Slashdot Mirror


Drive-By Pharming In the Wild

An anonymous reader writes "Symantec reported Tuesday that the first case of drive-by pharming, in which a hacker changes the DNS settings on a customer's broadband router or wireless access point and directs the link to a fraudulent Web site, has been observed in the wild. The first drive-by pharming attack has been observed against a Mexican bank: 'It's associated with an e-mail pretending to be from a legitimate Spanish-language e-greeting card company, Gusanito.com,' says Symantec Security Response principal researcher Zulfikar Ramzan. Inside the e-mail is an HTML image tag but instead of displaying images, it sends a request to the home router to tamper with it."
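The mechanism the summary describes is an HTML image tag whose URL points at the router on the LAN rather than at a real picture. The following is an added example (not Symantec's tooling or code from the original post) of how a mail gateway or content filter could flag that pattern: it collects every URL a browser would fetch without user action and reports the ones that target a non-routable address or embed credentials. The sample message, its paths and parameter names are constructed.

```python
"""Flag HTML that would make the reader's browser send requests to a home
router, the drive-by pharming pattern described in the story.

Added example, not code from the original post. The sample e-mail body,
the router path and the parameter name below are all constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress

# (tag, attribute) pairs a browser fetches automatically when rendering.
FETCH_ATTRS = {("img", "src"), ("script", "src"), ("iframe", "src"),
               ("link", "href"), ("embed", "src"), ("object", "data")}


class _Collector(HTMLParser):
    """Gather (tag, url) for every automatically fetched resource."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in FETCH_ATTRS and value:
                self.urls.append((tag, value))


def classify_url(url):
    """Return the reasons a URL looks like a router-tampering request ([] if none)."""
    reasons = []
    parts = urlsplit(url.strip())
    host = parts.hostname
    if not host:
        return reasons
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # an ordinary hostname rather than a literal IP
    # RFC 1918 / link-local targets inside a mail have no legitimate use:
    # a public sender cannot know what lives there except a home router.
    if addr is not None and (addr.is_private or addr.is_link_local):
        reasons.append(f"targets non-routable address {addr}")
    # userinfo in the URL is the classic way to pre-supply HTTP Basic auth.
    if parts.username is not None:
        reasons.append("carries credentials in the URL")
    return reasons


def scan_html(html):
    """Return [(tag, url, reasons)] for every auto-fetched URL that is suspicious."""
    collector = _Collector()
    collector.feed(html)
    findings = []
    for tag, url in collector.urls:
        reasons = classify_url(url)
        if reasons:
            findings.append((tag, url, reasons))
    return findings


# Constructed sample: a greeting-card mail whose hidden 1x1 image points at
# a router on the LAN. The /config path and dns= parameter are made up.
SAMPLE_MAIL = """
<html><body>
<p>Tienes una tarjeta!</p>
<img src="http://cards.example.invalid/card123.gif">
<img src="http://192.168.1.254/config?dns=203.0.113.9" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for tag, url, reasons in scan_html(SAMPLE_MAIL):
        print(f"<{tag}> {url}: {', '.join(reasons)}")
```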

205 comments

  1. Pfft by Kalriath · · Score: 4, Insightful

    So, I suppose this "hack" fails entirely on any router which... well, either has a default password or (like any high end router) doesn't use HTTP basic authentication? No worries for me, my 3com is safe as houses.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    1. Re:Pfft by Kalriath · · Score: 0, Redundant

      Um, yeah. "Has a default password" should read "has a changed default password". I've been drinking recently, and have a bit of a headache, so sue me.

      Not literally, you crazy US folks.

      (Seriously Slashdot, it requires pretty much the same fucking processing power to tell me "slow down cowboy" as to just write the fucking comment to the DB... your comment wait time is a complete waste of resources)

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    2. Re:Pfft by Anonymous Coward · · Score: 0, Offtopic

      It's to prevent crapflooding, not to save resources.

    3. Re:Pfft by cheater512 · · Score: 2, Insightful

      My AMD X2 'router' is also immune.

      Having a real workhorse as your router improves security dramatically as well as allowing you to do some really cool things. :)

    4. Re:Pfft by Ajehals · · Score: 1

      If that's a dedicated router then it's overkill.

    5. Re:Pfft by Buelldozer · · Score: 1

      I use a SonicWall TS5 wireless at home. It is also completely immune.

      Once again, cheap consumer junk FTL!

    6. Re:Pfft by repvik · · Score: 1, Offtopic

      It's freaking annoying though. It should start as a low delay and grow instead. That way they can prevent crapflooding *and* annoy fewer users...

    7. Re:Pfft by cheater512 · · Score: 1

      lol. Of course it would be overkill if that was all it did.
      It's a home server with TV card, terabyte RAID array, etc...

    8. Re:Pfft by WhatAmIDoingHere · · Score: 2, Funny

      So your router contains stuff you don't ever want to lose? Not quite the best idea.

      Also, the A in RAID stands for Array. RAID Array is like ATM Machine or PIN Number.

      --
      Not a Twitter sockpuppet... but I wish I was.
    9. Re:Pfft by gaboalonso · · Score: 1

      But 2Wire routers come with the serial number being the default password... thus it's impossible for the hacker to know the password of every 2wire router.

    10. Re:Pfft by timeOday · · Score: 1

      Routers shouldn't be trusted anyways, since you'll never have control over all the upstream routers.

      You'd think that a bank would have a certificate signed by a big certification authority, like Verisign, whose public key comes hard-coded into the browser. In that case, the entire attack should fail.

    11. Re:Pfft by Anonymous Coward · · Score: 0

      Where's the P for Pedantic?

    12. Re:Pfft by Anonymous Coward · · Score: 0

      "...RAID Array is like ATM Machine or PIN Number.

      Where did you get that idea?
      Well, I don't know if you need a PIN Number to access it but you certainly can't get money out of RAID Array like you can an ATM Machine.
      Some people and their lack of technological understanding...
      Do you work for the BBC corporation or something?

    13. Re:Pfft by webmaster404 · · Score: 1

      No, cheap firmware. Even simple routers can be quite secure with decent firmware; however, most ship with a really bad OS.

      --
      There is no "disagree" moderation, and troll, flamebait and overrated are not valid substitutes
    14. Re:Pfft by graphicsguy · · Score: 1

      I have one of these as well. But perhaps the serial numbers are easy to crack.

    15. Re:Pfft by MadnessASAP · · Score: 0

      So you go around saying "RID Array", "AT Machine" and "PI Number"?

      --
      I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.
    16. Re:Pfft by Architect_sasyr · · Score: 1

      Agreed, my cheap-ass WRT54GL is quite secure. The firmware is, of course, DD-WRT and not the default crap-ware they try to leave me with.

      For something that only cost me around $150 AU it is rock solid, secure, and with the linux based firmware, allows me to do some cool stuff (like run kismet-server on it and - so I am told - run packet injection off it).

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    17. Re:Pfft by Ajehals · · Score: 2, Informative

      Hmm, personally I prefer my routers not to have too many potential vulnerabilities, yours sounds like a nightmare from that perspective. What you are telling me is that a box on the edge of your network, a box that presumably is very open to abuse also happens to hold a huge volume of data, not too bright, even if it is just TV shows. Personally I'd grab a modest piece of hardware suited to the role and ensure it was locked down as tightly as possible.

      Just out of interest, what OS is this monster router running?

    18. Re:Pfft by amRadioHed · · Score: 1

      Worse. Apparently the problem is that the password can be changed by a simple HTML request without knowing the current password.

      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
    19. Re:Pfft by epsalon · · Score: 1

      Actually, I have found a backdoor in a router that lets you issue arbitrary commands to the busybox shell without any password through a simple HTTP GET request. That router could be easily exploited with an IMG tag in a browser.

      My solution BTW was not to assign an IP address for the router (used only as a modem) and to firewall non PPPoE traffic.

    20. Re:Pfft by Buelldozer · · Score: 1

      You know I'd like to make some really witty and pithy retort and redeem myself but unfortunately, you're right. It's not the hardware, it's the code running it.

    21. Re:Pfft by cheater512 · · Score: 1

      It runs Gentoo.

      It's locked down pretty well so the only way in is via a vulnerability in SSHD, Apache, etc... which is unlikely.
      Especially with Gentoo's quick reaction times when it comes to new versions.
      I'd consider it a lot more secure than your off the shelf router. Also the data would be far less secure if it was stored on a windows box.

      It's all about degrees of security.
      Sure, putting large amounts of data on the border of your network isn't the best idea but it's acceptable when you don't have enough spare computers.

    22. Re:Pfft by Anonymous Coward · · Score: 0

      How does it prevent crapflooding exactly? A crapflood delayed by 20 seconds is still a crapflood.

    23. Re:Pfft by Ajehals · · Score: 1

      It is all about degrees of security. I would feel rather uncomfortable putting large amounts of data on the border of any network; the cost of not doing so is minimal (in terms of hardware and power utilisation) and the decrease in risk is, in my opinion, significant.

    24. Re:Pfft by compro01 · · Score: 1

      hmm. all 2wire stuff I've dealt with uses a separate pseudo-random numeric string as the default password (also as the default WEP/WPA key). the number is right next to the serial number though.

      --
      upon the advice of my lawyer, i have no sig at this time
    25. Re:Pfft by spinkham · · Score: 2, Informative

      Not necessarily..
      It is also possible to change settings on a router using UPnP using a malicious flash script...
      See http://www.gnucitizen.org/blog/flash-upnp-attack-faq for details.
      Most home routers have UPnP turned on, so you're not safe just because you have a good password.
      I would assume that most 3com gear does not have UPnP, so it is quite likely that you specifically are safe.
      Of course, anyone with a security clue has been saying UPnP is a BAD idea for a long time, but it used to be client side malware people were worried about, not well formed flash on any webpage...

      --
      Blessed are the pessimists, for they have made backups.
    26. Re:Pfft by Anonymous Coward · · Score: 0

      'go around' is a stretch. Why, posting pedantic paroxysms isn't a part-time profession!

    27. Re:Pfft by Anonymous Coward · · Score: 0

      Well I can't answer for him, but personally I go around saying RAID, ATM, and PIN. Instead of being a redundant dumbass.

    28. Re:Pfft by Anonymous Coward · · Score: 0

      It should actually read just "has a changed password". The default password stays the same, the password the router is currently using to authenticate is what is changed.

    29. Re:Pfft by Al+Dimond · · Score: 1

      Source? TFA doesn't mention this, but then again TFA is fluffy crap.

    30. Re:Pfft by TooMuchToDo · · Score: 0, Offtopic

      Or base it off of karma. User with high karma? No wait to post. I hate having tons of comments sitting in Firefox tabs, and going through one by one hitting submit every few minutes.

    31. Re:Pfft by TooMuchToDo · · Score: 1

      Something I would love to do with DD-WRT that I haven't played with yet is locking down the wireless so only my TiVo, laptop, etc have access to my whole house network, but anyone within range with a T-Mobile HotSpot@Home phone can use the WiFi for free calls (the phone tunnels the call using GSM-over-IP). Is this possible?

    32. Re:Pfft by Cato · · Score: 1

      There's no really secure way to do this - DD-WRT v24 is supposed to enable multiple simultaneous SSIDs, some locked (WPA) and some not, but unfortunately it's still quite unstable. Since I discovered that WDS on DD-WRT v23 is really quite unstable, I've been considering moving to another Linux-based firmware (maybe Tomato or OpenWRT with add-on GUI), but currently I don't need WDS since I bought a 9 dBi omnidirectional antenna for $25. I'd recommend such antennas to anyone before wasting time with 802.11n, WDS, 802.11g+MIMO, etc - I now have coverage of a large house with 2 foot thick stone walls from a single WRT54G at recommended max power of 84 mW. I now use the WDS router as a spare.

    33. Re:Pfft by Architect_sasyr · · Score: 1

      Oddly enough I begin researching this next week as part of a corporate roll up to DD-WRT for our hotspots, but for now my suggestion would be to do it purely in iptables. You can do MAC-based restrictions there as well as IP-based ones. More specifically, restrict everyone back to the GSM-over-IP networks/protocols (I'm not familiar) and then allow your boxes further access. That's, IMHO, the beauty of having a Linux box for my router... within certain size restrictions I can do most anything I would be able to do with a full blown server-box.

      Otherwise I hear good things about Tomato, and Chilispot (which doesn't quite fit your guidelines but could be useful).

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    34. Re:Pfft by TooMuchToDo · · Score: 1

      You have a model or part number for the antenna? I'd be interested in picking a couple up (one for home, one for our office, etc).

    35. Re:Pfft by Anonymous Coward · · Score: 0

      holy fucking shit people. :/ why not do something more useful like tag images -> http://images.google.com/imagelabeler/

    36. Re:Pfft by Cato · · Score: 1

      I used the one from Allendale in the UK: http://www.wifi-antennas.co.uk/index.php?target=products&product_id=15 - not sure of part no. but you could ask them. They have some great FAQs and guides, but fundamentally the best thing to do is buy a 9 dBi antenna and see if it works for you, as it costs very little. Be sure to check your router's antenna connection and note that the very latest (crap) WRT54G version doesn't have a removable antenna...

    37. Re:Pfft by amRadioHed · · Score: 1

      I got that from this thread on AT&T's U-Verse forum a few days ago. Their U-Verse package uses one of the apparently vulnerable (and, IMHO, otherwise fairly shitty) 2wire access points.

      Disclaimer, I haven't yet done any verification of these claims on my own. I probably will if I get some free time sometime soon.

      --
      We hope your rules and wisdom choke you / Now we are one in everlasting peace
    38. Re:Pfft by pgillan · · Score: 0

      Neat.

    39. Re:Pfft by Anonymous Coward · · Score: 0

      ba dum pshhhh

    40. Re:Pfft by edittard · · Score: 2, Funny

      If that's the delay between posts, it's more of a craptrickle.

      --
      At the bottom of the /. main page it says 'Yesterday's News'. Well they got that right.
    41. Re:Pfft by The+Spoonman · · Score: 1

      Which is good, because it leaves a lot more time for you to be a real dumbass. It may have been syntactically incorrect, but did you understand what he meant by "RAID array"? Then, the language did its job. Grammar nazis like you need to grok that language isn't about sentences and structure, it's about communication. As long as the idea is communicated properly, it doesn't matter if it's "formatted" EXACTLY right. If he had said he had a "RAID array of TV tuners", THEN he would be an idiot.

      --
      Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
      http://www.workorspoon.com
    42. Re:Pfft by d3ac0n · · Score: 1

      Maybe he's using Virtualization?

      IE: 3 NICs, and 2 VMs in one box. One running as his server through an "internal network only" NIC, and the other as a virtual router appliance running through an "external network only" NIC, a firewalled connection to an "Internal" NIC and a Virtual network connection to the server V-Machine.

      I've been planning on doing this myself to reduce my power consumption levels. I just need to get the hot swappable RAID 5 setup going so I can have full redundancy (currently running on multiple non-redundant RAID 0 arrays) and I'm ready to roll.

      --
      Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
    43. Re:Pfft by operagost · · Score: 1

      I use a redundant RAID array of disks.

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
    44. Re:Pfft by WhatAmIDoingHere · · Score: 1

      When I was in High School, the head of IT called NICs "Network NIC Cards."

      --
      Not a Twitter sockpuppet... but I wish I was.
    45. Re:Pfft by Zibri · · Score: 1

      Unless what GP means is to change the firmware containing the default password.

    46. Re:Pfft by clarkcox3 · · Score: 1

      Are they inexpensive? or independent?

      --
      There are no tiger attacks in my area and it's all because this rock I'm holding keeps the tigers away.
    47. Re:Pfft by Kalriath · · Score: 1

      That would be the case, except that I do not have a BusyBox based router (neither 3Com nor Sonicwall use open source in the higher grade routers to my knowledge). I also don't use PPPoE (our country uses PPPoA)

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    48. Re:Pfft by Cato · · Score: 1

      See http://it.slashdot.org/comments.pl?sid=426748&cid=22150290 for pointers on the antenna I used.

    49. Re:Pfft by darkonc · · Score: 1

      They were inexpensive until they became independent. Now he has to pay for their external housing unit.

      --
      Sometimes boldness is in fashion. Sometimes only the brave will be bold.
    50. Re:Pfft by Stephen+Samuel · · Score: 1

      Find someone who's giving away an old P2 laptop. Get a second network card for it and put JUST the routing software on it. That way you have something that's small, low power and quiet running your border. Then you can dedicate your larger box to its real task and not have to worry about making gigabytes of storage available to the first hacker to find a hole in your setup.

      --
      Free Software: Like love, it grows best when given away.
    51. Re:Pfft by Ajehals · · Score: 1

      Well done, a far saner solution IMHO - for home use anyway.

  2. Let me guess... L: "admin" P: "admin" by Zymergy · · Score: 2, Insightful
    1. Re:Let me guess... L: "admin" P: "admin" by Gideon+Fubar · · Score: 3, Informative

      There are 3 major default username/password combinations that cover the vast majority of home routers. They are U:admin P:admin, U:admin P:password and U:admin P: (that's right.. NO password.) This is true of Linksys, Dlink, Netgear, etc. With a bit of searching, you can even find this out from their very own websites.

      --
      http://www.xkcd.com/354/
    2. Re:Let me guess... L: "admin" P: "admin" by Loconut1389 · · Score: 1

      don't forget root/admin

    3. Re:Let me guess... L: "admin" P: "admin" by Gideon+Fubar · · Score: 1

      true.

      the most interesting combination I've ever seen as a default was U:r0ot P:U53r.. This was on an Open Networks ADSL router. It still fails the strength test (too short, and derived from a known string), but at least it's better than Admin/Password

      --
      http://www.xkcd.com/354/
    4. Re:Let me guess... L: "admin" P: "admin" by TheThiefMaster · · Score: 1

      My parents' new BT "home hub" router comes with a default wireless password set and unique to the router, and an admin password set to the router's serial number.

      I was surprised, I was expecting it to be completely unsecured, like every other home router.

    5. Re:Let me guess... L: "admin" P: "admin" by Poromenos1 · · Score: 1

      Most linksys are U: , P: admin. Default passwords are meant to be as stupid as possible so people are scared into changing them, HW manufacturers have it right in that respect.

      --
      Send email from the afterlife! Write your e-will at Dead Man's Switch.
    6. Re:Let me guess... L: "admin" P: "admin" by dargaud · · Score: 1

      On my ADSL router, there are 3 accounts. One I cannot access/modify. One I have full control (including password change) but it's a useless account (hardly any control). One I can control the router, but the password changes don't stick... Apparently they don't allow password changes so that they can remotely update the firmware (which happens regularly). Gee, I wait for the day when a hacked firmware will be pushed to N million subscribers. And it's basically undetectable even by careful users since it won't affect your PC. The Morris worm will pale in comparison.

      --
      Non-Linux Penguins ?
    7. Re:Let me guess... L: "admin" P: "admin" by Gideon+Fubar · · Score: 1

      Of course. The (known and widely discussed problem) is that end users don't know a thing about security, and so the SSID, account names and passwords don't get changed.

      it's not even a hacker's delight.. this stuff takes absolutely no skill.

      --
      http://www.xkcd.com/354/
    8. Re:Let me guess... L: "admin" P: "admin" by dwye · · Score: 1

      the most interesting combination i've ever seen as a default was U:r0ot P:U53r.. This was on an Open Networks ADSL router. It still fails the strength test (too short, and derived from a known string), but at least it's better than Admin/Password

      No, Admin/Password is better because you should guess that something that generic should be changed, whereas U53r might mislead you into thinking that it was good. Personally, I think the default password should be something like ChangeMe or IsAFool, so that it is obvious what needs doing. Of course, the companies could probably just set their "wizards" to require it to be changed, but I have never used one - logging in to the router via the browser has always been too easy.

  3. Captcha? by tedhiltonhead · · Score: 5, Informative

    It sounds like a simple captcha image on the router's login page would thwart this.

    1. Re:Captcha? by wizardforce · · Score: 1

      except that they could just spoof the captcha like they did with porn websites.
      captcha page => spoof captcha page so user solves captcha for program => "hack" succeeds.

      --
      Sigs are too short to say anything truly profound so read the above post instead.
    2. Re:Captcha? by cheater512 · · Score: 4, Insightful

      Or maybe force users to change the password.

      Which one makes more sense? :P

    3. Re:Captcha? by Jesus_666 · · Score: 1

      Solution: Add a bar to the captcha image that contains a message like "NETSYS ROUTER CONFIGURATION LOGIN". Redirecting captchas is feasible, but cutting off part of the image is pretty involved for something contained within an image tag.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
    4. Re:Captcha? by merreborn · · Score: 1

      It sounds like a simple captcha image on the router's login page would thwart this.
      If you happen to leave yourself logged in to your router, captcha wouldn't even cut it -- I'm pretty sure this is a CSRF attack, so any credentials your browser session has are applied. You'd have to put a captcha on every single page -- clearly the wrong solution.

      There are some better solutions, though:
      http://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention ...And of course, remembering to log out once you're done configuring your router also works.
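      The point above is that a captcha on the login page is irrelevant once the browser already holds a valid session: the forged request rides on the cookie. The following added example (not code from the original post or from any router vendor; the endpoint, parameter names and request shape are made up) puts a router's "set DNS" handler in its vulnerable form beside one hardened with the standard CSRF defences: a state-changing POST, a per-session token the attacker's page cannot read, and an Origin check.

```python
"""Vulnerable and hardened versions of a router's 'set DNS' endpoint, showing
why a login captcha does not stop a CSRF from an <img> tag while a session
is live. Added example; the endpoint, parameters and Request shape are made up."""
import hmac
import secrets
from dataclasses import dataclass, field

ROUTER_ORIGIN = "http://192.168.1.1"   # constructed: where the admin UI is served
SESSIONS = {}                          # session id -> {"csrf": token}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a router's web server sees it."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # query string or form body
    headers: dict = field(default_factory=dict)


@dataclass
class Router:
    dns: str = "192.168.1.1"   # constructed default: router forwards DNS itself


def login(router_password, supplied):
    """Issue a session id, and a CSRF token bound to it, after a correct password."""
    if not hmac.compare_digest(router_password, supplied):
        return None
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(16)}
    return sid


def set_dns_vulnerable(router, req):
    """Accepts any request carrying a logged-in session cookie.
    An <img src="http://192.168.1.1/set_dns?dns=..."> on any page satisfies
    this, because the browser attaches the cookie on its own."""
    if req.cookies.get("sid") not in SESSIONS:
        return 403, "login required"
    router.dns = req.params["dns"]
    return 200, "ok"


def set_dns_hardened(router, req):
    """Requires a POST, a matching per-session CSRF token, and (when the
    browser sends one) an Origin header naming the router's own UI."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return 403, "login required"
    if req.method != "POST":
        return 405, "state changes must use POST"
    # A cross-site <img> GET sends no Origin; a cross-site form POST sends the
    # attacker's origin. Absent Origin falls through to the token check.
    origin = req.headers.get("Origin", "")
    if origin and origin != ROUTER_ORIGIN:
        return 403, "cross-site request refused"
    token = req.params.get("csrf", "")
    if not hmac.compare_digest(sess["csrf"], token):
        return 403, "missing or wrong CSRF token"
    router.dns = req.params["dns"]
    return 200, "ok"


def demo():
    """Replay the same forged request against both handlers, then a legitimate
    one against the hardened handler. Returns the statuses and resulting DNS."""
    router_v, router_h = Router(), Router()
    sid = login("correct horse battery", "correct horse battery")
    # What the browser sends for a cross-site <img>: GET, cookie attached,
    # no token, no Origin. The DNS value is a constructed documentation address.
    forged = Request("GET", "/set_dns", cookies={"sid": sid},
                     params={"dns": "203.0.113.9"})
    v_status, _ = set_dns_vulnerable(router_v, forged)
    h_status, _ = set_dns_hardened(router_h, forged)
    # What the router's own configuration page sends.
    legit = Request("POST", "/set_dns", cookies={"sid": sid},
                    params={"dns": "192.0.2.53", "csrf": SESSIONS[sid]["csrf"]},
                    headers={"Origin": ROUTER_ORIGIN})
    l_status, _ = set_dns_hardened(router_h, legit)
    return v_status, h_status, l_status, router_v.dns, router_h.dns


if __name__ == "__main__":
    print(demo())
```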
    5. Re:Captcha? by mrcaseyj · · Score: 1

      Or better still, users should be educated by their bank to check for the lock symbol and the correct domain name so they know who they're connecting to. The advantage of this is that it addresses this and a whole lot more vulnerabilities. And banks should stop using domain names that have no obvious relation to their trademark. For example I know one bank that uses accountonline.com for its domain name. Even if I get the lock symbol I don't know if maybe the crooks just got themselves a domain name and an ssl certificate for it, unless I examine the certificate. And even if I examine the cert. I'm still not sure. But if they use an obvious domain name like citibank.com then I know no scammer could have gotten a certificate for that domain. I suppose all this certificate stuff is probably too much for a lot of customers though.

    6. Re:Captcha? by cheater512 · · Score: 1

      Once an attacker has control over someone's DNS, I wouldn't trust the lock icon at all.
      Too easy for the attacker to add a new root certificate.

    7. Re:Captcha? by Bender0x7D1 · · Score: 1

      Sorry, but I have to go with the Captcha.

      If the user is forced to change the password, customer service is forced to deal with everyone that forgot their password.

      --
      Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
    8. Re:Captcha? by cheater512 · · Score: 1

      The reset button is pretty obvious.

      Anyway tech support already has to deal with the people who cannot read what the initial ip is, what the default password is, etc...
      The added work load would be minimal.

    9. Re:Captcha? by Cato · · Score: 2, Informative

      Which reminds me, Netgear routers seem to redirect 192.168.0.1 to 'routerlogin.com' (owned by Netgear, but actually maps to your router normally). A somewhat dodgy design decision really as it serves to obfuscate what's happening when newbies log on to their router, which can't help them to learn more about security.

    10. Re:Captcha? by Anonymous Coward · · Score: 0

      users should be educated
      Come on, these are Mexicans. They're not much smarter than niggers.
    11. Re:Captcha? by pimpimpim · · Score: 1

      The only reason not to change password is the fact that you will inevitably forget it. I found writing it down on a post-it and pasting that on the bottom of the machine a pretty reasonable solution. That problem solved, routers should just not route any traffic at all before the password is changed. Not much of a programming effort, I would guess.

      --
      molmod.com - computing tips from a molecular modeling
    12. Re:Captcha? by mrcaseyj · · Score: 1

      In basic terms, how would an attacker go about adding a new root certificate so he could impersonate a domain like citibank.com? It is my understanding that the whole idea of SSL is to ensure the identity of the server (and to provide privacy) even against a man in the middle attack. The two obvious ways to accomplish such an attack are to trick a trusted certificate authority into signing the attacker's certificate, or to get a compromised certificate authority into the browser's trusted authorities list. Since those are the two obvious attacks at the core of the protocol, certificate authorities and browser distributors presumably make such compromises difficult.

    13. Re:Captcha? by cheater512 · · Score: 1

      When you control someone's DNS, there are many ways to trick them into accepting a fake CA.

      Hell they could even skip the social engineering techniques and just impersonate Windows Update.
      A security 'patch' which installs it without the user ever knowing.

  4. Biggest Mexican Bank? by xtracto · · Score: 5, Informative

    2Wire DSL routers to point the user's Web browser to a fraudulent bank site that mimics the site of one of the largest Mexican banks.

    There is not much space to guess here, it is either Banamex or Bancomer...

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
    1. Re:Biggest Mexican Bank? by nesmex · · Score: 4, Informative

      Well, yes, it is Banamex. This attack was reported during late last year. This exploits a vulnerability in 2WIRE modems, as documented in US-CERT http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389
      Trend Micro has a more recent report on a variation of this attack http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/
      The UNAM-CERT, also has the "Gusanito" exploit documented (spanish only) at http://www.seguridad.unam.mx/doc/?ap=articulo&id=196
      The attack overrides the modem's password...

    2. Re:Biggest Mexican Bank? by moco · · Score: 2, Interesting

      It was banamex, and the worm modified the target PC's hosts file. It wasn't even sophisticated enough to hack the broadband router... just a .exe file posing as a greeting card.

      --
      moi
  5. Definition? by WarJolt · · Score: 5, Interesting

    What does "drive-by" have to do with this kind of hack? Oh sure we've all logged into neighbors' wireless routers and snickered because they've left the default password. Somehow I think the "drive-by" part was coined by a guy who thought of exploiting unsecured wireless routers and changing DNS settings. Am I the only one who doesn't think "drive-by" applies to this kind of attack?

    1. Re:Definition? by Itninja · · Score: 1

      For that matter, neither does "hack". Though the pure meaning of "hack" will be debated infinitely, I doubt that anyone would define it as 'using a broadly published default setting to change a config setting on a piece of hardware'. Generally it involves at least a little bit of skill. Now if they were writing a script to automatically find, mis-configure, and report any devices....that might be considered a notable hack.

      --
      I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    2. Re:Definition? by Anonymous Coward · · Score: 0

      Oh sure we've all logged into neighbors wireless routers and snickered because they've left the default password.
      Really? Just because you have no ethics doesn't mean that's the standard.
    3. Re:Definition? by WarJolt · · Score: 1

      Didn't say I changed anything I've got more ethics than that. Calm down bro and change your router password before someone who really has no ethics gets ya. ;-)

    4. Re:Definition? by WarJolt · · Score: 1

      I'd assume the guy who would exploit such things would at least need to be able to set up his own DNS as well. A fair amount of knowledge is required. Let's use the term "exploit" because that is a term that is slightly easier to debate.

      With the advent of UPnP type stuff for routers it is easy to write those scripts.
      Heck once you have access to those routers why not just install some custom firmware and give yourself a backdoor?
      You know openwrt runs on a lot of routers nowadays.

      How far from a hack is it really?

      Now if they were writing a script to automatically find, mis-configure, and report any devices....that might be considered a notable hack. Mis-configured routers are less common than unconfigured routers. Most people buy them plug them in and assume they are safe. It's a shame.
    5. Re:Definition? by Vyse+of+Arcadia · · Score: 3, Funny

      I dunno about anyone else, but to me it conjures up images of 90s-era Hollywood hackers. Suave guy in the driver's seat of a red car, his short, befreckled and bespectacled companion laboriously typing on a laptop while muttering things about "This is UNIX" and "His serving RAM is so unprocessed."

    6. Re:Definition? by jberryman · · Score: 1

      I was confused by that too. If someone were actually 'driving by' and came upon an unsecured WAP they could do a hell of a lot more than divert requests to a website. Hell, you could re-flash the router with a linux-based firmware like OpenWRT and basically own their intern3tz. e.g. run a sniffer that logs all interesting traffic to a remote SSH filesystem.

    7. Re:Definition? by timhillu03 · · Score: 1

      The Drive-By part comes from the fact that you can "drive by" a website and be attacked. See the original paper http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf.

    8. Re:Definition? by flaterates · · Score: 1

      Read the Symantec press release http://www.symantec.com/enterprise/security_response/weblog/2008/01/driveby_pharming_in_the_wild.html It's an email exploit, and takes advantage of a vuln in the routers; the payload does its business without logging in. No password required.

    9. Re:Definition? by Anonymous Coward · · Score: 1, Funny

      I've got more ethics than that. Calm down bro

      I'd guess that the chances of someone having developed a strong sense of ethics and also using the word bro are pretty small.

    10. Re:Definition? by parnasus · · Score: 1

      Am I the only one who doesn't think "drive-by" applies to this kind of attack?

      I think drive-by is appropriate in this case because the user only has to visit a site containing the malicious image to initiate the attack. "During the course of web-surfing..." has been my working definition of a drive-by, as opposed to a user-initiated attack (having to open an email). The distinction becomes gray when you combine attack vectors, such as a link in an email requiring the user to navigate to the site containing the malicious image or using SQL injection to upload the image onto the website of a reputable company, so my opinion is no better than another's.

      --
      --If you code for the exceptions, the rules fall into place
  6. British Telecom Home Hub by ddrichardson · · Score: 4, Interesting

    Anyone else notice that BT are taking this seriously - log on to the router's home page and it tells you they have changed the default admin password (well, it will when you enter the unit's serial number as the admin password).

    --
    A thistle is a fat salad for an ass's mouth...
  7. Enough with the default passwords. by GreggBz · · Score: 4, Insightful

    If Bioware can sell $30 software with unique CD-Keys printed on the inside of each jewel case, why can't Linksys sell $40 routers with unique admin passwords printed on each manual? Or better yet, make the default password the last 6 digits of the LAN side MAC address; that can't be terribly hard to manufacture.

    Seriously, you could even honestly market them as "more secure."

    1. Re:Enough with the default passwords. by moderatorrater · · Score: 4, Informative

      Several reasons. First, it's easier to change what gets stamped into a CD than what gets set into the silicon. Second, the CD key isn't actually unique to the CD, it just conforms to an algorithm that determines whether or not the CD key fits the criteria for the software and then, when on the network, checks to make sure that the CD key was actually sold and that it's unique.

    2. Re:Enough with the default passwords. by Zironic · · Score: 1

      The software doesn't check for the unique key; it just checks that the key fulfills some criteria that makes a random guess at a key unlikely to succeed. It's the reason CD key generators work.

    3. Re:Enough with the default passwords. by blair1q · · Score: 3, Interesting

      Because software can pop up a box on your screen saying "go look for the sticker on the box and type the letters and numbers (and maybe the dashes or maybe not, your guess is as good as ours) you see there into this box here then click the button that says 'OK'".

      Hardware says "blink"..."blink"..."blink"... and user calls customer support, adding $10 to the cost of every sale.

    4. Re:Enough with the default passwords. by corsec67 · · Score: 1

      Except that each router already has a unique MAC address in it, which is already used by the system. Actually there are usually three of them: LAN interface, WAN interface, and wireless interface.

      It would be trivial to use the LAN MAC address as the default password.

      --
      If I have nothing to hide, don't search me
    5. Re:Enough with the default passwords. by Anonymous Coward · · Score: 0

      Actually, key generators don't work for our game (Neverwinter Nights) - at least not for online play (which is what you need the key for). They are unique keys created and stored on the master server database and yes, there is a unique key inside each box.

    6. Re:Enough with the default passwords. by Compholio · · Score: 3, Insightful

      It would be trivial to use the LAN MAC address as the default password.
      It would also be trivial for someone to run "arp" while connected to your access point. I agree that they need to use a random default password, but the MAC address would not be sufficient.
    7. Re:Enough with the default passwords. by IdeaMan · · Score: 2, Interesting

      Using the LAN MAC address as the admin password is almost as stupid as using admin as the password.
      LAN MAC address is burned into an EEPROM at time of manufacture. It is also reset to "Factory Default" when you reset the box. It should be trivial to burn a randomized default password at the same time, store it in a database and print it on the manual.
      If the customer calls up with an unresponsive router, customer service can read them the password out of the db.

      --
      They ARE out to get you simply because They are in it for themselves and they don't care about you.
    8. Re:Enough with the default passwords. by fm6 · · Score: 1

      Why get so complicated? Simply design the router software so that you have to change the default password before you can start using it.

    9. Re:Enough with the default passwords. by crymeph0 · · Score: 5, Informative

      It's easier to change what gets stamped into a cd than what gets set into the silicon

      Nope. I do embedded software, and write the test suite all those devices go through before being shipped to the customer. It's pretty standard to set custom stuff at that time, including the MAC ID for the unit. It would be just as easy to change the password at that time.

      Your comment about the CD key, however, is right on.

      --
      It should be illegal to say that freedom of speech should be limited.
    10. Re:Enough with the default passwords. by Lumpy · · Score: 2, Insightful

      How about simpler... the router will NOT function until you set a username and password. It routes no traffic and redirects all web requests to the "Hey stupid user, pick a username and password, no you can't use linksys, router, admin, or password."

      That way the same binary image can be used on every router. Out of the box they do not work, they require the user to have at least 35 brain cells to get it to work and in the process will be safe from this crap.

      --
      Do not look at laser with remaining good eye.
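A model of the forced first-boot setup that Lumpy's post proposes, added here as an example and not anyone's shipping firmware: the device drops all traffic and redirects every HTTP request to a setup page until an admin username and password have been chosen, and the setup page refuses the usual defaults. The Router class, the denylist, the twelve-character minimum and the PBKDF2 storage are assumptions for illustration.

```python
"""Model of a router that refuses to route or expose its admin UI until
the owner has chosen an admin username and password, rejecting the
well-known defaults.  Added example (not any vendor's firmware); the
class, its states and the denylist are assumptions for illustration."""
import hashlib
import hmac
import secrets

# Names the setup page refuses, per the post above; compared case-insensitively.
WEAK_DEFAULTS = {"linksys", "router", "admin", "password"}
MIN_PASSWORD_LEN = 12          # assumed policy, not a vendor value
SETUP_PATH = "/setup"


class Router:
    def __init__(self):
        self._creds = None     # (username, salt, pbkdf2 digest) once set
        self.configured = False

    # --- data plane --------------------------------------------------
    def forward(self, packet):
        """Out of the box every packet is dropped; nothing is routed
        until credentials exist.  Returns True if the packet is forwarded."""
        return self.configured

    # --- captive HTTP front end --------------------------------------
    def http(self, path):
        """Unconfigured: every request is redirected to the setup page.
        Configured: the setup page is gone and admin pages need a login.
        Returns (status, location-or-None)."""
        if not self.configured:
            return (200, SETUP_PATH) if path == SETUP_PATH else (302, SETUP_PATH)
        if path == SETUP_PATH:
            return (404, None)
        return (401, None) if path.startswith("/admin") else (200, path)

    # --- credential policy -------------------------------------------
    @staticmethod
    def _reject_reason(username, password):
        if username.lower() in WEAK_DEFAULTS:
            return "username is a well-known default"
        if password.lower() in WEAK_DEFAULTS:
            return "password is a well-known default"
        if len(password) < MIN_PASSWORD_LEN:
            return f"password shorter than {MIN_PASSWORD_LEN} characters"
        if password.lower() == username.lower():
            return "password equals username"
        return None

    def set_credentials(self, username, password):
        """Returns None on success, or the reason the pair was refused."""
        reason = self._reject_reason(username, password)
        if reason:
            return reason
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._creds = (username, salt, digest)
        self.configured = True
        return None

    def login(self, username, password):
        if not self._creds:
            return False
        user, salt, digest = self._creds
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return user == username and hmac.compare_digest(candidate, digest)


def first_boot_walkthrough():
    """Drives the model through its states; returns a trace of the results."""
    r = Router()
    trace = {
        "routes_before": r.forward(b"constructed packet"),
        "redirect_before": r.http("/"),
        "reject_default": r.set_credentials("admin", "admin"),
        "reject_short": r.set_credentials("owner", "Tr0ub4dor"),
        "accept": r.set_credentials("owner", "correct horse battery staple"),
    }
    trace["routes_after"] = r.forward(b"constructed packet")
    trace["setup_gone"] = r.http(SETUP_PATH)
    trace["login_ok"] = r.login("owner", "correct horse battery staple")
    trace["login_bad"] = r.login("owner", "admin")
    return trace
```

The same firmware image works for every unit because nothing per-device is needed; the trade-off seifried raises (support calls from owners who expect it to "just work") is the cost of the captive setup page, not of the password policy.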
    11. Re:Enough with the default passwords. by theeddie55 · · Score: 2, Insightful

      Or better yet, make the default password the last 6 digits of the LAN side MAC address, that can't be terribly hard to manufacture.
      That wouldn't really help; drive-by attacks access the router from the LAN side anyway, so they would already have access to the LAN side MAC address.
    12. Re:Enough with the default passwords. by seifried · · Score: 1

      Because then people plug it in and it "doesn't work", which results in bad word of mouth and tech support phone calls and emails.

    13. Re:Enough with the default passwords. by zippthorne · · Score: 1

      You can change what gets burned to a CD easily. But by definition if you're stamping CDs, a large number of them are going to have exactly the same data, and you're going to have to go through all the effort to remaster the die if you want to change anything.

      And as for the silicon, if you can make encrypted cordless phones with unique, hardwired keys for $50, you can make a router with a unique hardwired "default" key, too. And you can stamp that in a metal plate on the bottom, so the users can always find it if they have to reset the router.

      --
      Can you be Even More Awesome?!
    14. Re:Enough with the default passwords. by Dannkape · · Score: 1

      I have seen a few German routers that ship with a default wireless password (practically) equal to their MAC address. So it clearly is possible to do. (German laws apparently make you responsible for whatever people do using your connection, so you better not leave it open...)

    15. Re:Enough with the default passwords. by TheThiefMaster · · Score: 1

      I've already made this comment elsewhere in this article's comments, but it's relevant here too.

      BT's newest "home hub" routers come with their wireless password set unique to the router (not sure what it's generated from) and admin password set to the router's serial number.

      I wish more home routers defaulted to this.

    16. Re:Enough with the default passwords. by Alioth · · Score: 1

      Actually, it's not. Each device must be already programmed, and the flash memory will undoubtedly be in-system programmable - that's probably how they get the MAC address on it in the first place. It would be just one additional value to write to have some kind of random ID and password. The firmware isn't an ASIC, it's bog standard trivially reprogrammable flash these days.

    17. Re:Enough with the default passwords. by zeet · · Score: 1

      But they do work for LAN play! All you have to do is add nwmaster.bioware.com 127.0.0.1 to your Hosts file. Generate keys to your heart's content.

    18. Re:Enough with the default passwords. by eap · · Score: 1

      It would also be trivial for someone to run "arp" while connected to your access point. I agree that they need to use a random default password, but the MAC address would not be sufficient.

      It is doable. The 2WIRE routers (those affected by this exploit) come with the default password set to a unique serial number. The serial number is printed on a sticker stuck to the router.

      I know for a fact that 2WIRE has developed s3kr1t unique serial number generation technology that makes this possible.

  8. Cold War Redux by explosivejared · · Score: 2, Funny

    Only this time it's between Mexican scammers and Nigerian ones. For years Nigerian scammers have exercised hegemony in the arena, but now Mexican scammers have upped the ante with this "pharming gap." This can only lead to a scams arms race with other nations as proxies and victims of the complex maneuvering of the two camps. As a helpless American I don't know how long I can stand being the play thing of two foreign powers duking it out for hegemony.

    By the way, I'm rooting for the Nigerians in this grand campaign; at least their scams provide a laugh once in a while.

    --
    I got a catholic block.
    1. Re:Cold War Redux by Malevolent+Tester · · Score: 1

      How do you say "the modalities are assured" in Spanish?

      --
      If you haven't made a developer cry, you've wasted a day.
    2. Re:Cold War Redux by Anonymous Coward · · Score: 0

      las modalidades son ciertas

  9. Gusanito?? by Roadmaster · · Score: 3, Funny

    Dude, gusanito means literally "little worm"; I personally would never open an email saying "hey, you got a postcard from a little worm!". I don't know who would...

    1. Re:Gusanito?? by Jedi+Alec · · Score: 1

      Greetings from the bottom of the tequila bottle?

      --

      People replying to my sig annoy me. That's why I change it all the time.
  10. Fankly, I'm suprised by Itninja · · Score: 3, Funny

    ...that this doesn't happen more often. I can drive through Seattle (and presumably any large city) with my laptop running a wireless network sniffer. After about 10 blocks, I could easily get into no less than 25 wireless routers. They are all configured with the default credentials. Of course, I don't. Sometimes, when it's a law firm, government agency, or some other organization with tons of [other peoples] personal information, I will even call them up and let them know about it, as a courtesy. They usually tell me to take a hike. Then I can show up at their door offering my services as a 'security consultant' (for $200/hr). 'Look here' I say. 'Look how I am easily changing the settings in your router.'. That's usually about the time they wet their $400 slacks and write me a check.

    --
    I judt got a nre Kinesis keybiartf so please excusr ant egregiou typos.
    1. Re:Fankly, I'm suprised by Anonymous Coward · · Score: 4, Insightful

      I presume you're being funny. What you're doing there is just as likely to land you in the hoosegow as a suspected terrorist or something of that nature as it is to make you money. This is not a time in U.S. history where being a Good Samaritan is even remotely a good idea.

    2. Re:Fankly, I'm suprised by Anonymous Coward · · Score: 0

      That's great. And when said law firm gets haxored through some other means, guess which security consultant is getting sued for negligence or some other crap.

    3. Re:Fankly, I'm suprised by canUbeleiveIT · · Score: 4, Funny

      ...that this doesn't happen more often. I can drive through Seattle (and presumably any large city) with my laptop running a wireless network sniffer. After about 10 blocks, I could easily get into no less than 25 wireless routers. They are all configured with the default credentials. Of course, I don't. Sometimes, when it's a law firm, government agency, or some other organization with tons of [other peoples] personal information, I will even call them up and let them know about it, as a courtesy. They usually tell me to take a hike. Then I can show up at their door offering my services as a 'security consultant' (for $200/hr). 'Look here' I say. 'Look how I am easily changing the settings in your router.'. That's usually about the time they wet their $400 slacks and write me a check.
      --

      "It's a simple question, doctor.
      Would you eat the moon if it was made of ribs, or not?"

      CORRECTION: Would you eat the moon if it were made of ribs, or not?

      In this case, the verb "to be" is in the subjunctive mood, which is used to indicate a situation that is hypothetical, conditional or somehow not certain.

      Now, this correction is just a courtesy. However, if you tell me to take a hike, I will show up at your door with A Writer's Reference by Diana Hacker, and you can scratch me out a check. Sorry, I don't know how much you paid for your pants.
    4. Re:Fankly, I'm suprised by Anonymous Coward · · Score: 0

      Wow dude, you are l33t!

    5. Re:Fankly, I'm suprised by Anonymous Coward · · Score: 0

      Not only that but he's a l33t ninja! I bet you're wetting your $400 slacks 'bout now.

    6. Re:Fankly, I'm suprised by Anonymous Coward · · Score: 0

      You don't correct the grammar of a quote, douchebag.

    7. Re:Fankly, I'm suprised by BeanThere · · Score: 0, Offtopic

      That would be clever if it 'were/was not' the case that "was" has actually become an acceptable substitute for the subjunctive form "were".

    8. Re:Fankly, I'm suprised by canUbeleiveIT · · Score: 1

      That would be clever if it 'were/was not' the case that "was" has actually become an acceptable substitute for the subjunctive form "were".

      You're right, it's quite acceptable among those who live in the trailer parks around here. I often hear these people say things like "if I wuz you..." However, educated people use the subjunctive mood because it more accurately conveys information and it's better form. Plus they like not sounding like a dumbass.
    9. Re:Fankly, I'm suprised by canUbeleiveIT · · Score: 3, Funny

      You don't correct the grammar of a quote, douchebag.

      You do if the quote is quoted incorrectly with poor grammar, douchebag.

    10. Re:Fankly, I'm suprised by BeanThere · · Score: 1

      In the first example you "corrected", they're actually interchangeable, but hey, whatever makes you feel better about yourself.

    11. Re:Fankly, I'm suprised by canUbeleiveIT · · Score: 1

      Yes, you're right--they're interchangeable among the members of the Spears family and other poorly educated people. It doesn't have anything to do with how I feel about myself. But hey, whatever makes you feel better about yourself.

    12. Re:Fankly, I'm suprised by Anonymous Coward · · Score: 0

      "You don't correct the grammar of a quote, douchebag."

    13. Re:Fankly, I'm suprised by BeanThere · · Score: 1

      OK, I don't normally feed the trolls, but you've struck on a topic that actually matters a great deal to me: Look, I'm not entirely in disagreement with you, there ARE valid and even pressing reasons to preach precision in language use, and even to make *certain* limited judgments of people based on their language use (on their diligence, not on their worth as a person - these are two different things). But classism, I'm afraid, is not one of those reasons; in fact, not only is it a terrible reason, it's harmful to the very values you are pretending to espouse. It is people who specifically purport a correlation between correct language use and elitism / supposed worth as a person, i.e. to display alleged status, who have caused the current massive cultural rise in the purposeful, nihilistic end-goal of poor language 'skillz, yo'.

      To educate yourself on the REAL reasons 'language matters' (hint, none of which have anything to do with immature displays of classism), I wholly recommend Less than Words Can Say (available online), by Richard Mitchell.

      Clearly your goal was simply to impress upon us all your supposed superiority *yawn*. Unfortunately for you, you just happened to do so incorrectly - you seriously need to educate yourself about the current state of English academia, the entire approach has changed 180 degrees since the 1800s (seriously, I work in this field); whether or not you agree doesn't matter. Honestly though, if you are actually sitting spending your free time trolling peoples' English on Slashdot (where many people aren't even mother-tongue speakers, or speak any of the thousands of dialects of English, many of which are considered far more standard than American English - after all, it's the English who speak English, and nobody else) to point out obscure semi-outdated English "rules" to prove how "educated" and superior you are, that is pathetic, and does indicate some serious underlying self-worth issues that you should get help for, because they are going to affect your quality of life later on.

      Way I see it, if you want to prove to us you're not trailer trash, rather do so by actually saying intelligent, useful things - that will go much much further than throwing a few words about that you think all us poor plebeians can't understand *boo hoo hoo*.

      Having an excellent mastery of English doesn't make you a better person, being a better person makes you a better person. It's possible, as you seem to be trying hard to demonstrate, that you can speak perfect English but still be an asshole who doesn't make the world a better place and instead just pollutes it. Language use, class and value as a human are all independent; you can be a crappy person who speaks great English, a crappy person who speaks terrible English, a decent person who speaks terrible English, a decent person who speaks great English (*ahem*), and any of those combinations may or may not arise from both trailer parks and leafy 'burbs with mansions.

    14. Re:Fankly, I'm suprised by Anonymous Coward · · Score: 0

      Nooo - he was quoting Will Ferrell from a skit on SNL.
      Please don't correct that quote.

    15. Re:Fankly, I'm suprised by Anonymous Coward · · Score: 0

      Extortion! Great idea!

  11. Idiots with default passwords get pwnd, news at 11 by Anonymous Coward · · Score: 5, Insightful

    nothing to see here... move along, folks

  12. Re:Heath Ledger was a young male like most of us. by networkBoy · · Score: 0, Offtopic

    I won't believe this till netcraft confirms it...

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  13. I gotta wonder.. by QuantumG · · Score: 1

    who manages to get a home router to work out of the box with no configuration? And if you're doing configuration to get your router to work, why are you not setting the password to something other than the default? Seriously, some people need a good kick in the head before they realize they shouldn't stand behind the horse.

    --
    How we know is more important than what we know.
    1. Re:I gotta wonder.. by Anonymous Coward · · Score: 0

      because they're incredibly lazy you insensitive clod!

    2. Re:I gotta wonder.. by geekoid · · Score: 1

      Except many people don't actually mind sharing.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    3. Re:I gotta wonder.. by QuantumG · · Score: 1

      We're not talking about the SSID or WPA or WEP here.. we're talking about the administration password on the router.

      --
      How we know is more important than what we know.
    4. Re:I gotta wonder.. by Aladrin · · Score: 1

      You have no idea what he was talking about, obviously.

      Setting the admin password has nothing at all to do with WEP, WPA, or anything else used to keep people off your private WiFi.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  14. DNS cache poisoning by the_kanzure · · Score: 3, Informative
    src

    The paper shows that BIND 9 DNS queries are predictable, i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides very few guesses for the "next" query (10 in the basic attack, and 1 in the advanced attack), thereby overcoming whatever protection is offered by the transaction ID mechanism. This enables a much more effective DNS cache poisoning than the currently known attacks against BIND 9. The net effect is that pharming attacks are feasible against BIND 9 caching DNS servers, without the need to directly attack either DNS servers or clients (PCs). The results are applicable to all BIND 9 releases [1], when BIND (the named daemon) is in caching DNS server configuration.
    Langfeldt's DNS how-to
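A practitioner reading the paper quoted above would want a way to check whether their own caching resolver actually varies its source port and transaction ID. The following is an added example, not code from the paper, from BIND or from the how-to linked above: it parses tcpdump-style query lines (the samples are constructed, using documentation addresses) and reports whether the source port is fixed and whether the IDs advance like a counter. The "effective bits" figure is a rough estimate from the ports actually observed, not a formal measure.

```python
"""Check whether a caching resolver's outbound queries vary their UDP
source port and transaction ID, the two values the BIND 9 paper shows
can be predicted.  Added example, not code from the paper or from BIND;
the log format is tcpdump -n style and the sample lines are constructed."""
import math
import re

# tcpdump -n style: "IP <src>.<sport> > <dst>.53: <txid>+ A? <name>."
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<txid>\d+)\+? A\? (?P<name>\S+)"
)


def parse_queries(lines):
    """Returns a list of (source_port, txid) for every line that is a query."""
    out = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            out.append((int(m["sport"]), int(m["txid"])))
    return out


def _looks_sequential(values):
    """True if every step between consecutive values is the same small
    increment, the pattern a plain counter produces (modulo 16 bits)."""
    if len(values) < 3:
        return False
    steps = {(b - a) & 0xFFFF for a, b in zip(values, values[1:])}
    return len(steps) == 1 and 0 < next(iter(steps)) <= 10


def assess_query_randomness(lines):
    """Summarises how much an off-path spoofer would have to guess."""
    queries = parse_queries(lines)
    ports = [p for p, _ in queries]
    txids = [t for _, t in queries]
    distinct_ports = len(set(ports))
    # Rough estimate: the 16-bit transaction ID times the number of
    # source ports actually seen in use.  A fixed port leaves 16 bits.
    effective_bits = math.log2(65536 * max(distinct_ports, 1))
    return {
        "queries": len(queries),
        "distinct_ports": distinct_ports,
        "port_fixed": distinct_ports == 1 and len(queries) > 1,
        "txid_sequential": _looks_sequential(txids),
        "effective_bits": round(effective_bits, 1),
    }


# Constructed captures (documentation addresses only):
# resolver 192.168.1.254 querying upstream 203.0.113.53.
PREDICTABLE = [
    "IP 192.168.1.254.53011 > 203.0.113.53.53: 41231+ A? example.com.",
    "IP 192.168.1.254.53011 > 203.0.113.53.53: 41232+ A? example.net.",
    "IP 192.168.1.254.53011 > 203.0.113.53.53: 41233+ A? example.org.",
    "IP 192.168.1.254.53011 > 203.0.113.53.53: 41234+ A? example.edu.",
]
RANDOMIZED = [
    "IP 192.168.1.254.40217 > 203.0.113.53.53: 9154+ A? example.com.",
    "IP 192.168.1.254.61903 > 203.0.113.53.53: 58221+ A? example.net.",
    "IP 192.168.1.254.33380 > 203.0.113.53.53: 27016+ A? example.org.",
    "IP 192.168.1.254.50442 > 203.0.113.53.53: 3389+ A? example.edu.",
]
```

Run it over a real capture of your resolver's outbound port 53 traffic; a fixed source port or counter-like IDs is the condition under which the paper's guess counts apply, and the fix is on the resolver, not the clients.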
    1. Re:DNS cache poisoning by Anonymous Coward · · Score: 0
      This /. article has nothing to do with DNS cache poisoning you nincompoop. According to TFA they changed the resolver settings to point to a different DNS server.

      Why is it that every time someone mentions "DNS" and "security exploit" together these days, it's automatically assumed to be a cache-poisoning problem?

      For that matter, the query-ID predictability problem mentioned in parent article is not, strictly speaking, a "cache poisoning" issue either, since it (potentially) allows spoofing of DNS responses that haven't been cached yet. Admittedly, once the bogus answer is cached, the damage is amplified, but let's get our terminology straight, ok? Hacking someone's DNS resolver settings isn't "cache poisoning", nor is spoofing a DNS response, although either of these can have the secondary effect of putting "bad" data in the cache. "Bad" is kinda like "poisoned", I guess. But not really.

  15. what's all this about javascript? by spiffmastercow · · Score: 1

    In the article about how the attack works, it says that you would need to use "malicious javascript code". I was wondering... Why is javascript so important, aside from the fact that it would be required to more closely mimic most modern web sites?

    1. Re:what's all this about javascript? by ASBands · · Score: 1

      Not that I read TFA, but I would imagine the Javascript is embedded in the email, which loads a pop-up to "192.168.1.1" and attempts to login with "admin" as a username and "admin" as a password. Reading from the pop-up page, the Javascript wouldn't have too difficult of a time figuring out the router version and changing the DNS server. It might be doable with Ajax, which would allow this all to happen behind the scenes. Obviously, this isn't going to work for any competent user, as changing the default password would solve my more-than-likely flawed way to carry out the attack, but what percentage of users are competent?

      Or I could be completely wrong.

      --
      My UID is a prime number. Yeah, I planned that.
  16. Most Pooter owners too dumb to own one by Anonymous Coward · · Score: 4, Informative

    If you have a home network, there are several ways to secure it. Every router that I have ever owned has several characteristics. Look for the 'reset' key, make sure it is there and not like Asante where you have to short terminals 3 and 8 on the serial port...showin my age there folks. Make sure it is a real router and not a windows appendage. Do NOT use a PCI modem that you cannot disconnect fast. Use an external modem on a SERIAL port. Do not use a combination cable modem/router. This is foisted on many users, and as a default feature sets up remote administration from the outside. That remote admin 'feature' is 'supposed to allow customer engineers to help......' you out of all your money. Don't surf as administrator if microsoftintheheady or as root if a linux penguin. That's just askin to get hosed. Yeah, I'm a ramblin old fart, but all these things I have picked up from experience. Definitely change the default password, 'admin' or whatever on the router to something realllly strange and long. Write that password down and put it in your wallet, your wife's ring box, or whatever. Do not even try to memorize it as you will forget it when you need it. Don't use 'DHCP' that routers and network vendors want you to do. This means that all home networks are on 192.168.1.0 or some predictable net address that all hackers try first. Use a REAL network with a real address like 192.168.205.89 or something. This forces hackers to really fail many many times in guessing your network setup. With a real network, hand out your own addresses and make them random in the third and fourth hex digits so that hackers will have to guess out each and every terminal on your net. Now add MAC security to your router so that the hacker not only has to correctly guess from a crore of non standard addresses to address it, but only those with the right computer NIC can even be qualified to guess the password! Having a switch available to shut down suspects in a hurry helps too.
    I could go on, but if you have followed all this rambling, print it out and do it.

    1. Re:Most Pooter owners too dumb to own one by Kalriath · · Score: 1

      Whoa, might want to invest in an enter key there dude.

      But anyway, those are really good ideas. However, I don't see it necessary to turn off DHCP, though I would encourage layering your network and only the inner box has DHCP, and then only on the LAN interface.

      How I do it is a 3COM OfficeConnect on the outside, which is a 4-port ADSL Router. I don't have a modem because ADSL technically can't have MODEMs (ADSL lacks modulating AND demodulating) - even though I can't get Blizzard support to understand this. One of the ports runs to the web server. Another port runs to a Sonicwall SOHO3's WAN port (old, but does the job). The Sonicwall's LAN port plugs into an 8 port switch (cheap one, but all it needs to do is allow me to plug 8 machines into one LAN port).

      The webserver cannot access any machines on the internal network (behind the Sonicwall), nor can any internet machine. The 3COM is on a completely different IP range (and even subnet!) from the Sonicwall's LAN machines, and the Sonicwall won't bridge them. Both of them use an HTML form to authenticate, not HTTP BASIC. They don't even have the same password.

      Though the 3COM only has support for MAC filtering on the WLAN interface (which I have enabled, as WLAN is only for my laptop, nothing else), no such feature that I can find offhand exists on the Sonicwall. No matter, since any clandestine devices being attached to that segment of the network need to be plugged in to the switch beside my desk anyway (good luck with that).

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    2. Re:Most Pooter owners too dumb to own one by lazy_playboy · · Score: 1

      Poor troll.

    3. Re:Most Pooter owners too dumb to own one by ThinkingInBinary · · Score: 1

      ADSL lacks modulating AND demodulating

      Er, what are you talking about? I was under the impression that ADSL signals were modulated and demodulated, otherwise (as raw DC voltages carrying serial data?) they would be destroyed by the phone equipment at any transformer.

    4. Re:Most Pooter owners too dumb to own one by adolf · · Score: 3, Insightful

      Good advice.

      But you forgot something: When a friend brings their PC/PSP/PS3/Wii/Xbox/iPhone/iPod over, and wants to use it with teh Intarwebs, go ahead and set it up and give them the passphrase and IP assignment, but make sure you destroy your friend before they leave.

      You can't allow any chance of your uber-obscurity leaking outside, right? Eventually, you'll eliminate all of your friends, but that has the nice benefit of eliminating the potential leaks.

      Naw, better to keep it simple. Don't run as root/admin. Set an unusual password (something other than your SO or child's name is adequate). Set a different, unusual, and lengthy WAP passphrase. Use the strongest encryption you can with the devices on your network (AES, AES / TKIP, or just TKIP, in order of preference).

      Done.

      MAC filtering? Disabling DHCP? IP address range hide and seek?

      Bullshit. All that does is make it harder for you and the people you trust to use the network. And if I, the creepy dude in the van across the street, get to a point where any of those stupid tricks will start to matter, they won't make any difference at all. If I'm clever enough to get past WAP, then I'm clever enough to clone a MAC address while sniffing past the rest of your security-through-obscurity features.

      [And what's all that talk about serial ports? Are we still in 2008, or did we just jump back 10 years?]

    5. Re:Most Pooter owners too dumb to own one by Novus · · Score: 1

      I don't have a modem because ADSL technically can't have MODEMs (ADSL lacks modulating AND demodulating)
      Wrong. See e.g. ITU-T recommendation G.992.1, sections 7.11 and 8.11.
    6. Re:Most Pooter owners too dumb to own one by Jumphard · · Score: 1

      Mod adolf (parent) up. Seriously - the guy without the enter key doesn't know what he's talking about at all. Serial ports? Disabling DHCP? Enter-key guy read "Networks for Dummies circa 1980" and thinks he knows what he's talking about.

      Oh no! All local networks have a 192.168.0.1 IP address! OMG the internet is going to be haxed! He clearly doesn't have the first clue about local DHCP versus WAN IP addresses. How about he prints this off and reads it.

      As far as the article goes I am not certain that external websites can change my router's HOSTS (DNS) table without directly logging into the router. It seems suspect that if I set WEP and a strong password on my router, some hosted image could execute commands on my router.

    7. Re:Most Pooter owners too dumb to own one by Pharmboy · · Score: 1

      Or set up each computer with a static local IP and static DNS server, in addition to WEP, etc. Something I have been doing for years. Not very hard to find a DNS server near you to use, such as the ISP's. You can even read it off the router's setup page if you must.

      And no, I am not a boy who pharms.

      --
      Tequila: It's not just for breakfast anymore!
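Pharmboy's approach of pinning resolvers per host only helps if you notice when they change, and the router's own settings still need watching. As an added example (not the poster's setup and not a vendor tool), the code below parses the nameservers from an /etc/resolv.conf-style file or from a constructed "dns1=/dns2=" router status dump and flags any resolver that is neither on an allowlist of expected addresses nor the router's own LAN address. All addresses, keys and sample files are constructed.

```python
"""Detection side of drive-by pharming: compare the resolvers a host or
router is actually using against the ones you expect, so a changed DNS
setting shows up as a finding.  Added example (not the poster's setup
or any vendor tool); allowlist, status keys and samples are constructed."""
import ipaddress
import re

EXPECTED_RESOLVERS = {"203.0.113.53", "203.0.113.54"}   # constructed ISP resolvers
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_resolv_conf(text):
    """Nameservers in /etc/resolv.conf order, comments ignored."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out


def parse_router_status(text):
    """'dns1=' / 'dns2=' lines from a key=value status dump.  The key
    names are an assumption; real firmware varies."""
    return re.findall(r"^\s*dns[12]\s*=\s*(\S+)\s*$", text, re.M | re.I)


def audit_resolvers(resolvers, expected=EXPECTED_RESOLVERS, router_lan_ip=None):
    """Returns (address, reason) for every resolver that is not expected.
    A host pointing at the router itself is fine when router_lan_ip is given;
    the router's own upstream list is then audited separately."""
    findings = []
    for r in resolvers:
        try:
            addr = ipaddress.ip_address(r)
        except ValueError:
            findings.append((r, "not an IP address"))
            continue
        if r in expected or (router_lan_ip and r == router_lan_ip):
            continue
        if any(addr in net for net in LOCAL_NETS):
            findings.append((r, "private address that is not the router"))
        else:
            findings.append((r, "public resolver not on the allowlist"))
    return findings


def run_sample_audit():
    """Constructed inputs: a clean host, a router whose first upstream
    has been changed, and a host pointed at another machine on the LAN."""
    clean_host = "# constructed /etc/resolv.conf\nnameserver 192.168.1.254\n"
    pharmed_router = "dns1=198.51.100.9\ndns2=203.0.113.54\n"
    lan_rogue = "nameserver 192.168.1.77\nnameserver 203.0.113.53\n"
    return {
        "clean_host": audit_resolvers(parse_resolv_conf(clean_host),
                                      router_lan_ip="192.168.1.254"),
        "pharmed_router": audit_resolvers(parse_router_status(pharmed_router)),
        "lan_rogue": audit_resolvers(parse_resolv_conf(lan_rogue),
                                     router_lan_ip="192.168.1.254"),
    }
```

Scheduling the router-side check (pulling the status page and feeding it to `audit_resolvers`) is what turns a silent DNS change into an alert; the per-host check catches a box that was reconfigured directly.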
    8. Re:Most Pooter owners too dumb to own one by operagost · · Score: 2

      With a real network, hand out your own addresses and make them random in the third and fourth hex digits so that hackers will have to guess out each and every terminal on your net.
      Sounds like someone doesn't understand how DHCP and subnetting work. You can change the DHCP addressing range on your router so that it gives out, say, 192.168.100.0/24. There is no need to use manual addressing unless you have untrusted people able to physically plug into your LAN. Also, IPv4 addresses can be expressed in hex, but normally decimal is used. I assume by "third and fourth hex digits" you mean the third and fourth octets. If you want to do that, you would have to use a 16-bit subnet mask. Although addressing has been classless for many years, using the range 172.16.0.0/16 would be the safest.

      Now add MAC security to your router so that the hacker not only has to correctly guess from a crore of non standard addresses to address it,
      Small children know that this can be easily circumvented with a simple network sniffer. Unfortunately, it seems that not many small children frequent Slashdot as your post has been modded up to +4. I note that you did not even mention encryption or authentication, which are two of the most common security methods (as opposed to the obscurity methods you mentioned) that one could use on a network.

      You really should reeducate yourself before you start sounding like this guy.
      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
  17. Pharming??? by jez9999 · · Score: 5, Funny

    Will these terrible names, which apparently attempt to draw an analogy between a computer-related misdemeanor and some agricultural pastime, never end? I'm just waiting for some guy from F-Secure to call porn 'phucking'.

    1. Re:Pharming??? by Anonymous Coward · · Score: 0

      I'm just waiting for some guy from F-Secure to call porn 'phucking'.

      Why would he do something so phoolish?

  18. Who is the Market? by hardburn · · Score: 0, Offtopic

    Somebody must be buying from these companies, or they wouldn't be trying such abusive advertisement tactics. Who are these people? Are they smart enough to breed? And if so, what argument is there against sterilizing them?

    --
    Not a typewriter
    1. Re:Who is the Market? by Anonymous Coward · · Score: 0

      Somebody must be buying from these companies, or they wouldn't be trying such abusive advertisement tactics. Who are these people? Are they smart enough to breed? And if so, what argument is there against sterilizing them?

      Buying? We're all talking about someone setting up a fake website pretending to be the biggest bank in Mexico. There's no advertising or selling involved. This is fraud.

    2. Re:Who is the Market? by SL+Baur · · Score: 1

      Who are these people? Are they smart enough to breed? I don't know, but I'm so happy to be typing from a Mac where I'm completely immune to this kind of stuff. As a matter of fact, hold my beer and watch th
    3. Re:Who is the Market? by Anonymous Coward · · Score: 0

      1) fraud not ads
      2) yes, they breed MORE than more intelligent people do.
      3) politicians require a certain percentage of the population to remain slobberingly ignorant of anything around them lest the politicians get 1) voted out or 2) government overthrown

  19. Gamers are used to it... by msimm · · Score: 1

    Linksys would have to write in the cost of supporting all those users who have lost/misplaced the passwords or their technical support.

    --
    Quack, quack.
  20. Worse possibilities by Pitr · · Score: 2, Interesting

    If you change the proxy settings on routers that have them, you could wreak all kinds of havoc, as you'd have access to all traffic, not just DNS requests. Or, you could update the firmware to something custom, with all kinds of sneaky badness hidden within, including blocking future clean firmware updates.

    It's a little extra work, but the companies that make these things should have unique passwords per device, or at least have logging into the admin interface wirelessly off by default. In an attempt to make things "just work" or "work right out of the box" security has suffered greatly.

    Also, if people need to read one page of detailed instructions to make their new device work, it will give them at least some tiny education about security. If they can't handle that, then they can pay someone to set it up for them. There's really no excuse for openly offering up security holes this big.

    --

    --Not to be worried, Pitr fix.
  21. $1 too much by bill_mcgonigle · · Score: 1

    LAN side MAC address, that can't be terribly hard to manufacture.

    My guess: it would cost $50K in R&D, $200K in equipment costs, $0.40 in parts and $0.60 in labor/time for each unit to make this happen.

    A beancounter somewhere would see that $1 as "cost we could get out of the unit".

    Seriously, you could even honestly market them as "more secure."

    Yes, but beancounters are called that because they can't see the big picture. Many times CEO's fit this bill.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  22. Appropriate name indeed by ElMiguel · · Score: 1

    It seems pretty appropriate that the fake e-mail appears to come from a company called Gusanito, which literally means "little worm".

  23. Let me explain by Pasajero · · Score: 5, Informative

    I live in Mexico, and yes, the bank name is Banamex (owned by Citibank) and this is how the hack works:

    The most prominent ISP in Mexico (Telmex) uses 2wire gateway modems, most of them wireless enabled. Security is turned on by default using serial numbers so no one from outside can login "easily".

    However, there is no default security from the inside, so the gusanito.com postcard contains a malicious Flash program that sends a special URL to the modem that adds a DNS entry to its local name resolution table pointing www.banamex.com to a pharming site.

    Next time you open IE or any other browser and open www.banamex.com you'll get redirected to the other site.

    This is easily solved by putting a user password on the modem configuration, but not all people care to do that.

    1. Re:Let me explain by nesmex · · Score: 3, Informative

      Sorry to say this, but the attack overrides the modem's password. The attack from Gusanito and similar attacks (i.e. El Universal) probe with different common 2WIRE router addresses to get to the MDC. Fortunately it is not that elaborate... This attack was reported during late last year. This exploits a vulnerability in 2WIRE modems, as documented in US-CERT http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389
      Trend Micro has a more recent report on a variation of this attack http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/
      The UNAM-CERT, also has the "Gusanito" exploit documented (spanish only) at http://www.seguridad.unam.mx/doc/?ap=articulo&id=196
      The attack overrides the modem's password...

    2. Re:Let me explain by Anonymous Coward · · Score: 0

      "This easily solved putting a user password on the modem configuration, but not all people care to do that."

      Not so fast. Even with a password set, this can ALSO override and reset the modem's password, then the attack carries on to change the settings.

      http://www.darkclockers.com/foros/showthread.php?p=55503
      That's in spanish, if you want the google translation
      http://translate.google.com/translate?hl=en&sl=es&u=http://www.darkclockers.com/foros/showthread.php%3Fp%3D55503&sa=X&oi=translate&resnum=1&ct=result&prev=/search%3Fq%3DH04_POST%26hl%3Den%26sa%3DG

      It does reset the 2wire modems password and change the settings as well. Verified on my 2wire modem.

    3. Re:Let me explain by Anonymous Coward · · Score: 0

      Well let ME explain TO YOU...

      Guess that like everyone, YOU aren't even aware of the REAL issue behind this "attack".
      This attack works because IT WILL OVERWRITE YOUR DEFAULT OR EVEN YOUR PERSONALIZED PASSWORD...

      So yeah, that's right: even if you use your big nerdy 64-digit alphanumeric + special chars or just your really huge pass phrase, it WON'T matter, because the bug exploits a vulnerability inside the wizard where no password will ever be asked for or needed; it just overwrites the current one and puts in another, and after all this it adds the DNS resolve routes without you even noticing.

      So again, YES, you can go watch pr0n and get owned while watching, even if you take care of the normal security steps.

    4. Re:Let me explain by Pasajero · · Score: 1

      Go easy on caffeine buddy, I have tested the hack several times and it fails to reset the password on my modem (2700HG) why? I don't care. So at least in my experience, having a password seems to work just fine.

  24. what's your range? B, G, A, or N by Maarek · · Score: 1

    The attack can only be made within the range of the router. The infiltrator will log into the router with the default password that was NEVER changed and then set up the default location of what the user might look for. In other words, this is a planned attack, and the packet sniffing will need to watch where the user goes for online banking, shopping, or bill paying. From there, they would need to reconstruct ALL the pages just to collect the necessary data to "steal" their identity. Someone who does view the online shops frequently will notice any difference to the web pages.

    Is this a new type of threat? Yes, where is it more likely to happen? In a city or dense community.

  25. Look for the "https:" by steveha · · Score: 4, Informative

    As I understand it, even with this so-called pharming technique, the bad guys still cannot correctly spoof an "https:" page... at least not without compromising the private key used to secure the SSL connection, or compromising the private key of the certificate signing authority.

    When I explain to people how to use the Web, I always tell them to look for the security indicators before doing anything involving money.

    P.S. I wouldn't be surprised if the bad guys here added Javascript code to their fake bank site, to rewrite the address bar of the web browser to show the "https:". This is why I prefer to do all my online banking with Javascript disabled; thank you, NoScript.

    steveha

    --
    lf(1): it's like ls(1) but sorts filenames by extension, tersely
    1. Re:Look for the "https:" by CoolVC · · Score: 1

      Why would javascript allow someone to change the address bar? Might as well just let a web page run random binary code on my computer while we're at it.

    2. Re:Look for the "https:" by Anonymous Coward · · Score: 0

      As I understand it, even with this so-called pharming technique, the bad guys still cannot correctly spoof an "https:" page... at least not without compromising the private key used to secure the SSL connection, or compromising the private key of the certificate signing authority.

      As long as people know not to agree to bad keys. Sadly, I'm forced to agree to one of these at least once a month, just to surf some website that doesn't even need https. Sure, I'm smart enough to only agree to keep the key for a session and would never agree for one where security mattered, but the public doesn't understand this stuff and we don't seem to be able to make it simple enough.

    3. Re:Look for the "https:" by Anonymous Coward · · Score: 0

      There are phishing sites in the wild that do spoof the address bar. The URL below explains a couple of the tricks used. I guess they aren't changing the actual bar, they are just spoofing it, but that's enough to fool most users.

      It's why Firefox added the feature where the actual web site is displayed in a standard location, one that is not accessible with Javascript.

      http://www.fraudwatchinternational.com/phishing-fraud/phishing-web-site-methods/

    4. Re:Look for the "https:" by ckdavid · · Score: 1

      interesting

    5. Re:Look for the "https:" by timhillu03 · · Score: 1

      But how many people know what certificate warnings are really for? If somebody doesn't care enough to change the default password on their router, the odds that they care about certificate warnings are pretty low as well.

    6. Re:Look for the "https:" by CoolVC · · Score: 1

      I'll admit that is a clever solution for spoofing the address bar.
      I had what I considered to be a legitimate reason a while back to spoof an address bar, and was disappointed that it wasn't trivial to do. Never considered spoofing it like that.

      (The legitimate reason being that a site is changing links inside frames, so the location bar never changes, and I wanted the user to be able to bookmark any page)

    7. Re:Look for the "https:" by Burz · · Score: 1

      More than that, look for:

      1) The lock symbol. It should be on the address bar, preferably displayed whole without a line running through it. The presence of https: alone doesn't highlight the connection's overall level of trust/security.

      2) The DOMAIN NAME. Most people, even most techies, forget this crucial part. The certificate/lock validates the domain name, and YOU must determine if that domain name is the one you really want to talk to. Ex: the site 'ebai.com' may have a perfectly valid certificate, even if you meant to go to 'ebay.com' instead... so you must check the spelling of WHO you are connected to. The certificate ensures that the domain hasn't been hijacked to a server that isn't registered for that domain name (i.e. what your address bar says you're accessing really is the right server).

      Beyond that, it is (or ought to be) up to each user to decide whether they trust the outfit with which they are browsing.

    8. Re:Look for the "https:" by Switche · · Score: 1

      Please prove me wrong on this one if you are able, but to all my knowledge, changing the address bar with JavaScript is impossible. JavaScript can read the URI, and can write a new URI via the "window.opener.parent.location" object, but cannot change the address bar without changing the URI (thus executing the new request). This would have to be accomplished via URL rewriting software or modules on the Web server, which the attacker has control over, but I'm not 100% sure (as in, I have not done so myself) if you can change the protocol using rewrites, though it's been suggested via documentation that you can. Even if you could, I don't see why any modern browser wouldn't still verify the existence/validity of an SSL Certificate, even with a rewritten URL. That's just faith-based, though :).

      I've worked with WebApp security for a few years now, and the worst I've seen JavaScript capable of in this time has been XSS, which is not exactly a vulnerability of JavaScript. I'd also love someone to provide some examples if JS is indeed so vulnerable.

      Regardless of the SSL Certificate issue you brought up, though an entirely valid point, I could think of many social engineering methods around the need to technically "break" SSL here. For example, they've already connected to my Web server via my localized DNS attack, and I simply need the "secure" login page to be hosted on a domain which I have authority over. As those of us who work with SSL know too well, you only need to own a domain name to register a certificate to it. If the attacker is concerned with people not accepting the site due to a bad certificate (which the majority of users still will not understand as a breach), they simply change the login page to a valid SSL domain, fooling the majority of the remaining users who simply look for validated SSL. Many banks do not use trademarked domain names for login pages, so I myself have a hard time verifying the validity of some SSL sites I end up on.

      I was shocked to hear this attack had never been witnessed "in the wild." Of course it has been theorized for a long time, but I gave our blackhat counterparts a little more credit than that.
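
As an added example that is not part of the thread (and not code from any browser), here is what steveha's, Burz's and Switche's points reduce to when written out: a toy Python version of the two checks a browser makes before it shows the lock. It verifies that the certificate's issuer is in the trust store and that one of the certificate's names matches the host in the address bar; it has no way to know which bank the user meant. Chain building, expiry and revocation are left out; the "Example Root CA" trust store, the certificates and the attacker's banamex-secure.example domain are constructed for the example.

```python
# Added example, not code from the page or from any browser: the two checks
# behind the lock icon, reduced to a toy. The trust store, certificates and
# the attacker's domain banamex-secure.example are constructed for the example.
TRUSTED_CAS = {"Example Root CA"}                  # constructed trust store


def hostname_matches(pattern, hostname):
    """Match one name from the certificate against the host in the address
    bar. Wildcards only as the whole left-most label, never across a dot and
    never against a bare suffix such as *.com."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h                           # exact match: ebai.com != ebay.com
    if not p.startswith("*.") or "*" in p[2:]:
        return False
    labels = h.split(".")
    if len(labels) < 3 or not labels[0]:
        return False
    return ".".join(labels[1:]) == p[2:]


def browser_verdict(cert, requested_host, trusted_cas=TRUSTED_CAS):
    """cert is {'issuer': CA name, 'names': [dNSName, ...]}. Returns 'ok' (lock
    shown), 'untrusted-issuer' or 'name-mismatch' (warning dialog). Chain
    building, expiry and revocation are left out of this toy."""
    if cert["issuer"] not in trusted_cas:
        return "untrusted-issuer"
    if not any(hostname_matches(n, requested_host) for n in cert["names"]):
        return "name-mismatch"
    return "ok"


# constructed certificates
BANK_CERT = {"issuer": "Example Root CA", "names": ["www.banamex.com", "banamex.com"]}
PHARMER_FORGED = {"issuer": "Pharmer Self-Signed", "names": ["www.banamex.com"]}
PHARMER_OWN_DOMAIN = {"issuer": "Example Root CA", "names": ["*.banamex-secure.example"]}


def pharming_scenarios():
    """What the user sees once the gateway resolves www.banamex.com to the pharmer."""
    return {
        # honest DNS, the bank's own certificate: lock
        "real bank": browser_verdict(BANK_CERT, "www.banamex.com"),
        # pharmed DNS, a forged certificate for the bank's name: warning
        "pharmed, forged cert": browser_verdict(PHARMER_FORGED, "www.banamex.com"),
        # pharmed DNS, the pharmer's own validly issued certificate: warning
        "pharmed, wrong name": browser_verdict(PHARMER_OWN_DOMAIN, "www.banamex.com"),
        # pharmer instead sends the login form to a domain he owns: lock again,
        # and only the user can notice the name is not the bank's
        "redirected to pharmer's domain": browser_verdict(
            PHARMER_OWN_DOMAIN, "login.banamex-secure.example"),
    }


if __name__ == "__main__":
    for what, verdict in pharming_scenarios().items():
        print(f"{what:32} {verdict}")
```

The last scenario is the one Switche describes: once the fake site hands the login form off to a domain the attacker legitimately owns, the certificate is valid, the lock is shown, and the only remaining check is Burz's second one, reading the domain name.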

  26. Re:Sad news by Anonymous Coward · · Score: 0

    He was Australian, you insensitive clod!

  27. Frankly, you're an extortionist. by Train0987 · · Score: 1

    "Then I can show up at their door offering my services as a 'security consultant' (for $200/hr). 'Look here' I say. 'Look how I am easily changing the settings in your router.'. That's usually about the time they wet their $400 slacks and write me a check."

    So you're gonna make 'em an offer they can't refuse, huh? That's called extortion.

    Gangsta-geek?

  28. "Samaritan" huh? by NotQuiteReal · · Score: 1

    We don't cotton to no foreigners 'round these parts.

    --
    This issue is a bit more complicated than you think.
  29. Last two routers I bought fixed this by patio11 · · Score: 2, Insightful

    They came with a big piece of yellow tape over the power terminal and the LAN cable ports, which said "STOP. Put the CD in first, and follow the instructions on the screen."

    The instructions on the screen were, predictably, written so that you could understand them if you were six. One of them was "Pick a username and password". Presto-changeo, no need for a factory default.

    I don't remember the makes and models of the routers, though. They're a commodity -- I went into Best Buy and, for the first time in my life, the magically appearing salesman was actually useful. "I need a wireless router." "Size of the house?" "Small." "Here." "Thanks. My, that was easy." Commodity appliances for the win.

    1. Re:Last two routers I bought fixed this by CSMatt · · Score: 1

      My WRT54GL came with the same instructions. I would have followed them if I weren't already desensitized by the last few times I was told to run the CD first when I bought new hardware - times in which I found out that not only was the CD completely unnecessary, but it only served to try and install junk software onto my computer. Considering that my last router was a router/modem combo that came from my ISP and the included CD was exactly like this, I pretty much assumed a similar situation.

  30. Hey, I am an insensitive clod by Anonymous Coward · · Score: 0

    you insensitive clod!

  31. The AC has it right! by SMS_Design · · Score: 2, Insightful

    Because "hackers" can't run a packet sniffer and have all of that info in 30 seconds.

    Security by obscurity. Great policy.

    1. Re:The AC has it right! by Anonymous Coward · · Score: 0

      Once you've established excellent security adding obscurity is fun and obnoxious. It's not there to do anything and you never depend on it. It's there to piss off and delay an attacker for a millisecond or three. Every delay is gold. I mean what is not to love about dumping a meg from urandom on a telnet port in response to a probe? Just one time then having that port be quiet for a time. How about having 'sendmail' dump what looks to be classified documents? Or ...

      Best evar is honey pots. Really. Unlimited hilarity. If you've ever heard of Hunt the Wumpus, consider something similar but more fractal to lead an attacker a merry chase.

  32. This happened while interviewing at Encore.com by Anonymous Coward · · Score: 0

    But I think they jacked it the old fashion way not with these newfangled drive-bys

  33. need help! by Anonymous Coward · · Score: 0

    Sorry for posting this here but I don't know where else to go. I'm 13 and i need some advice. I know it's full of guys here and my parents would kill me if I go on sex sites D:

    I have embarrassing erections all the time! I get them waking up and going to bed and all the time at school, like I was talking to this girl I like the other day and I got one and I think she may have noticed! What do I do, Slashdot? Help!!!!

  34. ADSL = fancy modem by Anonymous Coward · · Score: 0
  35. Mod +1 -- by Woldry · · Score: 1

    -- for Phunny.

    --
    How can a post be modded "overrated" or "underrated" when it hasn't been rated yet?
  36. Clever name... by alleycat0 · · Score: 1

    ...as 'gusanito' is Spanish for "little worm".

    --
    I am not a number - I am a free man!
  37. First reported case? by Anonymous Coward · · Score: 0

    Symantec needs to widen its searching.

  38. DHCP is fine, use a less obvious IP range by Cato · · Score: 1

    You are confusing static addressing (which doesn't help) with choosing a less obvious IP range (which does). It's fine to use DHCP, just change the address you use to something non-default - anything in 192.168.0.0/24 or 172.x or 10.x ranges (check RFC1918) is good. That way the malware on a PC will have to scan first to know what to attack, which raises the bar slightly, although at Ethernet speeds it wouldn't take very long to scan the whole 192.168.x address range.

    BTW the 'third and fourth hex digits' doesn't make sense - I guess you mean the third and fourth octets e.g. 205 and 89 in your example IP address, or the lower 16 bits of the IPv4 address.

    Incidentally, IPv6 will be more secure in this respect since it uses the MAC address (or a random number) for the lowest 64 bits of the 128 bit address.

    Having said all that, I just did a test of "ping 192.168.x.255" for my home LAN, and I got a nice response from only one device - the home router (DD-WRT on WRT54G)... My Ubuntu box and a Windows box didn't respond, interestingly - apparently Windows never responds to broadcast pings. Pinging 192.168.255.255 proved only that my home router and ISP don't do bogon filtering as it reached the ISP's router. Oh well...

    Since broadcast pings work fine, the only question becomes how to write malware that can do a ping for this simple network discovery - the answer is a signed ActiveX control or Java applet, which is how most spyware gets installed, so that isn't too hard.

  39. And Sky...sort of by IBBoard · · Score: 1

    Sky do the same. Kind of.

    They give you a Netgear router, and it doesn't use admin:password. Hurrah for security improvements! Instead it uses admin:sky...

    Yes, it really was that basic a change! As far as I've found they don't even let normal users know how to log in and change it, I just guessed it. They also leave their SSID as one that screams "I'm a sky box" so anyone scanning for networks can even see that your password will probably be "sky".

  40. Re:Sad news by E.J.Thribb · · Score: 0

    So.

    Farewell then, Heath Ledger.
    Seems you were
    quite
    popular
    down under.

    I mean that
    you are or were
    Australian.

    But the other thing is
    also true.

    Topically, your name was an anagram
    of
    Death Helger
    except Helger is not a word
    unless you are Swedish
    and
    a girl.

    --
    (Age 17 1/2)
  41. Depends on your definition of "MODEM" by DrYak · · Score: 1

    ADSL doesn't use the normal voice band, but uses an independent higher frequency band.

    What was classically called a modem in home computers was a specific device that modulated digital data into sound that could subsequently be carried over phone lines, radio links or more exotic means.

    In this perspective the GP poster is right: ADSL is NOT such a modem because it modulates using a different frequency band, thus enabling the concurrent use of both voice AND internet (or voice/data and internet if the phone line is an ISDN one).

    Otherwise, by your definition (MODEM = anything that modulates/demodulates), not only should ADSL be considered a modem, but also ethernet NICs with BNC connectors, Wifi antennas, DVB receivers, sound cards, tape and disk drives, etc.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  42. Power outages... by woolio · · Score: 1

    I've seen power outages reset the settings on a router. (Yes there is a backup battery, no it doesn't always work).

    Problem is if people are using wired ethernet on it, they don't realize it has been reset (still works).

  43. Gusanito by OhHellWithIt · · Score: 1

    Gusanito means "little worm", or maybe "wormie". I'd have thought that was a name for a trojan download site. (I'm proud to say I learned this bit of Spanish vocabulary from the label on a bottle of tequila.)

    --
    "Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
  44. Simple solution. by t0rc · · Score: 0

    The router comes with no username/password, or a blank password. The router firmware can detect if it has the default password, and if so redirects all DNS queries to its own admin page, which is a "change your password" wizard. You don't have to configure the whole modem, but it won't operate with a default password. You can always reset it if they forget what the password is, but they won't be able to make outbound DNS queries until the password is changed.

  45. Never accept critical changes from a GET request by bigtrike · · Score: 1

    This is one of the most basic types of attacks, I can't believe people still write code with this vulnerability. NEVER accept a request to change critical information from a GET request. Better yet, never accept any data in a URL which is expected to come from a form POST instead. Check the referrer, if it's present.

    The web interface of this device was obviously written by someone with absolutely no clue.
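
Written out as an added example (not code from the page, from 2Wire or from Symantec): a toy Python model of the gateway admin handler that Pasajero and nesmex describe in comment 23, with the GET-driven form that an e-card's image tag can drive beside one that follows bigtrike's rule above. The admin address 192.168.1.254, the /setdns path and its parameters, the pharming IP 203.0.113.5, the webmail and attacker domains and the session handling are all assumptions made up for the example. One design choice goes beyond "check the referrer, if present": a state-changing POST that carries neither Origin nor Referer is refused, on the grounds that the router's own admin form always submits from the router's own page.

```python
# Added example, not code from the page, from 2Wire or from Symantec: a toy
# model of a home gateway's admin handler. Admin address, /setdns path and
# parameters, pharming IP and attacker domain are all made up for this example.
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

ROUTER_ORIGIN = "http://192.168.1.254"      # assumed LAN-side admin address
# the request the e-card's <img src=...> makes the victim's browser send
EVIL_IMG_SRC = ROUTER_ORIGIN + "/setdns?host=www.banamex.com&ip=203.0.113.5"


def _origin_of(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


class Router:
    def __init__(self):
        # hostname -> IP: the gateway's local name-resolution table, which the
        # attack poisons so that www.banamex.com resolves to the pharming site
        self.dns_overrides = {}
        self.csrf_tokens = {}               # session id -> token

    def issue_csrf_token(self, session_id):
        """Minted when the admin UI renders its form; bound to the session."""
        token = secrets.token_hex(16)
        self.csrf_tokens[session_id] = token
        return token

    def _apply(self, params):
        host = params.get("host", [""])[0]
        ip = params.get("ip", [""])[0]
        if not host or not ip:
            return 400
        self.dns_overrides[host.lower()] = ip
        return 200

    def vulnerable_handle(self, method, url, headers=None, body=None, session_id=None):
        """Before: the change is applied from any request that names the path,
        so a cross-site GET from an <img> tag is enough."""
        p = urlsplit(url)
        if p.path != "/setdns":
            return 404
        return self._apply(parse_qs(p.query))

    def hardened_handle(self, method, url, headers=None, body=None, session_id=None):
        """After: POST only, same-origin Origin/Referer, and a per-session CSRF
        token that a page on another site cannot read."""
        headers = headers or {}
        p = urlsplit(url)
        if p.path != "/setdns":
            return 404
        if method != "POST":
            return 405                      # a GET never changes state
        origin = headers.get("Origin") or headers.get("Referer")
        if origin is None or _origin_of(origin) != ROUTER_ORIGIN:
            return 403                      # absent or foreign origin
        form = parse_qs(body or "")
        expected = self.csrf_tokens.get(session_id)
        supplied = form.get("csrf", [""])[0]
        if not expected or not hmac.compare_digest(supplied, expected):
            return 403
        return self._apply(form)            # parameters come from the body, not the URL


def email_image_tag_attack(router, handler_name):
    """The mail client fetching the e-card's <img>: a bare GET with the
    webmail site as Referer. Returns (status, resulting override table)."""
    handler = getattr(router, handler_name)
    status = handler("GET", EVIL_IMG_SRC, headers={"Referer": "http://webmail.example/"})
    return status, dict(router.dns_overrides)


def forged_post_attack(router, session_id="sess-1"):
    """A hidden auto-submitting form on the attacker's page: the browser
    attaches the victim's session but stamps the attacker's Origin, and the
    page cannot know the token."""
    router.issue_csrf_token(session_id)
    status = router.hardened_handle(
        "POST", ROUTER_ORIGIN + "/setdns",
        headers={"Origin": "http://gusanito.example"},
        body="host=www.banamex.com&ip=203.0.113.5&csrf=guess",
        session_id=session_id)
    return status, dict(router.dns_overrides)


def legitimate_change(router, session_id="sess-1"):
    """The owner submitting the admin form from the router's own page."""
    token = router.issue_csrf_token(session_id)
    status = router.hardened_handle(
        "POST", ROUTER_ORIGIN + "/setdns",
        headers={"Origin": ROUTER_ORIGIN},
        body=f"host=printer.lan&ip=192.168.1.20&csrf={token}",
        session_id=session_id)
    return status, dict(router.dns_overrides)


if __name__ == "__main__":
    print(email_image_tag_attack(Router(), "vulnerable_handle"))  # (200, {'www.banamex.com': '203.0.113.5'})
    print(email_image_tag_attack(Router(), "hardened_handle"))    # (405, {})
    print(forged_post_attack(Router()))                           # (403, {})
    print(legitimate_change(Router()))                            # (200, {'printer.lan': '192.168.1.20'})
```

Note what the hardened handler does not rely on: the admin password. nesmex's and the anonymous posters' reports that the 2Wire wizard resets the password show why a password check alone is the wrong place to stop a request the victim's own browser was tricked into sending; the request has to be rejected for being cross-site, whatever credentials ride along with it.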

  46. +6 Funny by Anonymous Coward · · Score: 0

    Thanks for the good laugh...I needed it this afternoon.