Slashdot Mirror


Drive-By Pharming In the Wild

An anonymous reader writes "Symantec reported Tuesday that the first case of drive-by pharming, in which a hacker changes the DNS settings on a customer's broadband router or wireless access point and directs the link to a fraudulent Web site, has been observed in the wild. The first drive-by pharming attack has been observed against a Mexican bank: 'It's associated with an e-mail pretending to be from a legitimate Spanish-language e-greeting card company, Gusanito.com,' says Symantec Security Response principal researcher Zulfikar Ramzan. Inside the e-mail is an HTML image tag but instead of displaying images, it sends a request to the home router to tamper with it."
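The request shape in the summary is a browser fetching an `<img src=...>` URL that lands on the router's admin interface. The following is an added example, not part of the submission and not Symantec's or any vendor's code: a minimal model of how a router admin endpoint should refuse that request. The endpoint paths, the LAN address and the sample requests are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

# Hypothetical router admin endpoints whose handlers change device state
# (DNS servers, WAN settings). Paths are constructed for this example.
STATE_CHANGING_PATHS = {"/apply_dns.cgi", "/apply_wan.cgi"}
# The origin the router's own admin pages are served from (constructed LAN address).
ROUTER_ORIGIN = "http://192.168.1.1"


@dataclass
class Session:
    """An authenticated admin session. The CSRF token is a secret that only the
    router's own pages ever see, so a foreign page cannot include it."""
    username: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    form: Dict[str, str]
    session: Optional[Session] = None  # resolved by the server from a cookie


def authorize_state_change(req: Request) -> Tuple[bool, str]:
    """Decide whether a request may change router configuration.

    Returns (allowed, reason). Each check on its own defeats the request shape
    in the summary (a browser fetching an <img src=...> URL aimed at the
    router); together they are defence in depth."""
    if req.path not in STATE_CHANGING_PATHS:
        return True, "not a state-changing endpoint"
    # 1. An image tag can only make the browser issue a GET. Configuration
    #    changes must never be reachable through GET at all.
    if req.method != "POST":
        return False, "state change via GET refused"
    # 2. The caller must be logged in; anonymous requests are rejected outright.
    if req.session is None:
        return False, "no authenticated session"
    # 3. Browsers attach Origin (or Referer) to form posts. A form submitted
    #    from a third-party page carries that page's origin, not the router's.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    parsed = urlparse(origin)
    if f"{parsed.scheme}://{parsed.netloc}" != ROUTER_ORIGIN:
        return False, f"cross-origin request from {origin or '<none>'}"
    # 4. The per-session CSRF token must be echoed back; compare in constant time.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, req.session.csrf_token):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo() -> list:
    """Run three constructed requests through the check and return the verdicts."""
    sess = Session(username="admin")
    # The summary's shape: an <img> tag makes the browser fetch a URL, which
    # arrives as a GET with no Origin header and no form body. Even with an
    # authenticated session it must be refused.
    img_tag_get = Request("GET", "/apply_dns.cgi", {}, {}, session=sess)
    # A form auto-submitted from a foreign page is a POST, but carries that
    # page's origin (constructed value).
    foreign_post = Request("POST", "/apply_dns.cgi",
                           {"Origin": "http://evil.example"},
                           {"dns1": "203.0.113.5"}, session=sess)
    # A legitimate change made from the router's own admin page.
    legit_post = Request("POST", "/apply_dns.cgi",
                         {"Origin": ROUTER_ORIGIN},
                         {"dns1": "192.0.2.53", "csrf_token": sess.csrf_token},
                         session=sess)
    return [authorize_state_change(r) for r in (img_tag_get, foreign_post, legit_post)]


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The first check alone (no configuration changes over GET) is enough to stop an image-tag request; the Origin and token checks also cover a form auto-submitted from a foreign page, which the thread's default-password discussion does not address.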

13 of 205 comments

  1. Pfft by Kalriath · Score: 4, Insightful

    So, I suppose this "hack" fails entirely on any router which... well, either has a default password or (like any high end router) doesn't use HTTP basic authentication? No worries for me, my 3com is safe as houses.

    --
    For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    1. Re:Pfft by cheater512 · Score: 2, Insightful

      My AMD X2 'router' is also immune.

      Having a real workhorse as your router improves security dramatically as well as allowing you to do some really cool things. :)

  2. Let me guess... L: "admin" P: "admin" by Zymergy · Score: 2, Insightful
  3. Enough with the default passwords. by GreggBz · Score: 4, Insightful

    If Bioware can sell $30 software with unique CD-Keys printed on the inside of each jewel case, why can't Linksys sell $40 routers with unique admin passwords printed on each manual? Or better yet, make the default password the last 6 digits of the LAN side MAC address; that can't be terribly hard to manufacture.

    Seriously, you could even honestly market them as "more secure."

    1. Re:Enough with the default passwords. by Compholio · Score: 3, Insightful

      It would be trivial to use the LAN MAC address as the default password.
      It would also be trivial for someone to run "arp" while connected to your access point. I agree that they need to use a random default password, but the MAC address would not be sufficient.
    2. Re:Enough with the default passwords. by Lumpy · Score: 2, Insightful

      How about simpler... the router will NOT function until you set a username and password. It routes no traffic and redirects all web requests to the "Hey stupid user, pick a username and password, no, you can't use linksys, router, admin, or password."

      That way the same binary image can be used on every router. Out of the box they do not work, they require the user to have at least 35 brain cells to get it to work and in the process will be safe from this crap.

      --
      Do not look at laser with remaining good eye.
    3. Re:Enough with the default passwords. by theeddie55 · Score: 2, Insightful

      > Or better yet, make the default password the last 6 digits of the LAN side MAC address, that can't be terribly hard to manufacture.

      That wouldn't really help, drive-by attacks access the router from the LAN side anyway, so would already have access to the LAN side MAC address.
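Two ideas from this sub-thread fit together: Lumpy's router that forwards nothing until the user has chosen credentials (with the vendor names he lists refused), and Compholio's and theeddie55's observation that a password derived from the LAN MAC address is readable by anyone already on the LAN. The following is an added example, not any commenter's code and not any vendor's firmware, modelling both. The blocklist, the sample MAC and the class and function names are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
from typing import List, Optional, Tuple

# Vendor and placeholder passwords named in the thread plus a few other
# common defaults; none may be chosen. Constructed list for this example.
BLOCKED_PASSWORDS = {"linksys", "router", "admin", "password", "1234", "12345678"}
MIN_LENGTH = 12


def _hex_only(s: str) -> str:
    """Keep only hex digits, lower-cased, so 3C:4D:5E, 3c4d5e and 3c-4d-5e compare equal."""
    return re.sub(r"[^0-9a-f]", "", s.lower())


def password_problems(username: str, password: str, lan_mac: str) -> List[str]:
    """Return every reason the chosen password is unacceptable (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BLOCKED_PASSWORDS:
        problems.append("vendor/default password")
    if password.lower() == username.lower():
        problems.append("password equals username")
    # Anyone on the LAN can read the router's MAC (arp), so a password that is
    # a run of six or more of its hex digits is effectively public.
    hex_part = _hex_only(password)
    if len(hex_part) >= 6 and hex_part in _hex_only(lan_mac):
        problems.append("derived from the LAN MAC address")
    return problems


class SetupGate:
    """Router that forwards nothing until an administrator has set credentials.

    Until then every web request is redirected to the setup page and all other
    traffic is dropped, so one firmware image can ship with no default password."""

    def __init__(self, lan_mac: str):
        self.lan_mac = lan_mac
        self._credentials: Optional[Tuple[str, bytes, bytes]] = None

    @property
    def configured(self) -> bool:
        return self._credentials is not None

    def handle(self, kind: str) -> str:
        """kind is 'web' for an HTTP request, anything else for other traffic."""
        if self.configured:
            return "forward"
        return "redirect:/setup" if kind == "web" else "drop"

    def complete_setup(self, username: str, password: str) -> List[str]:
        """Store credentials if acceptable; return the list of problems otherwise."""
        problems = password_problems(username, password, self.lan_mac)
        if problems:
            return problems
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._credentials = (username, salt, digest)  # never the plaintext
        return []

    def check_login(self, username: str, password: str) -> bool:
        if not self.configured:
            return False
        stored_user, salt, digest = self._credentials
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return stored_user == username and hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    gate = SetupGate("00:1A:2B:3C:4D:5E")  # constructed MAC
    print(gate.handle("web"))                                    # redirect:/setup
    print(gate.complete_setup("admin", "admin"))                 # three problems
    print(gate.complete_setup("owner", "3C:4D:5E"))              # MAC-derived, too short
    print(gate.complete_setup("owner", "correct horse battery")) # []
    print(gate.handle("web"))                                    # forward
```

The MAC check strips separators before comparing, so the last six digits typed with or without colons are both caught; the stored credential is a salted PBKDF2 hash rather than the password itself, which is what a real firmware image should keep.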
  4. Re:Captcha? by cheater512 · Score: 4, Insightful

    Or maybe force users to change the password.

    Which one makes more sense? :P

  5. Idiots with default passwords get pwnd, news at 11 by Anonymous Coward · Score: 5, Insightful

    nothing to see here... move along, folks

  6. Re:Frankly, I'm surprised by Anonymous Coward · Score: 4, Insightful

    I presume you're being funny. What you're doing there is just as likely to land you in the hoosegow as a suspected terrorist or something of that nature as it is to make you money. This is not a time in U.S. history where being a Good Samaritan is even remotely a good idea.

  7. Last two routers I bought fixed this by patio11 · Score: 2, Insightful

    They came with a big piece of yellow tape over the power terminal and the LAN cable ports, which said "STOP. Put the CD in first, and follow the instructions on the screen."

    The instructions on the screen were, predictably, written so that you could understand them if you were six. One of them was "Pick a username and password". Presto-changeo, no need for a factory default.

    I don't remember the makes and models of the routers, though. They're a commodity -- I went into Best Buy and, for the first time in my life, the magically appearing salesman was actually useful. "I need a wireless router." "Size of the house?" "Small." "Here." "Thanks. My, that was easy." Commodity appliances for the win.

  8. The AC has it right! by SMS_Design · Score: 2, Insightful

    Because "hackers" can't run a packet sniffer and have all of that info in 30 seconds.

    Security by obscurity. Great policy.

  9. Re:Most Pooter owners too dumb to own one by adolf · Score: 3, Insightful

    Good advice.

    But you forgot something: When a friend brings their PC/PSP/PS3/Wii/Xbox/iPhone/iPod over, and wants to use it with teh Intarwebs, go ahead and set it up and give them the passphrase and IP assignment, but make sure you destroy your friend before they leave.

    You can't allow any chance of your uber-obscurity leaking outside, right? Eventually, you'll eliminate all of your friends, but that has the nice benefit of eliminating the potential leaks.

    Naw, better to keep it simple. Don't run as root/admin. Set an unusual password (something other than your SO's or child's name is adequate). Set a different, unusual, and lengthy WAP passphrase. Use the strongest encryption you can with the devices on your network (AES, AES / TKIP, or just TKIP, in order of preference).

    Done.

    MAC filtering? Disabling DHCP? IP address range hide and seek?

    Bullshit. All that does is make it harder for you and the people you trust to use the network. And if I, the creepy dude in the van across the street, get to a point where any of those stupid tricks will start to matter, they won't make any difference at all. If I'm clever enough to get past WAP, then I'm clever enough to clone a MAC address while sniffing past the rest of your security-through-obscurity features.

    [And what's all that talk about serial ports? Are we still in 2008, or did we just jump back 10 years?]