Gilbert Verdian – I Secure Enterprises

Protect your broadband routers

A researcher at Symantec today announced new threats against broadband routers.

This involves an attacker logging into the router remotely, changing its DNS settings and so redirecting users to fake sites that harvest their credentials. This is not new; the threat has been around for a long time and it comes down to guessing (or simply knowing) the router's password. No matter how much security is in place, one small mistake or oversight by a user can undo all of it.

Just have a look at Phenoelit’s Default Password List and see whether your device is on it.

To protect against this threat:
– ALWAYS change the default username and password to something other than “admin” / “password” (or whatever the vendor shipped).
– Never turn on remote management on the router – home users really don’t need it, and it puts the login page on the internet.
– Stop the device responding to pings on the WAN side – hiding is good, and your connection won’t show up in a ping sweep when people are looking for easy targets (a scan that probes TCP ports directly will still find you, so this is a complement to the first two points, not a substitute).

Something for vendors: ship with no initial password and force the user to set one as part of first-time setup, with ping responses disabled and the remote management ports closed. To go further:
– block all unsolicited incoming TCP, UDP and ICMP traffic at the stateful firewall, allowing in only replies to connections the LAN initiated
– present a fake TCP stack fingerprint – if someone scans you and the device identifies itself as an obscure piece of old networking equipment they’ve never heard of, they’re likely to move on (this buys obscurity, not security, so it only makes sense on top of the points above)
– implement basic IPS capability to detect common attacks and block them accordingly. A port scan from anyone against the router should automatically add a firewall rule blocking that IP – with care, because source addresses can be spoofed and an automatic block is then a way for an attacker to get a legitimate address, such as your ISP’s resolver, blocked.
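The auto-block idea in the last point, worked through as detection logic. This is an added example, not code from the original post or from any router vendor: it reads iptables-style kernel LOG lines (the sample lines are constructed), counts the distinct destination ports each WAN source hits inside a sliding time window, and returns the sources to block together with the firewall rule that would block them. It assumes a WAN interface named ppp0, RFC 1918 ranges for the LAN side, and a hypothetical never-block list (198.51.100.53 standing in for the ISP resolver) so that a spoofed source cannot be used to cut the router off from an address it depends on. ICMP is deliberately not counted, since it carries no destination port and is the easiest thing to spoof.

```python
"""Port-scan auto-block over constructed firewall log lines.

Added example, not from the original post. Assumes iptables LOG-target
line format, a WAN interface named ppp0 and RFC 1918 LAN ranges.
"""
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

WAN_IFACE = "ppp0"                                       # assumed WAN interface
LAN_NETS = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]
# Hypothetical never-block list: anyone can spoof these as a source address, so
# auto-blocking them would let an attacker cut the router off from them.
NEVER_BLOCK = {"198.51.100.53"}                          # e.g. the ISP resolver (constructed)

# Constructed sample log in iptables LOG format; not real traffic.
SAMPLE_LOG = """\
Feb  7 10:00:01 gw kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44100 DPT=21 SYN
Feb  7 10:00:01 gw kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44101 DPT=22 SYN
Feb  7 10:00:02 gw kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44102 DPT=23 SYN
Feb  7 10:00:02 gw kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44103 DPT=80 SYN
Feb  7 10:00:03 gw kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44104 DPT=443 SYN
Feb  7 10:00:03 gw kernel: DROP IN=ppp0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=44105 DPT=8080 SYN
Feb  7 10:00:04 gw kernel: DROP IN=ppp0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
Feb  7 10:00:05 gw kernel: DROP IN=ppp0 SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=80 SYN
Feb  7 10:00:09 gw kernel: DROP IN=ppp0 SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=443 SYN
Feb  7 10:00:10 gw kernel: DROP IN=br0 SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=33000 DPT=21 SYN
Feb  7 10:00:10 gw kernel: DROP IN=br0 SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=33001 DPT=22 SYN
Feb  7 10:00:10 gw kernel: DROP IN=br0 SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=33002 DPT=23 SYN
Feb  7 10:00:11 gw kernel: DROP IN=br0 SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=33003 DPT=80 SYN
Feb  7 10:00:11 gw kernel: DROP IN=br0 SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=33004 DPT=443 SYN
Feb  7 10:00:12 gw kernel: DROP IN=ppp0 SRC=198.51.100.77 DST=198.51.100.2 PROTO=UDP SPT=53 DPT=53
Feb  7 10:00:13 gw kernel: DROP IN=ppp0 SRC=198.51.100.53 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=21 SYN
Feb  7 10:00:13 gw kernel: DROP IN=ppp0 SRC=198.51.100.53 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=22 SYN
Feb  7 10:00:13 gw kernel: DROP IN=ppp0 SRC=198.51.100.53 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=23 SYN
Feb  7 10:00:14 gw kernel: DROP IN=ppp0 SRC=198.51.100.53 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=80 SYN
Feb  7 10:00:14 gw kernel: DROP IN=ppp0 SRC=198.51.100.53 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=443 SYN
"""

# Only lines carrying a destination port match; ICMP lines have none and are skipped.
LINE_RE = re.compile(
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) .*?IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) .*?"
    r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse(line):
    """Return (seconds_of_day, iface, src, proto, dport) or None for lines without a port."""
    m = LINE_RE.search(line)
    if not m:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return t, m["iface"], m["src"], m["proto"], int(m["dpt"])


def is_external(iface, src):
    """True only for packets that arrived on the WAN interface from a non-LAN address."""
    return iface == WAN_IFACE and not any(ip_address(src) in n for n in LAN_NETS)


def detect_scans(log_text, threshold=5, window=10):
    """Map each WAN source that hit >= threshold distinct ports within `window`
    seconds to (time_of_detection, sorted_ports). A source is reported once."""
    recent = defaultdict(deque)       # src -> deque of (t, dport) inside the window
    hits = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        t, iface, src, _proto, dpt = ev
        if not is_external(iface, src) or src in NEVER_BLOCK or src in hits:
            continue
        q = recent[src]
        q.append((t, dpt))
        while q and t - q[0][0] > window:   # slide the window forward
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold:
            hits[src] = (t, sorted(ports))
    return hits


def block_rules(hits):
    """Firewall rules the router would install for each detected scanner."""
    return [f"iptables -I INPUT -i {WAN_IFACE} -s {src} -j DROP" for src in sorted(hits)]


if __name__ == "__main__":
    for rule in block_rules(detect_scans(SAMPLE_LOG)):
        print(rule)
```

With the defaults, only 203.0.113.5 is blocked: 198.51.100.77 touches three ports, the LAN host on br0 is ignored regardless of what it does, and the never-block address is ignored even though it looks exactly like a scanner. Lowering the threshold or shrinking the window changes what counts as a scan, so those two numbers are the tuning knobs a vendor would have to pick carefully to avoid blocking a customer’s own mail or DNS server after a burst of legitimate retries.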

Something to think about…

Vista Security – cancel or allow?

A good friend of mine emailed me about a great new Mac ad, part of the “I’m a PC, I’m a Mac” series. It sums up security in Windows perfectly!

Vista security

Root DNS Servers DDoS

Noticed something funny happening yesterday with DNS. It was only for a short time, but it occurred on 3 different systems. For example, when I went to google.com it was redirected to a sedo.com search page. My first thought was that Google had not renewed their domain in time, which happened with their google.de domain. Thinking nothing of it, after a couple of minutes the symptoms were gone, until today.

My security feeds today had numerous stories about the root DNS servers being hacked. Attacks on the internet’s core infrastructure go back to the 80s; Clifford Stoll’s book, The Cuckoo’s Egg, describes intruders working their way into such systems. The root servers are seen as a trophy: get into these and you are into the backbone of the internet, hence their appeal. Naturally, these servers need to be as secure as possible. Recently, Sun was commissioned to install Solaris 10 on the ISC F-root server, f.root-servers.net (192.5.5.241).

The attack against the servers was a DDoS (Distributed Denial of Service): thousands of zombie machines sending hundreds of thousands of requests to overwhelm the servers and stop them delivering the service they exist to provide. In this instance, the servers stood up to the attack.

Just another day in the internet.

Talking about Security

I decided to start this blog in order to discuss security from the front line. Having been in the field for a number of years, and in a position which gives great visibility of the latest in the industry, I felt this would be a great way to share the many things that happen along the way.

Hope you enjoy the ride.
