Dear El Reg
When writing articles like this, a list of affected equipment would be a boon so we know whose particular equipment and what variant is vulnerable.
A cybercrime vigilante known as Kafeine says criminals are hitting thousands of victims with a hacking tool that targets more than 40 router models. The well-known hacker says the novel attacks use cross-site request forgery and exploits against new and old bugs to change router DNS settings. This bypasses the need to target …
But honestly, I don't trust any of them anymore. I don't see why anyone else should either.
Use alternative firmware, or build your own firewall box. Then you have all the pieces, you patch your own stuff, and you know exactly where you stand with the next stupid CSRF (non-)bug like this.
It's not quite as convenient or robust though, especially the lower-power-PC route. Anyone know of hardware specifically designed for DIY firewall appliances? I'd rather handle the bits myself instead of using a firmware package.
It would also be useful if a suggested method of status checking was confirmed so that users could easily verify that their router is still using the right DNS settings. I assume that verifying that the DNS settings are as previously wanted/set will suffice to confirm the status of the router.
"it shows the DNS addresses at the bottom."
In many cases it will just point to the router. I usually embed my normal DNS server addresses in the nm settings for my access point.
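The status check asked for above, as an added example (not code from the article, the commentards, or any router vendor): it parses a client's resolver configuration, flags any nameserver that is not on the owner's allowlist, and separately reports resolvers inside the LAN, because in that case the client is only delegating to the router and the router's own upstream DNS setting still has to be checked in its admin page. The resolver file, the LAN range and the allowlist are constructed placeholders.

```python
"""Added example: verify a client's configured DNS resolvers against an allowlist.

Constructed sample data; the addresses, the LAN range and the allowlist are
assumptions, not values from the article or the comments.
"""
import ipaddress
import re

# Constructed sample of a Linux client's resolver file after a DHCP lease.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
search home.lan
nameserver 192.168.1.1
nameserver 198.51.100.23
"""

# Resolvers the owner deliberately configured (assumed placeholders).
ALLOWED_RESOLVERS = {"192.168.1.1", "9.9.9.9", "149.112.112.112"}

# The home LAN (assumed); a resolver inside it is the router forwarding for the client.
LAN_NETWORK = ipaddress.ip_network("192.168.1.0/24")


def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        match = re.match(r"nameserver\s+(\S+)$", line)
        if match:
            servers.append(match.group(1))
    return servers


def check_resolvers(text, allowed, lan=LAN_NETWORK):
    """Classify each configured resolver.

    Returns a dict with:
      unexpected           - resolvers not on the allowlist (the symptom of a
                             DNS-changing attack on the client or its lease)
      forwarded_via_router - allowed resolvers inside the LAN; the client is
                             delegating to the router, so the router's own
                             upstream DNS setting must be checked separately
      ok                   - True only when nothing unexpected was found
    """
    unexpected, via_router = [], []
    for server in parse_nameservers(text):
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            unexpected.append(server)      # not even a valid address
            continue
        if server not in allowed:
            unexpected.append(server)
        elif addr in lan:
            via_router.append(server)
    return {"unexpected": unexpected,
            "forwarded_via_router": via_router,
            "ok": not unexpected}


if __name__ == "__main__":
    print(check_resolvers(SAMPLE_RESOLV_CONF, ALLOWED_RESOLVERS))
```

Run it against the real file (`/etc/resolv.conf`, or whatever the client's network manager writes) with the owner's own allowlist; a `forwarded_via_router` entry means the check is only half done and the router's WAN/upstream DNS fields need comparing by hand or by scraping its admin page.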
At the moment I'm still looking for a reasonably simple explanation of how this exploit works and indeed how it is triggered.
If it's a cross site forgery then it's visiting a site which opens a frame to the router's DNS admin page via some exploit and changing the settings from there.
A simple way of stopping the attack would be to change the router's IP address to something else other than the default so it can't be targeted as a hard-coded value. And changing the default admin password too, although most of the commentards here should have done that already.
The router's IP can be determined simply by doing some kind of internal ping on the client. The rules of DHCP and so on usually mean the weak-link client is on the same subnet as the router. And since the router's usually the hub of the home network (and therefore almost always device .1), Bob's your uncle.
Then I think the attack bypasses the authentication done on the device, making passwords useless.
Please inform us if this is not the case, as I've been unable to obtain particulars on this attack (or even if the CSRF is applied against the device's web-facing side directly, meaning no user intervention required).
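The CSRF mechanism the thread is puzzling over, as an added example (not router code, and not from the article or the commentards): a toy in-process model of a router's "set DNS" handler. The vulnerable version accepts any request the browser attaches the admin cookie to, which is exactly why the login password does not help; the hardened version additionally requires the request to come from the router's own admin origin and to carry a per-session token that a foreign page cannot read. The admin address, request shape and DNS values are constructed assumptions.

```python
"""Added example: a router 'set DNS' handler, CSRF-vulnerable vs. hardened.

Toy in-process model (no real web server). The admin origin, the request
shape and the addresses are constructed assumptions, not router code.
"""
import hmac
import secrets

ROUTER_ORIGIN = "http://192.168.1.1"   # assumed LAN admin address


class Session:
    """Authenticated admin session with a per-session anti-CSRF token."""
    def __init__(self):
        self.csrf_token = secrets.token_hex(16)
        self.dns = ["9.9.9.9"]          # current upstream DNS (constructed)


def vulnerable_set_dns(session, request):
    """Accepts any POST the browser attaches the auth cookie to.

    A page in another tab can make the browser submit such a request, and
    the cookie goes along with it, so the admin password never comes into it.
    """
    if not request["cookie_valid"]:
        return 401, session.dns
    session.dns = request["form"]["dns"]
    return 200, session.dns


def _request_source(headers):
    """Origin of the page that sent the request (Origin, else Referer)."""
    if "Origin" in headers:
        return headers["Origin"]
    parts = headers.get("Referer", "").split("/", 3)
    return "/".join(parts[:3]) if len(parts) >= 3 else ""


def hardened_set_dns(session, request):
    """Same change, but only from the router's own pages with a valid token."""
    if not request["cookie_valid"]:
        return 401, session.dns
    # 1. The request must come from the router's own admin origin; a missing
    #    Origin and Referer is treated as cross-site, not as trusted.
    if _request_source(request["headers"]) != ROUTER_ORIGIN:
        return 403, session.dns
    # 2. The form must carry the token issued to this session; a foreign
    #    page cannot read it (same-origin policy), so it cannot supply it.
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token):
        return 403, session.dns
    session.dns = request["form"]["dns"]
    return 200, session.dns


def cross_site_request(new_dns):
    """What a hidden form on an unrelated site produces: the browser attaches
    the router cookie, but Origin is the foreign site and no token is present."""
    return {"cookie_valid": True,
            "headers": {"Origin": "http://attacker.invalid"},
            "form": {"dns": new_dns}}


def same_site_request(session, new_dns):
    """What the router's own admin page produces."""
    return {"cookie_valid": True,
            "headers": {"Origin": ROUTER_ORIGIN},
            "form": {"dns": new_dns, "csrf_token": session.csrf_token}}
```

Note what this does and does not cover: an origin check plus a session token stops the plain CSRF case, where the victim's browser is made to submit the form while logged in. The article also mentions exploits against bugs in the devices themselves; where such a bug bypasses authentication, no token helps and only a firmware fix does, which is the point the commentards arguing for alternative firmware are making. Changing the router's LAN address, as suggested above, only defeats a hard-coded target address and is not a substitute for either.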
Go a step further. We're tech.. we're supposed to know. Yeah, right... But how the hell does "Joe I-have-a-router-at-home" know about these updates? Does "Joe" even care until suddenly he's hacked and takes his computer into the shop? Would the tech in the shop even ask "Joe" about his router?
It seems that information on these router issues isn't very well disseminated.
I have a fair degree of faith in some upcoming commercial brands, more than I do in the big box-badged names.
I have run various IP-Cop, Smoothwall, M0n0wall, PFsense etc. but consider the gradual addition of features just increased attack surface, in that respect why do people mention "BigNameOpenSource" more than X or Y which are smaller but less well featured? We quickly think (for example) "oh this can handle printers too, I could use that!", not "this has a print queue bolted on, shame".
Consider something like the Mikrotik 109-8G-1S-2HnD-IN (wifi-stock.co.uk): solid platform, number of gig ports, for the cost of some low-middling big name, about a third of the cost of the itx hardware in the comments. Sure the Wifi is 2.4G but see it as a free extra not the main reason for purchase.
Anon because I don't like to say "my name is Erik and I run a DP-CiscoLink 1234, please use the correct exploits when you call"