riobard 243 days ago [-]
Yet another misuse of 1.1.1.1 in the figures.

Actually, it was a mistake NOT reserving more human-friendly IP blocks for documentation/example purpose. The three /24 blocks reserved all fail blatantly because nobody remembers them, and they look as unsuspicious as normal blocks.

1.2.3.0/24 would be a much better choice because people would easily remember them and know it's not "real", just like you would not take a phone number 123-4567 on a filled form as "real" (even though it might be).

Next time you make anything, please remember to design for humans.

isostatic 243 days ago [-]
A whole 16 million IPs were allocated in 10.0.0.0/8 for private use, and "10" is pretty easy to remember. Trouble is people then used it.

By the time 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24 were allocated in RFC5737, it was too late.

IPv6 makes human IP addresses meaningless, but even then I believe they allocated 2001:DB8::/32

What a stupid address range for examples

prepend 243 days ago [-]
> IPv6 makes human IP addresses meaningless

Tell that to my blog dead:beef:dead:beef:dead:beef:dead:beef

chiph 243 days ago [-]
The 10.x region is the reason that a former employer is such a huge user of NAT. They'd acquire a business who were also using that range, and they'd integrate the networks via NAT because it was too hard & dangerous to change the acquired company's devices & services.
ge0rg 243 days ago [-]
Except that everybody knows that the "fake" phone number prefix is 555: https://en.wikipedia.org/wiki/555_(telephone_number) ;-)
AllegedAlec 243 days ago [-]
Except that 'everybody' in this case only means people in North America, and, reading the siblings of this comment, not even all of them.
codetrotter 243 days ago [-]
Not only people in North America — I’d say everybody that has an above average interest in movies. In Hollywood they use 555-xxxx all the time.
matte_black 243 days ago [-]
Except these days a real number is commonly used if it provides a marketing benefit, given how easy it is for people to pause movies and read all visible text.
deathanatos 243 days ago [-]
I'm watching Hawaii Five-Oh on Netflix at the moment, and the show regularly uses that prefix when a phone number is required for the plot. Makes me smile every time they do it.
xellisx 243 days ago [-]
555-1212
IncRnd 243 days ago [-]
Except that not everybody knows that. I use the # for information at stores, when asked for a #, and the cashiers usually have no idea what 555-1212 means. In my sample, the vast majority of people do NOT know.
mulletbum 243 days ago [-]
You might be confusing "do not know" for "do not care."
c22 243 days ago [-]
Yeah, my technique is to punch a random number into the machine, if it works then no problem, but if not the cashier will just scan the "store card" after the 2nd failure.
IncRnd 240 days ago [-]
That's my technique too, but when the cashier asks to look up my number I give them 555-1212. That is what fed into my comment. Most people don't care what number is used, but many also don't know that 555-1212 is the secondary information number. This, of course, depends upon their age and geography. This comes up in the friendly conversations that result upon them looking up the phone number.
isostatic 243 days ago [-]
When I bought large items at crappy retailers like currys, they often refused to serve me without a postcode. I'd use SW1A 1AA, 2AA or 0AA

Except when buying a TV -- that would be W1A 1AA

IncRnd 243 days ago [-]
Exactly.
isostatic 243 days ago [-]
Sadly the reverse lookup for 10 Downing Street is "Prime Minister and First Lord of the Treasury".

I told the cashier "That's me, don't you recognise me without the makeup?"

JorgeGT 243 days ago [-]
You should have said something like "note that the Chief Mouser to the Cabinet Office, albeit less known to the general public, also lives in the building", which is technically true.
discreditable 243 days ago [-]
Cashiers don't know, or don't care?
IncRnd 243 days ago [-]
Of course some know but don't care, but the majority I met don't know.
michaelmrose 243 days ago [-]
How did you ascertain that they didn't know?
IncRnd 243 days ago [-]
Because I was the one who provided the phone number and stood there talking with them.
michaelmrose 243 days ago [-]
How do you differentiate not caring what number you gave them from not knowing? The fact that they showed no reaction is more of a sign of how few fucks are given rather than everyone else's ignorance.
IncRnd 242 days ago [-]
> How do you differentiate not caring what number you gave them from not knowing

I said how in the comment to which you replied.

Where did I say, "fact that they showed no reaction"? Why do you interpret something unstated as a fact?

michaelmrose 242 days ago [-]
Because you failed to bother to give a more comprehensive answer when I asked how you knew, I extrapolated. Did you personally conduct a survey?
smudgymcscmudge 243 days ago [-]
Wasn’t 555-1212 the only 555 number that worked?
mikestew 243 days ago [-]
It used to connect you to directory information (as in "I need the number for mikestew in Seattle...") for the specified area code (or local, if no area code specified). I don't know if it still works or not.
jasonjayr 243 days ago [-]
There are other codes in there, caller & circuit id read-backs and other utilities the telco will use. They're usually private, but no serious harm if the public find out about them.
tinus_hn 243 days ago [-]
If you make it foolproof, the world will just create better fools.
oasisbob 243 days ago [-]
We haven't always had CIDR.

Saying that not carving a single /24 out of a class A network is bad UX when variable length netmasks weren't even in use yet is a fundamentally silly misreading of history.

throwawya1w2 243 days ago [-]
I thought my home network was secure. Last week, I turned on my Surface and its lock screen had a "remote session active" screen. Before I could do anything, it turned itself off. When I turned it back on, it showed "low battery" and turned off. I have no idea if this was a bug or somebody remotely accessed it. I had everything updated to the latest software/firmware. Remote desktop itself was disabled on the Surface (though it had "allow remote assistance" enabled). I didn't have router web administration enabled. Router admin password as well as wifi password were unique, 15-20 chars long and I never used them anywhere else. Same thing for my Microsoft account that I use for Windows login. Wifi also had MAC address filtering enabled. There was only one more person using my network, and it's unlikely they would do this because I don't think they know my password. And I don't think they are that technically knowledgeable other than to use a PC for browsing. I also had a Synology NAS with OpenVPN. Router was configured to forward the VPN port, but Synology's firewall was configured to allow connections only from 2 IP ranges that my phone gets when on mobile network. Strangely, after this incident, I turned off the VPN and now my NAS goes to sleep properly. It never used to sleep before. I sit right next to the NAS and I could hear the HDDs reading/writing all the time, although slowly. I always used to think maybe someone was slowly copying files from my NAS.

I had earlier set up a pfsense box purely for ad blocking and to keep out Google/Microsoft creepware. But I had stopped using it because of the learning curve. Now, I am learning how to properly configure it.

It's kind of amusing if you think about it. In olden days, people had to worry about physical attack of their house. Nowadays, I am more worried about these virtual attacks.

tinus_hn 243 days ago [-]
Routers and NAT only protect against incoming connections. If someone can force your computer to make an outbound connection there is no protection.
throwawya1w2 243 days ago [-]
The Surface was factory reset only a few days back. I don't use it that much except for occasional ebooks. The only software I had in it were Firefox, Chrome, Office and Drawboard if you don't consider all that Candy crush/Soda crush/Animal kingdom bloat that MS likes to push on us (which I promptly uninstalled).

I have to admit that I downloaded the pdf ebooks from piracy sites. So don't know if they had some malware in them. I did scan them with MBAM, Avira, MS Defender before use though. Note that I didn't download them from Surface. I downloaded them using a Ubuntu VirtualBox VM running on another laptop. I restore the VM to a previous snapshot each time after use.

tinus_hn 243 days ago [-]
It could very well be the original Microsoft software doing this. Check if your Microsoft account and other cloud accounts you are using on that machine have been compromised.
netsharc 243 days ago [-]
And securing houses is easy, with locks, metal parts, and alarms. You know what you're doing network-security-wise but you still don't know if the baddies got in or not...
tbihl 243 days ago [-]
Of course, securing your home is only easy because of geographic separation between yourself and the types of places where thieves will break through a non-reinforced wall while you're out of town.
mondoshawan 243 days ago [-]
The typical aphorism is "Locks only keep honest people honest."

Really, even securing your house is tricky. My place in Florida was built with the hinges to the front door on the /outside/ because of local building codes. Unfortunately, I only realized that after it was built. The locks are nice, but any enterprising thief would simply pop the hinges and remove the door if I hadn't taken steps to prevent it.

Bypassing locks is easy, and security systems are only useful when law enforcement is at the ready (rare in many places).

c22 243 days ago [-]
I had a girlfriend who would leave her sliding glass door ajar with a 2x4 to prevent it from being opened enough to let a person through. This was until I demonstrated that, unlatched, the door could just be lifted out of its frame and set aside.
epicide 243 days ago [-]
I think their point was that the person has to be at your house. E.g. they can't systematically and remotely try the door handle of homes halfway around the world.
ComodoHacker 243 days ago [-]
Have you looked into Windows logs?
throwawya1w2 243 days ago [-]
I saw these entries in Event Viewer -> TerminalServices-LocalSessionManager.

I tried to turn it on around 8:50 pm. Here, "SURFACE\name" is my MS account.

> 4/9/2018 8:49:40 PM Remote Desktop Services: Session logoff succeeded: User: SURFACE\name Session ID: 3

> 4/9/2018 8:49:40 PM Session 3 has been disconnected by session 3

> 4/9/2018 8:49:40 PM %s from %S( #0x%x/0x%x )

> 4/9/2018 8:49:40 PM Session 3 has been disconnected, reason code 11

> 4/9/2018 8:49:41 PM Session 4 has been disconnected, reason code 11

> 4/9/2018 8:49:41 PM Remote Desktop Services: Session has been disconnected: User: SURFACE\name Session ID: 3 Source Network Address: LOCAL

> 4/9/2018 8:51:00 PM Begin session arbitration: User: SURFACE\name Session ID: 4

> 4/9/2018 8:51:00 PM End session arbitration: User: SURFACE\name Session ID: 4

> 4/9/2018 8:51:00 PM Remote Desktop Services: Session logon succeeded: User: SURFACE\name Session ID: 4 Source Network Address: LOCAL

> 4/9/2018 8:51:00 PM Remote Desktop Services: Shell start notification received: User: SURFACE\name Session ID: 4 Source Network Address: LOCAL

I am not sure if the entries at 8:49 pm are what I saw as the "remote session active". Also, I am not sure if this LocalSessionManager is the right place to look.

RaleyField 242 days ago [-]
Your post prompted me to check my own Event Viewer. After some frenzied searching for the meaning of "Remote Desktop Services" entries in my own logs I figured that the alarm seems to stem only from unfortunate naming of events that LocalSessionManager drops. As this document describes[0], and after confirming with another account, the events are generated when one account wishes to run a process under another account ("Run as administrator/different user" functionality). It might be that Windows Update triggered this on your computer; consider also that Windows Update sometimes updates third party drivers and one wouldn't expect they follow all best practices.

[0] https://docs.microsoft.com/en-us/windows-hardware/customize/...

ComodoHacker 243 days ago [-]
There should be another TerminalServices-something or RemoteDesktop-something log which logs connection attempts in more detail.
throwawya1w2 243 days ago [-]
Regarding pfsense, I want to add some more info just so that people don't get any wrong idea about it.

I stopped using pfSense because I had enabled many block lists in pfBlockerNg and it was blocking sites like Github. Now, I am learning how to properly configure it. I also set up an ELK dashboard yesterday night. This is a heatmap of the scans in the last 30 minutes.

https://imgur.com/a/cU5F0

sokoloff 243 days ago [-]
To save some googling, as neither this article nor the Akamai report defined “APT”:

https://en.m.wikipedia.org/wiki/Advanced_persistent_threat

tbihl 243 days ago [-]
At this point, if you're reading an Akamai report, APT probably stands alone as a term. On a list of abbreviations their readers should know, it's not quite 'IP address', but surely it's ahead of 'DNS'.
kuon 243 days ago [-]
Why is UPnP even a thing? I mean, with NAT hole punching you can do P2P, and if you are hosting anything (web server or even bit torrent), manually forwarding a port should be within your reach.

I've been using an OpenBSD based router for years with no UPnP support and never had any issue (like unable to play online games or anything). I'm really curious why it's present on all home routers.

puwhfgwheg 243 days ago [-]
Hole punching is inadequate for routers with address-dependent NAT mappings or with DS-Lite/CGNAT. With UPnP-IGD or NAT-PCP/PMP the CPE can forward the port mappings to the AFTR/CGN.
LinuxBender 243 days ago [-]
UPnP / SSDP is a half-baked standard and will be a thing for the foreseeable future unfortunately. I say half-baked, because with just a little effort and critical thinking, users would have full control over the interaction between their systems and their routers.

For starters, a lot of gaming companies now depend on people having this so that the users run the servers instead of the gaming company having to pay for the infrastructure. They won't begin to explain to kids how to forward ports.

Many app makers now assume this as well and certainly do not want to explain to non technical users how to forward ports to a machine on their network.

IoT is just leveraging an existing precedent.

kuon 243 days ago [-]
I guess that's how we end up with situations like http://www.insecam.org/

I think this kind of knowledge should be common, I mean, you should have a "network" course at school, learn how to forward ports and the basics of how the internet works.

Well, this is another discussion.

Sukotto 243 days ago [-]
Ok. What specific steps should we be doing to ensure a home router is configured safely?

Please assume a consumer grade router given by the ISP and _maybe_ another one bought off the shelf at a box retailer. Also assume unable or unwilling to flash firmware.

ge0rg 243 days ago [-]
Disable UPnP in the router settings. In theory, that should close the hole.

Disable remote maintenance / web access. Many router web UIs have exploitable flaws that can be used to bypass password authentication.

Ensure that you are always running the latest firmware version. If there are no up-to-date versions / the router is too old, you might complain to the ISP. However, they might try to sell / rent you the latest and greatest router model then.

prepend 243 days ago [-]
It looks like this exploit gets around disabled remote maintenance, since it makes remote traffic seem local.

Disabling UPnP will do it. I’m going to set up blocking all inbound on 1900 on the ISP’s router, stopping traffic before it gets to my home router. I might finally be grateful for being forced by the ISP to use their hardware for nothing other than a hop between my network’s router and the ISP’s network.

EADGBE 243 days ago [-]
> Disable remote maintenance / web access

By this do you mean a public remote address/login or the generic 192.168.0.X login page when on the serving network?

ourmandave 243 days ago [-]
Side note: If there's one tech support job for friends and family I don't mind doing it's helping them replace the slow modem their ISP is "renting" them.

I was paying $60 per year for a DOCSIS 2 modem. Replaced it with a DOCSIS 3 for $90. Huge speed boost for almost free.

commandlinefan 243 days ago [-]
I've been begging my wife for years to let me upgrade the crap modem that the ISP is loaning us. She's terrified that if I touch anything, it's all going to break, and since she works out of the house, she won't be able to get online. Sigh...
tbihl 243 days ago [-]
And based on the last 3 providers I've had, you were getting a steal at $60/yr
chrisper 243 days ago [-]
Make sure companies care about their products and not only about money. My Swiss ISP is providing in-house developed hardware and it's quite good. I was quite surprised.
herbst 243 days ago [-]
Probably not talking about USP or Swisscom then :) I use init7 now for a while with my own router and seriously never had so few networking issues ever.
chrisper 243 days ago [-]
I have no issues with the Swisscom box.
herbst 243 days ago [-]
Well the one my ISP gave me did not only crash regularly but also auto enabled WPS, and a remote telnet administration port every other day which was insecure as fuck. These were only the obvious flaws.

Sometimes your only choice is changing the ISP.

cleanyourroom 243 days ago [-]
Disable upnp. Define port forwarding statically where necessary.
ge0rg 243 days ago [-]
The full Akamai report linked from the article also outlines that this technique (accessing UPnP from the Internet while pretending to come from the LAN) allows to expose the router's LAN services (e.g. web interface) on the Internet. I wouldn't be surprised if it could be also used to scan your LAN and to connect to any local machines, to access unauthenticated resources and to brute-force your passwords.
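
The check that a router's IGD endpoint should apply to AddPortMapping requests, as an added example in Python (not code from the article, the Akamai report, or any router firmware). The LAN range, router address and SOAP bodies are constructed for the example; it rejects the two cases described above (a mapping whose internal client is an external host, and one aimed at the router's own LAN interface) plus any request that does not arrive from the LAN:

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Constructed values for the example: a typical home LAN and the router's LAN address.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
ROUTER_IP = ipaddress.ip_address("192.168.1.1")
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"


def make_request(internal_client: str, external_port=8080, internal_port=80, protocol="TCP") -> str:
    """Build an IGD AddPortMapping SOAP body (constructed test input, not captured traffic)."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:AddPortMapping xmlns:u="{IGD_NS}">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>{external_port}</NewExternalPort>
<NewProtocol>{protocol}</NewProtocol>
<NewInternalPort>{internal_port}</NewInternalPort>
<NewInternalClient>{internal_client}</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>example</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:AddPortMapping></s:Body></s:Envelope>"""


def parse_add_port_mapping(body: str) -> Dict[str, str]:
    """Return the AddPortMapping arguments as a dict (argument elements carry no namespace)."""
    root = ET.fromstring(body)
    action = root.find(f".//{{{IGD_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    return {child.tag: (child.text or "").strip() for child in action}


def check_port_mapping(body: str, source_ip: str) -> Tuple[bool, str]:
    """Decide whether an AddPortMapping request is safe to honour.

    Rejects requests that did not originate on the LAN (the SOAP endpoint reachable
    from the WAN), mappings whose NewInternalClient lies outside the LAN (the router
    would relay Internet traffic to an arbitrary external host), and mappings aimed
    at the router itself (its LAN-only admin interface would become Internet-facing).
    """
    src = ipaddress.ip_address(source_ip)
    if src not in LAN_NET:
        return False, f"request from {src} did not originate on the LAN"
    try:
        args = parse_add_port_mapping(body)
    except (ET.ParseError, ValueError) as exc:
        return False, f"malformed request: {exc}"
    try:
        client = ipaddress.ip_address(args.get("NewInternalClient", ""))
    except ValueError:
        return False, "NewInternalClient is not a valid IP address"
    if client not in LAN_NET:
        return False, f"NewInternalClient {client} is outside the LAN (proxy attempt)"
    if client == ROUTER_IP:
        return False, "mapping targets the router itself (would expose its admin interface)"
    if args.get("NewProtocol") not in ("TCP", "UDP"):
        return False, "NewProtocol must be TCP or UDP"
    for key in ("NewExternalPort", "NewInternalPort"):
        if not args.get(key, "").isdigit() or not 1 <= int(args[key]) <= 65535:
            return False, f"{key} is not a valid port"
    return True, f"forward {args['NewProtocol']}/{args['NewExternalPort']} -> {client}:{args['NewInternalPort']}"


if __name__ == "__main__":
    cases = [
        ("legitimate LAN host", make_request("192.168.1.20"), "192.168.1.50"),
        ("mapping to external host", make_request("203.0.113.5"), "192.168.1.50"),
        ("mapping to router admin UI", make_request("192.168.1.1", 8443, 80), "192.168.1.50"),
        ("request arriving from the WAN", make_request("192.168.1.20"), "198.51.100.7"),
    ]
    for label, body, src in cases:
        print(f"{label}: {check_port_mapping(body, src)}")
```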
bhouston 243 days ago [-]
A lot of people have insecure computers/file servers inside of their local firewall.
orliesaurus 243 days ago [-]
How do I know if my router is affected? EDIT: nvm, here is the list https://www.akamai.com/us/en/multimedia/documents/white-pape...
kevinSuttle 243 days ago [-]
Script doesn't appear to be formatted for copy/paste...
always_good 243 days ago [-]
Nothing is going to change until this kind of stuff affects the financials of the people using these bad router configs, compromised internet of thing devices, malwared computers, and anything else that creates a bunch of outbound traffic.

It should be impossible to be unaware that your home network's outbound is saturated all month. It's ridiculous.

rando444 243 days ago [-]
So the way to get the elderly, non-tech savvy, and low usage users to buy a new router is to make them suffer financially?
AndyMcConachie 243 days ago [-]
This Phrack article predates their 2011 reference to a successful UPNP exploit by 3 years.

http://phrack.org/issues/65/5.html#article

UPNP is a mess and I'm not even sure if there is a way to properly make it secure.

techload 243 days ago [-]
I'm surprised that there are no TP-Link routers on the list of affected manufacturers.
mondoshawan 243 days ago [-]
Surprised to see Ubiquiti on that list. Thankfully, the EdgeRouter series doesn't show up there!

Still, I'll be blocking port 1900 and focusing more on defense in depth on my home net...

The irony is that back when I was a teenager adminning our home routers, I'd always disable UPnP simply because of what it is -- at the time it stood to reason that any consumer POS device could bypass the firewall with it and do horrible things from the inside out. Nowadays I've become a bit lazy because I think I'm pretty fatigued at fighting this kind of junk.

milankragujevic 243 days ago [-]
Me too, but I'm quite disappointed that Netis is on the list, with literally every model they made, and I have installed about 50 routers from Netis for neighbors because I thought they were "not that bad" given they cost $10 with a 2 year warranty. But, I was wrong.
dralley 243 days ago [-]
Good. I updated the firmware on my Archer C7 anyway, though.
notyourday 243 days ago [-]
I know I'm a strange fellow, but I am having a hard time understanding why consumer grade routers are such garbage.

I have been using 2x wall-mounted industrial mini PCs running Debian to cover a 2400 sq two story house. They just work. They have no software that is tricky or unknown. Hell, the one that has a cross connect to the cable modem even runs a firewall. Speeds blow consumer routers out of the water. I even have a guest network so the visitors can access the internet and not see anything else they are not supposed to have access to. Cost? $300 for both.

ryandrake 243 days ago [-]
You can buy these things for $15. How much rigorous design, care, and quality testing do you think they get? To these companies, “software” is just a line on the BOM, like a screw or plastic piece. It’s something you source as cheaply as possible and pour into the product as the last step in the assembly line.

It’s amazing that these devices even work.

outworlder 243 days ago [-]
True.

But you can get Mikrotik routers for about $50, which are great. Also you can choose to have a dedicated router with no wireless, and have a dumb access point dealing with the wireless part. However, ordinary consumers won't bother.

sigstoat 243 days ago [-]
> I know I'm a strange fellow, but I am having a hard time to understand why consumer grade routers are such garbage.

i work at a contract engineering firm which employs a lot of folks who've stuffed linux into embedded products (frequently ones expensive enough that if you have to ask the price, you can't afford it), though not afaik any routers.

in general:

this kind of work is done by firmware engineers who were hired because they had "linux" on their resume. they have no networking experience, and know less about security. to the extent that the project manager is aware that security is a thing, they assume any "technical" person is as good as any other on the subject. how the devices will be kept up to date is not discussed until right before the software is delivered (if ever).

gerbilly 243 days ago [-]
>I have been using 2x wall-mounted industrial mini PCs

Can you share the manufacturer/model # of the devices you are using?

notyourday 243 days ago [-]
My current favorite is ZCY (X30 and X32). They are basically Intel BayTrails. You just need to remember that BayTrails have this funny feature where they would not boot off the GPT partition, so you need to make sure your boot devices are MBRs.

Just got another X32 for a different project. I replace Broadcoms with Atheros and use little VESA mounts from Ebay that I drill into the drywall by the ceiling. After that, mounting them on a wall is no different than attaching them to the backs of the monitors.

I recommend AliExpress as the source for the systems themselves ( blows ebay out of the water ). Strangely, mounts are cheaper on Ebay.

xiao_haozi 243 days ago [-]
You don't happen to have a writeup about your hardware selection and how you configured these do you? I've been thinking of going this way in a new house.
gvb 243 days ago [-]
I followed the Ars guide to building a linux router from scratch and adjusted to fit my network needs:

https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-bui...

notyourday 243 days ago [-]
I have a pile of notes that I was planning on organizing and publishing over next week or so. I will get back to this thread or submit it when it is done.
ShorsHammer 243 days ago [-]
Had experience with multiple ISP's pushing their own heavily marked-up and broken routers. I assume it's a good money maker.

If only there was a sliver of corporate responsibility and associated punishment, probably a big ask from governments benefiting handsomely from the vulnerabilities despite the loss to the citizens they represent.

Guess it could be considered a new form of taxation? National security only really extends to the physical domain.

dcow 243 days ago [-]
I don't really think this is one of those cases unless I missed some trend recently where the govt is using misconfigured routers to access home networks... This is an overly scary article about running upnp on the wrong interface.
ShorsHammer 243 days ago [-]
Sorry, perhaps I don't understand your point, but the research in this article is entirely about governments and bad actors penetrating home networks for their own use.[1]

Are you suggesting private APTs exist? Seen no evidence so far that it's anyone but a dozen nations who lamely try to rebrand every now and then.

UPnP is a world of trouble in general, but even more so for the average person disabling it in a house full of kids. There needs to be responsibility taken by any large tech company pushing insecure products on their customers.

[1] researchers at Symantec had uncovered parts of this proxy network due to their ongoing investigation into the “Inception Framework,” and the APT group behind it.

dcow 243 days ago [-]
> Sorry perhaps I don't understand your point, but the research is about governments and bad actors penetrating home networks for their own use.

Source? This isn't a new report. All it talks about is that misconfigured upnp is used by one APT framework (see: https://www.symantec.com/blogs/threat-intelligence/inception...).

vuln 243 days ago [-]
Umm... It was leaked that the CIA (the US government) exploited home routers...

https://arstechnica.com/information-technology/2017/06/advan...

alexharrisnyc 243 days ago [-]
We have found a large number of routers hitting our servers at my current job, routers with poor or no security. It seems as if they tend to be using email password dumps and just going through their lists through these routers trying to log into our site.
milankragujevic 243 days ago [-]
I sent an Email to Telecom Serbia warning them that ZTE ZXHN H1X8N XDSL modems they've been giving to customers are vulnerable and they should push new settings through CWMP that disable UPnP.
jacksmith21006 241 days ago [-]
One of the reasons I went to using the Google WiFi at home was that I did not want to worry about things like this or keeping my network gear up to date.
0xffff2 243 days ago [-]
How many home routers are there in the world? 65,000 actually sounds like a shockingly low number to me.
campuscodi 243 days ago [-]
Akamai found evidence of compromise on 65,000. Said around 4 million were vulnerable.
trumped 243 days ago [-]
My router is affected but I would never enable UPnP or remote management ...