Peter Schooff
Peter Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.


February 16, 2007
Danger Danger Default Password

It’s been a few days since my last blog, so I have a couple of things to discuss.

First thing, I think it’s extraordinarily telling of our times that, with spam and e-scams the way they are, if you got a valentine message in your inbox, you could pretty much guarantee that it was the work of a cybercriminal. And I don’t mean that cybercriminals necessarily feel more deeply and are given to pronouncements of love (yes, that’s a joke), I am just annoyed that they’ve jumped on every honest and decent thing we have and exploited it to the hilt. I guess the only comfort I can take is that scammers and spammers get inundated with spam too.

I can just imagine some mastermind spammer opening his morning inbox to check on his scams and having to sift through hundreds of crap emails and then thinking, Damn you, spam! Can't you just let me get on with my spamming?

Also, a recent report at Security Fix concerns how someone who buys a brand name router and does not bother to change the default password could very quickly lose some control of that computer. One of the simplest ways to take over a wireless router remotely is by using JavaScript, a powerful Web programming language that can allow other web sites to manipulate a computer’s settings.

One example shows how a criminal website could use JavaScript to change the default settings on the router so that every time the user tries to visit a financial site they are secretly redirected to a counterfeit site that records all of the user’s critical data (this is very similar to a phishing attack and is known as ‘pharming’).

Another type of router exploit could also allow a hacker to build secret gaps into the router’s built-in firewall that allow certain types of traffic free access.

Zulfikar Ramzan, senior principal researcher at Symantec, successfully tested such scenarios using mock Web pages and some of the more popular routers on the market today, including those sold by Linksys, D-Link and Netgear. "Using the same techniques, an attacker could create a very simple Web page that when viewed by a Web browser could change the default settings on a router," he said.

The reason this can be so dangerous is that the router basically exists apart from the computer, so even if someone keeps their computer secured and updated, this could present a totally unexpected vulnerability.

Apparently, the main reason for this is the incredible power and flexibility of JavaScript, which also makes it an increasingly good target for cyber attacks. Michael Sutton, security researcher for Atlanta-based SPI Dynamics, said, “People are always coming out with new tricks with JavaScript, but the reality is that it's a very powerful language and if you can convince someone to run your code by visiting your site, you effectively control their actions.”

The only good news about this exploit is it is very easy to stop dead in its tracks: whether you use a wired or wireless router to split traffic on your home network, make sure you change the default password. You may also want to consider browsing the web with Mozilla’s Firefox, which is head and shoulders above Microsoft’s Internet Explorer, which to me has always been a hacker’s best friend.
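As an added example (not from this post or the Security Fix report), here is a small Python check that compares a router's current settings against a known-good baseline and flags the three conditions discussed above: a factory-default admin login, swapped DNS servers (the pharming case), and firewall forwards nobody approved. The settings layout, the credential list and every address in it are constructed assumptions.

```python
import ipaddress

# Constructed examples of factory-default logins; not a real vendor list.
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("admin", "")}

# Constructed known-good baseline recorded when the router was set up.
BASELINE = {
    "dns_servers": ["192.0.2.53", "192.0.2.54"],
    "port_forwards": [{"proto": "tcp", "port": 443, "to": "192.168.1.10"}],
}

# Constructed snapshot of a router whose settings were silently changed.
TAMPERED = {
    "admin_user": "admin",
    "admin_password": "admin",
    "dns_servers": ["203.0.113.66", "192.0.2.54"],
    "port_forwards": [
        {"proto": "tcp", "port": 443, "to": "192.168.1.10"},
        {"proto": "tcp", "port": 3389, "to": "192.168.1.23"},
    ],
}


def audit_router(snapshot, baseline=BASELINE):
    """Return (severity, message) findings for one settings snapshot."""
    findings = []
    login = (snapshot["admin_user"], snapshot["admin_password"])
    if login in FACTORY_DEFAULTS:
        findings.append(("high", "admin login is still a factory default"))

    # Pharming check: every resolver must be one we configured ourselves.
    trusted = {ipaddress.ip_address(a) for a in baseline["dns_servers"]}
    for addr in snapshot["dns_servers"]:
        if ipaddress.ip_address(addr) not in trusted:
            findings.append(("high", f"unexpected DNS server {addr}"))

    # Firewall check: any forward missing from the baseline is a new gap.
    approved = {(r["proto"], r["port"], r["to"]) for r in baseline["port_forwards"]}
    for r in snapshot["port_forwards"]:
        if (r["proto"], r["port"], r["to"]) not in approved:
            findings.append(("medium", f"unapproved forward {r['proto']}/{r['port']} to {r['to']}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_router(TAMPERED):
        print(f"[{severity}] {message}")
```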

Which brings me to the last thing I want to mention: Microsoft. This amounts to a Microsoft rant. As you may have noticed, I have recently delved into podcasting, which I find to be an incredibly useful information delivery system.

So, my very second podcast was set up with Microsoft to discuss Vista, which they could only do on a very specific date and time. Fine, it’s Microsoft, so I rearranged my schedule, only to get BLOWN OFF. The first time they blew me off, they at least sent me a message, but then they rescheduled, and then I got totally BLOWN OFF.

No call, no message, nothing. Apparently, my time means nothing to Microsoft. So Microsoft has bags full of cash, that’s well known, and still holds great power in the industry, but I come from Detroit, I’ve seen huge industries reduced to rubble (Ford, GM, Chrysler) because management was too cut off and insular.

Get with it, Microsoft, all of your riches give you no license to operate without any professionalism or tact. Thank god for Apple.

Posted by pschooff

Accountability: The opinions expressed in this blog are solely representative of the blog's author, and not of ebizQ.