So below I put few entries from a router security site.    The other day I noticed a weird series of actions, just a couple small things, like one of my securities cameras alerting when nothing was there to trip it.  Alone I wouldn’t be bothered by it, the cameras are set very high detection of movement and will alert on moths or spiders.   If it moves outside my home I want to know about it and have a video.    It could have been anything and the system is linked so if one alarms the rest activate.   But it bothered me.  So I went into my router and looked over my settings.  I noticed right away my UPnp setting was active / on.  That was weird because if you know anything about cyber security or home networks you know that is a way hackers get / set up an open door to use your system.    The UPNP is universal plug and play.   It lets other devices connect to the home network easier.   Things like printers, Xboxes, and other non-computer devices.   Things can still connect with it on but it takes more work, like my printer I have to hook up through the IP address instead of the computer just finding it.  

Now I want to reassure everyone that if you are hacked by the Russian or other nation states they are not after your bank account or credit card number.   That is a different level of hacker, a much lower one.   And looking at the threat maps so many computers worldwide are being used by attackers without the owners knowing they are being used.  Want to blow your mind on just how bad nation state hacking and controlling bot networks is, just google “cyber attack maps” or check out some of these.    https://www.secureworld.io/industry-news/6-live-cyber-attack-maps .    At this point it is almost a losing game for the average homeowner to play to protect themselves.   I run tight security even though my knowledge of computers is getting to be decades out of date, and they still got through to my set up.    But then I go to places where there are Russian bots and influencers are.   But if you have argued with a rando on Facebook or some other social media or downloaded a picture or other file with a political bent it could have been a bad actor looking for your IPS to get to your system.   To nation states like the Russians your internet connection with a decent computer are far more valuable to them.   With modern internet speeds (even as slow as the US speeds are compared to the other developed nations) and even the average computer today the damage that can be done when those computers are linked together is immense.   If nothing else if they get a large number of computers from an area focused on the same goal they can do everything from massive DDOS attacks to clogging up business internet access.   They can simply clog up the local internet to keep a local utility / government agency from accessing the internet.  They can direct computers to do brute force attacks against businesses or utilities, or a government agency.   Once I was up on all this stuff and what could be done and how.   That was years and years ago.   Now I only know enough to keep watch and hopefully spot it if it happens to my stuff.   This is what the last few days have brought.

I noticed a couple errors and had a disconnection of the computers that could only be cleared by restarting the router.   That was enough to clue me in.  That shouldn’t have happened.   So I went into the router and looked over the settings.  I noticed they were not as I normally have them.  One in particular caught my attention.  The UPnp was active.   That lets someone hack into the router pretending to be one of your devices and change any settings they like.   Once they are in they change the firmware of the router to block attempts to change what they set up.  I tried to set it to off.  I was shocked when the router was forced back to the sign on screen.   I signed on again and tried again to shut it off.   Same result.   Damn, then I knew there was a problem.  So I checked the firmware.  While it said the signature was fine I figured something was wrong.   So I tried to update it.  Again the machine forced it self back to the sign on page.  I tried to manually upload the firmware updates and it again forced it self back to the sign in page.   So I went setting by long lists of settings to check the router.    I was locked out of any setting that would make it harder to use the router by a remote source.  Who ever had hacked the firmware just wanted to use my internet and they did not mess with anything else.   I tried to do a normal factory reset, it seemed to work but it failed as I still had no control of those settings.   I tried the even deeper factory reset the company claimed would clear any problem but that also failed.   There was no way around the firmware lock.  I tried different things many times.    If it had not been that when they either used it or first set it up that it knocked both my computers offline, and alerted the one security camera, I wouldn’t have suspected.   I have no idea how long the hack was there; it could have been there for a month or more since I last checked the router or it could have been done the day I noticed the hiccup.  Thing is I never noticed a power drain from either computer, nor a bandwidth loss and I push my computers hard.  Ron had complained he was having trouble with his apple box and YouTube with it often not loading or being really slow.   I tested it and looked at the bandwidth monitor and did not see a problem, so I assigned it the highest priority.      He was still frustrated with it.  

