TP-LINK Modem / Router (ADSL2+) Security and Vulnerabilities

I really hope this blog post starts a small trend when it comes to the security of home-based routers. I started searching online for home routers (SOHO) and wanted to compare them based on how secure they are, up to a reasonable price for a household. I have seen all these different makes that have been found in the recent years to contain hard-coded credentials and other known backdoors, and I wanted to investigate this a bit further. 

It is very hard to find security related information about routers before deciding which one to buy. Also, it is really annoying to see that manufacturer only care and promote the features and functionality of a router, and do not consider security at all.

From where I stand, when a company sells a router, should be in their best interest that router to have no security vulnerabilities. Otherwise, it is like having a company that wants to sell bulletproof vests that doesn't stop bullets, other than those fired from Airsoft BB guns.

I do understand that most people might choose a router based on its cost, colour, shape and if it is shiny. However, from my experience, these people just want to get online and want to simply replace the really bad modem/router their ISP provided for "free". Most of the time the real reason behind that decision is because when more than two devices are connected to those "free" devices, the Internet experience becomes annoying, to say the least. For such use, it is not hard to find a replacement for these "free" routers at a very reasonable price, and 90% of the time, it is totally worth it.

in-flight entertainment vs avionics

For those of you who have had the opportunity to see one of my presentations "Can you really hack an airplane: Myths & Truths", you are already familiar with what is really happening and the confusion between in-flight entertainment systems and avionics (https://en.wikipedia.org/wiki/Avionics). I was asked to put this article up by a number of friends in the security industry to highlight a few very important points. The purpose of this article is to provide food for thought. Especially, when you hear someone saying that "hacked" an airplane, or made it fly "sideways" by tampering with its systems through the in-flight entertainment system. Consider the following points and come to your own conclusions. 

Anyone who is trying to "generalise" and claim that during an actual flight, for example through the in-flight entertainment system, managed to take control of the plane and/or that it is possible to actually fly an aircraft like this, should first read what the law has to say about this. (Tokyo Convention 1963). 
Do you really want someone with the excuse of being a "security researcher" tampering with the airplane's systems while you are on an actual flight, because he/she decided that has nothing better to do? I am sorry, but from where I stand, we (security researchers) respect the law, and make sure we have permission to conduct any security assessments & penetration testing, in a safe and approved environment. 

IRISSCON 2016 - 8th IRISSCERT Cyber Crime Conference

IRISSCON 2016 - The 8th #IRISSCERT Cyber Crime Conference
Ireland's first CERT (Computer Emergency Response Team)

This year, my talk was all about Cyber Resilience. The talk provided the opportunity to participants to familiarise and understand what the term really means, and why it should not be considered as another buzzword used in the industry.  

"Threats constantly evolve based on the way our defences counter-evolve, and this cycle is something that is going to happen no matter what. What matters the most, is in what way we act upon, and how our decisions need to be part of a bigger forward looking strategy that does not treat security in an ad-hoc manner, especially when it is too late"

IRISSCON 2016 - IRISSCERT

The 8th IRISSCERT Cyber Crime Conference will be held this year on Thursday the 24th of November 2016 in the Ballsbridge, Pembroke Road, Dublin. www.iriss.ie 

This all day conference, focuses on providing attendees with an overview of the current cyber-threats throughout the world and focuses especially on threats that affect businesses in Ireland, and what should be the best course of action when it comes to defending against these threats. You can find my recap blog post for last year's event here.

Like every year, professionals that work in cybersecurity and tackle cybercrime / cyber threats on a daily basis, will be sharing their thoughts and experiences, while attendees have a unique opportunity to ask questions,discuss cybersecurity strategies, and most importantly will meet and network with likeminded individuals allowing them to share their views and opinions.

I am honoured to be invited to speak at this event and get to share my thoughts and views on cybersecurity and most importantly, on cyber resilience, which is also reflected by my talk's title: "All aboard, next stop; Cyber Resilience". 

The abstract for my talk can be found below and I do hope you find it interesting. If you find yourselves in Dublin during the conference, I strongly suggest getting a ticket on time and join us at IRISSCON, and please come and say hi. It is always a pleasure to meet people who are passionate about information security and cybersecurity, and want to discuss/share their thoughts and opinions. Looking forwards to seeing you all there.

BruCON 2016 (0x08) - Speaking about POS, POI & VT (the undisclosed talk)

It was a great honour for me to present this year at a hacking conference like BruCON (brucon.org). 

As many of you already know, I started this because I wanted to know how the payment process works behind the scenes (Payment Card Industry - PCI) and how secure these systems are, which we take for granted on a daily basis. 

After researching Point-of-Sales (POS), Point-of-Interaction (POI) devices and Virtual Terminals (VT) for almost 4 years, it was about time to do a presentation that wouldn't be behind closed doors as I usually do. I talked with a number of acquires, issuers, payments processors and POI OS manufacturers and let them know about my findings way before this talk.