Security IT

Drive-By Pharming In the Wild

An anonymous reader writes "Symantec reported Tuesday that the first case of drive-by pharming, in which a hacker changes the DNS settings on a customer's broadband router or wireless access point and directs the link to a fraudulent Web site, has been observed in the wild. The first drive-by pharming attack has been observed against a Mexican bank: 'It's associated with an e-mail pretending to be from a legitimate Spanish-language e-greeting card company, Gusanito.com,' says Symantec Security Response principal researcher Zulfikar Ramzan. Inside the e-mail is an HTML image tag but instead of displaying images, it sends a request to the home router to tamper with it."
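The attack in the summary leaves a trace a home user or a help desk can look for: the resolvers a client is handed by DHCP, and the upstream resolvers the router itself forwards to, should be either the router or the ISP's own servers. The following Python audit is an added example (not code from Symantec or the article) that classifies both lists; the ISP range, the router address and the "tampered" upstream list are constructed sample data. Note that if the router is a DNS forwarder, clients still see the router as their resolver, so the router's upstream list is the one that must be checked.

```python
import ipaddress

# Constructed sample data: what a LAN client sees in /etc/resolv.conf, and the
# upstream resolvers the router is configured to forward to after tampering.
CLIENT_RESOLV_CONF = """\
# Generated by dhcpcd
nameserver 192.168.1.1
"""
ROUTER_UPSTREAM_DNS = ["203.0.113.53", "198.51.100.10"]   # 203.0.113.53 is the attacker's (constructed)
ROUTER_LAN_IP = "192.168.1.1"                              # assumed LAN address of the router
ISP_RESOLVERS = ["198.51.100.0/24"]                        # assumed ISP resolver range for the demo


def parse_resolv_conf(text: str) -> list:
    """Return the nameserver entries of a resolv.conf, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolvers(resolvers, router_ip: str, trusted_nets) -> list:
    """Label each resolver address: the router itself, a trusted ISP resolver,
    or something suspicious (an unknown public host, or a private host that is
    not the router)."""
    router = ipaddress.ip_address(router_ip)
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    verdicts = []
    for s in resolvers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            verdicts.append((s, "suspicious: not an IP address"))
            continue
        if ip == router:
            verdicts.append((s, "ok: the router itself (check its upstream list too)"))
        elif any(ip in n for n in nets):
            verdicts.append((s, "ok: trusted resolver"))
        elif ip.is_private:
            verdicts.append((s, "suspicious: private address that is not the router"))
        else:
            verdicts.append((s, "suspicious: unexpected public resolver"))
    return verdicts


def audit(client_resolv_conf: str, router_upstream, router_ip: str, trusted_nets) -> dict:
    """Check the client view and the router's upstream list together; a pharmed
    router typically looks clean from the client side alone."""
    client = classify_resolvers(parse_resolv_conf(client_resolv_conf), router_ip, trusted_nets)
    upstream = classify_resolvers(router_upstream, router_ip, trusted_nets)
    suspicious = [s for s, v in client + upstream if v.startswith("suspicious")]
    return {"client": client, "upstream": upstream, "suspicious": suspicious}


if __name__ == "__main__":
    for k, v in audit(CLIENT_RESOLV_CONF, ROUTER_UPSTREAM_DNS, ROUTER_LAN_IP, ISP_RESOLVERS).items():
        print(k, v)
```

On the sample data the client side reports only the router (fine), while the router's upstream list flags 203.0.113.53, which is the signature of this attack. Reading the router's upstream list in practice means scraping its admin page or, where available, its SNMP or CLI interface; that part is device-specific and is not shown here.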
  • Pfft (Score:5, Insightful)

    by Kalriath ( 849904 ) on Tuesday January 22, 2008 @07:14PM (#22146084)
    So, I suppose this "hack" fails entirely on any router which... well, either has a default password or (like any high end router) doesn't use HTTP basic authentication? No worries for me, my 3com is safe as houses.
    • Re: (Score:3, Insightful)

      by cheater512 ( 783349 )
      My AMD X2 'router' is also immune.

      Having a real workhorse as your router improves security dramatically as well as allowing you to do some really cool things. :)
      • by Ajehals ( 947354 )
        If that's a dedicated router then its overkill.
        • lol. Of course it would be overkill if that was all it did.
          It's a home server with a TV card, terabyte RAID array, etc...
          • Re: (Score:3, Funny)

            So your router contains stuff you don't ever want to lose? Not quite the best idea.

            Also, the A in RAID stands for Array. RAID Array is like ATM Machine or PIN Number.
          • Re: (Score:3, Informative)

            by Ajehals ( 947354 )
            Hmm, personally I prefer my routers not to have too many potential vulnerabilities, yours sounds like a nightmare from that perspective. What you are telling me is that a box on the edge of your network, a box that presumably is very open to abuse also happens to hold a huge volume of data, not too bright, even if it is just TV shows. Personally I'd grab a modest piece of hardware suited to the role and ensure it was locked down as tightly as possible.

            Just out of interest, what OS is this monster router?
            • It runs Gentoo.

              It's locked down pretty well so the only way in is via a vulnerability in SSHD, Apache, etc... which is unlikely.
              Especially with Gentoo's quick reaction times when it comes to new versions.
              I'd consider it a lot more secure than your off the shelf router. Also the data would be far less secure if it was stored on a windows box.

              It's all about degrees of security.
              Sure, putting large amounts of data on the border of your network isn't the best idea, but it's acceptable when you don't have enough spare c
              • by Ajehals ( 947354 )
                It is all about degrees of security. I would feel rather uncomfortable putting large amounts of data on the border of any network; the cost of not doing so is minimal (in terms of hardware and power utilisation) and the decrease in risk is, in my opinion, significant.
    • I use a SonicWall TS5 wireless at home. It is also completely immune.

      Once again, cheap consumer junk FTL!
        No, cheap firmware. Even simple routers can be quite secure with decent firmware; however, most ship with a really bad OS.
        • Agreed, my cheap-ass WRT54GL is quite secure. The firmware is, of course, DD-WRT and not the default crap-ware they try to leave me with.

          For something that only cost me around $150 AU it is rock solid, secure, and with the linux based firmware, allows me to do some cool stuff (like run kismet-server on it and - so I am told - run packet injection off it).
          • Something I would love to do with DD-WRT that I haven't played with yet is locking down the wireless so only my TiVo, laptop, etc have access to my whole house network, but anyone within range with a T-Mobile HotSpot@Home phone can use the WiFi for free calls (the phone tunnels the call using GSM-over-IP). Is this possible?
            • by Cato ( 8296 )
              There's no really secure way to do this - DD-WRT v24 is supposed to enable multiple simultaneous SSIDs, some locked (WPA) and some not, but unfortunately it's still quite unstable. Since I discovered that WDS on DD-WRT v23 is really quite unstable, I've been considering moving to another Linux-based firmware (maybe Tomato or OpenWRT with add-on GUI), but currently I don't need WDS since I bought a 9 dBi omnidirectional antenna for $25. I'd recommend such antennas to anyone before wasting time with 802.11n
              • You have a model or part number for the antenna? I'd be interested in picking a couple up (one for home, one for our office, etc).
                • by Cato ( 8296 )
                  I used the one from Allendale in the UK: http://www.wifi-antennas.co.uk/index.php?target=products&product_id=15 [wifi-antennas.co.uk] - not sure of part no. but you could ask them. They have some great FAQs and guides, but fundamentally the best thing to do is buy a 9 dBi antenna and see if it works for you, as it costs very little. Be sure to check your router's antenna connection and note that the very latest (crap) WRT54G version doesn't have a removable antenna...
            • Oddly enough I begin researching this next week as part of a corporate roll up to DD-WRT for our hotspots, but for now my suggestion would be to do it purely in iptables. You can do MAC-based restrictions there as well as IP-based ones. More specifically, restrict everyone back to the GSM-over-IP networks/protocols (I'm not familiar) and then allow your boxes further access. That's, IMHO, the beauty of having a Linux box for my router... within certain size restrictions I can do most anything I would be abl
        • You know I'd like to make some really witty and pithy retort and redeem myself but unfortunately, you're right. It's not the hardware, it's the code running it.
    • by Anonymous Coward on Tuesday January 22, 2008 @07:53PM (#22146656)
      If you have a home network, there are several ways to secure it. Every router that I have ever owned has several characteristics. Look for the 'reset' key, make sure it is there and not like Asante where you have to short terminals 3 and 8 on the serial port...showin my age there folks. Make sure it is a real router and not a windows appendage. Do NOT use a PCI modem that you cannot disconnect fast. Use an external modem on a SERIAL port. Do not use a combination cable modem/router. This is foisted on many users, and as a default feature sets up remote administration from the outside. That remote admin 'feature' is 'supposed to allow customer engineers to help......' you out of all your money. Don't surf as administrator if microsoftintheheady or as root if a linux penguin. That's just askin to get hosed. Yeah, I'm a ramblin old fart, but all these things I have picked up from experience. Definitely change the default password, 'admin' or whatever on the router to something realllly strange and long. Write that password down and put it in your wallet, your wife's ring box, or whatever. Do not even try to memorize it as you will forget it when you need it. Don't use 'DHCP' that routers and network vendors want you to do. This means that all home networks are on 192.168.1.0 or some predictable net address that all hackers try first. Use a REAL network with a real address like 192.168.205.89 or something. This forces hackers to really fail many many times in guessing your network setup. With a real network, hand out your own addresses and make them random in the third and fourth hex digits so that hackers will have to guess out each and every terminal on your net. Now add MAC security to your router so that the hacker not only has to correctly guess from a crore of non standard addresses to address it, but only those with the right computer NIC can even be qualified to guess the password! Having a switch available to shut down suspects in a hurry helps too. I could go on, but if you have followed all this rambling, print it out and do it.
      • Woah, might want to invest in an enter key there dude.

        But anyway, those are really good ideas. However, I don't see it necessary to turn off DHCP, though I would encourage layering your network and only the inner box has DHCP, and then only on the LAN interface.

        How I do it is a 3COM OfficeConnect on the outside, which is a 4-port ADSL Router. I don't have a modem because ADSL technically can't have MODEMs (ADSL lacks modulating AND demodulating) - even though I can't get Blizzard support to understand thi
        • ADSL lacks modulating AND demodulating

          Er, what are you talking about? I was under the impression that ADSL signals were modulated and demodulated, otherwise (as raw DC voltages carrying serial data?) they would be destroyed by the phone equipment at any transformer.

      • Because "hackers" can't run a packet sniffer and have all of that info in 30 seconds.

        Security by obscurity. Great policy.
      • by adolf ( 21054 ) <flodadolf@gmail.com> on Wednesday January 23, 2008 @12:59AM (#22149484) Journal
        Good advice.

        But you forgot something: When a friend brings their PC/PSP/PS3/Wii/Xbox/iPhone/iPod over, and wants to use it with teh Intarwebs, go ahead and set it up and give them the passphrase and IP assignment, but make sure you destroy your friend before they leave.

        You can't allow any chance of your uber-obscurity leaking outside, right? Eventually, you'll eliminate all of your friends, but that has the nice benefit of eliminating the potential leaks.

        Naw, better to keep it simple. Don't run as root/admin. Set an unusual password (something other than your SO or child's name is adequate). Set a different, unusual, and lengthy, WAP passphrase. Use the strongest encryption you can with the devices on your network (AES, AES / TKIP, or just TKIP, in order of preference).

        Done.

        MAC filtering? Disabling DHCP? IP address range hide and seek?

        Bullshit. All that does is make it harder for you and the people you trust to use the network. And if I, the creepy dude in the van across the street, get to a point where any of those stupid tricks will start to matter, they won't make any difference at all. If I'm clever enough to get past WAP, then I'm clever enough to clone a MAC address while sniffing past the rest of your security-through-obscurity features.

        [And what's all that talk about serial ports? Are we still in 2008, or did we just jump back 10 years?]

      • You are confusing static addressing (which doesn't help) with choosing a less obvious IP range (which does). It's fine to use DHCP, just change the address you use to something non-default - anything in 192.168.0.0/24 or 172.x or 10.x ranges (check RFC1918) is good. That way the malware on a PC will have to scan first to know what to attack, which raises the bar slightly, although at Ethernet speeds it wouldn't take very long to scan the whole 192.168.x address range.

        BTW the 'third and fourth hex digits'
      • With a real network, hand out your own addresses and make them random in the third and fourth hex digits so that hackers will have to guess out each and every terminal on your net.

        Sounds like someone doesn't understand how DHCP and subnetting work. You can change the DHCP addressing range on your router so that it gives out, say, 192.168.100.0/24. There is no need to use manual addressing unless you have untrusted people able to physically plug into your LAN. Also, IP v4 addresses can be expressed in

    • Routers shouldn't be trusted anyways, since you'll never have control over all the upstream routers.

      You'd think that a bank would have a certificate signed by a big certification authority, like Verisign, whose public key comes hard-coded into the browser. In that case, the entire attack should fail.

    • by epsalon ( 518482 ) *
      Actually, I have found a backdoor in a router that lets you issue arbitrary commands to the busybox shell without any password through a simple HTTP GET request. That router could be easily exploited with an IMG tag in a browser.

      My solution BTW was not to assign an IP address for the router (used only as a modem) and to firewall non PPPoE traffic.
    • Re: (Score:3, Informative)

      by spinkham ( 56603 )
      Not necessarily..
      It is also possible to change settings on a router using UPnP using a malicious flash script...
      See http://www.gnucitizen.org/blog/flash-upnp-attack-faq [gnucitizen.org] for details.
      Most home routers have UPnP turned on, so you're not safe just because you have a good password.
      I would assume that most 3com gear does not have UPnP, so it is quite likely that you specifically are safe.
      Of course, anyone with a security clue has been saying UPnP is a BAD idea for a long time, but it used to be client side malwar
  • by Zymergy ( 803632 ) * on Tuesday January 22, 2008 @07:20PM (#22146190)
    • by Gideon Fubar ( 833343 ) on Tuesday January 22, 2008 @08:18PM (#22146948) Journal
      There are 3 major combinations of default username/password that cover the vast majority of home routers. They are U:admin P:admin, U:admin P:password and U:admin P: (that's right.. NO password.) This is true of Linksys, Dlink, Netgear, etc. With a bit of searching, you can even find this out from their very own websites.
      • Most linksys are U: , P: admin. Default passwords are meant to be as stupid as possible so people are scared into changing them, HW manufacturers have it right in that respect.
      • by dargaud ( 518470 )
        On my ADSL router, there are 3 accounts. One I cannot access/modify. One I have full control (including password change) but it's a useless account (hardly any control). One I can control the router, but the password changes don't stick... Apparently they don't allow password changes so that they can remotely update the firmware (which happens regularly). Gee, I wait for the day when a hacked firmware will be pushed to N million subscribers. And it's basically undetectable even by careful users since it won
  • Captcha? (Score:5, Informative)

    by tedhiltonhead ( 654502 ) on Tuesday January 22, 2008 @07:21PM (#22146200)
    It sounds like a simple captcha image on the router's login page would thwart this.
    • except that they could just spoof the captcha like they did with porn websites.
      captcha page => spoof captcha page so user solves captcha for program => "hack" succeeds.
        • Solution: Add a bar to the captcha image that contains a message like "NETSYS ROUTER CONFIGURATION LOGIN". Redirecting captchas is feasible, but cutting off part of the image is pretty involved for something contained within an <img> tag.
        • Re: (Score:3, Informative)

          by Cato ( 8296 )
          Which reminds me, Netgear routers seem to redirect 192.168.0.1 to 'routerlogin.com' (owned by Netgear, but actually maps to your router normally). A somewhat dodgy design decision really as it serves to obfuscate what's happening when newbies log on to their router, which can't help them to learn more about security.
    • Re:Captcha? (Score:5, Insightful)

      by cheater512 ( 783349 ) <nick@nickstallman.net> on Tuesday January 22, 2008 @07:28PM (#22146306) Homepage
      Or maybe force users to change the password.

      Which one makes more sense? :P
      • Or better still, users should be educated by their bank to check for the lock symbol and the correct domain name so they know who they're connecting to. The advantage of this is that it addresses this and a whole lot more vulnerabilities. And banks should stop using domain names that have no obvious relation to their trademark. For example I know one bank that uses accountonline.com for its domain name. Even if I get the lock symbol I don't know if maybe the crooks just got themselves a domain name and an
        • Once an attacker has control over someone's DNS, I wouldn't trust the lock icon at all.
          Too easy for the attacker to add a new root certificate.
      • Sorry, but I have to go with the Captcha.

        If the user is forced to change the password, customer service is forced to deal with everyone that forgot their password.

        • The reset button is pretty obvious.

          Anyway tech support already has to deal with the people who cannot read what the initial ip is, what the default password is, etc...
          The added work load would be minimal.
      • The only reason not to change password is the fact that you will inevitably forget it. I found writing it down on a post-it and pasting that on the bottom of the machine a pretty reasonable solution. That problem solved, routers should just not route any traffic at all before the password is changed. Not much of a programming effort, I would guess.
    • It sounds like a simple captcha image on the router's login page would thwart this.

      If you happen to leave yourself logged in to your router, captcha wouldn't even cut it -- I'm pretty sure this is a CSRF attack, so any credentials your browser session has are applied. You'd have to put a captcha on every single page -- clearly the wrong solution.

      There are some better solutions, though:
      http://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention [wikipedia.org] ...And of course, remembering to log out once you're don
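The comment above is right that this is cross-site request forgery: the browser, not the attacker, supplies whatever credential the router accepts. The following Python model is an added example (not the article's or any vendor's code) of the two sides of the point made in the summary and in the captcha discussion: a "set DNS" endpoint that changes state on a GET behind Basic auth, next to the same endpoint with the defences from the linked page (session cookie, POST only, per-session anti-CSRF token, Origin check). The router address, the admin credentials, the URL paths and the attacker's resolver address are all assumptions for the demo.

```python
import base64
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Demo-only router identity (assumed values, not taken from any real device).
ROUTER_ORIGIN = "http://192.168.1.1"
ROUTER_USER, ROUTER_PASS = "admin", "admin"


@dataclass
class Request:
    """Just enough of an HTTP request to model what a browser sends."""
    method: str
    path: str
    params: dict = field(default_factory=dict)    # query string or form body
    headers: dict = field(default_factory=dict)


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(req: Request) -> bool:
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return hmac.compare_digest(user, ROUTER_USER) and hmac.compare_digest(pw, ROUTER_PASS)


def vulnerable_set_dns(req: Request, state: dict) -> int:
    """The pattern the attack needs: a state change on a plain GET whose only
    protection is Basic auth, which the browser supplies by itself when the
    image URL carries user:pass@ or the admin page was visited earlier."""
    if req.method != "GET" or req.path != "/setdns" or not basic_auth_ok(req):
        return 403
    state["dns"] = req.params["dns"].split(",")
    return 200


class HardenedAdmin:
    """Same endpoint with the usual CSRF defences: a session cookie instead of
    cached Basic auth, POST only, a per-session token the attacker's page
    cannot read, and an Origin check where the browser sends one."""

    def __init__(self, state: dict):
        self.state = state
        self.sessions = {}          # session id -> anti-CSRF token

    def login(self, req: Request) -> Optional[str]:
        if not basic_auth_ok(req):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = secrets.token_urlsafe(32)
        return sid

    def csrf_token(self, sid: str) -> str:
        """Embedded as a hidden field in the admin form the router serves."""
        return self.sessions[sid]

    def set_dns(self, req: Request) -> int:
        cookie = req.headers.get("Cookie", "")
        sid = cookie[len("session="):] if cookie.startswith("session=") else ""
        expected = self.sessions.get(sid)
        if req.method != "POST" or req.path != "/setdns" or expected is None:
            return 403
        if not hmac.compare_digest(req.params.get("csrf", ""), expected):
            return 403
        origin = req.headers.get("Origin")
        if origin is not None and origin != ROUTER_ORIGIN:
            return 403
        self.state["dns"] = req.params["dns"].split(",")
        return 200


def img_tag_request(evil_dns: str) -> Request:
    """What the browser emits for <img src="http://admin:admin@192.168.1.1/setdns?dns=...">
    inside an e-greeting: a GET with credentials from the URL and nothing else."""
    return Request("GET", "/setdns", {"dns": evil_dns},
                   {"Authorization": basic_header(ROUTER_USER, ROUTER_PASS),
                    "Referer": "http://evil.example/card.html"})


def demo() -> dict:
    evil = "203.0.113.53"                 # attacker's resolver (constructed TEST-NET address)
    good = ["192.168.1.1"]

    weak = {"dns": list(good)}
    weak_status = vulnerable_set_dns(img_tag_request(evil), weak)

    strong = {"dns": list(good)}
    admin = HardenedAdmin(strong)
    # The owner logged in earlier; the browser attaches the session cookie to every
    # request to the router, which is exactly what CSRF relies on...
    sid = admin.login(Request("GET", "/login", headers={"Authorization": basic_header("admin", "admin")}))
    cookie = {"Cookie": f"session={sid}"}
    # ...but the image GET is rejected (wrong method, no token)...
    img = img_tag_request(evil)
    img.headers.update(cookie)
    img_status = admin.set_dns(img)
    # ...and so is an auto-submitting cross-site form, which can POST but has no token.
    forged = Request("POST", "/setdns", {"dns": evil}, {**cookie, "Origin": "http://evil.example"})
    forged_status = admin.set_dns(forged)
    # The router's own admin form carries the token and passes.
    legit = Request("POST", "/setdns", {"dns": "192.168.1.1", "csrf": admin.csrf_token(sid)},
                    {**cookie, "Origin": ROUTER_ORIGIN})
    legit_status = admin.set_dns(legit)

    return {"weak_status": weak_status, "weak_dns": weak["dns"],
            "img_status": img_status, "forged_status": forged_status,
            "legit_status": legit_status, "strong_dns": strong["dns"]}


if __name__ == "__main__":
    print(demo())
```

The token is what does the work: a captcha on the login page would not stop the forged request when the owner is already logged in, and a non-default password does not help against the Basic-auth variant once the browser has cached the credentials, which is why logging out of the router's admin page matters as much as changing its password. The Origin check is belt-and-braces; browsers of the period did not send that header, so the code only enforces it when present.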

  • by xtracto ( 837672 ) on Tuesday January 22, 2008 @07:22PM (#22146210) Journal
    2Wire DSL routers to point the user's Web browser to a fraudulent bank site that mimics the site of one of the largest Mexican banks.

    There is not much space to guess here, it is either Banamex or Bancomer...
  • Definition? (Score:5, Interesting)

    by WarJolt ( 990309 ) on Tuesday January 22, 2008 @07:23PM (#22146220)
    What does "drive-by" have to do with this kind of hack? Oh sure we've all logged into neighbors wireless routers and snickered because they've left the default password. Somehow I think "drive-by" part was coined by a guy who thought of exploiting unsecured wireless routers and changing DNS settings. Am I the only one who doesn't think "drive-by" applies to this kind of attack?
    • by Itninja ( 937614 )
      For that matter, neither does "hack". Though the pure meaning of "hack" will be debated infinitely, I doubt that anyone would define it as 'using a broadly published default setting to change a config setting on a piece of hardware'. Generally it involves at least a little bit of skill. Now if they were writing a script to automatically find, mis-configure, and report any devices....that might be considered a notable hack.
    • Re: (Score:3, Funny)

      I dunno about anyone else, but to me it conjures up images of 90s-era Hollywood hackers. Suave guy in the driver's seat of a red car, his short, befreckled and bespectacled companion laboriously typing on a laptop while muttering things about "This is UNIX" and "His serving RAM is so unprocessed."
  • by ddrichardson ( 869910 ) on Tuesday January 22, 2008 @07:24PM (#22146234)

    Anyone else notice that BT are taking this seriously - log on to the router's home page and it tells you they have changed the default admin password (well it will when you enter the unit's serial number as the admin password).

    • Sky do the same. Kind of.

      They give you a Netgear router, and it doesn't use admin:password. Hurrah for security improvements! Instead it uses admin:sky...

      Yes, it really was that basic a change! As far as I've found they don't even let normal users know how to log in and change it, I just guessed it. They also leave their SSID as one that screams "I'm a sky box" so anyone scanning for networks can even see that your password will probably be "sky".
  • by GreggBz ( 777373 ) on Tuesday January 22, 2008 @07:26PM (#22146276) Homepage
    If Bioware can sell $30 software with unique CD-Keys printed on the inside of each jewel case, why can't Linksys sell $40 routers with unique admin passwords printed on each manual. Or better yet, make the default password the last 6 digits of the LAN side MAC address, that can't be terribly hard to manufacture.

    Seriously, you could even honestly market them as "more secure."

    • by moderatorrater ( 1095745 ) on Tuesday January 22, 2008 @07:43PM (#22146522)
      Several reasons. First, it's easier to change what gets stamped into a cd than what gets set into the silicon. Second, the cd key isn't actually unique to the CD, it just conforms to an algorithm that determines whether or not the cd key fits the criteria for the software and then, when on the network, checks to make sure that the cd key was actually sold and that it's unique.
      • Except that each router already has a unique MAC address in it, which is already used by the system. Actually there are usually three of them: LAN interface, WAN interface, and wireless interface.

        It would be trivial to use the LAN MAC address as the default password.
        • by Compholio ( 770966 ) on Tuesday January 22, 2008 @08:48PM (#22147324)

          It would be trivial to use the LAN MAC address as the default password.
          It would also be trivial for someone to run "arp" while connected to your access point. I agree that they need to use a random default password, but the MAC address would not be sufficient.
          • I've already made this comment elsewhere in this article's comments, but it's relevant here too.

            BT's newest "home hub" routers come with their wireless password set unique to the router (not sure what it's generated from) and admin password set to the router's serial number.

            I wish more home routers defaulted to this.
        • Re: (Score:2, Interesting)

          by IdeaMan ( 216340 )
          Using the LAN MAC address as the admin password is almost as stupid as using admin as the password.
          LAN MAC address is burned into an EEProm at time of manufacture. It is also reset to "Factory Default" when you reset the box. It should be trivial to burn a randomized default password at the same time, store it in a database and print it on the manual.
          If the customer calls up with an unresponsive router, customer service can read them the password out of the db.
      • by crymeph0 ( 682581 ) on Tuesday January 22, 2008 @09:29PM (#22147736)

        It's easier to change what gets stamped into a cd than what gets set into the silicon

        Nope. I do embedded software, and write the test suite all those devices go through before being shipped to the customer. It's pretty standard to set custom stuff at that time, including the MAC ID for the unit. It would be just as easy to change the password at that time.

        Your comment about the CD key, however, is right on.

      • You can change what gets burned to a CD easily. But by definition if you're stamping CDs, a large number of them are going to have exactly the same data, and you're going to have to go through all the effort to remaster the die if you want to change anything.

        And as for the silicon, if you can make encrypted cordless phones with unique, hardwired keys for $50, you can make a router with an unique hardwired "default" key, too. And you can stamp that in a metal plate on the bottom, so the users can always fi
      • by Alioth ( 221270 )
        Actually, it's not. Each device must be already programmed, and the flash memory will undoubtedly be in-system programmable - that's probably how they get the MAC address on it in the first place. It would be just one additional value to write to have some kind of random ID and password. The firmware isn't an ASIC, it's bog standard trivially reprogrammable flash these days.
    • the software doesn't check for the unique key it just checks that the key fulfills some criteria that makes a random guess at a key unlikely to succeed. It's the reason CD key generators work.
    • Linksys would have to write in the cost of supporting all those users who have lost/misplaced the passwords or their technical support.
    • LAN side MAC address, that can't be terribly hard to manufacture.

      My guess: it would cost $50K in R&D, $200K in equipment costs, $0.40 in parts and $0.60 in labor/time for each unit to make this happen.

      A beancounter somewhere would see that $1 as "cost we could get out of the unit".

      Seriously, you could even honestly market them as "more secure."

      Yes, but beancounters are called that because they can't see the big picture. Many times CEO's fit this bill.
    • by blair1q ( 305137 ) on Tuesday January 22, 2008 @08:28PM (#22147040) Journal
      Because software can pop up a box on your screen saying "go look for the sticker on the box and type the letters and numbers (and maybe the dashes or maybe not, your guess is as good as ours) you see there into this box here then click the button that says 'OK'".

      Hardware says "blink"..."blink"..."blink"... and user calls customer support, adding $10 to the cost of every sale.
      • They came with a big piece of yellow tape over the power terminal and the LAN cable ports, which said "STOP. Put the CD in first, and follow the instructions on the screen."

        The instructions on the screen were, predictably, written so that you could understand them if you were six. One of them was "Pick a username and password". Presto-changeo, no need for a factory default.

        I don't remember the makes and models of the routers, though. They're a commodity -- I went into Best Buy and, for the first time in
    • by fm6 ( 162816 )
      Why get so complicated? Simply design the router software so that you have to change the default password before you can start using it.
    • Re: (Score:3, Insightful)

      by Lumpy ( 12016 )
      How about simpler... the router will NOT function until you set a username and password. It routes no traffic and redirects all web requests to the "Hey stupid user, pick a username and password, no you cant use linksys, router, admin, or password."

      that way the same binary image can be used on every router. Out of the box they do not work, they require the user to have at least 35 brain cells to get it to work and in the process will be safe from this crap.
      • by seifried ( 12921 )
        because then people plug it in and it "doesn't work" which results in bad word of mouth and tech support phone calls and emails.
    • Re: (Score:2, Insightful)

      by theeddie55 ( 982783 )

      Or better yet, make the default password the last 6 digits of the LAN side MAC address, that can't be terribly hard to manufacture.

      that wouldn't really help, drive-by attacks access the router from the lan side anyway, so would already have access to the lan side mac address.
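The thread above lands on three candidate schemes for a per-device default password: the last six hex digits of the LAN MAC (rejected because anyone on the LAN can read it from the ARP table), a random value stored in the manufacturer's database and printed on the label, and by implication something support can recompute from the serial number. The Python below is an added example, not any vendor's provisioning code, that puts the three side by side; the ARP table text, the serial number and the manufacturer key are constructed for the demo. The keyed-derivation variant is a standard HMAC construction and is my suggestion, not something the thread spells out.

```python
import base64
import hashlib
import hmac
import re
import secrets

MAC_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

# Constructed sample `arp -a` style output as seen from any host on the LAN.
SAMPLE_ARP = """\
192.168.1.1   ether 00:1a:2b:3c:4d:5e C wlan0
192.168.1.20  ether 00:aa:bb:cc:dd:ee C wlan0
"""


def mac_default_password(mac: str) -> str:
    """The scheme proposed in the thread: last 6 hex digits of the LAN MAC."""
    return mac.replace(":", "").replace("-", "").lower()[-6:]


def passwords_from_arp(arp_output: str) -> dict:
    """What a LAN attacker gets for free: every MAC in the ARP table, and hence
    every candidate password under the MAC scheme (0 bits of secrecy)."""
    return {m: mac_default_password(m) for m in MAC_RE.findall(arp_output)}


def random_default_password(length: int = 12) -> str:
    """IdeaMan's approach: a random value burned at the factory, stored in the
    vendor database and printed in the manual. Strong, but support needs the DB."""
    alphabet = "abcdefghjkmnpqrstuvwxyz23456789"   # no 0/O, 1/l/i ambiguity on the label
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derived_default_password(serial: str, manufacturer_key: bytes, length: int = 12) -> str:
    """Keyed derivation from the serial number (HMAC-SHA256, base32-encoded and
    truncated): support recomputes it from the serial with no database, while
    nobody on the LAN can, because the key never leaves the factory."""
    digest = hmac.new(manufacturer_key, serial.encode(), hashlib.sha256).digest()
    return base64.b32encode(digest).decode().rstrip("=")[:length].lower()


def compare(arp_output: str, serial: str, manufacturer_key: bytes) -> dict:
    """Return what each scheme yields for one unit and what the LAN attacker learns."""
    router_mac = MAC_RE.search(arp_output).group(1)
    return {
        "mac_scheme": mac_default_password(router_mac),
        "attacker_learns": passwords_from_arp(arp_output),
        "random_scheme": random_default_password(),
        "derived_scheme": derived_default_password(serial, manufacturer_key),
    }


if __name__ == "__main__":
    # Assumed serial and factory key, constructed for the demo only.
    print(compare(SAMPLE_ARP, "SN-2008-000123", b"factory-secret-key"))
```

Twelve base32 characters give 60 bits, which is plenty for a password typed once from a label; the random scheme gets roughly the same from its 31-character alphabet. Either beats the MAC scheme, whose entire keyspace is handed to the attacker by the first ARP lookup, as Compholio notes above. Printing the derived password rather than the key on the label keeps support's recovery path while leaving nothing on the device that the LAN can query.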
  • by explosivejared ( 1186049 ) <hagan@jared.gmail@com> on Tuesday January 22, 2008 @07:29PM (#22146328)
    Only this time it's between Mexican scammers and Nigerian ones. For years Nigerian scammers have exercised hegemony in the arena, but now Mexican scammers have upped the ante with this "pharming gap." This can only lead to a scams arms race with other nations as proxies and victims of the complex maneuvering of the two camps. As a helpless American I don't know how long I can stand being the play thing of two foreign powers duking it out for hegemony.

    By the way I'm rooting for the Nigerians in this grand campaign, at least their scams provide a laugh once and awhile.
  • Gusanito?? (Score:3, Funny)

    by Roadmaster ( 96317 ) on Tuesday January 22, 2008 @07:29PM (#22146334) Homepage Journal
    Dude, gusanito means literally "little worm"; I personally would never open an email saying "hey, you got a postcard from a little worm!". I don't know who would...
  • by Itninja ( 937614 ) on Tuesday January 22, 2008 @07:32PM (#22146360) Homepage
    ...that this doesn't happen more often. I can drive through Seattle (and presumably any large city) with my laptop running a wireless network sniffer. After about 10 blocks, I could easily get into no less than 25 wireless routers. They are all configured with the default credentials. Of course, I don't. Sometimes, when it's a law firm, government agency, or some other organization with tons of [other peoples] personal information, I will even call them up and let them know about it, as a courtesy. They usually tell me to take a hike. Then I can show up at their door offering my services as a 'security consultant' (for $200/hr). 'Look here' I say. 'Look how I am easily changing the settings in your router.'. That's usually about the time they wet their $400 slacks and write me a check.
    • by Anonymous Coward on Tuesday January 22, 2008 @07:55PM (#22146672)
      I presume you're being funny. What you're doing there is just as likely to land you in the hoosegow as a suspected terrorist or something of that nature as it is to make you money. This is not a time in U.S. history where being a Good Samaritan is even remotely a good idea.
    • by canUbeleiveIT ( 787307 ) on Tuesday January 22, 2008 @08:32PM (#22147090)

      ...that this doesn't happen more often. I can drive through Seattle (and presumably any large city) with my laptop running a wireless network sniffer. After about 10 blocks, I could easily get into no less than 25 wireless routers. They are all configured with the default credentials. Of course, I don't. Sometimes, when it's a law firm, government agency, or some other organization with tons of [other peoples] personal information, I will even call them up and let them know about it, as a courtesy. They usually tell me to take a hike. Then I can show up at their door offering my services as a 'security consultant' (for $200/hr). 'Look here' I say. 'Look how I am easily changing the settings in your router.'. That's usually about the time they wet their $400 slacks and write me a check.
      --

      "It's a simple question, doctor.
      Would you eat the moon if it was made of ribs, or not?"


      CORRECTION: Would you eat the moon if it were made of ribs, or not?

      In this case, the verb "to be" is in the subjunctive mood, which is used to indicate a situation that is hypothetical, conditional or somehow not certain.

      Now, this correction is just a courtesy. However, if you tell me to take a hike, I will show up at your door with A Writer's Reference by Diana Hacker, and you can scratch me out a check. Sorry, I don't know how much you paid for your pants.
  • by Anonymous Coward on Tuesday January 22, 2008 @07:41PM (#22146506)
    nothing to see here... move along, folks
  • who manages to get a home router to work out of the box with no configuration? And if you're doing configuration to get your router to work, why are you not setting the password to something other than the default? Seriously, some people need a good kick in the head before they realize they shouldn't stand behind the horse.
    • by geekoid ( 135745 )
      Except many people don't actually mind sharing.
      • by QuantumG ( 50515 )
        We're not talking about the SSID or WPA or WEP here.. we're talking about the administration password on the router.

      • by Aladrin ( 926209 )
        You have no idea what he was talking about, obviously.

        Setting the admin password has nothing at all to do with WEP, WPA, or anything else used to keep people off your private WiFi.
  • DNS cache poisoning (Score:4, Informative)

    by the_kanzure ( 1100087 ) on Tuesday January 22, 2008 @07:49PM (#22146612) Homepage
    src [trusteer.com]

    The paper shows that BIND 9 DNS queries are predictable, i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides very few guesses for the "next" query (10 in the basic attack, and 1 in the advanced attack), thereby overcoming whatever protection is offered by the transaction ID mechanism. This enables a much more effective DNS cache poisoning than the currently known attacks against BIND 9. The net effect is that pharming attacks are feasible against BIND 9 caching DNS servers, without the need to directly attack either DNS servers or clients (PCs). The results are applicable to all BIND 9 releases [1], when BIND (the named daemon) is in caching DNS server configuration.
    Langfeldt's DNS how-to [tldp.org]
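    The property the quoted abstract relies on, that a resolver's source ports and transaction IDs step in a fixed pattern, is something a defender can check on their own resolver from a capture of its outgoing queries. The script below is an added example, not code from the Trusteer paper linked above: it takes (source_port, transaction_id) pairs in capture order (the samples are constructed), flags any field whose consecutive values nearly always differ by one fixed step, and reports the resulting search space for the next query under a simplified model (one guess per predictable field, 2^16 per unpredictable one; the paper's figures of 10 and 1 also account for partial predictability and timing).

```python
"""Checks whether a resolver's outgoing DNS queries are predictable.

Added example, not code from the Trusteer paper the comment links to. It
takes (source_port, transaction_id) pairs in the order a sniffer on the
resolver's uplink would record them (the samples below are constructed)
and flags a field whose consecutive values mostly differ by one fixed step,
the pattern that lets an attacker guess the next query's values.
"""
from collections import Counter

# Constructed samples of eight consecutive outgoing queries.
SEQUENTIAL_PORT_RANDOM_TXID = [
    (32770, 0x1A2B), (32771, 0x9C40), (32772, 0x0331), (32773, 0xE7D2),
    (32774, 0x5B08), (32775, 0x7F19), (32776, 0xC0A4), (32777, 0x2E6F),
]
# Both fields stepped: port +1, transaction ID +3 per query.
BOTH_SEQUENTIAL = [(32770 + i, 0x4000 + 3 * i) for i in range(8)]
BOTH_RANDOM = [
    (51423, 0x1A2B), (34017, 0x9C40), (60211, 0x0331), (40988, 0xE7D2),
    (57302, 0x5B08), (33190, 0x7F19), (49377, 0xC0A4), (58861, 0x2E6F),
]


def step_pattern(values):
    """Return (step, fraction): the most common difference between
    consecutive values, mod 2^16, and the share of steps equal to it."""
    if len(values) < 3:
        raise ValueError("need at least three observations")
    diffs = [(b - a) & 0xFFFF for a, b in zip(values, values[1:])]
    step, count = Counter(diffs).most_common(1)[0]
    return step, count / len(diffs)


def is_predictable(values, threshold=0.9):
    """A field is treated as predictable when nearly every step is the same."""
    return step_pattern(values)[1] >= threshold


def assess_queries(observations):
    """Summarise both fields and the attacker's search space for the next
    query: 1 guess per predictable field, 2^16 per unpredictable one. This
    is a simplification; the paper's figures also account for timing and
    for partial predictability."""
    ports = [p for p, _ in observations]
    txids = [t for _, t in observations]
    port_pred = is_predictable(ports)
    txid_pred = is_predictable(txids)
    guesses = (1 if port_pred else 1 << 16) * (1 if txid_pred else 1 << 16)
    return {
        "port_predictable": port_pred,
        "txid_predictable": txid_pred,
        "guesses_for_next_query": guesses,
    }


if __name__ == "__main__":
    for name, sample in (("sequential port, random txid", SEQUENTIAL_PORT_RANDOM_TXID),
                         ("both sequential", BOTH_SEQUENTIAL),
                         ("both random", BOTH_RANDOM)):
        print(name, assess_queries(sample))
```

Feed it the port/ID pairs from a short capture of your resolver's upstream traffic; a run that reports both fields predictable means the cache is only as safe as the resolver's upstream path.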
  • Pharming??? (Score:5, Funny)

    by jez9999 ( 618189 ) on Tuesday January 22, 2008 @08:01PM (#22146748) Homepage Journal
    Will these terrible names, which apparently attempt to draw an analogy between a computer-related misdemeanor and some agricultural pastime, never end? I'm just waiting for some guy from F-Secure to call porn 'phucking'.
  • Worse possibilities (Score:2, Interesting)

    by Pitr ( 33016 )
    If you change the proxy settings on routers that have them, you could wreak all kinds of havoc, as you'd have access to all traffic, not just DNS requests. Or, you could update the firmware to something custom, with all kinds of sneaky badness hidden within, including blocking future clean firmware updates.

    It's a little extra work, but the companies that make these things should have unique passwords per device, or at least have logging into the admin interface wirelessly off by default. In an attempt to
  • It seems pretty appropriate that the fake e-mail appears to come from a company called Gusanito, which literally means "little worm".
  • Let me explain (Score:5, Informative)

    by Pasajero ( 164368 ) on Tuesday January 22, 2008 @09:01PM (#22147456)
    I live in Mexico, and yes, the bank name is Banamex (owned by Citibank) and this is how the hack works:

    The most prominent ISP in Mexico (Telmex) uses 2wire gateway modems, most of them wireless enabled. Security is turned on by default using serial numbers so no one from outside can log in "easily".

    However, there is no default security from the inside, so the gusanito.com postcard contains a malicious flash program that sends a special URL to the modem that adds a DNS entry to its local name resolution table pointing www.banamex.com to a pharming site.

    Next time you open IE or any other browser and open www.banamex.com you'll get redirected to the other site.

    This is easily solved by putting a user password on the modem configuration, but not all people care to do that.
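    The mechanism Pasajero describes is a cross-site request: the gateway's "inside only" rule is satisfied because the victim's own browser, on the LAN, makes the request. The following is an added example, not 2Wire firmware and not the Gusanito code: a pure-Python model of a router's DNS-settings endpoint as described (any request with the right parameter is honoured), beside the same endpoint with the controls that defeat the page-driven request: POST only, an authenticated session, a same-origin check on Origin/Referer, and a per-session anti-CSRF token. The gateway address, endpoint path and request objects are constructed placeholders.

```python
"""A router admin endpoint as the thread describes it, beside a version
with the checks that stop a web page on the LAN side from driving it.

Added example, not 2Wire firmware and not the Gusanito attack code. The
gateway address, the endpoint path and the request objects are constructed
placeholders.
"""
from dataclasses import dataclass, field
import hmac
import secrets

ROUTER_ORIGIN = "http://192.168.0.1"  # placeholder gateway address (assumption)


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)   # query string or form body
    cookies: dict = field(default_factory=dict)


def apply_dns_update_vulnerable(req, config):
    """Honours any request that reaches the admin interface with the right
    parameter. A GET suffices, so an <img> tag on any page the victim views
    triggers it from inside the LAN, where an outside-only access rule
    does nothing."""
    if req.path == "/dns" and "server" in req.params:
        config["dns_server"] = req.params["server"]
        return True
    return False


def apply_dns_update_hardened(req, config, sessions):
    """Same endpoint with the controls a router admin UI needs: POST only,
    an authenticated session, a same-origin check, and a per-session
    anti-CSRF token compared in constant time."""
    if req.path != "/dns" or req.method != "POST":
        return False
    sid = req.cookies.get("session")
    if sid not in sessions:
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != ROUTER_ORIGIN and not origin.startswith(ROUTER_ORIGIN + "/"):
        return False
    token = req.params.get("csrf", "")
    if not hmac.compare_digest(token, sessions[sid]):
        return False
    config["dns_server"] = req.params["server"]
    return True


def run_scenarios():
    """Replays one constructed cross-site request and one constructed
    legitimate request against both handlers; returns what each did."""
    sessions = {"s1": secrets.token_hex(16)}   # a logged-in admin session
    # What the browser sends for an <img> tag on a third-party page that
    # points at the gateway: the router cookie rides along, but the page
    # cannot make the browser send the router's own Origin.
    cross_site = Request("GET", "/dns",
                         headers={"Referer": "http://card.example/view"},
                         params={"server": "198.51.100.7"},
                         cookies={"session": "s1"})
    legitimate = Request("POST", "/dns",
                         headers={"Origin": ROUTER_ORIGIN},
                         params={"server": "203.0.113.53", "csrf": sessions["s1"]},
                         cookies={"session": "s1"})
    results = {}
    cfg = {"dns_server": "192.0.2.1"}   # placeholder ISP resolver
    results["vulnerable_cross_site"] = apply_dns_update_vulnerable(cross_site, cfg)
    results["vulnerable_dns_after"] = cfg["dns_server"]
    cfg = {"dns_server": "192.0.2.1"}
    results["hardened_cross_site"] = apply_dns_update_hardened(cross_site, cfg, sessions)
    results["hardened_dns_after"] = cfg["dns_server"]
    cfg = {"dns_server": "192.0.2.1"}
    results["hardened_legitimate"] = apply_dns_update_hardened(legitimate, cfg, sessions)
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The session check is what an admin password buys you; the method, origin and token checks are what still matters once the browser holds a logged-in session, because the cross-site request carries that session cookie automatically.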
    • Re: (Score:3, Informative)

      by nesmex ( 1027916 )
      Sorry to say this but the attack overrides the modem's password; the attack from Gusanito and similar attacks (i.e. El Universal) probe different common 2WIRE router addresses to get to the MDC. Fortunately it is not that elaborate... This attack was reported during late last year. This exploits a vulnerability in 2WIRE modems, as documented in US-CERT http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389 [nist.gov]
      Trend Micro has a more recent report on a variation of this attack http://blog.trendmicro.com/target [trendmicro.com]
  • by steveha ( 103154 ) on Tuesday January 22, 2008 @09:38PM (#22147848) Homepage
    As I understand it, even with this so-called pharming technique, the bad guys still cannot correctly spoof an "https:" page... at least not without compromising the private key used to secure the SSL connection, or compromising the private key of the certificate signing authority.

    When I explain to people how to use the Web, I always tell them to look for the security indicators [oreilly.com] before doing anything involving money.

    P.S. I wouldn't be surprised if the bad guys here added JavaScript code to their fake bank site, to rewrite the address bar of the web browser to show the "https:". This is why I prefer to do all my online banking with JavaScript disabled; thank you, NoScript [noscript.net].

    steveha
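    The reason a pharmed site cannot present a valid "https:" page for the bank's name is that the certificate binds the key to a domain name, and the check that matters is whether that name is the one the user meant. The following is an added example, not the commenter's code: a hostname-matching routine in the shape browsers apply (subjectAltName DNS entries first, commonName only as a legacy fallback, case-insensitive, a wildcard covering exactly one label), run over constructed certificate dictionaries in the layout Python's ssl.SSLSocket.getpeercert() returns. The domains are placeholders, plus the thread's own ebai.com versus ebay.com illustration.

```python
"""Checks what a certificate actually vouches for: whether its names cover
the host the user meant to reach.

Added example, not the commenter's code. The certificate dictionaries are
constructed in the layout that Python's ssl.SSLSocket.getpeercert()
returns; the domains are placeholders.
"""


def _name_matches(pattern, host):
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    and a leading wildcard covers exactly one label (so *.bank.example
    covers online.bank.example but neither bank.example nor
    a.b.bank.example)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return (host.endswith(pattern[1:])
                and host.count(".") == pattern.count("."))
    return False


def cert_covers_host(cert, host):
    """True when the certificate is valid for `host`. Only DNS entries in
    subjectAltName count; the commonName is consulted only when the
    certificate has no SAN at all, as older browsers did."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return any(_name_matches(n, host) for n in names)


# Constructed certificates. The first is perfectly valid for its own
# domain, which is exactly why a valid lock proves nothing about whether
# that domain is the one the user wanted.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "ebai.com"),),),
    "subjectAltName": (("DNS", "ebai.com"), ("DNS", "www.ebai.com")),
}
BANK_CERT = {
    "subject": ((("commonName", "bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example"),),)}


if __name__ == "__main__":
    for wanted, cert in (("www.ebay.com", LOOKALIKE_CERT),
                         ("www.ebai.com", LOOKALIKE_CERT),
                         ("online.bank.example", BANK_CERT),
                         ("a.b.bank.example", BANK_CERT)):
        print(f"{wanted}: {'covered' if cert_covers_host(cert, wanted) else 'NOT covered'}")
```

Against a live connection you would pass the dictionary from getpeercert() and the host the user typed; the lock icon answers only the first question (is this certificate valid for its own name), and this function answers the second.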
    • by Burz ( 138833 )
      More than that, look for:

      1) The lock symbol. It should be on the address bar, preferably displayed whole without a line running through it. The presence of https: alone doesn't highlight the connection's overall level of trust/security.

      2) The DOMAIN NAME. Most people, even most techies, forget this crucial part. The certificate/lock validates the domain name, and YOU must determine if that domain name is the one you really want to talk to. Ex: the site 'ebai.com' may have a perfectly valid certificate, even
