Wi-fi Protected Setup cracked
January 25, 2012 6:22 PM

WPS (Wi-fi Protected Setup) is a protocol used by many wireless routers to make it easy to use wireless printers and other networked peripherals. Recently researchers revealed that the protocol was unsafe. It turns out that the PIN password space is only 11,000, and most routers don't object to repeated failed attempts to log in. As a result, it is possible to brute-force try every PIN in two-four hours. An open source program called Reaver has now been released which will do this. The Department of Homeland Security recommends disabling WPS on all routers, but not all routers permit it to be disabled.
posted by Chocolate Pickle (41 comments total) 16 users marked this as a favorite
 
WTF? The DHS wants to replace CERT now?
posted by Tell Me No Lies at 6:30 PM on January 25, 2012 [2 favorites]


I think CERT is part of DHS.
posted by Chocolate Pickle at 6:34 PM on January 25, 2012


My router is old enough to not have WPS on it. But maybe I'll try Reaver on my neighbor's router.
posted by birdherder at 6:35 PM on January 25, 2012


WTF? The DHS wants to replace CERT now?

From the About Us section of their web page:

Who runs US-CERT?
US-CERT is the operational arm of the National Cyber Security Division (NCSD) at the Department of Homeland Security (DHS).
posted by Runes at 6:35 PM on January 25, 2012 [1 favorite]


You might be thinking of this other CERT.
posted by Runes at 6:37 PM on January 25, 2012


Specifically, Linksys/Cisco routers have a setting for disabling WPS that does not work. That is, the radio button changes to disabled, but the protocol remains active. You can still be hacked, even though you think you've turned off the protocol. Presumably, updates will be out soon, if they aren't already, but if you have an old router, it's possible you may be SOL.

If your hardware will run the open source DD-WRT or Tomato firmwares, neither has this problem, as they don't support WPS. Buffalo's DD-WRT variant does support WPS, so it's vulnerable, but it turns off correctly from the control panel. You can still replace their firmware with stock DD-WRT if you like, but it's not necessary.

Oddly, Apple's wildly insecure setup method, that of bringing up a completely unsecured network and hoping you log in to change the router's settings before anyone else does, ends up being more secure than 'protected setup', once it's been locked down. Apple routers shouldn't, therefore, be vulnerable, but Apple pushed out a firmware update a few days ago, soon after this announcement, so there might indeed be some sort of problem.
posted by Malor at 6:44 PM on January 25, 2012 [3 favorites]


OhShit is a criminally underused tag.
posted by barnacles at 6:58 PM on January 25, 2012 [4 favorites]


I had thought that part of the protocol was that it had to be temporarily initiated at the router and was time-limited for that individual use?
posted by Ivan Fyodorovich at 6:59 PM on January 25, 2012 [2 favorites]


> but Apple pushed out a firmware update a few days ago

Latest one I see is November. I'd debate if it is insecure compared to booting up with a generic Linksys or D-Link network; at least Apple appends the MAC address of the hardware to the network ID so it is unique (and therefore not autojoined by everyone who has joined a Linksys or D-Link network in the past). Still not the best solution, but as WPS has shown, the best security is still one that has you connect to some admin interface of your device and change the default settings.
posted by mrzarquon at 7:01 PM on January 25, 2012 [1 favorite]


I've always disliked WPS but omg whoever designed it I owe you a beer! You've single handedly backstabbed all those telecoms fighting municipal wifi, along with their lobbyists and bought representatives. Woo man, just wow! Epic win dude!

Btw: Georgia Bill Would Prohibit Subsidies For Municipal Broadband
posted by jeffburdges at 7:04 PM on January 25, 2012


Ivan, there are two parts to it. One is called "PUSH" and it involves pushing a button on the router, and then a button on the prospective connecting device. That one has a timeout.

The other is called "PIN" and it's where the vulnerability lies. You go to the router and log in, and use a menu to create the PIN. Then you go to the device and tell it what the number is, and it uses it over WiFi to log in. That one doesn't have a timeout.

The number is 8 digits, but the last digit is a checksum. So we're at 10 million possible numbers, right? Except that if you try to log in with an improper PIN, the response code tells you whether the first four digits are right. (Or at least it's possible to tell from the response code.)

Thus you can search just those four digits (10,000 tries) and once you get the right value, then you search for the last three (another 1,000 tries) which means that an exhaustive search is no more than 11,000 attempts.
posted by Chocolate Pickle at 7:04 PM on January 25, 2012 [5 favorites]
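The arithmetic in the comment above, worked through in a small simulation (an added example, not Reaver and not any vendor's firmware): a toy registrar that answers per half the way the comment describes, an "atomic" variant that only confirms the whole PIN, and a cooldown counter to show what a lockout policy does to the 11,000-answer bound. The checksum rule is the one wpa_supplicant implements; the class and function names are my own.

```python
# Toy model of the WPS PIN search space. Constructed illustration: runs only
# against an in-memory registrar, makes no network traffic.


def wps_pin_checksum(first7: int) -> int:
    """Checksum digit for a 7-digit WPS PIN body (the rule wpa_supplicant uses)."""
    accum, pin = 0, first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def full_pin(first7: int) -> str:
    """8-digit PIN string: 7 chosen digits plus the checksum digit."""
    return f"{first7:07d}{wps_pin_checksum(first7)}"


class RegistrarModel:
    """Simulated router side (hypothetical model, not a real WPS implementation).

    atomic=False reproduces the flaw described in the thread: the answer reveals
    whether digits 1-4 were right before digits 5-8 are ever checked.
    atomic=True only ever says "ok" or "wrong" for the whole PIN.
    lockout_after=N models a cooldown that fires after every N failures
    (0 disables it); the model just counts how often it would fire.
    """

    def __init__(self, secret_pin: str, atomic: bool = False, lockout_after: int = 0):
        self.secret, self.atomic, self.lockout_after = secret_pin, atomic, lockout_after
        self.failures = self.lockouts = 0

    def try_pin(self, guess: str) -> str:
        if guess == self.secret:
            return "ok"
        self.failures += 1
        if self.lockout_after and self.failures % self.lockout_after == 0:
            self.lockouts += 1  # device would pause here before answering again
        if self.atomic:
            return "wrong"
        if guess[:4] != self.secret[:4]:
            return "first-half-wrong"
        return "second-half-wrong"


def exhaustive_attempts(model: RegistrarModel) -> int:
    """Number of answers an exhaustive search needs before the model says ok."""
    attempts = 0
    if model.atomic:
        # Only the whole PIN is confirmed, so every 7-digit body is a candidate.
        for first7 in range(10_000_000):
            attempts += 1
            if model.try_pin(full_pin(first7)) == "ok":
                return attempts
        raise RuntimeError("secret not found")
    # Flawed design: settle digits 1-4 alone (at most 10,000 answers) ...
    for half1 in range(10_000):
        attempts += 1
        if model.try_pin(f"{half1:04d}0000") != "first-half-wrong":
            break
    # ... then digits 5-7 with the checksum fixed (at most 1,000): 11,000 total.
    for mid3 in range(1_000):
        attempts += 1
        if model.try_pin(full_pin(half1 * 1000 + mid3)) == "ok":
            return attempts
    raise RuntimeError("secret not found")


def cooldown_seconds(model: RegistrarModel, pause: float = 60.0) -> float:
    """Wall-clock time the cooldowns alone would add, given a pause per lockout."""
    return model.lockouts * pause
```

With the worst-case secret "99999995" the split model is exhausted after exactly 11,000 answers, while a 60-second cooldown after every 3 failures adds about 61 hours of waiting on top of that.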


> I had thought that part of the protocol was that it had to be temporarily initiated at the router and was time-limited for that individual use?

I think that's SES rather than WPS.
posted by adamt at 7:05 PM on January 25, 2012


I'll list a few tips for anyone who fears their router being hacked because they cannot turn off WPS:

You should activate whatever local firewall your operating system offers as well. Mac OS X has one under Security & Privacy in System Preferences.

You should install HTTPS Everywhere for Firefox ASAP; that'll keep snoopers off your web traffic unless they use a compromised CA.

I'd imagine all your IMAP/POP connections already use SSL, but maybe verify that if you use either. If you use webmail, that'll already use HTTPS.

IM connections aren't necessarily encrypted, but you could learn about OTR if you really must send anything important like bank account information via IM.

Just fyi, there are lovely tricks you can play with two routers to create an open wifi for guests and a secure wifi for your own machines.
posted by jeffburdges at 7:22 PM on January 25, 2012 [5 favorites]


Oddly, Apple's wildly insecure setup method, that of bringing up a completely unsecured network and hoping you log in to change the router's settings before anyone else does

There's a lot to be said for the approach of putting a sticker on the unit itself with an initial passcode that's matched to the device, or even just making the serial number be the initial passcode. Then when you first connect it not letting you do anything until you change it to something else. If you forget it, you do a physical reset on the device and you're back to step one. This shit really isn't that hard.
posted by George_Spiggott at 7:22 PM on January 25, 2012 [3 favorites]


I realize that cryptography and security are really tough to get right. Like, incredibly tough. Most normal engineers implementing a crypto system are going to screw it up.

But the continual finding of weaknesses in WiFi systems, from WEP to TKIP to WPS now strikes me as awfully damn suspicious. Like these systems have been designed with flaws from the beginning. It wouldn't be the first system designed purposefully with the flaws, and it won't be the last.

Still, Occam's Razor says it's probably just negligence.

jeffburdges covers a lot of great suggestions. If you're a little more advanced or running security for a small business, running a VPN tunnel over the WiFi connection is probably a good idea too.

Now to go find out how to disable this crap in DD-WRT.
posted by formless at 7:51 PM on January 25, 2012


So netgear has a help page regarding this issue that was published on 1/3, pretty recently. The instructions are as follows:

1. Log in to the router GUI by typing www.routerlogin.net in an Internet browser's address bar. Note: Default logins are: Username = admin, Password = password. (notice no note that you should change these!)
2. Go to Advanced Setup menu and select Wireless Settings.
3. Under WPS settings, put a check mark on Disable Router's PIN box.
4. Hit Apply button to save settings


Only, on my router, these are the options (each with boxes in front of them):

Security Options:
-Disable
-WEP (Wired Equivalent Privacy)
-WPA-PSK (Wi-Fi Protected Access Pre-Shared Key)


I'm wondering how many people are going to just check the disable box...
posted by Big_B at 7:58 PM on January 25, 2012 [1 favorite]


Big_B, looks like your router doesn't support this feature. (Lucky you!)
posted by Chocolate Pickle at 8:10 PM on January 25, 2012


formless: "I realize that cryptography and security are really tough to get right. Like, incredibly tough. Most normal engineers implementing a crypto system are going to screw it up.

But the continual finding of weaknesses in WiFi systems, from WEP to TKIP to WPS now strikes me as awfully damn suspicious. Like these systems have been designed with flaws from the beginning. It wouldn't be the first system designed purposefully with the flaws, and it won't be the last.

Still, Occam's Razor says it's probably just negligence.

jeffburdges covers a lot of great suggestions. If you're a little more advanced or running security for a small business, running a VPN tunnel over the WiFi connection is probably a good idea too.

Now to go find out how to disable this crap in DD-WRT."

Well, when you consider WPS to be functionally a cryptographic shortcut, I am not surprised it was easily compromised. If you leave your house key hanging on a hook above your front door, don't be shocked to come home and find your front door unlocked.

Unfortunately, WiFi very quickly became a consumer technology, and, as always, when security runs up against ease of use, security generally suffers...
posted by Samizdata at 8:27 PM on January 25, 2012 [2 favorites]


I so should have posted this weeks ago when I first found out about it. Luckily though, the one router I would be worried about this with (my parents'), I had already disabled the feature as I never trusted it.
posted by Samizdata at 8:28 PM on January 25, 2012


PIN-based WPS has always, always struck me as a stupid idea. If I have to go to the router's setup page to get a PIN, how is that better than just going there to get the current WPA2 pre-shared key?

It's completely useless for most consumers too, because most people don't know how to find their router's setup page. The button-based, time-limited variant is OK (it's the same connection UI that wireless keyboards and mice have used without issue for years) but the PIN thing has always been ill-conceived and stupid.

Wireless routers that don't have Connect buttons should just come with WPA2 enabled, and have the factory default pre-shared key printed on the same sticker as their serial number. And that PSK should be random with at least 80 bits of entropy, formatted using letter/digit disambiguation rules in easily transcribed short groups with - separators, much as Microsoft does for Windows product key stickers. Compared to that, the WPS PIN idea is basically a case of complicator's gloves.
posted by flabdablet at 9:12 PM on January 25, 2012 [3 favorites]


You might be thinking of this other CERT.

Yes. There are many groups that use the acronym, but there is only one CERT and it is the only one I trust for security updates. To be clear, that would be Carnegie-Mellon and not the Department of Homeland Security.
posted by Tell Me No Lies at 9:33 PM on January 25, 2012


But the continual finding of weaknesses in WiFi systems, from WEP to TKIP to WPS now strikes me as awfully damn suspicious. Like these systems have been designed with flaws from the beginning. It wouldn't be the first system designed purposefully with the flaws, and it won't be the last.

The main problem in the wireless market is that rushing new crap out to market has taken precedence over everything else since pretty much day one, with half-arsed pseudo-standards and shunting stuff out when it's still in the pre-approval stages for IEEE. It's wildly unsurprising to me that this generates security flaws.
posted by rodgerd at 10:02 PM on January 25, 2012


the WPS PIN idea is basically a case of complicator's gloves.

Gotta protect those handwaves somehow.
posted by not_that_epiphanius at 11:03 PM on January 25, 2012


mrzarquon: Huh, yeah, you're right, Apple did not just push out an update. Rather, my computer just finally noticed the update a few days ago. I don't use my laptop on my home wireless network that much, and I guess it just randomly happened to notice the outdated firmware at the same time that this stuff was hitting the wires.

Sorry for the misinformation, if anyone was worried.
posted by Malor at 11:10 PM on January 25, 2012


So netgear has a help page regarding this issue that was published on 1/3, pretty recently. The instructions are as follows:

1. Log in to the router GUI by typing www.routerlogin.net in an Internet browser's address bar. Note: Default logins are: Username = admin, Password = password. (notice no note that you should change these!)
2. Go to Advanced Setup menu and select Wireless Settings.
3. Under WPS settings, put a check mark on Disable Router's PIN box.
4. Hit Apply button to save settings


I found it on mine, first click the advanced tab up top, and then advanced setup rather than setup, and then wireless settings. You should see the WPS option there.

Yeah, it has a regular setup and an advanced setup under a page labeled advanced. :|
posted by furiousxgeorge at 11:23 PM on January 25, 2012


US-CERT is a licensed affiliate of the "main" CERT at CMU, which runs the CERT/CC (Coordination Center) that draws on information that flows to it from the affiliates among other sources. (It all came out of DARPA originally, after all, and the CERT/CC is DoD funded.) Officially, each national agency is a National Computer Security Incident Response Team, and must pursue a vetting process with CERT.

The astute observer will note that some of the cert.org and cert.gov subdomains point to the same location or are otherwise cross-linked, e.g. this US-CERT Vulnerability Notes Database that is hosted under the cert.org domain. I would be surprised if it made a substantial difference which resource you started with, or reported to; these organizations are pretty much joined at the hip.
posted by dhartung at 11:25 PM on January 25, 2012


"Yes. There are many groups that use the acronym, but there is only one CERT and it is the only one I trust for security updates. To be clear, that would be Carnegie-Mellon and not the Department of Homeland Security."

CERT is great. In the late nineties, I had the somewhat interesting job, as part of my myriad responsibilities by being attached to three distinct groups working in unrelated areas, to take the CERT advisories every day and translate them into IBM-ese for some portion of the corporation. I mean, I have no idea exactly who relied upon what I did because working at IBM was like Brazil or something. One of the groups I worked in developed software that was used exclusively in-house...and we had a competitor in the form of competing software doing the same thing produced by a group at IBM France. No shit. That AIX software group had intended me to be a developer, but the group leader was too busy to train me, or even bother to tell me what my title was within the group, for three months. And the security group for which I was doing this CERT stuff was new and that was about the extent of the actual productive work we were doing because what we were actually spending our time doing was having meetings about documenting our process for determining what we would be doing. The third group I did support stuff for, which I mostly avoided like the plague.

So, you know, after about three months of this, I was like, hey, I'm taking that great job with the company that's about to IPO, see ya.

Anyway, all this is to say, that CERT stuff was pretty much the one thing I enjoyed during my short time at IBM. Which is possibly a little perverse, I don't know.
posted by Ivan Fyodorovich at 11:33 PM on January 25, 2012


While we're on a minor derail about CERT, I was amused by this recent advisory about Anonymous' Low Orbit Ion Cannon. I'm guessing someone finally hit something important with the LOIC; it's been in use for years, and this is the first time I can recall ever seeing anything from CERT about it.
posted by radwolf76 at 1:54 AM on January 26, 2012


A stupid question about brute-force attacks: Why are they even possible?

Most desktop OSes I log in to only respond to an incorrect password after a delay of 2-3 seconds. Short enough for a human to not be inconvenienced, but long enough that iterating through e.g. 1,000,000 possible passwords would take about a year. OK, here the search space is much smaller than that, but it's still 11,000. Surely after 3,965 consecutive failed login attempts, the software should notice that something a bit fishy is going on and e.g. tell an admin and drastically increase the time delay between attempts?
posted by metaBugs at 4:11 AM on January 26, 2012


If your hardware will run the open source DD-WRT or Tomato firmwares, neither has this problem, as they don't support WPS.

I came in here specifically looking for this info. I checked my tomato router last night, didn't see anything about WPS and then wasn't sure because I know pretty much nothing about wireless.
posted by DU at 4:15 AM on January 26, 2012


While we're on a minor derail about CERT, I was amused by this recent advisory about Anonymous' Low Orbit Ion Cannon.

I think it would be easier to mitigate the effects of LOIC by not pissing off Anonymous.
posted by empath at 5:40 AM on January 26, 2012


This was clearly a 4-digit protocol that they tacked the 8-digit support onto. They attached this artifice poorly. There's an ACK after correctly guessing the 4-digit sections of the 8-digit passcode. UGH. This makes breaking trivial with a 10K static passcode space.

Some routers don't even have a 1-minute cooldown on failed attempts. You can spam them for each of the 4-digit passwords.

As always, turn this crap off immediately, get firmware updates where available, run WRT if you have to.

Assume nothing works. HEY URSORITE
posted by sydnius at 6:32 AM on January 26, 2012


How does one test that WPS is actually disabled?
posted by gjc at 6:43 AM on January 26, 2012


metaBugs: "Surely after 3,965 consecutive failed login attempts, the software should notice that something a bit fishy is going on and e.g. tell and admin and drastically increase the time delay between attempts?"

My Netgear router page does claim: "The router's PIN can be disabled temporarily when the router detects suspicious attempts to break into the router's wireless settings by using the router's PIN through WPS."

No idea how accurate that is.
posted by Chrysostom at 7:13 AM on January 26, 2012


If it's disabled in the settings page of your router then you can assume high confidence that the feature is actually disabled.
Except on Linksys gear! (6th post down on the thread too...)
posted by defcom1 at 8:33 AM on January 26, 2012


I'm guessing someone finally hit something important with the LOIC; it's been in use for years, and this is the first time I can recall ever seeing anything from CERT about it.

I imagine taking down the US Dept. of Justice site got their attention.
posted by cedar at 9:02 AM on January 26, 2012


Oh Linksys, is there no aspect of router software you can't fuck up?
posted by Nelson at 9:12 AM on January 26, 2012


Glad my wi-fi network is open. I would hate for it to get hacked.

Wait, is this worse than someone else using some of our bandwidth?
posted by psycho-alchemy at 10:03 AM on January 26, 2012


Most people use their router as a firewall, too. Particularly anyone who doesn't know what "firewall" means. If someone breaks into your Wi-Fi network they have access inside the firewall to all those file shares and insecure logins in your juicy PCs.
posted by Nelson at 10:21 AM on January 26, 2012


"Wait, is this worse than someone else using some of our bandwidth?"

Yeah, that's not the issue. I'd happily provide free bandwidth if it wouldn't open me up to the possibility of someone using my internet access to do something that would get me in a shitload of trouble. Put another way, if I were to ever do anything really illegal on the net, I'm going to do it from someone's open wifi connection. (But probably not an individual's, because that would be mean. Better a business's. Er, not that I'm planning to do anything highly illegal.)

Besides that, I don't like running a firewall on my individual PCs, which means getting on my LAN is 95% of the way there to pwning me. And you could sniff my traffic, anyway.

The latter could be solved by providing a second secure (relative to my LAN) subnet for guests with another wifi router (better that, by the way, than using the separate multiple SSID function of one), as someone mentioned above, and I've considered that and would like to do it, but it wouldn't solve the first problem of random people doing stuff on the net that could get me in a lot of trouble.

"Most people use their router as a firewall, too. Particularly anyone who doesn't know what 'firewall' means."

I'm pretty old-school on this issue because, in my view, a software "firewall" running on a machine isn't a firewall. If you're at the box, you're already there, even if you're blocked by some security. The whole point of a firewall is to stop an intruder before they get to their destination. Routers acting as firewalls have been a good trend, speaking generally, in home internet connections. They could be better firewalls, but I trust them more than I trust software running on the machine I don't want anyone to reach in the first place.
posted by Ivan Fyodorovich at 1:00 PM on January 26, 2012 [1 favorite]


"Wait, is this worse than someone else using some of our bandwidth?"

HAHAHA... Come do that in lower Manhattan. Just make sure you segregate public and private networks, triple secure internal resources, set bandwidth caps and click-through pages.

And then watch as malicious assholes tear through all of your setup using some 0 day crap so they can torrent Asian Watersports porn...

So much fun!
posted by PissOnYourParade at 4:37 PM on January 26, 2012

