Securing Home and Small Business Routers

Original release date: December 15, 2015

Home and Small Business routers have become the ideal target for attackers seeking to gain control over a user's gateway to the Internet. Router misconfigurations (e.g., default credentials, interfaces open to the Internet) or the lack of security precautions (e.g., absence of updates) may make users susceptible to exploitation. Once an attacker gains unauthorized access to a vulnerable router, they may be able to obtain sensitive information from a user's computer or perform other attacks. Users and administrators are encouraged to review Security Tip ST15-002 for guidance on how to secure home and small business routers.

Additionally, the Carnegie Mellon CERT Coordination Center (CERT/CC) continues to test small office and home office (SOHO) routers for vulnerabilities. US-CERT encourages users and administrators to review CERT/CC Router Vulnerability Notes for information on recently found vulnerabilities in some routers.


This product is provided subject to this Notification and this Privacy & Use policy.


Internet Systems Consortium (ISC) Releases Security Updates for BIND

Original release date: December 15, 2015

ISC has released security updates to address vulnerabilities in BIND. Exploitation of these vulnerabilities may allow a remote attacker to cause a denial-of-service condition.

Available updates include:

  • BIND 9 version 9.9.8-P2
  • BIND 9 version 9.10.3-P2
  • BIND 9 version 9.9.8-S3

Users and administrators are encouraged to review ISC Knowledge Base Article AA-01317 and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.


Wish list app from Target springs a major personal data leak

(credit: Chris)

The next time a friend or family member asks you to install a gift-registry app, remember this: the app is almost certainly soaking up lots of your personal details. In the case of one such app from retailing giant Target, it's more than happy to make those details public. Witness the following:

(credit: Avast)

According to researchers from security firm Avast, the database storing the names, e-mail addresses, home addresses, phone numbers, and wish lists of Target customers is available to anyone who figures out the app's publicly available programming interface. In a blog post published Tuesday, they wrote:

If you created a Christmas wish list using the Target app, it might be accessible to more people than you want to actually receive gifts from. The Target app keeps a database of users’ wish lists, names, addresses, and e-mail addresses. But your closest family and friends may not be the only ones who know you want a new suitcase for your upcoming cruise!

To our surprise, we discovered that the Target app’s Application Program Interface (API) is easily accessible over the Internet. An API is a set of conditions where if you ask a question it sends the answer. Also, the Target API does not require any authentication. The only thing you need in order to parse all of the data automatically is to figure out how the user ID is generated. Once you have that figured out, all the data is served to you on a silver platter in a JSON file.

The JSON file we requested from Target’s API contained interesting data, like users’ names, e-mail addresses, shipping addresses, phone numbers, the type of registries, and the items on the registries. We did not store any personal information, but we did aggregate data from 5,000 inputs, enough for statistical analysis.

Officials for Target weren't immediately available for comment. This post will be updated if they respond later.

Read 1 remaining paragraphs | Comments

Mozilla Releases Security Updates for Firefox and Firefox ESR

Original release date: December 15, 2015

The Mozilla Foundation has released security updates to address vulnerabilities in Firefox and Firefox ESR. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

Available updates include:

  • Firefox 43
  • Firefox ESR 38.5

US-CERT encourages users and administrators to review the Security Advisories for Firefox and Firefox ESR and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.