You surely have a lock on your front door. Do you have such a lock on your network? You may think so, but it may well be wholly unlocked. Or at least, you may not be able to know for certain that it’s locked. If you use a commercial Wi-Fi router from your ISP, or one from one of the big names like Linksys, Belkin, D-Link et al., your network may not be as secure as you think.
At the outset let me state that, as someone who reads hereabouts, you’re no dummy. You’ve taken steps to ensure that the router no longer has its default admin password. You’re using modern encryption on your Wi-Fi. You’re being responsible, but there are things beyond your control.
The simple fact is that the firmware that runs most retail, commercial routers is closed source. As such, you have no ready way to verify its behavior. Yet the manufacturer, by necessity, assembles that firmware from various common software modules. They may even use some open source modules, but what ships is a closed-source binary in the end.
The upshot of this reality is that a very small team of developers is responsible for maintaining the code. That means updates come along slowly, if at all, for older devices. By extension, serious security issues get addressed slowly, if they ever get addressed at all.
Continue reading “Chances Are Your Router’s Firmware Blows”
We’re very happy with the combination of a Grandstream GVR3550 Network Video Recorder (NVR) and GXV3672 IP surveillance cameras. That combination provides a reliable, affordable solution for monitoring events hereabouts. The GVR3550 accommodates up to four 3.5” hard drives, providing up to 16 TB of space, and is capable of recording up to 36(!) camera streams.
This week the company launched a smaller version, the GVR3552. The half-rack-width form factor accommodates two 2.5” hard drives, up to 4 TB in total. The storage can be arranged in RAID0 or RAID1. Two drives have the bandwidth to record 16 streams at 720p or 8 streams at 1080p.
The device has an HDMI output that allows real-time monitoring of up to 4 cameras. That’s exactly right-sized for many homes and small businesses.
The list price for the GVR3552 is just $149, without hard drives, making it quite a bargain. I think it’s especially suitable for the DIY crowd, like myself.
While I have been basically offline for the past week, I took some time while awaiting one of my flights home to read some news. That little exercise revealed that the Freeswitch community call this past week featured Phil Zimmermann describing VoIP encryption and more specifically his ZRTP protocol. Happily, the recording of the call was put online Thursday.
Phil is of course one of the leading lights in the world of encryption. The call features Phil speaking plainly and openly about the need for encryption and the manner of its implementation in ZRTP.
The call remains a community call, so it goes off in various directions at times, including a little Asterisk bashing. However, Phil makes a good effort to keep the call informative, making it a great listen for anyone interested in voice security.
The recent blow-up in the UK over the tabloid media accessing people’s cellular voicemail is certainly interesting. Endless media outlets are reporting the crime as “hacking” cell phones or cell phone voice mail. Here are just a few examples:
I find that the use of the term “hacking” in this context rests uneasily with me. In my mind hacking implies that there’s an appreciable skill involved. The most basic of the techniques described I consider to be trivially simple. It requires no particular skill at all, just a little devilishness.
Continue reading “News Of The World & “Hacking” Cell Phone Voicemail”
A couple of weeks ago at Toorcon security researcher Eric Butler released a curious new plug-in for the popular Firefox web browser. Known as FireSheep, this plug-in allows even an unskilled person to monitor traffic on an open wifi network. It further allows its users to capture the session cookies that other people’s browsers on that WLAN send in the clear after logging in to sites like Facebook, Twitter, FourSquare, etc.
I won’t go into how it works since others have done a nice job of that already. Suffice it to say that this is scary stuff given how common it is for people to use open wifi networks at public places, usually without giving it a second thought.
FireSheep was not intended as a tool for criminal or malicious activity. Its release was intended to expose a security issue in the way web sites handle the cookies they set at login. While the login itself happens over HTTPS, the session cookie that results is typically sent over plain HTTP on every subsequent request, where anyone on the same open network can read it and reuse it to impersonate the user.
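To make the cookie problem concrete, here is an added example in Python; it is not code from the original post and not FireSheep’s own code. It works on two constructed samples: an HTTPS login response whose session cookie lacks the Secure attribute, and the cleartext request the same browser then sends on the open WLAN. The host name example.social, the cookie names and the cookie values are all made up for the illustration. The first function is the check a site operator would want; the second shows what a passive listener learns from a single unencrypted request.

```python
"""Session sidejacking of the kind FireSheep demonstrated.

Added illustration, not from the original post or from FireSheep.
Both HTTP messages below are constructed samples.
"""

# Constructed: headers of the HTTPS login response. The session cookie has
# HttpOnly but no Secure attribute, so the browser will also send it over
# plain HTTP. Only "remember" is marked Secure.
LOGIN_RESPONSE_HEADERS = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://example.social/home\r\n"
    "Set-Cookie: sessionid=9f1c4a8e2b7d; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrftoken=ab12cd34; Path=/\r\n"
    "Set-Cookie: remember=1; Path=/; Secure\r\n"
    "\r\n"
)

# Constructed: a later request the same browser sends in the clear on the
# open WLAN (here, following the redirect to the plain-HTTP home page).
CLEARTEXT_REQUEST = (
    "GET /home HTTP/1.1\r\n"
    "Host: example.social\r\n"
    "Cookie: sessionid=9f1c4a8e2b7d; csrftoken=ab12cd34\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def insecure_cookies(response_headers):
    """Return the names of cookies set without the Secure attribute.

    This is the operator-side check: any cookie listed here will be
    transmitted over plain HTTP as well as HTTPS.
    """
    names = []
    for line in response_headers.split("\r\n"):
        if not line.lower().startswith("set-cookie:"):
            continue
        value = line.split(":", 1)[1].strip()
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        if not any(attr.lower() == "secure" for attr in parts[1:]):
            names.append(name)
    return names


def sidejack(request, session_cookie_names=("sessionid",)):
    """What a passive listener learns from one cleartext HTTP request.

    Returns the target host and only the cookies that carry the session,
    which is all an attacker needs to impersonate the victim.
    """
    host = None
    cookies = {}
    for line in request.split("\r\n"):
        lower = line.lower()
        if lower.startswith("host:"):
            host = line.split(":", 1)[1].strip()
        elif lower.startswith("cookie:"):
            for pair in line.split(":", 1)[1].split(";"):
                if "=" in pair:
                    key, val = pair.strip().split("=", 1)
                    cookies[key] = val
    stolen = {k: v for k, v in cookies.items() if k in session_cookie_names}
    return {"host": host, "session": stolen}


def replay_header(capture):
    """Cookie header the attacker attaches to their own requests to reuse
    the stolen session. No password is ever needed."""
    return "Cookie: " + "; ".join(
        f"{k}={v}" for k, v in capture["session"].items()
    )


if __name__ == "__main__":
    print("cookies exposed to plain HTTP:", insecure_cookies(LOGIN_RESPONSE_HEADERS))
    grab = sidejack(CLEARTEXT_REQUEST)
    print("captured from WLAN:", grab)
    print("attacker sends:", replay_header(grab))
```

The fix on the site side is the mirror image of the first check: set the session cookie with the Secure attribute and serve every page of the logged-in session over HTTPS, so that the cookie never travels in the clear in the first place. On the client side, the only real defence on an open WLAN is to tunnel everything (VPN or SSH) before the browser sends a single request.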
Whatever the intent, it’s certain that some less scrupulous people will use it or the lessons learned from it for illicit purposes such as identity theft.
Continue reading “Life In The Time Of FireSheep”
Ward Mundy over at Nerd Vittles has a great post today about SIP security. It’s entitled The Incredible PBX: Adding Remotes, Preserving Security. If you run an Asterisk-based PBX you should probably read this. Now!
Ward’s advice really rings true (sorry for the telecom geek pun, it couldn’t be helped!). His “Baker’s Dozen SIP Security Checklist” makes perfect sense. That doesn’t mean that I can’t add my own two cents.
Continue reading “Nerd Uno Dishes Out Advice on SIP Security”