So I was wondering if I should publish this, but I guess I have to. If you’re one of the 500,000 Unifi subscribers in Malaysia, you need to know that your stock router–is completely hackable. TM has left you literally hanging by your coat-tails with a router that can be hacked as easily as pasting a link. So I was struggling to figure out if I really should have made this post, but in the end I think it’s better for you (and everyone else) to know just how easy it is to Hack Unifi accounts–not so you can hack them, but so that you can take some precautions over the situation.

But first, some caveats–everything I’m showing here is already public knowledge, the only difference is that I’ve culled and aggregated knowledge from different streams to show you just how easy an attacker can circumvent your password protection on your Unifi Dlink DIR-615 router, which is the stock router that comes with Unifi. It’s better for you to know about it than to remain oblivious to possibility that anyone from anywhere in the world, sitting in their room with their pyjamas on, can log onto to your router and start doing some rather nasty stuff.

Second caveat, is that as a result of this, some ‘kiddy-hackers’ may see this post and now be empowered with the means to attack, that’s a risk I’m willing to take to allow for everyone to know about it, so that they can do something about it. Keeping everyone in the dark about vulnerabilities of their routers is not a good thing. Security works better when everyone has access to the same information, this is how security works, and if you don’t agree–well tough luck.

With that said, here’s how you use Shodan, and a well known exploit to hack Unifi. The final exploit which doesn’t require any knowledge of the passwords starts at 4:08

Update 22-Jun: My Apologies: YouTube have removed my video because someone reported it as being inappropriate. I am appealing..I’m not sure what about the video was inappropriate, and I have made no attempt to mis-lead anyone. Stay tuned. I’ve updated the video with a Vimeo upload instead.

Hacking Unifi Dlink routers using Shodan from Keith Rozario on Vimeo.

Details of the hack:

1. To access the password page the appendage is /model/__show_info.php?REQUIRE_FILE=/var/etc/httpasswd

2. To search for Dlink Routers on Shodan the query is Mathopd/1.5p6 country:MY

I’ve alerted TM to this much earlier, in August 2013 actually, and they promised they’d fix it by the end of the year. To be honest though, I don’t blame them, your router security is your responsibility and not TMs, so I think that TM isn’t doing anything wrong by not doing anything. A user should be responsible for the security of the router, just like how you are responsible for the security of your phone–even if you did get it free from Maxis or Digi. So anyhow, in the absence of any clear action from TM, I’ve taken it upon myself to inform you of the router vulnerability, and here’s hoping you do something to fix it.

As always–stay secure.

To address the issue check out my post on how to prevent this on your Unifi router, click on my post here.

As we approach the end of the year, and I have some free time to blog again, I thought I’d re-visit the Auditor Generals report for 2012, and focus specifically on that one project everyone is talking about, the MERS 999 project.

This wonderful project, that cost Malaysian citizens upwards of RM800 Million, was a monumental failure on behalf of the government and for all contractors and sub-contractors involved, however to be fair the blame probably lies squarely on the shoulders of those over-seeing the procurement of the service as opposed to the IT folks–but they have to take some heat as well.

As someone with years of experience delivering IT projects, I think this is an area that I comfortably call myself an expert in, so I think I’m fluent enough in IT to take a sneak peek at this particular project to find out what exactly went wrong and what could have been fixed. Unfortunately, the results aren’t that good, but if you’d like to hear a self-proclaimed expert dissect this, then please continue reading.

I don’t agree with most of Rockys opinions, but I still subscribe to his blog to ensure I have at least a different view of politics. However, a post he made on the ’new’ Perdana really sent my blood curling. Rocky was defending the proton re-badging exercise, something I felt was completely unacceptable. Proton is a company that for years has thrived under government regulations and policies that were designed specifically protect it–and part of that protection included raising the price of all other cars in the market giving proton an un-fair advantage.

Every other year, we receive fresh results from PISA or TIMSS, and every other year we see our children continue their slide to near insignificance on the global scale. I can’t phantom how the Education Ministry can remain so obtuse about such a catastrophe, and instead put on a façade of confidence, when there isn’t an iota of data to be confident about.

The education policies of this country and flawed in near every sense, and what we have are politicians continually failing and children–the same politicians who get re-elected year after year.

Satu sekolah untuk semua is destructive

Children need individualized learning, and if for what ever reason some of them prefer to learn Science and Maths in English or Malay, or Mandarin, Tamil or whatever language or dialect–then they should be encouraged to learn it in their preferred language. The parents who claim the need to learn science in the ’lingua franca’ of science are both mis-guided and mis-informed, the lingua franca of science isn’t English–it’s MATHS. Maths is the language of science, and everything else is superfluous–there are countless thousands of Malaysian children who will struggle to learn science and maths in English–why don’t we strive to make it easier for them, by teaching English in English classrooms, and science in science classrooms–in the language of their choice.

Am I embarrassed to be Malaysian?

Nope, I can never be embarrassed to be Malaysian, this is my home country. I’m not just from Malaysia–I’m from Klang.

I can however, be embarrassed about my government and the policies it seeks to implement. Like how our idea of a space program, is buying a seat on a Russian mission to the ISS, and then having the audacity to call the Orthopedic surgeon we sent to space–an Astronaut. Space tourist more like it.

I’m a big fan of the D-Link DIR 615 router, I think Telekom Malaysia made a pretty good choice selecting it as the default router for Unifi accounts. To be fair, TM have made some bad choices as well, but we won’t go into that here, overall the router isn’t top notch, but it gets the job done.

Unfortunately, D-Link as a company has come under the spotlight for some rather funky security practices. First, there was a rather questionable backdoor that D-Link installed on a couple of older versions of their routers, the router basically granted anyone access to D-Link routers by just changing the user agent string of their browser–worse still the back door carried the name of the author….it was Joel.

However, I’m here to tell you, that as a Malaysian–you want to hold off your pre-order. Now if you want to buy coin to show-off to your less tech-literate friends, then go ahead, but if you’re buying COIN thinking that it’ll simplify your wallet, you’ll be sadly mistaken.

Over the weekend, I saw the following tweet from the star, which I attributed to be either a badly timed April Fools joke, or a typo error:

Friday and Saturday are weekend rest days for Johor from Jan 1. What's your view? #Johornewweekend

— The Star (@staronline) November 23, 2013

Surely, a state like Johor that was trying to attract investment for the Iskandar region from companies like Frost and Sullivan, would not make such a catastrophic error. Alas, upon further checking, I found the information to be true.

Dear Tun,

First and foremost, let me start by telling you that I truly admire and respect your contribution to Malaysia. I remember shaking your hand when you attended my Convocation quite some many years ago. It was quite odd to see that while you were present, you didn’t give a speech, simply because you attended the function not as former Prime Minister of Malaysia, but rather as the spouse of the Chancellor–your wife Tun Dr. Siti Hasmah.

So  it saddens me deeply, that at another convocation–this time where you were giving a speech, you suggested that it is time to censor the internet to counter “distribution of pornography, questionable news and slanders”.

If I may be so bold Tun–censoring the internet is the single most destructive thing that can happen to modern day Malaysia, and something that must be opposed at every turn, even if it involves publicly correcting a senior leader such as yourself. As a citizen of Malaysia, I find it not just my right, but my duty to inform the Emperor when he has no clothes on.

Transcript:

All data stored in your computer is stored in binary digits, or bits. The word binary denotes two, just like bi-lingual, bi-weekly, or bicycle.

A binary number can have a value of either 1 or 0. Just like a switch can be on or off, or a gate can be opened or closed, but since it can only have two possible values, it doesn’t really have much capacity to store much information.