For years, I have given advice to everyone that the first line of security for your home PCs is a NAT router between your home network and the Internet. While that is still true, there is one situation where the protection normally afforded you by the router is non-existent, leaving your public IP address visible to the world and your home network open to attack. I have actually observed the phenomenon I will describe in a moment, so I know it is an issue and something you should know about. It’s highly unlikely it could be exploited on any large scale, but it’s possible, so something worth discussing. In any event, the concept is out there, so someone is sure to try it.
This reader question came up in Security Now! Episode 133:
Question #5, Sami Lehtinen…from Helsinki, Finland makes a GREAT observation about dangerously leaky “hardware” firewalls. He says: I wanted to warn people about potential problems with regular home routers such as the more expensive and fancy firewall routers that are very configurable. That configurability can backfire nastily….
While the router is booting – it’s quite a long process – parts of the system start with default configuration, like the switch portion. This causes all LAN, WAN and DMZ ports to be completely bridged for about one minute. After that, normal NAT/SPI, DHCP, et cetera, function returns….
What Sami discovered is that you are directly connected to public Internet for about a minute while the router reboots. Steve Gibson concurs and proposes his solution, which I wholeheartedly endorse:
So this is a very real problem. What, I mean, the takeaway from this actually is to – what I would do is, and I’m probably going to do it from now on, I don’t reboot my router very often, but I would disconnect my LAN side connection for a couple minutes until the router comes up and it settles down, and then bring my local network up inside….
Since Microsoft began to ship versions of Windows with its firewall enabled by default (Windows XP Service Pack 2, August 25, 2004), there hasn’t been much attention put on system survival time. That’s not to say the issue is dead, it’s just not as big an issue as it used to be. I have often said that any system connected to the Internet is under attack 24/7; in fact, I have published some of my own statistics in the past (see Unpatched PC “0wn3d” in Four Minutes or 16 Hours; Which is it?). So, what is survival time? Thanks to dshield.org for this excellent definition: “The survival time is calculated as the average time between reports for an average target IP address. If you are assuming that most of these reports are generated by worms that attempt to propagate, an unpatched system would be infected by such a probe.”
How long would your unpatched system survive today if it’s plugged directly into the Internet? Let’s look at some historical data:
This tells me that while things appear to be improving, you still have an average of around an hour to get an upatched machine up and running on the Internet, assuming you’re not behind a firewall or NAT router (which would be the average consumer, I think).]]>
As old as this issue is, you’d think it would be solved by now; in fact, everyone thought it was. Many browsers and plug-ins protect against it. But it showed up in a different form that no one had considered until it was revealed at Black Hat. The hacker discovered that not only can you browse to your router’s web browser using the private gateway IP (192.168.xxx.xxx or whatever), you can also get there using its public IP–the address on WAN IP–even if you have disabled remote administration from the WAN side. Steve Gibson, in his usual, thorough manner, analyzed the matter in Security Now! episode 260.
And so the next-generation attack that was revealed last week, which I’m sure all of the various firmwares are in the process of scrambling around to fix right now, solves, well, what it does is it gets around the blocks against internal LAN access IPs by using your public IP. And of course the remote DNS server gets your public IP because that’s the IP from which the request comes to it. It’s emitted by your computer, asking for the IP address of attacker.com. Well, that comes from your public IP. So it’s able to return the public IP to the [attacker] script running in a plug-in, which then knows how to get around the use of private IPs on the LAN to access your router.
Everyone should immediately check this list to see if your router is vulnerable. If it is, then you should go to the manufacturer’s website to check for firmware updates to your router.]]>
This really isn’t anything new, it’s just back in the news again. According to this article on Forbes.com:
Craig Heffner, a researcher with Maryland-based security consultancy Seismic, plans to release a software tool at the conference later this month that he says could be used on about half the existing models of home routers, including most Linksys, Dell, and Verizon Fios or DSL versions. Users who connect to the Internet through those devices and are tricked into visiting a page that an attacker has set up with Heffner’s exploit could have their router hijacked and used to steal information or redirect the user’s browsing.
It’s the old DNS Rebinding Attack I wrote about two years ago:
So, what’s new about this? Is this some sort of new approach to vulnerability? Must have been a slow security news week. Not this week, however. A newly-discovered 0-day vulnerability in Windows is the top of the news right now. My take on that one tomorrow.]]>
According to the article, experts in the UK don’t see such a ruling as affecting them anytime soon.
Asked whether a law such as this could ever transfer to the UK, Stuart Okin, managing director of Comsec Consulting, said: “I don’t ever see that coming over here as I don’t see how it could be policed in the UK.
“In Germany there is a different culture, and when rules come into play they are obeyed without question. In the UK I am not saying that no one will do it, but it is not advisable and realistic to work.”
