Monday, April 25, 2016


Years of perseverance led to the Senior Champion Rabbit Showman award.

Allow me to digress from computer security, and talk about something else for my 200th blog post.

The last week of January, my daughter was named the senior division Rabbit Showmanship Champion at the county Youth Livestock Show, and won a fancy belt buckle (pictured above). This award means far more to me than a grand champion animal would (though I'd love for our family to produce the latter too), because of what it represents.

Showmanship involves a student's knowledge of their animal and breed, the responsibility they display, how well they present themselves and their animal, and how well they control their animal. While a champion animal involves the student taking good care of it, there is also a lot of genetics and a good bit of luck involved in raising a winning animal. Showmanship on the other hand is entirely up to the student.

What makes me the most proud though is not that she won the buckle. It's how she got to this point.

Thursday, April 14, 2016

Got QuickTime? Take a moment to "unget" it

Correction: the original post referred to ZDI as a division of HP; Trend Micro bought ZDI from HP in October 2015. At this point, the discontinuation of Apple's QuickTime for Windows product is a statement from Trend Micro and not publicly confirmed by Apple. Regardless, QuickTime has publicly-disclosed flaws that can be exploited to take control of your PC, and has not fixes available.

Apple just discontinued and published removal instructions for QuickTime for Windows, a once-popular video player and web browser plugin. Software that lingers on past a vendor dropping support for it can quickly become a gateway for malicious hackers to enter your computer - Windows XP has been an infamous example since Microsoft dropped support for it in April 2014.

QuickTime is no exception: Trend Micro's Zero Day Initiative found a few new vulnerabilities that can be exploited to take control of your PC, and so recommends that you remove QuickTime right away. To be fair, the risk here is a bit less than it is with, say, Adobe's Flash Player or Microsoft's Silverlight. While those products can run in your browser automatically upon loading a webpage, the QuickTime plugin is an older format that most browsers no longer support. One would have to open a QuickTime movie outside a browser (perhaps from an email attachment) to be at risk.

But here's the kicker: Apple's own Software Update utility still offers to install it for you. Don't. I still recommend keeping Apple Software Update - let it keep any Apple software you do use up to date - but don't let it install QuickTime!


  • ZDI-16-241: Apple QuickTime moov Atom Heap Corruption Remote Code Execution Vulnerability
  • ZDI-16-242: Apple QuickTime Atom Processing Heap Corruption Remote Code Execution Vulnerability
  • Apple HT205771: Uninstall QuickTime 7 for Windows
  • US-CERT TA16-105A: Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced
  • CSOonline: CERT advisory urges QuickTime removal due to vulnerabilities, Apple does too

Tuesday, April 12, 2016

Four Commandments From a Cyberparent

These four "commandments" form a solid foundation for teaching kids to be safe online.
"Children at School" by Lucélia Ribeiro, used under license CC BY-SA 2.0 / modified from original
One recent evening I spoke to a home school parents group about keeping their kids safe online. Having worked in the cyber security industry professionally for over 15 years, I've seen far too many ways that computers and their users can be abused. But panic isn't a healthy or productive response. Disconnecting from modern technology would mean giving up the amazing things technology has made possible, such as:

  • Amazon created the Dash Button - stick one near a place where you use consumables. Running low on laundry detergent? Just press the button, and more will be delivered tomorrow. (Keep out of reach of children!)
  • A recent Twitter conversation discussed how Skype is being used by hearing-impaired people to communicate in sign language, from their mobile devices, anywhere in the world. Wow.
  • Two-factor authentication using Apple Watch means you can log into an account on your phone or laptop, then click a button on your watch to say "yes, it's really me."
  • A paralyzed soldier is able to walk thanks to an exoskeleton (okay, okay, this one's not strictly Internet-related, but it's an amazingly cool piece of the future!)

Instead of letting paranoia take hold, I prefer to take a few precautions and enjoy the benefits of living in the future. I teach my children the same.

Tuesday, April 5, 2016

A great debate: is a smartphone really a second factor?

Here's a polarizing question: is a phone a second factor, in the context of two-factor authentication? Fellow infosec pro @johnnysunshine tweeted the above last week, and sparked a lively debate.

Before answering the question, let's back up a bit and explain two-factor authentication (or 2fa). To borrow an analogy I first used two years ago: 10,000 years ago, Grog and Mag formed a secret club. To ensure new members of the club would be accepted, they came up with a secret phrase. Thus was born the first password. One day Narg overheard two members greeting one another and learned the secret phrase. Thus occurred the first password breach.

Passwords can be stolen though, whether through a server database breach, or via a phishing scam, or by keylogging malware that captures the password as you enter it into a webpage. If a password is the only thing protecting your account, then a stolen password lets an attacker pretend to be you. If the attacker knows the right password, the server or website has no way of knowing it's an impostor.

By adding a second factor - something you physically possess (an identification card, or a token generator, or - the crux of today's question - a phone), the bar for an attacker is raised. Individually, each factor might be relatively easy to defeat. Gaining access to both a password and a device at the same time though takes more effort, and is far less likely. Not impossible, but less likely.

Friday, April 1, 2016

ARRIS (Motorola) SURFboard modem unauthenticated reboot flaw

The world's most popular cable modem can be rebooted with no authentication required.
"Wipeout" by Dan Davison, used under license CC BY 2.0

Update April 8: Tom's Guide and The Wire Cutter both report having received a statement from ARRIS that they have updated the SB6141 firmware and are in the process of making it available to service providers. As cable modems are not consumer-updateable, it is up to Internet Service Providers to deliver the update to modems. 

Update April 10: The original post was based on first-hand testing with the SURFboard 6141 modem. It turns out the same flaw existed in the older SURFboard 5100 model at least as early as 2008. Multiple individuals have also contacted me both publicly and privately to confirm the same flaw exists in the popular but dated 6121 model. In addition, Michael Horowitz wrote for Computerworld about this very issue in February 2015, and described blocking LAN access to the cable modem using router settings. If you do not use a router model that Michael demonstrates, the iptables rules at the end of the original post below will work on any Linux-based router that allows command line access.

Update April 11: ARRIS published a note stating that contrary to their box markings and SURFboard 6141 product page claims, 135 million referred to the total number of all SURFboard modems in production, not the number of SB6141 units. A subset of this number are affected by this flaw.

Update March 30, 2017: Most ISPs have now pushed an updated firmware that eliminates the reboot and reset features (but doesn't actually secure the UI). I left the proof of concept online for a year but have now taken it down.

Original post:

Want to annoy some friends? Ask them to visit this website:
Actually, don't ask them to do that until explaining that it is a proof of concept example that may in fact interrupt their Internet connection.

ARRIS (formerly Motorola) SURFboard modems are highly popular broadband cable modems with a reputation for reliability. The SB6141 model in particular can be found for around $70 US, is capable of supporting well over 150 megabit speeds, and works with all the major US Internet providers. According to ARRIS' documentation, the SB6141 is the world's most popular cable modem with over 135 million in production. [See April 11 update above for a disclaimer about the number of units affected.]

Rebooting one remotely is so easy, it doesn't even require a password.

Certain SURFboard modems have an unauthenticated cross site request forgery flaw. The modems have a static IP address that is not consumer-changeable, and the web UI does not require authentication - no username or password is required to access the administration web interface.