ISP Fibre ONT (VLAN10) -> Sophos In / Sophos Out -> USG WAN / USG LAN -> Unifi Switch

I'd prefer to keep the connection to the ISP going through the USG first then onto Sophos if that's best. I want to include the firewall to monitor the traffic deeper and restrict websites etc. as the kids get older.

The original Sophos SG/XG 230 hardware (8GB memory) costs about 1800€ and can easily secure a 100-user company with a firewall throughput of 7Gbit/sec. With all security features activated (Intrusion Prevention, Advanced Threat Protection, Web Protection, Application Control, etc.) you can nearly reach 1GBit/sec.
- Sophos Home’s mobile app and cloud dashboard are easy to use. Add more computers, perform remote scans, receive alerts, and modify security settings remotely, whenever you need to.
- Packet Capture is the process of intercepting and logging traffic. Sophos XG Firewall’s (SF) packet capture utility captures packets that match the specified criteria.
- Our Free Home Use XG Firewall is a fully equipped software version of the Sophos XG firewall, available at no cost for home users – no strings attached. Features full protection for your home network, including anti-malware, web security and URL filtering, application control, IPS, traffic shaping, VPN, reporting and monitoring, and much more.
A few weeks back we had a power outage at our home. Electricity was restored a few hours later and we all thought nothing of it. Everything turned back on and my home network seemed to function correctly.
About a week later, I logged in to my Ubiquiti Network Manager Controller and saw that my Ubiquiti UniFi Security Gateway (USG) was no longer sending over data to the controller software. I still thought little of this issue, since the USG was still routing and blocking unsolicited traffic.
The following weekend I decided I wanted to restore full USG functionality in the Network Manager Controller software, so I decided to simply reboot the USG. This, unknowingly, was my first mistake. After turning the USG back on, I found that the Network Manager Controller software would not hand out new IP addresses from the DHCP scope. I could only attach to the network with a physical connection and a static IP address self-assigned on the same subnet as the USG. I tried to reboot the device several times, but it was all in vain. I realized the device had a deeper issue.
I performed a factory reset on the USG a few times and the lights indicated that the resets were successful, but my connectivity issues on the LAN were not resolved.
At this point, I began researching online on how to reflash the firmware on the USG device. After putting a process together from several articles, I was able to find a viable solution. I will document the procedure below for future reference.
The first step, which led to several minutes of initial frustration, was figuring out how to get into the device. At first I thought it might pry apart, but I quickly figured out this was not the case.
- Remove the rubber pads from the bottom of the USG device, revealing four screws. Remove all four screws.
- After removing all four screws, the top piece of the unit will lift off, revealing the main board of the USG device.
Note: I had already removed the internal USB drive at the time I took this picture. Pretend it is there.
- Remove the USB drive, containing the potentially corrupted firmware.
- Plug the USB drive into a computer and verify it is actually functional. Sometimes USB drives die. If the drive is at least recognized by the computer, proceed to step 5.
- Download the factory-shipped image from Ubiquiti here:
https://dl.ubnt-ut.com/cmb/USG-4_2_0-shipped.img.bz2
- Use your favorite image flashing utility to write the downloaded firmware onto the USB drive.
Note: I like to use balenaEtcher on macOS ($ brew cask install balenaetcher), but Rufus is a good alternative on Windows (> choco install rufus).
Attention: The firmware writing procedure can take 10+ minutes, so do not get frustrated and remove the drive mid-write.
- Once the factory image is flashed onto the USB drive and the image is verified, plug the USB drive back into the USG device. Turn on the device.
Note: The initial boot process can take several minutes, but the light in the middle of the board will come on once it is running.
- Reassemble the USG (and do not forget to reapply the sticky pads).
Note: Do not reattach it to the network yet.
- Login to the Ubiquiti Network Manager Controller and forget the old USG.
- Plug the USG back into the network and more than likely the Ubiquiti Network Manager Controller will automatically adopt it and reconfigure it.
Note: Make sure to apply all applicable updates to the USG, because the factory image is now out-of-date.
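As an added example, not from the original post, here is a Linux shell function for the flashing step (writing the shipped image to the USB drive) that adds two checks the post's "favorite image flashing utility" advice leaves to you: it refuses to write to a drive that is currently mounted, and it reads the drive back afterwards to confirm the bytes match the image before the drive goes back into the USG. It assumes GNU coreutils and bzip2 on Linux; the function name is mine, and DEVICE is whatever your USB stick shows up as (the whole drive, e.g. /dev/sdX, not a partition).

```shell
# flash_usg_image IMAGE DEVICE
#   IMAGE  - USG-4_2_0-shipped.img.bz2 from the post, or an already-decompressed .img
#   DEVICE - the removable USB drive as a block device (or a regular file when testing)
flash_usg_image() {
    img="$1"
    dev="$2"

    [ -f "$img" ] || { echo "image $img not found" >&2; return 1; }
    [ -e "$dev" ] || { echo "device $dev not found" >&2; return 1; }

    # Never write over a drive the OS is actively using (matches partitions too).
    if mount | grep -q "^$dev"; then
        echo "$dev (or a partition on it) is mounted; unmount it first" >&2
        return 1
    fi

    # The download is bzip2-compressed; dd needs the raw image.
    case "$img" in
        *.bz2) raw="${img%.bz2}"; bunzip2 -kc "$img" > "$raw" || return 1 ;;
        *)     raw="$img" ;;
    esac

    # Write the image and flush it to the device before claiming success.
    dd if="$raw" of="$dev" bs=4M conv=fsync 2>/dev/null || return 1
    sync

    # Read back exactly as many bytes as the image holds and compare.
    size=$(wc -c < "$raw" | tr -d ' ')
    if cmp -n "$size" "$raw" "$dev"; then
        echo "verified: $size bytes written to $dev"
        return 0
    fi
    echo "readback mismatch; do not put this drive back in the USG" >&2
    return 1
}
```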
Once all of these steps are complete, you should be on your way to full usage of your USG product once more. I am happy they decided to make their boot medium removable and easily re-writable. If you run into any issues, feel free to drop a line in the comments below and I will see if I can assist.
Yesterday morning I got a Skype message from an ex-colleague, somebody I’d not heard from in some time but was happy to reconnect with.
I say “message”, it wasn’t much of one, it was just a link. Out of the blue.
It was clearly a phish, but it caught my eye because it didn’t link to some obviously scummy or incongruous URL. It was a link to Google, and that got me wondering, how does that work?
I’ve blurred some of the URL, but the important thing is that it looks like this:
I wasn’t interested in where the link would lead me (for the record, it redirects to a punycode encoded URL that redirects to a malicious site), but I was interested to see how a Google URL was being used to get me there.
It reminded me of a very similar Skype message I’d received a few years ago, one that abused an open redirect in Google Maps, and I wondered if there was another.
Over the years, scammers have realised that keeping things simple works for them, and the simplest message of all is like this one – nothing more than a malicious link. Of course, if all they have is a link they don’t want one that’s going to put you off.
And that’s a problem, because their domains often are off-putting. Malicious websites are destined to be block listed and don’t have a very long shelf life, so there’s no mileage for them in trustworthy-looking dot coms. Instead, they often hack into legitimate websites and use those, either to host their content or to act as intermediaries.
The resulting collection of compromised dentistry blogs and mom-and-pop travel company website domains are incongruous and not widely known.
The crooks need a way to dress them up as more trustworthy.
Stealth mode
One answer is to find an open redirect on a legitimate website – a redirection facility that can be abused to bounce users from a trustworthy website to another, less trustworthy one.
Open redirects tend to be bugs though, and they are likely to be closed sooner or later. The holy grail is a legitimate website with an open redirect function that’s a feature, not a bug.
Well, there is just such a feature, and it’s on the biggest website of them all.
In some browsers, like Firefox or Safari, Google search results don’t lead directly to the listed websites. Instead, Google links to itself. When you click on a search result link you’re bounced through another Google URL, which then redirects you to your destination. It does this so it can log which link you’ve clicked on. (If you use Chrome, or Chrome-based browsers like Brave, you aren’t redirected like this, but the same link back to Google tracks you via the rarely-seen ping parameter.)
The URL Google uses for redirects is https://www.google.com/url, which serves, by design, as an open redirect. It will redirect you to any URL on the web, if you add an appropriate url parameter:
And that looks an awful lot like the phishing URL I received.
If you pasted the link above into a browser you’ll have noticed that you didn’t go straight to example.org. Instead, you were shown a Google web page saying “The page you were on is trying to send you to an invalid URL”.
So why doesn’t that appear when you click on Google Search results and, more to the point, why didn’t it appear when I probed the Skype phish?
The answer is that the phishing URL contained a second parameter, sa=t, and a third, usg, which contains some kind of unique identifier. After a bit of cursory research I couldn’t find anyone who knows how to make a usg identifier, but crooks don’t have to make them. If a website is listed on Google Search, it has a usg, which is easily retrieved from the source code of the search results page.
It means the crooks can only use Google’s open redirect with a site that’s listed in the Google Search index. But that’s not a barrier if you’re already hijacking legitimate websites.
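As an added example, not from the article, here is a small Python helper a defender can run over a suspicious message to unwrap a google.com/url link of the kind described above: it pulls the real destination out of the url parameter, notes whether the sa and usg parameters that make the redirect silent are present, and flags a punycode (xn--) destination host like the one the Skype phish led to. The function names and the sample message are my own constructions.

```python
import re
from urllib.parse import urlsplit, parse_qs

GOOGLE_HOSTS = {"google.com", "www.google.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_google_redirect(link):
    """Describe where a google.com/url link really sends the reader."""
    parts = urlsplit(link)
    host = (parts.hostname or "").lower()
    if host not in GOOGLE_HOSTS or parts.path != "/url":
        return {"is_google_redirect": False, "destination": link,
                "silent_redirect": False, "punycode_host": False}
    qs = parse_qs(parts.query)
    # parse_qs already percent-decodes, so the nested URL comes out intact.
    dest = qs.get("url", [""])[0]
    dest_host = (urlsplit(dest).hostname or "").lower()
    return {
        "is_google_redirect": True,
        "destination": dest,
        # Both sa and usg present: the interstitial warning page is skipped.
        "silent_redirect": "sa" in qs and "usg" in qs,
        # Any xn-- label means an IDN host, a common lookalike-domain trick.
        "punycode_host": any(lbl.startswith("xn--") for lbl in dest_host.split(".")),
    }


def suspicious_links(message):
    """Destinations in a message that ride Google's redirect to a punycode host."""
    hits = []
    for link in URL_RE.findall(message):
        info = unwrap_google_redirect(link)
        if info["is_google_redirect"] and info["punycode_host"]:
            hits.append(info["destination"])
    return hits


if __name__ == "__main__":
    # Constructed sample resembling the bare-link Skype message in the article.
    sample = ("hi https://www.google.com/url?sa=t&url=https%3A%2F%2F"
              "xn--exmple-cua.example%2Flogin&usg=PLACEHOLDER_USG_TOKEN")
    print(suspicious_links(sample))
```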
Google search results have worked this way for a long time, and I imagine the tactic I’ve described here has been used for almost as long. So why does Google tolerate it? Well, Google (which, whether you like the company or not, takes security very seriously) doesn’t consider open redirects to be a security issue.
It says that “improperly designed redirectors can lead to more serious flaws” and it’s happy to hear about those. So, for example, Google would consider the scam site I ended up at a security threat, but not the subterfuge the scammer used to get me there.
What to do?
Even if you’re familiar with the way that scammers operate there’s always a chance you’ll run in to new tactics, or (as I was) be surprised by old tactics you’ve just never seen before.
- Don’t be taken in by the sender’s name. Whether it’s Skype, email or any other messaging system, scammers will try to use names you trust.
- Don’t feel pressured into clicking a link. If the sender didn’t explain why you should click, you don’t have to! And if they did explain, you don’t have to act on advice you didn’t ask for and weren’t expecting.
- Check URLs before you click. If the website you’re being sent to doesn’t look right, stay clear. Remember that scammers may try to use flaws or features in legitimate websites to hide URLs.
- Use training and web filtering to avoid malicious sites. Sophos Phish Threat can train users to better identify scams, and the web filtering in products like XG Firewall or Sophos Home can protect them if they don’t.