That may very well be, but I call it a wrong target. The real culprit is the illegal downloader whose intent is clearly to hide his actions by stealing someone’s network identity – a crime in itself. Any time you assign illegal activity the wrong source, you end up with a legal quagmire that is certain to take years to sort out in the courts.
Moreover, I don’t think you can force an individual (not in this country at least) to learn a technology in order to use it. After all, one doesn’t have to learn the technology of the internal combustion engine in order to mow the lawn, one just has to know how to start the engine. Furthermore, we assume that the manufacturer has taken the necessary steps to make the device function properly and safely and if it doesn’t, the manufacturer is liable in most cases.
SANS News Bites Editor Stephen Northcutt extends this idea to the access point, “We all need to keep our eyes open, because if the access point itself has vulnerabilities that lead to filesharing then who is to blame. …if you meet the letter of the law, and “protect” your network and someone computes the WPA key and downloads files over your network, who gets sued and why?”
I won’t say it can’t happen here; that would be naive beyond belief. I will say that it’s a very bad idea to try force people into securing their access points. It would be much more workable if the manufacturers opted to make their equipment secure by default.
What do you think?]]>
While the manufacturers try to patch such vulnerabilities, users often don’t apply the patches and even if they do, determine hackers often find other ways in. As recently as October, 2009, a blogger who stumbled across a vulnerability in more than 65,000 Time Warner Cable customer routers says the routers are still vulnerable to remote attack, despite claims by the company that it patched the routers. A report by Wired found that 45 percent of 2,729 publicly accessible Linksys routers still had a default password in place.
And that is precisely why you should put this on your list as Golden Rule #3: Always change the default user name and password of any configurable device you put on your home network.]]>
Windows users will remember back before Windows XP Service Pack 2 was released that simply plugging your computer into your cable or DSL modem was almost certain to result in your being compromised in short order. (Who can forget the havoc that Sasser and other worms wreaked before Microsoft wised up and finally turned the firewall on by default?) Running naked with all ports open to the world is a gold-gilt invitation to every criminal and mischief maker on the Internet, and while running a software firewall is a good idea, it’s not nearly enough–crackers have known for some time how to disable the Window’s firewall.
Consider this: every IP address owned and/or issued by your Internet Service Provider, no matter who that may be, is constantly being targeted by hackers that are scanning the’Net for vulnerable systems, and worms, viruses and other malware that have already infected machines on the ‘Net. (As I write this, the IP address assigned to me by my cable Internet provider has been scanned or probed 46 times in the last hour; this goes on 24 hours a day, seven days a week.) I certainly don’t want my PC’s software firewall subjected to this kind of thing. Yet, most people, not knowing any better, plug their computer directly into the broadband modem. There is absolutely no reason to do this when there is an inexpensive, simple, yet effective first line of defense available at any big box electronics or office supply superstore–a router (Fig. 1).
Through the beauty of Network Address Translation (NAT), even the cheapest router becomes an effective hardware firewall, virtually making your PC invisible to the ‘Net. NAT Router Security Solutions by Steve Gibson of “Security Now!” explains NAT in detail. Here’s one of his illustrations from that article:
I must mention that except for one, easy configuration change that is absolutely essential, these simple devices work fine right out of the box. The average user can plug it in and not have to worry about a complicated setup process.
Golden Rule #2: A first, important step in securing your PC is to install and configure a NAT router.]]>
As of today, I’m embarking on a major pre-release revision of the eBook, 14 Golden Rules of Computer Security to make sure all of the bases are covered in a logical combination and sequence. In essence, the book will begin with the concept of a security baseline—the bare security essentials—for a normal home PC setup and will branch from there.
What’s a good PC security baseline? In “The Lazy Man’s Way to System Security,” I proposed these four bare security essentials: “…a NAT router; a good antivirus program; a good anti-malware program; and, a good software firewall.” That was good enough at the time, but these days antivirus, antimalware and a software firewall are usually combined into a single suite. I choose to align with Windows Secrets’ Security Baseline page: “…a hardware firewall that’s built into your [NAT] router, security software that guards against all types of malware threats, a software-update service to ensure that your applications are patched against the latest exploits, and a secure browser.”
There are many possibilities for implementing those four basic items and that will be well covered in the book.]]>
Whether or not your equipment is vulnerable depends on three things:
- Your device is a mipsel (MIPS running in little-endian mode, this is what the worm is compiled for) device.
- Your device also has telnet, SSH or web-based interfaces available to the WAN, and
- Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.
“This technique is one to be extremely concerned about,” the researchers say, “because most end users will not know their network has been hacked, or that their router is exploited. This means that in the future, this could be an attack vector for the theft of personally identifying information.”
If you believe your equipment is vulnerable or has been compromised, you should immediately take the following actions: