Tag Archives: Default Passwords

Blog Post Shout Out: Creating Passwords and Internet Privacy

This blog post shout out will focus on both security and privacy related issues.

While there has recently been a renewed focus to phase out passwords, until that happens we need to continue to manage them.

The following article discusses (among other topics) managing passwords. It focuses on providing security while making it easier for users to remember them. It also raises doubts about the need for changing passwords so often and provides evidence to back this up.

All of this advice may useful if you are trying to create or update your corporate password policy to make it more user friendly while still maintaining security.

How to hack the hackers: The human side of cybercrime by M. Mitchell Waldrop (Nature Journal)

================================
In an effort to preserve your privacy you may be using a VPN (defined) connection when browsing the internet using your computer or mobile devices.

However as noted by F-Secure in this FAQ article, this may not be enough to fully protect your identity since some information (namely your real IP address) can still be leaked via WebRTC traffic. Within that FAQ article they provide advice on how to prevent this leak for the most common web browsers.
================================
Related to the above topic of VPNs, using public Wi-Fi hotspots isn’t a good idea if you want to preserve your privacy as this Kaspersky article demonstrates.

While a VPN can assist with preserving that privacy when using a public Wi-Fi, it isn’t a perfect solution. For example, apps installed on mobile devices can still leak data as discussed in this article.

However, it possible to better control such data leakage on Android and Apple iPhones. A guide to do this for Android is available here.

For an iPhone, you can open Setting -> Mobile data and change the settings according to your preference. However, when you connect to a public Wi-Fi hotspot all the network connections in use by the apps will begin new connections or resume existing connections.

To minimise the amount of data leaked you should use a VPN (as I have already discussed above) for your mobile device. In addition, you should use the Low Power Mode option of your iPhone from Settings -> Battery and change the setting. This setting change will halt background tasks, delete Wi-Fi access point associations, previous new emails being received and automatic downloads. More information on this setting is available from here.

Next, turn on your VPN (Settings -> General -> VPN). A list of popular VPN providers is available here.

Using the above steps will help to minimise the amount of data leaked if you are privacy conscious and use an Android powered device or an iPhone. Full disclosure: as you know I use an Android phone so I haven’t intentionally provided more information/discussion on the iPhone.

I hope that you find the above references useful in maintaining your security and privacy. Many thanks to a colleague (you know who you are) for contributing the advice on using VPNs with mobile devices.

Thank you.

Several Consumer Broadband Routers Use Static Passwords

Several consumer broadband routers from varying manufacturers have been found to contain static administrative passwords. The names/models of the affected routers (at the time of writing) are shown below:

  • ASUS DSL-N12E
  • DIGICOM DG-5524T
  • Observa Telecom RTA01N
  • Philippine Long Distance Telephone (PLDT) SpeedSurf 504AN and Kasda KW58293
  • ZTE ZXV10 W300

Please refer to this CERT knowledge base article for the most up to date list of affected models.

Why Should This Issue Be Considered Important?
Using these static credentials a remote attacker could potentially gain access to your broadband router and make any changes they wish to it’s settings/configuration.

How Can I Protect Myself From This Issue?
Unfortunately it does not appear that the manufacturers of these routers intend to provide mitigations or updates to the routers firmware to address their use of static administrative passwords.

In order to prevent an attacker from being able to access your router remotely, please follow the workaround provided in this CERT knowledge base article. This workaround will involve blocking the SNMP ports (161, 162 as well as Secure SNMP ports 10161 and 10162) to prevent the attacker being able to determine the MAC address of your router. This is important since the password for all routers affected by this issue is XXXXairocan where XXXX is the last four characters of the routers MAC address. An SNMP query to your router is used to obtain the appropriate MAC address.

See Aside and Aside 2 for definitions of SNMP and MAC addresses (respectively).

You may need to refer the documentation (if any) for your router in order to determine the exact steps needed to block the above mentioned ports using the routers firewall. A Google search for your router model or a call to your Internet Service Provider (ISP) may also help with this.

If you own one of the affected routers (or you know someone that does) I hope that the above advice is useful in protecting you from this potential threat.

Thank you.
=======================
Aside:
What is SNMP?
Simple Network Management Protocol (SNMP) is a device management protocol. It is used to manage devices such as routers, servers and network printers (among others). If a device develops a fault or requires attention it can notify the network administrator using SNMP e.g. that a printer is low on ink or that a server is under heavy CPU or memory load. Further information on SNMP is available here.

=======================

=======================
Aside 2:
What is a MAC address?

