Michael Horowitz


Verifying and testing that Firefox is restricted to TLS 1.2

TLS is the protocol invoked under the covers when viewing secure websites (those loaded with HTTPS rather than HTTP). There are multiple versions of the TLS protocol, and the most recent version, 1.2, is the most secure. Last time, I discussed tweaking Firefox so that it only supports TLS version 1.2 and not the older versions (1.0 and 1.1) of the protocol.

But that begs the question: what happens when a security-reinforced copy of Firefox encounters a website that does not support TLS 1.2? The answer is shown below.

Restricting Firefox to TLS version 1.2 makes browsing safer

Although it’s common to think of a secure website as the opposite of an insecure one, the choice is not, in fact, binary. For a website to be truly secure, there are about a dozen or so ducks that all need to be lined up in a row.

Seeing HTTPS does not mean that the security is well done; secure websites exist in many shades of gray. Since web browsers don’t offer a dozen visual indicators, many sites that are not particularly secure appear, to all but the most techie nerds, to be secure nonetheless. Browser vendors have dumbed things down for non-techies.

Last September, I took Apple to task for not having all their ducks in a row, writing that some of their security oversights allowed Apple websites to leak passwords.

Are Android bug fixes worth $510 when buying a phone?

Techies are supposed to focus on the latest and greatest, the biggest and fastest. I’ve never been like that. Especially when it comes to cellphones, my computing needs are modest.

So, consider the fairly low end ASUS ZenFone 3 MAX ZC520TL phone which Asus currently sells for roughly $140.

It has a 5.2 inch IPS screen with a resolution of 1280×720. Many phones offer more pixels, but this is sufficient for me and fewer pixels should help with battery life. It has 2GB of RAM, 16GB of storage, an FM radio, a 4100 mAh battery and it’s made of metal, not plastic.

On the downside, the Wi-Fi is limited to the 2.4GHz frequency band, it only works with AT&T and T-Mobile and the battery is not removable. Considering the price, it’s good enough for some of us, myself included. 

Windows Defender does not defend Windows 7 against WannaCry

Thanks to Kaspersky, we now know that 98% of the Windows machines infected by WannaCry/WannaCrypt were running Windows 7. Since, once it gets a foothold, the malware can infect an entire network, most of the attention was focused on LAN based attacks. My previous blog was about using the Windows firewall as a defensive measure.

But any malware can spread in multiple ways so there is always a need for anti-malware software on Windows PCs. The May 12th blog post, Customer Guidance for WannaCrypt attacks, in which Microsoft announced the release of a bug fix for Windows XP, mentioned that 

The Windows firewall is the overlooked defense against WannaCry and Adylkuzz

Despite all the attention currently focused on Windows computers being infected with WannaCry ransomware, a defensive strategy has been overlooked. This being a Defensive Computing blog, I feel the need to point it out.

The story being told everywhere else is simplistic and incomplete. Basically, the story is that Windows computers without the appropriate bug fix are getting infected over the network by WannaCry ransomware and the Adylkuzz cryptocurrency miner. 

We are accustomed to this story. Bugs in software need patches. WannaCry exploits a bug in Windows, so we need to install the patch. For a couple days, I too, ascribed to this knee-jerk theme. But there is a gap in this simplistic take on the issue. Let me explain. 

Patching Windows XP against WannaCry ransomware

Microsoft just released a patch for Windows XP that fixes a file sharing flaw being exploited by the WannaCry ransomware. Here’s how to install it. 

You can download some versions of the patch using links at the bottom of this May 12th Microsoft article: Customer Guidance for WannaCrypt attacks. The full list of patch variants, including languages other than English, is in the Windows Catalog; just search for KB4012598. Windows Update does not work on XP.

Third party antivirus programs interfere with Windows Defender critical patch

Like others running Windows, I have been dutifully updating Windows Defender the last few days with a fix for a critical bug. The update procedure is simple. Open the Control Panel, click on Windows Defender, and then check for updates.

The only thing out of the ordinary, on Windows 7, is that the update check is hidden behind a downward pointing triangle just to the right of a white question mark (this is not true in Windows 8 or 10). The “about” panel is also here. If the Engine Version is less than 1.1.13704.0 then it needs to be updated immediately.

7 mistakes Google made updating my Google Wifi router

Many of the new mesh router systems self-update their firmware (router operating system). While this is a big step forward from the bad old days, where the task fell to the router owner, it’s only a first step.

