Wait, am I getting this right? The router isn't simply configured via web, telnet, ssh, or a simple proprietary tool that talks its own protocol with the router, but actually a proprietary tool that downloads and executes code from the router that you're trying to configure? If so, why on earth would you design anything like this? What were they thinking? I mean, apparently those DLLs aren't even signed or anything.
Winbox has a couple of nice features over the web interface:
- the ability to connect over raw Ethernet (rather than IP), which is useful if you've misconfigured the firewall or routing tables
- the ability to broadcast packets to discover new, unconfigured Mikrotik devices
Winbox has previously downloaded components from the router to enable the UI to update the available options based on the firmware on the device. These components are part of the firmware update provided by Mikrotik, which is itself signed and verified before the firmware update is applied. But yes, they were missing a follow up check between Winbox and the router itself, to ensure the router itself was not tampered with.
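The missing follow-up check described above, as an added illustration (not Winbox's or MikroTik's code): a client that fetches UI components from a router verifies each one against a manifest that arrived inside the vendor-signed firmware package it already trusts, and refuses to load anything unexpected. Component names, contents and hashes are constructed for the example.

```python
import hashlib
import hmac

# Constructed manifest: component name -> SHA-256 of the bytes the vendor
# shipped. In practice this would be extracted from the verified firmware
# package, not fetched from the router being configured.
TRUSTED_MANIFEST = {
    "ui_part_a.dll": hashlib.sha256(b"GENUINE UI PART A v1").hexdigest(),
    "ui_part_b.dll": hashlib.sha256(b"GENUINE UI PART B v1").hexdigest(),
}


class UntrustedComponent(Exception):
    """Raised when a fetched component must not be loaded."""


def verify_component(name: str, data: bytes, manifest=TRUSTED_MANIFEST) -> str:
    """Return the verified hex digest of `data`, or raise UntrustedComponent.

    Rejects (1) names that carry path separators or are '.'/'..', so a
    tampered router cannot steer the file outside the component directory,
    (2) names absent from the manifest, so an extra DLL the client never
    expected is never loaded, and (3) any byte-level mismatch with the hash
    the vendor shipped.
    """
    if not name or name in (".", "..") or any(c in name for c in "/\\"):
        raise UntrustedComponent(f"suspicious component name: {name!r}")
    expected = manifest.get(name)
    if expected is None:
        raise UntrustedComponent(f"not in trusted manifest: {name}")
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison so timing does not reveal matching prefixes.
    if not hmac.compare_digest(actual, expected):
        raise UntrustedComponent(f"hash mismatch for {name}")
    return actual


def load_components(fetched: dict) -> tuple:
    """Split fetched components into (accepted, rejected-with-reason)."""
    accepted, rejected = {}, {}
    for name, data in fetched.items():
        try:
            accepted[name] = verify_component(name, data)
        except UntrustedComponent as exc:
            rejected[name] = str(exc)
    return accepted, rejected
```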
These routers essentially never get updated.
Pretty much anything using Qualcomm 802.11a/b/g/n/ac chips usually has OpenWRT/LEDE/DDWRT builds available, and more recent fullmac Broadcom chips are seeing more support.
Quantenna and Mediatek can still be difficult to get working, but they have a far smaller market share.
If you want a good, open-source-friendly router manufacturer for the home, stick to NetGear. They've got an entire community called MyOpenRouter where people provide customised builds of the official firmware, as well as versions of DD-WRT, and NetGear themselves often have a version of OpenWRT available.
I've been running LEDE (OpenWRT) on a Netgear R7800 in my home for the past year and it's been rock steady, is nicer to administer than the stock firmware and I can strip out anything that I don't want running on there very easily with a custom build.
It's also useful to get fine-grained control of the firewall for parental controls: tag the MAC addresses of the kids' devices as having to use OpenDNS websafe DNS resolvers, then block any other DNS traffic on the firewall and enforce time limits on internet usage.
I've got a small NAS connected to it as well to serve as backup repository for all computers in the house (which is then synced off to a cloud backup storage provider) and media server.
Crap router for $20, no updates. Mikrotik or other well-supported router for >$100, I've done about 20 updates since I got it years ago.
We could if updating router firmware were an easy and prolific practice.
The reason that it isn't is that it can't be done on most routers, especially the cheaper or ISP-provided ones that most people use.
What we really can't rely on is "security by obscurity". Let's drop the notion that software is more secure simply because you don't release the source.
Unfortunately the IOT market is in a bad situation because products are advertised as not requiring any maintenance but they aren't reliable enough to live up to that.
People defragmenting their NTFS filesystems used to be a prolific practice, but I think we're better off now with filesystems that require dramatically less maintenance.
My point is that the only thing holding us back is politics: manufacturers think that it is in their best interest to sell routers with proprietary firmware, even though it really isn't.
Does that mean that it has the 4g radio built in as well?
Can I trust that chip and the software that runs on it?
The 4G card is an option on the Turris. You could always use a Quectel card and then run Linux on that, too!
The abilities and willingness of certain nation states to wage cyber warfare and make it appear like someone else are so great at this point, that only solid forensic evidence, and usually not even that, can be indicative.
It could be Russian, it could be not. What is really important is that only Kaspersky reported it.
First, you're innocent. What would you do over time to try to survive the accusations and suspicion?
Next, you're implicated in past bad acts. Maybe you were forced to stick malicious code in a past version, or maybe you had a rogue employee. What would you do to try to move on?
Finally, you're an active part of the state intelligence apparatus. What would you do to try to appear like one of the other hypotheticals?
There are other possibilities; people get themselves in all sorts of weird situations, but most of them are some shade of the above.
I am just wondering if this level of unstoppable infection is just going to be it, or are we at the pre-cellular structure of life point in the internet?
It's a quite fascinating re-imagination of the Internet, solving many of its problems (and probably introducing a whole slew of new ones).
Even now as it is, it's worse than it should be: I can't control which pairs of (address, certificate) will be allowed to be accepted for specific sites. Instead, every browser vendor allows any "man in the middle" with access to any CA (and CAs are known to be very bad (1)) to insert itself between my own server and my own client.
1) Read and weep: https://arstechnica.com/information-technology/2018/03/23000...
This should be a basically available scenario for the secure connection, just like what we have in SSH. Don't believe "the users are too stupid" excuse. It's just an excuse:
We simply shouldn't have to have the "trust in every crooked CA" when we connect to the servers we directly know.
That way a website owner can whitelist only a very specific CA for their certificates.
Ideally with DNSSEC we could also get DANE and issue our own certificates and CA's would only be necessary as cosigner for OV, EV and similar.
I don't think it would help with the initial compromise of the router either. Buffer overflows (for example) can be exploited over https just as well as http, and that would be similar for other cryptographic strategies.
Different vectors have different advantages but I wonder if there will be a push towards more hardware based anti-malware/vulnerability detection devices.
All you can do is implement controls that manage that risk based on how valuable the data is.
Certain controls like mandatory 2FA give a very good bang-for-buck; highly recommend it for an organization of any size.
Really? Then why is it so surprising lol
Of all infections, this is the type an administrator should be most worried about. It's rare, but exceptionally damaging. Most A/V tools aren't going to catch it, so unless you are monitoring all IP activity from your computer and doing offline filesystem checks, a virus like this could compromise your systems for years.
Usually something this sophisticated is used to target specific individuals/organizations as they aren't generic botnet/bitcoin mining operations.
They might be after specific info and after they get it, they might even wipe their tracks as it's better to have a tool that nobody knows to look for than one that can get on as many computers as possible.
I have to assume that's absolutely the case here. I didn't read this as "100 random individuals" being infected.
So leaders of industry or government, etc.
There's nothing impressive about hiding on these governments' networks for years.