
Security 101 - Remedial Edition: Use strong passwords

More than 100,000 hosts have been infected with a new worm called psyb0t. This worm appears to present a serious threat to home networks everywhere, if you believe the trade press reports. There may be reasons to disbelieve them in this case, though.

More than 100,000 hosts have been infected with a new worm called psyb0t. This worm appears to present a serious threat to home networks everywhere:

  • It infects consumer-grade router appliances.
  • It can be used to carry out DDoS attacks, which also affect the infected host's available bandwidth while helping consume that of the target.
  • It may be able to perform deep packet inspection to harvest user names and passwords from unencrypted traffic.

Researchers at DroneBL, "a realtime monitor of abusable IPs, which has the goal of stopping abuse of infected machines," in its own words, say of psyb0t:

This technique is one to be extremely concerned about because most end users will not know their network has been hacked, or that their router is exploited. This means that in the future, this could be an attack vector for the theft of personally identifying information. This technique will certainly not be going away.

It is certainly something to be concerned about in the aggregate, because there are sure to be many more people whose networking appliances will be compromised by this worm and descendants yet to come. DroneBL also says:

You are only vulnerable if:

  • Your device is a mipsel device.
  • Your device has telnet, SSH or web-based interfaces available to the WAN
  • Your username and password combinations are weak, OR the daemons that your firmware uses are exploitable.

If you've been paying attention so far, something should jump out at you right away. Specifically, you should notice that you probably aren't vulnerable to this. It took some digging for me to get to that point, because the first couple of sources I found online describing the worm and its effects didn't include DroneBL's page about the subject. What I found instead is what the guys at DroneBL describe thusly:

Many articles described this as an "end of the world, all routers are vulnerable" thing. This is simply not the case. We would prefer if you contact us if you do not understand fully now.

The reason you probably aren't vulnerable is that this is a worm that only affects home network appliances running on MIPS hardware with a particular Linux-derivative OS, and even then only if the device is running telnet, SSH, or a Web-based interface available to the Internet, and even then only if you use weak passwords or vulnerable firmware.

In short, if you're vulnerable, it's your own damned fault, and the proper fix is to stop being a security idiot. Don't provide telnet, SSH, or Web-based configuration interface access on the Internet-facing side of your router, and for the love of all you hold holy, don't use weak passwords. In the words of DroneBL:

90% of the routers and modems participating in this botnet are participating due to user-error (the user themselves or otherwise). Unfortunately, it seems that some of the people covering this botnet do not understand this point, and it is making us look like a bunch of idiots.

  • Stop making people look like idiots by poor reporting.
  • Stop using unencrypted connections to log in to critical resources across the Internet.
  • Stop making yourself vulnerable by using weak passwords or leaving unnecessary services running (which I warned against in 10 security tips for all general-purpose OSes).

If you're not doing any of those three things, you should be fine.
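As an added example (not code from the article or from DroneBL), the following Python script checks the second condition in DroneBL's list: it parses `netstat -tln`-style output as a small router would print it and reports any telnet, SSH or web listener bound to the WAN address or to all interfaces. The sample socket table and the WAN address 203.0.113.7 are constructed.

```python
"""Audit a router's listening TCP sockets for management daemons on the WAN side."""

# Ports of the remote-management daemons the article says must not face the Internet.
MGMT_PORTS = {23: "telnet", 22: "ssh", 80: "http", 443: "https"}
# Bind addresses that accept connections on every interface, WAN included.
WILDCARDS = {"0.0.0.0", "::", "*"}

# Constructed sample: what `netstat -tln` might print on a home router.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:80          0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.7:22          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 :::443                  :::*                    LISTEN
"""

WAN_ADDR = "203.0.113.7"  # constructed WAN address of the router


def parse_listeners(netstat_output):
    """Return (bind_address, port) for every TCP socket in LISTEN state."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue  # header lines and non-listening sockets
        # rpartition copes with IPv6 binds such as ":::443"
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def wan_exposed_services(netstat_output, wan_addr):
    """Names of management daemons reachable from the Internet.

    A listener counts as exposed when it is bound to the WAN address or to a
    wildcard address. A wildcard bind may still be blocked by an input filter,
    but the article's advice is not to offer the service on the WAN side at all,
    so it is flagged here. LAN and loopback binds are not reported.
    """
    exposed = set()
    for addr, port in parse_listeners(netstat_output):
        if port in MGMT_PORTS and (addr in WILDCARDS or addr == wan_addr):
            exposed.add(MGMT_PORTS[port])
    return sorted(exposed)


if __name__ == "__main__":
    for name in wan_exposed_services(SAMPLE_NETSTAT, WAN_ADDR):
        print("WAN-reachable management service:", name)
```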

This concludes today's Security 101, Remedial Edition lesson. For more reminders of what you should already know, see Security 101, Remedial Edition: obscurity is not security.

If you just want to know more about psyb0t, read about it at the DroneBL page about this threat, rather than relying on clueless reporters who get it wrong.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

28 comments
Neon Samurai

It's not something blatantly weak but I can rainbow table it pretty quickly. I'd be concerned if I also didn't pay attention to logs and connection attempts. ;)

Michael Kassner

If I may humbly add those two popular TPV firmwares are affected by this exploit.

Slayer_

My router doesn't have a password, however I have WAN access turned off, am I safe from this? I DO have a webserver inside my network however. It is not a Nix machine however.

apotheon

If you're one of those reporters who got it wrong, perhaps you should have another look at my Advice for reading about security.

Michael Kassner

For that. Still I won't as I'm sure you would be able to give it to me as well. Just disable all public-side exposure.

Neon Samurai

I guess it would be as it allows telnet, ssh and http connections from the WAN interface. It's one of the first things I disable. If config backup was not limited to http, I wouldn't need to enable that again at all after the initial flash. hm.. time to keep a closer eye on the website for the next v24 sp.

apotheon

Whether you're at risk from this specific threat depends on what "WAN access turned off" means in the case of your specific router, and whether your router is running a vulnerable firmware version. There's also the fact that, if your router doesn't require any kind of authentication, it might be vulnerable through other means (such as via wireless access or a potential infection of your Webserver that may then target the router).

rkuhn040172

There is absolutely no excuse for being vulnerable to this exploit other than having a huge "I'm a moron" painted on your forehead.

Sterling chip Camden

... disable all public-side exposure, I mean. I can do all the web testing I need inside my firewall, and deny all incoming at the perimeter. Not even port 80 is open.

davidt

....that the "100,000" routers that are said to already be infected must be running with the default factory password. I have seen that so many times in my work, I'm surprised it's not 1,000,000 of 'em. And anybody who has ever set up routers knows what every manufacturer's default password is.

Neon Samurai

About mid last week I took Cain to all my machines at home having discovered that it read ophcrack rainbow tables. Now it's a matter of regular guest machines slowly getting the updated passphrase. Definitely not anything open to the outside on my routers though. I may reflash it tonight just for fun though. The ports that do listen on the WAN device forward to a hardened Debian back end so I've been watching the port scans and login attempts through snort and psad.. Muwahahahahaa..

Michael Kassner

Chad mentioned in the article that this particular version was vulnerable. I know that many members are using some version of WRT firmware, that's why I thought it would be important to mention that specifically. I have to believe that your password is bullet-proof. Right??

Slayer_

Like you can enter the public IP address of the router and get to its config page. This is turned off. It doesn't require authentication, however from wireless my wireless is secured, both guest and actual logins are both secured.

Sterling chip Camden

... even temporary demos. Maybe my geek quotient gets decremented a bit for not self-hosting, but I'd rather not take on the responsibility for securing any public sites.

Neon Samurai

Things like DeICE and DVL that I'm going to leave booted up for a while get blocked at the router; no internet traffic in or out to those nodes. The other nodes are hardened so it'd be an issue for someone to break my workstation then use that to bridge into one of the trainer systems. If they have my workstation, why would they bother with the weak machines anyhow? My NAS gets the same treatment; no reason for it to talk to the outside world so it gets blocked. My one or two open ports are for me to use within known subnets so that limits the sources for attempts. I have had to open up port 80 and 443 though for remote clients looking at sites or server builds on my dev box. That's a temporary thing within an even more limited source scope though. ;)

Neon Samurai

With ssh, scp and sftp, my machine is all but beside me when not at home. Cloud-shmoud, I have all those benefits already and without involving a third party storage provider. Firewall rules limit where connection attempts can be made from. Failed attempts have to come from an IP within three local ISP subnets so emailing "abuse@" is possible for anyone that shows too much interest in my systems. Any other ports are forwarded on a temporary need basis; that pretty much only means opening 80 and 443 on occasion when needing a remote user to test something off my inhouse dev server. I figure it's no worse than having WPA2 broadcasting. In both cases, someone would have to bruteforce a stupid long passphrase. Each time I manage to break into my own network, passwords change to something that won't break under my dictionary lists, rainbow tables and reasonable bruteforce times. But, my paranoia is always open to peer review and suggestions. ;)

Michael Kassner

OK, what are you forwarding? That in and of itself is an opening. Still most exploits are using ports that are wide open to begin with.

Neon Samurai

20 char random character generated out of KeepassX.. They're not getting dictionaried or bruteforced any time soon. My current rainbows don't crack client or admin passphrase either but we'll see when the 34 gig big rainbow table finishes downloading.

NickNielsen

Not being there to see what's happening limits us to pure speculation. But I've had problems in the past where some wireless equipment won't take the configuration completely until I run through the process two or three times (resetting each time, of course) before the settings will stick.

Michael Kassner

I suspect the member is referring to the fact that the user name can't be changed. I suspect that the password can.

Neon Samurai

With SSH, any GUI apps I run on my workstation display locally. I limit router administration to wired local connections then run the browser through SSH if I'm not at the machine.

Slayer_

So far it's the best router I've ever had, I don't want to mess with it. Rebooting it will occasionally make it forget the password. It doesn't forget anything else though so it's no big deal to me. Disabling admin of wireless would probably be frustrating anyways since I do most of my admin stuff over wireless.

Neon Samurai

To reboot, you should simply need to unplug the power for a minute or two then plug it back in. The reset button could definitely be the reason for it losing the password unless it is time for an upgrade.

Neon Samurai

At least it means getting into your wireless passphrase before getting into your admin forms. What is the router type? You may want to consider Tomato or DD-WRT firmware if it's supported. Based on your current firmware not retaining a password or allowing you to disable admin over wireless anyhow. With your SSID broadcast, your wireless devices can listen for it and know when to try and connect which should avoid them calling out constantly when not at home. Any new OS platforms you're mucking with can pull your wireless SSID out of an "available networks" scan provided they have the correct passphrase of course. I forward my ssh port from the outside similar to your webserver setup. It's fun watching the attempts hit my snort and firewall.

NickNielsen

"I still have no admin password just cause the damn thing removes the password every time it restarts the router..." If you lose settings when you restart your wireless router, the router may be resetting instead of restarting. You should be able to set an admin password different from the default. If you can't, it's probably time to replace the router.

Slayer_

And a fancy passphrase that should be unguessable. I still have no admin password just cause the damn thing removes the password every time it restarts the router (wtf lol). I still have broadcasting turned on, but I am unsure how my laptop is going to deal with it, since it probably assumes it has to ask for the connection. I believe I am not on channel 6, I think I changed the default channel as my first config option. Sadly I cannot disable admin from wireless unless I also disable access to network drives from wireless, which is not helpful as I often use my Laptop as a netbook, where all my apps are stored on a desktop and just run over the wireless network. It's slow but, it works just fine and it saves space on its somewhat small HDD. It doesn't support SSH or telnet config, and HTTP config is turned off since accessing my IP address on port 80 takes you to my webserver, so it would be counter productive for it to take you to my router config page (and dangerous).

Neon Samurai

You mentioned WEP2 in another post. Are you using WEP encryption on your wireless or WPA/WPA2? It should be WPA2 unless there is specific hardware limiting you to WPA. If specific hardware limits you to WEP, consider replacing the hardware or not having it on the wireless network. WEP is about two minutes from discovery to connection for anyone that chooses to break into your network. Apoth probably covered it all but in case I hit something:

  • change your wireless channel away from default (probably 6) to something with less noise on it.
  • change your SSID to something meaningful without being directly identifiable (e.g. "roses" instead of "142mapledrive")
  • broadcast your SSID. Anyone breaking in will be able to see a hidden SSID. The only effect not broadcasting it has is to end up with more people on your channel.
  • use WPA or WPA2 (preferably WPA2) and set a good strong passphrase for clients to connect with. A home network shouldn't have enough machines being added or removed for it to be an issue.
  • disable administration from wireless
  • disable administration from WAN (internet)
  • disable admin through http and only connect through https for changing router settings
  • if possible, change your admin username
  • choose a good strong admin password
  • consider MAC address filtering (allow only). This is not really a security feature but will reduce the amount of noise your router cares about as it won't try to process network traffic from unknown MAC addresses. Again, on a small network it's not an issue to add in a MAC for regular guests.

My first night in a new building was spent without internet so I had a look-see at the wireless noise. I actually stumbled onto someone's network being broken into; when I looked at the traffic it was flooding the air with re-authentications (the magic packets). I haven't the hardware to identify where the network or the attacker are located so there's no helping that network.
Hopefully, the network owner will notice my secondary router broadcasting SSID "WEP is unsafe, use WPA, this means you XYZ"

apotheon

You should really protect access to the administrative interface with a password, if you're currently running it without a password (or with the default password). Also, you might consider making the admin interface inaccessible from wireless connections, if that's an option with your router. If your router supports remote connections (from the WAN) via Telnet or SSH to access the admin interface, that provides as much a vulnerability as the Web interface, as pointed out in the DroneBL information page.
