Slashdot Mirror


Drive-By Pharming Attack Could Hit Home Networks

Rob wrote in with a link to a CBR Online article discussing drive-by pharming, a new exploitation technique developed by Indiana University and Symantec Corporation. While it's not known if the technique is in use 'in the wild', the exploit could easily co-opt the web-browsing habits of a user that had not properly configured their router. "The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces. The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers." The article goes on to discuss several related and more advanced techniques related to this one, which security companies will have to keep in mind to guard against future attacks.
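
The server-side filtering that blocks the cross-site reconfiguration described above, as an added example (not code from the original story or from any vendor's firmware): a router admin handler that refuses GET-based changes, verifies that the request was sent from its own pages, and demands a per-session token that a page on another origin cannot read. The router host names and form field name are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed for the example: the addresses the admin UI answers on and
# the form field that carries the anti-CSRF token.
ROUTER_HOSTS = {"192.168.1.1", "router.local"}
TOKEN_FIELD = "csrf_token"


class ConfigGuard:
    """Decides whether a configuration change (e.g. new DNS servers) may be applied."""

    def __init__(self):
        # One random token per admin session. A page loaded from another
        # origin cannot read it, so it cannot include it in a forged request.
        self.session_token = secrets.token_hex(16)

    def render_form_token(self):
        """Token the router embeds in its own configuration forms."""
        return self.session_token

    def check(self, method, headers, form):
        """Return (allowed, reason) for a state-changing request."""
        # A single GET with query parameters (the one-liner in the story)
        # must never be enough to change settings.
        if method != "POST":
            return False, "configuration changes must use POST"
        # Browsers attach Origin (or at least Referer) to cross-site form
        # posts, and script on a foreign page cannot overwrite those headers.
        origin = headers.get("Origin") or headers.get("Referer")
        if origin is None:
            return False, "missing Origin/Referer"
        if urlsplit(origin).hostname not in ROUTER_HOSTS:
            return False, f"cross-site request from {origin}"
        # The token check does not depend on browser header behaviour at all.
        token = form.get(TOKEN_FIELD, "")
        if not hmac.compare_digest(token, self.session_token):
            return False, "bad or missing CSRF token"
        return True, "ok"
```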

12 of 185 comments

  1. Last time I checked. . . by Who235 · · Score: 4, Insightful

    Last time I checked, it's stupid to leave anything with a default password.

    If you had all your personal papers in a safe, would you leave it set to the factory combination?

    1. Re:Last time I checked. . . by gstoddart · · Score: 2, Insightful

      Last time I checked, it's stupid to leave anything with a default password.

      If you had all your personal papers in a safe, would you leave it set to the factory combination?

      You're right of course. But, part of the problem is simply consumer education.

      It used to be that only people who knew a fair amount about computers used them. They were a self educating populace. The adoption of computers and home networks by a lot of people has actually happened faster than the corresponding education of people about these things. They can walk into a box store, buy a wireless router, plug it in and go. They simply don't have a clue about securing their machines.

      It's a commodity mindset -- "I go, I buy the product, I plug it in like a TV, and I never think about how it operates". Consumers haven't yet fully understood that they might need to take steps to secure such things, or that it poses a risk. All they know is they click the right button and they download the internet. :-P

      Unfortunately, I don't see an easy solution/resolution to this problem -- if manufacturers changed their defaults to make the routers more locked down, the average consumer is going to completely fail to use the product. They won't know how to configure their networking settings manually. It will be some strange voodoo they need to hire Nerds on Site or something.

      Cheers
      --
      Lost at C:>. Found at C.
    2. Re:Last time I checked. . . by 955301 · · Score: 2, Insightful

      Wouldn't it be great if the router hijacked the few http requests passing through it and gave the user a dynamically created password with instructions to print it and tape it to the router? There could be a snazzy checkbox letting them skip future redirects after they have the password.

      Then hitting the reset on the router just caused this to happen again with a newly created password.

      Voilà, no more default passwords.

      --
      You are checking your backups, aren't you?
  2. Made a mistake, please don't publicly flog me. by suso · · Score: 2, Insightful

    I'm sorry, I was thinking about it from the wrong way. That wouldn't work. But perhaps something along those lines could be implemented.

  3. Comcast by towsonu2003 · · Score: 3, Insightful

    making your network completely invulnerable is a simple case of setting a strong router password
    try setting a strong password on a Comcast router...
  4. Re:Simple solution for this by mpe · · Score: 4, Insightful

    1. When a registrar uploads data to root DNS servers, it also puts some hash of the numbers in a lookup table.
    2. Browsers are modified to lookup these hashes in #1 to determine if the DNS servers it is talking to are ok.

    A simpler solution would be for the manufacturers of these routers to have them refuse to act as routers with any of the default settings, i.e. with the default settings you could connect to it for configuration, but no Internet access until the password, SSID, etc. had been changed.

  5. Like this.... by StressGuy · · Score: 4, Insightful

    [YOU] "Do you have a [brand] router?"

    [NEIGHBOR] "Yes, I do."

    [YOU] "My computer keeps detecting it, thinking it can log on - did you set a password, WEP etc.?"

    [NEIGHBOR] "What's that?"

    [YOU] "It's how you keep anyone other than yourself from being able to access your internet connection. If it's not secure, anyone within your router's range can log in....I can help you if you'd like" ...this shouldn't be that much different than telling someone they left their window open or their door unlocked.

    --
    A goal is a dream with a deadline
  6. Re:Simple solution for this by smooth+wombat · · Score: 2, Insightful

    If you're going that route, the manufacturer had better explain that in the documentation so the user knows what's going on. Otherwise, they'll be getting hundreds of calls from irate users screaming, "Why can't I use this piece of junk to connect to the internet tubes! Dammit, I paid for this and now I can't use it! What kind of piece of crap are you people selling?!!!"

    I know, I know. The people who write the manuals don't actually use the products they talk about* so the manufacturer will have to make a concerted effort to put this notice on the three pieces of paper that come with products nowadays.

    *In helping my parents configure their new TV a few years back, the manufacturer left out an important part of how to save your settings when blocking out unused channels. If you followed the directions, blocking channels would not have worked. The crucial step of selecting the channel in question was left out of the instructions. It was only because of having used similar menu arrangements on other devices that I knew to not follow the directions as written.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  7. Enough with the goofy terms for this crap by duffbeer703 · · Score: 3, Insightful

    I'm so sick of phishing, vishing, pharming, pheering, etc.

    The security community is completely pathetic; the #1 motivation of all of this crap is consultants who want to go around and say that they coined the phrase "pharming", or were able to drum up panic over every obscure flaw in Powerpoint 97.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  8. Seen this and it's scary by ajs318 · · Score: 4, Insightful

    It's not for nothing that we have this old saying: He who controls DNS, controls the Internet. It's scary what you can do to someone if you can tell them, authoritatively, that (for instance) the IP address for "www.google.co.uk" is 66.230.165.157. And that's exactly the sort of thing you can do, if you have control of a machine running BIND. If you were very, very careful what you subverted, you could snarf a lot of information. I'm sure it's possible to reverse-profile people by the "targeted adverts" they get sent in return for supplying personal information (but see here for advice). If you're serving up the fake pages from your own machine (and you might as well, because Apache is as much part of every Linux distro as BIND) then you have all you need to be The Man In The Middle -- you can pass on a (munged) version of their request to the intended target server and offer up the reply. If you're within wireless range of their router, you can even do it via that. Change back the DNS settings afterward and nobody need ever be any the wiser.

    In my street, there are at least three wireless networks with default passwords. When my friends come around with their wireless laptops, they get a good connection. It most definitely isn't through mine, because my LAN is all wired (in fact, it's still got one length of co-ax in it!) On two of them, the network name was the model of the router. One quick Google later and I had the default password. And it worked -- I had the configuration page up! I almost changed their network name to "uRpWn3d" and set a new password, just for a laugh and maybe to teach them a lesson, but decided against it; there are ways of pointing out something loose that look less like vandalism than breaking it off.

    The real, long-term solution is for routers to be designed not to route packets as long as the password is set to the factory default -- if the password hasn't been changed, then the router should not allow you to connect to anything except its own configuration page. If you do a full factory reset and find yourself able to connect to web sites straight away without deliberately changing the password, then that must mean one of your machines has already been compromised. Then it's better that you stay off the Net until your computers are fixed.

    --
    Je fume. Tu fumes. Nous fûmes!
  9. Re:So, how do you tell your clueless neighbors? by oni · · Score: 2, Insightful

    printing up a quick wireless security tutorial on a printer not linkable to me

    you mean like for example *their* printer?

    I did that to some AF guys once. I printed a page with orders to call me in giant letters. They were pretty good natured about it and actually appreciated that I was helping them.

  10. Re:Legal issues by squiggleslash · · Score: 2, Insightful

    I'm not sure that's relevant. I can't speak for Danish law, but there are a lot of laws in Britain you can break with no ill-intent or action on your part. As a general rule, you are responsible for your Internet connection there and the laws are worded such that you're responsible on the basis of the end result and chain of responsibility, not bad faith actions on your part.

    I've heard of people (as in my mother is a lawyer and has assisted them, this is not friend-of-a-friend stuff) being arrested after complaining to the police that someone has emailed them child pornography. They were, technically, bang to rights. The laws concerning the issue were not concerned with whether he solicited that content, merely whether he possessed it. Did he possess it? Yes, the content was on his computer, he admitted it, therefore as the law was written he was 100% guilty. Beyond a reasonable doubt.

    (FWIW, before anyone thinks a massive injustice was done, it was more a minor injustice - they dropped the charges. Britain's legal authorities tend to recognise that many of the laws they enforce are deliberately over the top to reduce the number of "loopholes" that a truly guilty person could wiggle out of; and as such tend, though not always, to use their discretion when enforcing them. That is, of course, a dangerous situation, and in many cases entirely innocent people do get caught up in draconian laws that should never have applied to them. Britain's judges also seem less willing as a matter of principle than American ones to refuse to find fault with someone who has caused no harm and didn't intend to in the first place, though there are occasional exceptions, some of which are hilarious.)

    Oh, and this situation gets worse when it comes to civil law.

    --
    You are not alone. This is not normal. None of this is normal.