Some time back I did a blog post here on routers, router hacking, back door commands, and other interesting things. I was doing some emailing with a friend in Germany and I wanted to hunt that post down for him. Yet for some reason I can't find it. I know I didn't delete it. I have never deleted any of my blog posts, no matter what the topic or results have been. Yet... it's gone. With that said, I'm going to post this information again, with a bit more detail and advice. :)
I've been around the block with computers. 35 (or so) years of building, supporting, and programming them does give me a little insight into how they operate. I myself am certainly not a "hacker" per se. And I don't profess to be a real security "expert". I know enough to know some of the simple things to watch for, and how to go about protecting against them, to the best of my simple abilities.
Back in the summer of 2012, I took a screenshot of a program I use called WallWatcher. This program monitors my router and reports, in real time, all of the incoming and outgoing connections, the protocols used, the remote and local IP addresses involved, and the port information for every packet sent or attempted. It also reports attempted connections in both directions.
I was having a terrible time with internet stability, and quite often, just going to Google Dot Com, my system would freeze up. My router would at times go into an infinite loop of cold starts, which made all forms of communication impossible. Other times, there would be a "hiccup", and some stuff would come back. I realize some of you are going "huh?" so let me explain.
Within the configuration pages of your router (most people have one of those now) are places where you can do things like port forwarding, and allowing certain ports to be open that normally would not be. If you are a gamer, you are probably aware of what I mean. :) When you make a change in one of these configurations and hit the "save" button for it, the router stores those changes and then sends out (what's referred to as) a "warm start" command. This allows the changes to be applied, usually without affecting anything else you have going on. Kind of like plugging in a USB device with your computer system running. A cold start is essentially the same thing as taking the power away from the router. No power, no communications.
Anyway, I checked my WallWatcher program, and took this screenshot of what happened back in June of 2012.
The entries in yellow are the router reset commands being performed. If you notice that really long entry in the message area, you can see that it's going to some absurdly weird place at Google. And immediately, it went into a cold start. I did nothing more than open a web browser and go to Google. I did no search, entered nothing in the search area, pressed no buttons... and my router was attacked. I say "attacked" because doing a remote cold start is something restricted to higher-end routers, and should, by any definition of security, only be allowed by a top-level system administrator who has been authorized to do those functions. My router is not "high end", and sure as hell Google is not authorized for anything of this nature.
I also use another program called PeerBlock. It's great "open source" software that I use to stop annoying advertising, and other such things. Anyway, over several months, I have built up a list of many IP addresses that I have (painfully) encountered, of many MANY other sites that also send out weird code to cause my router to cold start. They ALL have that same form of really long weird name, and for the most part, those IPs belong to systems that are part of "the cloud" network.
When clouds first started appearing on the internet many years back, hitting one of them would at times bring up a pop-up box with legal terms about what a cloud is, what you are allowed to do, etc. One of the things mentioned in that agreement was that cloud servers, by default, are allowed to control ports on your computer, supposedly in order to enforce the rules of the server. And around the same time in technology, newer routers began appearing on the market, replacing older models.
Older routers had a feature where you could enable "remote logging", which allowed the router to report what it was doing to an internal port on the system. This is the feature that WallWatcher and other log reporting software uses to display "in English" what is going on. A super powerful thing to have, for those wanting to know what's happening. All of the newer routers have had that feature removed.
Oh sure, you can still get a log report, the manufacturers tell you. But you have to open your router configuration page, go to the report page, and open the report, which appears in a web browser. And it only shows a few things, with the information being 'static', not in real time. In order to get the current information, you have to refresh the webpage. Hell, if you refreshed the page even every 5 seconds, you could easily miss thousands of "hits". So all of the router manufacturers have essentially left you in the dark. On purpose.
Why? Well, with the cloud now being out, they didn't want to cause people any worry about their ports being accessed, and a real time log display could
If you think cloud servers are still cute, then open your router log web page and note the information. Then go to a known cloud server web page in a new browser window. Go back to your router configuration, change or make up some port setting changes, enable them (you can clear all this later) and save the changes. Go back to your router log file and look at the new entries. I'm betting you will find additional probing, just from sitting on a cloud server. You see, it SAW those changes made, and it was curious what the heck you were doing. Of course, much of this depends on how your router logs work. By the way, even the desktop version of TweetDeck appears to have some minor cloud association with it. I've noticed a few minor probes coming from them when I make my own router changes... 2 or 3 tiny queries of some kind. Whereas many other sites can send out requests 20 or 30 times.
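For readers who want to do the real-time watching and the before/after log comparison described above without a commercial tool, here is a small Python example. It is added here and is not code from WallWatcher, PeerBlock or any router vendor. It assumes a router that can forward its log as syslog datagrams to a listener on the LAN, and it parses a constructed line format (the "OUT TCP src:port -> dst:port" and "cold start" lines below are made up for the example; every real router has its own format, so the regular expressions would need adjusting). All addresses in the sample log are private or documentation ranges, and the listening port 5514 is an assumed choice.

```python
"""Tiny router log watcher: parse forwarded log lines, flag restarts, count remote
addresses, and list what appeared since a snapshot. Added example, not WallWatcher
or vendor code; the line format is constructed and must be adapted to a real router."""
import re
import socket
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

# Timestamp prefix shared by both line kinds, e.g. "Jun 14 10:02:17".
_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
# Connection line (constructed format): "<ts> <host> <tag>: OUT TCP src:port -> dst:port"
_CONN_RE = re.compile(
    _TS + r" \S+ \S+: (?P<dir>IN|OUT) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Restart line (constructed format): "<ts> <host> <tag>: warm start" or "cold start"
_RESTART_RE = re.compile(_TS + r" \S+ \S+: (?P<kind>warm|cold) start$")
# Syslog datagrams start with a "<PRI>" field; strip it so raw UDP payloads parse too.
_PRI_RE = re.compile(r"^<\d{1,3}>")


@dataclass(frozen=True)
class LogEvent:
    ts: str
    kind: str            # "conn" or "restart"
    direction: str = ""  # "IN" / "OUT" for connections
    proto: str = ""
    src: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0
    detail: str = ""     # "warm" or "cold" for restarts

    @property
    def remote(self) -> str:
        """The non-LAN side: source of an inbound entry, destination of an outbound one."""
        return self.src if self.direction == "IN" else self.dst


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one log line; returns None for lines this parser does not recognise."""
    text = _PRI_RE.sub("", line.strip())
    m = _CONN_RE.match(text)
    if m:
        return LogEvent(m["ts"], "conn", m["dir"], m["proto"],
                        m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
    m = _RESTART_RE.match(text)
    if m:
        return LogEvent(m["ts"], "restart", detail=m["kind"])
    return None


def parse_lines(lines: Iterable[str]) -> List[LogEvent]:
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def restarts(events: Iterable[LogEvent]) -> List[Tuple[str, str]]:
    """(timestamp, warm|cold) for every restart; a cold start you did not trigger deserves a look."""
    return [(e.ts, e.detail) for e in events if e.kind == "restart"]


def remote_counts(events: Iterable[LogEvent]) -> Counter:
    """How many connection entries each remote address accounts for, in either direction."""
    return Counter(e.remote for e in events if e.kind == "conn")


def new_entries(before: List[LogEvent], after: List[LogEvent]) -> List[LogEvent]:
    """Entries in `after` that were not in `before`: snapshot the log, make a router
    change, read the log again, and see what showed up. Identical lines collapse."""
    seen = set(before)
    return [e for e in after if e not in seen]


def listen(port: int = 5514, handler: Callable[[LogEvent], None] = print) -> None:
    """Receive syslog datagrams forwarded by the router and pass parsed events to `handler`.
    514 is the syslog convention but needs privileges; 5514 is an assumed alternative."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, _addr = sock.recvfrom(4096)
            event = parse_line(data.decode("utf-8", errors="replace"))
            if event is not None:
                handler(event)


# Constructed sample log using RFC 1918 and RFC 5737 documentation addresses only.
SAMPLE_LOG = [
    "Jun 14 10:02:17 router kernel: OUT TCP 192.168.1.10:49152 -> 203.0.113.5:443",
    "Jun 14 10:02:17 router kernel: IN TCP 203.0.113.5:443 -> 192.168.1.10:49152",
    "Jun 14 10:02:18 router kernel: IN UDP 198.51.100.7:53 -> 192.168.1.10:60001",
    "Jun 14 10:02:19 router kernel: cold start",
    "Jun 14 10:02:20 router kernel: IN TCP 203.0.113.77:44321 -> 192.168.1.1:8080",
    "Jun 14 10:02:21 router kernel: some message this parser does not understand",
]

if __name__ == "__main__":
    events = parse_lines(SAMPLE_LOG)
    print("restarts:", restarts(events))
    print("busiest remotes:", remote_counts(events).most_common(3))
    print("new since snapshot:", new_entries(events[:3], events))
```

Run it as-is to see the sample log summarised; to watch a real router, point the router's remote logging at the machine's address and the chosen port, then call `listen()` and feed each `LogEvent` to whatever handler you like (the default just prints). The snapshot comparison in `new_entries` is the scripted form of the "note the log, change a port setting, look again" check described above.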
And for me... I have to say... THIS is MY computer. What I do in the way of router changes is NONE of your business! If your website or cloud server is SO poorly programmed that you "can't take a chance" on what I did, then ... grow up.
As for the "security of the cloud", well... here are my thoughts. Yes, by all means, if one server goes down, the rest of them in "the cloud" can still probably serve your internet request. Some cloud servers network within the same data center, and some network among other data servers in other locations, which could be hundreds of miles (or more) away. After all, this is the internet. :)
One would tend to suspect that if one of those servers could be hacked (and it happens)... just think of the huge amount of data, OR monitoring, that could be accessed or watched over.
There are a lot of people out there, that do a lot of bad things. There is a lot of spying going on. Draw your own conclusions on who may be accessing what, and ask yourselves what about the bigger picture down the road. Will there be back door commands that will eventually allow those "big brother" types to gain access to your system?
On the plus side, all is not lost. There ARE places where you can get great 'open source' firmware to restore and upgrade your router's operation. WARNING! If you choose to take this route, then search and read and re-read everything you can about exactly the steps you need to take. If you fail to do this properly, you can "brick" your router, at which point you may have to toss it. Just saying...
I recommend the DD-WRT site for the firmware and TONS of information, including forums and wiki stuff... and for an example, check out this PCWORLD article for some general information.