Comments on news posted 2009-10-21 08:13:09: A vulnerability in a Time Warner combination Wi-Fi router and cable modem could allow a hacker to remotely access the device's administrative menu over the internet, according to blogger David Chen. ..


baineschile
2600 ways to live
Premium Member
join:2008-05-10
Sterling Heights, MI

Eh

If a competent hacker knew what he was doing, basic security that all wireless uses can be accessed.

Sabre
Di relung hatiku bernyanyi bidadari
join:2005-05-17

Member

said by baineschile:

If a competent hacker knew what he was doing, basic security that all wireless uses can be accessed.
Fair enough, but I think this is less about "hackability" than it is about incredibly poor network security management by TW. If they set the system up this way, leaving a customer-end unit so exposed is stupid and dangerous. If this was left in this configuration by SMC or by a third party programmer, then they are similarly negligent and one could point a finger at TW for allowing it to happen.

It'll be interesting to hear if there's more to this story.

crazyk4952
Premium Member
join:2002-02-04
united state
Ubiquiti EdgeRouter Lite
Ubiquiti UniFi AP-LR
Polycom VVX300

A drop in the bucket

They also note that the unit, made by SMC, only comprises a small portion of their 14 million customer base.
Well I guess that just makes it OK then, doesn't it? After all, that's only 0.005% of their customers. Such a small number, right?

I sure would hate to be one of the people affected by this issue since we can see Charter's attitude about this...

jester121
Premium Member
join:2003-08-09
Lake Zurich, IL

jester121 to baineschile

Re: Eh

But wireless security is only a vulnerability when you're in range of the radio -- this vulnerability is accessible from anywhere.
amungus
Premium Member
join:2004-11-26
America

1 recommendation

Throw 'em out!

Who on earth leaves web admin access open on a router? Is this not disabled by default on all of them?

If TW isn't responsible, I'd say the manufacturer is negligent here. Incredibly lame.

One more reason to buy your own equipment, understand it, or at least have a friend/family member help set it up somewhat securely.

WEP aside, leaving web admin access on is just totally pointless for 99% of users, not to mention a much worse thing to leave enabled in comparison. Might as well plug your computer straight in to a modem with no firewall at all...

I'd be buying a modem, and a router, and sending TW the bill until they figure out their equipment.
k1ll3rdr4g0n
join:2005-03-19
Homer Glen, IL

Member

said by amungus:

Who on earth leaves web admin access open on a router? Is this not disabled by default on all of them?

If TW isn't responsible, I'd say the manufacturer is negligent here. Incredibly lame.

One more reason to buy your own equipment, understand it, or at least have a friend/family member help set it up somewhat securely.

WEP aside, leaving web admin access on is just totally pointless for 99% of users, not to mention a much worse thing to leave enabled in comparison. Might as well plug your computer straight in to a modem with no firewall at all...

I'd be buying a modem, and a router, and sending TW the bill until they figure out their equipment.
HAHA OH MAN DSLR members make me laugh so hard.

You want Customers to actually understand how their equipment works? Priceless.
I think first we should make everyone take "Phishing 101" or at least "Basic computer troubleshooting 101".

I actually had someone call an ethernet cable, no joke, the "internet cable". Take your laptop out down the street in your neighborhood and see how many open wifi APs there are, and how many of those have a default admin username/password. People are so ignorant to computers. In fact me and a friend went around the neighborhood to try to get people alerted to the fact they have an open wifi - no one called us. There is only so much you can do for other people.

maartena
Elmo
Premium Member
join:2002-05-10
Orange, CA

maartena to baineschile

Re: Eh

said by baineschile:

If a competent hacker knew what he was doing, basic security that all wireless uses can be accessed.
Yeah, but this is the kind of hacking anyone with a little computer experience can do. It doesn't take a rocket scientist to disable JavaScript in a browser to see what that does.

And although a small percentage, 65.000 users could equal hundreds of online bank accounts and credit cards, IF someone indeed is able to abuse the unit to GAIN access to anything, which I don't know is the case. But if the admin side can be accessed from the internet side, you bet someone is finding out some way of exploiting it.

Best thing that TWC could do is give SMC two weeks to come up with a firmware that fixes this issue and then roll it out to the affected users. If that can't be done, contact the users in question and replace the modems. 65.000 is countrywide, which would probably translate into a few thousand per division, which is oversee-able.

Sabre
Di relung hatiku bernyanyi bidadari
join:2005-05-17

Sabre to k1ll3rdr4g0n

Member

Re: Throw 'em out!

Yes, most people are hopelessly ignorant. That doesn't change the fact that people should be more knowledgeable about what they own.

Owning a computer has, frankly, become so widespread that the need to know, really know, how to use one has been overlooked. Like most everything else, it's not a fundamental right, and just buying a computer won't bring you into the modern day or make you tech-savvy. If anything this is an argument that a whole lot fewer people should be owning computers than currently do.

