funsec mailing list archives

Re: Don't click that link - it may re-program your router?


From: Jordan Wiens <numatrix () ufl edu>
Date: Mon, 19 Feb 2007 19:45:09 -0500

It doesn't have anything to do with it in the sense that a 1x1 image in a page is able to reprogram your router as easily as clicking a link.

However, maybe they mean to avoid suspicious links as in, "be careful about what websites you visit"? Which isn't bad advice, but wouldn't really solve the problem when you consider defacements, permanent XSS, AD hijacking, etc.

Disabling JavaScript helps prevent evildoers from re-programming your router in the first place. Embedding URLs to change the password in image requests isn't nearly as functional compared to methods using scripting. Of course, you need to block Flash and Java too since they can be as useful to a bad guy or even more so compared to JavaScript.

My guess? Well, as a bad guy, why bother? Do it enough and security folks will find your central DNS servers and shut them down, causing all those routers to go dead until the folks at home hit the reset button and are back in business and un-pharmed. Don't do it enough and what's the point? You might as well just get the users to infect themselves since that's apparently easy enough. Until there's any real incentive to stop using the existing techniques that are working so well and browser exploits to infect the hosts, drive-by-pharming isn't all that great of an option.

Still, it's easy enough to implement that it might become part of the package of standard web-based 'sploit-the-client kits floating around.

--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061
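One way a router's admin interface could refuse the cross-site requests described above (both the image-request variant and the scripted one), as an added example that is not from this thread or from any vendor's firmware. The LAN address, the request shape, the parameter names and the factory password are assumptions for illustration.

```python
# Added example (not from the thread): a router admin handler that refuses the
# cross-site requests drive-by pharming relies on. Names/values are assumptions.
import secrets
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"   # assumed LAN address of the admin UI
FACTORY_PASSWORD = "password"           # default credential cited in the article

def new_csrf_token() -> str:
    """Per-session token; a page on another origin cannot read it."""
    return secrets.token_urlsafe(16)

def authorize_dns_change(request: dict, session_token: str,
                         current_password: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a request that would rewrite the router's
    DNS servers. request = {"method", "headers": {...}, "params": {...}}."""
    # 1. An <img src="..."> can only produce a GET, so refusing state changes
    #    over GET defeats the 1x1-image variant from the thread outright.
    if request["method"] != "POST":
        return False, "state change via GET"
    headers = {k.lower(): v for k, v in request["headers"].items()}
    # 2. A scripted POST from a foreign page carries that page's Origin (or
    #    Referer); require it to match the router's own origin.
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "missing Origin/Referer"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != ROUTER_ORIGIN:
        return False, "cross-site origin"
    # 3. The form token must match the session's; compare in constant time.
    supplied = request["params"].get("csrf_token", "")
    if not secrets.compare_digest(supplied, session_token):
        return False, "bad CSRF token"
    # 4. Refuse reconfiguration while the factory password is still in use.
    if current_password == FACTORY_PASSWORD:
        return False, "default password still set"
    return True, "ok"

if __name__ == "__main__":
    token = new_csrf_token()
    # Constructed requests: the 1x1-image trick and a legitimate same-origin form.
    img = {"method": "GET", "headers": {"Referer": "http://evil.example/"},
           "params": {"dns1": "203.0.113.5"}}
    form = {"method": "POST", "headers": {"Origin": ROUTER_ORIGIN},
            "params": {"dns1": "203.0.113.5", "csrf_token": token}}
    print(authorize_dns_change(img, token, "changed-pw"))   # (False, 'state change via GET')
    print(authorize_dns_change(form, token, "changed-pw"))  # (True, 'ok')
```

Checks 1 and 2 alone stop the variants discussed in the thread; the token in check 3 is what still holds if a browser strips or spoofs those headers.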


Gary Funck wrote:
What does clicking on a "suspicious link" have to
do with being pharmed (or is that getting pharmed)?  And if
someone has re-programmed my router, how will disabling
Javascript save me?

And I must ask ... is this a real present threat,
or a security software vendor FUD campaign?

http://news.yahoo.com/s/nf/20070219/tc_nf/50150

Millions Vulnerable to New Hack Attack Elizabeth Millard, newsfactor.com
Mon Feb 19, 1:25 PM ET

Security firm Symantec and the Indiana University School of Informatics have
discovered a new type of security threat that could leave up to 50 percent
of home broadband users susceptible to attack.
Called "drive-by pharming," the threat is focused on home routers, which can
be reconfigured and directed to a malicious Web site if default settings and
passwords are being used. [...]
Symantec recommends that users should change their default passwords and
employ a multilayered security strategy consisting of an Internet security
program that combines antivirus, firewall, intrusion detection, and
vulnerability protection. Also important, the research team noted, is
avoiding clicking on links that seem suspicious.
But the main issue, according to Sophos senior technology consultant Graham
Cluley, is that many users either do not change settings or use the password
supplied by the manufacturer. Many devices are given obvious passwords for
shipping and setup, such as "administrator" or "password," which Cluley
noted are very easy for hackers to guess. [...]
"More prominent warnings that passwords have not been changed from their
default might help encourage users to take this relatively simple step," he
said. An additional line of defense is to disable JavaScript on untrusted
Web sites, he added.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
