Thursday, January 22, 2009

Free DNS and security services are being packaged with home broadband routers and gateways to offer simple controls for computers, wireless phones, and gaming systems

Home router security is getting a makeover with free security services aimed at simplifying and streamlining the protection of home users' computers, gaming, and other systems.

OpenDNS, which offers a free recursive Domain Name System (DNS) service with Web content filtering and phishing protection, has so far teamed with Netgear and 2Wire to roll its DNS, Web filtering, and antiphishing services into the vendors' home networking devices. Netgear earlier this month announced it will offer OpenDNS for free with several of its Wireless-N router models, and 2Wire said it would do the same with its new HomePortal GEM gateways for wireless networks, cordless phone DECT base stations, home control interfaces, and intelligent home servers.

Netgear calls the OpenDNS services it will add to its routers within the next few months "Live Parental Controls" because they filter unsafe or inappropriate content, but the offering is a combination of all of OpenDNS' services.

"When consumers want security, it's not just for their PC. They want it for all of their digital devices," at home, including gaming systems and iPhones, says David Ulevitch, founder and now CTO at OpenDNS, which plans similar arrangements with other home networking vendors.

But John Pescatore, vice president and research fellow at Gartner, says many ISPs already offer some form of parental controls, and that actual adoption of parental controls traditionally has not been high. "But [OpenDNS] might make them easier to use," Pescatore says.

Most antiphishing or parental control offerings from ISPs to date are more blanket controls that, for instance, don't allow parents to set up different rules for their YouTube access versus their kids', says David Henry, senior director for home consumer products marketing at Netgear. And software-based controls have to be loaded on each machine, he says.

"It's very difficult to have the level of granularity between different computers in a home," he says. "We wanted to offer something to our customers that was relevant and timely for them...The average home has two to three computers now," as well as gaming systems and iPhones connected to the wireless router that need security, he says.

OpenDNS' Ulevitch says the network-based service model of OpenDNS means home users don't have to configure filtering software, but they can still customize their settings easily. "So not only is their Internet faster and more reliable, it's safer and more customizable to each individual user. It's a huge win and a dramatic change to the way people will secure their home networks, not just a single device," he says.

Home routers are notoriously vulnerable. In most cases, router vendors make security an option that requires configuration -- a step nontechnical users are less likely to take. And sometimes adding security controls to their routers inadvertently affects other electronic devices, such as gaming systems, Gartner's Pescatore says.

"I'd like to see vendors take more of a lockdown out-of-the-box approach. You'd have wizards that walk you through if you need to open things up more," Pescatore says.

But home router vendors aren't incented to do so since their devices are commodity boxes selling for around $30, he says. "They can't afford a lot of support calls [for that]," he says. "So they tend to take more of a 'leave it wide open' approach."

Ideally, these devices should come with the firewall turned on by default, port restrictions, and other standard defaults that ISPs and home networking vendors would agree on, he says.

posted @ 9:39 AM

Microsoft Corp.'s advice on disabling Windows' "Autorun" feature is flawed, the U.S. Computer Emergency Readiness Team (US-CERT) said today, and it leaves users who rely on its guidelines to protect their PCs against the fast-spreading Downadup worm open to attack.

In an alert issued on Monday, US-CERT said Microsoft's instructions on turning off Autorun are "not fully effective" and "could be considered a vulnerability."

The flaw in Microsoft's guidelines is important at the moment, because the "Downadup" worm, which has compromised more computers than any other attack in years, can spread through USB devices, such as flash drives and cameras, by taking advantage of Windows' Autorun and Autoplay features.

Autorun, the focus of the US-CERT warning, lets Windows automatically run any program specified in the "autorun.inf" on, for example, a CD or a flash drive, as soon as the disc or device is inserted or connected. By default, Windows has Autorun enabled.

The problem is that Downadup, which as of last week had infected nearly 9 million PCs worldwide, tries to spread using USB-based devices, typically flash drives. The worm creates an autorun.inf file at the root directory of any USB-based device it finds connected to the infected machine. Then, when that device is later connected to an uninfected computer, the autorun.inf file copies the worm to the machine without any action on the part of the user or the user even knowing.

The result: another PC hacked by Downadup.

Although Microsoft has not formally recommended that users disable Autorun as an anti-Downadup measure, most security companies and researchers have, in light of the autorun.inf infection vector. According to US-CERT, Microsoft's advice is useless.

"The 'Autorun' and 'NoDriveTypeAutorun' registry values [specified by Microsoft] are both ineffective for fully disabling Autorun capabilities on Microsoft Windows systems," the organization said. "Setting the Autorun registry value to '0' will not prevent newly-connected devices from automatically running code specified in the Autorun.inf file. It will, however, disable Media Change Notification (MCN) messages, which may prevent Windows from detecting when a CD or DVD is changed."

Likewise, the recommended "0xFF" setting for the NoDriveTypeAutorun registry entry, which Microsoft says "disables Autoplay on all drives," won't protect users from infection if they happen to double-click on the drive's icon in Windows Explorer, said US-CERT.

Instead, users should make a different modification to the Windows registry, US-CERT said. In the alert, it gave the new value as well as instructions on how to copy it to Windows Notepad and import it into the registry.

"Once these changes have been made, all of the Autorun code-execution scenarios described above will be mitigated because Windows will no longer parse autorun.inf files to determine which actions to take," read the US-CERT warning.
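As an added example (not from the article, US-CERT, or Microsoft), the following Python code inspects an autorun.inf the way a defender triaging a removable drive would: it lists the entries that name a program to run on insertion and those attached to the drive icon, the two execution paths described above. The key names checked are standard autorun.inf entries; the sample file content and the program name in it are constructed.

```python
import re

# Standard [autorun] keys whose value names something Windows would launch.
AUTO_KEYS = {"open", "shellexecute"}                  # run when the device is inserted
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")   # verbs attached to the drive icon

def parse_autorun(data: bytes) -> dict:
    """Return the key/value pairs of the [autorun] section (keys lower-cased).

    The file is untrusted input, so parsing is tolerant: latin-1 maps every
    byte (decoding never raises), and comments or lines without '=' are skipped.
    """
    entries, in_section = {}, False
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def execution_entries(data: bytes) -> list:
    """List (trigger, key, command) for every entry that can start a program."""
    found = []
    for key, value in parse_autorun(data).items():
        if key in AUTO_KEYS:
            found.append(("on-insert", key, value))
        elif SHELL_CMD.match(key):
            found.append(("drive-icon", key, value))
    return found

# Constructed sample of an autorun.inf found at the root of a flash drive.
SAMPLE = (b"; constructed example\r\n"
          b"[AutoRun]\r\n"
          b"Open=example.exe\r\n"
          b"shell\\open\\command=example.exe\r\n"
          b"\xff\xfe junk line without equals\r\n"
          b"label=Holiday Photos\r\n")

if __name__ == "__main__":
    for trigger, key, cmd in execution_entries(SAMPLE):
        print(f"{trigger:10} {key} -> {cmd}")
```

An innocuous file that only sets `icon` or `label` produces an empty list, so any non-empty result on a storage device is worth a closer look.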

One security researcher said he was surprised that Microsoft didn't catch its recommendation errors, particularly in light of the ongoing Downadup attacks. "Seems unbecoming of Microsoft not to have been the one posting this information on a blog of theirs," said Andrew Storms, director of security operations at nCircle Network Security Inc.

He also bemoaned the need to edit the registry to disable Autorun. "Not only [is] editing the registry outside the [reach] of most people, but now we have learned that the information from the source is not complete," Storms added in an exchange via instant messaging.

Microsoft did not immediately reply to a request for comment on US-CERT's alert.

posted @ 9:37 AM