(/rant)
jac74
join:2004-11-14
Orlando, FL

jac74 to crazyk4952

Member

Re: A drop in the bucket

This small percentage equals the number of users that have been educated on TWC's metered billing "benefits" plan...

rit56
join:2000-12-01
New York, NY

Member

College Kids

My router was locked with what I thought was a decent password. One of my two computers expired due to age in April and I didn't bother replacing it. An old desktop. I shut down my router and I hard wired my laptop directly to the modem and noticed immediately dramatically improved download speeds. Within 2 weeks two of my neighbors (I live in an apartment building with 20 units), 2 separate apartments, college kids, came to my apartment and asked if they could pay me 10 or 20 dollars a month to piggy back off my internet as they didn't, I presume, want to incur the full cost of an install and monthly service. I declined both of them but I realized that they both and their roommates were using my internet for months. One of them told me there is software available on the internet that allows you to easily hack someone's router. I never held it against either of them and as beautiful as they both were, lovely young ladies, I still said no. They can get their own. So if they're downloading movies and music it must have appeared as if I was quite a hog. I'm not a router fan.
ElJay
join:2004-03-17
Portland, ME
Ubiquiti EdgeRouter Lite
Ubiquiti Unifi UAP-AC-LITE

Member

Hack the router? Sounds like you had a wireless access point in the router that was either unsecured or poorly secured (WEP). There is no "hacking" a WPA2-secured wireless network that has a strong key.

How did the other tenants know it was yours? I'd highly recommend using an SSID (network name) that is generic to your name or location.

bent
and Inga
Premium Member
join:2004-10-04
Loveland, CO

1 recommendation

bent to rit56

said by rit56:

I never held it against either of them and as beautiful as they both were, lovely young ladies, I still said no.
I would have held something against them in exchange for free internet.

rit56
join:2000-12-01
New York, NY

rit56 to ElJay

Member

I used my first name as the name of the router. Go ahead and laugh. It was my first time setting one up and I named it after myself. So it was pretty easy to figure out where it originated. I'm not slamming routers, I just had a bad experience. Same with Bluetooth. Dell blows. This is my last PC by the way. I'm over it. I have a keyboard and mouse that connect with Bluetooth and when the battery gets weak it loses its link and when I put in new batteries it shows the keyboard but it doesn't work, won't link up. It then takes me a day, sometimes many days, to re-sync. It has made me wary of Bluetooth technology. Oh, when it does link up it shows all my neighbors' devices and asks me if I want to link up to their equipment. I had a bad experience with this PC and its glitchy things which I no longer want to tolerate. Microsoft products are not good. Sorry for ranting.

Bill Neilson
Premium Member
join:2009-07-08
Alexandria, VA

Bill Neilson to Sabre

Re: Throw 'em out!

What exactly should be learned? Exactly that is....is there some book about what specifically should be learned?

I am interested about what SPECIFICALLY should be made mandatory and what shouldn't

antdude
Matrix Ant
Premium Member
join:2001-03-25
US

Ambit/Ubee U10C018 cable modem...

Now if I could add my own password to Ambit/Ubee U10C018 cable modem (not a router). :P

tshirt
Premium Member
join:2004-07-11
Snohomish, WA

tshirt to ElJay

Re: College Kids

said by ElJay:

There is no "hacking" a WPA2-secured wireless network that has a strong key.

YET.
WPA2 AES is probably (as far as we know) the best choice AFTER wired. But once upon a time, WPA-TKIP was good, before that WEP was......
Broadcast it and they will come........
tshirt

Premium Member

BTW

BTW anyone who uses an SMC8014WG (or similar) should be aware this is a FIRMWARE problem, and it MAY affect ANYONE using this model (family) on ANY provider.
patcat88
join:2002-04-05
Jamaica, NY

patcat88 to amungus

Member

Re: Throw 'em out!

said by amungus:

WEP aside, leaving web admin access on is just totally pointless for 99% of users, not to mention a much worse thing to leave enabled in comparison. Might as well plug your computer straight in to a modem with no firewall at all...
Maybe someone wants to change the port forwarding remotely so they can VNC into a particular machine on their LAN. Admin screen is obviously passworded.

dvd536
as Mr. Pink as they come
Premium Member
join:2001-04-27
Phoenix, AZ

There's nothing they can do. . . . .

With pay per byte coming they don't want to lock down a lucrative way to overages. Hacker plays, sub pays.
k1ll3rdr4g0n
join:2005-03-19
Homer Glen, IL

k1ll3rdr4g0n to Bill Neilson

Member

Re: Throw 'em out!

said by Bill Neilson:

What exactly should be learned? Exactly that is....is there some book about what specifically should be learned?

I am interested about what SPECIFICALLY should be made mandatory and what shouldn't
Let's see, for starters:
How to identify a phishing email
Basic computer troubleshooting - including BIOS beep codes, using Windows safe mode, command line intro for both Linux and Windows
Differences and similarities between Linux, Unix, Windows, and Mac.
Intro to the Internet 101
Basic programming

I know you asked for specifics, but I won't write the lesson plans for you - you can get a good enough idea from my list.

One may say "Why did you include X?" I felt that those subjects are the most important that came to the top of my head. "Why didn't you include X?" No specific reason, I probably didn't even think about it.

One of my professors has to get help to change the input on the projector. And they have a doctorate. I mean it's just fundamental subjects like that should be pounded into people's heads.
Should we state a double standard and say that I should learn the basics in their field? Not necessarily. We use technology on a day-to-day basis do we not? Should we not at least have basic comprehension of the tools that we use in our day-to-day lives? I ask you this.