Category archives: Tech Advice

Linksys WRT54GL Cross Site Request Forgery (CSRF) Vulnerability

26Jan08

The quite common Linksys WRT54GL v4.x has a serious vulnerability that can be exploited by hackers remotely (i.e., from across the Internet). The vulnerability is Cross Site Request Forgery (CSRF). This is possibly the second most common web vulnerability (second only to Cross Site Scripting aka XSS). Despite its prevalence, CSRF is not well known or understood by many people. I thought about writing a short explanation of CSRF but I don’t have my head around it well enough to feel comfortable explaining it to you. So, I’ve done the next best thing–I’ve located an excellent article by CSO magazine titled “Threat Watch: Cross Site Request Forgery (CSRF) Why a little-known web application vulnerability could cause big problems.”

As far as I know, this vulnerability is unpatched by Linksys which means there is update to fix this problem if you want to keep running the standard Linksys firmware. However, you can fix this vulnerability and gain additional features by upgrading to an open source firmware such as DD-WRT or Tomato. I happen to own a Linksys WRT54GL version 1.1 and have flashed it with the DD-WRT firmware. Because flashing a router’s firmware is not for the faint of heart, I have composed very detailed how-to instructions for those who are interested.

Another mitigation method I almost forgot to mention is to actually quite simple. Do not visit other websites while logged in to administer the Linksys WRT54GL. [via Secunia]

Filed under DD-WRT, Tech Advice, WRT54GL| | 3 Comments

More Secure OpenID

03Jan08

OpenID is a very cool authentication idea. It allows you to have single sign-on (i.e., login once using one user name and password for multiple websites/applications) for sites that support OpenID. The ability to only login to one site and then only provide your OpenID URL to other sites you would like to authenticate to (prove that you are who you say you are) is very nice. For one, it alleviates the problem of having to remember multiple user names and passwords (I hope you use different passwords for different sites…at the very least different passwords for financial sites). For two, it saves time. Unfortunately, every site I use does not yet support OpenID so I still end up having to deal with multiple user names and passwords.

Like all things with computer security, OpenID is not without its fair share of problems. One of the biggest problems is a result of OpenID’s main benefit, single sign-on. Single sign-on is great as long as no one is able to compromise your user name and password. However, if someone manages to compromise your user name and password then they’ve compromised every site for which that single sign-on is used. Therefore, it is imperative that your OpenID account has a very strong (read long, random, mixed case, numbers, and special characters) password.

It is also important that you don’t fall victim to a phishing attack that tricks you into thinking your logging in to your OpenID account when you’re not. Otherwise, it doesn’t matter how strong your password is if you simply give it away to a fake site. In order to ensure the OpenID provider site you’re logging into is legitimate you should examine the SSL certificate to make sure it belongs to your OpenID provider and has been signed by a trustworthy certificate authority (e.g., Verisign, Thawte, etc.).

Another concern with OpenID that I won’t cover in this article because its out of scope is privacy. The jest of the issue is that your OpenID provider can basically track every site you use your OpenID account with. A few other concerns with OpenID exist. I recommend that you checkout Security Now episode 111 if your interested in learning more about OpenID concerns.

Wouldn’t it be great if there was a way to easily and effectively reduce some of the risk with OpenID? Two-factor authentication provides the solution. For those of you who are not familiar with what two-factor authentication is, I’ll give a brief explanation. Two-factor authentication is when you provide more than one form of evidence that you are who you say you are. Generally, people just provide a password which is something you know. However, two other common factors of authentication exist—something you are (biometrics) and something you have (security token/fob, smart card, etc.).

Two-factor authentication is a great solution because it ensures someone can’t easily steal your account by guessing, cracking, or stealing your OpenID password. The second factor means that would need to possess your security token as well. Security tokens work by providing a random string of typically six digits periodically (most tokens do so every thirty seconds). The current six digits being displayed by the token (which only you have) must be appended to the password (which hopefully only you know). Additionally, a two-factor authentication mitigates the risk of falling victim to a phishing site because the password the phisher stole is only good for thirty seconds.

Luckily for all of us Verisign is a free OpenID provider which offers support for two-factor authentication. They call their service Personal Identity Provider (PIP). To take advantage of their service you need to have a supported security token (i.e., a little key-chain device which provides a random number every thirty seconds). Luckily, you can buy one of these devices through PayPal for only $5. As an added benefit, this security token works not only with PIP but also with PayPal and eBay.

A Firefox extension, SeatBelt, automatically fills in your OpenID URL in websites with the appropriate form field. The extension also provides some useful security and OpenID management capabilities.

In conclusion, OpenID is a great solution for trivial sites like blogs and forums as long as you are aware of the dangerous that exist and take the necessary precautions. I still wouldn’t recommend OpenID for financial and medical sites but for pretty much everything else it is great. I know I can’t wait till more of the sites I use start to take advantage of it.

In case your wondering, I’m not getting paid anything to write this post nor do I make any money if you sign up for an account or buy a security key. I just think Verisign is offering a really good, secure OpenID solution that not many people know about. I just wanted my readers to know that this is an available solution. Plus, if enough people start using OpenID more sites are likely to offer it is an login option. Before I forget, you can find a list of OpenID enabled sites at the OpenID directory.

Filed under Security, Tech Advice| | 5 Comments

Securing Your Wireless Network

21Apr07

I’ve been on a bit of a security kick lately…more than usual anyway. I’ve always been a bit of a security fanatic but lately I’ve been learning a whole lot more. Working as an IT auditor by day and just naturally being attracted to technology, security is of great interest to me. I’m also becoming a huge fan of the open source DD-WRT firmware as I start to use more and more of its features on my home network.

A lot of security topics exists that I’d love to write about sometime, but securing your wireless network is one that should be useful to most of my blog readers. Plus, this is a natural progression from my recent post about How to Flash the WRT54GL with DD-WRT Firmware. This post will not cover the intricate details of the hows and whys of wireless security nor will provide a ton of details on how to circumvent (i.e., crack) common security settings. Maybe I’ll cover those topics at a later date. For now, I just want to tell you about what security settings you should use on your home or small business wireless network to ensure no one is able to sniff (see what your doing on your wireless connection) or use your wireless connection without your permission. Continue reading

Filed under DD-WRT, Security, Tech Advice| | 41 Comments