A recent Ars Technica article on ASUSGATE pointed to this blog and named me as a blogger who was caught with his digital pants down. I wanted to capture some of my incident response procedures now that some time has passed and my stress levels are back to normal. As noted in the article the first thing I did was shut down all non-necessary services such as FTP and Samba. Luckily for me I never liked the idea of AiCloud so that service was already off. Next I ran a port scan on my external IP address from an server outside of my home network to make sure that no ports were left opened. My goal was to ensure that literally 0 ports were open to the outside world and my router didn’t respond to uninitiated packets sessions. I ran an nmap scan that checked ports 1-65534 and found a port in the very high ethereal range (something like 32000) and dug back through the ASUS interfaces until I found the culprit. Apparently I had forgot to turn off the VPN pass through option from my time working at Akamai. I ran the scan again focusing only on the port that was found in the previous scan and it was off.
I’m still concerned that I have a known IP address though. At the very least anyone who doesn’t like me could send a DDoS (or just a DoS with a strong enough connection) and make sure I don’t see the internet for a while. From the research I’ve done cable companies like Comcast dole out IP addresses using DHCP but the leases can be for years. The only time they change them is when the MAC address changes so my next step is to disconnect my ASUS and connect a laptop running a liveCD directly to the cable modem in hopes of getting a new IP address.
When ASUS contacted me they sent notes on the best practices they were announcing to existing customers and details of a beta patch that was rolling out. What I didn’t see was that the FTP service would explicitly not be open on the WAN interface and require authorization from the user to open up their files to the internet. Those victims that put a username/password on their FTP should not use default credentials like “admin/admin” since they are well known and, as stated above, the IP address of the router probably hasn’t changed.
Lastly I want to nitpick on the editor’s choice of describing my folly as being “caught with my pants down”. I think this was a great way to spice up the story but the analogy doesn’t work that well. I didn’t expose anything that I would be ashamed of. The image of my pants being down is my genitals are exposed and that’s something I don’t show in public and so a more apt analogy would be that my digital fly was down. Anyone in the world could get a peek into my digital pants, and it’s certainly embarrassing, but since I don’t walk around “commando style”[1] I was covered underneath that undone zipper.
[1] Military commandos who operate in the jungle often do not wear underwear because of the health issues associated with increased moisture and lack of air flow. http://en.wikipedia.org/wiki/Going_commando
Post a Comment