Saturday, May 26, 2018

Trump in Palm Beach: President takes unscheduled morning golf getaway | Post on Politics

Unscheduled my ass. Js 

Trump in Palm Beach: President takes unscheduled morning golf getaway

President Donald J. Trump's motorcade leaves Trump International Golf Club in West Palm Beach after an unscheduled round of golf Saturday in West Palm Beach. (Allen Eyestone / The Palm Beach Post)

PALM BEACH — As he spends the weekend at his Mar-a-Lago estate, President Donald Trump's official schedule is open for most of today.

Trump has a 4:15 p.m. phone call with Italian Prime Minister Paolo Gentiloni and a 4:45 p.m. call with Ukrainian President Petro Poroshenko.

Trump made an unannounced trip across the Intracoastal to his Trump International Golf Club outside West Palm Beach this morning, arriving at 9:33 a.m.

No word yet on who Trump might be golfing with. He was joined by Tiger Woods in December.

UPDATE: Trump's motorcade left the golf club at 2:05 p.m. and returned to Mar-a-Lago.



Friday, May 25, 2018

Hackers are exploiting a new zero-day flaw in GPON routers

Even after being aware of various active cyber attacks against the GPON Wi-Fi routers, if you haven't yet taken them off the Internet, then be careful—because a new botnet has joined the GPON party, which is exploiting an undisclosed zero-day vulnerability in the wild. Security researchers from Qihoo 360 Netlab have warned of at least one botnet operator exploiting a new zero-day


Educrap From an Educrat: Elyssa Durant's "Harangue" 📚


Fan Mail for Elyssa D'Educrat 📰

EDUCRAP FROM AN EDUCRAT

After reading Elyssa Durant's anti-standardized testing harangue in the Nashville City Paper ("Equity in Education," Aug. 21), I was not at all surprised to learn that the author is a product of a graduate-level education program. Schools of education have long taught future teachers - and other members of the education establishment - to blame everyone but themselves for children not being able to read, write, and do simple math.

The assertion that the ACT and SAT are racially biased is pure poppycock. A student's score on the ACT or SAT is an excellent measure of his or her ability to do college-level math, science, and writing. If a student cannot solve a simple algebraic equation, or if the same student has but a rudimentary grasp of the rules of grammar, the test that points out the student's shortcoming should not be impugned. Instead, the parents, teachers, and educrats who allow students to march toward graduation without receiving a proper education are the ones who deserve derision.

Furthermore, Durant's contention that standardized tests "do not accurately predict academic performance at the college level" is in desperate need of qualification. Some 40 percent of college freshmen require remedial courses in reading, writing or mathematics. These courses, according to Harvard education professor Bridget Terry Long, are "intended to address academic deficiencies and to prepare students for subsequent college success." Thus, high school students who a generation ago would have been forced into the workforce are given a fifth year to complete their high school coursework. And let's be clear: remedial classes may be, well, remedial classes; but students enrolled in such classes are expected to learn the material or face the consequences, i.e., a quick and inglorious end to their college experience. For many - nay, most - remedial students, it is the first time in their academic careers that they are forced to learn.

Jottin' Django ®

📰 Woo hoo! Made you look!

This was my first public lashing in the news. Definitely not the last.

I stand by the original article and think this guy has a clear agenda. Long live Harvard, you elitist snob.

^ed



Elyssa D. Durant 
Research & Policy Analyst
Columbia University, New York

HHS Official Says Agency Lost Track of Nearly 1,500 Unaccompanied Minors | Trafficked in America | FRONTLINE | PBS | Official Site


HHS Official Says Agency Lost Track of Nearly 1,500 Unaccompanied Minors

In this Aug. 11, 2017, photo U.S. Customs and Border Patrol agents pick up immigrants suspected of crossing into the United States illegally along the Rio Grande near Granjeno, Texas. (AP Photo/Eric Gay)

A top official from the Department of Health and Human Services came under fire during congressional testimony on Thursday over how the agency tracks unaccompanied minors after they are released to family or other sponsors inside the United States.

Steven Wagner, the acting assistant secretary of the agency's Administration for Children and Families, faced a barrage of questions from senators on the Permanent Subcommittee on Investigations over why HHS does not track unaccompanied minors who fail to appear at their immigration court hearings. The agency has faced increased scrutiny following a scathing 2016 report from the committee that found it failed to protect unaccompanied minors from traffickers and other abuses.

"It's just a system that has so many gaps, so many opportunities for these children to fall between the cracks, that we just don't know what's going on — how much trafficking or abuse or simply immigration law violations are occurring," said the committee's Republican chairman, Sen. Rob Portman.

In 2014, at least 10 trafficking victims, including eight minors, were discovered during a raid by federal and local law enforcement in Portman's home state of Ohio. As FRONTLINE examined in the recent documentary Trafficked in America, HHS had released several minors to the traffickers. The committee said the case was due to policies and procedures that were "inadequate to protect the children in the agency's care."

After unaccompanied minors arrive in the United States, often to reunite with family members or to flee violence or poverty in their home countries, they are typically transferred from border patrol or customs officers to the custody of HHS, which often reunites the minors with a relative or another sponsor. The department is supposed to place check-in phone calls 30 days after a minor's placement, but during the hearing, Wagner acknowledged gaps in that system.

Between October 2016 and December 2017, he said, the agency was unable to locate almost 1,500 out of the 7,635 minors that it attempted to reach — or about 19 percent. Over two dozen had run away, according to Wagner, who said the agency did not have the capacity to track them down.

Sponsors are meant to ensure that minors show up at their immigration hearings. Sen. Claire McCaskill (D-Mo.) pressed Wagner on why more than half of unaccompanied minors in 2017 did not show up to their immigration hearings. When asked how HHS tracks the missing children, Wagner said that finding out whether children have attended their immigration hearing is not part of its protocol.

"We do not know who is showing up and who isn't," he said. "We don't know those kids … We don't follow up to ensure they go to the hearing."

Wagner told the committee that since February 2016, HHS has gone to greater lengths to verify the identity of potential sponsors of unaccompanied minors, and worked to crack down on the ability of sponsors to use fraudulent documents during the placement process. A new agreement reached this month between HHS and the Department of Homeland Security establishes policies for the agencies to better share information to help screen potential sponsors.

Senators also expressed concern that state and local officials are not usually notified when unaccompanied minors are placed in their jurisdiction. Wagner said that it was an "issue of practicality" that would require contacting a substantial list of local agencies.

"If a child is being, for instance, kept at home and abused by a sponsor, and a local school doesn't even know the child is supposed to be going there, then some of the usual triggers that we have for protecting children can't be triggered," Sen. Maggie Hassan (D-N.H.) said.

Wagner agreed to look into notifying states and localities, as did James McCament, the deputy under secretary for the Office of Strategy, Policy and Plans at the Department of Homeland Security.

Throughout the session, senators grew frustrated that more than a year had passed since the two agencies had agreed to deliver a joint memo outlining their roles in protecting minors.

"It has been protracted, absolutely," said McCament.

"Get this done," Senator Thomas Carper (D-Del.) told officials from both agencies. "Way too much time has passed."

In an interview with FRONTLINE for Trafficked in America, Portman said that HHS cannot ignore its responsibility for unaccompanied minors.

"We've got these kids," he said. "They're here. They're living on our soil. And for us to just, you know, assume someone else is going to take care of them and throw them to the wolves, which is what HHS was doing, is flat-out wrong. I don't care what you think about immigration policy, it's wrong."



Neglect & Abuse of Unaccompanied Children by U.S. Customs and Border Protection - ACLU of San Diego and Imperial Counties
The Report via ACLU 

Neglect & Abuse of Unaccompanied Children by U.S. Customs and Border Protection

The Department of Homeland Security (DHS) Office for Civil Rights and Civil Liberties ("CRCL") is the agency within DHS that is, according to its own website, responsible for "promoting respect for civil rights and civil liberties in policy creation and implementation," and for "investigating and resolving civil rights and civil liberties complaints filed by the public."

In response to our FOIA request, CRCL released approximately 4,600 pages of records, consisting of complaints submitted by legal service providers and immigrants' rights advocates on behalf of migrant children detailing various forms of abuse. The CRCL records also consist of internal agency records documenting the limited investigations it undertook.

The International Human Rights Clinic at the University of Chicago School of Law has written a report highlighting the experiences of migrant children (often asylum-seekers) who suffered verbal, physical, or sexual abuse from CBP officials. The appendix contains all of the original records cited in the report.

REPORT: Neglect & Abuse of Unaccompanied Children by U.S. Customs and Border Protection

Appendix: CRCL documents discussed in Report

1-Pager Summary: English & Spanish

For the full set of CRCL documents, please visit http://bit.ly/cpbclcrdox




Parents, children ensnared in 'zero-tolerance' border prosecutions | Local news | tucson.com

Parents, children ensnared in 'zero-tolerance' border prosecutions


A Mexican woman alters her pants at Casa Alitas after being released by Immigration and Customs Enforcement and fitted with an ankle monitoring bracelet. Perla Trevizo / Arizona Daily Star

An immigrant woman colors a heart with the Guatemalan flag to thank the staff at Casa Alitas, a shelter run by Catholic Community Services to help parents traveling with children. photos by Perla Trevizo / Arizona Daily Star

A Guatemalan father who presented himself at the Nogales port of entry with his toddler daughter looks at a map at Casa Alitas, an initiative by Catholic Community Services, to see the distance between Arizona and California. Perla Trevizo / Arizona Daily Star

Alma Jacinto covered her eyes with her hands as tears streamed down her cheeks.

The 36-year-old from Guatemala was led out of the federal courtroom without an answer to the question that brought her to tears: When would she see her boys again?

Jacinto wore a yellow bracelet on her left wrist, which defense lawyers said identifies parents who are arrested with their children and prosecuted in Operation Streamline, a fast-track program for illegal border crossers.

Moments earlier, her public defender asked the magistrate judge when Jacinto would be reunited with her sons, ages 8 and 11. There was no clear answer for Jacinto, who was sentenced to time served on an illegal-entry charge after crossing the border with her sons near Lukeville on May 14.

Parents who cross the border illegally with their children may face criminal charges as federal prosecutors in Tucson follow through on a recent directive from Attorney General Jeff Sessions to prosecute all valid cases, said U.S. Attorney's Office spokesman Cosme Lopez.

U.S. Customs and Border Protection started referring families caught crossing illegally for prosecution several weeks ago, Lopez said. Those prosecutions unfold both in Streamline cases and through individual prosecutions.

On Thursday, Efrain Chun Carlos, also from Guatemala, received more information than Jacinto when he asked Magistrate Judge Lynnette C. Kimmins about his child during Streamline proceedings.

"I only wanted to ask about the whereabouts of my child in this country," Chun said.

Kimmins responded she didn't know where his child was and suggested he ask officials at the facility where he will be detained.

Christopher Lewis, the federal prosecutor at the hearing, told Kimmins that children from countries that are not contiguous to the United States will be placed in foster care with the Office of Refugee Resettlement.

"When they will be reunited, I cannot say because that's an immigration matter," Lewis said.

A spokesman for CBP did not provide information about the process for parents and children apprehended by Border Patrol and those presenting themselves at ports of entry.

It is still unclear what happens to the children of parents who are prosecuted, said Laura St. John, legal director with the Florence Immigrant and Refugee Rights Project based in Arizona. Technically, once the child is separated from the parent they are deemed an unaccompanied minor and their cases should be processed separately.

If parents are deported, they can ask that their children go with them or ask that the child be reunited with another sponsor in the U.S., which gives the child a chance to fight an immigration case on his/her own as an unaccompanied child, consulate officials and attorneys said. If the parent decides to fight the case and is released from ICE custody, they can request to be reunited outside detention.

Deterrent effect

Lopez said he did not know how many prosecutions of parents with children had occurred so far. The Arizona Daily Star found nine Streamline cases last week in which defendants asked the judge about their minor children.

The parents in those cases were arrested by Border Patrol agents near Lukeville between May 12 and May 15. Eight of them were from Guatemala and one was from El Salvador. Seven were men and two were women.

In an April 6 memorandum to federal prosecutors, Sessions announced a "zero tolerance" policy for first-time illegal border crossers. On May 7, he said the Department of Homeland Security was referring 100 percent of illegal crossers for criminal prosecution in federal court.

"If you cross this border unlawfully, then we will prosecute you," Sessions said. "It's that simple."

He included parents who come with their children in his directive.

"If you are smuggling a child, then we will prosecute you and that child may be separated from you as required by law," he said.

Criminal prosecutions of parents illegally crossing with their children have unfolded in Texas for several months, as have separations of families through civil immigration measures along much of the U.S.-Mexico border, according to media reports.

Border Patrol statistics show fewer apprehensions of families in sectors in Texas so far in fiscal 2018, which began last October, compared with the same period in fiscal 2017. Meanwhile, those apprehensions rose 103 percent in the Yuma Sector and 69 percent in the Tucson Sector.

In an interview with National Public Radio, White House Chief of Staff John Kelly said family separation could be a tough deterrent, "a much faster turnaround on asylum seekers."

The children would be "put into foster care or whatever," Kelly said in response to criticism that taking a mother from her child is cruel and heartless.

"But the big point is they elected to come illegally into the United States and this is a technique that no one hopes will be used extensively or for very long," Kelly told NPR.

Border Patrol agents in the Tucson Sector apprehended 2,500 people crossing the border as families from October to the end of April, CBP records show. In the Yuma Sector, agents apprehended nearly 8,000. The borderwide total is nearly 50,000, down from 59,500 during the same period in fiscal 2017.

At Arizona's ports of entry, about 5,500 people traveling as families were deemed inadmissible from October to April. The borderwide total was 30,000, up from about 21,000 during the same period in fiscal 2017.

Casa Alitas helps some

The number of Salvadorans arriving at the border has increased about 40 percent compared to last year, said German Alvarez Oviedo, the consul in Tucson. He estimated the total is still in the dozens but didn't have final numbers yet.

"There's no policy of family separation as such," he said, "but by declaring a zero-tolerance policy and prosecuting everyone who comes in, it results in family separation."

If the parent gets sentenced to time served, which is common for first-time entrants, officials should consider keeping young children with their parents, he said.

"It's not the same to be under the care of the mother than a shelter, especially when the child is 2," Alvarez Oviedo said.

The government has struggled to handle the increase of families coming across the border — at ports of entry and between the ports — since the numbers first started to rise in 2014.

Initially, officials allowed parents with children to enter the country under humanitarian parole. They were dropped off at a bus station in Tucson with an appointment to meet with ICE at their final destination within two weeks.

Later, officials started to release them, but with an ankle bracelet to limit what critics called a catch-and-release policy, since not all parents kept their appointments. The government also increased detention space for families.

This past week, more than 100 parents and children — many of them Guatemalans — lined up at the port of entry in downtown Nogales to be processed for entry into the United States, some waiting more than a day.

In general, the parents waiting to cross at the port who have no prior immigration history are processed and released with their children in Tucson with an ankle monitor and an appointment to meet with immigration officials. In at least one case, the families said, a man with prior immigration violations was separated from his son to be prosecuted.

Some of the families the Star spoke with Monday on the Mexican side of the port of entry went to Casa Alitas, a house in Tucson opened by Catholic Community Services to avoid having families spend the night at bus stations. Families can bathe, get clean clothes and eat a warm meal while their relatives buy their bus or plane tickets.

In a written statement, ICE officials said the agency prioritizes placing families in residential centers. But if they are operating at capacity, "We can also look for temporary hotel space or consider alternatives to detention, such as supervised paroles or use of ankle placement for monitoring."

The families said customs officials at the Nogales port of entry didn't ask them many questions, besides their reasons for coming to the United States.

Extortion, domestic violence and extreme poverty were all reasons they were seeking a better future in the United States, they told the Star.

The lack of rain also was hurting their ability to survive. For coffee farmers, their fields weren't producing enough and their crops were more susceptible to plagues they had no money to treat.

Katherine Smith, site and volunteer coordinator at Casa Alitas, said few families came last fall. Then it started to pick up around Christmas, with ICE trying to find placement for 100 people in one day.

It had slowed again until recently, when ICE started to ask Casa Alitas daily if it could take 40 to 60 parents and children the agency was releasing, Smith said.

Smith doesn't know the reason for the increase, other than the normal rise in Southern Arizona right before the triple-digit heat of summer.

As of May 7, the Florence Immigrant and Refugee Rights Project had served 135 families separated by immigration authorities this year. At this rate, the group said, family separations are on pace to increase 75 percent from recent years.

Given recent announcements by federal officials, they believe the numbers will continue to rise, although it doesn't mean that all of them were prosecuted, the group said.

"A number of these families appear to have a real fear of returning to their country of origin," said St. John, the Florence Project's legal director. "Fleeing or leaving a child behind to avoid being separated by the U.S. government is not a choice any parent should have to make."

Contact reporter Curt Prendergast at 573-4224 or cprendergast@tucson.com. Twitter: @CurtTucsonStar. Contact reporter Perla Trevizo at 573-4102 or ptrevizo@tucson.com. Twitter: @Perla_Trevizo.


North Korea Says Trump Wasn't 'Confident' Enough to Meet Kim Jong Un
Art of the fail 

North Korea Says Trump Wasn't 'Confident' Enough to Meet Kim Jong Un

North Korea claimed to be surprised and "full of regret" at President Donald Trump's decision to cancel the planned meeting with North Korean leader Kim Jong Un in Singapore.

The North Korean regime rejected responsibility for the summit cancellation in a statement released by the state-run Korean Central News Agency (KCNA) on Thursday and attributed to Vice Foreign Minister Kim Kye Gwan, translated and quoted in 38 North, a web journal that provides analysis and insight into North Korea.

The vice foreign minister expressed "great regret" for Trump's "sudden and unilateral" announcement, for which, he said, it was "hard to guess" the reasons. "It could be that he lacked the will for the summit or he might not have felt confident," Kim Kye Gwan suggested, poking at the president's ego.

In the letter to Kim Jong Un, Trump said he thought the atmosphere was too hostile for the two of them to meet, a reference to a recent statement from North Korea's vice-foreign minister Choe Son Hui in which she called Vice-President Mike Pence "a political dummy" for comparing her country to Libya.

North Korean leader Kim Jong Un speaks with South Korean President Moon Jae-in during the inter-Korean summit in the Peace House in the truce village of Panmunjom, North Korea, on April 27. President Donald Trump canceled his meeting with Kim planned in Singapore in June. Korea Summit Press Pool/AFP/Getty Images

Branding Trump's decision as "not consistent with the desire of humankind for peace and stability in the world," Kim Kye Gwan referred to his country by its official name, Democratic People's Republic of Korea (DPRK), and said Choe's statement was "just a reaction to the unbridled remarks made by the U.S. side which has long pressed the DPRK unilaterally to scrap nuclear program ahead of the DPRK-U.S. summit."

Kim Kye Gwan said North Korea had "inwardly highly appreciated" Trump's "bold" decision to meet with Kim Jong Un—indeed, a meeting with a U.S. president had long been a foreign policy goal of the North Korean regime, which saw it as an opportunity to be presented as an equal to a global power on the world stage.


North Korea vowed to continue to pursue that goal and took the opportunity to paint itself once again as a reasonable, peace-loving nation, extending an olive branch to the U.S. "We will to do everything we could for peace and stability of the Korean peninsula and humankind, and we, broad-minded and open all the time, have the willingness to offer the U.S. side time and opportunity," Kim Kye Gwan wrote.

"The first meeting would not solve all, but solving even one at a time in a phased way would make the relations get better rather than making them get worse. The U.S. should ponder over it," the vice foreign minister advised, making it known to the U.S. that North Korea remained willing to talk and "solve problem regardless of ways at any time."



Humanitarian Crisis Unfolding Under Trump's Border Control Policies — It's happening here; It's happening now

DailyDDoSe ©️ May 25, 2018

It's happening here. It's happening now. Under Trump's New Policy on Border Control, Attorney General Jeff Sessions ordered that children and parents be separated and placed into detention centers or foster care when seeking asylum or refuge in the United States of America. 


They are being forced to wear yellow bracelets reminiscent of the Yellow Stars of David Jews were forced to wear in Nazi Germany. 


Of the 9,000 children in their custody, 1475 children were lost and that's just in Arizona. 


Apparently some were sold into human trafficking. This is beyond reprehensible. ICE must be contained. 


Trump recently authorized the destruction of evidence and they are shredding documents to cover up rampant sexual and verbal abuse and deaths of detainees abused by ICE and Border Control Agents. 


Jeff Sessions and Trump authorized the destruction of records detailing the abuse and evidence of crimes by ICE and Border Control Agents detailing brutality and violence against women and children in their custody. 


This is a humanitarian crisis of global proportions and requires a global response.


Please help us. America has lost its way.


-Elyssa Durant 





Border Patrol Kicked, Punched Migrant Children, Threatened Some with Sexual Abuse, ACLU Alleges

Central American migrants travelling in the 'Migrant Via Crucis' caravan sleep outside 'El Chaparral' port of entry to US while waiting to be received by US authorities, in Tijuana, Baja California State, Mexico on April 30, 2018. The ACLU released a new report detailing abuse allegations minors have made against CBP officers. Photo: Guillermo Arias/AFP/Getty Images


Migrant children under the care of United States Customs and Border Protection (CBP) were allegedly beaten, threatened with sexual violence and repeatedly assaulted while in custody between 2009 and 2014, according to a report released Wednesday from the American Civil Liberties Union (ACLU) and the International Human Rights Clinic at the University of Chicago Law School.

Based on 30,000 pages of documents obtained through a records request, the report includes gruesome, detailed accusations of physical and mental abuse at the hands of officers. The claims were filed by unaccompanied minors, most of whom hailed from El Salvador, Guatemala, Mexico and Honduras. CBP officials have contested large swaths of the report, telling Newsweek that many of the allegations have been investigated and are "false." 

Border authorities were accused of kicking a child in the ribs and forcing a 16-year-old girl to "spread her legs" for an aggressive body search. Other children accused officers of punching a child in the head three times, running over a 17-year-old boy and denying medical care to a pregnant teen, who later had a stillbirth.

Mitra Ebadolahi, ACLU Border Litigation Project staff attorney, said the allegations describe a law enforcement system "marked by brutality and lawlessness." The organization also accused Border Protection officials of failing to "meaningfully investigate" the allegations detailed in the public records.

"All human beings deserve to be treated with dignity and respect regardless of their immigration status—and children, in particular, deserve special protection," she said. "The misconduct demonstrated in these records is breathtaking, as is the government's complete failure to hold officials who abuse their power accountable."

In a call with reporters on Wednesday, ACLU staff and researchers from the International Human Rights Clinic said that the allegations, which took place during the presidency of Barack Obama, are especially alarming now that President Donald Trump has vowed to beef up the detentions of undocumented immigrants.

"The fact that these children were already so vulnerable—most traveling alone in hopes of escaping violence and poverty in their home countries—made the unlawful and inhumane actions reflected in the documents even more distressing," Claudia Flores, faculty director of the International Human Rights Clinic at University of Chicago, said in a statement to Newsweek.



In response to the allegations, Dan Hetlage, a spokesperson for the Border Control department, accused the ACLU of presenting accusations against CBP officers as fact. The department also accused the ACLU of deliberately littering the report with vague anecdotes. Without specifics, Border Protection cannot take "reasonable steps" to examine or address the accusations, Hetlage said.

"The false accusations made by the ACLU against the previous administration are unfounded and baseless," Hetlage said. "The 'report' equates allegations with fact, flatly ignores a number of improvements made by CBP as well as oversight conducted by outside, independent agencies, including the DHS Office of Inspector General and the Office of Civil Rights and Civil Liberties over the last decade."

Katie Waldman, a spokesperson for the Department of Homeland Security, echoed Hetlage's concerns, telling Newsweek the report is "absurd." 

"They are without merit," she said. "Packaging dozens of patently baseless allegations and calling it a 'report' does not change the facts—it is just a collection of patently baseless allegations."

This story has been updated to include a comment from the Department of Homeland Security. 

Monday, May 7, 2018

The legacy of LulzSec

As if 2011 hasn't been interesting enough, given the sheer number of data breaches (CNET has posted a nifty chart), the next several days promise to yield even more stolen records, at least according to the latest dispatch from the hacker group LulzSec.

The collective, which has been all the talk of the security industry over the past several weeks since it launched its attack on PBS, announced later Sunday that it is hooking up with the Anonymous group, best known for its attacks on HBGary Federal, to launch "Operation Anti-Security."

The mission is to expose government and corporate corruption by way of stealing and leaking classified data.

"Together, we can defend ourselves so that our privacy is not overrun by profiteering gluttons," Lulz Security wrote. "Your hat can be white, gray or black. Your skin or race are not important. If you're aware of the corruption, expose it now, in the name of Anti-Security."

The call to arms is a testament to how unpredictable LulzSec has been. Just a few days ago, it was leaking the usernames and passwords of pornographic subscribers, was asking its followers on Twitter to call a phone number to suggest a candidate to DDoS, and was using its call center to flood the World of Warcraft support line. All for, as the group said, the lulz.

The fact that LulzSec is allying with the more established Anonymous gang, and asking for any outsiders to join in for a more principled cause, could be an indication that the group is losing some steam – especially in light of a series of alleged outings last week and over the weekend.

No matter their identities, and even if the LulzSec group was all apprehended by authorities tomorrow, one can't deny that they have changed the landscape. Members have infiltrated a number of high-profile websites, including those of Sony, the CIA and the U.S. Senate, with apparent stunning ease.

The question on some people's minds is: What impact do these "hacktivist" groups have on infosec as a whole?

There are two scenarios that may play out, as I see it.

1). Anonymous, LulzSec and whichever groups follow -- and we know there will be others -- significantly help to secure cyberspace, by catapulting data breaches into the mainstream and forcing all organizations to assess their security stance.

Tales of LulzSec conquests have escaped the traditional trade press ceiling and have found their way into the mainstream media with regularity. Surely, the budget decision-makers at various firms have seen the headlines and are well aware that they could be next.

Of course, containing these hackers is not easy. While the infiltrators, for the most part, appear to be using relatively simple means of gaining access (i.e., no customized malware), organizations are struggling to respond.

Ideally, what would result is a new way of thinking about cyber defense.

Jeffrey Carr, founder and CEO of Taia Capital, which specializes in cybersecurity countermeasures for corporate executives and government officials, wrote an interesting blog post Sunday where he challenged organizations to think like an attacker. Among his suggestions:

  • Uncertainty and randomness favor the adversary, therefore defenders must implement components of randomness and uncertainty as part of a network defense strategy.
  • Since it isn't possible to anticipate every type of attack, the defender must become a competitor to the adversary and continually attack his own system "in the hopes of finding heretofore undiscovered attacks" before the adversary does.

2). The second scenario that might play out is the government overreacting to the actions of LulzSec and, as a result, lawmakers enact stiff legislation that considerably limits the openness and freedom of the internet. Such a prospect was warned about in a paper written earlier this year by researchers at George Mason University.

Two other academics, Ronald Deibert and Rafal Rohozinski of the Munk School of Global Affairs at the University of Toronto, also addressed this possibility during a video I shot with them last week at SC Congress Canada. (We start talking about it at approximately the 3:45 mark).

LulzSec is certainly baiting the government to go this route, with its CIA and Senate infiltrations, and the latest rallying cry. And we might already be seeing the first signs of this overreaction.

**

I should also mention that the possibility exists that LulzSec is not who we think they are, but are instead, say, a government-hired band of digital assassins. Hey, the conspiracy theories are out there. And at the rate this year is going, nothing would surprise me.

In a perfect world, the legacy of 2011 and LulzSec will be that the web remained open and free, governments and corporations were held accountable when they did wrong, all organizations recognized that resilient security (and proper responses in light of a breach) are merely table stakes for doing business, and hackers who victimized the innocent were brought to justice.

A guy can dream, right?





Elyssa D. Durant 
Research & Policy Analyst
Columbia University, New York

Hacker group LulzSec targets FBI partner InfraGard

On the heels of successful infiltrations at PBS and Sony, a vigilante hacker collective, known as LulzSec, has compromised the website of the Atlanta chapter of InfraGard, an FBI partner organization.

The hacking group, whose tagline is "laughing at your security since 2011," said in a news release Friday that it broke into infragardatlanta.org, took "complete control," and defaced the site. Further, the group posted online the names, email addresses, usernames and cracked passwords of the site's 180 members.

The data appears to include the credentials of users from multiple cybersecurity firms, Georgia state government and educational institutions, the U.S. Army and major telecommunications companies.

LulzSec said it targeted the FBI-affiliated InfraGard, a public-private partnership that aims to share information about cyberthreats, in response to a report that the Obama administration was considering classifying hacking as an act of war.

As of Monday, the InfraGard Atlanta website was not accessible. A message on the site noted that it was "under construction." InfraGard and the FBI in Atlanta did not immediately respond to emails from SCMagazineUS.com on Monday.

LulzSec singled out InfraGard member Karim Hijazi, CEO of Unveillance, a Wilmington, Del.-based botnet monitoring service provider, in an effort to "expose the corruption of white hats," according to the group's statement.

The hacking collective said it used Hijazi's InfraGard password to access his personal and work Gmail accounts and briefly take over his firm's servers and botnet control panel.

"After doing so, we contacted Karim and told him what we did," the group said in its statement. "After a few discussions, he offered to pay us to eliminate his competitors through illegal hacking means in return for our silence."

But, in a statement released Friday, Hijazi said he was the target of an extortion attempt by LulzSec members.

"Plain and simple, I refused to comply with their demands," Hijazi said. "Because of this, they followed through in their threats – and attacked me, my business and my personal reputation."

The hacker contingent has posted its chat logs with Hijazi, along with nearly 1,000 of his personal and work emails.

LulzSec has been particularly active over the past week. Members of the group used a zero-day vulnerability in a blog software program to break into servers belonging to PBS.org. Three days later, they compromised the personal information of more than one million users of SonyPictures.com.

In addition, the group hacked a server belonging to Nintendo but didn't make off with any personal information. The group actually has expressed its appreciation of the video game giant, according to a tweet.



Router Security Checklist


The most expert person in the world can only make a router as secure as the firmware (router OS) allows. The following list of security features lets you judge how secure a router can potentially get. This is not a list of things to do to make a router more secure. That list includes a number of actions, like changing the default password, that are common to all routers and thus not in the list below. If you care about securing a router, look for it to have the features below. Sadly, reviews of routers never discuss any of this.

  1. WPS   (updated March 30, 2017)
    • Is WPS supported? WPS has been such a security disaster that I would not want to use any router that supports it. Since WPS is required for WiFi certification, it is widely present in consumer routers. Yet another reason not to use a consumer router.
    • At the end of March 2017, I added a new WPS page to this site with everything you ever wanted to know about it, and more.
    • If you are using a router that supports WPS, then check to see if it can be turned off. There are two aspects to this. When the security issues with WPS first came to light at the end of 2011, some routers would not disable WPS even when told to do so - a bug. Then too, some routers, such as the D-Link DIR 890L do not let you disable WPS.
    • WPS status: To verify that WPS is disabled use a WiFi survey type application such as the excellent WiFi Analyzer on Android. On Windows, look into WiFiInfoView from Nirsoft - it is free and portable.

  2. NO DEFAULT PASSWORDS (added Nov. 21, 2015)
      Default passwords are a huge problem for routers and should not be allowed. Even default passwords that look random are not. Eventually, someone figures out the formula for creating that password and can often use that, combined with public information from the router, to derive the password. Thanks to Russ for this idea.
    • When initially configured, does the router force you to provide new, non-default WiFi passwords for every Wi-Fi network?
    • When initially configured, does the router force you to provide a new, non-default password for logging in to the router itself?
      One router that does is the Synology RT1900ac (User Guide, screen shot). I have read that DD-WRT also does this.

  4. LOCAL ADMINISTRATION
      A malicious person on your network is bad enough, but we need to prevent them from being able to modify the router. The router also needs to be protected from malicious web pages that exploit CSRF bugs.
    • Is HTTPS supported? In 2013, Independent Security Evaluators tested 13 consumer routers. Some supported HTTPS, some did not. Every router that supported it, however, had it disabled by default.
    • If HTTPS is supported, can admin access be limited exclusively to HTTPS?
    • Can admin access be limited to Ethernet only?
    • Can the TCP/IP port used for the web interface be changed?
    • Can access be restricted by LAN IP address? To really prevent local admin access, limit it to a single IP address that is both outside the DHCP range and not normally assigned.
    • Can access be restricted by MAC address? The TP-Link Archer C7 supports this. See screenshot.
    • Can router access be restricted by SSID and/or by VLAN? The Pepwave Surf SOHO can do both of these since it can assign an SSID to a VLAN (screenshot).
    • Is it limited to one logon at a time? It should be. The router should not allow multiple computers to logon at the same time using the same userid.
    • Is there some type of lockout after too many failed attempts to login to the web interface? Peplink added this in firmware 7.0.1, released June 2017.
    • Is there a CAPTCHA option for logging in? (D-Link offers this)
    • Can you logout of the web interface? You should be able to. I have seen Linksys and D-Link routers without a Logoff button.
    • Does it time out? It should, and you should be able to set the timeout period. See Cisco example.

  6. REMOTE ADMINISTRATION
    • Can it be limited to HTTPS only? To me, this is an absolute must. The Netgear Nighthawk R700, despite great reviews, only supports remote management over HTTP which means your password travels in the clear. I have seen this too with low end Asus routers, while their higher end models do offer HTTPS.
    • Can the port number be changed? (also a must)
    • Can access be restricted by source IP address or source network?
      Here is an example of this, from a Pepwave Surf SOHO router running Firmware 6.2. The "Allowed source IP subnets" is where you can set multiple IP addresses (yes, it's a bit confusing) and IP subnets from which remote administration is allowed. In reference to the two previous issues, the security for remote administration can be HTTP only, HTTPS only, or both. In the screenshot, it is HTTPS only. The "Web admin port" is the port used for remote administration, in the screenshot it is 12345. The "Web admin access" can be set to LAN only or, as in the example, both LAN and WAN.
      Most of us, at home, have a dynamic IP address from our ISP which at first glance would seem to rule out using this security feature (anyone who works in an office with a static public IP address can, of course, use it). But, a couple VPN providers offer static IP addresses. One is Nord VPN, which lets an account be assigned a static IP address. TorGuard, another VPN company, also offers a static IP address ($8/month as of April 2015). If you know of another, email me.
    • Does it time out? (it should) That is, if you forget to logout from the router, eventually your session should time out, and, you should be able to set the time limit, the shorter, the more secure.
    • Is it off by default? It should be. The Linksys AC1900 (EA6900) has Remote administration enabled by default.
    • Is it limited to one logon at a time? It should be. The router should not allow multiple computers to logon at the same time using the same userid.
    • Is there some type of lockout after too many failed attempts to login to the web interface? Peplink added this in firmware 7.0.1, released June 2017.
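
The local and remote administration items above describe controls the router's firmware has to enforce: HTTPS only, a source-address allowlist, lockout after repeated failures, one logon at a time, and an idle timeout. The following is an added example that models those controls in Python; it is not from this page and is not any vendor's firmware. The class, its method names, the limits and the sample addresses are assumptions chosen for illustration.

```python
"""Model of the admin-access controls in the checklist above.
Added example: the class and its limits are assumptions, not vendor firmware."""
import hashlib
import hmac
import ipaddress
import secrets


class AdminGate:
    """Gate in front of a router's web admin interface."""

    def __init__(self, password, allowed_subnets, max_failures=5,
                 lockout_seconds=300, idle_timeout=600):
        # Store only a salted hash of the admin password, never the password.
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self.allowed = [ipaddress.ip_network(n) for n in allowed_subnets]
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.idle_timeout = idle_timeout
        self.failures = {}      # source IP -> consecutive failed logins
        self.locked_until = {}  # source IP -> time the lockout expires
        self.session = None     # [token, source IP, last activity time]

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def login(self, src_ip, password, now, https=True):
        """Return (token, reason); token is None when the login is refused."""
        if not https:
            return None, "refused: admin interface is HTTPS-only"
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in net for net in self.allowed):
            return None, "refused: source address not in allowed subnets"
        if self.locked_until.get(src_ip, 0) > now:
            return None, "refused: locked out after too many failures"
        if not hmac.compare_digest(self._hash(password), self._pw_hash):
            count = self.failures.get(src_ip, 0) + 1
            self.failures[src_ip] = count
            if count >= self.max_failures:
                self.locked_until[src_ip] = now + self.lockout_seconds
                self.failures[src_ip] = 0
            return None, "refused: bad password"
        # One logon at a time: refuse while another session is still live.
        if self.session is not None and now - self.session[2] < self.idle_timeout:
            return None, "refused: another admin session is active"
        token = secrets.token_hex(16)
        self.session = [token, src_ip, now]
        self.failures.pop(src_ip, None)
        return token, "ok"

    def request(self, token, now):
        """Authorize one admin request; expire the session if it has been idle."""
        if self.session is None or not hmac.compare_digest(token.encode(), self.session[0].encode()):
            return False
        if now - self.session[2] >= self.idle_timeout:
            self.session = None
            return False
        self.session[2] = now
        return True

    def logout(self, token):
        """Explicit logoff, which the checklist notes some routers lack."""
        if self.session is not None and hmac.compare_digest(token.encode(), self.session[0].encode()):
            self.session = None
            return True
        return False
```

The time parameter is passed in explicitly so the policy can be exercised without waiting; a real implementation would read the clock. Note that the lockout is tracked per source address, so a guessing attempt from one host does not lock the legitimate administrator out from another.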


  7. WIFI
      No one can hack into a network that does not exist.
    • Can the wireless network(s) be scheduled to turn off at night and then back on in the morning? Two routers that offer this feature are the Amped Wireless RTA1750 and the Synology RT1900ac.
    • Is there a WiFi on/off button? This is a rare feature. Some routers with it are the TP-Link Archer C9, D9 and C3150, the Asus RT-AC68U, the Netgear R6220 and the Synology RT1900ac. The idea is to make it easier to disable WiFi when it's not needed. When this is easily done, more people will do it. The routers I have seen with a WiFi on/off button all had a very small button that was hard to reach. An exception is the NETGEAR R6400-100NAS which has the button in an easy to locate position on the top of the router. So too some FRITZ!Box routers, popular in Germany and Australia (closeup). The Synology RT2600ac has the button on the side where it should be easy to reach. Same for the Asus RT-AC1900P.

  9. WPA2
      Although every router offers WPA2 encryption with Pre-Shared Key (PSK) there are still things to look for:
    • Verify that the router offers WPA2 exclusively. If the only option is a combination of WPA and WPA2, then it is not as secure as WPA2.
    • After opting for WPA2 encryption, a better router will always use AES or CCMP (two terms for the same thing). Some routers offer TKIP as an option with WPA2. TKIP is not as secure. Meraki is a high-end wireless vendor owned by Cisco. I have seen a network running their hardware offer WPA2 with TKIP. If there is no secondary option after you select WPA2, then you will need to use a WiFi scanner app, such as WiFi Analyzer on Android, to see if it is using AES, CCMP or TKIP.
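
Both the WPS section above (verify that WPS is really off with a scanner) and this WPA2 section (see whether the network offers TKIP) come down to reading what the router advertises in its beacons. The following is an added example, not from this page, that does that check on Linux from the output of `iw dev <iface> scan` instead of a phone app. The scan text embedded below is a constructed sample in the layout that command prints; real output carries many more lines per network, and the parser only looks at the SSID, RSN, WPA and WPS lines.

```python
"""Flag WPS, WPA1 and TKIP on nearby networks from `iw dev <iface> scan` output."""
import re

# Constructed sample in the layout `iw dev wlan0 scan` uses (assumption: real
# output has many more lines per BSS; only the lines this parser reads are kept).
SAMPLE_SCAN = """\
BSS aa:bb:cc:00:00:01(on wlan0)
\tfreq: 2437
\tSSID: HomeNet-Good
\tRSN:\t * Version: 1
\t\t * Group cipher: CCMP
\t\t * Pairwise ciphers: CCMP
\t\t * Authentication suites: PSK
BSS aa:bb:cc:00:00:02(on wlan0)
\tfreq: 2412
\tSSID: HomeNet-Mixed
\tRSN:\t * Version: 1
\t\t * Group cipher: TKIP
\t\t * Pairwise ciphers: CCMP TKIP
\t\t * Authentication suites: PSK
\tWPA:\t * Version: 1
\t\t * Group cipher: TKIP
\t\t * Pairwise ciphers: TKIP
\t\t * Authentication suites: PSK
\tWPS:\t * Version: 1.0
\t\t * Wi-Fi Protected Setup State: 2 (Configured)
BSS aa:bb:cc:00:00:03(on wlan0)
\tfreq: 5180
\tSSID: Cafe-Open
"""


def parse_scan(text):
    """Return one dict per BSS: ssid, RSN/WPA/WPS presence and pairwise ciphers."""
    networks, cur, block = [], None, None
    for line in text.splitlines():
        m = re.match(r"BSS ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", line)
        if m:
            cur = {"bssid": m.group(1), "ssid": "", "rsn": False,
                   "wpa": False, "wps": False, "ciphers": set()}
            networks.append(cur)
            block = None
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("SSID:"):
            cur["ssid"] = s[5:].strip()
            block = None
        elif s[:4] in ("RSN:", "WPA:", "WPS:"):
            block = s[:3]              # the information element being listed
            cur[block.lower()] = True
        elif s.startswith("*"):
            # "* ..." lines belong to the most recent information element.
            if block in ("RSN", "WPA") and "Pairwise ciphers:" in s:
                cur["ciphers"].update(s.split("Pairwise ciphers:", 1)[1].split())
        else:
            block = None
    return networks


def assess(net):
    """Findings a defender would act on for one network."""
    findings = []
    if net["wps"]:
        findings.append("WPS advertised")
    if not (net["rsn"] or net["wpa"]):
        findings.append("open network (no WPA/WPA2)")
    if net["wpa"]:
        findings.append("WPA1 still offered (mixed WPA/WPA2)")
    if "TKIP" in net["ciphers"]:
        findings.append("TKIP cipher offered")
    return findings


def report(text):
    """Map each SSID to its findings."""
    return {n["ssid"]: assess(n) for n in parse_scan(text)}


if __name__ == "__main__":
    for ssid, findings in report(SAMPLE_SCAN).items():
        print(ssid, "->", ", ".join(findings) or "OK")
```

Run it on a real capture with `iw dev wlan0 scan > scan.txt` (root is needed for an active scan) and feed the file to `report`. A router on which WPS was "disabled" but that still shows a WPS element is exactly the bug the WPS section describes.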

  11. GUEST NETWORKS
      In general, a guest network is a good thing. I blogged on this December 2015: To share or not to share - a look at Guest Wi-Fi networks. But, all guest networks are not the same.
    • Is the network defined normally or does it require a captive portal? For more on this see Warning: Guest Mode on Many Wi-Fi Routers Isn't Secure. Normal is good, captive portal is bad. For more on why this is see my blog Linksys Smart Wi-Fi makes a stupid Guest network.
    • Is WPA2 supported on the Guest network? This comes from the article linked to above which points out that Belkin and Linksys Smart WiFi routers do not support WEP, WPA or WPA2 on their Guest networks. On a related topic, Ubiquiti AmpliFi routers default to not having a password on the Guest Network.
    • Perhaps the biggest security feature of a guest network is that it keeps guest users away from the private network. When this is working properly, guest users will not be able to see anything that is Ethernet connected to the router, or, anything that is connected to a non-guest wireless network from the same router. Put another way, you want guests to see the Internet and nothing but the Internet. Sadly, this feature is assigned many different names. Asus calls it "Access Intranet". TP-LINK calls it "Allow Guests to access my local network". D-Link calls it "Internet access only". TRENDNET also calls it "Internet access only" and they explain that it "prevents guests from accessing the private LAN network".
      Verify this!
      One way to verify it is with a LAN scanner app such as Overlook Fing which runs on iOS, Android, Windows and OS X. The scan should not see any devices on the private network. Another option is, from a guest network, to try and access a NAS or a network printer or any other LAN device exposing a web interface.
    • Some routers have a configuration option for guest users being able to see each other. It is more secure if they can not, but there may be times where you want to allow this. Like the feature above, this too, may be called "isolation". TRENDNET calls it "Wireless Client Isolation" and they explain that it "isolates guests from each other". TP-LINK calls it "Allow Guests to See Each Other". If there are multiple guest networks (often one on the 2.4GHz band and another on the 5GHz band), then the question becomes whether guest users on one guest network can see guest users on another guest network.
    • NOTE: According to a March 2015 article at How-To Geek, older Netgear routers had an option to "allow guests to access my local network" and a separate option to "enable wireless isolation" which prevented guest users from seeing each other. However, the Netgear Nighthawk X6 router no longer supports two options. They were combined into a single option called "allow guests to see each other and access the local network." Not good. As the article says "There are numerous, and perfectly valid, reasons for wanting to enable one and not the other (e.g. your kids want to play network games with their friends on the guest network so network isolation must be disabled, but you don't want them to access your LAN)..."
    • Some routers let you schedule the guest network(s). It would be great if you could turn it on for X hours and then have the router de-activate it. Probably the worst thing about guest networks is leaving them on all the time. One router that can do this is the Trendnet TEW-813DRU. The company has an online emulator from which I took a screen shot.
      If the network can't be scheduled, the next best thing is making it easy to turn it off and on. To that end, a smartphone/tablet app for controlling the router may provide an easier interface.
    • Time limits: The Ubiquiti AmpliFi system can limit the life span of the Guest Network. The Norton Core router goes further, it can apply different time limits to each individual user. Five minutes before a user's time is going to expire, the Norton Core can alert you, so that you can extend the time.
    • The Norton Core router is the only one I know of that can alert you whenever a new user joins the Guest Network. See the User Guide.
    • A Guest user may or may not be able to login to the web interface of a router. Obviously, locking them out is more secure. A reader of this site, Sudhakar, raised this issue for the first time in Dec. 2015. I have not seen this discussed by any consumer router. The Pepwave Surf SOHO can limit router access to a single SSID, thus blocking guest users.
    • Subnets: the Guest network may share the same subnet as the private network or use a different one. I prefer different subnets. The Linksys Smart WiFi line does this.
    • Nice to have: Some routers, such as the Ubiquiti AmpliFi, let you limit the total number of concurrent guest users.
    • Nice to have: Some routers let you limit the bandwidth of guest networks. In the TP-LINK example above, it is not clear if the limit applies to the entire network as a whole or to each user individually.
    • Although not a security issue per se, some routers do not let you choose the Guest network name. The Linksys Smart WiFi line, for example, always uses the SSID of the private 2.4GHz network and appends "-guest" at the end.
    • Vouchers: The Ubiquiti UniFi system can run a Guest network based on vouchers. Users are forced to enter a voucher ID on a captive portal page. Vouchers can be single-use or multi-use. They last for a customizable amount of time and can also be linked to a bandwidth quota or bandwidth limits. You can print a sheet of codes, cut it up and give them out. The down side is that this requires Ubiquiti controller software. More here and here and here.
    • FYI: Kick the tires on how an Asus router configures Guest networks and see documentation on guest networks from TP-LINK, Netgear and Linksys.
    • Google Wifi lets guest users see devices on the main LAN, according to this April 2017 article.

  13. ROUTER USERID
    • Can the userid for the web interface be changed? Every router lets you change the password, a few let you also change the userid. This is most important when using Remote Administration. An October 2016 study of 12,000 home routers by ESET found that "admin" was the userid "in most cases."
    • Is there a read-only user? Most routers only allow for one userid, but some allow for two: one with full admin privileges and one that is only allowed to view stuff but not make changes.
    • Many users: this seems like overkill to me, but some routers let you define multiple userids. A Verizon DSL gateway, the D-Link 2750B lets you go so far as defining groups of users.

  14. ROUTER PASSWORD (updated Nov. 15, 2015)
    • How long can the router password be? In one of my favorite stories, Brian Krebs ran across a router that only supported passwords up to 16 characters long. Quoting from his article: "I helped someone set up a ... ASUS RT-N66U ... router, and ... made sure to change the default router credentials ... ... my password was fairly long. However, ASUS's stock firmware didn't tell me that it had truncated the password at 16 characters .... when I went to log in to the device later it would not let me in ... Only by working backwards on the 25-character passphrase I'd chosen - eliminating one letter at a time ... did I discover that the login page would give an "unauthorized" response if I entered anything more than the first 16 characters of the password". I have also read of a D-Link router that limits passwords to 15 characters and also does not make this clear. So, test if your router allows a 17 character password. It should.
    • How short can the router password be? Very short passwords should not be allowed.
    • Are the password rules explained? When you change the router password, does the User Interface explain the rules about acceptable passwords? That is, does it say anything about the length of the password or if any characters are not allowed?
    • Does the router allow brute force password guessing? After a certain number of wrong passwords does the router do anything to prevent further guessing?

  15. FIREWALL   (updated Nov. 25, 2017)
      There are three aspects to the security of a router firewall.
    • What ports are open on the WAN/Internet side? The most secure answer is none. If you are using old school Remote Administration, then this will require an open port. Every open port on the WAN side needs to be accounted for, especially if the router was provided by an ISP; they often leave themselves a back door. The Test your router page links to many websites that offer firewall tests. That said, none of them will scan all 65,535 TCP ports or all 65,535 UDP ports.
    • What ports are open on the LAN side? Expect port 53 to be open for DNS (probably UDP, maybe TCP). If the router has a web interface, then that requires an open port. The classic/standard utility for testing the LAN side firewall is nmap. There are some instructions for using nmap on the New Router Setup page. As with the WAN side, every port that is open needs to be accounted for.
    • Can the router create outgoing firewall rules? There are all sorts of attacks that can be blocked with outgoing firewall rules. Here is an example of a Peplink firewall rule that blocks access to a domain. Generally, consumer routers do not offer outbound firewall rules while business class routers do.
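
The firewall items above say that every open port, on either side of the router, has to be accounted for. The following is an added example, not from this page and not a vendor tool, that reads nmap's grepable output (`nmap -oG -`) and lists every open port that is not on an allowlist you maintain. The scan text, the router address and the allowlist below are constructed assumptions; the allowlist here is what a LAN-side scan of a router with DNS and an HTTPS-only web interface would be expected to show.

```python
"""Account for every open port found by an nmap scan of a router's LAN side."""
import re

# Constructed sample of nmap "grepable" output (e.g. nmap -sT -sU -oG - <router>);
# the host and the ports are made up for illustration.
SAMPLE_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 53/open/tcp//domain///, 53/open/udp//domain///, 80/open/tcp//http///, 443/open/tcp//https///, 1900/open/udp//upnp///, 49152/open/tcp//unknown///\tIgnored State: closed (994)
# Nmap done (constructed sample)
"""

# Assumption: what a LAN-side scan of a well-configured router should show,
# DNS on 53 (TCP and UDP) plus an HTTPS-only web interface.
EXPECTED_LAN = {(53, "tcp"), (53, "udp"), (443, "tcp")}


def open_ports(grepable):
    """Return a set of (port, protocol) pairs that nmap reported as open."""
    found = set()
    for line in grepable.splitlines():
        m = re.search(r"\tPorts: (.*?)(?:\t|$)", line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            # Each entry is port/state/protocol/owner/service/rpc info/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                found.add((int(fields[0]), fields[2]))
    return found


def unaccounted(grepable, expected):
    """Open ports nobody has explained: each needs an owner or needs closing."""
    return sorted(open_ports(grepable) - set(expected))


if __name__ == "__main__":
    for port, proto in unaccounted(SAMPLE_GREPABLE, EXPECTED_LAN):
        print(f"unexplained open port {port}/{proto}")
```

In the sample the unexplained ports are plain-HTTP admin on 80, SSDP/UPnP on 1900 and a high TCP port, which are exactly the kinds of thing the checklist asks you to either justify or switch off. The same function works on a WAN-side scan run from outside, where the expected set should normally be empty.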
  17. MAC ADDRESS FILTERING
      I am well aware that MAC address filtering is far from perfect. That said, it does make it harder for bad guys to get on to your network. Many people say not to bother with it, both because it's a big administrative hassle, and, because it will not block a skilled attacker. The administration hassle, however, is not the same on all routers.
    • The big question with MAC address filtering is whether this feature applies to all networks created by the router, or, to all networks on the same frequency band (2.4GHz or 5GHz), or, in the best case, if there are separate MAC filtering lists for each individual network/SSID? If a router supports independent filtering lists for each SSID, then MAC address filtering can be used for the main, private SSID and not used on guest networks. This makes it a practical solution as the maintenance hassle is so low.
    • Another aspect that can make this much easier to deal with is comments. That is, instead of just maintaining a list of black- or white-listed MAC addresses, the router should also let you add a comment to each MAC address. This way you can easily check if computer X is already in the list or not. And, when tablet Y is lost, it makes it easy to remove it from the list. Of the routers I have seen, only AirOS firmware running on a Ubiquiti AirRouter offered the ability to add a comment. It looked like this.

  19. UPnP (Revised Oct 9, 2016)
      Universal Plug and Play (UPnP) can be a security problem in two ways. It was designed to be used on a LAN where it lets devices poke a hole in the firewall. It was never meant to be used on the Internet, but some routers mistakenly enabled it there too. Most routers let you disable UPnP on the LAN side.
    • Can you disable UPnP in the router?
    • NAT-PMP is very similar to UPnP but most often found on Apple devices. If a router supports NAT-PMP, check whether it can be disabled. According to Apple, NAT-PMP is included in OS X 10.4 or later, AirPort Extreme and AirPort Express networking products, AirPort Time Capsule, and Bonjour for Windows.
    • Steve Gibson's UPnP exposure test is the only way that I know of to test for UPnP being enabled on the WAN/Internet side of a router. Start at his ShieldsUP!, then click the gray "Proceed" button. On the next page click the big orange button labeled "GRC's Instant UPnP Exposure Test". I would take any router that fails this test out of service.
    • pfSense supports both UPnP and NAT-PMP but not only does it let you disable them, it also has some extra security of its own.
    • From How To Disable the UPnP Feature On Your NETGEAR Router: "By default, NETGEAR home routers have UPnP enabled, while the business routers have it disabled."
    • The D-Link DIR-880L router does not let you disable UPnP.
    • Eero enables UPnP by default, but you can disable it.
    • According to page 7 of the User Guide the Ubiquiti AmpliFi router has UPnP enabled by default, and it can be disabled.
    • The Google OnHub routers enable UPnP by default, but you can disable it.
    • To disable UPnP and NAT-PMP on a Pepwave Surf SOHO running firmware 6.3, go to the Advanced tab -> Port Forwarding. There are checkboxes for both UPnP and NAT-PMP. Each is disabled by default.
    • Based on reading the full documentation, two lousy sentences, Luma routers were initially running UPnP and you could not disable it. As of a software update from August 2016, UPnP can be disabled.
    • If you must use UPnP, then look for a router that offers detailed status information about the state of forwarded ports, such as the app that made the UPnP request and details on the currently active port forwarding rules. Some port forwarding rules come from UPnP and some don't. It is best to use a router that clearly shows which port forwarding rules came from UPnP requests. One router that does a great job of this is the TP-LINK Archer C7 and there is an online demo of the C7 user interface. Click on Forwarding, then UPnP to see its display of UPnP information, which includes a description of the application that initiated a UPnP request, the external port that the router opened for the application, the IP address of the LAN device that initiated the UPnP request, and more. Netgear KB Article 23020 has a screen shot of the UPnP Portmap table which shows what's going on with port forwarding due to UPnP.
    • An example of the router security enemy is the UPnP PortMapper program that can be used to "manage the port mappings (port forwarding) of a UPnP enabled internet gateway device (router) ... Port mappings can be configured using the web administration interface of a router, but using the UPnP PortMapper is much more convenient". Ugh.

  21. PORT FORWARDING
    • Can it be limited by source IP address and/or source IP subnet? The secure answer is yes. For example, both Real VNC and Apple Remote Desktop listen for incoming connections on TCP port 5900. Without this feature, anyone in the world can connect to these programs on that port. Bad guys scan the Internet to find devices that are listening on port 5900. With this feature, you can limit who is allowed to talk to the software on port 5900. The official term for this, I believe, is IP Filtering.
    • Can port forwarding be scheduled? If a techie uses Real VNC or Apple Remote Desktop to help a non-techie with their computer, but only does so in the evening, then this feature lets the forwarding of port 5900 be disabled in the morning, afternoon and late night.

  22. Is HNAP supported?
    The correct answer is no. The Home Network Administration Protocol has been the basis for multiple router flaws. In April 2015 it was found to make a number of D-Link routers vulnerable. In Feb 2014 it was used as part of an attack on Linksys routers (see this for more). The Linksys firmware in their classic WRT-54G supported HNAP. In 2010 HNAP was used to hack D-Link routers. As far as I know, there is no way to disable HNAP. There are two ways to check for HNAP support. First, ask the router vendor. If nothing else, this can be a great test of technical support. If the company can't or won't answer this question, their routers are best avoided. Peplink, my preferred router vendor, does not support HNAP - I asked them. For a technical test, try to load HTTP://1.2.3.4/HNAP1/ where 1.2.3.4 is the IP address of your router. This works from inside your network using the router's internal IP address. The real danger, however, is from the outside, so have someone try it from the Internet using the public IP address of your router which you can find at many sites such as ipchicken.com or checkip.dyndns.com. For good luck, also run this test on port 8080, which would look like HTTP://1.2.3.4:8080
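    The two-port check described above, as an added example in Python that is not from this page or from any vendor: it requests /HNAP1/ on ports 80 and 8080 of the address you give it and reports the ports where a successful reply mentions HNAP. The `fetch` parameter (so the logic can be exercised offline), the "HNAP in the body" heuristic and the 192.0.2.x addresses in the test are assumptions; run it against your own router's LAN address, or from outside against your own public address, as the text suggests.

```python
"""Check whether a router answers on the /HNAP1/ endpoint (added example)."""
import urllib.error
import urllib.request

HNAP_PATH = "/HNAP1/"


def http_fetch(url, timeout=5):
    """Default fetcher: return (status, body) or (None, "") if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""            # e.g. 404: the path is not served
    except (urllib.error.URLError, OSError):
        return None, ""              # closed port, timeout, no route


def hnap_exposed(host, ports=(80, 8080), fetch=http_fetch):
    """Ports on which GET /HNAP1/ returns 200 and the body mentions HNAP.

    Assumption: a router that serves HNAP answers this GET with an XML
    document that names the protocol, so the substring is used as the signal.
    """
    exposed = []
    for port in ports:
        status, body = fetch(f"http://{host}:{port}{HNAP_PATH}")
        if status == 200 and "HNAP" in body:
            exposed.append(port)
    return exposed


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed LAN address
    hits = hnap_exposed(target)
    print(f"{target}: HNAP answered on {hits}" if hits else f"{target}: no HNAP response")
```

A non-empty result means the router speaks HNAP and, per the text above, cannot be made to stop; a result seen from the public address is the case that matters most.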

  23. FIRMWARE
    • Can you be passively notified (typically via email) by either the router or the company that produced it, when there is new firmware? Peplink does this. See an example from December 2015, announcing firmware version 6.3. Most routers require you to seek out firmware updates on your own.
    • For a new router: does it attempt to update the firmware as part of the initial setup process? Tests run by the Wall Street Journal in early 2016 found that 10 out of 20 routers did not.
    • For an existing router: can it automatically update the firmware on its own? If so, see the next topic. While auto-updating may be appropriate for routers owned by non-techies, it is not always a good thing. Personally, I prefer to be in charge. This lets me install bug fix releases fairly quickly but delay new versions/releases.
    • How easy is the upgrade process? Better routers can completely handle a firmware update in the web user interface. Lesser routers force you to download a file, then upload it back to the router. This harder procedure makes it less likely router owners will update the firmware. Also, being able to handle the update completely in the router web interface means that the firmware upgrade can be done by a remote user.
    • The new firmware may reset some options. To protect against this, it's a good idea to manually back up all the current settings before upgrading. The Pepwave Surf SOHO always reminds you to do this. Does your router?
    • If there is a function in the web interface to check for new firmware, does it actually work? I can personally attest that many routers do not. David Longenecker writes that "Asus is notoriously inconsistent at keeping their auto-update servers up to date..." Tests run by the Wall Street Journal in early 2016 found 2 of 20 tested routers incorrectly reported their firmware was up to date.
    • Is the firmware downloaded securely? (HTTPS, SFTP or FTPS) There are two parts to this question, as the firmware may be downloaded by the router itself or by you manually from the vendor's website. Good luck answering this question.
    • Is new firmware validated before it is installed? Good luck answering this too. If it's not validated, then a bad guy or spy agency might be able to trick you or your router into installing maliciously modified firmware. In Feb. 2014 David Longenecker examined an ASUS RT-AC66R router in detail and found that it used no security at all in checking for, and downloading, new firmware.
    • Does the router support multiple installed firmwares? This great feature lets you back out from a firmware update that causes problems and thus eliminates most of the risk that always exists when installing new software. The best company I have seen here is Peplink/Pepwave which lets you easily reboot into the prior firmware. This can also help if a configuration change causes a problem. The Linksys EA6200 can also restore a prior version of the firmware.

  24. SELF-UPDATING FIRMWARE (added Sept 29, 2016, revised Feb 15, 2017)
  25. Routers that automatically update their firmware have their own issues. A list of self-updating routers is on the Resources page.
    • Is there an audit log of each firmware update issued by the router vendor? Something along the lines of what Microsoft provides for Windows 10.
    • Is there an audit log of each firmware update installed on your router? Only by comparing these two logs can you verify that the auto-update system is working correctly. Also, if you experience network problems, it is vital to know when the last firmware was installed.
    • How often does the router check for updates? Can you control this?
    • Can you be notified of firmware updates beforehand? Afterwards? If so, what type of notification?
    • If you are notified beforehand, can you schedule the firmware installation and the necessary reboots it entails?
    • Even if you are not notified of available updates, can you set a schedule for when installation/reboots are allowed? That is, reboot at 3am but not at 3pm.
    • Can you force the router to check for new firmware?
    • Can you force the router to update to newly available firmware, or do you have to wait for its regular check-in?
    • If you do nothing, how quickly will newly released firmware be installed? Eero promises to install new firmware "within a few weeks".
    • When the router phones home looking for updates, does it do so securely with TLS?
    • When the router downloads new firmware, does it do so securely with TLS?
    • Is newly downloaded firmware validated in any way, such as being digitally signed?
    • Does the router support multiple installed firmwares? (so you can fall back in case an update causes a problem) If not, then can you install old firmware if a new version caused a problem?
    • Is there a manual override mechanism for installing new firmware in case the auto-updating system fails?
    • Does the vendor document the changes in each firmware update? If so, do they do it well?
    • Can you tell what version of the firmware is now running? If it's a multi-device mesh router/system, then the question applies to each device.
    • How smart is the auto-updating system? Specifically, can it self-update within the same firmware version, but not when there is a major new firmware release? Synology offers this on their NAS boxes. You can configure the NAS to self-update from version 5.1 to 5.2 to 5.3, but not to automatically update to version 6.
    • Can you backup the router settings to a file? Pretty much any router can do this, but with auto-updating I wonder if that feature still exists.
    • In a mesh system involving multiple devices, do all the devices update their firmware at same time? If not, how is it handled?
    • In a mesh, what happens if one device gets new firmware but another device does not? Can the system run if the three devices are not on the exact same firmware release?
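    The properties the FIRMWARE and SELF-UPDATING FIRMWARE questions ask about (TLS for check-in and download, validation of the image, minor-only auto-updates in the Synology style, a reboot window, and an audit trail of what was decided) pulled together as one policy evaluator. This is an added example, not code from the checklist's author or from any router vendor; the manifest layout, field names, URLs and version strings are constructed for the example, and the manifest's SHA-256 stands in for the vendor signature check.

```python
import hashlib
from urllib.parse import urlparse

# Constructed sample image and manifest (not a real vendor's format). The
# manifest is what the router would fetch at check-in time over TLS.
SAMPLE_IMAGE = b"constructed firmware image bytes, not a real image"
SAMPLE_MANIFEST = {
    "version": "6.3.0",
    "check_url": "https://updates.example.com/router/manifest.json",
    "download_url": "https://updates.example.com/router/fw-6.3.0.bin",
    "sha256": hashlib.sha256(SAMPLE_IMAGE).hexdigest(),
}

# Audit trail of every decision: the per-router counterpart of the vendor's
# release log, so the two can be compared.
AUDIT_LOG = []


def parse_version(text):
    """'6.3.1' -> (6, 3, 1); a missing patch component is treated as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def url_uses_tls(url):
    """Only https qualifies; http, ftp and tftp leave the transfer open to tampering."""
    return urlparse(url).scheme == "https"


def image_matches_manifest(image_bytes, expected_sha256_hex):
    """Integrity check. A vendor signature over the image (public-key) belongs
    here as well; this example uses the manifest's SHA-256, fetched over TLS,
    as a stand-in because no cryptography library is assumed."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_sha256_hex.lower()


def _decide(manifest, image_bytes, running_version, hour_now, reboot_window):
    for key in ("check_url", "download_url"):
        if not url_uses_tls(manifest[key]):
            return "reject", f"{key} is not https"
    if not image_matches_manifest(image_bytes, manifest["sha256"]):
        return "reject", "SHA-256 mismatch: image corrupt or tampered"
    new = parse_version(manifest["version"])
    cur = parse_version(running_version)
    if new <= cur:
        return "up-to-date", f"running {running_version}"
    if new[0] != cur[0]:
        # Major release: notify the administrator, never install unattended.
        return "notify", f"major release {manifest['version']} needs approval"
    start, end = reboot_window
    if not start <= hour_now < end:
        return "defer", f"reboot allowed only between {start}:00 and {end}:00"
    return "install", f"minor release {manifest['version']} verified"


def evaluate_update(manifest, image_bytes, running_version, hour_now,
                    reboot_window=(1, 5)):
    """Decide what to do with a candidate firmware and record the decision.

    Returns (action, reason), action being one of:
    'reject'     transport or integrity check failed; never install
    'up-to-date' nothing newer is offered
    'notify'     a major release: tell the admin, do not auto-install
    'defer'      minor release but outside the allowed reboot hours
    'install'    minor release, verified, inside the reboot window
    """
    decision = _decide(manifest, image_bytes, running_version, hour_now, reboot_window)
    AUDIT_LOG.append((running_version, manifest["version"], hour_now) + decision)
    return decision


if __name__ == "__main__":
    print(evaluate_update(SAMPLE_MANIFEST, SAMPLE_IMAGE, "6.2.1", hour_now=3))
    print(evaluate_update(SAMPLE_MANIFEST, SAMPLE_IMAGE, "6.2.1", hour_now=15))
    print(evaluate_update(SAMPLE_MANIFEST, SAMPLE_IMAGE, "5.4.0", hour_now=3))
```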

    As for answering these questions, my experience with self-updating routers has been minimal. However, someone from Linksys was kind enough to address these issues (Feb. 2017) for their routers. I created a new page here for Self Updating Router Firmware and hopefully I can get answers from other router vendors too.



  26. Is the router vulnerable to the Misfortune Cookie flaw? This is not something we can test for ourselves, nor is there a full list of vulnerable routers anywhere. We need to have the router manufacturer issue a statement. So this is really a test of how the router vendor handles security issues. Did they post anything on their website? If you ask them, will they intelligently respond? The bugs page on this site links to responses from Actiontec and Peplink that their routers are not vulnerable. I looked for a Netgear response and could find nothing. ZyXEL patched some of their routers but not others. If a company is not forthright about this flaw, then you know that they can't be trusted to make a secure product. And, even if they were vulnerable, but issued updated firmware, I would also be concerned as this means they shipped extremely old software.

  27. Can it block access to a modem by IP address? See my blog posts on this: part one and part two.

  28. LOGGING: (revised Nov. 23, 2015)
    • Is there a log file (or files)? There should be, and hopefully, the data in the log is reasonably understandable and useful. I find the log created by Asus routers all but worthless. An old Verizon DSL gateway, the D-Link 2750B, had both a System Log and a Security Log. The Pepwave Surf SOHO has a single log file. The D-Link 860L has three log files: System, Firewall & Security and Router Status.
    • Does it log unsolicited incoming connection attempts? I consider this particularly interesting as it helps to illustrate how dangerous the Internet is and why a secure router is important. It's one thing to be preached to about how dangerous the Internet is, but quite another to see evidence of computers all over the world trying to hack into your router. If you see computers from China trying to access certain ports on the router, you can research the ports, try to close them, or forward them to a non-existing local IP address. This may be asking too much of a router (that is, it may require a NGF or UTM).
    • Does it log failed logon attempts? Successful logons? Failed logons are obviously good to know about, but so too are successful logons, just in case the person in charge of the router was not the one who successfully logged in. Hopefully, the logged information includes the source IP address.
    • Is anything logged when a new device joins the LAN? It would make a great audit trail if the router logged the client MAC address every time a new device joined the network. As of Firmware 6.3, released in Jan. 2016, Peplink can optionally log each time an IP address is given out by its DHCP server. There is no option, however, to log the appearance of a new device with a static IP.
    • Can it log all Internet access by a single device? In Nov. 2015 it came to light that a Vizio Smart TV was watching you and phoning home screen shots, even when it was playing video from an external source (think Roku and DVD). This feature lets you keep a close watch on any such "smart" device. It can be used to track children online. My favorite router company, Peplink, is due to roll out this feature in Firmware version 6.3 by the end of 2015.
    • Does it log changes made to the router configuration? Peplink does a poor job of this; their log typically just says "Changes have been applied" with no indication of what was changed. On the other hand, the D-Link 860L logs nothing at all, not even the fact that something changed. The best I have read about are some DrayTek routers that create an audit trail/log of all admin access/activity.
    • Do the log files disappear when the router is powered down? If so, it makes it that much harder to spot trends or changes. The logs on the D-Link 860L are wiped out when it is powered off. This is not true on the Pepwave Surf SOHO.

  29. EMAIL: (added Nov. 19, 2015)
  30. Can the router send an email message when something bad happens?
    • If so, what types of errors can it email about? At the least, it should be able to send an alert if one of the log files fills up.
    • This is particularly useful for multi-WAN routers, that is, routers that are connected to two or more ISPs. When one Internet connection fails, it can use another to send an alert email. Peplink is great at this.
    • Can messages be sent to only one recipient or to many?
    • I have not seen a router that can send a text message, but there are services that convert emails into texts.

  31. DDNS:
  32. Not everyone needs DDNS; it is mostly used for remote administration. If you do need it, there are some options to look for.
    • Does the router phone home to the DDNS provider using HTTP or HTTPS? Good luck trying to figure this out. The DDNS provider may have a log file that you can check or use this as a test of technical support.
    • How many DDNS providers are supported? The more the better. Also good, not being limited to Dyn.

  33. MONITORING ATTACHED DEVICES:
  34. It's nice to know who/what is connected to the router.
    • A good router will offer, at a glance, a list of all the attached devices. Having them all shown on one screen makes it easy to spot anything out of the ordinary. This screen shot from a Pepwave Surf SOHO shows that it uses a space-saving single line per attached client.
    • Along with this, a great feature to have is the ability to give friendly names (e.g. Susan's iPad, Joe's laptop) to the attached devices. This, too, should make it easier to spot new devices. The name column of the Surf SOHO display of attached clients is editable, allowing you to enter anything that makes sense to you. The Ubiquiti AmpliFi could not do this initially, but a later firmware update added this ability.
    • I used to have a router that would only show devices with a DHCP assigned IP address. You never knew about any devices with static IPs, which stinks. In December 2014, Chris Hoffman wrote "Many routers simply provide a list of devices connected via DHCP". Hopefully this gets phased out over time.
    • Internet sessions/sockets: It can be very handy to see all the connections a LAN-resident device has to the Internet. For one, you can verify that a VPN is working the way it is supposed to, that all traffic flows over a single encrypted link to a VPN server. You can also use it to verify that an online banking app really has a secure connection to the bank. And, you can use it to check if a Smart TV is phoning home and reporting on your viewing habits. Among the routers that report on this level of detail are the D-Link DIR860L and my favorite, the Pepwave Surf SOHO. (added Nov. 17, 2015)
    • Non-security: If the router is creating multiple WiFi networks, it is nice to see which devices are connected to which network. The Pepwave Surf SOHO does this in the "Network name (SSID)" column.
    • Non-security: It's nice to be able to see the signal strength, from the router's perspective, for each attached wireless device. The Pepwave Surf SOHO does this in the "Signal" column.
    • Non-security: Another nice monitoring feature is showing the current bandwidth used by each connected device. The Pepwave Surf SOHO does this in the "Download" and "Upload" columns. It defaults to kbps but can be changed to Mbps.
    • Non-security: It's nice to have a bandwidth history. The Pepwave Surf SOHO offers a daily bandwidth summary showing total Upload and Download Megabytes. From the daily summary, you can drill down to an hourly summary. From the hourly summary, you can drill down to each specific device within that hour.
    • Hiding on the LAN: Here is an oddball case that I ran across. A device may be able to hide from the router, if it only talks to devices on the LAN and never makes a request out to the Internet. That is, if it only makes use of the switch in the router, but never the higher level functions of the device. You can test this if you have a printer or a NAS with a static IP address. Reboot your router, then, from a computer on the LAN, send an HTTP request to the device with the static IP address and get back a web page. Then check the router list of attached devices. Does the router show the printer/NAS/whatever as being on the network? Maybe not. Yet, it communicated with a device on the LAN.

  35. Can you disable the file sharing of storage devices plugged into a USB port? This came up in May 2015 with the industry-wide NetUSB flaw. Some routers let you disable the buggy file sharing, others did not. Netgear, for example, admitted there was no way to disable the flawed file sharing software. NetUSB was the second file sharing flaw that I am aware of. Asus had a bug here that exposed files on a storage device plugged into a USB port to the Internet at large.
    If you must use a router to share files, then look for one that offers a way to safely disconnect the USB storage device. At least some Linksys routers have a Safely Remove Disk button. TRENDnet labels their button Safely Remove USB Device. And, just for good luck, avoid putting sensitive files on the storage device plugged into the router. My suggestion, however, is to look for a low end Synology or QNAP NAS device. As of May 2015 the cheapest Synology NAS (model DS115j) is $100 without a hard drive. QNAP seems to start around $120, also without a hard drive.

  36. Access to the web interface of a router is typically done via IP address. But dealing with IP addresses may well be too much for non-techies. Thus, to make things easier (almost always a security issue in the making) for people, some router companies offer fixed names. This lets someone on the LAN get into the router with http://something.easy rather than http://1.2.3.4. Netgear uses www.routerlogin.com and www.routerlogin.net. TP-LINK uses tplinklogin.net, Asus uses router.asus.com, Netis uses netis.cc, Edimax uses edimax.setup, Amped Wireless uses setup.ampedwireless.com, Linksys uses myrouter.local and linksyssmartwifi.com. According to RouterCheck.com (the page is both undated and un-credited) this is a security weakness. Even if you follow the advice offered on this site, and elsewhere, to use a non-standard local subnet (such as 10.11.12.x) bad guys can still find your router (most likely via CSRF in a malicious web page) using these aliases. In addition, none of the router vendor documentation indicates that any of these names support HTTPS, which should always be used when logging in to a router.

  37. SSID hiding: (added Nov. 11, 2015) Like MAC address filtering, this offers only a small increase in security and comes with a high hassle factor. It was not included here at first, because I had not run across a router that did not offer it. But, there may well be some. Some routers, like those from Google, are focused on ease of use for non-techies and thus throw many features overboard. They, and others, may well omit this feature. Not sure.

  38. Smartphone apps: (added June 12, 2016)
  39. Security when administering a router via a web browser is easily understood, but smartphone apps are different.
    • Does the app talk directly to the router or does it talk to the hardware vendor?
    • Does the app communicate with Bluetooth or WiFi?
    • If the app uses WiFi, is it HTTP or HTTPS? See also the section above on securing local admin access.
    • If the app uses Bluetooth, how secure is it? I am not familiar with Bluetooth security. Eero and Luma both use Bluetooth.

  40. OOBE: (added June 12, 2016) Can the router, out of the box, be configured off-line? If not, then the hardware company is interposing itself in a way that is too conducive to spying. This is a fairly new issue; I first ran across it with the new mesh router systems targeting consumers. Eero fails this test. In fact, Eero wants your phone number before the router can be configured. And, even ignoring privacy issues, this probably means that if the hardware vendor goes out of business the router is useless. The Ubiquiti AmpliFi and the Netgear Orbi mesh router systems do not require a vendor account. Luma not only requires an account, but you can't even set up the router if location services are disabled on the device running its mobile app.

  41. NEW DEVICE NOTIFICATION: (updated Aug 9, 2017)
  42. As the administrator of a Local Area Network, I would like to be dinged every time a new device gets onto the network. The ding could be a text message, an email, perhaps even a beep sound. Something, to alert me about a device (really a MAC address) that has not been seen before. Or, maybe even a device that has been seen before.
    • Eero claims their routers will do this, but I have not seen a review that mentioned it.
    • The User Guide for the Norton Core router says it can do this for the Guest Network, but it's not clear if it can also do it for the main network.
    • The Aztech AIR-706P router is managed by the Aztech Smart Network mobile app. According to this Aug 9, 2017 article, it has a Wi-Fi Connect feature that can push a notification to a mobile device when something connects to the router.
    • Luma says that their router "automatically recognizes any new devices in your home, and lets you grant or deny them access with a quick swipe." Again, I have not seen a review that mentioned this feature. A Nov. 2016 article on SmallNetBuilder said "If an unknown device is found on the network, Luma can send a notification through the app, alerting the owner of the unidentified device." The article, however, was a paid ad.
    • The User's Guide for the Amped Wireless ALLY routers says "ALLY notifies you of important events on your network ... for example when a new device joins your network." It is not clear if this includes previously seen devices logging on again to the network.
    • A company called SkyDog used to offer this feature, but they disappeared in July 2014 when Comcast bought the company.
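    What the LOGGING and NEW DEVICE NOTIFICATION sections ask a router to provide (a record of unsolicited inbound attempts, failed and successful admin logons with their source, and a ding whenever a MAC address not seen before takes a DHCP lease), shown as detection logic run over a router log. This is an added example, not code from the checklist's author; the log lines, their syslog-like layout, the device names and the known-device list are all constructed, and the public addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed router log excerpt in a generic syslog-like layout (not the
# format of any specific vendor).
SAMPLE_LOG = """\
Jan 10 03:12:01 router dhcpd: DHCPACK on 192.168.1.23 to 3c:5a:b4:11:22:33 (susans-ipad)
Jan 10 03:12:44 router firewall: DROP IN=wan SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP DPT=23
Jan 10 03:12:45 router firewall: DROP IN=wan SRC=203.0.113.7 DST=198.51.100.9 PROTO=TCP DPT=2323
Jan 10 03:13:02 router httpd: login failed for user admin from 192.168.1.50
Jan 10 03:13:09 router httpd: login failed for user admin from 192.168.1.50
Jan 10 03:13:20 router httpd: login ok for user admin from 192.168.1.50
Jan 10 03:15:00 router dhcpd: DHCPACK on 192.168.1.77 to 00:11:22:aa:bb:cc (unknown-device)
Jan 10 03:16:00 router dhcpd: DHCPACK on 192.168.1.23 to 3c:5a:b4:11:22:33 (susans-ipad)
"""

# Devices the administrator has already given friendly names to; only MACs
# outside this set trigger a new-device alert.
KNOWN_MACS = {"3c:5a:b4:11:22:33"}

DHCP_RE = re.compile(r"DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-f:]{17}) \((?P<name>[^)]*)\)")
DROP_RE = re.compile(r"DROP IN=wan SRC=(?P<src>\S+) .*PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)")
LOGIN_RE = re.compile(r"login (?P<result>failed|ok) for user (?P<user>\S+) from (?P<src>\S+)")


def parse_line(line):
    """Return (kind, fields) for a recognised line, or None for anything else."""
    for kind, rx in (("dhcp", DHCP_RE), ("inbound", DROP_RE), ("login", LOGIN_RE)):
        m = rx.search(line)
        if m:
            return kind, m.groupdict()
    return None


def analyze_log(text, known_macs):
    """Walk the log once and collect the evidence the checklist asks for."""
    report = {
        "new_devices": [],             # (mac, ip, name) first seen in this log
        "inbound": defaultdict(list),  # source ip -> destination ports probed
        "failed_logins": Counter(),    # source ip -> count
        "successful_logins": [],       # (user, source ip)
    }
    seen = set(known_macs)
    for line in text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        kind, f = parsed
        if kind == "dhcp" and f["mac"] not in seen:
            seen.add(f["mac"])
            report["new_devices"].append((f["mac"], f["ip"], f["name"]))
        elif kind == "inbound":
            report["inbound"][f["src"]].append(int(f["dport"]))
        elif kind == "login" and f["result"] == "failed":
            report["failed_logins"][f["src"]] += 1
        elif kind == "login":
            # Successful logons matter too: was it really the administrator?
            report["successful_logins"].append((f["user"], f["src"]))
    return report


def alerts(report, failed_threshold=2):
    """Turn the report into the notifications an administrator would want."""
    out = [f"new device {mac} ({name}) got {ip}" for mac, ip, name in report["new_devices"]]
    out += [f"{src} probed ports {sorted(set(ports))} from the Internet"
            for src, ports in report["inbound"].items()]
    out += [f"{n} failed admin logins from {src}"
            for src, n in report["failed_logins"].items() if n >= failed_threshold]
    out += [f"admin login as {user} from {src}" for user, src in report["successful_logins"]]
    return out


if __name__ == "__main__":
    for line in alerts(analyze_log(SAMPLE_LOG, KNOWN_MACS)):
        print(line)
```

A device with a static IP never takes a lease and so never appears here, which is exactly the gap the "Hiding on the LAN" item above describes; only a router that logs new MACs at the switch level would close it.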


  43. RECENT DEVICES (added August 9, 2017)
    It would be nice if a router displayed a list of devices that had recently been on the network. This makes it easier to audit for devices that should not be there. Eero and the Norton Core router do this. Peplink sort of does this. Its display of currently attached devices, includes devices that are not currently attached but were recently attached. I think devices are included in the display until the lease on their IP address expires. Peplink can also log to its Event Log every time its DHCP server gives out an IP address.

  44. Internal security: (Added Nov. 17, 2016) Many new routers are sold as a set of devices, commonly referred to as a mesh. A better term would be a router system, and examples are Google Wi-Fi, Netgear Orbi, Eero, Ubiquiti AmpliFi and Luma. This raises the question, for which I have no answer, of how the communication between the two or three devices in a router system is protected.

  45. Trend Micro: (Added May 4, 2017) Considering the EULA that Trend Micro requires router owners to agree to, it may be best to avoid routers that include Trend Micro software. The EULA notes that web page URLs and email messages may be sent to Trend Micro. For more, see Review: ASUSWRT router firmware by Daniel Aleksandersen (May 2017) and The Asus RT-AC68U router - it's fast but it also secure? by John Dunn (July 2015).

Rare security features

It can be argued that VLAN support belongs in the list above and I may add it at some point. It's certainly a security feature and not all that rare. VLANs (Virtual LANs) let you logically divide a single LAN into isolated sections. If attackers gain access to one section of the network, the VLAN prevents access to other areas of the same network. Sony Pictures would have been well advised to employ VLANs, it would have limited the damage from their breach. Security is also much improved by isolating IoT (Internet of Things) devices as much as possible. VLANs are not in the list above because many people get close enough to the VLAN experience with Guest networks. One difference, however, is that a VLAN is a separate subnet, a feature that Guest networks are not likely to include. I use a VLAN isolated wireless network at home for assorted devices that only need Internet access and do not need to see a network printer or a NAS box, let alone the computers on the LAN. The Pepwave Surf SOHO can even prevent this network from directly accessing the router. VLANs are not just for Wi-Fi, some routers, such as the Pepwave Surf SOHO and the Ubiquiti Edge Routers, can put each Ethernet LAN port into its own VLAN.

VPNs and Tor: a router that can function as a VPN server lets you connect to it securely when traveling. To me, no big deal. A router that can function as a VPN or Tor client can provide some security to multiple devices, even those that are unable to use a VPN or Tor on their own.

The Portal router, which is expected to start shipping late Summer 2016 has an unusual take on Guest networks. Exactly what it is, however, is not clear from their documentation which says: "You never need to give out your network password, and your guests never need to remember it. Granting Guest Access is done using the Portal App, which uses Facebook credentials or email addresses. Guest Access is time and distance controlled, making it very secure. Whenever a device that has been granted Guest Access is within range of your network, Portal automatically creates a guest network with random SSID and credentials. This information is securely exchanged over Bluetooth. When the guest device leaves your network, Portal deletes the guest network and credentials." Sounds interesting, I hope to fully understand it someday.

This may be asking too much, as I have not run across it anywhere: the ability to modify the Ethernet MAC address that is used as the base of WiFi networks. This would allow a router of brand X to masquerade as brand Y. This is a common feature, but I have only seen it apply to the WAN port. It exists because some ISPs use the MAC address as part of their security. I would also like it on the LAN WiFi side of things.

Germany

October 24, 2015: The German government, concerned about poorly secured routers, is considering a security rating system for routers. Using a checklist somewhat analogous to this one, routers will be given points for features that increase security. See German Govt mulls security standards for SOHOpeless routers.

Some non-security features to look for

Wake-on-LAN. It's not a security issue, but it is nice to have. Grandma's out at a movie? Log in to her router, turn on her computer remotely, install bug fixes for her and then turn it off :-) Asus routers have done this for a long time. Peplink introduced WOL in firmware version 6.3 in December 2015.

Kick the kids off the Internet at bedtime. This can be done a few ways. Perhaps the best approach is to have a dedicated network/SSID for the kids to use, keeping the passwords for other WiFi networks a secret from the children. Then, a router with scheduling ability can disable the kiddy network at bedtime. This can also be done using a single network/SSID, but then you have to deal with identifying individual devices either by their MAC address or their IP address. This takes a bit more technical skill, is a bit more of a hassle to set up and maintain, and requires that a specific device is always used by the same person.

Context sensitive help. That is, rather than having to refer to a separate monolithic manual, that may or may not be kept in sync with the firmware, it is best to have help directly available in the web interface.

Speed tests: Some routers can run their own speed tests. To really know how fast your Internet connection is, requires an Ethernet connected device plugged directly into the modem, no router at all. But, a router running its own tests should be good enough.

I prefer external antennas to internal ones as they are more flexible. I also prefer removable external antennas as they can be replaced if broken. They can also be upgraded should the need arise.

Ethernet lights: When things go wrong, it can be handy to have Ethernet status lights. There are two aspects to this. The main body of some routers has indicator lights for each LAN side Ethernet port. I prefer this; the more information provided, the better. Also, the Ethernet port itself may have two lights, indicating the link status/speed and activity. The lights on the Ethernet port often indicate the link speed (normally 100Mbps or 1,000Mbps) and, when blinking, that data is being transmitted. Plus, just their being on at all tells us something about the link.

Some routers have done away with the lights on top/front and/or the lights on the Ethernet ports. For example, the TP-LINK Archer D9 has a single Ethernet light on the front - beats me how it indicates the status of multiple Ethernet ports. Still, it is a step up from the $300 D-Link DIR 890L/R, released in February 2015 that has no Ethernet lights at all on the top. The Amped Wireless RTA1750 is unusual in that its Ethernet status lights on the front are all white. And, if you don't like them, there is a switch that turns them all off. The Asus RT-AC68U also has a button to turn off all the lights. I read that the upcoming Synology RT1900ac router (scheduled to be released some time in 2016) will let you schedule the status lights. Thus, you could have them on during the day, but off at night.

Documentation: Find the User Guide for the router. Look at the first two pages. Is there a date that the manual was written? Does it show the version/release the manual applies to? Is there a Last Update date? This offers a glimpse into the professionalism of the company that made the router. If the manuals are missing basic information, such as a date and version number, the company is running a second class amateur operation. Another give-away is the failure to update the User Guide to reflect changes in the firmware.

Apple fails this test. The latest setup guide that I could find for the AirPort Extreme router has no date and no version number. A check in June 2015 for AirPort manuals turned up no manuals from 2014 or 2015. The AirPort Extreme manual was from June 2013, the AirPort Express was from June 2012. Worse still, the only manuals Apple offers are short Setup Guides. They don't have a long User Guide.

Website blocking is arguably a security feature, but an optional one. I have only tested it on two routers but in both cases it was lame. Each router would block HTTP access to the site, but failed to block HTTPS access. And, if you use this feature, you also need to be able to carve out exceptions which may mean learning the MAC address of privileged devices or giving them a static IP address or using DHCP reservations. And, if a router blocks sites by name, then chances are that direct IP address reference to the website will not be blocked. So, I left it out of the checklist above.



Elyssa D. Durant 
Research & Policy Analyst
Columbia University, New York