Saturday, July 26, 2014

Securing a home network with the RT-AC87 wireless router

Let's say you want a wireless network in your home or small office. Maybe it's a new home, or maybe you're upgrading to something faster / more reliable / with better range. So you run down to the nearest big box retailer or online electronics shop, purchase something that looks good, unbox it, plug it in, and you are good to go, right?

Not quite. As nice as it would be if setting up a secure wireless network were just a matter of unboxing and plugging in a new router, it takes a few more steps to properly set things up. The good news is basic home network security is not terribly complicated - and the better news is newer wireless routers make it easier than ever to set things up safely. In this post I use the new ASUS RT-AC87U (aka RT-AC87R) to demonstrate basic secure installation.

TL;DR: see the brief checklist at the end for simple steps to secure a home wireless network.

Sunday, July 20, 2014

ASUS RT-AC87U / RT-AC87R first look

I've spent some time digging around the software on a few ASUS wireless router models this year, after finding a flaw that prevented the routers from recognizing new firmware was available in February. Along the way I found a modest bug in which the routers revealed the administrator password in clear text anytime the administrator was logged in (which was essentially always, since the routers did not automatically log you out). This week I had the privilege of exploring a pre-release unit of the brand new RT-AC87U, which uses multiple bands and multiple antennae to achieve what ASUS dubs “AC2400.” I'll write more in a few days, but here are my first impressions.

Monday, July 14, 2014

Digital certificates could allow spoofing ... could you give it to me in English?

On July 10, Microsoft published a bulletin stating that improperly issued digital certificates could allow spoofing. What exactly does that mean though? And for that matter, what is a digital certificate anyway?

In the physical world, you often conduct business with others face-to-face. If you do not personally know someone, you might rely on a trusted third party to vouch for the person's identity. That trusted third party might be a mutual friend, or it might be a government office that issues identification documents (passports, driver's licenses, state identification cards, school IDs, and the like). Digital certificates are the online equivalent of an identification card. See my article on the Heartbleed OpenSSL vulnerability for a thorough (but easily readable) explanation of digital certificates.

Friday, July 11, 2014

Gameover Zeus is back

I have received multiple email spam this afternoon, all with the following pattern:

Payment to <email>
Random order number and purchase amount
Link to Dropbox

The download link goes to variations on The retrieved file for this sample has filename GBWNkgcdZ5GFTcBjE6gXTflu3VPLZDCX3zDEXM4ku35IhUrh5haqM9jidSC4nVkF@dl=1, sha256 b4b0d32c8aba6b319587f0828e607327fcdc763a39af4a0479efd2ec49fba949. VirusTotal finds only 1 of 54 tested AV detect it (as Spyware.Zbot.VXGen).

This is a different subject, hash, and detection from what Malcovery reported yesterday, but is still consistent with the Gameover Zeus botnet.

If you receive this spam, don't click the link.

Wednesday, July 9, 2014

TxDOT fixes security issues with

In April, I reported several security concerns to the Texas Department of Transportation, which is responsible for among other things toll roads throughout the state. The concerns had to do with the billing and management website for TXTAG, one of several tolling systems in the state. Specifically, the login design made it easy for someone with ill intent to gain unauthorized access to a substantial portion of driver accounts, and having gained access, to acquire complete credit card numbers along with the collateral necessary to use them (expiration date, mailing address, cardholder name).

Tuesday, July 8, 2014

Dear TSA, my phone is not a bomb. See? It powers on!

Security Theater: the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to actually achieve it.
On Sunday the Transportation Security Administration announced new "enhanced security measures" at some overseas airports. (The TSA does not perform security screening overseas, but it does specify requirements for flights entering the US) The new rule? Travelers must power on electronic devices such as cell phones. If the device does not power on, it will not be allowed on board the aircraft - and the passenger will be subject to additional screening. The theory is that if a device does not power on, a traveler may have replaced the batteries with explosives.

Tuesday, July 1, 2014

A Facebook "social experiment" to manipulate your feelings

For one week in early 2012, Facebook ran a somewhat creepy social psychology experiment on about 690,000 users of the web site. In conjunction with Cornell University and the University of California, the social media site attempted to control the emotional state of users by controlling the type of posts that showed up on a person’s news feed. Specifically, the organization reduced the amount of “emotional content” in the news feed, in some cases reducing only negative content, and in other cases reducing only positive content. As reported in the study, “These results indicate that emotions expressed by others on Facebook influence our own emotions.” At the risk of sounding unprofessional, "well, duh."