Monthly archives: January 2008

Linksys WRT54GL Cross Site Request Forgery (CSRF) Vulnerability

The quite common Linksys WRT54GL v4.x has a serious vulnerability that can be exploited by hackers remotely (i.e., from across the Internet). The vulnerability is Cross Site Request Forgery (CSRF). This is possibly the second most common web vulnerability (second only to Cross Site Scripting aka XSS). Despite its prevalence, CSRF is not well known or understood by many people. I thought about writing a short explanation of CSRF but I don’t have my head around it well enough to feel comfortable explaining it to you. So, I’ve done the next best thing–I’ve located an excellent article by CSO magazine titled “Threat Watch: Cross Site Request Forgery (CSRF) Why a little-known web application vulnerability could cause big problems.”

As far as I know, this vulnerability is unpatched by Linksys, which means there is no update to fix this problem if you want to keep running the standard Linksys firmware. However, you can fix this vulnerability and gain additional features by upgrading to an open source firmware such as DD-WRT or Tomato. I happen to own a Linksys WRT54GL version 1.1 and have flashed it with the DD-WRT firmware. Because flashing a router’s firmware is not for the faint of heart, I have composed very detailed how-to instructions for those who are interested.

Another mitigation method I almost forgot to mention is actually quite simple. Do not visit other websites while logged in to administer the Linksys WRT54GL. [via Secunia]
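To make the CSRF problem concrete from the defender's side, here is an added example (my own illustration, not code from Linksys, DD-WRT or the CSO article) of the check a web admin interface should perform before acting on a state-changing form post. The router address, session id, secret and the two sample requests are all constructed for the example. The point it shows is why the browser automatically attaching the admin cookie is not enough evidence that the logged-in user intended the request: a forged post from another site carries the cookie but cannot carry a per-session token or a matching Origin.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Hypothetical address of the router's admin UI (constructed for the example).
ADMIN_ORIGIN = "http://192.168.1.1"


def issue_csrf_token(session_secret: bytes, session_id: str) -> str:
    """Derive a per-session anti-CSRF token (HMAC so the server stores no extra state).

    The token is embedded in every admin form as a hidden field; a page on
    another site cannot read it, so it cannot include it in a forged post."""
    return hmac.new(session_secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_is_trusted(headers: dict, form: dict, cookies: dict,
                       session_secret: bytes, session_id: str) -> tuple[bool, str]:
    """Decide whether a state-changing POST came from the admin UI itself.

    Returns (accepted, reason). Order matters only for the reason reported;
    every check must pass."""
    # 1. The session cookie proves the browser is logged in, not who built the request.
    if cookies.get("session") != session_id:
        return False, "not logged in"

    # 2. Defence in depth: a cross-site form post carries the other site's Origin
    #    (or Referer). Case-insensitive header lookup because clients vary.
    lowered = {k.lower(): v for k, v in headers.items()}
    source = lowered.get("origin") or lowered.get("referer")
    if not source:
        return False, "missing Origin/Referer"
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != ADMIN_ORIGIN:
        return False, f"cross-site origin {parsed.scheme}://{parsed.netloc}"

    # 3. Primary defence: the synchronizer token must match, compared in constant time.
    expected = issue_csrf_token(session_secret, session_id)
    provided = form.get("csrf_token", "")
    if not hmac.compare_digest(provided, expected):
        return False, "missing or invalid CSRF token"

    return True, "ok"


def check_samples() -> dict:
    """Run the check over two constructed requests: one typed into the admin UI,
    one a forged form post fired by a page on another site while the admin
    session cookie is still valid."""
    secret = b"constructed-example-secret"   # constructed, not a real key
    session_id = "sess-0001"                  # constructed
    cookies = {"session": session_id}         # the browser attaches this to BOTH requests

    legitimate = {
        "headers": {"Origin": ADMIN_ORIGIN},
        "form": {"csrf_token": issue_csrf_token(secret, session_id),
                 "remote_management": "enabled"},
    }
    forged = {
        "headers": {"Origin": "http://attacker.example"},   # constructed third-party site
        "form": {"remote_management": "enabled"},            # no token: the page cannot read it
    }
    return {
        "legitimate": request_is_trusted(legitimate["headers"], legitimate["form"],
                                         cookies, secret, session_id),
        "forged": request_is_trusted(forged["headers"], forged["form"],
                                     cookies, secret, session_id),
    }


if __name__ == "__main__":
    for name, (ok, reason) in check_samples().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

The "do not browse other sites while logged in" advice above maps directly onto step 1: the forged request only works because the cookie is still valid. The token check in step 3 is what a firmware fix adds, so the cookie alone no longer authorises a configuration change.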

Tomato Firmware Option for WRT54GL

Lifehacker has an interesting post on the Tomato custom router firmware. When a friend emailed me about the Lifehacker post, I first dismissed the article because when I was deciding on which firmware to flash my Linksys WRT54GL with, I looked at Tomato but didn’t think it was as powerful as DD-WRT or OpenWRT. However, when I read Lifehacker’s post my interest in Tomato was re-sparked. The author did admit that dd-wrt had a more robust feature set and polished admin interface. However, he also indicated that Tomato had a better layout, better Quality of Service (QoS) support, and prettier graphical charts than dd-wrt. Also, the average user probably wouldn’t use the more powerful dd-wrt features anyway.

I wish I had the time/patience to re-flash my Linksys WRT54GL with Tomato just to try it out. It’s very unlikely that I will because I don’t want to risk bricking my perfectly functioning dd-wrt enabled router. I also really like dd-wrt. Too bad flashing a router is a lot more complex than just installing software.

Also, the Lifehacker article doesn’t mention OpenWRT (a couple of commenters do), but OpenWRT seems to be the hard-core geek’s choice. I’ve thought about making the switch to it, but it is probably more complex than I want to deal with. I really considered OpenWRT over DD-WRT, but DD-WRT’s site looked better maintained and easier to read. Plus, until recently all OpenWRT management seemed to go through a Linux shell (i.e., command line). Now though, x-wrt seems to address what some would call a shortcoming of OpenWRT.

If anyone wants to send me a Linksys WRT54GL so I can experiment with it and write more tutorials on firmware flashing, let me know and I can add it to my Amazon Wish List so you can send it to me easily. Also, don’t forget to check out my ever-popular “How to Flash the WRT54GL with DD-WRT Firmware” tutorial.

More Secure OpenID

OpenID is a very cool authentication idea. It allows you to have single sign-on (i.e., log in once using one user name and password for multiple websites/applications) for sites that support OpenID. The ability to log in to only one site and then provide just your OpenID URL to other sites you would like to authenticate to (prove that you are who you say you are) is very nice. For one, it alleviates the problem of having to remember multiple user names and passwords (I hope you use different passwords for different sites…at the very least different passwords for financial sites). For two, it saves time. Unfortunately, not every site I use supports OpenID yet, so I still end up having to deal with multiple user names and passwords.

Like all things with computer security, OpenID is not without its fair share of problems. One of the biggest problems is a result of OpenID’s main benefit, single sign-on. Single sign-on is great as long as no one is able to compromise your user name and password. However, if someone manages to compromise your user name and password, then they’ve compromised every site for which that single sign-on is used. Therefore, it is imperative that your OpenID account has a very strong (read: long, random, with mixed case, numbers, and special characters) password.

It is also important that you don’t fall victim to a phishing attack that tricks you into thinking you’re logging in to your OpenID account when you’re not. Otherwise, it doesn’t matter how strong your password is if you simply give it away to a fake site. In order to ensure the OpenID provider site you’re logging into is legitimate, you should examine the SSL certificate to make sure it belongs to your OpenID provider and has been signed by a trustworthy certificate authority (e.g., Verisign, Thawte, etc.).

Another concern with OpenID that I won’t cover in this article, because it’s out of scope, is privacy. The gist of the issue is that your OpenID provider can basically track every site you use your OpenID account with. A few other concerns with OpenID exist. I recommend that you check out Security Now episode 111 if you’re interested in learning more about OpenID concerns.

Wouldn’t it be great if there was a way to easily and effectively reduce some of the risk with OpenID? Two-factor authentication provides the solution. For those of you who are not familiar with what two-factor authentication is, I’ll give a brief explanation. Two-factor authentication is when you provide more than one form of evidence that you are who you say you are. Generally, people just provide a password, which is something you know. However, two other common factors of authentication exist: something you are (biometrics) and something you have (security token/fob, smart card, etc.).

Two-factor authentication is a great solution because it ensures someone can’t easily steal your account by guessing, cracking, or stealing your OpenID password. The second factor means that they would need to possess your security token as well. Security tokens work by providing a random-looking string of typically six digits periodically (most tokens do so every thirty seconds). The current six digits being displayed by the token (which only you have) must be appended to the password (which hopefully only you know). Additionally, two-factor authentication mitigates the risk of falling victim to a phishing site because the code the phisher stole is only good for thirty seconds.

Luckily for all of us Verisign is a free OpenID provider which offers support for two-factor authentication. They call their service Personal Identity Provider (PIP). To take advantage of their service you need to have a supported security token (i.e., a little key-chain device which provides a random number every thirty seconds). Luckily, you can buy one of these devices through PayPal for only $5. As an added benefit, this security token works not only with PIP but also with PayPal and eBay.

A Firefox extension, SeatBelt, automatically fills in your OpenID URL in websites with the appropriate form field. The extension also provides some useful security and OpenID management capabilities.

In conclusion, OpenID is a great solution for trivial sites like blogs and forums as long as you are aware of the dangers that exist and take the necessary precautions. I still wouldn’t recommend OpenID for financial and medical sites, but for pretty much everything else it is great. I know I can’t wait till more of the sites I use start to take advantage of it.

In case you’re wondering, I’m not getting paid anything to write this post, nor do I make any money if you sign up for an account or buy a security key. I just think Verisign is offering a really good, secure OpenID solution that not many people know about. I just wanted my readers to know that this is an available solution. Plus, if enough people start using OpenID, more sites are likely to offer it as a login option. Before I forget, you can find a list of OpenID enabled sites at the OpenID directory.