, there is no guarantee the D-Link or Planex router you are running will not have the same or similar problem. The exploit was tested on a specific version of the D-Link router software but there is no note of it being fixed. The only way to be 100% sure your D-Link device is not affected is to try the exploit explained in the above article yourself, or ask your office/home IT support staff.
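For the model check and the user agent described above, here is an added example (not from the original article or from D-Link) that looks up a label against the article's model list and searches HTTP logs for the backdoor user agent. It assumes that web traffic to the router is recorded by a proxy or network sensor in Apache "combined" log format; the log lines, addresses and function names are constructed for illustration.

```python
import re

# Backdoor User-Agent value quoted in the article.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Models the article lists (D-Link, plus Planex units on the same firmware).
AFFECTED_MODELS = {
    "DIR-100", "DI-524", "DI-524UP", "DI-604S", "DI-604UP", "DI-604+",
    "TM-G5240", "BRL-04UR", "BRL-04CW",
}

# Assumption: requests to the router are logged in Apache "combined" format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '192.168.0.23 - - [14/Oct/2013:09:12:01 -0700] "GET / HTTP/1.1" 401 312 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '192.168.0.57 - - [14/Oct/2013:09:14:44 -0700] "GET / HTTP/1.1" 200 4096 "-" "xmlset_roodkcableoj28840ybtide"',
    'malformed line without the expected fields',
    '192.168.0.57 - - [14/Oct/2013:09:15:02 -0700] "GET /index.htm HTTP/1.1" 200 128 "-" "XMLSET_ROODKCABLEOJ28840YBTIDE"',
]

def is_affected_model(label):
    """True if the model printed on the router's label is on the article's list."""
    return label.strip().upper() in AFFECTED_MODELS

def find_backdoor_requests(lines):
    """Return (line_no, source, request, status) for requests carrying the backdoor UA."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # skip lines that are not in combined format
        if BACKDOOR_UA in m.group("ua").lower():
            hits.append((line_no, m.group("src"), m.group("req"), int(m.group("status"))))
    return hits

def decode_marker(ua=BACKDOOR_UA):
    """Reverse the part after 'xmlset_' to show the text hidden in the string."""
    return ua.partition("_")[2][::-1]

if __name__ == "__main__":
    print(is_affected_model("di-524up"))
    print(find_backdoor_requests(SAMPLE_LOG))
    print(decode_marker())
```

A hit with a 200 status from a device that has no reason to manage the router is the case to investigate first.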

What to do if I am running an affected router?

You do have a few options if you are running a D-Link router that could be vulnerable.

1. Make sure the settings of your router are not accessible from the internet. This will help prevent attackers from the internet, but if someone is connected to your wifi or network in your home or office you are still vulnerable.

2. Replace your D-Link router with a model that is not affected. This may be the only guaranteed way to avoid becoming a victim.

Onsite PC Solution is based in San Jose, California and provides small and medium sized business IT support.



 


A recent article in the German computer security magazine c’t has exposed infections on wireless routers running custom router software called DD-WRT. What does this mean for your office network? If your office wireless router is running DD-WRT and has not been updated since 2009, your entire office network and everyone who connects to your wifi can be at risk of having their private data stolen. Let’s look deeper into the problem:


What are the risks?

If your router is infected, every person who connects to your wifi can have their usernames, passwords, bank login information, credit card information, or any information they type in and send over the internet stolen. The virus writers then receive this information and either use it to steal corporate data, commit credit card fraud, or sell the information on the black market.

What is DD-WRT?

Most wireless router manufacturers lock away features of your router and sell it at a lower price point. They then take the same hardware and repackage it at a higher price, only unlocking those features. DD-WRT is custom open-source software that runs on your office wireless routers in place of the limited software that came with your router. It unlocks all of the features and options that were originally unavailable to you, unleashing the true potential of your wireless router.

How do I know if I have DD-WRT?

DD-WRT can be shipped with the wireless router, or it can be installed manually. The quickest way to check if you have DD-WRT installed on your office wireless devices is to ask your office IT person. If they aren’t easily accessible, you can attempt to check yourself using the following steps on a Windows XP/Vista/7 and above computer:

1. Run IP Config and get your Default Gateway.


On Windows XP/Vista, click on Start then Run and type “cmd” without the quotes and press Enter.


On Windows 7, go to Start and type in “cmd” without the quotes into the Search Programs and Files box and press enter.

Follow these steps to open “cmd” on a Windows 8 computer.

2. In the cmd window, type “ipconfig” without the quotes and press enter.

[Screenshot: ipconfig output]

You should see something similar to the above screen. Make note of the Default Gateway value.

3. Check for DD-WRT and the version it is running.

[Screenshot: checking for DD-WRT]

Open your favorite web browser, and enter only the Default Gateway numbers into the address bar and press enter.

If you see the above screen load, you have a wireless router with DD-WRT installed. Now check the DD-WRT date at the top right corner. If it is dated 2009 or earlier, you are vulnerable.

If you are still not sure, contact your office IT person to confirm.
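The three steps above, as an added example (not part of the original article or of DD-WRT): it pulls the IPv4 Default Gateway out of saved ipconfig output, including the case where Windows lists an IPv6 gateway first, and applies the "2009 or earlier" rule to the text copied from the router page. The ipconfig text is constructed, and the (MM/DD/YY) date format and the function names are assumptions.

```python
import ipaddress
import re

# Constructed ipconfig output (not captured from a real machine).
SAMPLE_IPCONFIG = """\
Wireless LAN adapter Wireless Network Connection:
   Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.104
   Default Gateway . . . . . . . . . : fe80::1%11
                                       192.168.1.1
"""
# Assumption: the DD-WRT header shows its build date as (MM/DD/YY).
BUILD_DATE_RE = re.compile(r"\((0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(\d{2})\)")

def _parse_ip(token):
    try:
        return ipaddress.ip_address(token.strip().split("%")[0])
    except ValueError:
        return None  # not an address (field label, blank line, ...)

def default_gateways(ipconfig_text):
    """IPv4 gateways from ipconfig output, including continuation lines."""
    found, in_block = [], False
    for line in ipconfig_text.splitlines():
        if "Default Gateway" in line:
            in_block, token = True, line.partition(":")[2]
        elif in_block and _parse_ip(line) is not None:
            token = line  # extra address listed under the same field
        else:
            in_block = False
            continue
        addr = _parse_ip(token)
        if addr is not None and addr.version == 4 and str(addr) not in found:
            found.append(str(addr))
    return found

def dated_2009_or_earlier(header_text):
    """Apply the article's rule; None means no build date was found."""
    m = BUILD_DATE_RE.search(header_text)
    if m is None:
        return None
    return 2000 + int(m.group(3)) <= 2009  # two-digit year read as 20YY

if __name__ == "__main__":
    print(default_gateways(SAMPLE_IPCONFIG))
    print(dated_2009_or_earlier("DD-WRT v24-sp2 (03/15/09) std"))  # constructed
```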

What do I do if my wifi is vulnerable?

Since DD-WRT is supported by a volunteer community, testing can be limited, allowing bugs to pass to the public. Unfortunately, since this virus is so new, there is no guaranteed way to check if a router is infected with it. The best course of action is to update the DD-WRT software on the router, or to use a router that does not have DD-WRT.
