On 19.02.2013 05:53, Chris Cappuccio wrote:
Kevin Chadwick [ma1l1i...@yahoo.co.uk] wrote:
Every firewall/router product that I have purchased has been
compromised so far.
I don't believe this at all.  Not one bit.
I could believe it but that doesn't mean that I do. 90% of the routers
on my street will be insecure and even using old sps, upnp or wep.
Common, mass attacks are becoming more sophisticated every day.

All of them. The cat-and-mouse game is continually tilting against the
vast majority who only take the most basic security measures. So it's
typically a big problem when new major vulnerabilities are found in
consumer grade equipment.
If I buy a car, and don't know how to operate it, and cause harm, nobody would blame the manufacturer.

But if John Doe buys a "firewall" (hey, it says so on the label on the box, so it HAS to be a "firewall") and gets exploited by a drive-by download, the "firewall" *has* to be bad.

Here's a simple example from the past week:

Someone just pointed out that most of the Linux UPNP routers out there
listen to UPNP port forwarding requests FROM EXTERNAL SOURCES!

So now everyone is releasing patches, and that's only IF the code on
the router is still even maintained. And this new (and pretty fucking
obvious) hole was just pointed out to the general public.

To see that router vendors are mass producing junk that listens to
a UPNP port forwarding request from the fucking INTERNET shows that
anyone who doubts the security of their XYZ router is probably on
to something.

Yeah, you can parade the idea that "you should have disabled UPNP",
and that is a smart choice. But very few UPNP routers will come with
UPNP disabled. And the UPNP insecurity that is well known is at least
supposed to have a basis in an already-compromised INSIDE host,
not take port forwarding requests from the INTERNET.

So if vast numbers of routers are listening to admin commands from
0.0.0.0/0, and you don't believe "at all" that "every router"
this apparent troll has bought has been compromised, then you need
to think more creatively. And this guy needs to disable UPnP, and
maybe change his router admin password while he's at it. (And
reflash the firmware, and reformat his computer, re-flash
his DVD ROM, GPU, and so on.)

Hey, we are talking about users having Adobe Reader and Java on their systems (most of them not up-to-date) and you want them to secure their BRAND-X plastic crap, which they bought for $9.99 at XYZ-mart?

If I don't know how to maintain my car (although I theoretically know how combustion engines work), I take it to someone who does!

But when it comes to computers, everybody thinks "My name is Karl, ich bin expert!" (pun definitely intended).

So, why not throw some bucks at somebody who, at least to some extent, knows what he is doing? Just go to the nearest university and look for some computer science students... chances are that you find somebody who knows what he is doing (and is willing to help you, if you give him some bucks).

And back to OP... I would love to see *all* of the compromised gear and do a forensic analysis... just for the fun of it! And I have seen some consumer grade equipment, and in recent times they *try* to secure their equipment (no WEP, randomized passphrases both for WPA and for admin accounts, no publicly accessible admin and so on). Yes, UPnP and those exploits of WPS (you definitely don't want to hear my opinion about this cumbersome piece of... well, you know it) exist, but if you have somebody (see above) who knows what he is doing, he'll fix it for you (JUST BY TURNING IT OFF!)

I tend to think OP was exploited from the inside, not by exploiting their "web sharing thingie".

Just think about it... what is more likely: exploiting a reasonably up-to-date Linux/VxWorks "router" or hitting a vulnerable Java/Adobe/Flash/Windows/IE/whatever hastily-cobbled-together client application?

so long,

Matthias
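The UPnP problem Chris describes above (routers honouring port-forwarding requests that arrive from the Internet side) boils down to a missing policy check in the IGD service. The following is an added illustration, not code from this thread or from any router firmware: a minimal decision function for an AddPortMapping request, with the "accept anything" behaviour the thread complains about beside a hardened version that only accepts requests arriving on the LAN interface, from a LAN address, mapping to a LAN host. The LAN prefix, interface names, the request shape and all sample requests are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed LAN prefix for the example; a real device would take this
# from its LAN interface configuration.
LAN_PREFIX = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class PortMappingRequest:
    """Fields of an IGD AddPortMapping request that matter for the check.
    Hypothetical structure; the real SOAP body carries more fields."""
    source_ip: str        # address the SOAP request came from
    ingress_iface: str    # interface it arrived on: "lan" or "wan" (constructed names)
    internal_client: str  # NewInternalClient: host the mapping points at
    external_port: int    # NewExternalPort
    internal_port: int    # NewInternalPort


def accept_any_source(req: PortMappingRequest) -> bool:
    """The behaviour the thread describes: no check on where the request
    came from, so a request from the WAN side is honoured like any other."""
    return True


def accept_lan_only(req: PortMappingRequest,
                    lan_prefix=LAN_PREFIX,
                    upnp_enabled: bool = True) -> bool:
    """Hardened check: UPnP must be enabled at all (turning it off is the
    fix the thread recommends), the request must arrive on the LAN
    interface from a LAN address, and it may only map to a LAN host."""
    if not upnp_enabled:
        return False
    if req.ingress_iface != "lan":
        return False                      # never honour requests from the WAN side
    try:
        src = ipaddress.ip_address(req.source_ip)
        client = ipaddress.ip_address(req.internal_client)
    except ValueError:
        return False                      # malformed addresses are rejected
    if src not in lan_prefix or client not in lan_prefix:
        return False                      # spoofed source or mapping to a non-LAN host
    if not (1 <= req.external_port <= 65535 and 1 <= req.internal_port <= 65535):
        return False
    return True


# Constructed sample requests: one legitimate LAN request and one that
# arrives on the WAN interface from a public address.
SAMPLE_REQUESTS = [
    PortMappingRequest("192.168.1.20", "lan", "192.168.1.20", 25565, 25565),
    PortMappingRequest("198.51.100.7", "wan", "192.168.1.1", 22, 22),
]


def evaluate(policy, requests=SAMPLE_REQUESTS):
    """Apply a policy function to each request; returns a list of booleans."""
    return [policy(r) for r in requests]


if __name__ == "__main__":
    print("accept_any_source:", evaluate(accept_any_source))
    print("accept_lan_only:  ", evaluate(accept_lan_only))
```

The point of the side-by-side is that the decisive difference is not the port-mapping logic but the interface and source-address check in front of it; with UPnP disabled (`upnp_enabled=False`) the hardened function rejects everything, which is the "just turn it off" answer given above.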
