I'd suggest installing pfSense at a home location for the benefits that pfSense
provides. The ability for you to see what is going on on your network is
much greater than with any of the consumer routers.

If you get a little Netgate SBC, you can have a pfSense router with the
same size and power specs as a Netgear, Linksys, Buffalo, etc HW router.
Also, there is a chance that your pfSense will be more secure as it is an
active project that takes security seriously. I've seen too many problems
with cheapo HW routers to trust them...


Walter


On Wed, Sep 4, 2013 at 5:33 PM, Robert Guerra <[email protected]> wrote:

>
> Curious on people's comments on types of routers, firewalls and other
> appliances that might be affected as well as mitigation strategies. Would
> installing a pfsense and/or other open source firewall be helpful in any way
> at a home net location?
>
> --
> R. Guerra
> Phone/Cell: +1 202-905-2081
> Twitter: twitter.com/netfreedom
> Email: [email protected]
>
> On 2013-09-04, at 4:12 PM, Eugen Leitl wrote:
>
> >
> > http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/
> >
> > NSA Laughs at PCs, Prefers Hacking Routers and Switches
> >
> > BY KIM ZETTER 09.04.13 6:30 AM
> >
> > Photo: Santiago Cabezas/Flickr
> >
> > The NSA runs a massive, full-time hacking operation targeting foreign
> > systems, the latest leaks from Edward Snowden show. But unlike conventional
> > cybercriminals, the agency is less interested in hacking PCs and Macs.
> > Instead, America’s spooks have their eyes on the internet routers and
> > switches that form the basic infrastructure of the net, and are largely
> > overlooked as security vulnerabilities.
> >
> > Under a $652-million program codenamed “Genie,” U.S. intel agencies have
> > hacked into foreign computers and networks to monitor communications
> > crossing them and to establish control over them, according to a secret
> > black budget document leaked to the Washington Post. U.S. intelligence
> > agencies conducted 231 offensive cyber operations in 2011 to penetrate the
> > computer networks of targets abroad.
> >
> > This included not only installing covert “implants” in foreign desktop
> > computers but also on routers and firewalls — tens of thousands of
> > machines every year in all. According to the Post, the government planned
> > to expand the program to cover millions of additional foreign machines in
> > the future and preferred hacking routers to individual PCs because it gave
> > agencies access to data from entire networks of computers instead of just
> > individual machines.
> >
> > Most of the hacks targeted the systems and communications of top
> > adversaries like China, Russia, Iran and North Korea and included
> > activities around nuclear proliferation.
> >
> > The NSA’s focus on routers highlights an often-overlooked attack vector
> > with huge advantages for the intruder, says Marc Maiffret, chief
> > technology officer at security firm Beyond Trust. Hacking routers is an
> > ideal way for an intelligence or military agency to maintain a persistent
> > hold on network traffic because the systems aren’t updated with new
> > software very often or patched in the way that Windows and Linux systems
> > are.
> >
> > “No one updates their routers,” he says. “If you think people are bad
> > about patching Windows and Linux (which they are) then they are … horrible
> > about updating their networking gear because it is too critical, and
> > usually they don’t have redundancy to be able to do it properly.”
> >
> > He also notes that routers don’t have security software that can help
> > detect a breach.
> >
> > “The challenge [with desktop systems] is that while antivirus don’t work
> > well on your desktop, they at least do something [to detect attacks],” he
> > says. “But you don’t even have an integrity check for the most part on
> > routers and other such devices like IP cameras.”
> >
> > Hijacking routers and switches could allow the NSA to do more than just
> > eavesdrop on all the communications crossing that equipment. It would
> > also let them bring down networks or prevent certain communication, such
> > as military orders, from getting through, though the Post story doesn’t
> > report any such activities. With control of routers, the NSA could
> > re-route traffic to a different location, or intelligence agencies could
> > alter it for disinformation campaigns, such as planting information that
> > would have a detrimental political effect or altering orders to re-route
> > troops or supplies in a military operation.
> >
> > According to the budget document, the CIA’s Tailored Access Programs and
> > NSA’s software engineers possess “templates” for breaking into common
> > brands and models of routers, switches and firewalls.
> >
> > The article doesn’t say it, but this would likely involve pre-written
> > scripts or backdoor tools and root kits for attacking known but unpatched
> > vulnerabilities in these systems, as well as for attacking zero-day
> > vulnerabilities that are yet unknown to the vendor and customers.
> >
> > “[Router software is] just an operating system and can be hacked just as
> > Windows or Linux would be hacked,” Maiffret says. “They’ve tried to
> > harden them a little bit more [than these other systems], but for folks
> > at a place like the NSA or any other major government intelligence agency,
> > it’s pretty standard fare of having a ready-to-go backdoor for your
> > [off-the-shelf] Cisco or Juniper models.”
> >
> > Not all of the activity mentioned in the budget document involved remote
> > hacking. In some cases, according to the document, the operations
> > involved clandestine activity by the CIA or military intelligence units to
> > “physically place hardware implants or software modifications” to aid the
> > spying.
> >
> > “Much more often, an implant is coded entirely in software by an NSA
> > group called Tailored Access Operations (TAO),” the Post writes in its
> > story about the document. “As its name suggests, TAO builds attack tools
> > that are custom-fitted to their targets.”
> >
> > A handful of security researchers have uncovered vulnerabilities in
> > routers in recent years that could be used to do the kind of hacking
> > described in the budget document.
> >
> > In 2005, security researcher Mike Lynn found a serious vulnerability in
> > Cisco IOS, the operating system running on millions of Cisco routers
> > around the world.
> >
> > Lynn discovered the vulnerability after his employer, Internet Security
> > Systems, asked him to reverse-engineer the Cisco operating system to see
> > if he could find security problems with it. Cisco makes the majority of
> > the routers that operate the backbone of the internet as well as many
> > company networks and critical infrastructure systems. The Cisco IOS is as
> > ubiquitous in the backbone as the Windows operating system is on desktops.
> >
> > The vulnerability Lynn found, in a new version of the operating system
> > that Cisco planned to release at the time, would have allowed someone to
> > create a router worm that would shut down every Cisco router through
> > which it passed, bringing down a nation’s critical infrastructure. It also
> > would have allowed an attacker to gain complete control of the router to
> > sniff all traffic passing through a network in order to read, record or
> > alter it, or simply prevent traffic from reaching its recipient.
> >
> > Once Lynn found the vulnerability, it took him six months to develop a
> > working exploit to attack it.
> >
> > Lynn had planned to discuss the vulnerability at the Black Hat security
> > conference in Las Vegas, until Cisco intervened and forced him to pull
> > the talk under threat of a lawsuit.
> >
> > But if Lynn knew about the vulnerability, there were likely others who
> > did as well — including intelligence agencies and criminal hackers.
> >
> > Source code for Cisco’s IOS has been stolen at least twice, either by
> > entities who were interested in studying the software to gain a
> > competitive advantage or to uncover vulnerabilities that would allow
> > someone to hack or control them.
> >
> > Other researchers have uncovered different vulnerabilities in other Cisco
> > routers that are commonly used in small businesses and home offices.
> >
> > Every year at computer security conferences — including the Black Hat
> > conference where NSA Director Keith Alexander presented a keynote this
> > year — U.S. intelligence agencies and contractors from around the world
> > attend to discover information about new vulnerabilities that might be
> > exploited and to hire talented researchers and hackers capable of finding
> > more vulnerabilities in systems.
> >
> > In 2008, a researcher at Core Security Technologies developed a root kit
> > for the Cisco IOS that was designed to give an attacker a persistent
> > foothold on a Cisco router while remaining undetected.
> >
> > According to the Post story, the NSA designs most of the offensive tools
> > it uses in its Genie operation, but it spent $25.1 million in one year for
> > “additional covert purchases of software vulnerabilities” from private
> > malware vendors who operate on the grey market — closed markets that
> > peddle vulnerabilities and exploits to law enforcement and intelligence
> > agencies, as opposed to the black market that sells them to cyber
> > criminals.
> >
> > The price of vulnerabilities and exploits varies, depending on a number
> > of factors. Vulnerabilities and exploits can sell for anywhere from
> > $50,000 to more than a million, depending on the exclusivity of the
> > purchase — some vulnerabilities are sold to multiple parties with the
> > understanding that others are using it as well — and their ubiquity. A
> > vulnerability that exists in multiple versions of an operating system is
> > more valuable than a vulnerability that exists in just one version. A
> > class of vulnerability that crosses multiple browser brands is also more
> > valuable than a single vulnerability that just affects the Safari browser
> > or Chrome.
> >
> > The Stuxnet cyber weapon that was reportedly created by the U.S. and
> > Israel to sabotage centrifuges used in Iran’s uranium enrichment program,
> > used five zero-day exploits to spread itself among systems in Iran,
> > including a rare exploit that attacked the .LNK function in multiple
> > versions of the Windows operating system in order to spread the worm
> > silently via infected USB sticks.
> >
> > Ubiquitous router vulnerabilities are difficult to find since there are
> > so many different configurations for routers, and an attack that works
> > against one router configuration might not work for another. But a
> > vulnerability that affects the core operating system is much more
> > valuable since it is less likely to be dependent on the configuration.
> > Maiffret says there hasn’t been a lot of public research on router
> > vulnerabilities, but whenever someone has taken a look at them, they have
> > found security holes in them.
> >
> > “They’re always successful in finding something,” he says.
> >
> > Once a vulnerability becomes known to the software maker and is patched,
> > it loses a lot of its value. But because many users and administrators do
> > not patch their systems, some vulnerabilities can be used effectively for
> > years, even after a patch is available. The Conficker worm, for example,
> > continued to infect millions of computers long after Microsoft released a
> > patch that should have stopped the worm from spreading.
> >
> > Routers in particular often remain unpatched because system
> > administrators don’t think they will be targeted and because
> > administrators are concerned about network outages that could occur while
> > the patch is applied or if the patch is faulty.
> >
> > Kim Zetter is a senior reporter at Wired covering cybercrime, privacy,
> > security and civil liberties.
> >
> > --
> > Liberationtech is a public list whose archives are searchable on Google.
> > Violations of list guidelines will get you moderated:
> > https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> > Unsubscribe, change to digest, or change password by emailing moderator at
> > [email protected].
>
> _______________________________________________
> List mailing list
> [email protected]
> http://lists.pfsense.org/mailman/listinfo/list
>



-- 
The greatest dangers to liberty lurk in insidious encroachment by men of
zeal, well-meaning but without understanding.   -- Justice Louis D. Brandeis
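Maiffret's remark above that routers mostly lack any integrity check, and Walter's point about visibility, can both be addressed on a pfSense-style box by baselining its configuration file and diffing it on a schedule. The following is an added example, not code from this thread or from the pfSense project; it assumes a hypothetical, trimmed config.xml layout (constructed inline) and compares a saved baseline against the current copy, treating a swapped DNS resolver and a new WAN pass rule as the kind of change worth alerting on.

```python
import hashlib
import xml.etree.ElementTree as ET
# Constructed sample, trimmed to the shape of a pfSense-style config.xml
# (hypothetical element names, not a real export): the saved baseline and a
# later copy whose DNS resolver was swapped and a new WAN pass rule added.
BASELINE_XML = """<pfsense>
  <system><hostname>gw</hostname><dnsserver>9.9.9.9</dnsserver></system>
  <filter>
    <rule><type>pass</type><interface>lan</interface><source>lan</source></rule>
  </filter>
</pfsense>"""
CURRENT_XML = """<pfsense>
  <system><hostname>gw</hostname><dnsserver>203.0.113.7</dnsserver></system>
  <filter>
    <rule><type>pass</type><interface>lan</interface><source>lan</source></rule>
    <rule><type>pass</type><interface>wan</interface><source>any</source></rule>
  </filter>
</pfsense>"""

def flatten(xml_text):
    """Map every leaf element to its stripped text, keyed by an indexed path
    such as pfsense/filter[1]/rule[2]/source[1] so repeated rules stay apart."""
    leaves = {}
    def walk(elem, path):
        children = list(elem)
        if not children:
            leaves[path] = (elem.text or "").strip()
            return
        seen = {}
        for child in children:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            walk(child, f"{path}/{child.tag}[{seen[child.tag]}]")
    root = ET.fromstring(xml_text)
    walk(root, root.tag)
    return leaves

def config_digest(xml_text):
    """SHA-256 over the sorted leaf map, so reindenting the file does not
    change the digest but any changed, added or removed setting does."""
    canon = "\n".join(f"{k}={v}" for k, v in sorted(flatten(xml_text).items()))
    return hashlib.sha256(canon.encode()).hexdigest()

def diff_config(baseline_xml, current_xml):
    """Return (path, old, new) for every setting that changed, appeared or
    vanished; None marks a setting absent on that side."""
    old, new = flatten(baseline_xml), flatten(current_xml)
    return [(p, old.get(p), new.get(p))
            for p in sorted(set(old) | set(new)) if old.get(p) != new.get(p)]
```

Store the baseline digest off-box (the router itself is the thing you distrust) and run `diff_config` whenever the digest moves; an unexpected resolver or a new pass rule is exactly the kind of change a compromised router would show.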
