Aces High Bulletin Board
General Forums => Hardware and Software => Topic started by: Skuzzy on July 21, 2010, 08:15:42 AM
-
This could affect anyone who has a router on their home network. Might want to check this out, folks.
http://blogs.forbes.com/firewall/2010/07/13/millions-of-home-routers-vulnerable-to-web-hack/
-
No worries here. Very interesting that the guy is talking about releasing the exploit into the wild though.
-
After reading the chart I don't have the highest chance, but any chance is too much of one. I can't be exploited, apparently. This should be criminal releasing it to the public. Kinda like those new lasers that can blind and burn.
Wow, just wow.
-
Please note that for the purpose of describing this exploit, your router is considered vulnerable if the external site can use DNS rebinding to open a connection to your router. Note that once the connection to your router is open, the bad guys on the other end must still "break" the router or the router password to actually exploit it.
And if your router has open vulnerabilities, is unpatched, and/or is still set to the default password, this particular exploit is utterly moot - you are ALREADY at tremendous risk from a remote control trojan, of which there are PLENTY in the wild.
Don't let the fact that your router isn't listed on his list for this exploit give you a false sense of security that it's not exploitable - or necessarily freak out if it is. But do keep its firmware up to date and change the password from the default to a strong password at the earliest possible stage in the initial setup of the router, and change it periodically after that, regardless.
<S>
-
It is alarming how many people do not change the default passwords on routers. It is even more alarming how many people do not change the encryption key on WiFi routers.
-
It is alarming how many people do not change the default passwords on routers. It is even more alarming how many people do not change the encryption key on WiFi routers.
Skuzzy, ever read The Cuckoo's Egg (http://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/1416507787/ref=sr_1_1?s=books&ie=UTF8&qid=1279731839&sr=1-1)? The bad guy in that story logged on to servers - at universities and companies - with factory default username/password pairs, like "guest/user" and "field/service". :O
-
Add to that the Windows shell vulnerability and we are set for the fun summer...
-
I have six homes within range of my wireless that are still set to default.
-
I have six homes within range of my wireless that are still set to default.
I have two.
-
Steve Gibson from GRC has some good info and utilities.
ShieldsUP - checks status of your ports
https://www.grc.com/x/ne.dll?bh0bkyd2
GRC's Perfect Passwords - completely random (maximum entropy) without any pattern, and the cryptographically-strong pseudo random number generator we use guarantees that no similar strings will ever be produced again
https://www.grc.com/passwords.htm
Router NAT Explained
http://www.grc.com/nat/nat.htm
-
Steve Gibson makes MacGyver look like a tenderfoot. :aok
-
I willingly provide free wi-fi to the entire neighborhood.. :angel: