Hack lets intruders sneak into home routers

DanLM
http://news.com.com/Hack+lets+intruders+sneak+into+home+routers/2100-7349_3-6159938.html?tag=nefd.top

Change the default password, Christ. I can't believe people still don't do that.

Dan does a Benny Hill slap on the head of every person that does not change default passwords.

Dan
  • stephanbarr.lists

    Here's how I set up access points:
    1. Give the device a static IP and move it near the top (above .200) of your range. If possible, don't use the DHCP server function. Let some other device or server do that.
    2. Change the password to something with numbers and letters.
    3. Change the default device name to something you'll recognize. Do not use the default name.
    4. Don't use WEP or WPA.
    5. Use the MAC address access list; that way only devices you explicitly add will gain access to your network.

    Cheers.

    deepsand

    Without stupid users, quite a few of your brethren would be otherwise employed!

    BIGMACattack420

    We are all vulnerable, even with a router that is hard-wired only. If you're on the net then you're making yourself a target, and I don't care if you have every firewall out there: if you've got the know-how and the software and know how to run a virtual machine then you can get past any router's password, w.e.p, w.e.p 2; it's all in how much you know. My advice to you is, if you want to be as secure as can be, GO BUY A MACINTOSH AND LAY THAT LAME *** P.C. CRAP TO REST.

    The Listed 'G MAN'

    Does a Mac change the firewall & wireless router that I am running, exactly?

    The same firewall and router that would be used for the PC.

    If I am to believe you then the end result would still be exposure to the hackers, no matter what system I run behind them.

    WoW > Work

    "Buy a Mac! Buy a Mac!"
    That's all Mac users do, complain about PCs and push their Mac-ology onto people like a "religious right". The Pat Robertsons of the computing world.

    Sadly, it's worse than the Ford/Chevy argument you hear at NASCAR races.

    Anyway, and back to the article at hand: It's a shame that companies don't build in an auto-force password change on routers the first time you log in. Joe User doesn't always think about things like the router password. They just think Router=Security, not the actual settings.

    Jaqui

    Here, use my bat, it has pennies super glued to it to knock some "cents" into them ]:)

    TechExec2

    Taking advantage of some ignorant person's insecure home router is not nice! That's right up there with taking candy from a baby, taking a retarded child's lunch money, or kicking a dog. There must be a special place in **** for these depraved people.

    Changing the DNS to redirect to a phisher website is scary. If the phishers make the front door look and act like the real one, and wire up a fake SSL certificate, all it has to do is suck up the user IDs and passwords and then display some kind of "We're sorry, database temporarily offline, try again later" page. Insidious!

    What to do? If you ever see this kind of odd website behavior from a major financial site, assume you're exposed and do something to change your password immediately. Call the bank. Or, immediately use an alternate Internet connection (a dial-up modem will do), sign on to the real website, and change the password. Of course, this plan fails if the redirection is being done in your hosts file, or in the Internet somewhere.

    Some financial websites are effectively countering this threat with things like "Site ID" (e.g. Bank of America). The website presents you with something known only to you (a photo and a passphrase) after you enter your user ID but BEFORE you enter your password. You are instructed to not enter your password if you don't see the correct picture and passphrase. This is a clever, and patented, sequence that is very effective.


    A True Story - A "perfect" phisher website

    Some months ago, I got an outstandingly realistic phisher e-mail from "PayPal" (most of them are poor). The only dead giveaway was the lack of personal information (my name, etc), and the hidden website URL on the "Click Here" link. I was curious so I went to the "PayPal" website to check this one out. That fake page was absolutely flawless. Every single link worked and went to the real website. It even had the current promotional advertising that was on the real PayPal website. Only two things were different: 1. The URL was not "paypal.com", but was close enough to fool a lot of people, and 2. The destination on the HTML form tag was not "paypal.com". Someone put a huge amount of work into this. Spooky.


    Wireless Home Router Best Practices:

    - Change the router admin password. Use a strong password (no dictionary words, uppercase, lowercase, numbers).
    - Change the router name.
    - Change the router wireless SSID.
    - Don't broadcast the SSID.
    - Use WPA/PSK with a strong password (no dictionary words, uppercase, lowercase, numbers) for wireless. Change the password every month.
    - Use the MAC address filter list to provide some additional obfuscation and restriction.
    - Put the router in "stealth" mode so it does not respond to any anonymous requests from the Internet. Make it "invisible" on the Internet.
    - Run Firefox and the NoScript extension so only web sites that you explicitly choose to trust are allowed to run JavaScript in your browser.

    Any other best practices? Is there any other browser that has the ability to control JavaScript execution as effectively as Firefox with NoScript? (Jaqui: ...without turning it off entirely... :-) ).


    ----------------

    Best Practices For Securing A Wireless Network
    [this page is a bit old and says to enable WEP...use WPA/PSK instead]
    http://www.its.niu.edu/its/ess/security/wireless_best.shtml

    WEP: Dead Again, Part 1
    http://www.securityfocus.com/infocus/1814

    WEP: Dead Again, Part 2
    http://www.securityfocus.com/infocus/1824

    Wi-Fi security - WEP, WPA and WPA2
    http://www.hsc.fr/ressources/articles/hakin9_wifi/hakin9_wifi_EN.pdf
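
The second giveaway in the "perfect" phisher story above, a form whose destination is not the real site, can be checked mechanically. This is an added example, not part of the original post: it parses a saved page and flags every form that would submit outside the expected domain. The `.example` hostnames and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormActionCollector(HTMLParser):
    """Collect the raw action attribute of every <form> on a page."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # A missing or empty action submits back to the page URL itself.
            self.actions.append(dict(attrs).get("action") or "")

def host_in_domain(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host, domain = (host or "").lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def audit_forms(page_url, html, expected_domain):
    """Return (submit_url, reason) for each form that would send data
    outside expected_domain or over a non-HTTPS scheme."""
    collector = FormActionCollector()
    collector.feed(html)
    findings = []
    for action in collector.actions:
        target = urljoin(page_url, action)  # resolve relative actions
        parts = urlsplit(target)
        if not host_in_domain(parts.hostname, expected_domain):
            findings.append((target, "submits outside " + expected_domain))
        elif parts.scheme != "https":
            findings.append((target, "credentials not sent over HTTPS"))
    return findings

# Constructed sample: the visible link goes to the real site, as in the story,
# but both forms would deliver the credentials somewhere else.
SAMPLE_URL = "https://www.paypa1.example/webscr"
SAMPLE_HTML = """
<a href="https://www.paypal.com/help">Help</a>
<form method="post" action="https://paypal.com.login.example/collect"></form>
<form method="post" action="/signin"></form>
"""

if __name__ == "__main__":
    for url, reason in audit_forms(SAMPLE_URL, SAMPLE_HTML, "paypal.com"):
        print(url, "->", reason)
```

This covers the lookalike-host case only. When DNS itself has been redirected, the hostnames look correct, so the browser's certificate validation is the check that matters.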

    DanLM

    When you have sys admins not changing default passwords to Cisco routers, how can we expect the untrained/uninformed to know to do it?

    Chuckle Jaqui, I like that. A hat with pennies superglued... Yea, that would work.... But, then I would knock them out... They would claim innocence to leaving the password open because they were not of the right mind. Ehhhh, they claimed that argument already anyway.... Give me the hat.

    Dan
