malware scum *
* = may include TLAs.
Asus, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE: these are the vendors newly named by Cisco's Talos Intelligence whose products are being exploited by the VPNFilter malware. As well as the expanded list of impacted devices, Talos warned that VPNFilter now attacks endpoints behind the firewall, and sports a “poison pill” to …
Anyone who still uses the excellent HG Gomes firmware for Asus (no longer maintained) needs to bite the bullet and upgrade - it's vulnerable.
As Merlin still refuses to acknowledge that legal power restrictions are to ERP, not amplifier output, your best option is probably the Kong DD-WRT builds if you need to adjust power.
I've got an Asus RT-N16; the firmware hasn't been updated for a while, so I thought I'd check if it's infected, to be on the safe side. There is no information on the web on how to do this, so I improvised. VPNFilter adds a cron job. Asus routers don't have a crontab utility, but you can still create cron jobs by putting them in "/var/spool/cron/crontabs/<admin user name>". I enabled telnet to check it, and there's nothing there, so I'm assuming all is well.
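The check described in that post (looking in the router's crontab spool for an entry you did not put there) can be scripted rather than eyeballed. The following is an added example, not code from the thread or from any vendor firmware: it reads a crontab in the usual five-field (or `@reboot`) format from standard input and prints the command of every active entry whose executable is not under one of the directories in an allowlist. The allowlist and the sample crontab are constructed for the example; the `/tmp/.hidden/unknown_job` entry is a placeholder for "a job you do not recognise", not a real indicator.

```shell
#!/bin/sh
# Audit a crontab for jobs that do not run from a trusted directory.
# Added example; the allowlist below is an assumption about what a
# typical router would legitimately schedule, so adjust it per device.
ALLOWED_DIRS='/usr/sbin /usr/bin /sbin /bin /jffs/scripts'

# Constructed sample crontab, not a capture from a real router.
SAMPLE_CRONTAB='# constructed sample
0 3 * * * /usr/sbin/ntpclient -h pool.ntp.org
*/5 * * * * /tmp/.hidden/unknown_job >/dev/null 2>&1
@reboot /jffs/scripts/init-start
'

# Reads crontab text on stdin; prints one line per entry whose command
# does not start with an allowed directory prefix. Comment and blank
# lines are skipped; entries with too few fields are reported as MALFORMED.
flag_unexpected_cron() {
    awk -v allowed="$ALLOWED_DIRS" '
        BEGIN { n = split(allowed, dirs, " ") }
        /^[ \t]*#/ || NF == 0 { next }
        {
            # "@reboot cmd" style has the command in field 2,
            # the classic "m h dom mon dow cmd" form in field 6
            if ($1 ~ /^@/) { cmd = $2 }
            else if (NF >= 6) { cmd = $6 }
            else { print "MALFORMED: " $0; next }
            ok = 0
            for (i = 1; i <= n; i++)
                if (index(cmd, dirs[i] "/") == 1) ok = 1
            if (!ok) print cmd
        }'
}

# Convenience wrapper: audit the embedded sample.
audit_sample() {
    printf '%s' "$SAMPLE_CRONTAB" | flag_unexpected_cron
}

# On a real device you would feed it the spool file instead, e.g.
#   flag_unexpected_cron < /var/spool/cron/crontabs/admin
audit_sample
```

Anything the script prints deserves a second look; an empty result only means no job runs from outside the allowlisted directories, not that the device is clean, since a compromised binary could live in an allowed path too.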
I have a number of TL-WR*s of various models, some bought, but mostly leftover test equipment from old projects in a couple of jobs back. The procedure is:
1. Open the box.
2. Read the actual hardware version number
3. Download the OpenWRT (used to be) or now LEDE build for that hardware type.
4. Install.
Vulnerabilities? What vulnerabilities? Aaaaaahh... you are talking about the STOCK software used in these devices (*). The STOCK software in them is criminal in its incompetence and is one of the reasons why regulatory intervention on updates and fitness for purpose in this area is long overdue. They should all have the CE and FCC marks revoked until that is sorted. All of them. No exceptions.
An excellent example of the level of understanding their developers show would be any TP-LINK switch where you cannot turn off the default vlan because "it will prevent the devices from talking to each other". That's the f**** idea of VLANs you retarded incompetent cretins.
Turning off vlan1 on Juniper enterprise kit causes problems too; it stops all kinds of stuff, especially interoperability with other vendors' kit.
It's usually fine so long as you don't enable end (non-uplink) ports in the default VLAN. Use any other VLAN consistently for normal ports, especially if you are not VLANing.
Does the UTM now support RAID-1 on the HP Microserver? I have that configuration at home and remember that, at install time, Sophos UTM wouldn't do software RAID-1.
(Been using it since the fairly early versions of Astaro linux - first as a dedicated machines, then as a VM and then back to a dedicated machine again. It Just Works(TM) - assuming that you configure it correctly).
Set up the Microserver with the free VMWare ESXi, and just run Sophos UTM as a VM, it works fine for me, performs great on SSD. As a bonus, allow it to also do your web page filtering to block the kids seeing dodgy stuff. Kudos for Sophos for allowing this :-)
... makes targeting a lot of them much, much easier with only minor modifications.
Evolution worked because there were and there are many different species with different attitudes - some could survive events that could kill others.
In software, instead, we see many people thinking we should have just one software to rule them all. The effect would be that a catastrophic event would impact everything.
And no, no open source software will be ever fully secure, sorry... especially since lack of competition and homogeneity usually leads to complacency.
Correct, but those wanting a single software running the whole world imply it has to be their open source One.
Evidently, even if a single commercial software would become the only one, it would be a big risk anyway. Competition increases quality, because you know you could be replaced for a failure. When there's no choice, quality plummets - where can you go, otherwise?
No system will be fully secure as well - the less diversity, the bigger the risk of a large, unstoppable meltdown.
"those wanting a single software running the whole world imply it has to be their open source One."
Anyone who thinks it's desirable to have a single piece of software everywhere can be safely ignored, regardless of whether they want it to be OSS or not.
I support open source. I don't want only one open source thing to exist. For example, I like Linux and support it, but I don't have a problem with BSD, nor would I have a problem with any other open source operating system. I'm fine that non-free OS are there too, but I don't like the theory so much.
However, if the choices are one open source thing or one closed source thing, I'm going to go with the open source thing, so long as they have similar features--I'm not going to throw away a modern and working product for some code written in 2003 and not maintained. The reason is that, when something terrible happens to it, there are many people who will work on making it work again. If, for example, we had a situation in which everything in the world ran under the same version of Linux, thus making it possible for someone to attack it all and take it down, I feel more confident that someone can get it back up than if it was windows running everything. Neither should be allowed to happen, but if something open source fails, you need to fix it yourself or someone who also uses it needs to fix it. If some closed source thing fails, the people who made it have to fix it, which breaks if the people don't want to, are not available, are busy, or have lost data they need for the task. So, no, I don't want open source dictatorship, but yes, I do tend to trust such software a bit more.
I think this should read 'most software' and not all. A very small percentage of software may be provably secure using mathematics or pure logic. Of course this is irrelevant if the hardware the software is hosted on is also not provably secure (extremely unlikely unless you're running on hardware of your own design?). I prefer the KISS hardware approach to securing software - if the little warning lights flash on that simple 'man in the middle' box I created myself, then something unexpectedly got past the first box and it's time to wipe everything and start from scratch. In theory this can also be applied to nested containers and virtual machines; when the bad guys break those, the same little activity warning lights can flash in the parent host machines. Anyone testing honey pots on the public internet may sniff some especially interesting traffic in their first level parent hosts maybe once or twice a year; the overwhelming majority of attack packets have rather well known fingerprints that rarely allow an escape to level two :)
>Evolution worked because there were and there are many different species with different attitudes
Yes, but break things down and you start to get the same components being reused: eyeball, DNA ... Hence why bacteria and some viruses can jump between species.
"...one software to rule them all. The effect would be a catastrophic event will impact everything."
You mean like the microcode running inside most modern processors?
Imagine if one of the TLAs decided to test a worm that pushed a microcode patch which bricks CPUs by implanting a self-destruct sequence on next reboot. That might have rather more interesting consequences on the global business markets than Trump's trade war :)
dg834! About time you bought a new router, I'm surprised it is still working.
If you are using the standard netgear dg834 (g/gt/n) firmware, the following URL should display the nvram settings which includes passwords etc without requiring a password. (it just runs the nvram show shell command, it doesn't change any settings or do anything harmful)
I've split it in two as otherwise it gets truncated by the forum software.
http://routerlogin.net/ca/setup.cgi?todo=ping_test&next_file=../diagping.htm&c4_IPAddr=1%26
/usr/sbin/nvram+show>%261
I reported the password bypass vulnerability over 10 years ago, so they had plenty of time to fix it.
It was possible to patch it without flashing by injecting a script using the same exploits into the router's nvram that runs when booted.
Building a new firmware with a .htpasswd file linked to /etc/htpasswd in the ca directory should fix the password vulnerability, but not the shell exploit.
That works on the DGN series too. Geez, I knew Netgear stuff was crap but that takes it to a new level. I once had a number of Netgear business model switches on a client's LAN that would leak broadcast traffic across VLANs. Even though there was a firmware update to address it, they got replaced in short order with some HP Procurves.
That's bad.
Make sure you were logged out before testing for the password bypass, as I recall Netgear's firmware just used a cookie to check if you are logged in and won't ask for a password again until it has expired.
I've posted a hack to patch the password issue for the DG834N (may work on some other models), although it doesn't address any shell exploits, if it works and you log out after using the interface, you should hopefully at least need a password to exploit it.
https://pathogenrush.blogspot.com/2018/06/netgear-dg834-router-series-password.html
Seems TP-Link were aware of this model being affected before the 23 May, as that's when the latest firmware dates from. No firmware updates for the v1 since 2015; now they seem to think it needs an update to:
1. Optimise the compatibility with DT(Germany).
2. Optimise the compatibility with Edge.
"Honest, they're the only changes"
"Optimise the compatibility with Edge."
What the hell does that even mean? The web-based control interface in a router shouldn't be doing anything fancy. If it is, they need to fix that. If Edge can't handle simple web control interfaces, that's a problem with Edge, not the router. Nobody should be enabling a broken browser to remain broken.
>Never mind - figured it out. It uses default credentials.
I seem to remember that it was over 10 years back that this specific vulnerability - default admin credentials (ie. uName: Admin, Pword: 'password', 'admin' etc.) - was highlighted.
Whilst I can understand why Cisco and other enterprise equipment vendors continue to supply equipment with default credentials, I don't understand why consumer and low-end SME equipment (ie. equipment that is likely to be installed and maintained as single devices by non-technical users) continues to use default credentials.
Interestingly, I suspect that consumer products such as the BT Home Hub, EE Smartbox, Virgin Media Hub etc. which (for years) have used unique default credentials, aren't vulnerable. Although some with pseudo-random credentials can be compromised: https://www.pcworld.com/article/2976584/home-networking/some-routers-vulnerable-to-remote-hacking-due-to-hard-coded-admin-credentials.html
The unique default credentials used in some routers, while better than using a single login would not necessarily guarantee they are secure, although they probably wouldn't be likely targets for this given they are not straight forward.
Some use relatively short passwords of known length and even a limited set of characters, so a dictionary attack could be practical.
Some of the Sky routers generated a unique ADSL password and wifi credentials using the MAC address (there was a website to calculate ADSL passwords given the MAC etc), so if in wifi range it might even be possible to determine the wifi password.
Never stick with default passwords, and that includes the default wifi password.
>Never stick with default passwords, and that includes the default wifi password.
The trouble is that in the vast majority of home installs, the router is simply taken out of the box, plugged in and switched on. The credentials, which several providers conveniently provide on detachable cards (eg. BT Home Hub) only being consulted to get the WiFi SSID and password. So whilst the advice may be sound, don't expect it to be heeded. Also if it is heeded, expect in many cases the 'secure' password to be replaced by either no password or something simple like "password". Which effectively was the rationale behind the movement over a decade back to get consumer gear shipped with 'complex' unique credentials.
"The trouble is that in the vast majority of home installs, the router is simply taken out of the box, plugged in and switched on."
And in some cases, that's done by the ISP technician that's installing it. The user/s might never have to deal with the router except to find out the WiFi password.
When Telstra ripped out all the copper and replaced it with FTTH in my area (state government deal involving a new children's hospital and the need to move an exchange), the Telstra technician would have done so, except I had constructed my own router. He had to call back to HQ, then wait an hour for them to send a senior technician, who I had dealt with before. In the end, they dealt with installing the fibre and the box it plugs into, and left it up to me to deal with the router. Which consisted of me typing in a short Linux command. Worked perfectly first time.
Most ISPs these days ship out obligatory routers with no admin password (well, you might get a junior admin password, but super admin belongs to the ISP). I had to threaten to take my ISP to court to get a Cisco modem substitute for the router. With the modem, I can put my own router behind it (I did that before with the default router, but that leads to some issues with obtaining an IP address on external services, as often one gets the front router IP and not the external IP).
In any case, unique admin IDs and passwords per issued device are a pretty good start to security. Heads above the primitive but brutal VPNFilter exploit.
Coverage of this thing is generally horrible.
How can you actually detect if your device has been compromised?
How do you mitigate the attack?
What are the specific attack vectors?
Three pieces of information that would be good to have in an article of this nature.
MY router isn't on the vulnerable list... but so what? A lot of routers that weren't on the first list are now listed as vulnerable. There is no reason to trust that the new list is comprehensive.
For my fellow commentards - patting yourself on the back because you adopted some other router brand/platform/homegrown kludge isn't at all helpful if there is no information given on how to detect a compromised device.
Logged into my (ASUS, but not the listed-as-vulnerable model) router, found the router telling me "the firmware update failed"... and I hadn't triggered an update. Additionally, username and password have both been changed from the defaults per every best practice ever. So, Whiskey Tango Foxtrot??
Totally agree. I have no idea if my router has been infected, and other than advice to reboot my router (which I typically do weekly) there has been no outlining of steps to detect and protect yourself beyond hoping your ISP has updated your router (as far as I can tell my only option, as I can't find a way to check for firmware updates).
Any advice would be appreciated.
In addition to defective firmware or software, many routers are compromised because users fail to change the default passwords. Most Biz oriented routers have true hardware firewalls unlike consumer grade routers which rely on (poor) software for security. Many of the consumer grade routers never even get proper firmware updates to block known malware so the problems are just amplified with every new malware.