Monday, August 29, 2011

You DO Have UPnP Disabled On Your Home Router, Right?

Unfortunately, the answer is probably "no" if you haven't explicitly turned it off. UPnP stands for Universal Plug and Play, a technology built into most or all home routers. Its purpose is to make the configuration of the router by new hardware that you add to your network as hands-off as possible. For instance, the XBox360 uses it to open certain ports (essentially, holes) on the router's firewall so that the XBox can talk to the XBox LIVE mothership and let you play games with your friends on the internet.

UPnP was, at one time, turned on by default in most routers. I don't know if that's still the case, but you should go find out... read on.

In a very early post to this blog I put forth a list of things that you should do to improve the security of your home network. Turning off the router's UPnP was one of those suggestions, the reason being that if you have a machine on your network that gets infected with certain kinds of malware, that program can leverage the UPnP on your router to open up whatever ports on your firewall it wants to. This can allow the malware to easily communicate with its "command and control" master Somewhere Out There On The Internet and receive instructions about what bad things to do to your network and also other networks out there. Examples of what it could do: join up with a "botnet" of other infected machines (not necessarily on your network); steal personal (e.g. financial) data from the infected machine and other machines on your network; send out massive amounts of spam and/or phishing email; and work with the botnet to mount "denial of service" attacks on whomever the botnet's owners are displeased with.

But that is not what prompted me to make this post. There is a newly discovered, additional vulnerability that exists in certain routers (e.g. several very popular models made by Linksys – one of those being the router that I run my home network on!). It turns out that on those routers, the UPnP functionality can be accessed not only from the "LAN side" of the router (i.e. the side that all of your home computers and other devices are connected to, either wired or wirelessly), but also from the WAN (Wide Area Network) side – which is the side that's connected to the Internet. This means that the bad guys don't have to infect a system on your LAN – they can attack the router directly from the WAN side and turn on ports willy nilly, effectively opening up your LAN (home network) to their bag of tricks.

To be clear: this is really really bad. The researcher that discovered this issue, Daniel Garcia, wrote a freely downloadable utility called UMap that found over 600,000 vulnerable routers, out of about 7 million, or almost ten percent of the routers scanned.

The good news is that you can protect your network against these external attacks by (heard this before?) disabling UPnP on your router. And, chances are that you'll never know it's turned off, unless you have one or more devices on your network (like the XBox360) that need to have specific ports opened on the router's firewall in order to work properly. In my opinion you should still turn UPnP off and open those ports manually.

If you have something on your network that needs one or more ports open, the procedure to do so manually varies between router manufacturers, so you'll have to consult the router's manual on how to do so. Look for "opening ports" or "port forwarding". The general idea is that you're going to open one or more ports, or in some cases a range of ports, for a specific IP address (for our example, that of your XBox360). Here are the ports that it needs open in order to talk with the XBox LIVE portal:
  • Port 88 (UDP)
  • Port 3074 (UDP and TCP)
  • Port 53 (UDP and TCP)
  • Port 80 (TCP)
On my WRT54G, setting these ports for an XBox360 that has an IP address of looks like this:

You don't need to open port 80, as it's the port that HTTP works over, and you wouldn't be able to see any web pages if it wasn't open!! So the router opens it automatically.

One final note: once ports are opened/forwarded, they'll stay that way until you close them. It's recommended that you never have any more ports opened at a time than you really need. Trust me, there are nefarious parties out there using automated software to scan every IP address they can find for open ports, particularly some of the ones that can be easily used to do Bad Things (e.g. Microsoft's Remote Desktop, which uses port 3389). An open port is potentially a first step in hacking into a network.
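Since a router's UPnP mappings survive until something removes them, it helps to be able to list what is actually open and compare it with what you opened on purpose. The script below is an added example and is not part of the original post or of any router vendor's software. It builds the standard WANIPConnection:1 `GetGenericPortMappingEntry` SOAP request that UPnP clients use to walk a router's mapping table, parses the replies, and audits the result against a per-host allowlist built from the XBox360 ports listed above, flagging anything else, with a special note for port 3389. The router replies used here are constructed, the IP addresses are placeholders, and sending the request to a real router (HTTP POST to the IGD control URL) is left to the reader.

```python
"""Audit the port mappings a UPnP IGD router currently holds (added example)."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
UPNP_ERR_NS = "urn:schemas-upnp-org:control-1-0"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Ports the post lists for the XBox360 (port 80 is left to the router itself).
XBOX_PORTS = {(88, "UDP"), (3074, "UDP"), (3074, "TCP"), (53, "UDP"), (53, "TCP")}
# Service the post singles out as a favourite target when left open.
RISKY_PORTS = {3389: "Microsoft Remote Desktop"}


def build_request(index: int) -> str:
    """SOAP body asking the router for mapping number `index` (0-based)."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:GetGenericPortMappingEntry xmlns:u="{WANIP_NS}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    )


def parse_response(xml_text: str):
    """Return one mapping as a dict, or None when the router reports error 713
    (SpecifiedArrayIndexInvalid), which marks the end of the mapping table."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")
    err = body.find(f".//{{{UPNP_ERR_NS}}}errorCode")
    if err is not None:
        if err.text.strip() == "713":
            return None
        raise RuntimeError(f"IGD error {err.text.strip()}")
    resp = body.find(f"{{{WANIP_NS}}}GetGenericPortMappingEntryResponse")
    fields = {child.tag: (child.text or "").strip() for child in resp}
    return {
        "ext_port": int(fields["NewExternalPort"]),
        "proto": fields["NewProtocol"].upper(),
        "client": fields["NewInternalClient"],
        "int_port": int(fields["NewInternalPort"]),
        "enabled": fields["NewEnabled"] == "1",
        "desc": fields["NewPortMappingDescription"],
    }


def audit(mappings, allowlist):
    """Flag every enabled mapping not on the allowlist.

    allowlist maps an internal IP to the set of (port, protocol) pairs that were
    opened on purpose; everything else is reported, with the service name when
    the port is one the post calls out as dangerous."""
    findings = []
    for m in mappings:
        if not m["enabled"]:
            continue
        allowed = allowlist.get(m["client"], set())
        if (m["int_port"], m["proto"]) in allowed and m["ext_port"] == m["int_port"]:
            continue
        why = RISKY_PORTS.get(m["int_port"], "not on the allowlist")
        findings.append((m["client"], m["ext_port"], m["proto"], m["desc"], why))
    return findings


def _reply(ext, proto, client, internal, desc, enabled="1"):
    # Constructed router reply in the shape defined by WANIPConnection:1.
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_NS}">'
        '<NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{ext}</NewExternalPort><NewProtocol>{proto}</NewProtocol>'
        f'<NewInternalPort>{internal}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
    )


END_OF_TABLE = (  # constructed 713 fault, what the router sends past the last index
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
    '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
    f'<detail><UPnPError xmlns="{UPNP_ERR_NS}"><errorCode>713</errorCode>'
    '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription>'
    '</UPnPError></detail></s:Fault></s:Body></s:Envelope>'
)

SAMPLE_REPLIES = [  # constructed: one legitimate mapping and two surprises
    _reply(3074, "UDP", "192.168.1.50", 3074, "Xbox 360"),
    _reply(3389, "TCP", "192.168.1.10", 3389, "RDP"),
    _reply(6881, "TCP", "192.168.1.20", 6881, "torrent client"),
    END_OF_TABLE,
]


def walk_table(replies):
    """Consume replies in index order, stopping at the 713 end marker."""
    mappings = []
    for r in replies:
        m = parse_response(r)
        if m is None:
            break
        mappings.append(m)
    return mappings


def sample_findings():
    return audit(walk_table(SAMPLE_REPLIES), {"192.168.1.50": XBOX_PORTS})


if __name__ == "__main__":
    for client, port, proto, desc, why in sample_findings():
        print(f"{port}/{proto} -> {client} ({desc}): {why}")
```

Run against the constructed replies it reports the 3389/TCP and 6881/TCP mappings and stays quiet about the XBox360 entry. A mapping whose external port differs from the internal one is reported even for an allowlisted pair, because that is not the rule you configured by hand.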


Wednesday, June 8, 2011

RSA Security Dongles Are Compromised

For quite a while now I've been using a couple of those "dongles" that some banks make available (sometimes for free) to increase the security of my financial accounts - one works with my credit union and with PayPal, and the other with E*Trade. These devices have an LCD display that shows a six-digit number that changes every minute or so; when I log into the banking site it will ask me for the number that the dongle is currently showing, in addition to my password.

The bank has software that generates the same sequence of strings of numbers, based on the serial number of my particular device, so that they can verify the number I've entered.

This is known as multi-factor authentication, where the password is one factor and the dongle's currently shown number is another. (There are also software versions of the dongle that run on the iPhone, etc.) This multi-factor approach can, when done right (see below), offer a tremendous amount of login security and in fact they are used by various gub'ment agencies and the military.

The dongle for my E*Trade account is made by a company called RSA. They are (or were?) a highly-respected company in the information security business. However, a few weeks back someone managed to break into their computer network and steal a bunch of data related to the dongle technology. They were very mum about just what was stolen for quite a while, but yesterday they finally admitted that the devices are compromised, and in fact just last week there was a cyber-breakin at Lockheed-Martin that was made possible by the RSA breach.

So, will I continue to use my RSA dongle? Yes I will - but the password that I use with it is a reasonably robust one so even if the bad guys can predict what number my RSA gizmo is going to spit out next, they still won't have my password. Also, I can't imagine that the people that stole the RSA tech are going to be coming after my measly bank accounts when there are far juicier targets out there. But I will say yet again that you should always use strong passwords for financial sites and such.
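To make the two-factor mechanism above concrete, here is an added example (not code from RSA or from the original post) of a time-based one-time code scheme built on the published RFC 4226 HOTP and RFC 6238 TOTP standards. SecurID uses its own proprietary algorithm, so this is a stand-in for the principle, not RSA's implementation: the dongle and the bank share a per-device seed, both derive the displayed code from that seed and the current time, and the server checks the code alongside the password. The seed is the RFC 6238 test vector and the password and salt are constructed; the `login` function shows the point made above, that someone holding a stolen seed can compute the code yet still fails without the password.

```python
"""Shared-seed one-time codes plus a password: two-factor login (added example)."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default; a SecurID dongle steps once a minute
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(seed: bytes, unix_time: int) -> str:
    """The number the dongle's LCD shows at the given time."""
    return hotp(seed, unix_time // STEP_SECONDS)


def code_is_valid(seed: bytes, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Bank side: accept the current code or one step either side for clock drift.
    Compare in constant time so a wrong guess leaks nothing through timing."""
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(seed, counter + d), submitted)
        for d in range(-drift_steps, drift_steps + 1)
    )


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the stored password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account record: seed is the RFC 6238 test seed, password is made up.
SEED = b"12345678901234567890"
SALT = b"constructed-salt-value"
ACCOUNT = {"seed": SEED, "salt": SALT, "pw_hash": hash_password("correct horse battery", SALT)}


def login(account: dict, password: str, code: str, unix_time: int) -> bool:
    """Both factors are always evaluated; a stolen seed yields a valid `code`
    but not the password, so the login still fails."""
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]), account["pw_hash"])
    code_ok = code_is_valid(account["seed"], code, unix_time)
    return all([pw_ok, code_ok])


if __name__ == "__main__":
    now = 59
    shown = totp(SEED, now)
    print("dongle shows", shown)
    print("legit user  ", login(ACCOUNT, "correct horse battery", shown, now))
    print("seed thief  ", login(ACCOUNT, "guess", shown, now))
```

The codes match the RFC 6238 test vectors (time 59 gives 287082 with this seed), so you can check the arithmetic against the standard. The drift window is what lets a dongle whose clock has slipped a little keep working; the bank has to balance that convenience against the slightly larger set of codes it accepts at any moment.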

By the way - RSA, in its ongoing damage control efforts, announced that it will provide replacements for the forty million dongles that they have sold, on a request basis. Ouch!

I'll close with a little editorial: As an RSA SecurID user, I have watched this whole thing unfold from the beginning with interest, and to this day RSA continues to (try to) reassure its customers that Everything Is OK, that their technology is safe and sound, blah blah blah - just like they did when the breach was first discovered. I will opine that the more often a company makes those assurances in a situation like this, the more concerned we should become. I suspect they're more concerned with their stock price than the security of their customer base...

Hmmm, am I being overly cynical here?

Tuesday, May 3, 2011

Free! (Fake) Antivirus Software!

Hopefully you've heard about the plethora of fake AV programs making the rounds these days that are used to infect PCs -- I have come across this kind of thing three times in the last couple weeks and it's pretty impressive how the crooks manage to hijack the browser. Let's take a look at how it goes down.

Let's say you're looking for images of, oh say some famous person that just got capped, and Google reports back with a bunch. You click on one, and -- well, because the one you picked points to a site that has been compromised, the fun begins.

From this point on, you're pretty much just along for the ride. No matter what you click on in that dialog -- even the "X" that's supposed to close the window -- you will end up with a free malware scan of your system! How generous! Except that it's not really scanning anything.

That screen will crank along, pretending to find a whole slew of bad things on your system, and will eventually display this "window", saying that 405 files were found, and that you can download something called Windows Defender:

Once again, it doesn't matter what you click on -- the "Windows Security Alert" is not actually a conventional Windows dialog, it's just a simulated one that is really one big clickable area. Assuming you don't have "automatically download files" turned on in your browser (please tell me you don't), after clicking pretty much anywhere, you'll get something like this -- but don't press Run for crying out loud!:

Hopefully by this time you've realized that things are not what they seem to be, so you decide to close and restart your browser. Nope, not gonna happen - from the point that you get that free "scan", any effort to close the browser results in

At that point the only way to close IE is to use the Windows Task Manager and do an "End Task" on it.

This whole chain of events depends on something called "scripting", which allows websites to automate some behaviors in the browser. By default, IE uses its "Medium High" security setting for Internet web sites, but this setting will allow the above sequence of events to occur. You could set IE to "High" but that locks things down to the point where the web is not very usable.

So yet again I will recommend using something other than IE as your default browser; as I've said at least a couple times my favored setup is Firefox with the NoScript plugin. If you're reading this in IE, don't wait another minute to go to Install that and then go to and install that. By default, NoScript blocks all scripted behavior but with some simple clicks you can either temporarily or permanently allow the various scripting elements that most websites need to work. The latter option causes NoScript to remember the pages that you've allowed so that the next time you go to one it will behave the way you want it to without having to Allow it again.

Firefox can import all of your IE Favorites (bookmarks) very quickly, and then you can set it to be your default browser by going to Options in Firefox > General tab and enabling "Always check to see if Firefox is the default browser on startup".

Finally: even without NoScript, the fake AV thing doesn't work in Firefox - apparently this malware is targeted at IE only.