quick security/router observation and question

I have vrizn fis and it has a supplied router to translate between the fis and rj45/IP. I noticed when I logged onto my vrizn account in my browser that they had unrestricted access to my router (well, their router, actually) including my WPA2 SSID and passphrase. Anyone who could gain access to vrizn’s records has full access to my wifi/LAN. I’m not terribly savvy, so this has got to be only the tip of a huge iceberg.

So I bought another router, made its local IP something other than 192.168.., left DHCP on the V router (still at 192.168..), and now I have a new private LAN. Rebooting OP 12.3 x64 seemed to pick this up. I port-forwarded HTTP and HTTPS on the V router. I guess that’s all I need (are there separate ports for curl and that other linux network “get” program - is it wget?) - does this seem a reasonable way to secure my network?

The Russian issue is big: Malware RATs can steal your data and your money, your privacy too _ ESET ThreatBlog.mp4
…but again, probably only the tip of an iceberg or three. (that’s just the only one I know about)

Suggestions please - should I turn these on?
Block Anonymous Internet Requests
Filter Multicast
Filter Internet NAT Redirection

I don’t plan on doing any remote administration, just wget/curl, HTTP, FTP, HTTPS, and maybe a game (UT2004 in Windows xp) so I should block all ports, drop all pings, yes?

TIA!!! Patricia :slight_smile:

On 01/05/2014 03:36 PM, PattiMichelle wrote:
>
> I have vrizn fis and it has a supplied router to translate between
> the fis and rj45/IP. I noticed when I logged onto my vrizn account
> in my browser that they had unrestricted access to my router (well,
> their router, actually) including my WPA2 SSID and passphrase. Anyone
> who could gain access to vrizn’s records has full access to my
> wifi/LAN. I’m not terribly savvy, so this has got to be only the tip
> of a huge iceberg.

Scum… I hate that, but a big part of the reason the ISPs probably set
this up is to help those without any technological ability in
configuring/troubleshooting. Still, stupid. There are better ways, far
more secure ways, of doing exactly that.

> So I bought another router, made its local IP something other than
> 192.168.., left DHCP on the V router (still at 192.168..), and now I
> have a new private LAN. Rebooting OP 12.3 x64 seemed to pick this up.
> I port-forwarded HTTP and HTTPS on the V router. I guess that’s all I
> need (are there separate ports for curl and that other linux network
> “get” program - is it wget?) - does this seem a reasonable way to
> secure my network?

You shouldn’t need to enable any kind of “forwarding” unless you are
running a server at home that you want exposed to the Internet. If so,
sure, that’s fine, but if not, don’t enable any forwarding or other
inbound stuff. You should be able to do just about anything online from
within your private network (which is within your private network provided
by the Verizon hardware) without doing much more than connecting to your
network.

> Suggestions please - should I turn these on?
> Block Anonymous Internet Requests

I would.

> Filter Multicast

Inbound? Yes. If this is for outbound you MAY, but probably will not,
find it useful.

> Filter Internet NAT Redirection

Probably leave disabled. I’m guessing since it’s a configurable option
that this is for inbound stuff, but more details would help confirm that.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

Holy RouterTraces, Batman, it works!
So, Port Forwarding is only for unsolicited inbound connections, then?
Thanks.

I know some other companies who have opened up their entire networks internally - as a cost-cutting measure (i.e., remote - or even outsourced - administration). Viruses, trojans, and bots love to see open internal networks! I should change my screenname to LovesRouters. Are all routers more or less equal in protecting a LAN from intrusion?

Happy New Year!
Patricia

Yes.

By the way AT&T does the same thing with u-verse. So I have my own router behind theirs. It works well.

Yes, pretty much. Most of the protection is due to the NAT functionality.

Some day, real soon now, we will have IPv6. And there won’t be NAT. So there will be a lot more variability between how much protection the routers provide.
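To make the two points above concrete (forwarding is only needed for unsolicited inbound connections, and a NAT router's protection comes from only passing replies to flows the LAN opened), here is a toy model of a stateful NAT router; it is an added illustration, not code from any router firmware or from anyone in this thread, and it simplifies by keeping the LAN source port as the WAN port, with all addresses taken from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str    # "ip:port"
    dst: str    # "ip:port"

@dataclass
class NatRouter:
    """Toy stateful NAT router (constructed model, not any vendor's firmware)."""
    wan_ip: str
    forwards: dict = field(default_factory=dict)  # {wan_port: "lan_ip:port"} from the port-forwarding page
    conntrack: set = field(default_factory=set)   # (lan_endpoint, remote_endpoint) of flows opened from inside

    def outbound(self, pkt):
        """LAN -> Internet: remember the flow and rewrite the source to the WAN address.
        Simplification: the LAN source port is kept as the WAN port."""
        self.conntrack.add((pkt.src, pkt.dst))
        return Packet(f"{self.wan_ip}:{pkt.src.split(':')[1]}", pkt.dst)

    def inbound(self, pkt):
        """Internet -> LAN: deliver replies to tracked flows and explicitly forwarded
        ports; everything else has no LAN destination and is dropped."""
        wan_port = pkt.dst.split(":")[1]
        for lan_ep, remote_ep in self.conntrack:
            if remote_ep == pkt.src and lan_ep.split(":")[1] == wan_port:
                return "ALLOW", Packet(pkt.src, lan_ep)   # reply to a LAN-initiated flow
        if wan_port in self.forwards:
            return "ALLOW", Packet(pkt.src, self.forwards[wan_port])  # owner opened this port
        return "DROP", None

def demo():
    # Addresses are RFC 5737 documentation ranges, constructed for this example.
    r = NatRouter(wan_ip="203.0.113.5")
    # A LAN host fetches a page with wget/curl/a browser: the outbound flow is tracked...
    r.outbound(Packet("192.168.1.10:40000", "198.51.100.7:443"))
    # ...so the server's reply is translated back and allowed with no forwarding rule.
    reply, _ = r.inbound(Packet("198.51.100.7:443", "203.0.113.5:40000"))
    # An unsolicited probe at the WAN address matches no flow and no forward: dropped.
    probe, _ = r.inbound(Packet("192.0.2.99:5555", "203.0.113.5:22"))
    # Forwarding port 80 is exactly the exception for a service the owner wants exposed.
    r.forwards["80"] = "192.168.1.20:80"
    web, _ = r.inbound(Packet("192.0.2.99:6666", "203.0.113.5:80"))
    return reply, probe, web

if __name__ == "__main__":
    print(demo())  # ('ALLOW', 'DROP', 'ALLOW')
```

A second router behind the ISP's unit is this same model applied twice, which is why the ISP-side unit's settings no longer decide what reaches the inner LAN.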

What REALLY bothers me here is that vrizn had a secret, unknown, fully-open back door to my private home network. Is this even legal? maybe it’s buried in the terms of service somewhere… Any disgruntled (or overly ambitious) employee(s) of vrizn could easily start a black market operation with some “associates” who drive around installing malware rats in people’s wifi networks. It would be pretty much untraceable. Makes me want to throw up.

Your private… Up to you. -It has reported earlier, A+B and E. Have a secret(yearly 1970’s or in Europe) You have write before and gain knowledge. Please don’t throw up. UK University have its points. Good.
Regards (Swedish).

I have yet to ask someone (even IT folks) who knows that their FIOS company has full access to their LAN. They are always VERY surprised and go right out and buy another (second) router. What I’m really afraid of is not the government, but the black market, including little, untraceable scams by employees. There’s no evidence I’m aware of (yet) of a black market in the US - but we never do know these things beforehand. If the technical folks (like us) don’t know about this, you can just bet that the CEOs don’t…

(but maybe we’re just not paying attention?)

Relevant: https://www.schneier.com/blog/archives/2013/10/d-link_router_b.html
http://www.linuxbsdos.com/2012/10/04/is-that-a-backdoor-or-an-administrative-password-on-your-verizon-internet-router/

http://mikegerwitz.com/2012/10/Verizon-router-backdoors
http://www.threatcore.com/verizon/

On 01/11/2014 05:36 PM, PattiMichelle wrote:
>
> I have yet to ask someone (even IT folks) who knows that their FIOS
> company has full access to their LAN. They are always VERY surprised
> and go right out and buy another (second) router. What I’m really
> afraid of is not the government, but the black market, including little,
> untraceable scams by employees. There’s no evidence I’m aware of (yet)
> of a black market in the US - but we never do know these things
> beforehand. If the technical folks (like us) don’t know about this, you
> can just bet that the CEOs don’t…

If you are concerned, switch out the router with one running openWRT, or similar
firmware. That way you will control the firewall between the ISP and your LAN.
If you must use the FIOS unit, then chain the WAN port on the new router to one
of the LAN ports on the FIOS router. That makes life more difficult for any
services that you want to expose to the Internet, but that is the idea. :slight_smile:

Just out of interest.
Why take a router given to you by your ISP? I never do.

Sometimes you don’t have a choice.

On 01/11/2014 11:36 PM, nrickert wrote:
>
> caf4926;2615243 Wrote:
>> Just out of interest.
>> Why take a router given to you by your ISP? I never do.
>
> Sometimes you don’t have a choice.

But you can always daisy-chain a second router that you can be more certain has
no back-door openings.

I find that hard to believe

If it’s even legal, given the choice out there, it begs the question why one would choose dirtbag ISP over the goodguy ISP, metaphorically speaking.

I’m using U-verse, from AT&T. They provide me with a VDSL modem.

Apparently there is something in the modem that authenticates the connection. And that’s something that they set up. Without that, I cannot get past AT&T routers.

I gather that if I purchase a VDSL modem, then I might be able to connect its output to an otherwise unused digital input port of the ISP provided modem, and have it handle the authentication that way. But it seems a bit complex, and still requires me to use the ISP provided modem (though in an unintended way).

My main alternative is to go with comcast cable ISP, and my opinion of their ethics is lower than my opinion of AT&T ethics.

On 01/12/2014 11:46 AM, nrickert pecked at the keyboard and wrote:
> caf4926;2615268 Wrote:
>> I find that hard to believe
> I’m using U-verse, from AT&T. They provide me with a VDSL modem.
>
> Apparently there is something in the modem that authenticates the
> connection. And that’s something that they set up. Without that, I
> cannot get past AT&T routers.

Perhaps it uses the MAC address as a form of identity; you could try another
modem that lets you specify the MAC address presented to the ISP.

Ken

I don’t think that’s correct. The online forums have had many discussions of this issue. Simple ideas such as cloning the MAC address don’t work.

caf4926 wrote:
> Just out of interest.
> Why take a router given to you by your ISP? I never do.

I agree with your philosophy but at the moment am running with an ISP’s
router for two related reasons:

(1) it just worked out of the box with no need to figure out a config,
and I have plenty of other things to do with my time.

(2) the ISP will support me using Linux, but being able to tell them
that it’s their router and it’s doing such and such makes support calls
easier.