A security researcher says he has observed criminals using a new form of attack that causes victims to visit spoofed banking pages by secretly making changes to their high-speed home routers. According to Symantec researcher Zulfikar Ramzan, the attack changes a router's settings controlling the domain name system server that …
Would not knowing the password make a difference? I think 99% of people I know have the default settings up.
admin/admin = win.
No I think it bypasses password using uPNP. Why this is not passworded I don't know!
I went home and my internet wasn't working - looked like a DNS problem.
Went into my router (NOT the default password!) and realised uPNP was on. Turned it off and magically my connection started working again.
Belt, suspenders and a piece of string
I saw (or imagined) something like this coming a year or so ago and took precautions. Since I was already a linux user, I edited my hosts file so as to contain the IP addresses of all my critical sites, therefore I avoid doing DNS lookups for those sites at all. Not that I'd be silly enough to enable uPNP anyway, or not use a very strong password on my router, or not change the web port, or not restrict access addresses, or not use a gateway/IPS, or not tailor all my firewalls, or not have an unique e-mail address for each critical function, or ....
OK, so I'm a bit paranoid, but I plan on NEVER getting phished, pharmed, vished, hacked or cracked.
*It really shouldn't have to be this hard, should it?!*
"Since I was already a linux user, I edited my hosts file"
Actually windows has a hosts file as well, this is probably a good idea for sites that you need to be secure, like paypal, the bank, ebay, amazon (One click shopping has a price).
I guess you need admin privileges to change the hosts file on windows as well?
>Not that I'd be silly enough to enable uPNP anyway
I got caught out by this, since I didn't really know what used it, and it was defaulted on.
I seem to have survived however...
pop3 emails only?
So as it's mainly email based, will it work on people that use their ISP's web mail login to read their daily spam?
I only use the online googlemail, I have all my email addresses redirected to it, and read it all online, from wherever I am.
Re: Belt, suspenders and a piece of string
I assume you mean the American way of saying braces when you refer to suspenders. Not some kinky sex game.
Next Growth Product?
DNS Checker 2009 - compares results from a number of DNS servers using hard coded ip addresses. Also reports changes in IP of commonly used sites - coming soon to Norton, Sophos, Kaspersky and other suites...
@Re: Belt, suspenders and a piece of string:
You play your game, and I'll play mine :)
I'm assuming the average Linux user knows how to do this (or ask someone), but the average Windows user will be completely lost.
What I'd like to see is a customer going into a bank and getting a CD-ROM which will setup their hosts file with any necessary addresses and configure any other common apps such as adding bookmarks to their browser. Perhaps it could even conduct a basic PC security audit. I suppose there'd be some liability questions the bank may be shy of, though.
Why O Why O Why
do router manufacturers use default passwords ? Surely it's not rocket science to have a system to generate a random code and print it on a label to put in the box ?
Maybe they're advised by the same team who implemented the locks on the 1970s Ford Escorts ......
Paris Hilton because of a very weak connection to a town bicycle
.... (just had another thought) ....
Maybe the bank just gives you a LiveCD that you boot from, with everything on it you need to securely access their bank site. That ought to defeat most malware.
"Since I was already a linux user, I edited my hosts file"
Actually, you'd be better off editing your /etc/resolv.conf instead.
Several months ago, I upgraded the firmware on my Netgear router, and then discovered that the router was now advertising itself as a DNS proxy server to all of the connected machines instead of telling them to talk directly to my ISP's DNS servers.
Because of crappy coding by someone at Netgear, every DNS lookup took several seconds, and no addresses were cached by the router, so web browsing was as slow as if I had a 28kbps dialup connection.
Fortunately, I run Linux, so I simply edited /etc/resolv.conf to replace the router's IP address with those of my ISP's DNS servers.
Oh, and I disabled UPnP when I first set up the router.
Well well well...
... That's a new one. Although - Step 1 for me when I set up a new router is to change the admin password and hard-reboot the device.
And thankfully my device does not support uPnP, so I'm safe either way.
.. and I'm sure the banks would like to re-direct competitor web sites to their own or magically clean competitor bookmarks in the same CD-ROM update!!!!!
changing admin password
Changing the admin password won't help you at all if you have your browser set to remember the username and password of your router...
It's as simple as putting a meta refresh to some 192.168.1.1 page in an external internet page, and boom, you'd be exploited.
I don't think so. How long before we get reports of fake CDs being posted to people ... "due to a security upgrade you will need to log in and verify your account. Please load the enclose CD and follow the instructions ...."
er....what's all this about uPNP?
If Linux was truly user friendly, you wouldn't have to know what a host file was in the first place, but it's not, you have to be a geek to use it.
So what's all this "uPNP==pwn3d by bad guys" message people are alluding to?
Until someone ships you a dodgy CD.
The LiveCD idea
I already recommend that route to anyone who has had malware issues in Windows - it's not worth the risk of hoping the often-most-useful removal utils (i.e. those supported and recommended by sites like CastleCops - and usually written by mere mortals for free distribution) are 100% effective, given the speed at which new variants can update themselves.
That said, it's a great idea - and for the small cost of knocking out a few discs sounds like a winner to me !
Question is - which do they use, and how well supported is the hardware across the distribs... Ubuntu is fairly good, but I suspect Knoppix (especially the DVD release) has better support for hardware - but then you have the issue of crap USB modem drivers rearing its ugly head.
Perhaps all the UK banks could get together and split the cost, putting their IP addresses in - but it may then highlight any deficiencies in their own websites which may (or may not) fail under linux due to bad coding or reliance on unsafe / non-standard IE extensions (did I hear Barclays had issues recently, possibly with Safari ?)
Never paid much attention to uPNP, but that would explain why when I installed a beta of Vista my router settings suddenly got destroyed altered, I lost connection and no other devices could connect to my wireless network - even though it was password protected. Luckily, I had a suspicion about it at the time and turned uPNP off - but I always thought I was just being paranoid.... obviously not! lol
M$ infects through many ways
So I caved and got my kids an xbox 360 for Christmas. And oldest son has an older xbox as well. So what happens next is an example of why you shouldn't trust your kids like I do^H^Hdid.
- Son #1 (on college break) says, "hey, what did you change the router password to?"
- I tell him.
- A couple of days later I hop on the router. I *know* I had UPnP disabled.
- Surprise! UPnP is enabled.
- Ayup: he did it to enable the xbox Live feature.
So - not knowing exactly what this particular spawn of Redmond needs to work, I do the requisite search. "xbox 360 upnp router configure" and go to two different but promising-looking links:
This site basically says, "just enable UPnP, stupid."
This site says, "make sure UPnP is OFF" and then tells you what you need to port-forward for xbox live.
A third site I looked at was in between:
It lists three options, but (unfortunately) #1 is to enable UPnP. #2 is to set up port-forwarding, and #3 is to plop your xbox into the router's DMZ if it can do that.
Two out of three giving bum dope. A shame. All in the name of the Gaming Experience(sm). Kudos to the one that tries to get it right.
RE: Why O Why O Why
Using the serial number as the default password would seem the way to go, to me. It's unique, somewhat random and unknowable to a remote attacker. More importantly it's printed on the device (not just the box), so you can't possibly lose it. Naturally an alphanumeric serial numbering scheme would be preferred.
Yes OK, someone looking at your router could potentially compromise it, but if they have physical access to your router then the breaching of same is the least of your concerns.
Re: Live CD's.
Be a bit of a pain wouldn't it though? CD for each bank, paypal, ebay, amazon, dabs etc.. with a reboot each time?
And you'd have to explain your network configuration to the CD every boot.
They should have put a magnetic layer in CD's so that you have a small amount of writable storage, would've been useful.
I wonder how all those unsecured wireless routers cope with upnp attacks....
BTW You can put fixed DNS addresses into windows as well, probably easier than linux for that.
"It's as simple as putting a meta refresh to some 192.168.1.1 page in an external internet page, and boom, you'd be exploited."
It's a bit harder if you also change your home network IP range, NAT all addresses in your firewall, and hard code the MAC addresses into your DHCP server license.
Personally, I don't do internet banking over WiFi.
Paris Hilton because of the "it's a bit harder" statement at the beginning.
nsswitch.conf, resolv.conf and host.conf are the files to watch in Linux - resolv.conf points to your nominated nameserver (it's what you tell it during setup) and typically, nsswitch.conf and host.conf point to 'files' (i.e. /etc/hosts) first *then* dns; in a default desktop setup they don't need editing. To get this to work, you do need to edit your hosts file .... but checking config files won't hurt.
Plenty of software installs bookmarks - just about every game I know and many major application suites - they're usually in the appropriate start menu group - why would this be any different - I've not seen any problems yet. I thought I was supposed to be the paranoid one?
@AC '@Reply2' (both of you):
Who mentioned CDs in the post? I said *go into the bank* for a reason. Any branch will do.
Would like to see that demonstrated - it would be interesting. But even if you do save passwords (I don't, I think it's a bad idea) isn't a master password supposed to stop that?
@AC 'If Linux was truly user friendly...'
Oh, not that again! I'm just using Linux as *my* example and am suggesting a similar process could be automated (for the great majority of OS's).
Some of you chaps are just making stuff up, I swear. :)
"Who mentioned CDs in the post? I said *go into the bank* for a reason. Any branch will do."
my point still stands. Some numpty will get a CD in the post, with a lovely covering letter saying " ... in order to maximise the ease and convenience with which BastardBank customers may manage their online accounts, we have decided to post CDs to our customers to save them the trouble of having to visit a bank in working hours.
In order to celebrate this improvement in our services, the 1000th person to connect to their account using their CD will win a cash prize ....."
A meta refresh wouldn't do anything...
So, what's the difference between that and *any* postal scam? Anyway - easy to solve - just use serialized correspondence - my bank already does. First visit is in person, everything else is serialized correspondence. Heck, you could even add a "shared secret".
"BTW You can put fixed DNS addresses into windows as well, probably easier than linux for that."
Probably not. One command from CLI.
echo "nameserver 192.168.1.1" > /etc/resolv.conf
Where 192.168.1.1 is the name server you wish to define, change as your network requires. (Use official name servers from your ISP, not your default router else you gain nothing from this exercise.)
And to think I moved to a router
because a Linux box to do the sharing seemed a lot more hassle (as required with BT's old green frog ADSL modems)
@ Why O Why O Why
Um, they put in default passwords because life would suck if they didn't.
I don't know how many times I've walked in..."We need you to fix the network" "No problem I say, what's the router password." "No one knows and the person who set it up has left."
Well, the only thing to do is a hard reset, use the default password and start over at that point. Thank God for default passwords. Just change the blooming password when you set it up, but do NOT take away my default passwords.
C'mon guys, using a hosts file (and not trusting DNS) is not the solution to this problem. We have this little thing called SSL which was designed years ago to prevent problems exactly like this. The key is education - users need to know in broad terms what SSL is and why they need to get worried if the browser issues a warning to them. I often hear arguments about average users "not understanding this stuff". If they want to use the technology and not get ripped off they are going to have to understand it.
@Reply 3 and "M$ infects through many ways"
"Who mentioned CDs in the post? I said *go into the bank* for a reason."
They should get you on to the credit cards..
"- Son #1 (on college break) says, "hey, what did you change the router password to?"
- I tell him."
You didn't ask why?
One way to secure routers would be to only allow config from a directly attached machine on a serial port. You'd attach your PC to that port to configure the device and then log out and remove the cable. Now nothing can play with the router settings whatever it tries.
Wireless and net connections can only see some reports on the router or just route through it. Maybe a small bit of config could be allowed on the LAN side via SSH but only a small subset and nothing that would fundamentally change the router's behaviour.
Can't see that working with the great unwashed though.
RE: Why O Why O Why
I believe BT did something like use a random password and print it on the Home Hub box, but they've had to change it I think because it was flawed in some way. Can't remember the details. Might have been the WEP key though.
Of course using WEP is flawed anyway, but you know the reason why? Because WPA would cause too many costly support issues. That's probably the reason why most manufacturers just use the default passwords too. Simplifies support as they know most people don't change them.
As for UPnP, when it was announced, I knew it was asking for trouble. Again a nice idea in theory to make networking "easy" for idiots, and maybe it is, but it also invites hackers. Basically if you make it easy for anyone to use, it's insecure. Make it difficult, it's secure but also almost impossible for idiots to use. Maybe idiots should just be banned from the Internet!
Joe Sixpack vs. Ease of use
in my 20 years in systems and support, it has become obvious to me that the vast majority of Windows users (and most users in general, for Mac, Linux/UNIX, and most other platforms) have absolutely no idea how, why, when or where to change system values in the OS (any version). this is why TweakUI was created, for allegedly easy-to-use Windows, back in the day.
hell, most of them don't even know how to change settings on their mobile phones (much like their VCR/DVD/HDDisc players, that always blink 1200).
for the AC who said that Linux is not user-friendly, you made a completely meaningless statement. our hero, Joe Sixpack (he of the default router subnet, default password, and enabled UPnP), has never seen the admin page of his router, doesn't know it exists, how to use it, or why it matters. he also doesn't know that [insert windows root directory here]\system32\drivers\etc\hosts exists, how to use it, and why, or even what to edit it with (no extension, so Windows will ask what app to open). if you try to explain it to him, he will glaze over in under 5 seconds (i timed it), and will urgently need a beer to revive him.
given any sequence more involved than clicking on icons, 99% of the population is instantly lost (the ones who know enough to be dangerous, are usually the worst). in this respect, UNIX is no different than Windows for the IT-ignorant user (which describes most people): it is black magic, and geeks are its priesthood.
if you're ever sadistically bored sometime, try to explain the mechanics of DNS to non-technical friends, or, better yet, strangers (use the uninterested ones for bonus points), and see if they can edit the hosts settings effectively. the syntax of the hosts file is not user-friendly anyway, it is geek-friendly: /etc/hosts is a UNIX convention, a relic from the original Windows development team's UNIX background, which is why every Mac and Linux/UNIX box has that file, for that same purpose.
ease of use is relative to one's level of expertise. there is a large minority of the population in most industrialized nations, that is still completely ignorant, and even fearful, of computer technology. ease of use of Windows is relative, like ease of use of Mac (better interface anyway), or ease of use of the Linux/UNIX GUIs (there are many, some much easier than others).
personally, i like the AS/400 command line. given admin rights, the damage i can do is about like a UNIX box, but will usually impact the entire company.
PH icon: she is empty and meaningless, like AC's MS-type marketing FUD. happy trails.
"As it turns out, the attacks Ramzan has since witnessed were even more effective than he expected, at least when used against certain brands of routers, which were penetrated even without a password being entered (Ramzan didn't identify the specific router or vulnerability that made this possible.)"
Bloody scary, this one, whatever the means to penetrate ... Also, I agree it's only a bonus to hackers, since average Joe will leave the default passwd anyway. The only way to make it better is via S/N provided of course the S/N is printed on the box, since the documentation will be lost anyway.
uPnP & BT
Hmm. My 3com router has uPnP enabled, but I don't use uPnP for anything on my network. However, turning it off stops my router connecting to BT business broadband!! It just will not connect when uPnP is disabled - doesn't even attempt to. No idea on this - not savvy enough I guess. However, I do have non-default subnet and non-default PW. Perhaps I should call BT tech support and ask them. On the other hand, don't think I can be bothered............
Yeah, you're right. :) I never thought posting credit cards was a good idea. 10 years ago, my bank didn't do that - just a letter to tell you to pick it up "from your nominated branch". Oh, for those days of certainty ...... :)
Same sh1t, different day...
Wasn't there a similar attack method like this years ago that just modified the hosts file on Windows anyway? It's essentially the same scam but a different method (attacking the router instead of the OS)
It still all comes down to education:
* Not opening unsolicited emails
* Looking for the SSL padlock in the corner for anything remotely sensitive
Without all this, even the most secure banking set-ups (2 factor auth for example) can still be exploited.
It's no use blaming router manufacturers etc - they pretty much need uPNP to let anything work (Messenger, Skype, basically anything that works as a primitive server). Most people commenting on here would know to set up port-forwards as and when required, but we make up <1% of the userbase.
...it's probably already the default setting with BT routers, they are so naff the users can't get to half the settings without a hack,
But I daresay they are pretty wide open to this
The brown coat...
Having last worked as a computer consultant 20 years ago I can still set up your DEC terminal or high speed printer on a Xenix box but how can I tell if my router has uPNP? Just because it does not mention it in the config hasn't convinced me that it is not enabled by default.
Is there a list somewhere or do I have to buy yet more stuff? 2Wire 2700HG from ebay
Oh! did I say that Kubuntu rocks :)
Yes, I'm leaving now............
The Unwashed Speak
As a member of the "great unwashed" (the 99% that is not the glorious 1% that is you), all I can say is eff-off. If everyone just refused to conduct any business on the 'net until security became automagically a non-issue, I figure it would take only a few weeks for this problem to be solved - because no business = most of you out work.
But people will carry on doing business on the net so you don't have to worry - so carry on admiring yourselves.
Solving how exactly the DNS poisoning is occurring is not the point.
As Robert Brockway and others pointed out, ...
Why are people putting their credentials into a form that their browser is surely warning has an invalid certificate (if the spoof site is emulating the SSL layer), or doesn't have the padlock (if the spoof site is not)?
The fact that probably the MAJORITY of the population will freely enter their banking credentials into bogus forms ought to stop banks from setting up internet banking in the first place.
It gets worse
See the "Trawler Phishing" attacks discovered by Sid Stamm (one of Zulfi's collaborators on the reported work) and Steve Myers. http://security.informatics.indiana.edu/research.php
Lurv the 99%
please note that i meant absolutely no disrespect to "the Unwashed", as you put it. i am equally ignorant of the finer details of agriculture (for example), as the 99% are of IT. the ignorance of the masses pays my bills.
unfortunately for the wonderful 99%, i am not the only one who profits. the cablecos and telecoms who provide these devices in wide-open configuration, offer no advice on the topic, and rarely fix the bugs, are the parties abusing the consumers in this case (elsewhere, it is usually the salespeople: "No, it's all ready to go, just plug it in, you don't need to change a thing!"). i can fix some of the issues they create, but it will cost you a bit. alternatively, it may cost you far more if you happen to be one of the tens of millions of people who are ripped off (and there are many scams, more every day).
the fact is that IT (any flavor) requires proper configuration and occasional monitoring; periodic revision, upgrades, and maintenance; and safe usage instructions for the end user. the only thing i have seen that comes close to the required appliance-like level of functionality is this:
nothing else i have seen, Mac, Windows, or Linux/UNIX, comes close to the support and administration these guys offer.
Are unfortunately a fact of life. The craziness abounds. In my case, I take it as an advantage. My mother-in-law's condo has someone nearby that has a nice wireless router. When I went there about 1 year ago (it could be more) I opened up my laptop and found it. Nice and open. Not wanting to spoil the party, and to ensure that the door STAYS propped open for me to come by next time, I found that I could access the router thru its defaults. Wonderful things these wireless routers! Just to ensure that the next time (I was there last month, and it was still open) it would be wide open, I went into setup and added a password, made sure WEP was off, and set the SSID as well. I suspect that the "owners" of the router have no cares at all, as their computer works quite well (wired, or not I just don't know). I'm happy as a clam, and provided a service to those around who want a nice wireless connection.
Of course, on my router, it has a non-standard IP address (not 192.168.x.1), has uPNP off and has a password. The access is limited by the range of the wireless (minimal in a stucco house!). Haven't had a problem!
This posting on Heise Security's site about frame spoofing shows that just checking the certificate does not give you a 100% guarantee that you're sending your credentials to the right site.
This article might be a bit old now (I haven't tested the links) but the fact that it's still happening (links below) shows that this attack vector hasn't gone to bed yet.
My motto is if your bank uses frames on their credentials entry page, don't use their internet service or move to another bank.
In fact this applies to any site that requests user credentials. And to access my tiscali web mail, guess what? Credentials are sent in the clear. Great!
Lock down those routers
People! Lock down your routers. Steps to follow with a router.....
I've only read about half of these comments so far. From what I've read it sounds to me like some of our fellow readers need a lesson in how to lock down a home router. You don't need Linux and you don't need a MAC, nor do you need a live CD to be safe, you just need to take some basic steps. (Oh, and before I get flamed I have an AIX box, a Linux box and a WIN 2000 box in addition to 2 WIN XP boxes connected to my home router. 3 of them using wireless.)
1. Change your admin password.
2. Even if your ISP requires DHCP hard code your DNS entries on the router.
3. Turn off DHCP.
This will require hard coded IP addresses on all of your machines connecting to your router. This in turn will require you to hard code DNS entries on those machines.
4. Change the IP address range that your router is setup for. You have 2 choices 10 dot IP addresses or 192.168 addresses. This gives you a multitude of address ranges to choose from. Don't leave it at the default of 192.168.1.0
5. If it's a wireless router set it up so that it will only accept connections from the MAC addresses that you enter.
6. Change the SSID and don't broadcast it. (Though this doesn't really have anything to do with this article.)
7. Never, never enable uPNP. In fact read up on all of the things that are enabled by default....50% of them you will not want enabled.
PNP, while convenient, is a dangerous thing, kind of like autoplay being enabled for CD/DVD drives.
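The checks several commenters describe (pin your ISP's name servers in /etc/resolv.conf instead of the router, and confirm nsswitch.conf consults /etc/hosts before DNS), as an added example that is not part of any comment in this thread. The sample file contents, the EXPECTED set and the finding names are constructed for illustration.

```python
import ipaddress

# Constructed sample files (not taken from the thread). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for real resolvers.
EXPECTED = {"203.0.113.53", "203.0.113.54"}  # assumed: the ISP servers you pinned
SAMPLE_RESOLV_OK = "# pinned by hand\nnameserver 203.0.113.53\nnameserver 203.0.113.54\n"
SAMPLE_RESOLV_BAD = "nameserver 192.168.1.1\nnameserver 198.51.100.66\n"
SAMPLE_NSSWITCH_OK = "passwd: files\nhosts: files mdns4_minimal [NOTFOUND=return] dns\n"
SAMPLE_NSSWITCH_BAD = "hosts: dns files\n"

# RFC 1918 and loopback: a resolver here is the router or a local proxy, so
# lookups inherit whatever upstream DNS that device is currently set to.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_nameservers(resolv_text):
    """Return the addresses on 'nameserver' lines, in file order."""
    servers = []
    for raw in resolv_text.splitlines():
        # Drop '#' and ';' comments before splitting into fields.
        line = raw.split("#", 1)[0].split(";", 1)[0]
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def audit_resolv(resolv_text, expected):
    """Flag every configured resolver that is not one of the pinned servers."""
    servers = parse_nameservers(resolv_text)
    if not servers:
        return [("no-nameserver", "")]
    findings = []
    for server in servers:
        if server in expected:
            continue
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append(("unparseable", server))
            continue
        if any(addr in net for net in LOCAL_NETS):
            findings.append(("lan-resolver", server))
        else:
            findings.append(("unexpected-resolver", server))
    return findings


def audit_nsswitch(nsswitch_text):
    """Check that the 'hosts:' line reads /etc/hosts ('files') before DNS."""
    for raw in nsswitch_text.splitlines():
        database, _, sources = raw.split("#", 1)[0].partition(":")
        if database.strip() != "hosts":
            continue
        order = sources.split()
        # 'resolve' is systemd's nss-resolve module, which also performs DNS.
        dns_like = [i for i, s in enumerate(order) if s in ("dns", "resolve")]
        if "files" not in order:
            return [("hosts-file-unused", " ".join(order))]
        if dns_like and min(dns_like) < order.index("files"):
            return [("dns-before-files", " ".join(order))]
        return []
    return [("no-hosts-line", "")]


if __name__ == "__main__":
    for name, text in (("pinned", SAMPLE_RESOLV_OK), ("dhcp", SAMPLE_RESOLV_BAD)):
        print(name, audit_resolv(text, EXPECTED) or "ok")
    print("nsswitch", audit_nsswitch(SAMPLE_NSSWITCH_BAD))
```

On a real machine, pass in the contents of /etc/resolv.conf and /etc/nsswitch.conf together with your own resolver list.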
Give me my bloody manuals back.
Something that really peeves me, is to open a box and find nothing inside but the device I purchased (modem, router, hard disk, CPU, sound card, or whatever) and a piece of paper giving me instructions on how to physically install the device and absolutely nothing else. Oh and a varying amount of advertising material.
Then when, after the usual swearing, I find (usually with more swearing as I search through a website link by link (nothing being intuitive)) and download a copy of the manual, I discover instructions only marginally more useful than the help in the average BIOS: "Select enable to enable option x. Select disable to disable option x." with no bloody clue whatsoever as to what option x actually does.
I want manuals like those of the days of yore. Manuals that would tell you what you were doing, before you did it and didn't work on the assumption that if you really want to do this, you've shelled out hundreds/thousands of quid for the appropriate Cisco, or M$ accredited course.