Over Twenty Linksys Wi-Fi Routers Have Security Holes and more...

Over Twenty Linksys Wi-Fi Routers Have Security Holes

Linksys makes consumer grade routers, but many businesses also use them to connect to the corporate network. That may not be a problem in most cases, but a security consultant discovered 10 bugs in total across more than 20 Linksys "Smart" Wi-Fi routers. Six of the vulnerabilities can be exploited by an unauthenticated attacker. The vulnerable routers include:

  • EA2700
  • EA2750
  • EA3500
  • EA4500v3
  • EA6100
  • EA6200
  • EA6300
  • EA6350v2
  • EA6350v3
  • EA6400
  • EA6500
  • EA6700
  • EA6900
  • EA7300
  • EA7400
  • EA7500
  • EA8300
  • EA8500
  • EA9200
  • EA9400
  • EA9500
  • WRT1200AC
  • WRT1900AC
  • WRT1900ACS
  • WRT3200ACM

Until a fix is available, Linksys recommends enabling automatic updates, disabling Wi-Fi guest networks if they're not in use, and changing the default administrator password. Those are all things you should be doing with any device, even one without identified vulnerabilities. I would even recommend disabling remote administration of the device.

E-mail: jsimek@senseient.com Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
http://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
https://www.senseient.com

 

Which Galaxy S8 Biometric Option is the Most Secure?

The Galaxy S8 and S8+ are now available for sale. They are beautiful devices, very similar to the S7 Edge, with curved edges that appear to blend into the back. Samsung uses the word "infinity" to describe the new screens. Besides the wonderful graphics, there are several options for unlocking the phone. As always, I recommend configuring a password as the lock code. Passwords are knowledge, and most courts have determined that you don't have to give up your password. Biometrics are a different animal: you can be compelled to give up your fingerprint just like DNA. If you insist on configuring the biometric lock options for the S8, which one is the most secure?

One of the new capabilities is facial recognition, which is woefully bad. It has already been shown that the phone can be unlocked just by putting a picture of yourself in front of the sensor. Bottom line: don't use the facial recognition feature. A second biometric option is the fingerprint scanner. It is a little cumbersome to use since it is on the back of the phone right next to the camera lens. Even though it is awkward, the fingerprint scanner is way more secure than the facial recognition feature. The third biometric option is the iris scanner. The company behind the iris-scanning tech used in the Galaxy S8 claims iris scanning is superior even to the FBI's fingerprint tech. That's because the iris scanning technology uses as many as 200 reference points per eye, or up to 400 in total. In contrast, consumer fingerprint technology only uses 13 reference points.

The recommendation is to use a password as your primary unlock mechanism. If you want to use biometrics, configure both the fingerprint and iris scanners. That way, if it's pretty sunny outside and there is trouble with the iris scan, you can still use the fingerprint as a backup.


Google Fixes Chrome Unicode Phishing Vulnerability – Patch Now

Last week I mentioned a Unicode vulnerability that impacted the Chrome, Opera and Firefox browsers. Google has now patched the Chrome vulnerability in version 58. You can now go to the test link and it will properly show the domain as xn--80ak6aa92e.com instead of apple.com. If Chrome doesn't update automatically, just go to 'Help' and 'About Chrome' to update the browser. No word yet on when Firefox or Opera will get the fix.


Google Still Pissed at Symantec

It's good advice not to kick the 800 pound gorilla. Google isn't happy with Symantec and the way it has failed to enforce validation of the people registering security certificates through it. Google has warned Symantec that it would impose penalties for being too lax, and even borderline negligent, in issuing its digital certificates. Chrome will gradually reject websites that use certificates issued by Symantec. Even websites whose certificate chain leads back to Symantec's root will face the same rejections. Approximately 60% of Internet users use the Chrome browser, so this action is a big deal. If your website(s) or server(s) are utilizing a Symantec certificate, I would consider an alternate provider.


Holy Crap Batman! Our Browser is Vulnerable

Another way for the bad guys to screw with us. Users of the Chrome, Firefox and Opera browsers are vulnerable to Unicode phishing attacks. For those not familiar with Unicode, you can read the Wikipedia entry here, but basically it assigns a 16-bit code to identify each character. The English language doesn't need Unicode, but the Chinese language does. Application software has only widely supported Unicode over the last several years. In fact, many vendors tout Unicode support as the great differentiator. We digress.

We thought this vulnerability was fixed over ten years ago, but apparently not. One of the latest browser vulnerabilities is improper handling of Unicode URLs. It's pretty scary. You can try it for yourself by clicking here. (Don't worry. Nothing bad will happen.) If the displayed URL shows Apple.com, then your browser doesn't know how to properly decode the URL. Essentially, the URL is completely valid and is crafted from non-English characters that look exactly the same as common English letters. As an example, the previous test URL is really xn--80ak6aa92e.com and not apple.com. The browser is vulnerable to what is known as an internationalized domain name (IDN) homograph attack. Graham Cluley has a post that explains the attack in much more detail.

At the present time, the Chrome, Firefox and Opera browsers are impacted. Fixes for Chrome are planned for the end of the month. If you use Firefox, enter about:config and set network.IDN_show_punycode to true.
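To make the homograph problem concrete, here is an added example (not code from the original post) that decodes the post's test domain xn--80ak6aa92e.com from Punycode, shows which script its letters really come from, and applies a simplified version of the display rule that the Firefox setting and the Chrome fix both amount to: show the Unicode form for ordinary international domains, but fall back to the xn-- form when every character is a lookalike for a Latin letter. The lookalike table, the helper names and the other sample hostnames are assumptions constructed for the demo; the table is a small hand-picked subset of Unicode's confusables, not a complete list.

```python
import unicodedata

# Constructed sample hostnames for the demo. Only xn--80ak6aa92e.com comes
# from the post; the other two are ordinary examples added here.
SAMPLE_HOSTS = [
    "xn--80ak6aa92e.com",   # the post's test domain: renders like "apple.com"
    "apple.com",            # genuine ASCII label
    "xn--mnchen-3ya.de",    # "münchen.de": a legitimate Latin-script IDN
]

# Cyrillic letters whose glyphs are near-identical to Latin letters in common
# fonts. Assumption: a hand-picked table, not Unicode's full confusables data.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0443": "y",  # у
    "\u0445": "x",  # х
    "\u04cf": "l",  # ӏ (palochka)
    "\u0456": "i",  # і
    "\u0458": "j",  # ј
    "\u0455": "s",  # ѕ
}


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label.

    Labels carrying the ACE prefix "xn--" are Punycode (RFC 3492); anything
    else is returned unchanged. Raw Punycode is used deliberately, without the
    IDNA mapping steps, so the result is exactly what the label encodes."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_of(text: str) -> set:
    """Unicode scripts present in text, read from the first word of each
    character's name (LATIN, CYRILLIC, GREEK, ...). Digits and '-' are skipped."""
    found = set()
    for ch in text:
        if ch.isdigit() or ch == "-":
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def skeleton(text: str) -> str:
    """Replace each lookalike Cyrillic letter with the Latin letter it imitates."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in text)


def is_homograph_risk(label: str) -> bool:
    """True when the decoded label is not plain Latin and either mixes scripts
    or consists entirely of characters that imitate Latin letters."""
    uni = decode_label(label)
    if uni.isascii():
        return False
    scripts = scripts_of(uni)
    if scripts <= {"LATIN"}:
        return False  # ordinary IDN such as münchen: keep showing Unicode
    return len(scripts) > 1 or skeleton(uni).isascii()


def display_form(host: str) -> str:
    """What a hardened address bar should show: Unicode for legitimate IDNs,
    the Punycode (xn--) form for labels that fail the check above."""
    shown = []
    for label in host.split("."):
        if is_homograph_risk(label):
            shown.append(label)  # keep the xn-- form visible to the user
        else:
            shown.append(decode_label(label))
    return ".".join(shown)


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        uni = ".".join(decode_label(l) for l in host.split("."))
        print(f"{host:22} decodes to {uni:14} scripts={scripts_of(uni)} "
              f"shown as {display_form(host)}")
```

Run as a script, the first line of output shows that the test domain's five letters are all Cyrillic (а, р, р, ӏ, е) and that their skeleton is the Latin word "apple", which is why a browser that renders the decoded form cannot be trusted to tell the two apart; the münchen.de line shows that the rule still leaves genuine non-ASCII domains readable.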

Email subscriptions powered by FeedBlitz, LLC, 365 Boston Post Rd, Suite 123, Sudbury, MA 01776, USA.