Slashdot Mirror
Drive-By Pharming Attack Could Hit Home Networks
Rob wrote in with a link to a CBR Online article discussing drive-by pharming, a new exploitation technique developed by Indiana University and Symantec Corporation. While it's not known if the technique is in use 'in the wild', the exploit could easily co-opt the web-browsing habits of a user that had not properly configured their router. "The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces. The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers." The article goes on to discuss several related and more advanced techniques related to this one, which security companies will have to keep in mind to guard against future attacks.
We'll chase off the Pharmers with our phlaming torches and pitchphorks!
The original generic sig.
I don't know which I'm more appalled at:
A. You bought a *wireless* doorbell.
B. You refer to double-stick taping it to your wall as "installing".
C. You left it at the default settings...
Exactly. The first thing I did on my router was change the password. A few months later, my forgotten password now locks me out. Does anyone have a safety pin?
Always someone has power over you. The thing to consider is this: Is the power good, or bad?
Who are you? A Doorbell Administrator? A Doorbell Security consultant?
President Skroob: Great. Now we can take every last breath of fresh air from planet Druidia. What's the combination?
Dark Helmet: 1 2 3 4 5.
President Skroob: 1 2 3 4 5? That's amazing! I've got the same combination on my luggage! Prepare Spaceball 1 for immediate departure!
Dark Helmet: Yes, sir!
President Skroob: And change the combination on my luggage!
A simpler solution would be for the manufactures of these routers to have them refuse to act as routers with any of the default settings. i.e. with the default settings you could connect to it for configuration, but no Internet access until the password, SSID, etc had been changed.
1 9242
Dude, ATM machines don't even have futuristic features like that. Come back to reality.
http://it.slashdot.org/article.pl?sid=06/09/21/18
f you're going that route, the manufacturer had better explain that in the documentation so the user knows what's going on. Otherwise, they'll be getting hundreds of calls from irate users screaming, "Why can't I use this piece of junk to connect to the internet tubes! Dammit, I paid for this and now I can't use it! What kind of piece of crap are you people selling?!!!"
Aha, aha, ahahaha. If you DO put it in the documentation, on the top of every page, in red 24 point bold all caps, you will get hundreds of calls from irate users. If you DON'T, the number will be approximately 99% of whatever your userbase actually is. The other 1% will, as usual, stick their tounge in the wall socket to see if it's live before plugging in the device, somehow poke both their own eyes out with the ethernet cable, or eat the packet that says "DO NOT EAT."
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
(Later)
[NEIGHBOR]
[COP] Sadly, this is what happens when you invite someone you hardly know into your house and put them in charge of configuring your security. How could you possibly have imagined that would be a good idea? But the people who sold you the router are just as much to blame. Nice work, selling a router that the customer then has to ask potentially untrustworthy third parties to configure because the defaults don't work and are hard to change.
[NEIGHBOR] An idiot is me.
[COP] Yes. Yes, an idiot is you.
Whence? Hence. Whither? Thither.
Yet, if your car failed to start if you weren't buckled up, people would go ballistic.
If they aren't buckled up, they are going ballistic anyways...it's just a matter of time.