A media access control (MAC) address is the unique identifier of a network interface card (NIC). This NIC can be wired or wireless. For a common Ethernet network a MAC address is made up of 6 groups of two hexadecimal digits which are separated by hyphens ( – ) or semi colons ( : ). Hexadecimal is a numbering system that has 16 values increasing in value from 0 to 9 and a to f, more information on hexadecimal.

An example MAC address would be 00:0A:11:22:33:44. A MAC is sometimes referred to as the physical address since this address is assigned in the factory to the network card (NIC) of your device (similar to a unique serial number).

The first 6 digits of a MAC address are called the prefix and are associated with the name of the network card manufacturer e.g. Broadcom or Realtek etc. The remaining 6 digits are the unique numbers that are used to identify your specific network card.

You may be wondering why MAC addresses are used when computers have IP addresses already?
The answer is that the OSI networking model is made up of 7 layers. The network access layer 2 uses MAC addresses to tell the difference between one device on the network and another. At layer 2, network bridges, switches and wireless access points operate and do so without the use of IP addresses.

As mentioned above devices are uniquely identified by their MAC address. Layer 2 uses MAC addresses so that it can operate with other network transmission standards other than TCP/IP if required. Layer 3 uses IP addresses (which form the IP of TCP/IP) and at this layer routers use them to forward traffic to the correct devices/destinations.

Network switches (devices that send traffic between devices and routers on the network in order to move network data/traffic to it’s eventual destination) use MAC addresses to tell the difference between the devices connected to their ports and to determine which device to send specific network traffic to.

When a packet (piece of data) is going to be sent on the network, for example your web browser (an application) requests a new webpage. This is done at the top layer of the TCP/IP model (layer 7 the application layer). As the request moves down the network stack in your operating system more and more data is added to it by each layer namely layer 6, layer 5 and so on. Layer 3 and above use IP addresses while layer 2 uses MAC addresses since by this time the layer 3 information is no longer present (it is designed to be removed once used by layer 3 devices).

The MAC address of the networks card(s) installed within your system can be displayed using the following commands:

=======================
Linux (from a terminal window) (the MAC address will appear as “HWaddr”):
ifconfig –a
=======================
Apple Mac OS X:
Please see this link for the necessary steps.
=======================
Windows:
Press the Windows key and the letter R to open a Run box. Type cmd and press Enter
Type the following command (the MAC address will appear as “Physical address”):

ipconfig /all
=======================

Cisco Comms Software and Security Appliances Use Default Credentials and Keys

In late June and early July this year Cisco released security updates for its Unified Communications Domain Manager Software, Cisco Web Security Virtual Appliance (WSAv), Cisco Email Security Virtual Appliance (ESAv), and Cisco Security Management Virtual Appliance (SMAv) devices to resolve their use of default passwords and SSH keys. Such default keys/credentials are not uncommon as mentioned in my post detailing SAP’s use of a default encryption key for their HANA database. It should be noted that Cisco is not the only vendor to have used default SSH (Secure Shell) keys.

When the Unified Communications Domain Manager Platform Software is installed a fully privileged account is created by default and the password to access this account is the same for all software installations. If the password was obtained by an attacker, they could remote and anonymously connect to the system running this software via SSH and take complete control of that system (since the default account created has root privileges).

A similar default SSH key was found to be in use within the above mentioned Cisco security appliances. Just as detailed above an SSH key is present on all of these appliances by default. Again if this key was obtained and used by an attacker, they would have complete control of your Cisco security appliances. Fortunately both of these classes of issues for Cisco products were discovered by internal security testing and not by attackers leveraging them before they were patched/fixed.

Update: July 13th 2015: The Cisco security advisory for the relevant Cisco security appliances mentioned below clarifies (within the “Details” section) that the static SSH keys stored within the Cisco security appliances are the private keys. Since SSH uses asymmetric cryptography if an attacker obtains the private key they can impersonate the security appliance and decrypt communications among these appliances. The attacker would need to use a man in the middle attack (MITM, MITM defined) in order to decrypt the communications.

How Can I Protect Myself From These Issues?
If your company uses any of the above mentioned Cisco products, please follow the directions within the Cisco security advisories mentioned below to resolve these critical vulnerabilities:

Multiple Default SSH Keys Vulnerabilities in Cisco Virtual WSA, ESA, and SMA
Cisco Unified Communications Domain Manager Default Static Privileged Account Credentials

As mentioned in this news article Cisco have resolved such flaws in the past and the potential for attack/exploitation is very real since the exploit framework Metasploit has exploits for similar flaws and firms such as Rapid7 are building libraries of known SSH keys.

Thank you.