Friday, February 16, 2007

Hackers targeting your home LAN router / firewall

This applies to any platform that runs Java, be it a Mac, a Windows PC or a Linux PC. It also applies to any browser that supports JavaScript, including all versions of IE, Firefox and Safari.

If you own or buy a Linksys, D-Link or Netgear wired or wireless router/firewall box to share your broadband throughout your household, make sure you change the administrator password on that unit from the factory default. It doesn't matter if your router does not accept administrative connections from the outside: this attack comes from the inside of your network. (Most routers now ship with external admin access turned off, although you can turn it on if you need to reach your router remotely . . . but again, make sure you set a STRONG admin password if you turn that option on for any reason.)

A new exploit uses JavaScript and can reach the router's settings from inside your network once you allow that script to run on your computer. The malicious code can be embedded in JavaScript that you might want to trust, such as a game applet. Simply surfing to a compromised site and allowing Java to run in your browser is enough to get hacked. It may not trigger your browser's security settings, because it never attempts to access or change local files on your computer.

In the background, out of your sight, the script looks up your network's internal gateway address. It then attempts to log on to your router's admin panel at that IP. It guesses the password from one of about five typical login combinations that almost all home router manufacturers use as their factory setting, taking advantage of the fact that many owners never change that password.

Once it has control, it changes the DNS settings on your router to point at a hacker's "poisoned" DNS server. The idea is that when you browse to your bank (for example) using the correct URL or bookmark, the router consults the compromised DNS server and sends you off to a phishing site that can look exactly like your bank's login page. From there they capture your user ID, your password and, of course, your bank account.
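A defender-side check for the DNS change described above, as an added example that is not part of the original post: it pulls the "Default Gateway" and "DNS Servers" lines out of Windows `ipconfig /all` output (a constructed sample is embedded) and flags any resolver that is neither the gateway nor on an allowlist you supply. The address 203.0.113.7 is a constructed placeholder standing in for an attacker's resolver, and the allowlist is assumed to hold your ISP's real resolvers.

```python
import re
import ipaddress

# Constructed sample of `ipconfig /all` output; not captured from a real machine.
# A home router normally hands out only itself (192.168.1.1) as the resolver,
# so the second entry is the kind of change this post warns about.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.7
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_ipconfig(text):
    """Return (gateway, [dns servers]) from `ipconfig /all` text.

    DNS servers may continue on following indented lines that carry
    no label, so keep collecting until a labelled or blank line appears.
    """
    gateway, dns_servers, in_dns = None, [], False
    for line in text.splitlines():
        if "Default Gateway" in line:
            match = IPV4_RE.search(line)
            gateway = match.group(1) if match else None
            in_dns = False
        elif "DNS Servers" in line:
            dns_servers.extend(IPV4_RE.findall(line))
            in_dns = True
        elif in_dns and line.strip() and ":" not in line:
            dns_servers.extend(IPV4_RE.findall(line))  # continuation line
        else:
            in_dns = False
    return gateway, dns_servers


def check_resolvers(gateway, dns_servers, allowlist=()):
    """Return resolvers that are neither the gateway nor explicitly allowed."""
    allowed = {str(ipaddress.ip_address(a)) for a in allowlist}
    if gateway:
        allowed.add(str(ipaddress.ip_address(gateway)))
    return [s for s in dns_servers if str(ipaddress.ip_address(s)) not in allowed]


if __name__ == "__main__":
    gw, servers = parse_ipconfig(SAMPLE_IPCONFIG)
    print("gateway:", gw, "resolvers:", servers)
    print("unexpected resolvers:", check_resolvers(gw, servers))
```

On a live Windows machine, feed the output of `ipconfig /all` to `parse_ipconfig` instead of the sample; any resolver it flags deserves a look at the router's DNS page.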

Simply logging into your router's panel and changing the admin password to your own unique password will stop this attack.

1) Open your network settings and look at the Status of your LAN connection. In Windows, click on the Support tab. (Not sure how to get this on a Mac; anyone who knows, feel free to chime in.) You should see a gateway IP address listed.

2) Enter that IP address into the URL field of any web browser. That is the address of your router's administration panel.

3) You will see a login prompt. Try these combinations (or refer to your router's owner's manual):

User: (blank)
Password: password

User: (blank)
Password: admin

User: (blank)
Password: (blank)

User: admin
Password: password

User: admin
Password: admin

Once you log in successfully, you will see your router's control panel.

4) Refer to your owner's manual, or browse the control panel (usually under Setup, Password or Administrative Settings), for the administrator password reset. Enter the old (factory default) password in the first field and your new password twice in the second and third fields, then save or apply your settings.

5) Close your browser, re-open it to the same gateway IP address, and test the login with your new password. Do NOT check any box that offers to remember your password.

Voilà: you will no longer be vulnerable to this particular attack.