Saturday, September 15, 2012

Somebody's Knockin' on the Door

Recently, I set up a Synology DS-112j Diskstation NAS (Network Addressable Storage Device) box at our 2nd home in Hawaii to store remote backups from the very similar DS-112 Diskstation that's on my main home network in California. In order to get backups to work I had to open some ports on the Hawaii modem/router's firewall; one of them is port 22 which is used for SSH (SSL-based secure shell) logins and encrypted file transfer.

The Diskstation has an Auto-Block feature that will "black-list" any IP address that attempts to connect to it "x" number of times in "y" minutes; I configured it to block any IP that tries 10 times in 5 minutes. In just three days, I had six addresses blocked. Details are below; I did "whois" lookups on all of them to see who they belong to:

Host [117.79.91.252] has been blocked at [Tue Sep 4 10:03:02 2012]: Beijing Sanxin Shidai Co.Ltd

Host [190.145.23.98] has been blocked at [Mon Sep 3 20:58:44 2012]: Telmex Colombia S.A.

Host [203.217.144.17] has been blocked at [Mon Sep 3 09:52:59 2012]: RVRNET-IN (Hyderabad)

Host [119.226.139.254] has been blocked at [Mon Sep 3 03:39:38 2012]: SIFYNET (India)

Host [61.136.171.198] has been blocked at [Sun Sep 2 19:17:00 2012]: CHINANET Hubei province network

Host [74.50.27.101] has been blocked at [Sun Sep 2 16:00:14 2012]: ADDD2NET-DOT-COM -- Anaheim, CA

What I believe we're seeing here is automated software scanning WAN IP addresses for common open ports (FTP, SSH, etc.), and upon finding one, the software does password "dictionary"-based login attempts (i.e. using very large lists of common passwords). What do they do once they "get in"? I have no specific idea, but I would assume that they then use LAN-targeted software to scan for other computers on the LAN, shared drives, personal/financial data, etc. and then they suck up whatever they can find. And then, they probably sell it. OR they attempt to install malware on machines that are not running firewalls and/or anti-malware software (such as Microsoft Security Essentials, which is what I use since it's free and pretty good).

Fortunately I use very robust passwords on all of my routers, NAS devices, etc. but I have to admit it's still a bit unnerving to have these guys banging on my NAS's door 24/7. So I'm really liking the Auto-Block feature!

At any rate, I think the implications are clear -- keep your router(s) locked down to only have open ports that are required for whatever you need to get done. You can do an external port scan of your home network using this page -- it has various kinds of scans, and you can get an idea of the "surface area" of your home network's exposure to the internet.

Monday, August 29, 2011

You DO Have UPnP Disabled On Your Home Router, Right?

Unfortunately, the answer is probably "no" if you haven't explicitly turned it off. UPnP stands for User Plug 'n Play, which is a technology built into most or all home routers. Its purpose is to make the configuration of the router by new hardware that you add to your network as hands-off as possible. For instance, the XBox360 uses it to open certain ports (essentially, holes) on the router's firewall so that the XBox can talk to the XBox LIVE mothership and let you play games with your friends on the internet.

UPnP was, at one time, turned on by default in most routers. I don't know if that's still the case, but you should go find out... read on.

In a very early post to this blog I put forth a list of things that you should do to improve the security of your home network. Turning off the router's UPnP was one of those suggestions, the reason being that if you have a machine on your network that gets infected with certain kinds of malware, that program can leverage the UPnP on your router to open up whatever ports on your firewall that it wants to. This can allow the malware to easily communicate with its "command and control" master Somewher Out There On The Internet and receive instructions about what bad things to do to your network and also other networks out there. Examples of what it could do: join up with a "botnet" of other infected machines (not necessarily on your network); steal personal (e.g. financial) data from the infected machine and other machines on your network; send out massive amounts of spam and/or phishing email; and work with the botnet to mount "denial of service" attacks on whomever the botnet's owners are displeased with.

