Showing posts with label internet. Show all posts

Friday, October 23, 2015

So it's time to change ISP (again!)

So it looks like TalkTalk have had their customers' database exfiltrated and it seems they have done everything wrong! It's a shame as I've found them to be a fine ISP (MUCH better than Virgin) with good speeds and impressive uptime. They haven't bugged me endlessly with the TV and mobile up-sell and the bill has remained consistently ~£15 a month less than Virgin's ever was.

So, having watched with a mixture of annoyance and amusement here are a few thoughts; 
  1. Don't claim that "we take customer account security extremely seriously" after a breach; behave like you believed it before the hack,
  2. Don't hide behind the claim that "...we have been suffering a sustained attack" - all ISPs (or any big internet property) are under constant DDoS and other assault; it's no excuse today.
  3. Don't tell customers to go and update their user passwords and then have a broken website for twelve (and counting!) hours afterwards,
  4. Never store customer passwords in the clear or as a bare digest: use a per-user salt and a deliberately slow password hash (bcrypt, scrypt or PBKDF2). Plain MD5, even salted, is far too fast to protect a leaked table. In 2015 this is standard practice for people who "take security extremely seriously" (sic),
  5. Don't tell customers to "keep an eye on their bank accounts and credit card statements" - this is your fault, don't load the responsibility for the mess onto customers,
  6. Put data security and best practice ahead of sponsoring TV talent shows,
  7. Have a chief executive (who had the nerve to go on Newsnight) who actually knows how your customer database works - they're the CEO of an ISP for goodness sake!
So that's it; perhaps now ISPs will use the results of proper pen-testing as marketing rather than the guff that passes for customer information currently in service provider adverts. If one company includes the word "bcrypt" on their website they'll get my business.
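To show why "we hash it" is not the same as "we use bcrypt", here is an added example (my code, not anything from the post or from any ISP) that stores the same three constructed user records three ways and then runs the same wordlist attack against each. The standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in for it; the property that matters is the same, a per-user salt plus a hash that is deliberately slow. The user names, passwords, wordlist and iteration count are all constructed for the demonstration.

```python
"""Password storage: bare MD5 vs. salted MD5 vs. a slow, salted KDF.

Added example, not code from the post or from any ISP. Standard library only.
PBKDF2-HMAC-SHA256 stands in for bcrypt (not in the stdlib); the point is the
same: a per-user salt plus a deliberately slow hash, so a leaked table cannot
be cracked wholesale.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# Constructed sample data: weak passwords of the kind a leaked customer table
# is full of, and three users, two of whom chose the same one.
WORDLIST = ["password", "123456", "letmein", "qwerty", "football", "talktalk"]
USERS = {"alice": "password", "bob": "football", "carol": "password"}

PBKDF2_ITERATIONS = 100_000  # assumption: tune so one check takes ~0.1 s


def md5_unsalted(password: str) -> str:
    """What a naive 'we hash it' scheme stores."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_salted(password: str, salt: bytes) -> str:
    """Salted MD5: defeats shared rainbow tables, but MD5 is still fast."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def kdf_store(password: str, salt: bytes | None = None,
              iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store a self-describing record: algo$iterations$salt$derived_key."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def kdf_verify(password: str, record: str) -> bool:
    """Recompute from the stored parameters; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(table: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """One MD5 per candidate word cracks every user who chose it, at once."""
    lookup = {md5_unsalted(w): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def crack_salted(table: dict[str, tuple[bytes, str]], wordlist: list[str]) -> dict[str, str]:
    """Salt forces one hash per (user, word) pair; with MD5 that is still cheap."""
    found: dict[str, str] = {}
    for user, (salt, h) in table.items():
        for w in wordlist:
            if md5_salted(w, salt) == h:
                found[user] = w
                break
    return found


def crack_kdf(table: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Same attack against the slow KDF: every guess now costs `iterations` hashes."""
    found: dict[str, str] = {}
    for user, record in table.items():
        for w in wordlist:
            if kdf_verify(w, record):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    unsalted = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted: dict[str, tuple[bytes, str]] = {}
    for u, p in USERS.items():
        s = secrets.token_bytes(8)
        salted[u] = (s, md5_salted(p, s))
    kdf = {u: kdf_store(p) for u, p in USERS.items()}
    for name, fn, tbl in (("bare MD5", crack_unsalted, unsalted),
                          ("salted MD5", crack_salted, salted),
                          ("PBKDF2", crack_kdf, kdf)):
        t0 = time.perf_counter()
        cracked = fn(tbl, WORDLIST)
        print(f"{name:11s}: cracked {cracked} in {time.perf_counter() - t0:.3f}s")
```

Run it and the first two tables fall in well under a millisecond; the PBKDF2 table takes measurably longer for six guesses against three users, and that gap scales linearly with the iteration count and the size of the leaked table. Note that the salted-MD5 attack still succeeds: salt alone only removes the shortcut of cracking all users at once.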

Thursday, May 01, 2014

Nick McKeown talking Software Defined Networks at the IET this week

I went to the Appleton Lecture at the IET (my institute) this week; here it is as a webcast and well worth watching. The first half is all about the history of packet-switched networks but the meat of it is the second half where he talks about software-defined networks.

From Wikipedia;
Software-defined networking (SDN) is an approach to computer networking which evolved from work done at UC Berkeley and Stanford University around 2008. SDN allows network administrators to manage network services through abstraction of lower level functionality. This is done by decoupling the system that makes decisions about where traffic is sent (the control plane) from the underlying systems that forward traffic to the selected destination (the data plane). The inventors and vendors of these systems claim that this simplifies networking. SDN requires some method for the control plane to communicate with the data plane. One such mechanism, OpenFlow, is often misunderstood to be equivalent to SDN, but other mechanisms could also fit into the concept. The Open Networking Foundation was founded to promote SDN and OpenFlow, marketing the use of the term cloud computing before it became popular.

Appleton Lecture 2014 - Software Defined Networks and the Maturing of the Internet
Nick McKeown
From: IET Appleton Lecture 2014, 30 April 2014, London


Thursday, March 06, 2014

Real live pictures via Antrica - over the Internet



Although it's a shaky iPhone video this is the Antrica system streaming over the public Internet between Root6 West (where the Dev team live) and the main Root6 offices in Wardour Mews. So - it's going via different bandwidth providers (so not just to Sohonet's local pop or anything); presumably all the way to the London Internet Exchange in Docklands. I limited the stream to 4 Mbit/sec and it went all afternoon without so much as a dropped frame. Compression artifacts are rare and minor.
Here is a screen grab from VLC (which can also be used as a viewer).

Saturday, February 22, 2014

Friends don't let friends use stock firmware in their routers, part 2

Just a month since I wrote the first piece on this and there are more domestic router breaches.
  1. "The Moon" worm on Linksys routers - the worm injects vulnerable devices with a URL-encoded shell script that then carries out the same seek-and-hijack behaviour against other routers. It may also change the router's DNS servers to 8.8.8.8 or 8.8.4.4 (Google's public DNS). Compromised routers remain infected until they are rebooted; after a restart they appear to return to normal, but an unpatched router can simply be reinfected. If you are wondering whether your device is infected, look for heavy outbound scanning on ports 80 and 8080 and inbound connection attempts to miscellaneous ports below 1024. Most E-series Linksys routers appear to be vulnerable. 
  2. ASUS routers expose shared USB drives over the public internet - the weakness has been known to Asus for a year and they have yet to correct it in old or current models. 
 Ars Technica's stories are here and here
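The two indicators above (heavy outbound scanning to 80/8080, inbound attempts on ports below 1024) are easy to check for if your router logs firewall hits to syslog. Here is an added example (my code, not from the post or from Ars Technica) that does exactly that over constructed iptables-style log lines of the sort a DD-WRT or Tomato box can emit; the log format, LAN prefix, router address and threshold are all assumptions, so adapt LOG_RE and the constants to what your router actually writes.

```python
"""Spot 'The Moon' style behaviour in a router's firewall log.

Added example, not code from the post or from Ars Technica. Log format and
sample lines are constructed (iptables-style fields as a DD-WRT/Tomato syslog
might carry them). The two indicators come from the advisory text: heavy
outbound scanning to ports 80/8080, and inbound attempts on ports below 1024.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: \[(?P<chain>[^\]]+)\] .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)
SCAN_PORTS = {80, 8080}
LAN_PREFIX = "192.168.1."      # assumption: the LAN is 192.168.1.0/24
ROUTER_IP = "192.168.1.1"      # assumption: the router's LAN address


def parse_line(line: str) -> dict | None:
    """One log line -> dict of fields, or None if it is not a firewall hit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dpt"] = int(ev["dpt"])
    return ev


def outbound_scanners(lines, threshold: int = 50, window_minutes: int = 5) -> dict[str, int]:
    """Sources touching >= threshold distinct external hosts on 80/8080 inside one
    window. Returns {src: peak distinct-destination count}."""
    buckets: dict[tuple[str, int], set[str]] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["proto"] != "TCP" or ev["dpt"] not in SCAN_PORTS:
            continue
        if ev["dst"].startswith(LAN_PREFIX):
            continue                     # internal web traffic is not scanning
        bucket = int(ev["ts"].timestamp()) // (window_minutes * 60)
        buckets[(ev["src"], bucket)].add(ev["dst"])
    peaks: dict[str, int] = {}
    for (src, _), dsts in buckets.items():
        if len(dsts) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(dsts))
    return peaks


def inbound_low_port_probes(lines) -> dict[str, set[int]]:
    """External sources hitting the router on ports < 1024: {src: {ports}}."""
    probes: dict[str, set[int]] = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["src"].startswith(LAN_PREFIX):
            continue
        if ev["dpt"] < 1024:
            probes[ev["src"]].add(ev["dpt"])
    return dict(probes)


def _sample_log() -> list[str]:
    """Constructed log: the router itself sweeping 60 external hosts on :80 within
    a minute, one PC browsing normally, and one outside host poking low ports."""
    lines = []
    for i in range(1, 61):
        lines.append(f"2014-02-20T10:15:{i % 60:02d} gw kernel: [FW-OUT] IN=br0 OUT=vlan2 "
                     f"SRC={ROUTER_IP} DST=203.0.113.{i} PROTO=TCP SPT={40000 + i} DPT=80")
    lines.append("2014-02-20T10:16:05 gw kernel: [FW-OUT] IN=br0 OUT=vlan2 "
                 "SRC=192.168.1.50 DST=198.51.100.20 PROTO=TCP SPT=51000 DPT=443")
    lines.append("2014-02-20T10:16:07 gw kernel: [FW-IN] IN=vlan2 OUT= "
                 "SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=445")
    lines.append("2014-02-20T10:16:09 gw kernel: [FW-IN] IN=vlan2 OUT= "
                 "SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=6001 DPT=22")
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    print("outbound scanners:", outbound_scanners(SAMPLE_LOG))
    print("inbound low-port probes:", inbound_low_port_probes(SAMPLE_LOG))
```

The interesting result is that the scanning source is the router's own LAN address, not a PC behind it: a worm living in the router firmware shows up in the router's own outbound log, which is why a quick look at that log (or at an upstream flow record) catches it when no host-based tool on the LAN will.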

Do I really need to remind you NOT to use manufacturer firmware in your router when DD-WRT, Tomato and others are available?

Thursday, January 23, 2014

Friends don't let friends use stock firmware in their routers

Over the years the number of security flaws that come as standard with £50 plastic-box routers have been numerous. That 'free' router that came from your ISP probably suffers from one of these;
  1. UPnP enabled by default
  2. ICMP echo (ping) answered on the WAN side
  3. TCP port 32764 left listening
That last one is very serious: it allows a remote attacker to query the router, without authenticating, and dump a great deal of diagnostic and configuration information. That may be of no consequence in itself, but it tells an attacker exactly what they are dealing with on your network and lets them plan further attacks. The problem bedevils Linksys and Cisco models, and Slashdot has a good write-up.

In a very real sense your router is the gateway between your network and the wild west that is the public internet. If you can't even trust the little hardware device that sits in the cupboard under the stairs, what can you do? Well, use an open source firmware in your router - Tomato is very user friendly and DD-WRT is very powerful. There are numerous others, and since the source code is open it is regularly examined by the community that develops it, so many eyes spot any nasties (malicious or just bad programming) in the code; when something is found you can flash the fix yourself rather than waiting for the ISP to push one.

I grabbed a couple of Buffalo models from eBay for when my eldest two went away to University and I wouldn't dream of letting my home network be based around a closed-source router.

Saturday, February 09, 2013

UPnP - It was always a bad idea!

UPnP is a protocol that allows a router to listen out for requests to open ports, and to make other configuration changes, from a client machine WITHIN the LAN; the requests carry no authentication, any device on the LAN can make them. It was popularized a decade ago by Microsoft with the original XBox. If you want to have a game that you're playing with others (who are all sat behind their own NAT routers) then the game has to have a way of opening a port on the router and mapping it to the games console. That's what Universal Plug & Play achieves, and once it was known that you needed it for XBox gaming no router manufacturer was going to leave it out or ship it switched off. For years I've told people to disable it and go to the trouble of opening the required ports manually; Here's how you do it for XBox Live! A bit of malware on your LAN could have a field day opening up dangerous ports (think Windows file sharing etc.) and all the benefit of having a NAT firewall has vanished; you're exposed to the Internet and nobody wants that! 

Anyhow - it turns out that some routers have UPnP enabled on their Internet-facing port! That's right; you send a correctly formed UDP discovery packet at the Internet side of the router and, along with being able to open ports, you can query the router for lots of details about itself, allowing you to better tailor your attack to the known vulnerabilities of that specific model. HD Moore (of Metasploit fame) has had a cluster of machines probing the public Internet to see how many public-facing IP addresses had UPnP enabled, and it turns out around 2% of hosts respond to WAN-borne UDP discovery packets. He repeated his scan weekly for six months and the count, roughly eighty-one million responding hosts, remained reasonably constant. His blog post makes great reading and is here
In case you're wondering whether your router is vulnerable you can find a list of affected models here, and you'd be surprised how many big-name manufacturers are on it. I suppose not many people ever bother to patch their router and so a lot of this code is probably a decade old. I encourage you to get a Linux-based router and load it up with DD-WRT or one of the other many good open-source router firmwares (I use DD-WRT but have used Tomato in the past). It goes without saying they are not vulnerable to this, and they add so much functionality that you'll kick yourself for not using them sooner. 
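The "correctly formed UDP discovery packet" is an SSDP M-SEARCH, and the detail that leaks back sits in the SERVER and LOCATION headers of the reply. Here is an added example (my code, not from the post, from HD Moore or from GRC) that builds that packet, parses the reply, and also does the plain TCP connect check for port 32764 from the January post; it serves both posts. Run it from a machine on the LAN with the gateway address as its argument (192.168.1.1 is an assumed default). Two caveats: from inside the LAN it only tells you the router answers discovery on its LAN side, so it does not replace an external test like the ShieldsUP one mentioned below; and an open 32764 only proves something is listening there, not what it is. The sample response in the usage note is constructed.

```python
"""Audit the router from inside the LAN: does it answer SSDP discovery, what
does it reveal about itself, and is TCP 32764 open?

Added example, not code from the post, from HD Moore or from GRC. Standard
library only. It cannot test the WAN side from here; an external probe is
needed for that.
"""
from __future__ import annotations

import socket
import sys

SSDP_MULTICAST = ("239.255.255.250", 1900)
BACKDOOR_PORT = 32764          # the port from the January post


def build_msearch(search_target: str = "upnp:rootdevice", mx: int = 2) -> bytes:
    """The SSDP discovery request (HTTPU over UDP/1900) that a WAN-side scan sends."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        "HOST: 239.255.255.250:1900\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {search_target}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict[str, str]:
    """Lower-cased header map from an SSDP '200 OK' reply; {} if it is not one."""
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(headers: dict[str, str]) -> str:
    """What an attacker learns before sending anything else: the UPnP stack and
    firmware string (SERVER) and where the device description XML lives (LOCATION)."""
    return f"server={headers.get('server', '?')} location={headers.get('location', '?')}"


def ssdp_discover(target_ip: str, timeout: float = 2.0) -> list[tuple[str, dict[str, str]]]:
    """Unicast M-SEARCH at one host; returns [(responder_ip, headers), ...]."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    results: list[tuple[str, dict[str, str]]] = []
    try:
        sock.sendto(build_msearch(), (target_ip, SSDP_MULTICAST[1]))
        while True:                      # collect replies until the timeout
            data, addr = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers:
                results.append((addr[0], headers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return results


def tcp_port_open(host: str, port: int = BACKDOOR_PORT, timeout: float = 2.0) -> bool:
    """Plain connect check; no payload is sent, nothing is exploited."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    gw = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"   # assumed gateway
    for ip, hdrs in ssdp_discover(gw):
        print(f"{ip} answers SSDP: {fingerprint(hdrs)}")
    print(f"{gw} tcp/{BACKDOOR_PORT} open: {tcp_port_open(gw)}")
```

A typical reply is a few lines such as `HTTP/1.1 200 OK`, `SERVER: Linux/2.6, UPnP/1.0, MiniUPnPd/1.0` and `LOCATION: http://192.168.1.1:1900/gateway.xml` (constructed here, but that is the shape); the SERVER line alone narrows the firmware down far enough to pick a matching exploit, which is the whole point of the post. The same M-SEARCH sent to your public address from outside is the WAN-side test.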

Steve Gibson did an excellent Security Now! podcast on the matter last week; 



Steve has also extended his Shields Up!! router test to check for the vulnerability.