On my Router Security site, I go into the difference between self-updating firmware done right and done wrong. With that in mind, here is what went wrong when my Google Wifi router updated its firmware. 

Scheduling

My first gripe is that the software update was a surprise. There was no warning ahead of time, either that an update was available, or that it was about to be installed. In contrast, the Eero app tells you that a firmware update is available well before the update is automatically installed. The screen shot below shows the Google iOS app informing me after the fact that it had updated the router software (the screen shot was taken May 6th).

Asus router warnings on privacy and security

I ran across a most unusual router review today, by Daniel Aleksandersen.

For one thing, it was not a review of a specific model (though the author uses an Asus RT-AC87U); instead, it reviewed ASUSWRT, the stock firmware (router operating system) used in Asus routers. Think of it as a review of General Motors rather than the Buick Regal. As such, there was none of the usual focus on Wi-Fi speed and range.

And, while most reviews are written after a brief testing period, it was obvious that Aleksandersen has lived with his router for a long time.

How seven mesh routers deal with Wi-Fi Protected Setup (WPS)

The recent wave of new mesh router systems has brought with it changes besides the obvious increase in Wi-Fi range. For example, these mesh routers are more likely to insist on WPA2-AES encryption, as many have dropped support for the less secure WEP and WPA options. Not all of them, but many.

Here I take a look at another insecure router technology, WPS (Wi-Fi protected setup) and how these new mesh routers deal with it. 

WPS is an alternate way of gaining access to a Wi-Fi network that does away with having to know the SSID (network name) and password. Much of what you read about WPS is incomplete, as it supports at least four different modes of operation.

The Netgear router flaw post mortem — plenty of blame to go around

In the recent Netgear router flaw, it’s easy to blame Netgear for ignoring the initial report of the vulnerability. They have since admitted that it fell through the cracks. But there is plenty of blame to go around.

While Netgear owners are indebted to someone who goes by Acew0rm for finding the flaw, he appears to have dropped the ball. After notifying Netgear of the vulnerability on August 25, 2016 he walked away from the issue. His total effort in getting Netgear to acknowledge the problem was a single email message. I think he could have done more. When an email is not acknowledged, it’s not much work to re-send it a second or, if needed, a third time. 

Updates and more on the Netgear router vulnerability

On December 9, 2016 we first learned of a command injection vulnerability in some Netgear routers. In the worst case, simply viewing a malicious web page could result in your router being hacked. What follows is a recap and expansion of the issue, along with the latest developments. Then, some Defensive Computing suggestions for protecting a router.

Netgear is communicating via their Security Advisory for VU 582384. It has been updated many times since it was initially published and should have the latest information. 

To date, the company has confirmed that 11 router models are vulnerable. You might think that enough time has passed for this list to be final, but the advisory still says “NETGEAR is continuing to review our entire portfolio for other routers that might be affected by this vulnerability.”

Easily exploited Netgear router flaw discovered

At least two Netgear routers, the R6400 and R7000, are vulnerable to a command injection flaw that is easy to exploit and could lead to the total takeover of the routers. This was disclosed yesterday, December 9th, and there has, as yet, been no response from Netgear.

Documentation on the flaw, so far, has been poor. Most importantly, it’s not clear, to me at least, whether the vulnerability can be exploited remotely, from the LAN side of the router or both. If it is locally exploitable, then using a non-standard IP address for the router should offer some defense. 

Getting started with the Ubiquiti AmpliFi mesh router

The Ubiquiti AmpliFi router is one of the recent wave of consumer friendly mesh router systems. You can think of these mesh systems as routers that come with pre-matched, easy to use, Wi-Fi extenders.

AmpliFi competes with Eero, Luma, the Netgear Orbi and the soon-to-be-released Google Wi-Fi. Google’s previous OnHub routers were a single device. I recently griped that AmpliFi does not support remote access, but it has other things going for it.

One is price: AmpliFi starts at $200 for a three unit system, making it the cheapest mesh option. Another is privacy. Eero, Luma and Google routers (at least the OnHub) require you to have an account with the company. AmpliFi and the Netgear Orbi let you be anonymous.

Bloomberg says Apple is getting out of the router business

Bloomberg reported today that Apple is getting out of the router business. I have never owned an Apple router, but based on my research, I tried to steer people away from them on my RouterSecurity.org site.

One reason I offered was that Apple has not updated their routers since 2013. Not just the hardware, the software too. Last December, Glenn Fleishman wrote that the cheapest Apple router, the AirPort Express, was last updated in 2012. Apple routers felt abandoned long before Bloomberg reported that they really were abandoned.

