
New Attack Hijacks DNS Traffic From 300,000 Routers

Unknown Lamer posted about 5 months ago | from the something-had-to-replace-windows dept.

Security 105

nk497 writes "Florida-based security firm Team Cymru said it was examining a widespread compromise of 300,000 consumer and small office/home office (SOHO) routers in Europe and Asia. The DNS server settings were changed to a pair of IP addresses, which correspond to Dutch machines that are registered to a company that lists its address in central London. The attack highlights the flaws in router firmware, the researchers said. 'It's not new as an issue to the InfoSec community but this is one of the biggest we've seen recently as it's quite insidious,' Cymru's Steve Santorelli said, adding the hack could let the attackers conduct man in the middle attacks, impersonating your bank, for example."


105 comments

The report (-1, Redundant)

Anonymous Coward | about 5 months ago | (#46394081)

Direct link to the SOHO Pharming Report (PDF) [team-cymru.com] published by Team Cymru.

Re:The report (0)

innocent_white_lamb (151825) | about 5 months ago | (#46394165)

That exact same link is in the summary.

You were in such a hurry to get first post that you didn't read the summary.

Re:The report (-1)

Anonymous Coward | about 5 months ago | (#46394231)

You're right. I'm sorry.

Re:The report (1, Funny)

Anonymous Coward | about 5 months ago | (#46394449)

No I'm not!

Re:The report (-1)

Anonymous Coward | about 5 months ago | (#46394985)

Yes you are.

Impersonating a bank is easy (0)

JoeyRox (2711699) | about 5 months ago | (#46394119)

All you need is a knack for numbers, misanthropy, and a total lack of conscience.

Re:Impersonating a bank is easy (4, Funny)

rebelwarlock (1319465) | about 5 months ago | (#46394179)

That's forming a bank, not impersonating one.

So how to impersonate a bank ? (1)

Taco Cowboy (5327) | about 5 months ago | (#46395171)

That's forming a bank, not impersonating one

Alright wiseguy, share with us details on how to impersonate a bank then ...

Re:So how to impersonate a bank ? (5, Funny)

Anonymous Coward | about 5 months ago | (#46395313)

Alright wiseguy, share with us details on how to impersonate a bank then ...

https://www.mtgox.com/ [mtgox.com]

Exploit, or dumb users? (3, Interesting)

DigiShaman (671371) | about 5 months ago | (#46394213)

And just how are these 300,000+ routers being reprogrammed to use alternate malicious DNS settings? Is this conducted via some common firmware exploit, or dumb users leaving default admin password in place?

Re:Exploit, or dumb users? (4, Interesting)

EmperorArthur (1113223) | about 5 months ago | (#46394243)

And just how are these 300,000+ routers being reprogrammed to use alternate malicious DNS settings? Is this conducted via some common firmware exploit, or dumb users leaving default admin password in place?

Either is quite possible, though default password issues require that a PC on the LAN already be infected.

Newer routers, especially the router/modem combo units, seem to have a randomly generated password that's printed on the device label. They also tend to come with WPA2 turned on with another randomly generated password that's also on the label. Proof that you can make devices more secure by default.

Re:Exploit, or dumb users? (1)

dalias (1978986) | about 5 months ago | (#46394339)

I wonder if these default passwords printed on labels are generated securely, or if they're a hash of the MAC address or something like that. The latter would be a lot cheaper to implement since there would be no need to install the securely generated passwords on the routers at the factory (they could just generate the password from their MAC on the first boot) and no need to tie this in with the label-printing system.

Re:Exploit, or dumb users? (1)

Charliemopps (1157495) | about 5 months ago | (#46397553)

Yes, but even then, it would be orders of magnitude more difficult to hack the modems than if the passwords were all just "Admin". A targeted attack would still be plausible but the mass hacking of hundreds of thousands of routers would be a lot more difficult.

Re:Exploit, or dumb users? (2, Insightful)

DigiShaman (671371) | about 5 months ago | (#46394355)

Take SonicWALL for example. A business class router that forces you to create an admin password upon first setup. I'm guessing other home routers also offer this ability in addition to the examples you've mentioned?

At the risk of sounding arrogant and condescending (not trying to be), but most people should just let their ISP provide and manage firmware updates for them. That, or go with Apple Airport where firmware updates occur along with standard Apple updates. Point being, rather than the user having to hunt for the updates themselves, they should either be prompted to perform an easy update, or just let someone else manage the device for them. Normally if someone shits on their own machine, I could care less. But if their negligence causes them to shit all over the internet with malware, well that just isn't right.

Re:Exploit, or dumb users? (0, Insightful)

Anonymous Coward | about 5 months ago | (#46394995)

most people should just let their ISP provide and manage firmware updates for them

Right. Because ISPs have such stellar security track records. Not to mention the staggering amount of work it would be for an ISP to support whatever weird router the client might want to use. Unless, of course, you're proposing we'd only be able to run ISP approved hardware. Now that would be splendid, indeed! Oh, wait, no it wouldn't.

Re:Exploit, or dumb users? (1)

AmiMoJo (196126) | about 5 months ago | (#46395525)

I'd be happy with silent automatic updates for routers, with an option in the menus to turn them off. Most users would just keep it on and be protected. Windows is like that, automatic updates on by default and more or less silent.

Doesn't work. (0)

Anonymous Coward | about 5 months ago | (#46396001)

At the risk of sounding arrogant and condescending (not trying to be), but most people should just let their ISP provide and manage firmware updates for them.

Verizon set thousands of home routers to the same password (which was "Password" plus a single digit number, BTW) when they rolled out FIOS in my area. A year later a worm ripped through them all and most of them are still compromised today.

Think about it; ISPs aren't any more likely to do a good job than a generic idiot who has a bank account at stake.

Re:Exploit, or dumb users? (1)

klui (457783) | about 5 months ago | (#46397163)

I just saw a new AT&T subscriber where its Motorola 3347 router allowed it to be managed via the WAN port. But it does have the password set to a number on the label. Most routers today are capable of TR-069 so the ISPs are more than capable enough to do this management. But do they?

Re:Exploit, or dumb users? (1)

Cenan (1892902) | about 5 months ago | (#46394841)

Either is quite possible, though default password issues require that a PC on the LAN already be infected.

No. This guy mapped the entire IPv4 Internet using a bot-net running inside routers only linky link [sophos.com] . Apparently he just used the default root:root or admin:admin to build the bot-net. Point being, he never used the infrastructure behind the routers, only the routers themselves.

From there it's not hard to imagine how you would go about changing the DNS settings on the router, and you could expand the bot-net if you know the algorithm the default passwords on newer routers are created with.

Re:Exploit, or dumb users? (4, Informative)

Todd Knarr (15451) | about 5 months ago | (#46394265)

Some had the management UI accessible from the Internet, letting botnets probe routers and try common passwords directly (consumer routers have poor intrusion-reporting capabilities so the attempts are likely to go unnoticed). The majority, though, had URLs that can be accessed to change settings without requiring authentication. So the bad guys set up a site that exploits cross-site scripting bugs to cause your browser to access those URLs on the router when visiting the web site. That let them change the DNS servers without needing to crack the password, and the technique works no matter how strong a password you've set. The only way to avoid it's to avoid any router whose firmware's vulnerable. If you've got a vulnerable router that's supported by DD-WRT or OpenWRT, flashing the router with them's an option. The worst case is you brick the router and have to buy a new one, which is what you'd have to do if you didn't re-flash it.

Re:Exploit, or dumb users? (1)

dalias (1978986) | about 5 months ago | (#46394333)

The XSS, etc. only work if the machine you use for browsing is logged in to the router, which is generally a bad idea (for this exact reason). Accessing the router control panel via incognito/private/porn browsing mode when you need it is a good workaround, but of course replacing the firmware with OpenWRT is even better.

Re:Exploit, or dumb users? (4, Interesting)

Todd Knarr (15451) | about 5 months ago | (#46394351)

No, as noted in the article they did not need to be logged into the router since the URLs used didn't require credentials. Yes, it's a horribly huge hole in security. Yes, it was left in undoubtedly because "the only way to get to those pages is through the login page so it's secure". Yaright.

Re: Exploit, or dumb users? (1)

DigiShaman (671371) | about 5 months ago | (#46397031)

Uh oh! Last night I performed a firmware update to DD-WRT from a previous build. When it rebooted (watched LED status on the box), I could press "ok" on the page and it automatically let me in the configuration page. It didn't prompt me for credentials. It should after a reboot, right? I mean, a full reboot effectively drops and forgets the session; or so I would think. And no, I don't cache/save passwords in my browser.

Re: Exploit, or dumb users? (1)

almitydave (2452422) | about 5 months ago | (#46399745)

Could have been an authentication cookie set by the router's web server when you first logged in. If the router accepted that cookie as valid after the reboot, you wouldn't need to log in. I'd think a well-designed router would invalidate authentication cookies on a reboot.

Re: Exploit, or dumb users? (1)

operagost (62405) | about 5 months ago | (#46400665)

DD-WRT has some issue with sessions and cookies. That's why you can sometimes get error messages when making changes after the router reboots, but you didn't exit your browser session.

Re: Exploit, or dumb users? (1)

Todd Knarr (15451) | about 5 months ago | (#46406101)

You don't have to save passwords. DD-WRT uses HTTP Basic authentication, so once you've logged in once the browser will continue to send the authentication header with every request for a path that the router's said requires authentication. The router doesn't need to remember any sessions for this to work, once you've entered the credentials for a given authentication realm and path the browser will retain them until you completely close and re-open the browser or clear the active logins data or until the router rejects your password and demands reauthentication.
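The points made in this sub-thread (settings URLs reachable without credentials, a browser that silently re-attaches Basic credentials to any request for the realm, and tokens that should die on reboot) can be put together in one handler. The following is an added example of a hypothetical router admin endpoint, not DD-WRT's or any vendor's code; the LAN address, credentials and field names are assumed:

```python
import base64
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical router admin handler (added example, not DD-WRT's or any vendor's code).
ROUTER_ORIGIN = "http://192.168.1.1"           # assumed LAN address of the admin UI
ADMIN_USER = "admin"
ADMIN_PASS = "correct-horse-battery-staple"    # constructed sample credential


def basic_header(user, password):
    """Build the Authorization header a browser sends after one successful Basic login."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


class RouterAdmin:
    def __init__(self):
        self.boot()

    def boot(self):
        # A fresh nonce on every boot, so tokens minted before a reboot stop verifying.
        self.boot_nonce = secrets.token_bytes(16)
        self.dns_servers = ["192.168.1.1"]

    def mint_csrf_token(self, session_id):
        # Handed to the admin page after login; bound to this boot and this session.
        return hmac.new(self.boot_nonce, session_id.encode(), "sha256").hexdigest()

    def _basic_auth_ok(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        try:
            user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        return (hmac.compare_digest(user.encode(), ADMIN_USER.encode())
                and hmac.compare_digest(pwd.encode(), ADMIN_PASS.encode()))

    def _same_origin(self, headers):
        # The browser re-sends cached Basic credentials with *any* request for the realm,
        # including one triggered by a page on another site, so credentials alone do not
        # prove the user meant to change anything; the request must come from the router's UI.
        src = headers.get("Origin") or headers.get("Referer")
        if not src:
            return False
        p = urlsplit(src)
        return f"{p.scheme}://{p.netloc}" == ROUTER_ORIGIN

    def set_dns(self, headers, form):
        """Return (status, message); the setting changes only when every check passes."""
        if not self._basic_auth_ok(headers):
            return 401, "authentication required"
        if not self._same_origin(headers):
            return 403, "cross-site request refused"
        expected = self.mint_csrf_token(form.get("session", ""))
        if not hmac.compare_digest(form.get("csrf", ""), expected):
            return 403, "missing or stale csrf token"
        self.dns_servers = [s.strip() for s in form.get("dns", "").split(",") if s.strip()]
        return 200, "ok"
```

A real firmware would tie `session` to the login that minted it; the example keeps only the parts the thread discusses.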

Re:Exploit, or dumb users? (1)

ledow (319597) | about 5 months ago | (#46394751)

"The only way to avoid it's to avoid any router whose firmware's vulnerable."

Or, to never rely on a "router" that costs less than £100/$200 except as nothing more than a modem to your real setup.

I realise home guys can't necessarily set that up but, really, it's not the "only" way to avoid it. Just don't rely on some cheap piece of junk - that's designed so that Jim doesn't have to hear modem screeches - to get on the net and be your only barrier against it.

Haven't yet seen a router that doesn't have DMZ settings or that you couldn't "double-NAT" through it to make it work like a modem. It's the config that anyone with a brain uses, and with things like Virgin Media UK's Superhub and/or BT's hub, it's the only sensible way to do things (unless you WANT it to offer out your wireless to people who have paid BT money, or whatever).

It's not "the only way". And people on here should really have the knowledge to secure their networks that does not rely on some cheap piece of foreign junk where they spend longer designing the case to look snazzy in your living room than they did writing the firmware containing the firewall.

Re:Exploit, or dumb users? (0)

Anonymous Coward | about 5 months ago | (#46394855)

Proposing double NAT means you automatically lose any argument. Extra security at the expense of adequate functionality is useless. (And, when security types actually understand this instead of jumping on their theoretical high horses, perhaps there'll be a lot fewer exploits in the real world.)

Re:Exploit, or dumb users? (1)

ledow (319597) | about 5 months ago | (#46398305)

Please show me where I say that double-NAT adds any security whatsoever.

I'm proposing the idea that you don't even need to use DMZ and/or forwarding in order to send packets to a REAL router that can do the job better. Literally let a "proper" router have its "external" IP be picked up from the cheap-piece-of-crap "internal" DHCP range. Double-NAT, but means you have a secure internal network behind a real-router.

The fact that growing numbers of people ARE behind double-NAT (carrier NAT and then their router's NAT) tells you that you don't lose functionality and don't need to change settings on your router at all in order to "trial" a proper router.

I'm not seriously suggesting it as a complete alternative to a decent setup, but if you have things like the Virgin SuperHub (which can go flaky in modem mode with some firmware revisions), then you can still operate a real router to isolate your network without having to play with potentially router-killing options on your existing cheap router.

Re:Exploit, or dumb users? (1)

TWX (665546) | about 5 months ago | (#46395911)

It's not "the only way". And people on here should really have the knowledge to secure their networks that does not rely on some cheap piece of foreign junk where they spend longer designing the case to look snazzy in your living room than they did writing the firmware containing the firewall.

You know, I tried a commercial-grade NAT-capable router, designed with two WAN ports with the ability to do routing to different networks, or failover, or load balancing, and the thing had a firmware programming error that made it fail to handle full-motion video streaming correctly. By contrast, the "piece of junk" that I still use has no problem with routing-through any content that I choose to download.

Re:Exploit, or dumb users? (0)

Anonymous Coward | about 5 months ago | (#46396217)

I just use a machine running the latest stable debian as my router.

Re:Exploit, or dumb users? (0)

Anonymous Coward | about 5 months ago | (#46394393)

The linked pdf shows that in some cases, there was no firmware exploit, already compromised machines or default passwords in place.
The process to switch dns servers on the router seems to be:
1) Browser loads malicious website
2) Malicious website sends request to the router to change dns (from the local network), using passwords stored in the browser (or default password for the router).

So if you don't store your routers access details in your browser, you'd probably be immune.

You make some intelligent observations there (0)

Anonymous Coward | about 5 months ago | (#46394539)

Great questions. Both happen to be answered in the .pdf linked.

Re:Exploit, or dumb users? (2, Funny)

TubeSteak (669689) | about 5 months ago | (#46394543)

Is this conducted via some common firmware exploit, or dumb users leaving default admin password in place?

FTFS: The attack highlights the flaws in router firmware

I'll admit, I'm a weirdo.
I read more than the headline before I comment.

Re: Exploit, or dumb users? (1)

DigiShaman (671371) | about 5 months ago | (#46397093)

I was trying to quantify "flaws". Was it a zero-day exploit, or just a poor security im

Re: Exploit, or dumb users? (1)

DigiShaman (671371) | about 5 months ago | (#46397125)

...implementation that could have been avoided with proper end user precautions; such as changing the default password.

-sorry for the broken post. Posting from iPhone with the return button in the way.

Bank account hijacking is impossible (2)

WaffleMonster (969671) | about 5 months ago | (#46394255)

My bank is secure!!1!!!!

Between generous application of padlock gif's designed to make me feel safe and account specific image letting me know I'm logging into my bank and not some imposter bank... it would be impossible to get hacked. They even say so on their web site.

Remember years ago feeling bored and actually getting ahold of one of their "IT" guys informing him of the dangers of requesting credentials directly from a home page loaded via HTTP... His response was ... drumroll... it is posted to a secure site so the credentials are encrypted and can't be compromised.

There is no arguing with stupid or those who willfully subvert browser security features for marketing and or checking off security boxes on the compliance chart even if you (should) know better.

Re: Bank account hijacking is impossible (1)

Anonymous Coward | about 5 months ago | (#46394441)

The encrypted tunnel is created on submit, that is, you can have a login form on an http page and still submit encrypted via SSL if the forms action sends data via https.

Re: Bank account hijacking is impossible (1)

ttucker (2884057) | about 5 months ago | (#46394605)

The encrypted tunnel is created on submit, that is, you can have a login form on an http page and still submit encrypted via SSL if the forms action sends data via https.

If the original form is not delivered with SSL, you can not know that the server who sent the form is authentic. The form could be a modified version that posts anywhere, and SSL will have done nothing to protect you. Remember that it is not just encryption, but also a system to establish trust.

Re: Bank account hijacking is impossible (0)

Anonymous Coward | about 5 months ago | (#46399869)

The form could be a modified version that posts anywhere

Look at the page source. Find something like this: `<form method="POST" action="HTTPS URL goes here">`. That means your form submission is safe. Now find the submit button and make sure it's not bypassing the form submit process. Good: `<input type="submit">`. Bad: `<input type="button" onclick="javascript:DoSomethingThatBypassesTheFormActionWithAJAX();" value="Submit">`. Beware that jQuery makes that last part easier to hide.

And don't just rely on the page source. Every browser has available tools to display the DOM tree. Make sure nothing has attached events to the form or submit button. The form has, not just the action and the built-in submit process, but also the ability to set up "onsubmit" observers (event handlers). That one is probably the worst one to detect, and gives away the presence of either 1) a phishing form, or 2) a web application so poorly made that you shouldn't trust it in the first place.

If the form and submit button are both clean (and you can verify this yourself), you should be good to go.
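The manual checks listed in this reply (page scheme, form action scheme, submit control type, inline handlers) can be automated over page source. This is an added example, not from the commenter; the HTML it runs on is constructed:

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Records each <form>: whether it holds a password field, its submit controls
    and any inline handlers. Extraction aid for audit_login_forms()."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._cur = {"action": a.get("action", ""),
                         "method": a.get("method", "get").upper(),
                         "onsubmit": a.get("onsubmit", ""),
                         "password": False, "buttons": []}
            self.forms.append(self._cur)
            return
        if self._cur is None:
            return
        if tag == "input" and a.get("type", "text").lower() == "password":
            self._cur["password"] = True
        if tag in ("input", "button"):
            kind = a.get("type", "submit" if tag == "button" else "text").lower()
            if kind in ("submit", "button", "image"):
                self._cur["buttons"].append({"kind": kind, "onclick": a.get("onclick", "")})

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def audit_login_forms(page_url, html):
    """Return findings for every form on the page that collects a password.
    An empty list means the static checks from the thread all passed; it does not
    cover handlers attached later from script, which need the live DOM."""
    c = _FormCollector()
    c.feed(html)
    c.close()
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("page not served over HTTPS: its form may have been altered in transit")
    for i, f in enumerate(c.forms):
        if not f["password"]:
            continue
        target = urljoin(page_url, f["action"])   # empty action submits to the page itself
        if urlsplit(target).scheme != "https":
            findings.append(f"form {i}: action {target} is not HTTPS")
        if f["method"] != "POST":
            findings.append(f"form {i}: credentials would be sent with {f['method']}")
        if f["onsubmit"]:
            findings.append(f"form {i}: inline onsubmit handler present")
        if not f["buttons"]:
            findings.append(f"form {i}: no submit control found")
        for b in f["buttons"]:
            if b["kind"] != "submit" or b["onclick"]:
                findings.append(f"form {i}: {b['kind']} control with onclick can bypass the form action")
    return findings
```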

Re: Bank account hijacking is impossible (2)

FireFury03 (653718) | about 5 months ago | (#46394737)

The encrypted tunnel is created on submit, that is, you can have a login form on an http page and still submit encrypted via SSL if the forms action sends data via https.

A non-HTTPS login page could be modified to submit the data to a different server instead of the bank's - by the time you realise, it's too late. Or some JS could be embedded in the page to send the data to a third party *as well* as the bank, and you'd never spot that unless you had firebug open. The latter attack can also be carried out by embedding HTTP objects in an HTTPS page, which isn't especially visible to the end user.

Re: Bank account hijacking is impossible (1)

gl4ss (559668) | about 5 months ago | (#46394849)

The encrypted tunnel is created on submit, that is, you can have a login form on an http page and still submit encrypted via SSL if the forms action sends data via https.

but that's not the point.

the point is that the page you're typing on them might actually be any friggin bozo and consequently the javascript on that page might be sending it wherever whoever MITM'd the page load wants..

Re:Bank account hijacking is impossible (1)

FireFury03 (653718) | about 5 months ago | (#46394731)

My bank is secure!!1!!!!

Between generous application of padlock gif's designed to make me feel safe and account specific image letting me know I'm logging into my bank and not some imposter bank... it would be impossible to get hacked. They even say so on their web site.

Remember years ago feeling board and actually getting ahold of one of their "IT" guys informing him of the dangers of requesting credentials directly from a home page loaded via HTTP... His response was ... drumroll... it is posted to a secure site so the credentials are encrypted and can't be compromised.

There is no arguing with stupid or those who willfully subvert browser security features for marketing and or checking off security boxes on the compliance chart even if you (should) know better.

Meanwhile I was reasonably impressed by HSBC, who fixed their website in about a day when I told them they were including HTTP objects in the HTTPS login page. That said, they still include some objects from third party servers, over HTTPS (notably, Google advertising). IMHO the browser should warn you if there are any objects on an HTTPS page that aren't covered by the certificate displayed in the address bar.

wrong (1)

slashmydots (2189826) | about 5 months ago | (#46394313)

Excuse me? Not my bank. My bank brings up a secure photo from one server and a secure message from another while logging in. If I do not see on the login screen the image and the text, it's not my real banking page no matter what the URL says in the address bar. It'd have to be such an unbelievably targeted attack to intercept the real page and replace it after the fact that it's not likely.

Re: wrong (1)

Anonymous Coward | about 5 months ago | (#46394483)

That is trivially broken.

You need out of band preshared secrets, like a physical OTP dongle, or a paper slip with OTP keys. Otherwise you are just deluding yourself.

Re: wrong (1)

jonwil (467024) | about 5 months ago | (#46394649)

By far the best security measures I have seen for banks are:
1. Devices that look like the machines you see at retailers that you use to pay with credit/debit/bank cards (but connect via USB or bluetooth to a PC or phone) and that take your card and PIN and securely encrypt it all before sending it to the bank, meaning even a compromised local PC/phone won't give an attacker any ability to steal money
and 2. A device that looks like a calculator where you input the account number and transaction amount for the transaction and it mixes that with a unique stored-only-in-the-device key and then gives you a number you key into the transaction form alongside the transaction details. If the special number doesn't match what the bank calculates at its end, the transaction is denied. Again, basically completely resistant to attacks via a compromised local PC/phone (as the secret value never leaves the device)

Re: wrong (4, Interesting)

emilv (847905) | about 5 months ago | (#46394733)

The system used by most Swedish banks:

* The bank website gives you a random number as a challenge
* You input the number to a device together with your PIN (some banks also require you to insert your card into the device)
* You get a new number from the device that you input on a web page

The web pages are obviously encrypted with HTTPS using an EV-SSL certificate.

It used to be that the challenge was an account number or an amount but that is no longer the case due to the possibility of a replay attack.

Re: wrong (0)

Anonymous Coward | about 5 months ago | (#46394877)

You missed "a local exploit silently ignores your request to transfer $100 to the electric company, because it has instead made a request to transfer $1000 to an unnamed foreign account, and uses the challenge to authorize this".

Re: wrong (0)

Anonymous Coward | about 5 months ago | (#46394927)

You missed "a local exploit silently ignores your request to transfer $100 to the electric company, because it has instead made a request to transfer $1000 to an unnamed foreign account, and uses the challenge to authorize this".

...except that the ability to make transfers to international accounts is switched off by default. You need to contact the bank (phone or in person) and request them to enable the feature. To do this, you are required to be able to identify yourself.

Re: wrong (0)

Anonymous Coward | about 5 months ago | (#46394963)

In the Netherlands Rabobank uses this system, but the above attack is countered by requesting you to enter the total amount into the equation and for unknown bank accounts the account number is also entered into the equation.

So no fiddling with the amount or with the recipient by man-in-the-middle tricks.

The next generation device coming uses a camera and onscreen QR-codes as well, so less numbers to enter into the not-connected device.

Re: wrong (0)

Anonymous Coward | about 5 months ago | (#46396175)

Re: refer to an earlier argument, the QR code, is rendered how onto a screen, and gee, isn't there already gif/jpeg exploits, plus there are readback exploits, and government exploits, etc. Now how will the processes create a more secure transaction when the change can come hours after the injection.
You do not need real time to exploit, if you are going to rob, do you do it when you can be identified or when you are hidden. These exploits just require a recorder, send back home or to a honeypot, from there they can be analysed over time. Remember they have all the "needed information now" and they have patterns, all they have to do is correlate. Plus you don't have time to adjust, when they have to adjust an attack, they just know, this one didn't work, move on to the next one. There are no records of bad attacks, just good ones.

Re: wrong (0)

Anonymous Coward | about 5 months ago | (#46395031)

After having logged in, securely, if I want to transfer money away from my own accounts (for payments or whatever) I get another challenge for the specific purpose that I have to acknowledge. In it, the details of the transaction are presented.

If I want to transfer money between my own accounts, no additional challenge happens.

Thus, even if someone knocks me on the head after I have logged in, they *still* cannot transfer money away from me without my active participation in the corresponding second challenge.

(This is another Swedish bank. I have accounts in two. The procedures are very similar for both, and as far as I can tell quite secure. I have a background in information security. My opinions are based on that. There may still be flaws that I haven't identified. There's always someone smarter out there.)

Re: wrong (1)

K. S. Kyosuke (729550) | about 5 months ago | (#46395329)

What if I have a device that besides the challenge requires the transferred sum, the target account and the payment codes to calculate the proper response?
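The difference between the challenge-only device emilv describes and one that also mixes in the amount and payee (the Rabobank scheme above, and the device this question asks about) can be shown end to end. This is an added example with a constructed device key and a toy code derivation, not any bank's actual algorithm:

```python
import hmac
import secrets


def device_response(device_key, challenge, amount="", account=""):
    """What the offline, calculator-style device computes from what the user keys in.
    With amount and account left empty this is the challenge-only scheme; with them
    filled in, the response is bound to one specific transaction."""
    msg = "|".join((challenge, amount, account)).encode()
    digest = hmac.new(device_key, msg, "sha256").digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"   # 8-digit code to type in


class Bank:
    def __init__(self, device_key, bind_transaction):
        self.device_key = device_key            # shared only with the user's device
        self.bind_transaction = bind_transaction
        self.open_challenges = set()

    def new_challenge(self):
        c = f"{secrets.randbelow(10**8):08d}"   # random, never an amount or account number
        self.open_challenges.add(c)
        return c

    def authorize(self, challenge, response, amount, account):
        """True if the transfer (amount, account) is accepted for this challenge/response."""
        if challenge not in self.open_challenges:
            return False                        # unknown or already used: stops replay
        self.open_challenges.discard(challenge)
        if self.bind_transaction:
            expected = device_response(self.device_key, challenge, amount, account)
        else:
            expected = device_response(self.device_key, challenge)
        return hmac.compare_digest(expected, response)


DEVICE_KEY = b"constructed per-device key, not a real one"


def submit_transfer(bind_transaction, intended, submitted):
    """The user keys the challenge (plus, when bound, the intended amount and payee)
    into the device; whatever software sits between user and bank submits `submitted`.
    Returns True if the bank accepts the submitted transfer."""
    bank = Bank(DEVICE_KEY, bind_transaction)
    c = bank.new_challenge()
    if bind_transaction:
        resp = device_response(DEVICE_KEY, c, *intended)
    else:
        resp = device_response(DEVICE_KEY, c)
    return bank.authorize(c, resp, *submitted)
```

With `bind_transaction=False` a compromised PC can submit a different amount and payee under the user's own response; with it set the substituted transfer fails, and a challenge cannot be reused.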

Re: wrong (1)

L4t3r4lu5 (1216702) | about 5 months ago | (#46395027)

I want this kind of system everywhere. Online shopping, bank authentication, retail establishments... I to enter a vendor ID and amount into my own, bank-provided device. I enter my card and pin, the device does $math with the date and time (synch'd with bank servers at home while setting up internet banking), and the device gives me a code to enter into the merchant's terminal.

Re: wrong (0)

Anonymous Coward | about 5 months ago | (#46395503)

I want this kind of system everywhere. Online shopping, bank authentication, retail establishments...

Car, house, fridge, chastity lock... Now imagine a MITM attack!

Re: wrong (1)

Mashiki (184564) | about 5 months ago | (#46395099)

Want to know what's funny? The majority of banks worldwide don't have that method of security, most don't even use or supply some form of key code challenge using a keypass generator. But, you take a look at a whole pile of MMO's out on the market, and in Blizzard's case their entire gaming front-end and you have a remote authenticator.

What does that say about the general security of banking? Not much. Especially when a company like Blizzard effectively gives their authenticators away and you pay for shipping. You'd think, that the banks would dip into all those profits and do the same. But I have a feeling it's going to take a major(in the 500m+ range) before this changes.

Re: wrong (1)

grahamm (8844) | about 5 months ago | (#46394655)

Even that does not help. These mechanisms only authenticate you to the bank, not the bank to you. A spoof bank site could still request the OTP password or output from the dongle and accept whatever response you give.

Re:wrong (1)

Anonymous Coward | about 5 months ago | (#46394547)

If by unbelievably targeted attack you mean any of the lowest common denominator of malware that is so fucking frequent it's even routinely used in corporate security....

- basic memory scanning... that'll work, used by antivirus
- setting a proxy in your browser and adding a single extra CA to the list... that'll work... used by network scanners
- dns hijacking + extra CA... that'll work (yes, your router is easy to jack the DNS of, and your computer probably is poisonable).. used by network scanners
- https stripping... yeap, that'll work on most banks I've ever looked at -- offensive attack, not so corp
- a software key logger... yeap... that'll work...

And of course, by the time we've got almost any of that shit but https stripping or namejacking running, we're probably on your desktop anyway. Which means fuck it all, I can steal your damned session cookie and proxy through your desktop.

What, you think you've got antivirus that's good? Screw you and your fancy AV, we've got the admin password to your router and your belkin is now an L2TP exit point for me to impersonate your home IP (and probably break into your phone and ipad). I own your DNS settings, your network traffic routes, the source of every single javascript file you download, and the *first* http request without HSTS set and I'll have every piece of content on your page that you send, receive, or type. Also I'll have the list of common websites you visit in about a minute from browser a:visited tags.

The ONLY thing your photo protects you from is a rudimentary phishing attack if you're a total idiot.

If by 'unbelievably targeted attack' you mean "industry standard if you aren't a shit tier nigerian scammer", I guess you're right...

Malware's been more sophisticated than what you describe for over 15 years, and probably longer...

As for 'intercept the real page and replace it' -- I recommend you learn about this thing called a "proxy". Given a common utility called ssh, you can have one up and running in about 20 keystrokes.

Re:wrong (1)

ttucker (2884057) | about 5 months ago | (#46394617)

I thought that the OP was being sarcastic at first, but maybe he really is that naive.

Re:wrong (1)

mrclisdue (1321513) | about 5 months ago | (#46395021)

Why isn't parent +5 informative?

Why mostly EU & Asia? (1)

willoughby (1367773) | about 5 months ago | (#46394329)

Could it be the chances of grabbing a really fast internet connection are better there than in the US?

In any case, my thanks to the OpenWrt folks!

Re:Why mostly EU & Asia? (1)

AHuxley (892839) | about 5 months ago | (#46394463)

Multinational firmware? Was it started by a group for some reason in that region and it was found/spread/lost/spotted/coverted?
Gov watching dissidents, protesters and the method was repurposed by others after EU-based contractors' work leaked?
Or just something in the easy default telco setups in that region that made something very easy?
Or a widespread use covers very unique actions once exposed in Asia or the EU.
It could be new or old firmware that was used that made it easy to get around hard user-changed passwords?
Getting to your router vs. the exchange or cabinet legally via a telco does solve a lot of legal issues for the security services too :)

niGga (-1)

Anonymous Coward | about 5 months ago | (#46394343)

It's bEst to try spot when done For

use opendns (2)

invictusvoyd (3546069) | about 5 months ago | (#46394381)

208.67.222.222 and 208.67.220.220
and make http://www.opendns.com/welcome/ [opendns.com] your homepage.
Client settings should override router defaults.
To be even safer use OpenWRT https://en.wikipedia.org/wiki/OpenWrt [wikipedia.org]

Re:use opendns (1)

unixisc (2429386) | about 5 months ago | (#46395079)

Doesn't seem to offer IPv6 gateways

Re:use opendns (0)

Anonymous Coward | about 5 months ago | (#46395133)

Google Open DNS gives you IPv6, and those addresses are far easier to remember, even the IPv6 ones.

8.8.8.8

8.8.4.4

2001:4860:4860::8888

2001:4860:4860::8844

Re:use opendns (0)

Anonymous Coward | about 5 months ago | (#46395517)

Google Open DNS gives you IPv6, and those addresses are far easier to remember, even the IPv6 ones.

Yeah and then complain about privacy!

Re:use opendns (1)

joebagodonuts (561066) | about 5 months ago | (#46395537)

They do have IPv6 gateways [opendns.com], so it isn't completely ignored.

FWIW, they also offer a way to use encryption [opendns.com] with their infrastructure.

Windows, Mac & Linux clients are available

Re:use opendns (1)

unixisc (2429386) | about 5 months ago | (#46400153)

Okay, thanks for showing it - it's so well hidden - if one goes to their IP addresses page [opendns.com] , one will see none of that. As a result, who would know that they have IPv6 gateways?

Re:use opendns (0)

Anonymous Coward | about 5 months ago | (#46395155)

Given that this attack works by changing your DNS settings (and there's nothing to stop the new DNS servers either from mirroring OpenDNS or pointing at a mirror of OpenDNS's site that makes it look like you're logged in), I'm not sure this is a foolproof solution. It's more of a security-by-obscurity thing.

Re:use opendns (1)

K. S. Kyosuke (729550) | about 5 months ago | (#46395505)

If one can upload a settings file from outside, isn't it possible for the same person to reflash the router with "rootkitted" firmware that effectively doesn't allow you to change anything? I.e., it may pretend to remember and honor the IP addresses of the DNS servers you entered, but in reality uses whatever was programmed in that thing. It could also easily prevent reflashing the router by similar means, or patch the binary blob to some extent as it is being uploaded into the device. I wonder if you can actually trust the device after it's compromised.

Re:use opendns (0)

Anonymous Coward | about 5 months ago | (#46395535)

The initial vector appears to be through a machine on the internal side of the router visiting a compromised website which then launches a Cross-Site Request Forgery (CSRF) attack against the router (https://www.team-cymru.com/ReadingRoom/Whitepapers/2013/TeamCymruSOHOPharming.pdf). Assuming that some/most/many of these compromised websites are known and filtered by OpenDNS or Google, use of those DNS services would be safer.
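The CSRF vector described in the comment above works because the victim's browser attaches the router's session cookie to a request that a third-party page forged. The following is an added example of the defence a router's settings handler needs, not code from any router firmware or from the Team Cymru report: beyond the cookie, the request's Origin (or Referer) must be the router's own admin address, and the form must carry an anti-CSRF token issued to the logged-in session. The admin addresses, `attacker.invalid`, and every header and form value are constructed for the example.

```python
"""Origin and token checks for a router's DNS-settings handler (added example)."""
import hmac
import secrets
from urllib.parse import urlsplit

# Addresses at which the (hypothetical) admin UI is served.
ROUTER_HOSTS = {"192.168.1.1", "router.lan"}


def issue_csrf_token():
    """Fresh per-session token, kept server-side and embedded in every form."""
    return secrets.token_urlsafe(32)


def origin_host(headers):
    """Host part of the Origin header, falling back to Referer.

    Returns None when neither header is present; the caller rejects that
    case, so a request stripped of both headers fails closed.
    """
    value = headers.get("Origin") or headers.get("Referer")
    return urlsplit(value).hostname if value else None


def dns_change_allowed(method, headers, form, session_token):
    """Decide whether a DNS-settings change may be applied.

    Returns (allowed, reason). `session_token` is the token the router issued
    for the session named by the cookie; a forged cross-site request carries
    the cookie (the browser adds it) but cannot know the token.
    """
    if method != "POST":
        return False, "state change must be POST, not GET"
    host = origin_host(headers)
    if host is None:
        return False, "missing Origin and Referer"
    if host not in ROUTER_HOSTS:
        return False, f"cross-site origin {host}"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed by timing.
    if not hmac.compare_digest(submitted, session_token):
        return False, "csrf token mismatch"
    return True, "ok"


# --- constructed requests ---------------------------------------------------
SESSION_TOKEN = issue_csrf_token()

# A change the owner submits from the router's own settings page.
LEGIT = dict(
    method="POST",
    headers={"Origin": "http://192.168.1.1", "Cookie": "session=abc"},
    form={"dns1": "208.67.222.222", "dns2": "208.67.220.220",
          "csrf_token": SESSION_TOKEN},
)

# The same change forged by a page the victim visited: the browser still
# sends the cookie, but the Origin is foreign and there is no token.
FORGED = dict(
    method="POST",
    headers={"Origin": "http://attacker.invalid", "Cookie": "session=abc"},
    form={"dns1": "203.0.113.53", "dns2": "203.0.113.54"},
)

# A forged change smuggled in as an image URL (GET with query parameters).
FORGED_GET = dict(
    method="GET",
    headers={"Referer": "http://attacker.invalid/page", "Cookie": "session=abc"},
    form={"dns1": "203.0.113.53"},
)


def demo():
    """Evaluate the three constructed requests against the session token."""
    return {name: dns_change_allowed(r["method"], r["headers"], r["form"], SESSION_TOKEN)
            for name, r in (("legit", LEGIT), ("forged", FORGED), ("forged_get", FORGED_GET))}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:10s} -> {'applied' if ok else 'rejected'} ({why})")
```

The Origin check alone is not enough (older browsers omit it on some requests, and a missing header must then be treated as a rejection rather than a pass), and the token alone is not enough if the firmware also accepts the change over GET; the handler refuses both.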

Re:use opendns (0)

Anonymous Coward | about 5 months ago | (#46395561)

Given that this attack works by changing your DNS settings (and there's nothing to stop the new DNS servers either from mirroring OpenDNS or pointing at a mirror of OpenDNS's site that makes it look like you're logged in), I'm not sure this is a foolproof solution. It's more of a security-by-obscurity thing.

It changes the DNS of your router, not of your computer. Set OpenDNS or Google DNS or whatever in your computer config, and the router setting is ignored.

So call the police & shut them down (0)

Anonymous Coward | about 5 months ago | (#46394621)

Unless it's OK for a legit company to use a multiple mailbox/remailer as a company HQ and be linked with organised crime (Google the IP addresses).

Using a custom hosts file protects here (-1)

Anonymous Coward | about 5 months ago | (#46394909)

Bypassing DNS entirely for your favorite site you "hardcode" into hosts (keeping them @ the TOP of the custom hosts file also makes up for indexing speeds IF you use a relatively LARGE hosts file in Windows - since Windows' local dns clientside caching service is buggy with hosts files that are relatively larger in size, forcing you to turn that service off (or play with its ttl settings, which then makes it pointless to use anyhow)).

Then, inspecting your "LOCAL CONNECTION" IPv4/v6 'advanced' section entries for DNS also is a good idea along with inspecting the DNS settings in your routers as well - others noted OpenDNS, which IS a good choice on that account for both of those also (as are ScrubIT DNS, Norton DNS, Comodo DNS, Google DNS, etc.-et al).

APK

P.S.=> How to build a custom hosts file that puts your favorite sites you spend a good 90++% of your time at, as well as securing you vs. KNOWN bad hosts-domains that serve up malware or malicious script (or hijacking adbanners), + botnet C&C servers & rogue DNS servers malware makers use, as well as phishers/spammers/trackers from 12++ reputable & reliable sources in the security community?

This, courtesy of "yours truly" -> APK Hosts File Engine 9.0++ http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

(Enjoy: It's a portable app for Windows users in BOTH 32 &/or 64-bit builds)...

... apk

Re:Using a custom hosts file protects here (-1)

Anonymous Coward | about 5 months ago | (#46395145)

Which "registered 'luser'" are YOU (-1)

Anonymous Coward | about 5 months ago | (#46395403)

That I've SMOKED so badly before (on valid technical grounds, not ac trolling bullshit) posting by ac now?

* :)

(You trolling by ac posts ALONE shows WHO the 'coward' really is (& it's NOT me - especially since you do a "Run, Forrest:RUN!!!" every single time I challenge you to disprove my points on hosts files as I am yet again in my 'p.s.' below))...

APK

P.S.=> Additionally/Lastly - As usual: You're MORE THAN WELCOME to disprove 17++ points in favor of custom hosts files use giving users of them added speed, security, reliability, & even added anonymity (to an extent) online, enumerated here (which YOU have repeatedly been "called out on & RAN, Forrest" (lol) since you CAN'T DISPROVE THOSE POINTS) -> http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

... apk

Re:Which "registered 'luser'" are YOU (-1)

Anonymous Coward | about 5 months ago | (#46396451)

Re:Which "registered 'luser'" are YOU (-1)

Anonymous Coward | about 5 months ago | (#46396591)

why dont u disproof apks mini fine points and logics u cowward trowel. apk buttsechezes ur mum. did apk defeateds u wit logics and sciences bcuz ur a ghey homo. use the host file.

~not apk

"Rinse, Lather, & Repeat" chump (-1)

Anonymous Coward | about 5 months ago | (#46396783)

http://it.slashdot.org/comments.pl?sid=4854243&cid=46395403

* :)

APK

P.S.=> You FAIL, as always... apk

"Re-Rinse, Lather, & Repeat" troll (-1)

Anonymous Coward | about 5 months ago | (#46409675)

http://it.slashdot.org/comments.pl?sid=4854243&cid=46395403

* :)

APK

P.S.=> You FAIL, as always... apk

Re:"Re-Rinse, Lather, & Repeat" troll (0)

Anonymous Coward | about 5 months ago | (#46411787)

http://tech.slashdot.org/comments.pl?sid=4829029&cid=46367461

"Rinse, Lather, & Repeat" chump (-1)

Anonymous Coward | about 5 months ago | (#46397079)

LOL, & "Run, Forrest: RUN!!!" -> http://it.slashdot.org/comments.pl?sid=4854243&cid=46395403

* :)

APK

P.S.=> It's great to see that these "ac chump trolls" have NOTHING TO SAY that can disprove my points on hosts files giving end users of them added speed, security, reliability, & even more anonymity (to an extent only on this latter count) online, as these pitiful puny trolls do their usual "Run, Forrest: RUN!!!!" from attempting to disprove & invalidate 17 points I note in favor of hosts on the grounds I just noted above, here -> http://it.slashdot.org/comments.pl?sid=4854243&cid=46395403 since it's clearly impossible to do & for these pitiful trolls to manage it (good luck - they'd need MORE than that though - more like a miracle!).

NOW, of course, you just KNOW I've just GOTTA say it (as-is-per my own "inimitable style"), don't you? Well, here goes:

THIS? This was just "too, Too, TOO EASY - just '2ez'", & it always is, vs. off-topic illogical trolls...

... apk

Re:"Rinse, Lather, & Repeat" chump (0)

Anonymous Coward | about 5 months ago | (#46408243)

Re:"Rinse, Lather, & Repeat" chump (0)

Anonymous Coward | about 5 months ago | (#46409151)

http://it.slashdot.org/comments.pl?sid=4854243&cid=46397079

Re:"Rinse, Lather, & Repeat" chump (0)

Anonymous Coward | about 5 months ago | (#46411529)

"Re-Rinse, Lather, & Repeat" troll (-1)

Anonymous Coward | about 5 months ago | (#46409325)

LOL, & "Run, Forrest: RUN!!!" -> http://it.slashdot.org/comments.pl?sid=4854243&cid=46395403

* :)

APK

P.S.=> It's great to see that these "ac chump trolls" have NOTHING TO SAY that can disprove my points on hosts files giving end users of them added speed, security, reliability, & even more anonymity (to an extent only on this latter count) online, as these pitiful puny trolls do their usual "Run, Forrest: RUN!!!!" from attempting to disprove & invalidate 17 points I note in favor of hosts on the grounds I just noted above, here -> http://it.slashdot.org/comments.pl?sid=4854243&cid=46395403 since it's clearly impossible to do & for these pitiful trolls to manage it (good luck - they'd need MORE than that though - more like a miracle!).

NOW, of course, you just KNOW I've just GOTTA say it (as-is-per my own "inimitable style"), don't you? Well, here goes:

THIS? This was just "too, Too, TOO EASY - just '2ez'", & it always is, vs. off-topic illogical trolls...

... apk

Re:"Re-Rinse, Lather, & Repeat" troll (0)

Anonymous Coward | about 5 months ago | (#46412725)

Is this the Linksys exploit? (0)

Anonymous Coward | about 5 months ago | (#46395057)

I read other places that some Linksys routers had a firmware flaw allowing control. So I wonder if this is related? The solution I believe that helps is to manually set your DNS server addresses rather than having the DNS setting on your router set to automatically set DNS.
I generally do this anyway because I don't use Comcast DNS but OpenDNS instead.

Was this attack IPv4 only or... (1)

unixisc (2429386) | about 5 months ago | (#46395069)

Was this attack done only on the IPv4 addresses of routers, or on the IPv6 addresses of dual stack routers as well? Just wondering whether that could have been averted that way.

Wondering whether this attack would have overlooked routers that were on IPv6-only networks

Use alternative DNS? (1)

ralphtheraccoon (582007) | about 5 months ago | (#46395251)

Am I right in thinking that this would be mitigated by use of openDNS, or google's 8.8.8.8 or similar?

Re:Use alternative DNS? (0)

Anonymous Coward | about 5 months ago | (#46395563)

Yes, it could be mitigated by using a DNS service that performs malicious site filtering. See http://it.slashdot.org/comments.pl?sid=4854243&cid=46395535.

It's obvious who is behind this... (0)

Anonymous Coward | about 5 months ago | (#46395423)

Thanks GCHQ. :|

Commercial SOHO routers scare me . . . (1)

Kimomaru (2579489) | about 5 months ago | (#46395523)

I'm in the process of phasing mine out and building one with Debian (working on it today). Pretty scary.

Re:Commercial SOHO routers scare me . . . (0)

Anonymous Coward | about 5 months ago | (#46396271)

Amen, brother, though OpenBSD may be a better choice unless you also want to run some Linux-specific services on it.

Considering the scope of corruption (1)

koan (80826) | about 5 months ago | (#46395615)

I would say it's most likely a state agency involved in this.

What to do? (1)

wcrowe (94389) | about 5 months ago | (#46397471)

Is there any way to tell if your router has been compromised?

Re:What to do? (1)

almitydave (2452422) | about 5 months ago | (#46399815)

Check your router's and your PC's DNS settings.
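The question and answer above, together with the earlier exchange about whether setting OpenDNS on the PC helps when the router's DNS was changed, come down to one check: which resolvers the PC and the router are actually using. The script below is an added example, not code from the Team Cymru report or from any commenter. It parses a resolv.conf and a router status page, both constructed here, and flags any resolver that is neither on an allowlist nor a LAN address; a PC that points at the router for DNS (the usual DHCP setup) inherits whatever the router forwards to, so the router's own upstream servers are the ones that matter. The status-page layout (`DNS Server 1:` in a table cell) is an assumption, real firmware differs, and 198.51.100.23 is a documentation address standing in for a rogue resolver.

```python
"""Audit which resolvers a PC and its router are actually using (added example)."""
import ipaddress
import re

# Resolvers the operator expects: the OpenDNS and Google Public DNS
# addresses quoted in the thread. Extend with your ISP's resolvers.
EXPECTED_RESOLVERS = {
    "208.67.222.222", "208.67.220.220",
    "8.8.8.8", "8.8.4.4",
    "2001:4860:4860::8888", "2001:4860:4860::8844",
}

# A resolver inside these ranges is the router (or another LAN box) acting
# as forwarder. That is not itself suspicious, but it means the router's
# own upstream setting must be audited as well.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128",
)]


def parse_resolv_conf(text):
    """Nameserver addresses from resolv.conf text, comments stripped."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


# Assumed status-page markup: a label cell 'DNS Server N:' followed by a
# value cell holding the address.
_DNS_CELL = re.compile(
    r"DNS Server \d\s*:?\s*</t[dh]>\s*<td>\s*([0-9A-Fa-f.:]+)", re.IGNORECASE)


def parse_router_status(html):
    """DNS server addresses from the (assumed) router status page."""
    return _DNS_CELL.findall(html)


def classify(addr):
    """'expected', 'lan', 'unexpected' or 'invalid' for one resolver string."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if str(ip) in EXPECTED_RESOLVERS:   # str() canonicalises IPv6 spelling
        return "expected"
    if any(ip in net for net in LAN_NETS):
        return "lan"
    return "unexpected"


def audit(pc_resolvers, router_resolvers):
    """Map every resolver seen on the PC and router to its classification."""
    findings = {"pc": {r: classify(r) for r in pc_resolvers},
                "router": {r: classify(r) for r in router_resolvers}}
    findings["suspicious"] = sorted(
        r for side in ("pc", "router")
        for r, verdict in findings[side].items()
        if verdict in ("unexpected", "invalid"))
    return findings


# --- constructed inputs -----------------------------------------------------
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP client
nameserver 192.168.1.1
search home.lan
"""

SAMPLE_ROUTER_PAGE = """\
<table>
<tr><td>WAN IP:</td><td>203.0.113.10</td></tr>
<tr><td>DNS Server 1:</td><td>8.8.8.8</td></tr>
<tr><td>DNS Server 2:</td><td>198.51.100.23</td></tr>
</table>
"""


def run_sample_audit():
    """Audit the constructed PC and router settings."""
    return audit(parse_resolv_conf(SAMPLE_RESOLV_CONF),
                 parse_router_status(SAMPLE_ROUTER_PAGE))


if __name__ == "__main__":
    result = run_sample_audit()
    for side in ("pc", "router"):
        for addr, verdict in result[side].items():
            print(f"{side:6s} {addr:22s} {verdict}")
    print("suspicious:", result["suspicious"] or "none")
```

On the constructed input the PC's only resolver is the router itself, which is why the router page has to be read too; there the second upstream server is the one that does not belong. A resolver that is merely unfamiliar is worth checking against the ISP's published addresses before treating it as a compromise.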

Hosts protect users of them here (-1)

Anonymous Coward | about 5 months ago | (#46398081)

Bypassing DNS entirely for your favorite site you "hardcode" into hosts (keeping them @ the TOP of the custom hosts file also makes up for indexing speeds IF you use a relatively LARGE hosts file in Windows - since Windows' local dns clientside caching service is buggy with hosts files that are relatively larger in size, forcing you to turn that service off (or play with its ttl settings, which then makes it pointless to use anyhow)).

Then, inspecting your "LOCAL CONNECTION" IPv4/v6 'advanced' section entries for DNS also is a good idea along with inspecting the DNS settings in your routers as well - others noted OpenDNS, which IS a good choice on that account for both of those also (as are ScrubIT DNS, Norton DNS, Comodo DNS, Google DNS, etc.-et al).

APK

P.S.=> How to build a custom hosts file that puts your favorite sites you spend a good 90++% of your time at @ the TOP of your custom hosts file (for speed vs. indexing loss + now using caching by the local kernelmode diskcaching subsystem vs. Windows' FAULTY dns clientside usermode slower cache service), THAT also secures you vs. KNOWN bad hosts-domains that serve up malware or malicious script (or hijacking adbanners), + botnet C&C servers & rogue DNS servers malware makers use, as well as phishers/spammers/trackers from 12++ reputable & reliable sources in the security community?

This program will do it easily, courtesy of "yours truly" -> APK Hosts File Engine 9.0++ http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

(Enjoy: It's a portable app for Windows users in BOTH 32 &/or 64-bit builds)...

... apk

Hosts protect users vs. this (-1)

Anonymous Coward | about 5 months ago | (#46409411)

By bypassing DNS entirely for your favorite sites you "hardcode" into hosts (keeping them @ the TOP of the custom hosts file also makes up for indexing speeds IF you use a relatively LARGE hosts file in Windows - since Windows' local dns clientside caching service is buggy with hosts files that are relatively larger in size, forcing you to turn that service off (or play with its ttl settings, which then makes it pointless to use anyhow)).

Then, inspecting your "LOCAL CONNECTION" IPv4/v6 'advanced' section entries for DNS also is a good idea along with inspecting the DNS settings in your routers as well - others noted OpenDNS, which IS a good choice on that account for both of those also (as are ScrubIT DNS, Norton DNS, Comodo DNS, Google DNS, etc.-et al).

APK

P.S.=> So - How to build a custom hosts file that puts your favorite sites you spend a good 90++% of your time at @ the TOP of your custom hosts file (for speed vs. indexing loss + now using caching by the local kernelmode diskcaching subsystem vs. Windows' FAULTY dns clientside usermode slower cache service), THAT also secures you vs. KNOWN bad hosts-domains that serve up malware or malicious script (or hijacking adbanners), + botnet C&C servers & rogue DNS servers malware makers use, as well as phishers/spammers/trackers from 12++ reputable & reliable sources in the security community?

This program will do it easily, courtesy of "yours truly" -> APK Hosts File Engine 9.0++ http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

(Enjoy: It's a portable app for Windows users in BOTH 32 &/or 64-bit builds)...

... apk
