skip to Main Content

Chances Are Your Router’s Firmware Blows

Linksys WRT-54G RouterYou surely have a lock on your front door. Do you have such a lock on your network? Though you may think so, but it may well be wholly unlocked. Or at least, you may not be able to know for certain that it’s locked. If you use a commercial Wi-Fi router from your ISP, or one of the big names like Linksys, Belkin, DLink et al, your network may not be as secure as you think.

At the outset let me state that, as someone who reads hereabouts, you’re no dummy. You’ve taken steps to ensure that the router doesn’t still have  the default admin password. You’re using modern encryption on your Wi-Fi. You’re being responsible, but there are things beyond your grasp.

The simple fact is that the firmware the runs most retail, commercial routers is closed source. As such, you have no ready way to verify it’s behavior. Yet, the manufacturer, by virtue of necessity, uses various common software modules to create their firmware. They may even use some open source modules, but end up with an closed source binary in the end.

The upshot of this reality is that you have a very small team of developers responsible for maintaining the code. That means updates come along slowly, if at all for older devices. By extension, serious security issues get addressed slowly, if they ever get addressed at all.

Read More

News Of The World & “Hacking” Cell Phone Voicemail

The recent blow-up in the UK over the tabloid media accessing people’s cellular voicemail is certainly interesting. Endless media outlets are reporting the crime as “hacking” cell phones or cell phone voice mail. Here are just a few examples:

I find that the use of the term “hacking” in this context rests uneasily with me. In my mind hacking implies that there’s an appreciable skill involved. The most basic of the techniques described I consider to be trivially simple. It requires no particular skill at all, just a little devilishness.

Read More

Life In The Time Of FireSheep

A couple of weeks ago at Toorcon security researcher Eric Butler released a curious new plug-in for the the popular Firefox web browser. Known as FireSheep this plug-in allows even an unskilled person to monitor traffic on an open wifi network. It further allows its users to capture the login data exposed as web browsers of other people on that WLAN perform logins to sites like Facebook, Twitter, FourSquare, etc.

I won’t go into how it works since others had done a nice job of that already. Suffice it to say that this is scary stuff given how common it is for people to use open wifi networks at public places, usually without giving it a second thought..

FireSheep was not intended as a tool for criminal or malicious activity. It’s release was intended to expose a security issue in the way web browsers handle cookies arising from login. While the login process itself is secure, the handling of the resulting cookies usually is not.

Whatever the intent, it’s certain that some less scrupulous people will use it or the lessons learned from it for illicit purposes such as identity theft.

Read More

Nerd Uno Dishes Out Advice on SIP Security

Ward Mundy over at Nerd Vittles has a great post today about SIP security. It’s entitled The Incredible PBX: Adding Remotes, Preserving Security. If you run an Asterisk based PBX you should probably read this. Now!

Ward’s advice really rings true (sorry for the telecom geek pun, it couldn’t be helped!)  His “Baker’s Dozen SIP Security Checklist” makes perfect sense. That doesn’t mean that I can’t add my own two cents.

Read More
Back To Top