Another HNAP flaw in D-Link routers

CERT recently issued an advisory about a flaw in D-Link routers, specifically, in the parsing of HNAP messages. The advisory warns that “A remote, unauthenticated attacker may be able to execute arbitrary code with root privileges.” That’s as bad as it gets. 

There is a list of D-Link routers known to be vulnerable (DIR-823, DIR-822, DIR-818L, DIR-895L, DIR-890L, DIR-885L, DIR-880L, DIR-868L), but Pedro Ribeiro, of Agile Information Security, who found the flaw, warned that “there might be other affected devices.”

And, Marshall Honorof points out that “D-Link gives these models alternate names meant to sound sexier to consumers. For example, the DIR-895L is also known as the AC5300 Ultra Wi-Fi Router. You’ll want to Google the model name, check your router’s administrative login page, or just flip the physical device over to check for the model number.”

Windows Update on Windows 7 is fast again

We’re back. Windows 7 users can finally return to the normal world, where operating system bug fixes are installed in a reasonable amount of time.

A few days ago, Woody Leonhard wrote about an improved version of Windows Update for Windows 7, one that installs bug fixes in mere minutes rather than hours or days. I have tried it on three Windows 7 machines, and it works fine; bug fixes install faster than a speeding bullet.

This updated Windows Update is only for those in the know, but reading this blog makes you one of the privileged few. Spread the word. 

The continuing slowness of Windows Update on Windows 7

Like millions of Microsoft customers, I like Windows 7. It seems we like it more than Microsoft does. I say this because, for months now, it has taken hours and hours and hours to install patches.

Woody Leonhard’s November 4th article “How to speed up Windows 7 Update scans—forever” has the gory details on how Windows 7 users can get sub-calendar response time when installing bug fixes.

Woody points out that Microsoft has an improved version of Windows Update, one that takes a reasonable amount of time to run, but it is not installed by default. Of course it isn’t. Even knowing about it seems to be restricted to those who read the Woody on Windows column in InfoWorld.

Testing for vulnerable IoT devices

Brian Krebs has lately been writing a lot about DVRs and cameras made by XiongMai Technologies. He reports that they are terribly insecure and many have been hacked and herded into botnets where they participate in Distributed Denial of Service (DDoS) attacks such as the one that brought down his site.

Poor security is standard practice with IoT, but these devices are especially bad. Even if their web interface is used to change the default password, the devices have hard coded Telnet and SSH passwords that cannot be changed.

Part of yesterday’s DDoS attack against DYN came from the Mirai botnet, composed of assorted hacked devices that were using default passwords.

Tweaking WSH helps defend Windows PCs from malicious email attachments

Bad guys are always looking to abuse overlooked components of a system. On PCs, the Windows Script Host (WSH) was one such, often overlooked, component, but it’s becoming more popular.

WSH can execute scripts written in many programming languages. Out of the box, it does JScript and VBScript but other languages, such as Perl and Python, can also be installed. 

JScript is Microsoft’s version of JavaScript. Unlike the JavaScript that runs inside a web browser, JScript runs inside Windows and, compared to browser-based JavaScript, has additional, potentially dangerous, features.

Kim Komando offers flawed advice on router security

An article in yesterday’s USA Today by Kim Komando, How to keep hackers out of your router, claims that updating the firmware in a router will keep out hackers. This is not even close to being true and, in another context, would be considered malpractice.

I’ll illustrate how flawed her premise is with an analogy. Suppose you went to a doctor seeking advice on being as healthy as possible and were told that simply taking a vitamin pill is all that’s necessary to live to 100. Obviously, there’s more to it. 

The article as it appears on USAtoday.com

What the Ubiquiti AmpliFi mesh router is missing

Among the new crop of mesh routers, the Ubiquiti AmpliFi seemed the most promising. So, when a client was having Wi-Fi problems, yet again, I thought that perhaps this might be the time to set them up with a mesh network with a single Wi-Fi password. 

The AmpliFi routers are very new, and normally, I would wait until there is more feedback, but I was willing to make an exception because Ubiquiti is a well-known networking company.

But first, I checked the User Guide looking for the one feature every techie needs when setting up a network for someone else – remote access (a.k.a Remote Administration). Typical articles on router security say to disable Remote Administration, but that’s an overly simplistic view, common among the art history majors that write so many tech articles.

The Social Security website is now secure
