67 replies to this topic

[AplusWebMaster]

FYI...

- http://preview.tinyurl.com/2ubp3y
February 15, 2007 ~ "If you haven't changed the default password on your home router, do so now. That's what researchers at Symantec and Indiana University are saying, after publishing the results of tests that show how attackers could take over your home router using malicious JavaScript code... Once the router has been compromised, victims can be redirected to fraudulent Web sites, the researchers say. So instead of downloading legitimate Microsoft software updates, for example, they could be tricked into downloading malware. Instead of online banking, they could be giving up sensitive information to phishers..."

[AplusWebMaster]

More on this...

- http://news.com.com/...g=st.util.print
Feb 16, 2007 ~ "...Router makers already know of the problems with default passwords as well as other security concerns, they said. Linksys, for example, recommends that customers change the default password during the installation procedure, said Karen Sohl, a representative for the company, a division of Cisco Systems. "We are aware of this," she said. On its Web site*, Linksys warns users that miscreants are taking advantage of the default passwords. "Hackers know these defaults and will try them to access your wireless device and change your network settings. To thwart any unauthorized changes, customize the device's password so it will be hard to guess," the company states. Still, although Linksys' software recommends the password change, consumers can either plug in their router without running the installation disk or bypass the change screen, keeping the defaults. The company offers detailed information on how to change the router password on its Web site. Netgear and D-Link also recommend password changes.

Linksys:
* http://preview.tinyurl.com/2awst3

.

[AplusWebMaster]

FYI...

- http://www.us-cert.g....html#drvbphrmg
February 16, 2007
...The best defense against this type of attack is for home users to change their default password. The following links provide support resources for three of the more common home router vendors:
* D-Link - http://preview.tinyurl.com/2znuvw

* Linksys - http://preview.tinyurl.com/yqvvb4

* NETGEAR - http://preview.tinyurl.com/2njdql
...


.

Edited by AplusWebMaster, 17 January 2008 - 06:57 AM.

[AplusWebMaster]

FYI...

- http://preview.tinyurl.com/2pw3qg
February 20, 2007 ~ "...The attack involves luring users to malicious sites where a device's default password is used to redirect them to bogus sites. Once they are at those sites, their identities could be stolen or malware could be force-fed to their computers. In an advisory* posted Thursday, Cisco listed 77 vulnerable routers in the lines sold to small offices, home offices, branch offices and telecommuters. The advisory recommended that users change the default username and password required to access the router's configuration settings, and disable the device's HTTP server feature..."

* http://www.cisco.com...0215-http.shtml
Updated: Feb 15, 2007

> http://preview.tinyurl.com/yshqf

[AplusWebMaster]

FYI...

Default Passwords: A Hacker's Dream
- http://www.informati...cleID=202101781
Sept. 26, 2007 - "...Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords. "I'd say 85% of them were misconfigured routers. They had the default passwords on them," said Moore..."

[AplusWebMaster]

Ongoing focus...

Home routers 'vulnerable to remote take-over'
- http://www.channelre...ter_insecurity/
15 Jan 2008 - "...Design flaw in most home routers that allows attackers to remotely control the devices by luring an attached computer to a booby-trapped website. The weakness could allow attackers to redirect victims to fraudulent destinations that masquerade as trusted sites belonging to banks, ecommerce companies or health care organizations. The exploit works even if a user has changed the default password of the router. And it works regardless the operating system or browser the computer connected to the device is running, as long as it has a recent version of Adobe Flash installed... Routers made by Linksys, Dlink and SpeedTouch have been confirmed to be vulnerable, and other manufacturers' products are also likely susceptible to attack, the researchers said. Most routers have UPnP turned on by default. The only way to prevent the attack is to turn the feature off, something that is possible with some, but not all, devices..."

- http://www.us-cert.g..._router_exploit
January 14, 2008

- http://isc.sans.org/...ml?storyid=3848
Last Updated: 2008-01-15 16:55:01 UTC

Edited by AplusWebMaster, 22 January 2008 - 06:36 AM.

[AplusWebMaster]

FYI...