But that is not what prompted me to make this post. There is a newly discovered, additional vulnerability that exists in certain routers (e.g. several very popular models made by Linksys – one of those being the router that I run my home network on!). It turns out that on those routers, the UPnP functionality can be accessed not only from the "LAN side" of the router (i.e. the side that all of your home computers and other devices are connected to, either wired or wirelessly), but also the WAN (Wide Area Network) side – which is the side that's connected to the Internet. This means that the bad guys don't have to have to infect a system on your LAN – they can attack the router directly from the WAN side and turn on ports willy nilly, effectively opening up your LAN (home network) to their bag of tricks.

To be clear: this is really really bad. The researcher that discovered this issue, Daniel Garcia, wrote a freely downloadable utility called UMap that found over 600,000 vulnerable routers, out of about 7 million, or almost ten percent of the routers scanned.

The good news is that you can protect your network against these external attacks by (heard this before?) disabling UPnP on your router. And, chances are that you'll never know it's turned off, unless you have one or more devices on your network (like the XBox360) that needs to have specific ports opened on the router's firewall in order to work properly. In my opinion you should still turn UPnP off and open those ports manually.

If you have something on your network that needs one or more ports open, the procedure to do so manually varies between router manufacturers, so you'll have to consult the router's manual on how to do so. Look for "opening ports" or "port" forwarding. The general idea is that you're going to open one or more ports, or in some cases a range of ports, for a specific IP address (for our example, that of your XBox360). Here are the ports that it needs open in order to talk with the XBox LIVE portal:
  • Port 88 (UDP)
  • Port 3074 (UDP and TCP)
  • Port 53 (UDP and TCP)
  • Port 80 (TCP)
On my WRT54G, setting these ports for an XBox360 that has an IP address of 192.168.2.112 looks like this:


You don't need to open port 80, as it's the port that HTTP works over, and you wouldn't be able to see any web pages if it wasn't open!! So the router opens it automatically.

One final note: once ports are opened/forwarded, they'll stay that way until you close them. It's recommended that you never have any more ports opened at a time than you really need. Trust me, there are nefarious parties out there using automated software to scan every IP address they can find for open ports, particularly some of the ones that can be easily used to to Bad Things (e.g. Microsoft's Remote Desktop, which uses port 3389). An open port is potentially a first step in hacking into a network.

References:


Wednesday, June 8, 2011

RSA Security Dongles Are Compromised

For quite a while now I've been using a couple of those "dongles" that some banks make available (sometimes for free) to increase the security of my financial accounts - one works with my credit union and with PayPal, and the other with E*Trade. These devices have an LCD display that shows a six-digit number that changes every minute or so; when I log into the banking site it will ask me for the number that the dongle is currently showing, in addition to my password.

The bank has software that generates the same sequence of strings of numbers, based on the serial number of my particular device, so that they can verify the number I've entered.

This is known as multi-factor authentication, where the password is one factor and the dongle's currently shown number is another. (There are also software versions of the dongle that run on the iPhone, etc.) This multi-factor approach can, when done right (see below), offer a tremendous amount of login security and in fact they are used by various gub'ment agencies and the military.

The dongle for my E*Trade account is made by a company called RSA. They are (or were?) a highly-respected company in the information security business. However, a few weeks back someone managed to break into their computer network and steal a bunch of data related to the dongle technology. They were very mum about just what was stolen for quite a while, but yesterday they finally admitted that the devices are compromised, and in fact just last week there was a cyber-breakin at Lockheed-Martin that was made possible by the RSA breach.

So, will I continue to use my RSA dongle? Yes I will - but the password that I use with it is a reasonably robust one so even if the bad guys can predict what number my RSA gizmo is going to spit out next, they still won't have my password. Also, I can't imagine that the people that stole the RSA tech are going to be coming after my measly bank accounts when there are far juicier targets out there. But I will say yet again that you should always use strong passwords for financial sites and such.

