Thursday, February 20, 2014

Breaking down the Asus router bug

Tuesday I wrote about an apparent bug in the ASUS RT-AC66R and RT-AC66U routers that prevents them from recognizing a new firmware version is available. After investigating further, the root cause turned out to be a simple matter of ASUS not updating the file on their live updates server that reports the latest firmware for each router model. Depending on the specific model, ASUS wireless routers download a text file (strangely labeled as a zip file) from http://dlcdnet.asus.com/pub/ASUS/LiveUpdate/Release/Wireless or /Wireless_SQ. This file lists all supported models of router, along with the latest firmware version for each. These files appear to have not been updated since October 9, 2013, the date of the 3.0.0.4.374.979 firmware release.

Tuesday, February 18, 2014

How much do you know about your home router?

As much as vendors would like to deny it, setting up a secure home network is not plug and play. It behooves you to understand at least the basics, or to consult with someone that does. An improperly secured wifi router is a gateway into your home.
Bottom Line Up Front: If you own an Asus router, update the firmware immediately. Do not rely on the firmware check function built into the router – go to support.asus.com and find the latest firmware version available for your model of router.

Yesterday afternoon, Ars Technica published an article about a “white hat” hacking incident. Certain Asus routers have a vulnerability in the AiCloud service (Asus’ proprietary web service, which enables FTP and Samba/ file sharing, among other things) whereby an unauthenticated user from the Internet could gain access to hard drives connected to the USB port on the router, either to read data off the drive, or write new data to the drive. This vulnerability was in fact reported last June, but not fixed by the vendor until last week.

The Ars Technica article describes an unsuspecting user finding an unexpected text file on his hard drive, a text file describing the flaw and calling Asus out for not fixing it 8 months after responsible disclosure.

Been "Targeted?"

It's been a while since I blogged ... amazing how life gets in the way sometimes. Today I want to talk for a bit about the Target data breach that happened last November and December. I won't spend too much time on the technical details (several others have done an outstanding job on that front). Instead, I'll look at it from the "what now?" point of view.

Some background is in order though. Around December 12, 2013, the US Justice Department alerted Target that credit cards used at Target stores were subsequently being used fraudulently. By December 15, Target confirmed the "possibility" of a data breach. After substantial forensic work, a few things are becoming known.

Whois David?

My photo

I have spent the better part of two decades in information technology and security, with roots in application developer support, system administration, and network security. My specialty is cyber threat intelligence - software vulnerabilities and patching, malware, social networking risks, etc. In particular, I strive to write about complex cyber topics in a way that can be understood by those outside the infosec industry.

Why do I do this? A common comment I get from friends and family is that complex security topics give them headaches. They want to know in simple terms how to stay safe in a connected world. Folks like me and my peers have chosen to make a profession out of hacking and defending. I've been doing this for the better part of two decades, and so have a high degree of knowledge in the field. Others have chosen different paths - paths where I would be lost. This is my effort to share my knowledge with those that are experts in something else.

When not in front of a digital screen, I spend my time raising five rambunctious teens and pre-teens - including two sets of twins. Our family enjoys archery, raising show and meat rabbits, and simply enjoying life in the Texas hill country.

For a decade I served as either Commander or a division leader for the Awana Club in Dripping Springs, Texas; while I have retired from that role I continue to have a passion for children's ministry. At the moment I teach 1st through 3rd grade Sunday School. Follow FBC Dripping Springs Kids to see what is going on in our children's ministries.