Millions of Home Routers Are Hackable
Julie188 writes "Craig Heffner, a researcher with Maryland-based security consultancy Seismic, plans to release a software tool at the Black Hat conference later this month that he says could be used on about half the existing models of home routers, including most Linksys, Dell, and Verizon FiOS or DSL versions. The tool apparently exploits the routers through DNS rebinding. While this technique has been discussed for 15 years or more, Heffner says, 'It just hasn't been put together like this before.'" Notebooks.com has a list of routers tested and some advice on securing vulnerable routers.
You mean besides using default admin/password... (Score:3, Insightful)
Re:You mean besides using default admin/password.. (Score:5, Funny)
The tool apparently exploits the routers through DNS rebinding. Wjhile this technique has been discussed for 15 years or more, Heffner says 'It just hasn't been put together like this before.'"
Ha Ha! I changed my default username to "adjminstrator" and password to "passjword"! Good luck hjackers!
Re:You mean besides using default admin/password.. (Score:5, Insightful)
In any exploitation scenario where the router login page isn't simply sitting on the WAN side, happily accepting all comers to try their luck, the hypothetical attacker would probably use a list of default username/password pairs for common router brands, or a list of known exploits for common router models.
Even the most trivial password change would save you entirely from the former, and no password change available would save you from the latter. A password brute-force attack system, written in javascript and injected via the method described, is conceivable; but it would only have until you close the browser window, and it would be subject to any rate-limiting imposed by the router's login page or the browser's JS engine, so it would probably be pretty tepid.
Obviously, if you are going to change your password, change it right; but the difference between default password and bad password is likely a good deal greater than the difference between bad password and good password, when it comes to crackability...
Re:You mean besides using default admin/password.. (Score:4, Interesting)
Just serve up a web page that looks exactly like your router's settings menu. They'll log in with admin / admin and THINK they're in. In reality they're just playing with widgets that aren't bound to anything at all.
Re:You mean besides using default admin/password.. (Score:4, Funny)
Then they click submit and BAM you hit 'em with tubgirl.
Re:You mean besides using default admin/password.. (Score:5, Funny)
Ha Ha! I changed my default username to "adjminstrator" and password to "passjword"! Good luck hjackers!
Wouldn't stop them if they're Swedish!
And yes, I'm an insensitive Cljod!
Re: (Score:2)
For years, I've used the serial number on the bottom of the router written backwards as the admin password. If you have physical access to the box, you have access a la reset button, and there's nothing obvious about the router that says "Here's my password", and the password is thereafter never forgotten.
Re:You mean besides using default admin/password.. (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2, Interesting)
The attack relies on the attacker being able to guess the victim router's internal IP address, and to associate a host name of their choice with that internal address. Most routers will use their manufacturers' default addresses which are easy to guess. Since DNS rebinding relies on chance, forcing the attacker to make more incorrect guesses lowers the success rate of the attack. Therefore, attackers are unlikely to attempt to guess all of 10/8 or 192.168/16 etc. (tens of thousands of possibilities) when th
Re: (Score:2, Informative)
Re: (Score:2)
blah blah luggage blah blah
Re: (Score:2, Insightful)
I've never heard of that manufacturer, but that's just plain bad, not sad. Telnet was useful back in the days when the internet was so small, many of us users actually knew each other, but I can't think of a single legitimate reason (excuse) to allow it to run now.
"List of routers affected" is just a picture (Score:2, Interesting)
Re:"List of routers affected" is just a picture (Score:5, Informative)
Re:"List of routers affected" is just a picture (Score:5, Informative)
Here's a direct link to the spreadsheet of routers, without the IFRAME so it's easier to read: https://spreadsheets.google.com/pub?key=0Aupu_01ythaUdGZINXQ5Vi16X3hXb3VPYkszNXM0YXc&hl=en&output=html&widget=true [google.com]
Re: (Score:2)
Wow, the Linksys WRT-54G series is in there as well. That makes for a HUGE amount of routers, because this baby is still going strong after eight years, even if it's not the complete WRT-54G series that's vulnerable.
Re: (Score:2)
Thanks, this is what bugs me:
OpenWRT N/A N/A Kamikaze r16206 YES
Now how to thwart the new dns prebinding attack part? (I've a strong pass.)
Re:"List of routers affected" is just a picture (Score:5, Insightful)
"One comfort for users may be that Heffner's method still requires the attacker to compromise the victim's router after gaining access to his or her network."
So, this is a problem if you've left your router with its default admin password, or there's a vulnerability in the firmware which can be exploited. The same as every other possible exploit of consumer^h^h^h^h^h^h^h^hall hardware.
Who published this article? Oh, hey kdawson. Glad to see you're still on form. Seriously, let me filter this shit out of the RSS feed.
Re: (Score:2)
My problem with it is that it was published in Greedhead Magazine, AKA "Forbes". I would rather have read an article from a tech publication.
So, this is a problem if you've left your router with its default admin password, or there's a vulnerability in the firmware which can be exploited.
It's still of interest, though. This would allow you to use the router to gain access to the PC, circumventing the PC's software firewall (even though I would trust a hardware firewall before I trusted a software firewall)
Re: (Score:2)
My problem with it is that it was published in Greedhead Magazine, AKA "Forbes".
If the information is accurate, then what's the problem? Would you have the same objections if it was published in Mother Jones or The Nation?
Re: (Score:2)
All the routers I've seen in the past couple of years have a sticker at the bottom which displays the default password. It's usually a randomly generated set of letters and numbers - such as "rt2ey67dh6qg8".
In other words, a router left with the default admin password is pretty sec
Re: (Score:2)
Unfortunately every now and then there are security flaws found in the CGI or AJAX scripts that run on the router. (Think admin pages that do not properly sanitize input.) And if you're running such an affected version, then even with a random default password an attacker can be malicious.
Re: (Score:2)
So, this is a problem if you've left your router with its default admin password, or there's a vulnerability in the firmware which can be exploited. The same as every other possible exploit of consumer^h^h^h^h^h^h^h^hall hardware.
Fortunately there aren't millions of routers out there with known vulnerabilities allowing you to reprogram them without a password, often just using a simple URL you can put in an image tag. Oh, hang on, there are: the router my ISP ships was exploited a year or two back in some Central American country to reprogram its DNS server to redirect banking accesses to a phishing site.
But I agree, I don't really see what this attack adds over just using an image tag going to http://router/powned [router].
Re:"List of routers affected" is just a picture (Score:4, Informative)
Re:"List of routers affected" is just a picture (Score:5, Informative)
Here ya go:
| Vendor | Model | H/W Version | F/W Version | Successful |
|---|---|---|---|---|
| ActionTec | MI424-WR | Rev. C | 4.0.16.1.56.0.10.11.6 | YES |
| ActionTec | MI424-WR | Rev. D | 4.0.16.1.56.0.10.11.6 | YES |
| ActionTec | GT704-WG | N/A | 3.20.3.3.5.0.9.2.9 | YES |
| ActionTec | GT701-WG | E | 3.60.2.0.6.3 | YES |
| Asus | WL-520gU | N/A | N/A | YES |
| Belkin | F5D7230-4 | 2000 | 4.05.03 | YES |
| Belkin | F5D7230-4 | 6000 | N/A | NO |
| Belkin | F5D7234-4 | N/A | 5.00.12 | NO |
| Belkin | F5D8233-4v3 | 3000 | 3.01.10 | NO |
| Belkin | F5D6231-4 | 1 | 2.00.002 | NO |
| D-Link | DI-524 | C1 | 3.23 | NO |
| D-Link | DI-624 | N/A | 2.50DDM | NO |
| D-Link | DIR-628 | A2 | 1.22NA | NO |
| D-Link | DIR-320 | A1 | 1 | NO |
| D-Link | DIR-655 | A1 | 1.30EA | NO |
| DD-WRT | N/A | N/A | v24 | YES |
| Dell | TrueMobile 2300 | N/A | 5.1.1.6 | YES |
| Linksys | BEFW11S4 | 1 | 1.37.2 | YES |
| Linksys | BEFSR41 | 4.3 | 2.00.02 | YES |
| Linksys | WRT54G3G-ST | N/A | N/A | YES |
| Linksys | WRT54G2 | N/A | N/A | NO |
| Linksys | WRT160N | 1.1 | 1.02.2 | YES |
| Linksys | WRT54G | 3 | 3.03.9 | YES |
| Linksys | WRT54G | 5 | 1.00.4 | NO |
| Linksys | WRT54GL | N/A | N/A | YES |
| Netgear | WGR614 | 9 | N/A | NO |
| Netgear | WNR834B | 2 | 2.1.13_2.1.13NA | NO |
| OpenWRT | N/A | N/A | Kamikaze r16206 | YES |
| PFSense | N/A | N/A | 1.2.3-RC3 | YES |
| Thomson | ST585 | 6sl | 6.2.2.29.2 | YES |
Re: (Score:2)
Re: (Score:2)
If you can run a script within the network, you don't need to compromise the router. There's a bunch of unprotected windows boxes inside that network you can easily compromise.
Re: (Score:2)
So informative, thank you Sir! Do you have a list of IP's that match said routers? :-)
Re: (Score:2)
I can believe it... (Score:5, Interesting)
When the run was finished, all the real computers in the house had passed, with the exception of a few informational messages(Hey! this computer is running an SSH server, did you do that or should you be freaking out right now?). On the other hand, I had to physically reset over half of the assorted little-bitty-embedded-plastic-boxes-of-various-network-functions to get them working again.
And that was with the "safe" tests.
Based on the version and vulnerability information being reported(for devices that I do, in fact, update vendor firmwares on, when those are available) the state of consumer embedded devices is absolutely fucking pathetic. Blatantly outdated and known-vulnerable services listening merrily away in the latest vendor firmwares for products less than a year old...
Re: (Score:2)
Hmm, I like the looks of OpenVAS, I'll have to try it out. Thanks for the tip!
Re: (Score:3, Insightful)
Re:I can believe it... (Score:4, Interesting)
Indeed. I found a bug in a D-Link DIR-655 and was completely unable to report it to them. I couldn't even log into their support system because according to them I don't own my own router (serial already in use) and couldn't find a more technical or security contact at the company.
The product still contains the bug - it is also using the latest firmware.
Re:I can believe it... (Score:5, Insightful)
Re:I can believe it... (Score:4, Insightful)
And yet to be topical, the article is complete bullshit.
In order to be compromised, you must first be compromised! Well, no shit! The author then goes on to explain that this is easy because most people don't change their router's password.
So to summarize the story, if your system is easily compromised, expect to be further compromised. If your system is not compromised, then nothing has changed. In other words, people who don't lock their door in high crime areas experience higher rates of property theft. News at 11.
I personally don't find this interesting, let alone newsworthy.
Re: (Score:2)
Yes, it still needs to be coupled with an actual exploit; but it is something of a big deal because, while the WAN side security of routers is at least OKish(your vendor has to be really crap to be running the web interface, telnet, or anything of that nature on the outside), the LAN side security is somewhere betwee
Re: (Score:2)
but it is something of a big deal because
It's actually not. If you already have access to the router, which absolutely is required, you can already do pretty much anything you want. For example, you could redirect all DNS requests to the "hacker's" DNS server and achieve exactly the same result. Or hell, you could install your own custom router firmware which forwards all LAN side http and ssh requests (transparent proxy) to the "hacker's" own proxies.
Basically, by the time this hack ever becomes relevant, you've likely already been seriously compr
Maybe I missed it... (Score:2)
"In order to be compromised, you must first be compromised! Well, no shit! The author then goes on to explain that this is easy because most people don't change their router's password."
Maybe I'm missing something here, but is the researcher saying that this kind of attack can bypass a router even if it has WAN-side admin access disabled? Is he remotely hijacking the browser, and then attempting to access the router from the inside via a standard address (usually 192.168.0.1)?
If that's the case then this is
Re: (Score:2)
Re: (Score:2)
Exactly what is the sploit? (Score:3, Interesting)
Just trying to understand this...
But a site can have multiple IP addresses, a flexibility in the system designed to let sites balance traffic among multiple servers or provide backup options.
Heffner's trick is to create a site that lists a visitor's own IP address as one of those options. When a visitor comes to his booby-trapped site, a script runs that switches to its alternate IP address--in reality the user's own IP address--and accesses the visitor's home network, potentially hijacking their browser and gaining access to their router settings.
How does your DNS stack pick up a new IP address for a host name once it's already been resolved? I don't understand the mechanism for this part of the exploit. Anyone?
Okay, so let's say the attacker can pull this part off without a problem...
One comfort for users may be that Heffner's method still requires the attacker to compromise the victim's router after gaining access to his or her network. But that can be accomplished by using a vulnerability in the device's software or by simply trying the default login password. Only a tiny fraction of users actually change their router's login settings, says Heffner.
So, then the hacker has to rely on the browser running some javascript in the victim's browser that will actually break the security of the victim's gateway router?
Definitely your vulnerability goes up once an attacker can approach your gateway from the inside, but this isn't a free pass through everyone's home system. Seems like just changing your default password is a great first step to prevent any shenanigans.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Interesting)
no password at all? try "impossible to even set a password"
On December 19th 2008 I bought a Sweex LW300 wireless router ( http://sweex.nl/lw300 [sweex.nl] ) only to discover that the damn telnet service would not require a password AT ALL if you connected from the inside network.
Even if I set a password for the web admin interface, cycled power two or three times, it was all for nothing. The telnet service was left wide open for anyone on the internal network (including wireless). Not even the passwd command was worki
Re: (Score:3, Insightful)
> in total about 10 thousand euros of lost sales for Cisco/Linksys because of that one crap router they saddled me with for Christmas 2008
So their filter against non-profitable clients has worked as expected.
Each time a human at Linksys touches a customer, the company incurs at least 5 euro in costs. Since Linksys relies on retail volume and not consultation for their consumer sales, it's to their financial advantage to never hear from customers once the sale has been made, and especially to their advant
Re:Exactly what is the sploit? (Score:4, Informative)
Going to be interesting to see what this talk is going to add to the mix though... Either way, now would be a really good time to change any easy to remember, alpha-numeric only device passwords, if you've got any.
Re:Exactly what is the sploit? (Score:5, Insightful)
It's not that big a deal. It's a headline of the type you're likely to find in the Daily Mail; Sensationalist and inaccurate. There might be more info in the future which justifies the grandeur of the statement, but right now (pre-Black Hat) it's just bullshit sensationalist speculation from Slashdot's specialist on the matter.
(Yeah, I'm getting a chip on my shoulder about this guy.)
Re: (Score:3, Insightful)
A dictionary attack using JavaScript in your own browser? Even assuming there is no lockout time for login attempts built into the router that would take fricking forever, and it would be interrupted the moment you closed your browser. This seems like it would be a vector for a firmware bug attack or for an attempt at obvious default passwords. Otherwise it would almost certainly fail.
Re: (Score:3, Funny)
Will he never cease to amaze me?!
Re: (Score:2)
My router didn't allow internet access until you changed the admin password. After that, you could change it back *if* you wanted, but it was just that way for the first time setup.
Same for the wireless. The AP on my router came disabled and required an AP password entered before it would enable. After enabling it with a password for the first time, you could remove the password and make it insecure/open.
Now I just need DD-WRT to stabilize for my router so I can use the IPv6 my ISP has.. :-|
Re:Exactly what is the sploit? (Score:4, Informative)
> How does your DNS stack pick up a new IP address for a host name once it's already been
> resolved?
It doesn't. The way you do this is to return a list of two IP addresses for the hostname when it's first resolved; the first IP is your server and the second is the user's router.
Then you serve stuff up as normal. When you want to carry out an attack, you point the browser to a url that has your hostname (probably in an iframe that's part of your page) and have your server refuse the connection. When that happens the browser will fall back to the next IP in the list and try it (that's how round-robin DNS works), and load a page from the router; if you pick the path part of your url right, this would be the login page. Now the key here is that web browser security policies are based on hostnames, not IP addresses. So the router's login page is now same-origin with yours and you can run script that does things to it. Like filling in the default admin username/password and submitting the form, for example. Or direct XMLHttpRequest access with the right Cookie headers, whatever.
Changing the default password definitely helps.
Some browsers are working on changes that would deny attempts to connect from a public IP to one on the local network, no matter what the hostnames are. That would stop this cold.
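Added example, not part of the original comment or any vendor's code: a resolver-side check for the answer list described above, where a public hostname comes back with both an external address and a LAN address. The hostnames, the 203.0.113.10 address, the local suffixes and the internal ranges are constructed assumptions for illustration.

```python
import ipaddress
import struct

# Ranges a public hostname has no business resolving to (assumed policy).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
)]


def read_name(msg, off):
    """Decode a domain name at `off`, following compression pointers.
    Returns (name, offset of the first byte after the name in the record)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # 2-byte compression pointer
            if end is None:
                end = off + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = ((length & 0x3F) << 8) | msg[off + 1]
        elif length == 0:                      # root label terminates the name
            if end is None:
                end = off + 1
            return ".".join(labels).lower(), end
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length


def parse_a_records(msg):
    """Return (query name, [IPv4Address, ...]) from a raw DNS response."""
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    off, qname = 12, ""
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        _owner, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(ipaddress.IPv4Address(msg[off:off + 4]))
        off += rdlen
    return qname, addrs


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def filter_response(msg, local_suffixes=("lan", "home.arpa")):
    """Apply the rebinding policy to one response.
    Returns (verdict, name, kept addresses, stripped addresses)."""
    try:
        name, addrs = parse_a_records(msg)
    except (IndexError, struct.error, ValueError):
        return "drop-malformed", "", [], []
    # Names under a local suffix are allowed to point at LAN addresses.
    if any(name == s or name.endswith("." + s) for s in local_suffixes):
        return "pass-local", name, addrs, []
    kept = [a for a in addrs if not is_internal(a)]
    stripped = [a for a in addrs if is_internal(a)]
    return ("rebind-suspect" if stripped else "pass"), name, kept, stripped


def build_response(name, addrs, ttl=60):
    """Build a minimal DNS response (constructed sample, not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    msg += qname + struct.pack("!HH", 1, 1)
    for a in addrs:
        # Owner name is a pointer back to the question at offset 12.
        msg += (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                + ipaddress.IPv4Address(a).packed)
    return msg


if __name__ == "__main__":
    for sample in (
        build_response("www.example.com", ["203.0.113.10"]),
        build_response("rebind.example", ["203.0.113.10", "192.168.1.1"]),
        build_response("router.lan", ["192.168.1.1"]),
    ):
        print(filter_response(sample))
```

A forwarder that strips the internal address (or drops the whole answer) on a `rebind-suspect` verdict leaves the browser with nothing on the LAN to fall back to.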
Browser Issue (Score:3, Informative)
First things first, you can block most of these attacks by setting a new router password and/or changing the router's default IP. Secondly browsers could very easily solve this by disallowing mixed local (192.*, 10.*, 0.*, 127.*) and remote IP addresses from a single site. If it is a local server it won't be load balancing with something on the Internet and the reverse is equally true.
Re: (Score:2, Informative)
Re: (Score:2)
It's not very easy to do the IP address thing. For one thing, often the browser has no idea what IP addresses are involved (e.g. if it uses a third-party networking library; something that's common with browsers that are the default on their OS, since they just use the OS-default network library). For another, even if you technically know surfacing that information can be ... difficult. Firefox has this issue, for example; they're working on a patch along the lines you describe, and it requires adding a w
Re: (Score:2)
Secondly browsers could very easily solve this by disallowing mixed local (192.*, 10.*, 0.*, 127.*) and remote IP addresses from a single site.
There's sometimes a valid reason to have mixed local and remote content, even if such uses are niche. In particular, Greasemonkey-style scripts are local and act on remote pages. You may also have a local framing system that allows you to more quickly navigate through a system, and some links through the frames may eventually lead to a remote site. And also, NetVampire (now obsolete) can easily be configured to run from the local hard drive.
Also, most exploits (beside the DoS link to "c:\con\con") were cr
default configs on routers are a joke (Score:2, Insightful)
Before this step is taken, every other "security" exploit is a joke in comparison.
Re: (Score:2)
a problem we're too lazy to solve (Score:3, Interesting)
The issue with the web servers on these little CPEs, and also lots of just general intranet websites, is that they do not inspect the Host: header of the incoming HTTP request. So when someone DNS rebinds your initial request to evil.com, your browser sends this host to the CPE, and the CPE ignores it. Unfortunately, there's no good way to match a host header on a CPE management page because who assigns DNS for their internal networks? Geeks, that's who. No one else. So when you connect by IP address to your gateway, the host isn't even set at all.
This is one of those things that SSL certificates can solve. I learned two weeks ago here on slashdot, thanks to another poster, that you can get free level 1 SSL certificates signed by startssl.com. I got mine returned in about 2 hours, and had it working with 10 minutes of work. Granted, I am not going to be able to reprogram the proprietary CPE with an SSL certificate, but hopefully a few of you find this link useful and can get your hobby website running with SSL, like I was able to do.
Even though you can change the credentials of your website (CPE, wiki, accounting system with web interface), it's still very possible for someone to brute force these credentials. Anything that can be realized with javascript is possible.
The best solution is DNS pinning... your browser locks the website to the initial IP of a round-robin A record response. This is horrible for the general health of the Internet, but not a bad solution for people who wish to avoid these styles of attacks. Me, I'll take my chances with the attacks...
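Added example, not part of the original comment and not any vendor's firmware: a management web server that does inspect the Host header. After a rebind the browser still sends the hostname it was given, so a request arriving under any name other than the device's own is refused. The allowed names, the handler class and the port are assumptions for illustration.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumption: the names this hypothetical router's admin UI is legitimately
# reached under. A real device would derive them from its own LAN address.
ALLOWED_HOSTS = frozenset({"192.168.1.1", "router.lan"})


def normalize_host(value):
    """Reduce a Host header value to a bare lowercase hostname or IP literal.
    Returns None when the value is missing or malformed."""
    if not value:
        return None
    host = value.strip().lower()
    if host.startswith("["):                 # IPv6 literal: [addr]:port
        end = host.find("]")
        return host[1:end] if end != -1 else None
    host, _, port = host.partition(":")
    if port and not port.isdigit():
        return None
    return host.rstrip(".") or None          # tolerate a trailing root dot


def host_allowed(value, allowed=ALLOWED_HOSTS):
    host = normalize_host(value)
    return host is not None and host in allowed


def decide(host_headers, allowed=ALLOWED_HOSTS):
    """Status code for a request, given every Host header it carried.
    Zero or duplicate Host headers are refused outright."""
    if len(host_headers) != 1:
        return 403
    return 200 if host_allowed(host_headers[0], allowed) else 403


class AdminHandler(BaseHTTPRequestHandler):
    def _serve(self):
        # Browsers put the IP literal in Host when the URL uses an IP, so
        # "http://192.168.1.1/" passes; a rebound name such as
        # "rebind.example" does not, whatever address it resolved to.
        status = decide(self.headers.get_all("Host") or [])
        if status != 200:
            self.send_error(status, "Host header not recognised")
            return
        body = b"router admin login\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = _serve


if __name__ == "__main__":
    # Local demo listener only; port 8080 is an arbitrary choice.
    HTTPServer(("127.0.0.1", 8080), AdminHandler).serve_forever()
```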
Secret (Score:2)
Here's the secret fix: change the default password on your home router.
Phew! Black hats thwarted again!
Re: (Score:2)
> Phew! Black hats thwarted again!
By you and a few thousand other geeks. Hundreds of millions of "consumers" remain vulnerable.
This could have been prevented by the vendors taking the obvious step of making the router serial number the default password.
Only half? It's probably a lot more (Score:3, Interesting)
Odds are the good guys haven't found all the vulnerable ones.
Oh, if you count routers left in their default configuration + human vulnerability to social engineering attacks, the number would be well over 50% even without any actual design flaws. This assumes having a common default login isn't itself a design flaw - which I think it is.
On that note, 2-Wire does it right: They have random-looking default management passwords printed on the bottom of most of their modem-routers. There is no universal "default login" you can look up on the Interwebs.
Re: (Score:2)
They also tend to be smart enough to "n
Consumers DONT CARE (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Trying to get consumers to care about the SUPER SUPER remote chance that someone will wardrive hack their router is pretty stupid, especially when you can't convince them to stop giving their credit card number to anyone who happens to email them a bank-esque email.
Re: (Score:2)
Re: (Score:2)
Consumers don't care because they are not responsible, and because it won't fucking happen to them.
I could leave my keys in my unlocked car, leave my router open and my passwords on a sticky note on my desk and nothing would ever happen... But even if it did, my credit cards are insured, my car is insured. A bit of paperwork and a couple of days of ha
Re: (Score:2)
Re: (Score:2)
Warning! kdawson sensationalist headline alert! (Score:2)
Re: (Score:2)
Correct.
As further evidenced by the recommendations in the article:
I learned nothing new here today.
"Publish or Perish ..." (Score:3, Interesting)
Everyone knows this; and one way or another in these sicko days of ours, one simply has to make the headlines to grab attention; followed by get-rich-quick.
Fine. Let them try. I wished, though, some clever chap in Slashdot would have vetted the whole lot sufficiently, to dump it where it belongs: into the trash-bin.
Here is why: Because it actually is an attack. An attack that works for dumbos only. For people, who ought not legally be allowed to buy an access point or whatnot.
Here is the attack: assume router XYZ by default comes with username 'root' and password '12345'. The same router, as default or after reset, offers dhcp in 192.168.1.0/24, with 192.168.1.1 as gateway address. Then, following the trick, some 192.168.1.0/24-address becomes available on the outside (WAN). So when you blindly send 'root' and '12345' to 192.168.1.1 (to the box), from the outside, you're in.
As I said, yes, it is an attack. But for any sane setup it will fail miserably, because you have changed the internal network; and most of all, you changed at least the password.
I dunno, and haven't tried - because I have better things to do with my time - if any of those spoofing-filters that simply drop RFC1918-compliant addresses on the WAN-side would also fail the proposed attack, despite the default network, username and default password.
Shakespeare would probably have called this 'much ado about peanuts'. And as far as I am concerned, anyone who actually is vulnerable, should be slapped with a court order restricting him or her from touching, buying, setting up or administrating any network equipment until further notice, including home networks.
Re: (Score:2)
pfSense 2.0 has been patched (Score:2, Informative)
MOD PARENT UP (Score:2)
yay open source! I was shocked to see pfsense on that list in the first place!
Now if only the newer builds after 1.2 booted on my p3 450 :( I could possibly upgrade.
Exploit used on default configurations & firmw (Score:2)
How about against 3rd party firmware, ala Tomato [polarcloud.com] for Buffalo / Linksys?
Didn't see any mention of it in the article.
Who cares? (Score:2)
Simple solution, don't use your router for DNS (Score:3, Insightful)
As someone pointed out a comment on the Forbes story, this exploit can only affect you if you are getting DNS through the router.
Simply using a static IP & DNS for your computer on your local network would make you immune to this. In situations where using a static IP is not possible (a friend's house, public wifi, etc.) just set your DNS servers statically and you should be fine.
I miss the good old days (Score:3, Insightful)
I really miss the good old days, where presentations done on security seminars were revolutionary and technical.
How the hell a mediocre presentation (more related to statistics than security) can make it into Blackhat?
Oh, I forgot that Blackhat hasn't been a conference but a business, for a long time now.
Re:Thank you Captain Obvious (Score:5, Insightful)
Let's see: Make sure you have a strong Admin password on your router
Check
and don't surf p0rn/warez sites. Thank you Captain Obvious!
Uhm - any solution that relies on you not browsing to an infected site is not a solution.
Re:Thank you Captain Obvious (Score:5, Insightful)
Apparently p0rn sites are lower risk than normal sites :P [slashdot.org]
Re: (Score:3, Funny)
Let's see: Make sure you have a strong Admin password on your router and don't surf p0rn/warez sites. Thank you Captain Obvious!
I get more hacking attempts when I search for and try to look at Christina Hendricks images than I ever do from all the porn sites combined.
Re:Thank you Captain Obvious (Score:4, Funny)
I get more hacking attempts when I search for and try to look at Christina Hendricks images than I ever do from all the porn sites combined.
Yes but going by the "I'll know it when I see it" definition, any image of that woman in a dress qualifies as pr0n . . .
Re: (Score:2)
I believe there was an article on this very site recently about how porn sites are no more likely to infect you than "regular" sites. The fact is most infection vectors on websites are in the ads, and most sites (porn or not) have virtually no control over what advertising is plastered on their pages.
Re:Thank you Captain Obvious (Score:5, Insightful)
"Make sure you have a strong Admin password on your router..."
Which does you no good if your browser remembers your router's admin name and password - or did you miss the bit in the article where part of this hack is subverting your browser to actually do the dirty work?
"...and don't surf p0rn/warez sites."
Because advertiser sites never get hacked, nor do normal sites. Only porn and warez sites ever serve malware.
Better to turn off scripting on your browser by default, and only enable it for sites you trust, and NEVER let your browser remember passwords.
Re: (Score:3, Funny)
> ...NEVER let your browser remember passwords.
Never let it remember important passwords. There's no harm in letting it store passwords for trivial sites such as Slashdot.
Heretic (Score:3, Funny)
Slashdot is *the* most important site. For you to call it "trivial" is a most wicked sin.
Re: (Score:2, Informative)
Probably not, but you're still better off making sure you are running the latest of your choice of firmware (Tomato just released a new version a couple of weeks ago, go get it now!).
Doesn't hurt to make sure that you only allow https connections to the router's admin page (which means in Tomato that you'll get the inconvenient-but-useful "unverified certificate!" warning in Firefox that takes many ugly steps to get around, and as far as I know cannot be scripted), and setting a reasonably complex password.
Re: (Score:2)
There's a chart in TFA that shows ddWRT and OpenWRT successfully hacked. Tomato was not tested.
Re:DD-WRT+OpenDNS FTW (Score:5, Insightful)
Re: (Score:2)
Yes, DDWRT is vulnerable (as is OpenWRT). However, on the plus side, as I understand it from the article, this exploit can only take place if the attacker is able to gain admin access on the router itself***. As long as you've changed the default password to something secure and there are no unpatched exploits, then you should be safe. Someone who bothers to install DDWRT/OpenWRT almost certainly has enough sense to change the password, so it's only patching the exploits you need to worry about.
I'm not awar
Re:DD-WRT+OpenDNS FTW (Score:4, Insightful)
Just had to post that everyone should be running OpenDNS and if possible DD-WRT or Tomato (for homes). You just can't beat that combo. It's fast, secure, and offers tons of security/configuration features that no one else does.
and that no one else knows how to use. Let's face it. Most users don't even know that it's possible to log in to their "wireless box" and change settings, let alone replace the firmware with a 3rd party distro. As far as they're concerned, the guy that installed the internet just plugged it in and it needs to be there or their laptop can't get internet. Don't get me wrong. I love Tomato, but saying "everyone should run [insert some firmware here]" is not a solution to the problem. The problem is the idiot tech (and in some cases, non-tech people smart enough to set up their own router) not changing the default password on the router when he installs it.
Re: (Score:2, Insightful)
And yet DD-WRT is on the list of vulnerable firmware.
Re: (Score:2)
I actually checked if my wireless router was on here.
It is, but what concerns me the most is this:
The router I have is listed as NO, but the firmware version they tested against was released 3 years ago and the firmware has had four revisions since then, the latest released in Q4 2009.
Which makes me wonder: How many of the other firmware versions are out of date, and why haven't they been tested against the latest firmware versions?
Re: (Score:2)
Why don't you just buy the best router, and if it's wireless, turn the wireless functionality off? I don't see why you need to specify 'non-wireless' as a requirement. Every router I have ever seen has an option called 'disable radio' or the like which completely turns off wireless functionality.
Re: (Score:2)
Just log into your existing router and change the password.
That is. . .
Type the following IP numbers into your address bar and hit "enter".
192.168.0.1
192.168.1.1
192.168.100.1
192.168.1.100
One of those will open your router's log-in page. When it does, just change the password from the default. Voila. Your router can no longer be "Hacked" by this method.
-FL
Re: (Score:3, Insightful)
Re: (Score:2)
That's right but here you go to www.example.com/foo.html and it contains an img tag to awdfwfrfwrfq.example.com/login?u=admin&p=123 and your DNS on the router has been poisoned to have awdfwfrfwrfq.example.com be 192.168.1.1, so the usual CSRF checks pass.