Saturday, March 31, 2018

Upgrade your dependencies!

I recently revisited an old repository on my public GitHub, and I was impressed by how good the platform is: as soon as I opened the repository, I was greeted by a big yellow banner alerting me to a dependency vulnerability.

One of my JS dependencies is vulnerable! But when I checked the vulnerable dependency, I was surprised by how the vulnerability actually reaches me.

It is a dependency of one of my dependencies, and then I started wondering how many other packages or systems can be affected by things like this! It is not just a dependency; it is a dependency I trusted because I trusted Chart.js.
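To see how a vulnerability in a package you never chose still reaches your project, here is an added example (not code from the post or from Chart.js) that walks a lockfile from the direct dependencies and prints the path to every advisory-listed package. It assumes the npm v1 lockfile layout, and the package.json entries, lockfile and advisory list are all constructed samples: "vuln-lib" is a placeholder name, not a real package.

```python
"""Trace how an advisory-listed package reaches a project through its
dependency graph, using the npm v1 lockfile layout (a flattened "dependencies"
map plus per-package "requires"). Every value below is a constructed sample."""
import json
from typing import Dict, List, Optional, Tuple

# Constructed package.json direct dependencies.
DIRECT_DEPS = {"chart.js": "^2.7.0", "left-lib": "^4.0.0"}
# Constructed package-lock.json. "vuln-lib" is a placeholder package name
# that only enters the tree because chart.js requires it.
SAMPLE_LOCK = json.loads("""{
  "dependencies": {
    "chart.js": {"version": "2.7.0", "requires": {"vuln-lib": "^1.0.0"}},
    "vuln-lib": {"version": "1.0.3"},
    "left-lib": {"version": "4.1.0", "requires": {"helper-lib": "^0.2.0"}},
    "helper-lib": {"version": "0.2.1"}
  }
}""")
# Constructed advisory list: package name -> first fixed version.
ADVISORIES = {"vuln-lib": "1.1.0"}

def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

def resolve(scopes: List[dict], name: str) -> Optional[dict]:
    """Node-style lookup: the nearest enclosing "dependencies" map wins."""
    for deps in reversed(scopes):
        if name in deps:
            return deps[name]
    return None

def find_vulnerable_paths(direct: Dict[str, str], lock: dict,
                          advisories: Dict[str, str]) -> List[Tuple[str, ...]]:
    """Return each path (direct dep, ..., affected package) whose last
    package is below the advisory's fixed version; length 1 means direct."""
    hits: List[Tuple[str, ...]] = []
    def walk(name: str, path: Tuple[str, ...], scopes: List[dict]) -> None:
        pkg = resolve(scopes, name)
        if pkg is None or name in path[:-1]:  # unresolved, or a cycle
            return
        fixed = advisories.get(name)
        if fixed and version_tuple(pkg["version"]) < version_tuple(fixed):
            hits.append(path)
        child_scopes = scopes + [pkg.get("dependencies", {})]
        for dep in pkg.get("requires", {}):
            walk(dep, path + (dep,), child_scopes)
    for root in direct:
        walk(root, (root,), [lock.get("dependencies", {})])
    return hits

for p in find_vulnerable_paths(DIRECT_DEPS, SAMPLE_LOCK, ADVISORIES):
    print(("direct" if len(p) == 1 else "transitive") + ": " + " -> ".join(p))
```

On the sample this reports a single transitive hit, chart.js -> vuln-lib, which is exactly the situation the banner described: nothing in package.json names the affected package.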

Now, ASP.NET Core is a framework I use a lot, and .NET Core is the runtime it runs on. Since it is now open source, I decided to take a look at their announcements repository, just to find out whether they have somewhere they tell everyone about known security issues. To my surprise, they do have a security tag, and they are continuously updating it, on the .NET repository as well as on the ASP.NET repository.

So now let's take a look at one of those issues. Elevation of Privilege is a common attack on Windows systems, so having that kind of problem on a server in a cloud platform seems like a bad idea; let's take a look at the most recent issue. And to my surprise, it is very well documented: it has all the necessary info about which software is affected and how to stay safe, and which versions of the runtime or packages are already patched so you can update to those.

Conclusion
As maintainers of our own services, we should be aware of these kinds of things: not only should your OS always be up to date, but your runtime and dependencies too, even if they are not direct dependencies. Every one of us should be aware of what kind of problems can come from not taking those precautions.

PS. I'm now watching both announcement repositories, and I'll eventually get into my repository to correct and update everything. Even though it is not a running system, it should be updated just in case someone eventually wants to use it.

Tuesday, March 27, 2018

Public Wi-Fi networks

I love visiting different places to eat, like restaurants or small businesses that serve great food and beer. As part of my weekly visit to one of those places, I found that their Wi-Fi router was vulnerable to one of the most common and easiest attacks: getting into the administrative panel and doing whatever you want, because the password was the default!

The process
First, I got the Wi-Fi password, which was cleverly written on a whiteboard on the wall in front of me. After logging in, I just checked what my default gateway was and proceeded to enter the address in my browser. And I got this page:

[Image: HG8245H login page]

Then I did what any person with minimal search skills could do: I just searched for the default login username and password for that specific modem, which were cleverly published on this website.

I entered that default username and password and boom! I was in. I had just got access to the full administrative panel of a place where they have a computer for accepting payments, where Rappi or Uber Eats can place orders, and also where they use a terminal to charge credit and debit cards.

After that I immediately told my waiter that I needed to talk to the manager. He showed up and I explained to him what I had done and how easy it is to find these kinds of things; he completely understood the problem and fixed it by the next day with some help, and he offered me a beer for the finding, so everyone was happy at the end of the day.

Conclusion
This wasn't my first experience with a problem like this, and I have also tried to reach managers at other places with this problem; some of them don't seem to be aware of how serious a problem it is, but this was my first experience where I was able to help someone. As one of my colleagues states in one of his blog posts, the default is usually unsafe. Even though the administrative panel of this particular router was shouting in red that the passwords were the default once you logged in to the device, it never forced me to change the password once I was in. I think these kinds of things can be done better by enforcing security, but people must also be aware of what it means to have a router in their homes: when the company staff install the router, I think they should say a bit about those kinds of settings and the danger of leaving them as they are.