[personal profile] thewayne
PLEASE CHANGE THE DEFAULT ADMINISTRATOR PASSWORD if you haven't already. There's a new attack going around where, if you go to a corrupt page, it launches a malicious script on your PC that tries to identify your wireless router and change the administrator password. If it succeeds, it then becomes a base layer for phishing attacks by redirecting your attempts to access financial accounts to servers under the attacker's control. In such cases, if the cloned sites are done well (and with the amount of work that this attack requires, they'll probably be done well), you may not know that you're not on your bank's web site.

There are two obvious solutions. First, make sure that your administrator password isn't the default factory setting. Second, don't go to the web sites that these attacks are launched from. Unfortunately, it's not easy to know where such sites might be lurking. I think that part of the reason that I've been virus-free for so long is that I don't go where angels fear to tread and I'm not constantly downloading programs and toolbars. But maybe I'm just lucky.



OK, I misread the article. This is a proof-of-concept, i.e., someone created this attack and proved it viable. This does not mean that it exists in the wild. Still, you should change the default password on your wireless router.

Date: 2007-02-24 08:48 am (UTC)
From: [identity profile] annaonthemoon.livejournal.com
that was the first thing I did when I set up my router. "password" seemed like such a stupid password.

Date: 2007-02-24 08:51 am (UTC)
From: [identity profile] thewayne.livejournal.com
I've seen sites where they've listed the manufacturer, model, admin name, and default password. Most were SOOO STOOOPID, it boggled the mind.

I once worked with a Motorola DSL gateway/wireless router. On initial power-up, it required you to enter what would become the admin password, thus, the unit DID NOT have a default password. I rather liked that.

Cisco routers, the business-kind, also don't have default passwords because they don't have any initial configuration! But we're talking a whole different kind of beast there.

Date: 2007-02-24 08:53 am (UTC)
From: [identity profile] annaonthemoon.livejournal.com
Linksys, at least the one I have that's at SA's house, didn't have a password. Of course, we had to google to find this out when we reset it and couldn't log into the damn thing to change the password.

Date: 2007-02-24 08:57 am (UTC)
From: [identity profile] thewayne.livejournal.com
LOL! The wireless that we have here is very secure, not quite to the level of MAC filtering. So I bought the same model router, configured it the same, then set it up at my dad's house. Whenever we're in Phoenix, our laptops never notice the difference! And no one at my dad's house (well, until this trip) uses wireless, so no big.

I was in Phoenix last weekend, and my nieces came over for the night. They had a nice shiny new Dell laptop that their dad gave them. I called my sister and asked if I could configure it to give them internet access at my dad's, she said fine, dad didn't care, so I did it. I don't think they can get the WPA password out of the config, but really it's no biggie if they can. And if they ever come up here.... ;-)

Date: 2007-02-24 08:59 am (UTC)
From: [identity profile] annaonthemoon.livejournal.com
heh.

I leave my network open, but I also live in the middle of amish land and old people land, though my biggest reason for this was because my mom is so clueless about everything I wasn't going to try to explain passwords and such to her. I'm lucky she can re-boot things if I'm not home....and she has a hard enough time understanding why her computer keeps telling her she's connected to "green gables"

Date: 2007-02-24 09:02 am (UTC)
From: [identity profile] thewayne.livejournal.com
My intent is to set up a second, much more sophisticated wireless router at some point. The intent is that both routers will be connected to an additional router that comes straight out of the DSL router. One router would be an open router, the other very locked down, including MAC filtering. The first router would be utterly blocked by the second, so it would have no access to my internal network, just to the internet.

But that'll wait until I'm a little more flush. I don't mind providing some free bandwidth, but not at the cost of jeopardizing my personal equipment.

Date: 2007-02-24 09:05 am (UTC)
From: [identity profile] annaonthemoon.livejournal.com
*nods* but really, in my neighbourhood, there's only a handful of people with computers, let alone broadband/wireless.

And it's helpful for when my friends visit with their laptops.

plus, I've had to hard reset the router way too many times. I'm lucky I changed the admin password and SSID.

Date: 2007-02-24 08:53 am (UTC)
From: [identity profile] thewayne.livejournal.com
I should add that when I have been able to connect to wireless routers that show default SSIDs, such as Linksys, I have frequently been able to get into their configuration because of people not changing their admin passwords. I have been nice enough not to change anything because technically in doing so I was trespassing/hacking. They were at the total factory default configuration, not a pretty sight.