By the way - RSA, in its ongoing damage control efforts, announced that it will provide replacements for the forty million dongles that they have sold, on a request basis. Ouch!

I'll close with a little editorial: As an RSA SecurID user, I have watched this whole thing unfold from the beginning with interest, and to this day RSA continues to (try to) reassure its customers that Everything Is OK, that their technology is safe and sound, blah blah blah - just like they did when the breach was first discovered. I will opine that the more often a company makes those assurances in a situation like this, the more concerned we should become. I suspect they're more concerned with their stock price than the security of their customer base...

Hmmm, am I being overly cynical here?

Tuesday, May 3, 2011

Free! (Fake) Antivirus Software!

Hopefully you've heard about the plethora of fake AV programs making the rounds these days that are used to infect PCs -- I have come across this kind of thing three times in the last couple weeks and it's pretty impressive how the crooks manage to hijack the browser. Let's take a look at how it goes down.

Let's say you're looking for images of, oh say some famous person that just got capped, and Google reports back with a bunch. You click on one, and -- well, because the one you picked points to a site that has been compromised, the fun begins.


From this point on, you're pretty much just along for the ride. No matter what you click on in that dialog -- even the "X" that's supposed to close the window -- you will end up with a free malware scan of your system! How generous! Except that it's not really scanning anything.

That screen will crank along, pretending to find a whole slew of bad things on your system, and will eventually display this "window", saying that 405 files was found, and that you can download something called Windows Defender:

Once again, it doesn't matter what you click on -- the "Windows Security Alert" is not actually a conventional Windows dialog, it's just a simulated one that is really one big clickable area. Assuming you don't have "automatically download files" turned on in your browser (please tell me you don't), after clicking pretty much anywhere, you'll get something like this -- but don't press Run for crying out loud!:


Hopefully by this time you've realized that things are not what they seem to be, so you decide to close and restart your browser. Nope, not gonna happen - from the point that you get that free "scan", any effort to close the browser results in


At that point the only way to close IE is to use the Windows Task Manager and do an "End Task" on it.

This whole chain of events depends on something called "scripting", which allows websites to automate some behaviors in the browser. By default, IE uses its "Medium High" security setting for Internet web sites, but this setting will allow the above sequence of events to occur. You could set IE to "High" but that locks things down to the point where the web is not very usable.

So yet again I will recommend using something other than IE as your default browser; as I've said at least a couple times my favored setup is Firefox with the NoScript plugin. If you're reading this in IE, don't wait another minute to go to http://www.mozilla.com/firefox/. Install that and then go to http://noscript.net/ and install that. By default, NoScript blocks all scripted behavior but with some simple clicks you can either temporarily or permanently allows the various scripting elements that most websites have to work. The latter option causes NoScript to remember the pages that you've allowed so that the next time you go to one it will behave the way you want it to without having to Allow it again.

Firefox can import all of your IE Favorites (bookmarks) very quickly, and then you can set it to be your default browser by going to Options in Firefox > General tab and enabling "Always check to see if Firefox is the default browser on startup".

Finally: even without NoScript, the fake AV thing doesn't work in Firefox - apparently this malware is targeted at IE only.

Thursday, December 30, 2010

I Gotcher Security/Privacy Checklist for 2011 Right Here, Pal

Another year, another cou-ple dollars, another couple or three or six hundred serious security flaws in Windows/MacOS X/*nix/Adobe Reader/Adobe Flash/Photoshop/Microsoft Office/Internet Explorer/Safari/Firefox/JavaScript/etc/etc that have been (and in many cases, still are) leveraged by the crooks to separate you from your money and personal/private information.

With the roller coaster ride known as 2010 winding down, I thought I'd summarize many of the things I've posted about thus far in a "yearly review" item - let's call it the 2011 12-Step Internet Security and Privacy Checklist:

1. STOP USING IE. Assuming you're a Windows user - surely you're not still using Internet Explorer as your default browser? (Mac-o-philes need not smirk here - I will predict that Safari will become more and more targeted by the criminal world; you have been warned.) I suggest Firefox + the NoScript plugin, or possibly Google Chrome + its NotScript plugin - although I have far less experience with Chrome so I can't unequivocally recommend it.

