Wednesday, January 23, 2008

Change your router password...and a brief word from Tom

Security...it's sexy.

Not completely sure how it was implemented, but a drive-by pharming attack observed in Mexico illustrates the severity of introducing some modicum of security for your home network.

A group of individuals (assuming it was a group) executed the attack in a 2-initiative approach: changing the DNS settings on unsecured (i.e. no security or default security) residential routers and spamming individuals with an phished email which looks normal, but the tricky-dickies changed an image tag reference in the HTML to direct the user's browser to a fake bank's site.

The 'drive-by' aspect refers to the way in which the routers were hacked: this group probably roamed residential neighborhoods scanning for networks and used the manufacturer's default admin credentials to see which hadn't had their password changed. Those that hadn't had their default DNS settings reconfigured were susceptible. If a person accessing the internet via the affected router also received and participated in the phished email, they could potentially have given the group access to their login information to their bank.

Just think, in a residential neighborhood someone sat in a car, and using a laptop or some other capable handheld broadband device silently made the reconfigurations to various routers in a given area.

Granted, there are a lot of conditions that need to be met to make this attack work, but all the group would've needed was 2 or 3 well-heeled individuals to fall for the ploy. Recently, I was on the road and needed to check email, and wasn't near a hotspot (ok, I didn't want to go into a Starbucks or MacDonald's) so I used my laptop to scan for unsecured networks in the area, found one, connected, initiated my VPN connection, checked email, then got off the system, and drove away.

I wonder how long it'll take before this becomes a serious issue, and how local law enforcement will deal with it. Will they have a special task force ('Police Operations: Residential Networks' what an awesome acronym!)? What kind of statutes and laws will need to be put in place? Or, will the marketplace come up with solutions to deal with this new criminal activity? Or, will people spend a little extra effort and change their password on their routers?

All of this applies to everyone...except Tom Cruise...because he can make people do what he wants just by furrowing his little brows, flexing his featherweight high school pugilist build, and dropping mad Scientology energy on yo' ass. I'm OT-7, bitch! Clear as a muthafuckin' bell! Whoo-hooo!!

Here he is now pontificating on his thoughts on how to eradicate anal warts while also buttressing your home network:

No comments: