Mozilla Releases Security Update

Original release date: November 28, 2016

Mozilla has released a security update to address a vulnerability in Firefox versions 49 and 50. A remote attacker could exploit this vulnerability to take control of an affected system.

Available updates include:

  • Firefox 50.0.1   

Users and administrators are encouraged to review the Mozilla Security Advisory for Firefox and apply the necessary update.

This product is provided subject to this Notification and this Privacy & Use policy.

Newly discovered router flaw being hammered by in-the-wild attacks


Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers.

Routers provided to German and Irish ISP customers for Deutsche Telekom and Eircom, respectively, have already been identified as being vulnerable, according to recently published reports from researchers tracking the attacks. The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers. The devices leave Internet port 7547 open to outside connections. The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware. According to this advisory published Monday morning by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploits every five to 10 minutes.

SANS Dean of Research Johannes Ullrich said in Monday's post that exploits are almost certainly the cause behind an outage that hit Deutsche Telekom customers over the weekend. In a Facebook update, officials with the German ISP said 900,000 customers are vulnerable to the attacks until they are rebooted and receive an emergency patch. Earlier this month, researchers at security firm BadCyber reported that the same one-two port 7547/TR-064 exploit hit the home router of a reader in Poland. They went on to identify D1000 routers supplied by Eircom as also being susceptible and cited this post as support. The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world.

Read 8 remaining paragraphs | Comments

Darknet – The Darkside 2016-11-28 15:03:45

Pulled Pork is a PERL based tool for Suricata and Snort rule management – it can determine your version of Snort and automatically download the latest rules for you. The name was chosen because simply speaking, it Pulls the rules. Using a regular crontab you can keep your Snort or Suricata rules up to date […] The post Pulled Pork –...

Read the full post at

Ransomware locks up San Francisco public transportation ticket machines

Enlarge (credit: YouTube)

Black Friday was a black day for San Francisco's Municipal Transportation Agency, as an apparent crypto-ransomware infection spread across the Muni system's networks, taking down ticketing for Muni's train stations and systems used to manage the city's buses. The operator of the ransomware demanded $73,000 in exchange for restoration of Muni's data, according to a report from the San Francisco Examiner.

The malware's effects were visible on screens in station agents' booths at multiple Muni train stations, which displayed the message, "You Hacked, ALL Data Encrypted." The ransom message gave an e-mail address ([email protected]) that has been tied to ransomware attacks with variants of malware known as Mamba and HDDCryptor, a class of crypto-ransomware first identified from different samples in September by Morphus Labs and Trend Micro.

A mash-up of some basic malware code with open source and freeware Windows software, HDDCryptor goes after the entire network of its victims—encrypting entire local and networked drives. The malware uses an open source disk encryption tool called DiskCryptor and identifies physical and network shares to encrypt using Windows' "GetLogicalDrives" volume management function. It also uses code from the free network password recovery software Netpass.exe. HDDCryptor then overwrites the Master Boot Record of the infected machine—in some cases forcing a reboot of the system—to display its message.

Read 3 remaining paragraphs | Comments