2. STAY UPDATED. No matter what your operating system is, make sure it's always got the latest updates. Windows can be configured to automatically download and install priority updates, or just download them and let you know that they're ready. I suggest at least the latter. The same goes for whatever browser(s) you use. (Chrome doesn't give you a choice - it updates itself transparently whenever a new version is published.)

3. FIX YER ACROBAT/READER SOFTWARE. If you use Adobe Acrobat or Adobe Reader to view .pdf files, (a) update to the latest "X" version, and then immediately do this:
  • open Edit > Preferences
  • in the JavaScript part, turn off "Enable Acrobat JavaScript"
  • in the Trust Manager part, turn off "Allow opening of non-PDF file attachments with external applications"
If you're running version 9 and don't want to update to version X*, please do still do the above steps.

Adobe continues to doggedly leave these things turned on by default in each new version of Acrobat and Reader, which is just plain irresponsible on their part.

* that link points at an installer that doesn't require you to first load the !@#$% Adobe Download Manager. Just say NO to ADM.

4. Another thing about Acrobat and Reader - there are alternatives. I have tried FoxIt a couple times but the rendering quality is noticeably poorer than what Adobe does. More recently I've started using the Google Docs Viewer for reading PDF files in Firefox (it works in all of the other browsers as far as I know).

5. WEAR PROTECTION. For Windows users - now that Microsoft has its free MS Security Essentials anti-malware software available, there is no excuse to not be running some kind of antivirus/antimalware protection. I will go further and say that I personally see no reason to pay anyone for this kind of functionality - e.g. Symantec, McAfee, etc. By all accounts MS does a very good job with MSSE.

6. CONNECT SECURELY. There is another nice utility plugin for Firefox called HTTPSEverywhere. If you do financial stuff on-line, you might've noticed that your browser's address bar will (hopefully) say something like "https://www.yourbank.com" when you're logged into the financial site... The "s" in "https" means "secure". Many other non-financial sites support the https protocol, as well as the usual "http" protocol.

Here's what HTTPSEverywhere does for the sites it knows about, that can support https connections: It will force you to connect with https rather than http. At the moment the list includes Facebook, Google Search, Twitter, Meebo, NY Times, Washington Post, bit.ly, Hotmail, Microsoft, Wikipedia, Wordpress.com, Google APIs, and quite a few others. When you are connected via https your connection cannot be snooped, which is very nice if you're connected to the 'net using an open wifi hotspot that does not provide a Virtual Private Network connection to the Internet.. In general you always want "https" if it's available, no matter what you're doing.

7. BE SELFISH. Turn off any unnecessary "network shares" on all of your computers.

8. USE PASSWORDS. Make sure every machine on your network is login password-protected.

9. MASSAGE YOUR ROUTER. Make sure your router (or modem/router - i.e. the box that you got from your cable or phone company that hooks you up to the internet) is properly configured.

Typically the router configuration is accessed through a mini-web server that is built into the router - and typically it will have an address of something like 192.168.1.1.

In that particular case, you can go to your browser and type in "http://192.168.1.1" and the web interface will show up. (Other addresses are possible; consult the router or router/modem manual for more details about your particular box.) Here are some things to keep in mind:
  • Change the default administrative password for the router. E.g. for Linksys routers, all of the ones I've used have a default password of "admin". If you don't do anything else, do this.
  • Make sure that you're using at least WPA encryption if your router has wi-fi capability. WPA2 is better, WEP is sorta kinda better than nothing, but not much. IMO the wireless interface of a router is its weakest link in terms of people getting onto your network and possibly stealing private (e.g. financial) information from other computers connected to your network.
  • turn off anything that says "Plug and Play".
  • Make sure the NAT firewall is enabled. It might just say "Firewall".
  • Don't have any more ports (holes) opened in your firewall than absolutely necessary. If you open one or more up and then stop using whatever program needs them open, close them.

