Saturday, February 17, 2007
Undertakers and your default router password
An undertaker was the man who invented the first automatic telephone switch, and that's related to why you should change one of your default passwords.
In 1891, you made a phone call by calling a human operator at the central office who would put a wire in a patch panel to make a circuit with the person you were calling. Theoretically, a crooked operator might take a request for "Strowger's Mortuary" and connect it to a different undertaker's circuit.
Nobody knows if that was really happening, but Almon Brown Strowger ("eccentric, irascible and even mad") believed that the phone operators were diverting incoming calls from his undertaking business. So he invented a fully automatic telephone exchange.
On the Internet today, the equivalent of the correct plug to connect to somebody's phone is a numeric address, one of the things you've seen written as four numbers with dots in between. There are computers which do the job of the old phone operators, taking a request for "strowger.com" and turning it into 67.19.21.202.
What if those computers were as dishonest as the long-ago phone operators were feared to be? You could be sent to the wrong site no matter what precautions you took about using bookmarks or checking the human-readable addresses.
So it's important to talk to the right computers when you want to use a human-readable name on the Internet. For most home broadband users, the choice of what computers do that work is made by that little box plugged into your DSL or cable line. It might be from your ISP, it might have a name like D-Link, NetGear, or Linksys, it might double as your firewall, but in any event you probably ignore it most of the time.
Which leads us to the problem that security firm Symantec is publicizing now. That little DNetLinkGearSys box can be reprogrammed from your computer with a simple web interface. The reprogramming could put you in touch with computers that lie about Internet addresses. And the cap on all of it is that a hostile web page could trick your browser into going to the little box's web page and making the changes, with nothing standing in the way except the little box's password.
A password which you've never changed, in all probability. If you haven't changed it, then it's still a factory default value that is available to everyone in the world.
What happens next, if crooks are behind it, is that the next time you think you're going to yourbank.com, you get redirected to a copy of your bank's web site on the crooks' computer and the crooks record your password. If that sounds far-fetched, it isn't -- crooks are playing the same game already but with different tactics.
I've got a few unanswered questions on the technical aspects of this, but the countermeasures are all good ideas anyway:
o Change the default password on your router/firewall/wireless access point. Actually, change all the default passwords.
o Install and run the NoScript extension in Firefox.
o Avoid sleazy web sites that might be the source of attacks.
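The router-side weakness described above, modelled as an added example (not from this post or any vendor's firmware): a toy settings endpoint that accepts any request carrying the password, beside a hardened version that refuses to act while the factory default is in place, checks the request's Origin, and requires a form token that a page on another site cannot read. The router address, default password, token and DNS addresses are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholders: not any real product's default or address.
FACTORY_DEFAULT_PASSWORD = "admin"
ROUTER_ORIGIN = "http://192.168.0.1"

@dataclass
class Request:
    method: str
    headers: dict
    form: dict

@dataclass
class RouterState:
    admin_password: str = FACTORY_DEFAULT_PASSWORD
    dns_servers: list = field(default_factory=lambda: ["203.0.113.53"])
    csrf_token: str = "session-token-constructed"  # per-session and unguessable in practice

def vulnerable_set_dns(state: RouterState, req: Request) -> int:
    """The behaviour the post describes: the password is the only check, so a
    page on any site can submit the form if the password is still the default."""
    if req.form.get("password") != state.admin_password:
        return 401
    state.dns_servers = req.form["dns"].split(",")
    return 200

def hardened_set_dns(state: RouterState, req: Request) -> int:
    """Same endpoint with the checks a cross-site request cannot satisfy."""
    if req.method != "POST":
        return 405
    if req.form.get("password") != state.admin_password:
        return 401
    # Refuse configuration changes until the factory password has been replaced.
    if state.admin_password == FACTORY_DEFAULT_PASSWORD:
        return 403
    # A request launched from another site carries that site's Origin, not the router's.
    if req.headers.get("Origin") != ROUTER_ORIGIN:
        return 403
    # The token is embedded in the router's own page; a foreign page cannot read it.
    if req.form.get("csrf") != state.csrf_token:
        return 403
    state.dns_servers = req.form["dns"].split(",")
    return 200

def cross_site_request() -> Request:
    """A form submission as a page on another site would produce it: default
    password, foreign Origin, no token (constructed for the demonstration)."""
    return Request("POST", {"Origin": "http://hostile.example"},
                   {"password": FACTORY_DEFAULT_PASSWORD, "dns": "198.51.100.66"})
```

The vulnerable handler silently replaces the DNS servers on the cross-site request; the hardened one leaves them untouched, and once the password has been changed it also accepts a genuine submission from the router's own page.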