Drive-by Pharming in the Wild
- http://preview.tinyurl.com/yqutaj
January 22, 2008 (Symantec Security Response Weblog) - "In a previous blog entry* posted almost a year ago, I talked about the concept of a drive-by pharming attack. With this sort of attack, all a victim would have to do to be susceptible is simply view the attacker’s malicious HTML or JavaScript code, which could be placed on a Web page or embedded in an email. The attacker’s malicious code could change the DNS server settings on the victim’s home broadband router (whether or not it’s a wireless router). From then on, all future DNS requests would be resolved by the attacker’s DNS server, which meant that the attacker effectively could control the victim’s Internet connection. At the time we described the attack concept, it was theoretical in the sense that we had not seen an example of it “in the wild.” That’s no longer the case... In one real-life variant that we observed, the attackers embedded the malicious code inside an -email- that claimed it had an e-card waiting for you at the Web site gusanito . com. Unfortunately the email also contained an HTML IMG tag that resulted in an HTTP GET request being made to a router (the make of which is a popular router model in Mexico). The GET request modified the router’s DNS settings so that the URL for a popular Mexico-based banking site (as well as other related domains) would be mapped to an attacker’s Web site. Now, anyone who subsequently tried to go to this particular banking Web site (one of the largest banks in Mexico) using the same computer would be directed to the attacker’s site instead. Anyone who transacted with this rogue site would have their credentials stolen... I would still recommend changing the default router password to something that’s more difficult to guess. For many other router models, doing so will protect you... Also, in general I’d recommend that you reset the router anyway before changing your password. This step ensures that if you have become a victim already, you can start with a clean slate..."
* http://preview.tinyurl.com/2uqwug

> http://forums.whatth...ems_t87208.html

- http://isc.sans.org/...ml?storyid=3881
Last Updated: 2008-01-24 02:11:21 UTC

Edited by AplusWebMaster, 24 January 2008 - 06:50 AM.

[AplusWebMaster]

FYI...

Defending your router, and your identity, with a password change
- http://www.cnet.com/...3.html?tag=more
March 8, 2008 - "...Every router, wired or wireless, has an internal website used to make configuration changes. Accessing this internal website requires a userid/password, something totally independent of any wireless network passwords... In brief, if your router is using the default password, your computer is vulnerable to an attack where the router is re-configured. Specifically, the dangerous configuration option is the DNS server... Malicious DNS servers can result in your visiting to a website, any website, and ending up at a phony version of the site run by bad guys. If the website is that of a bank or credit card company, and you enter a userid/password, you can kiss your identity, and money, good-bye..."

- http://www.apwg.org/
Released: 3 Mar 08 - APWG Releases Dec 2007 Phishing Trends Report
(From the report - pg. 8, "Phishing-based Trojans – Redirectors")
"...Along with phishing-based keyloggers we are seeing high increases in traffic redirectors. In particular the highest volume is in malicious code which simply modifies your DNS server settings or your hosts file to redirect either some specific DNS lookups or all DNS lookups to a fraudulent DNS server. The fraudulent server replies with “good” answers for most domains, however when they want to direct you to a fraudulent one, they simply modify their name server responses. This is particularly effective because the attackers can redirect any of the users requests at any time and the end-users have very little indication that this is happening as they could be typing in the address on their own..."

Edited by AplusWebMaster, 10 March 2008 - 05:46 AM.

[AplusWebMaster]

FYI...

Example: http://ca.com/us/sec...px?id=453119651
Latest DAT Release 03 13 2008 - "This fake codec is actually a hijacker that will change your DNS settings whether you are aquire your IP settings through DHCP or set your IP information manually. This hijacker will attempt to re-route all your DNS queries through 85.255.x.29 or 85.255.x.121 (RBN).... rogue DNS servers..."

[AplusWebMaster]

FYI...

