Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub kudos:4 |
Home DSL Routers At Risk Of CSRF Attack
Researcher demonstrates ease of hacking home routers with insidious cross-site request forgery (CSRF) attack
said by DarkReading :
A deadly attack typically associated with Websites can also be used on LAN/WAN devices, such as DSL routers, according to a researcher who this week demonstrated cross-site request forgery (CSRF) vulnerabilities in devices used for AT&T's DSL service.
Nathan Hamiel, a consultant and founder of security think-tank Hexagon Security Group, discovered a CSRF vulnerability in the Motorola/Netopia 2210 DSL modem that, among other things, could let an attacker insert malware onto the victim's computer or recruit it as a bot for a botnet. "CSRF is one of the only vulnerabilities that can be either completely innocuous or completely devastating," Hamiel says.
The vulnerability isn't isolated to Motorola/Netopia DSL modems. It affects most DSL modems because they don't require authentication to access their configuration menu, he says. "I can take over Motorola/Netopia DSL modems with one request, and I can do it from MySpace and other social networks," Hamiel says. The attack uses HTTP POST and GET commands on the modems, he says.
CSRF vulnerabilities are nothing new; they are pervasive on many Websites and in many devices. "CSRF, in general, is a very old issue," says Hamiel, who blogged about the hack this week. "Most of the vulns found today are old. That's the point: Nobody seems to learn lessons anymore."
A CSRF attack on a DSL router could be launched from a social networking site, Hamiel says, using an image tag on a MySpace page, for example. "Everyone who viewed my MySpace page with AT&T DSL and the Motorola/Netopia DSL modem would be owned," he says.
What can users do? "This could be mitigated if the user just enters a password for the device, which, nobody does," Hamiel says.
Source/full article: »www.darkreading.com/security/vul···12201777
-- Win free security software licenses until Sunday 21st December 2008 »www.smokey-services.eu/forum/ Smokey's Security Weblog »smokeys.wordpress.com/ |
|
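The device-side checks that would stop the image-tag request described in the article above, as an added example that is not part of the original post or of any modem's firmware. The device address, token and request fields are assumptions, and the sample requests are constructed.

```python
import hmac
from urllib.parse import urlsplit

# Constructed values for illustration; none come from a real device.
DEVICE_HOSTS = {"192.168.1.254"}      # assumed address the admin UI is served on
SESSION_TOKEN = "9f2c7a1e5b4d"        # anti-CSRF token issued to the logged-in session

def legacy_accepts(req):
    """Behaviour the article describes: no password, any GET or POST is applied."""
    return req["method"] in ("GET", "POST")

def hardened_accepts(req):
    """Decide whether a configuration-changing request may be applied."""
    # An <img> tag can only issue GET, so state changes are POST-only.
    if req["method"] != "POST":
        return False, "state change must use POST"
    # The mitigation named in the article: an admin password must be set and used.
    if not req.get("authenticated", False):
        return False, "authentication required"
    # A logged-in browser still sends forged requests, so check where they came from.
    source = req["headers"].get("Origin") or req["headers"].get("Referer")
    if source is None or urlsplit(source).hostname not in DEVICE_HOSTS:
        return False, "cross-site origin"
    # Per-session token that a page on another site cannot read.
    if not hmac.compare_digest(req.get("csrf_token", ""), SESSION_TOKEN):
        return False, "bad CSRF token"
    return True, "ok"

# Constructed sample requests.
IMG_TAG = {"method": "GET", "headers": {"Referer": "http://social.example/profile"}}
FORGED_POST = {"method": "POST", "authenticated": True,
               "headers": {"Origin": "http://social.example"}}
OWNER_POST = {"method": "POST", "authenticated": True, "csrf_token": SESSION_TOKEN,
              "headers": {"Origin": "http://192.168.1.254"}}

if __name__ == "__main__":
    for name, req in [("img tag", IMG_TAG), ("forged POST", FORGED_POST),
                      ("owner POST", OWNER_POST)]:
        print(name, legacy_accepts(req), hardened_accepts(req))
```

A password alone only helps while the owner is not logged in to the device; the origin and token checks cover the case where the browser already holds a valid session.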
 | A regular here had posted about this more than a few months ago. And again about 3 months ago. If users do not even read the directions to their routers, (which last I checked bolded the statement regarding passwords), then, well, they deserve whatever happens. |
|
Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub kudos:4 1 edit | Article date: Dec 03, 2008
Published on several other sites also, all articles dated 03-04 Dec. 2008 |
|
|
|
mysec Premium join:2005-11-29 kudos:4 1 edit | reply to Smokey Bear
said by DarkReading:
...among other things, could let an attacker insert malware onto the victim's computer or recruit it as a bot for a botnet.

Sorry, but not necessarily so.
This method is no different than any other remote code execution method which inserts malware -- such as i-frame, .ani vulnerability -- and thus can be easily blocked, as can all such methods.
This is not to downplay the fact that many don't secure their modem, but the examples and language used to assume the inevitable are a bit alarmist.
---- rich |
|
Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub kudos:4 |
said by mysec:
This is not to downplay the fact that many don't secure their modem, but the examples and language used to assume the inevitable are a bit alarmist.

Can be that the article sounds too alarmist, OTOH it makes it (again) very clear to us that there are multiple reasons to secure your router/modem, especially because the absolute majority haven't performed such. "Funny": we are bringing our beloved PCs to their knees with an army of security programs in our (many times paranoid) efforts to secure them, and ignore entirely the fact we also have a modem to secure. Therefore, see the article as a reminder. |
|
Doctor Olds I Need A Remedy For What's Ailing Me. Premium,VIP join:2001-04-19 1970 442 W30 kudos:18 | reply to Smokey Bear
Don't know about the Netopia, but the Speedstreams are easy to fix that from being an issue.


|
|
NetFixer Freedom is NOT free Premium join:2004-06-24 The 'Boro 1 edit | The AT&T supplied Motorola/Netopia 2210 can also be password protected, but the factory/ISP default is a null password.



-- A well-regulated militia, being necessary to the security of a free State, the right of the people to keep and bear arms shall not be infringed. »portscan.dcs-net.net »nature-pics.com |
|
NormanS Premium,MVM join:2001-02-14 San Jose, CA kudos:4 | reply to Doctor Olds
 SBC issued SpeedStream 4100. |
Even the SBC issued Siemens ... |
|
La Luna Survived Ashraful Premium join:2001-07-12 Warwick, NY kudos:3 | reply to Smokey Bear
As with many other vulnerabilities, the non educated user is often the victim.
How many times have we seen people here who haven't changed the default passwords for their modem or router? I can only imagine how many people don't even know a configuration access page exists. |
|
PrntRhd Premium join:2004-11-03 Fairfield, CA |
said by La Luna:
As with many other vulnerabilities, the non educated user is often the victim. How many times have we seen people here who haven't changed the default passwords for their modem or router? I can only imagine how many people don't even know a configuration access page exists.

I agree, I browsed the neighborhood from inside my house with a wireless laptop, found 5 WAPs, 2 secured, & 3 not. The unsecured ones were named Linksys, & Netgear. No security on their web interfaces from the wireless side, and at least two were fat connections. |
|
La Luna Survived Ashraful Premium join:2001-07-12 Warwick, NY kudos:3 | Yep, I've seen that too with my laptop. |
|
 | reply to La Luna Most home routers don't even come with instructions, and many have the password printed on the router itself. |
|
Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub kudos:4 | reply to La Luna
said by La Luna:
As with many other vulnerabilities, the non educated user is often the victim. How many times have we seen people here who haven't changed the default passwords for their modem or router? I can only imagine how many people don't even know a configuration access page exists.

You are right. A lack of easy understandable information and education are fatal for "Joe the plumber". The majority of the regular visitors of boards like DSLR or my own board know about risks and how to protect themselves. Joe doesn't, he doesn't visit our boards, many times doesn't even know about the existence. And expressions like "CSRF Attacks" deliver him a bad headache and taste because he just doesn't understand.
Is this all his fault or is he stupid? No!!!! From my own daily board and security community experiences and contacts with non-knowledgeable users of my board and informal contacts with "VIPs" in the community, it is my opinion we must blame ourselves.
It is a real problem and there is no easy solution. We all ("professionals and experts") should evaluate ourselves again and again and think about ways how to help Joe. Current practises are insufficient, dissatisfying and maybe many times even a disgrace. |
|
NormanS Premium,MVM join:2001-02-14 San Jose, CA kudos:4 | reply to tom3032
Every router I have ever purchased came with instructions; if only a printed sheet describing how to access the manual as a .pdf document on the included CD-ROM.
-- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum |
|
Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub kudos:4 |
said by NormanS:
Every router I have ever purchased came with instructions; if only a printed sheet describing how to access the manual as a .pdf document on the included CD-ROM.

Shame on the vendors, to save some bucks today it is common practice to deliver manuals as a pdf on a CD-Rom instead of supplying their products with a printed manual. |
|
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL kudos:7 | reply to tom3032
..., and many have the password printed on the router itself.

Having the password printed on the router itself should not be a problem. Presumably the attacker isn't going to invade your house to read the label on the router. A unique password (different for each router) that is printed on a label is a pretty good practice. It's when all routers from a manufacturer come with the identical password that you have a serious risk of this kind of attack.
-- AT&T dsl; Westell 327w modem/router; openSuSE 11.0; firefox 3.0.4 |
|
mysec Premium join:2005-11-29 kudos:4 | reply to Smokey Bear
said by Smokey Bear:
A lack of easy understandable information and education are fatal for "Joe the plumber". The majority of the regular visitors of boards like DSLR or my own board know about risks and how to protect themselves. Joe doesn't, he doesn't visit our boards, many times doesn't even know about the existence. And expressions like "CSRF Attacks" deliver him a bad headache and taste because he just doesn't understand. ... It is a real problem and there is no easy solution. We all ("professionals and experts") should evaluate ourselves again and again and think about ways how to help Joe.

Joe doesn't have to be familiar with "CSRF" and all of the other technical descriptions of attacks. All he has to do is understand the two basic attack methods by which malware installs, and this is fairly easy to do, in my opinion.
Malware installs
1) by remote code execution - the drive-by download, if you will - evidently the exploit discussed in this thread is a good example. Another is:
Rogue DHCP servers »isc.sans.org/diary.html?storyid=5434
The evolution went from changing local DNS servers in the operating system (for both Windows and Mac!) to changing DNS server settings in ADSL modems/routers/cable modems.
The malware described by Symantec goes a step further - it installs a rogue DHCP server on the network.
Sounds ominous. I asked the ISC handler to clarify the attack method:
The victim has to execute the trojan (or get it installed through an exploit, for example through a vulnerability in their browser).
A browser vulnerability provides an open door. A malformed PDF file provides an open door when the PDF Reader is not patched. Guessing the password of the modem provides an open door. But if there is a Guard inside this open door, nothing can intrude. In this case, security to prevent unauthorized executables from installing is the Guard.
This is not to excuse having an unpatched application, or weak/no password. But the fallback should always be security to prevent the "in case something fails" scenario. This is simple to show Joe, and thus, becomes the easiest - in my opinion - attack method to prevent.
2) The second method is where Joe is tricked into installing malware. A good example is the earlier incarnation of the rogue DHCP server, the DNSchanger exploit:
»isc.sans.org/diary.html?storyid=3595
So, let's see what really happens here. The "social engineering" part has been seen million times - an unsuspecting user visits a web site with a movie on it, however, he needs to download a new codec in order to view it. On Windows, that new codec is typically a PE executable, for Mac the bad guys prepared a DMG archive (DMG files are like ISOs). The user is then prompted to install the package and during this process he will have to supply the administrator credentials. Yep, it's game over from this point in time (and the attack is exactly the same as on Windows - keep in mind that these users *will* willingly supply these credentials.
The "social engineering" method of attack is more difficult to prevent because it requires the user to make a decision, and thus, is the weak link in any security strategy.
Drastic as it sounds, I advise Joe never to respond to a popup to update an application. Joe can go to the vendor's website directly to see if an update is needed. How much Joe really wants to watch this video will be the determining factor in this particular instance.
When the opportunity arises to help the Joes we come in contact with, these types of scenarios can be discussed and policies/procedures developed as part of a security strategy.
If they listen, we have helped in some way, and have deprived the botnets of a few more victims.
If they don't, well, we've done what we can, and we shouldn't be discouraged from continuing to help those who will listen.
---- rich |
|
NormanS Premium,MVM join:2001-02-14 San Jose, CA kudos:4 | reply to Smokey Bear
said by Smokey Bear:
Shame on the vendors, to save some bucks today it is common practice to deliver manuals as a pdf on a CD-Rom instead of supplying their products with a printed manual.

Is it really any more difficult to read the docs in a .pdf file on a CD-ROM than on paper? It isn't like Smith & Wesson shipping the manual to the pistol in a .pdf doc on a CD-ROM. (How many gun owners will take their laptop to the range!) |
|
Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub kudos:4 |
said by NormanS:
said by Smokey Bear:
Shame on the vendors, to save some bucks today it is common practice to deliver manuals as a pdf on a CD-Rom instead of supplying their products with a printed manual.
Is it really any more difficult to read the docs in a .pdf file on a CD-ROM than on paper? It isn't like Smith & Wesson shipping the manual to the pistol in a .pdf doc on a CD-ROM. (How many gun owners will take their laptop to the range!)

Reading straight from an already printed manual is easy, comfortable, and saves a lot of sheets and ink. |
|
NormanS Premium,MVM join:2001-02-14 San Jose, CA kudos:4 1 edit |
said by Smokey Bear:
Reading straight from an already printed manual is easy, comfortable, and saves a lot of sheets and ink.

Saves what? Just transfers the source (and cost) of those "sheets and ink"! |
|