There are many reasons to re-flash your home router with a different OS than the one the manufacturer has cobbled together; the Misfortune Cookie attack (US-CERT) is just one of them. Having been involved in the testing of a number of domestic xDSL routers, I have a rather low opinion of the amount of care put into the default security levels of consumer devices (but that is not what this post is about).
I have chosen to utilise OpenWrt on one of my internal wireless access points and, during a reconfiguration of the network, I managed to bork the settings by not paying attention. With an out-of-the-box device, there is usually a ‘Reset’ button you can hold in while powering up the device which will clear all settings and return you to the initial un-configured state. This is not quite the case with OpenWrt, but it is still a fairly easy process to return your router to a known state, and begin the configuration process again.
Disconnect WAN cable
Unplug power to router
Set your computer’s IP address to:
IPv4 Address: 192.168.1.2
Re-power your router, pressing the ‘reset’ button when the status light begins blinking (fast)
Using PuTTY (or your favourite *TELNET* client), connect to 192.168.1.1 and you should see the OpenWrt prompt. Type the commands below (in red) to reset the router to its initial, preconfigured state:
jffs2 is ready
jffs2 is ready
switching to overlay
This will erase all settings and remove any installed packages. Are you sure? [N/y]
/dev/mtdblock3 is mounted as /overlay, only erasing files
root@(none):/# reboot -f
Unset your static IP and have fun reconfiguring your router.
I have a couple of Open Mesh Indoor Access Points that I’ve used for various projects, the most recent of which being the provision of WiFi for our Teenage Subnet.
These devices have a very cool history. Originally created under the banner of Meraki (since sold to Cisco and thenceforth diverging from its open source roots), the Open Mesh has a really strong community behind it, both in the development and the after-market support camps.
Long story short, one of the nodes decided to pack a sad and nothing I could do from the control panel would get the dang thing to talk to the network again, so that’s when I rolled out the big guns.
It was to these guys that I turned my web browser, and true to form was soon rewarded with this very good HOWTO explaining the step by step of reflashing an open mesh device.
While I have archived a copy of the article in case the original gets moved, I would caution the visiting reader to seek their fortunes in the community forums’ updated documentation should you stumble across this page at any great length of time after it is initially published.
The one edit I would make would be to ensure that, in Windows, you open the command prompt as an Administrator. For me, the flash program would not detect any interfaces until I did this.
So, a friend* of mine asked me yesterday, (following my posting of an article), what I thought of a particular password manager – I obviously wanted to answer her question. I then decided that since I was in for a penny, I might as well be in for a pound and here we are, (hopefully) fixing my response, and posting it in a more readable format.
TLDR; No. I don’t especially like the look of it. You have to trust a company who is making money out of (hoping) their product is secure. I personally like KeePass ( http://keepass.info ) which works on all my devices and, coupled with an internet sync service (that also leaves you comfortable with the level of security offered), works on all my devices.
While the GIMP (the GNU Image Manipulation Program, not the one from Pulp Fiction) is a marvelously capable (and freely available) graphics tool, it has a complete meltdown when asked to perform a simple task like saving a multi-page PDF.
GIMP will import a multi-page PDF fine:
One of the concerning requests of Xbox Live connectivity is to enable UPnP, or ‘Universal Plug and Play’, on your home router.
The UPnP protocol has a long standing history of security problems, not the least of which being that it allows unauthenticated devices to connect to and through your home network. In the past, I have advocated for this to be switched off by default in consumer grade routers and I explain the UPnP threat in another post.
Getting back on track, my security-conscious view for our home network does nothing for a teenage boy who received an Xbox Live subscription for his birthday and, while some aspects of the Live subscription work, others (such as game sharing) will fail. With this in mind, we need to set up port forwarding, rather than implement UPnP, to connect said teenager to his gaming buddies and keep our network free of the risks introduced by enabling UPnP.
The UPnP protocol has a long standing history of security problems, not the least of which being that it allows unauthenticated devices to connect to and through your home network.
TLDR; UPnP is a flawed protocol which has been leveraged numerous times to conduct widespread attacks via large numbers of insecure devices. Do not enable UPnP on your network. Or do, but understand the potential consequences of your decision.
Koha is a fully featured, scalable library management system.
So, I thought I’d set up Koha on a virtual machine to have a bit of a play, and maybe use it to manage our library at home.
Create the virtual machine
I’m using VirtualBox as my VM manager, so – first off we create a new machine, give it a name and set the type to ‘Linux, Debian (64-bit)’ as Koha is most often deployed on Debian servers.
The default settings (512MB RAM, 1 Processor, 8GB HDD) are fine, and we will set the network card to be a bridged adapter (which will give it its own IP address on our local network) for now, so all that remains is to point the CD to the latest Debian installation image. I am using the network install as this machine will only be built with what Koha needs and thus I don’t need to pull down local copies of a bunch of things we won’t install. So, let’s start the VM and get on with the installation.
Now that pfSense is connecting through your home LAN and serving addresses to the ‘Teenage Subnet’, we need to do some further tweaking to make sure we can keep our semi-hostile network safe as well as keeping an eye on our network traffic usage and what our users are accessing.
So, with another major collection of user credentials being uncovered (and reported in the mainstream media), there is a slight increase in interest in people, their data, and the credentials they use.
It’s anyone’s guess as to how long this breach will remain in the news cycle, so I thought I’d throw out an article quickly as New Zealand is currently in the throes of pre-election posturing and I imagine some political hopeful will say something controversial and the media will swing away to cover that within the next day.
For those who may not yet have caught up with the news (or those reading this in the future and wondering which massive credential theft I’m referring to), this is the uncovering of the work done by ‘Cyber Vor’ who managed to snare around 1.2 billion (yes, with a B) unique user credentials.