Linksys WRT54G Security Bypass vuln - updates available
- http://secunia.com/advisories/29344/
Release Date: 2008-03-21
Impact: Security Bypass
Where: From local network
Solution Status: Vendor Patch
OS: Linksys WRT54G Wireless-G Broadband Router
...The vulnerability is reported in firmware version 1.00.9. Other versions may also be affected.
Solution: Install updated firmware versions.
WRT54G v5/v6: Install version 1.02.5.
WRT54G v8: Install version 8.00.5.
WRT54G v8.2: Install version 8.2.05 ...
> http://nvd.nist.gov/...e=CVE-2008-1247
Last revised: 3/11/2008
CVSS v2 Base score: 10.0 (High)
"...allows -remote- attackers to perform arbitrary administrative actions.."

Linksys WRT54G » Downloads
- http://preview.tinyurl.com/2qykkj
WRT54G v5/v6: Install version 1.02.5. (3/03/2008)
WRT54G v8: Install version 8.00.5. (1/18/2008)
WRT54G v8.2: Install version 8.2.05 (1/18/2008) ...

[AplusWebMaster]

FYI...

D-Link router based worm?
- http://isc.sans.org/...ml?storyid=4175
Last Updated: 2008-03-21 16:44:10 UTC - "...I suspect someone is using snmp to reconfigure the router to its default password or to read it's admin password and then accessing the D-Link via telnet to modify the routers configuration or firmware. The D-Link DWL-1000AP had an snmp based password confidentiality vulnerablity reported back in 2001... I doubt this attack includes changing the firmware of the router itself to become router based self propagating worm while possible it is more difficult then compromising one of the home systems. Given control of a device like this in the network it would be relatively simple to redirect consumer's traffic to a site with client side exploits that would compromise any computer that was not fully patched..."

[AplusWebMaster]

FYI...

- http://www.techworld...amp;pagtype=all
08 April 2008 - "...The technical details of a DNS rebinding attack are complex, but essentially the attacker is taking advantage of the way the browser uses the DNS system to decide what parts of the network it can reach... On Tuesday, OpenDNS* will offer users of its free service a way to prevent this type of attack, and the company will also set up a website that will use Kaminsky's techniques to give users a way to change the passwords of vulnerable routers. The attack "underscores the need for people to be able to have more intelligence on the DNS," Ulevitch said. Although this particular attack takes advantage of the fact that routers often use default passwords that can be easily guessed by the hacker, there is no bug in the routers themselves..."
* http://www.opendns.com/

[AplusWebMaster]

FYI...

- http://preview.tinyurl.com/6yslx8
April 8, 2008 (Computerworld) - "... OpenDNS will offer users of its free service a way to prevent this type of attack, and the company will also set up a Web site* ... to give users a means of changing the passwords of vulnerable routers..."
* http://www.fixmylinksys.com/

[AplusWebMaster]

FYI... 4.10.2008

- http://www.symantec....ponse/index.jsp
(Symantec ThreatCon / Environment / Network Activity Spotlight)
"The DeepSight Threat Analyst Team is monitoring TCP port 23 and UDP port 161. These ports have both been associated with recent reports of a new bot that is exploiting and installing itself on D-Link routers.
The bot is designed to attack only D-Link routers over port 23 (Telnet) and contains functionality to scan for TCP port 23, launch IRC clone floods, and launch DDoS attacks. The author of this malicious software is charging 200 US dollars for the software, making it likely that this malware and variants of this malware will become widespread."

Edited by AplusWebMaster, 10 April 2008 - 12:21 PM.

[AplusWebMaster]

FYI...

Home Wireless AP Hardening in 5 Steps
- http://isc.sans.org/...ml?storyid=4282
Last Updated: 2008-04-11 19:58:32 UTC - "... There are dangers in all consumer network hardware that require the attention of everyone that installs these devices regardless of the vendor. Taking a device out of the box, plugging it in and letting it go can expose you to "worms" or other remote-based exploitation. This stems from a similar problem with software and operating systems, namely, these things do not ship in a secure-by-default configuration.
Here are 5 easy steps to take when you get a network device / access point to harden yourself against "easy" exploitation (and this applies to ALL hardware):
1) Change the default passwords...
2) Disable remote administration...
3) Update the firmware...
4) Disable unused services...
5) Change the default settings of the device..."

(More detail at the Internet Storm Center URL above.)