So now that I see there is a problem, Ron started reading about modems and he liked a Tp-link modem.    I did a quick look and it had the power to broadcast the distance I wanted, could handle the many (seriously seems everything in the house connects to the internet) devices I needed, and it had the bandwidth I had to have to push internet to all these devices.   I was stunned at the price.   The last router was nearly $400 dollars when I bought it back a decade ago, and this was only $164.  I figured the prices had really come down.   Good.  I double checked the security it claimed to have, remember that because that will come back to bite me.   It bragged it had some of the best security in the business.    I ordered it for next day delivery and went back to using the hacked old router.   

Sunday during the morning news shows I dumped both computers.  Simple process, one I used the return to factory condition recover commands, the other doesn’t have a recovery environment so I simply use a Windows 10 install USB to delete all disk partitions wiping out what is there and then installing a new copy of windows.   As the bios has the Windows’ license keys it doesn’t cost me anything but time.   A bunch of time.  The resets only take about 20 minutes, then I have to load all my programs while updating windows.   That takes more time every time I do it as I have more programs to install and windows has more updates to do.  I had just got a couple more security programs I like but that would cause problems on the second video computer.   Long story short the main blogging computer installed great.  Then I unpacked the router, and I was so frustrated and angry with it, I made a stupid mistake.  One thing I hated was you could connect to the router setup via wireless instead of just hard cable which is a huge security risk, and then a I found out I would have to use my phone to set up an online “in cloud” account with the company to have any control or use of the router.    I had to download an app from the company and then make an account with them setting myself up to spam from them to adjust any settings.     But the router had little in the way of user control over the security settings.    I was able to do some but the intrusion detection and the DDOS protections were an added price and had no user control.   To get them you had to accept a content filter that was not adjustable.  Think of it as parental controls put on adults.   It was $55 a year on discount.   I could have spent that on a more expensive router that had that built in security with adjustable controls.     So I signed up for it while I set up the user settings as best I could.  The plus is the router does have more broadcast power and more bandwidth than the old router but the negative but less control over security.    That day we all had issues.    The router was fighting me and James.   James got blocked from 5 legitimate sites and finally gave up on the router and opened his own hotspot.  

Then I went back to setting up the computers.   I was happy with the speed of the router as my computers are connected by ethernet cable to the router.   But it fought me on somethings it shouldn’t and on the video computer the install of some programs went badly with software seeing the router as a third party control blocking my control of those programs.   I dumped the computer again and started over.    I finished up the installs on it last night but have yet to move the over 1.5  TB of files over to its hard drives.   I started doing that on the primary blogging computer and it is still running.    I have about 1.5 Tb of files from my computers and another 600 GB of files for Ron’s computers.    After each large Windows updates I have to go back through the settings and stop the default settings from sharing everything a computer does with Microsoft.   If you doubt this go through your privacy settings for example.   Turn them all off except your camara / microphone permissions for just programs you want to have them.   And if your anti-virus / firewall program allows you to do so turn off your camera being accessed by the chrome browser when you open a site with chrome.   I use Norton 360 for one of my security programs and it has a setting for blocking programs from accessing your cameras.    But all through the settings menus you find share with … default settings turned on.  Turn them all off.   They do not change the way the computer works for you but does make it a tad bit harder for Microsoft and their types from adding more to the database they have on all of us.   

So yesterday was a wash for the roundup.   Too much going on to do any big posts, but I did get a few news stories out.   Today or tomorrow I have to go to get my new glasses.  On Friday I have to get my drivers license, so will have to find time to get it all together.   So this week the roundup will be hit and miss and maybe a bit skimpy.    Best wishes to all.

https://routersecurity.org/RouterNews.php

MARCH 2022

The Dutch do Router Security Right

Russian state hackers target Dutch routers: Volkskrant
by DutchNews.nl   March 3, 2022
The two most interesting aspects of this story to me: (1) The Dutch told victims about their routers having been hacked and (2) they advised that the hacked routers should be thrown away. Well done. A Russian hacking group known as 74455, Sandworm and BlackEnergy, has been targeting Dutch routers belonging to private individuals and small and medium sized businesses. The bad guys are part of the Russian intelligence service. It is not clear if the hacking is linked to the war in Ukraine. The number of hacked routers is not known. All this came to light due to an investigation by the Dutch military intelligence agency MIVD. The malware on the routers communicates with other Russian controlled computers in a network which is used for sabotage, spying and the spread of fake news. And, of course, routers that allow outside access are particularly vulnerable.