Date: 2007-02-24 08:56 am (UTC)
From: [identity profile] annaonthemoon.livejournal.com
actually, that reminds me.. when I was at SA's at the beginning of the month, we were trying to configure the linksys, and kept getting to the admin/pass for a linksys with the default SSID and it wouldn't let us in. I finally discovered the problem, when I realized it was showing the wrong model number at the log in prompt....we had been trying to log into the neighbor's network! (and this happened before we realized we didn't need a password, so it's possible we could have logged into the router by not putting in a password)

Date: 2007-02-24 08:59 am (UTC)
From: [identity profile] thewayne.livejournal.com
LOL! That's really funny! I've seen it, for example, my nieces had accessed the internet at my parents', but in reality they were accessing an unsecured neighbor's house as my dad's router cloaks the SSID, not to mention the WPA passphrase.

Date: 2007-02-24 09:01 am (UTC)
From: [identity profile] annaonthemoon.livejournal.com
Oh, whenever I'm in AA, my wireless goes CRAZY picking up a whole slew of networks. Most have a low signal so I can't connect to them, but occasionally I can get on them.

And there's a restaurant in my hometown that leaves their router open, and my friends and I are prone to hanging out there late at night, and suddenly, we get online.

Although the best was when I needed internet access once, so I pulled into a hotel parking lot. I literally sat in the lot and accessed their network.

Date: 2007-02-24 09:07 am (UTC)
From: [identity profile] thewayne.livejournal.com
Our school has wireless all over campus, but it isn't open to non-students/employees. Wendy's used to have wireless as did Quizno's (but Q had an equipment failure, I don't know if they ever got that fixed.) The city library has wireless, but you have to have a library card; they also did a bad job selecting channels and have an overlap (only use channels 1, 6, and 11). The oddest was finding open wireless IN THE MALL! I don't know if it's still there and open as I haven't taken my laptop in there in quite a while and my Palm TX, which has 802.11g, has been dead for a while.

Date: 2007-02-24 09:10 am (UTC)
From: [identity profile] annaonthemoon.livejournal.com
oh I found wifi in the mall once, too. It was an accident. I had my laptop and was working on something while I waited for a friend, and my wireless auto detected and connected!

in Ann Arbor, there's free wifi access points all over the place except on campus, where you have to be a student. The library will even issue you a temporary password to use if you don't have a library card.

they even have wifi at some of the rest areas on the turnpike!

Date: 2007-02-24 04:08 pm (UTC)
From: [identity profile] thewayne.livejournal.com
Ooooh - VERY dangerous having your machine configured to auto-connect! Your basic problem is that you don't know what you're talking to. Yes, it's a WAP, but it is trivial to put a key logger behind it. They have also demonstrated that if your PC is not properly defended, once you're connected, it's not difficult to compromise your computer!

If you do use public WAPs that you don't know who is running them, NEVER do anything that requires a password, ESPECIALLY banking!

I'm not too concerned, personally, because I use Zone Alarm Pro and am always fully updated (yes, I could get caught by a theoretical zero day exploit) and my wife uses a Mac, which is much stronger security-wise. But NEVER do financial or other important stuff over open WAPs that you don't personally know!

Date: 2007-02-24 05:47 pm (UTC)
From: [identity profile] annaonthemoon.livejournal.com
It was on my old laptop, which long story short, someone had put one of those lojack for laptops things on it to know where I was at all times - while I thought they were helping me by fixing my laptop. Ah, the things you find out.

Date: 2007-02-24 03:28 pm (UTC)
From: [personal profile] silveradept
Good security says that you change default passwords wherever possible. Just because, as defaults, everybody knows what they are. This does create for annoyances when you suspect the network admin has not set the router up properly, and you can't get the password to go look because of paranoia. But I'd rather be annoyed behind a secure set than being haxxored behind an open one.

Date: 2007-02-24 03:59 pm (UTC)
From: [identity profile] thewayne.livejournal.com
Absolutely agreed, always change default passwords in any device, as long as you can change the password. Case in point: a worm went through SQL Server installations a few years ago (Nimbda?) The only servers that it affected were ones that had blank SA account passwords (System Administrator account).

The sad thing is that it would take such little software work to change the configuration process to: (1) Insert CD to configure router. (2) Software tells you to set the password, it isn't the book telling you what the default password is.

Date: 2007-02-24 04:31 pm (UTC)
From: [personal profile] silveradept
Wouldn't take much at all to force the CD installer to actually connect to the router and then go through all the setup procedures from a wizard, now would it? That way, not only can you get the router set up properly, you can get it secured properly, all off the install CD.

That's for those using CDs, mind you. I'm pretty sure that routers can be set up without needing those CDs, unless my ability to do so was a fluke rather than a norm.

Date: 2007-02-24 05:48 pm (UTC)
From: [identity profile] annaonthemoon.livejournal.com
You can. I think the CDs are a bit pointless to be honest.
