Four Commandments From a Cyberparent

"Children at School" by Lucélia Ribeiro, used under license CC BY-SA 2.0 / modified from original

One recent evening I spoke to a home school parents group about keeping their kids safe online. Having worked in the cyber security industry professionally for over 15 years, I've seen far too many ways that computers and their users can be abused. But panic isn't a healthy or productive response. Disconnecting from modern technology would mean giving up the amazing things technology has made possible, such as:

• Amazon created the Dash Button - stick one near a place where you use consumables. Running low on laundry detergent? Just press the button, and more will be delivered tomorrow. (Keep out of reach of children!)
  
• A recent Twitter conversation discussed how Skype is being used by hearing-impaired people to communicate in sign language, from their mobile devices, anywhere in the world. Wow.
  
• Two-factor authentication using Apple Watch means you can log into an account on your phone or laptop, then click a button on your watch to say "yes, it's really me."
  
• A paralyzed soldier is able to walk thanks to an exoskeleton (okay, okay, this one's not strictly Internet-related, but it's an amazingly cool piece of the future!)

Instead of letting paranoia take hold, I prefer to take a few precautions and enjoy the benefits of living in the future. I teach my children the same.

A great debate: is a smartphone really a second factor?

Here's a polarizing question: is a phone a second factor, in the context of two-factor authentication? Fellow infosec pro @johnnysunshine tweeted the above last week, and sparked a lively debate.

Before answering the question, let's back up a bit and explain two-factor authentication (or 2fa). To borrow an analogy I first used two years ago: 10,000 years ago, Grog and Mag formed a secret club. To ensure new members of the club would be accepted, they came up with a secret phrase. Thus was born the first password. One day Narg overheard two members greeting one another and learned the secret phrase. Thus occurred the first password breach.

Passwords can be stolen though, whether through a server database breach, or via a phishing scam, or by keylogging malware that captures the password as you enter it into a webpage. If a password is the only thing protecting your account, then a stolen password lets an attacker pretend to be you. If the attacker knows the right password, the server or website has no way of knowing it's an impostor.

By adding a second factor - something you physically possess (an identification card, or a token generator, or - the crux of today's question - a phone), the bar for an attacker is raised. Individually, each factor might be relatively easy to defeat. Gaining access to both a password and a device at the same time though takes more effort, and is far less likely. Not impossible, but less likely.

ARRIS (Motorola) SURFboard modem unauthenticated reboot flaw

"Wipeout" by Dan Davison, used under license CC BY 2.0

Update April 8: Tom's Guide and The Wire Cutter both report having received a statement from ARRIS that they have updated the SB6141 firmware and are in the process of making it available to service providers. As cable modems are not consumer-updateable, it is up to Internet Service Providers to deliver the update to modems. 

Update April 10: The original post was based on first-hand testing with the SURFboard 6141 modem. It turns out the same flaw existed in the older SURFboard 5100 model at least as early as 2008. Multiple individuals have also contacted me both publicly and privately to confirm the same flaw exists in the popular but dated 6121 model. In addition, Michael Horowitz wrote for Computerworld about this very issue in February 2015, and described blocking LAN access to the cable modem using router settings. If you do not use a router model that Michael demonstrates, the iptables rules at the end of the original post below will work on any Linux-based router that allows command line access.

Update April 11: ARRIS published a note stating that contrary to their box markings and SURFboard 6141 product page claims, 135 million referred to the total number of all SURFboard modems in production, not the number of SB6141 units. A subset of this number are affected by this flaw.

Update March 30, 2017: Most ISPs have now pushed an updated firmware that eliminates the reboot and reset features (but doesn't actually secure the UI). I left the proof of concept online for a year but have now taken it down.

Original post:

Want to annoy some friends? Ask them to visit this website:

RebootMyModem.net

Actually, don't ask them to do that until explaining that it is a proof of concept example that may in fact interrupt their Internet connection.

ARRIS (formerly Motorola) SURFboard modems are highly popular broadband cable modems with a reputation for reliability. The SB6141 model in particular can be found for around $70 US, is capable of supporting well over 150 megabit speeds, and works with all the major US Internet providers. According to ARRIS' documentation, the SB6141 is the world's most popular cable modem with over 135 million in production. [See April 11 update above for a disclaimer about the number of units affected.]

Rebooting one remotely is so easy, it doesn't even require a password.

Certain SURFboard modems have an unauthenticated cross site request forgery flaw. The modems have a static IP address that is not consumer-changeable, and the web UI does not require authentication - no username or password is required to access the administration web interface.

Malware-laden "speeding ticket" emails crafted using GPS data from users' own phone

Over the weekend, I came across an ingenious phishing scam seen in a small Pennsylvania town. Residents of Tredyffrin, PA have been receiving email claiming to be a speeding citation from the local police department, but containing accurate data including locations, posted speed limits, and actual driving speeds. The data is believed to come from a mobile app with permissions to access GPS data, though the actual app has not been named (nor is it certain whether it is a compromised legitimate app, or a malicious app built for the scam).

Targeted victims receive an email similar to the following:



As the email contains actual and accurate location and driving speed data, the Tredyffrin Police suspect a "free mobility or traffic APP" is involved. The attached "infraction statement" does not actually contain a license image nor any means of paying a fine; instead, it contains malware.

Oh no! Introducing kids to computers might encourage HACKERS!

Time to rant for a few minutes. A British tabloid author published a story this week entitled "Will the BBC's free micro:bit computer create a generation of teenage HACKERS?" I generally ignore inane stories such as this, but in this case an article with dangerously uninformed opinions is getting a fair amount of attention. 

This article is so far off base, I don't know where to start. 

The BBC, the United Kingdom's public broadcasting company, has launched an initiative to put miniature DIY computers in the hands of students. According to the story, each year 7 student (roughly equivalent to 7th grade in the US) in England, Wales, Northern Ireland and Scotland will receive a micro:bit computer. The goal is to teach kids the basics of computer circuits and computer programming, which some kids may then build upon with more advanced education.

The author tries to make a case that teaching young kids computing skills will encourage a new generation of malicious hackers. 

In the wake of a disaster, be alert for relief scams

Updated 2016 October 7: As Hurricane Matthew makes its way up the US East Coast, I've updated this post with advice both for would-be givers dodging fake charities, and for those affected by disaster avoiding unscrupulous contractors.

The morning (local time) of Tuesday March 22, 2016, an airport and a metro train station in Brussels, Belgium, were struck by separate but presumably linked explosions (warning: the linked articles contain some disturbing images). 

As appalling as it is, major internationally-publicized disasters such as this invariably are followed by "cyber opportunists," criminals who take advantage of the publicity for their own nefarious gain. Two common methods are fraudulent requests for assistance, and malware-laden websites using search engine optimization to appear high in search results for news on the events of today.

A great debate: smartphones and two-factor authentication

Here's a polarizing question: is a phone a second factor, in the context of two-factor authentication? Fellow infosec pro @johnnysunshine tweeted the above last week, and sparked a lively debate.

Read more about the debate on CSOonline.