Read this if you have a D-Link router

Leave it to a security vulnerability to interrupt a perfectly good discussion, but it doesn’t get much worse than this. If you have an older D-Link router, it’s possible to completely bypass the authentication on its administrative web interface.

Ctrl-Alt-Del history: non-revisionist edition

When it comes to Ctrl-Alt-Del history, there’s a lot of selective memory going on.

Bill Gates said in September 2013 that he regrets the use of Ctrl-Alt-Del as a logon sequence, while David Bradley, the IBM PC engineer who built that feature into the first IBM PC, says he doesn’t know why Microsoft chose to use that sequence for logon anyway.

Both of them, for whatever reason, are forgetting a few things.

“Mario” from “Microsoft” calls the wrong guy

“Mario from Microsoft” called me last night. I’ve never heard a Mario with that kind of accent, and I thought he worked for Nintendo. I’ll bet he gets that a lot.

“Microsoft has no reason to be calling me,” I said to “Mario.”

“Oh, we’re a Microsoft certified partner,” he said.

“That’s nice,” I said. “I’m certified too. What’s going on?”

“You are having computer issues,” he said.

The outbound firewall controversy

So, do you need an outbound firewall? Two people say no.

I agree but I disagree. I like the idea behind an outbound firewall, but in practice, I find they don’t work. The human element makes them fail. Whenever a computer asks for permission to do something, people generally fall into two camps: People who say yes all the time, and people who say no all the time. With the people who say yes all the time, the malware gets to do whatever it wanted anyway, so the firewall fails to do its job. With the people who say no all the time (Why does Internet Explorer want to connect to the Internet?), nothing works.

Ultimately, the argument against them is that if you don’t trust a piece of software to connect to the Internet, you shouldn’t have that software on your computer at all. I agree completely with that argument. Only install trusted software that you get from trusted sources, learn how to check the MD5 or SHA1 signatures to ensure the software is what it says it is, and then and only then install it.

A firewall is one of the most basic of security tools. You need one to protect yourself against basic threats. Not having one is negligent. But trying to turn that firewall into something other than a basic tool–something it’s not–generally isn’t going to get you very far. A firewall with training wheels on it isn’t a substitute for security awareness.

And here’s the thing. The Windows built-in firewall does block certain outbound connections, mostly on antiquated ports that nowadays see more malware traffic than legitimate use. It just doesn’t jump up and down and tell you that it’s doing it. It quietly does its job, which is exactly what you want your firewall to do.

The trouble with routers

I see the advice going around, again, to disable the Windows firewall and rely on an external router, the justification being that it makes your computer “invisible.” It doesn’t. Only IPv6 can do that–and then, only if you don’t use it for anything.

The trouble with that advice is that there are botnets targeting routers. Routers are nothing special; they’re small computers running Linux on an ARM or MIPS CPU, typically outdated versions with old vulnerabilities that can be exploited by someone who knows what to look for. One example of this is the Aidra botnet. Typically Aidra is used to attack outside targets, but it’s not outside the realm of possibility for an infected router to turn on and attack the machines it’s supposed to protect. And if you’ve turned off your firewall, then you have no protection against that.

DoSing your cubicle neighbor

My baby at work is a centralized logging tool. That means my system has to touch every other system in this large company’s large network, which is kind of cool. Not many projects deal with that many different things, and I’m seeing some things I haven’t seen since college–and never expected to see in the real world, actually.

A week or two ago, we had some trouble pulling the logs in from a highly specialized system. That happens. Unix is easy, Windows is almost as easy–yes, the world of logging is a little bit upside down–but the one-off systems that don’t fit into neat categories take a lot longer to bring into the fold.

The problem was that the user account my tool uses kept getting locked out.

Webcam spying gets more attention

So, apparently Miss Teen USA’s computer got infected with a webcam-spying remote access trojan. So someone got some sneaky pictures of her, and tried to blackmail her. Fortunately, instead, she decided to talk about it.

This is good. The majority of people don’t take computer security seriously enough. This could get some people talking, finally.

Unfortunately, the one effective technique against something like this–application whitelisting–isn’t available for the home versions of Windows. Most people think of application whitelisting as a corporate thing, but a signature-based whitelist would keep this kind of software from running on a home PC, which is the target for webcam snooping. Home users need it too. And unfortunately, it’s the people who are most likely to buy the cheaper home version who need it the most. Are you listening, Microsoft?

In the meantime, keep a piece of tape on your webcams, I guess.

But maybe now that Miss Teen USA is running around the talk show circuit talking about this stuff, people will start thinking that maybe, just maybe, bad stuff doesn’t always just happen to other people’s computers. Because it doesn’t.

As a security professional, I’m glad for anything that raises awareness. Because security awareness is one of the DSD Top 35 mitigations–it’s #20. And of the 35, it’s the hardest to buy.

And if you’re not scared enough yet, it’s possible to do webcam spying not only with a laptop, but also with a smart TV. It’s a little harder with smart TVs because they’re all a little different, but nobody thinks about their smart TV, and the manufacturers rarely, if ever, update them to fix security bugs. Fortunately, TV hacking is, as far as we know, more in the realm of theory right now than active exploitation, but it’s only a matter of time before that changes. The time to pressure manufacturers–or just stop buying smart TVs–is now.

Bad news about smartphones, but maybe not all bad

When you install Java on a Windows box, it brags that it runs on 3 billion devices. It’s not joking. A fair chunk of those 3 billion devices are the SIM cards that register your cell phone on its network. And those SIM cards frequently are woefully insecure. The mid-90s called, and they want their crypto back.

Via a text message you’ll never see, it’s possible to hack the 56-bit DES encryption used by many cards, or the triple-DES-in-name-only crypto used in others–repeating wimpy 56-bit crypto with the same key three times doesn’t make it any less wimpy–then send the cards a malicious Java applet, which busts out of the security on the ancient version of Java on your card, and ride this cascade of security flaws to do lots of nasty things like listen in on phone calls and intercept text messages.

Even if half of Americans don’t seem to mind the NSA listening to their phone calls, I’m pretty sure a majority of Americans don’t want the Russian Mafia listening to them.

Watch your embedded security

If there’s a theme I’ve heard over and over again this year, it’s that it’s time to pay attention to security in embedded devices like routers, other network equipment, televisions, and the other devices around us. This is the soft underbelly, and frankly, it’s probably a time bomb.

The astonishing thing is that we’re now protecting our computers with devices that have bigger security holes than our computers do.

Wget is not a hacking tool

The Bradley Manning verdict came out this week, and the less I say about Manning himself the better, but one thing in the press coverage definitely bothered me, and I want to set that straight.

The prosecution attempted to tie him to Julian Assange, saying he coached Manning on the use of “hacking tool wget.”

Wget isn’t a hacking tool.