FEBRUARY 2022

Wuddya Know? Routers spy on you

Your Router Is Collecting Your Data. Here’s What to Know, and What You Can Do About It
by Ry Crist of CNET   February 25, 2022
First of all, my router is not collecting any data about me. CNET lives in the fishbowl of consumer routers. There is a bigger world. Crist reviewed the privacy policies for D-Link, Netgear, Asus, TP-Link, Eero, Google Nest and Arris (really CommScope). Every one confirmed that the company in question collected personal data for the purpose of marketing. All the companies also acknowledged that they share user data with third parties for marketing purposes. Such are consumer routers, one reason to look into secure routers. Crist wasted much of the article looking into whether a router tracks web activity. There is no one answer to that question as parental controls and assorted security features require the inspection of web traffic. Points of note:
–Asus and Google Nest were the only companies that let you opt out of data collection
–D-Link refused to answer questions about privacy
–best for opting out of data collection: The Motosync app for Motorola routers (run by Minim) has a very clear option
–worse: D-Link and TP-Link, which do not offer any direct means of opting out
–worst: Eero. The only way to stop Eero devices from gathering data is to not use them.
The Asus instructions for opting out in the article are wrong. The correct path to the option is Advanced Settings -> Administration -> Privacy tab. This is what it looks like. The defensive steps in the article are incomplete. The most obvious omission is to use a VPN or Tor. Both hide activity from the router, just as they do from the ISP. Another option is to use a router with a web interface rather than a mobile app.

Watch out for WatchGuard routers

New Sandworm malware Cyclops Blink replaces VPNFilter
by UK National Cyber Security Centre   February 23, 2022
Once upon a time there was a bug in WatchGuard routers. The company fixed it in May 2021. Still un-patched routers are being infected by bad guys in Russia, specifically part of Russia’s GRU military intelligence agency. Not only have the nerds in charge of administering the boxes not installed bug fixes, they also left the buggy routers open to unrestricted remote administration without any of the available security options that WatchGuard provides for restricting remote access to the boxes. You could make a case that the techies doing defense are just as much, if not more, at fault that the Sandworm malware authors. The malware was first seen about three years ago and has been dubbed Cyclops Blink. It abuses the firmware update mechanism to allow it to remain running even if the box is re-booted. Currently only WatchGuard devices have been infected, but the NCSC warns that it could be adapted to other platforms.

• Cyclops Blink from WatchGuard
• Cyclops Blink FAQs from WatchGuard
• Russia’s most cutthroat hackers infect network devices with new botnet malware by Dan Goodin for Ars Technica Feb 23, 2022
• Russia’s Sandworm Hackers Have Built a Botnet of Firewalls by Andy Greenberg Feb 23, 2022.

JANUARY 2022

UPnProxy Follow-Up – still bad

UPnProxy: Eternal Silence
by Chad Seaman of Akamai   January 27, 2022
Discovered by Akamai, a bug called UPnProxy is still alive and well, six months after they first publicized it. When abused, it attempts to expose TCP ports 139 and 445 on devices connected to the targeted router. Out of 3,500,000 UPnP routers found online, 277,000 are vulnerable to UPnProxy, and 45,113 of them have already been infected by hackers. This is yet another reminder that consumer routers ship with UPnP enabled by default to cut down on tech support requests. Peplink and pcWRT routers ship with UPnP disabled. Many devices were found vulnerable, including some from Asus, D-Link, Belkin, DrayTek, Edimax, HP, Monoprice, Netis, Netgear, Ubiquiti, SMC, ZyXel, ZTE. Also versions of OpenWRT are vulnerable.

• UPnProxy: Blackhat Proxies via NAT Injections by Akamai. A 20 page PDF.
• Hundreds of thousands of routers exposed to Eternal Silence campaign via UPnP by Pierluigi Paganini of Security Affairs. January 31, 2022