10. USE "LASTPASS". I continue to love this free, secure, backed-up-in-the-cloud password and private data manager product. I won't go into it here since I already did that not too long ago.


11. BACK UP YER STUFF. This is a huge topic, and I won't go into detail, but - do you have at least two, recent backup copies of all of the stuff on your computer(s)/mobile devices that you can't live without? E.g. photos, financial data files, the latest version of the Great Novel that you're working on, critical account information for on-line resources that you use (LastPass can help here), address book/contact database, etc. I say two backups because many people would tell you that if you only have one copy "somewhere", you're not really backed up. You need to have two copies of all of the important stuff, ideally on different kinds of media (DVD-R, CD-R, CD-RW, USB memory stick, cloud backup....), and certainly not in the same location - i.e. carry one of the copies in your car or keep one at your mom's house or something.

12. DONT EVER CLICK ON A LINK IN AN EMAIL. E.g. if you get a notice that seems to be from Microsoft or Adobe or whoever (whomever?) that you need to update something, don't click on the link that is provided. Instead, navigate to the vendor's website in your browser and find the update - if it actually exists - yourself. You might even try googling it - e.g. "acrobat x update".

OK, that's your twelve steps. I'm sure I left something important out - there are so many things to worry about when you're toodling around the World Wide Web - but any and all of these things will help at least a little bit in keeping you and yours safer in the new year to come.

Tuesday, November 23, 2010

Firefox Saves the Day

I just got to see a new feature in Firefox 3 at work, and it's pretty cool.

I had an email in my GMail spam folder that looked like this:


Looks pretty legit, right? The link text appears OK. However, the actual link looks something like (part of the URL intentionally deleted):

http://smtp.cremadescalvosotelo.com/bankofamerica=JSPR53/e-online-banking...

So obviously it's at best a personal information phishing site. Well, I decided to see where that would take me, so I clicked on it. However, Firefox saved me from myself:


Clicking on the "Why was this page blocked?" button shows this:

I tried this in Internet Explorer and I'm happy (and a bit surprised) to report that it gave a similar "you really don't want to go there" message.

However, even though our browsers sometimes try to protect us from ourselves, links in emails should never be clicked on. If you get a message from your bank that wants you to log in for whatever reason, go to your browser and type in the URL that you know to be the correct one for your bank (if you don't have it bookmarked) rather than click on anything in an email.

Friday, November 19, 2010

Stuxnet Worm - still in the news

I have posted three times about the Microsoft Windows "Shortcut (LNK)" vulnerability since July. A lot has transpired since then; it's been found to be one of six security issues in Windows that are leveraged by the Stuxnet worm (some of which were previously unknown in the security community).

Stuxnet is in the press right now as being one of the most serious security threats ever unleashed, and is said to be a sort of "new animal" in cyber-warfare. I'll provide some links for further reading below, but the apparent intent and sophisticated behavior of Stuxnet is so, well, awesome (in a bad way) that I do want to summarize what's been learned:
  • Its targeted behavior is very specific - although it propagates via Windows (using USB memory sticks and/or network connections), its ultimate target is a particular brand of industrial controller computer made by Siemens, that are network-connected to those Windows systems
  • Not only is it Seimens "SCADA"-system specific, but its end target are "variable-frequency drives" made by two specific companies, that regulate the speed and operation of electric motors
  • Only motors that are programmed to run within a specific speed band are targeted
  • The speed band corresponds to speeds used by uranium refinement centrifuges
  • The end result is that Stuxnet causes those motors to periodically overspeed and underspeed

It's still not known who wrote Stuxnet, but there is universal agreement that its sophistication and complexity are unprecedented, and unfortunately is probably the first shot fired in a new level of cyber-warfare.

As promised, here are some links if you want to dig deeper:

I promise we have not heard the end of this "worm".

"Shall we play a game?"