[X4U] security

Stroller macmonster at myrealbox.com
Mon Mar 5 16:53:43 PST 2007


On 28 Feb 2007, at 15:24, David Ledger wrote:
>> ...
>> It allows someone to alter your router so that your browser will
>> direct you to a web site of their choice and not what you type into
>> the browser address box.
>
> I haven't heard of the threat myself yet. Such an attack would  
> involve getting your system to use their DNS server to convert  
> domain names to IP addresses rather than a real one. This has been  
> known to be a possible problem since DNS was proposed. Your router  
> will know the IP addresses of a couple or three DNS servers to use.  
> It gets these either from the ISP they connect to at connection  
> time or by you entering them manually.
>
> Some routers _may_ allow their configuration to be changed from  
> the outside world. My Netgear router and the SMC I had before that will  
> not accept an admin login from the WAN side, only the LAN (your)  
> side unless it is specifically enabled. The Netgear will allow you  
> to set up an IP address (or range of IP addresses) on the Internet  
> side from which you can log in (to the router). Even if you leave  
> the router admin password at the default you can't log in to it  
> from the outside world without allowing it.

This is exactly the scenario proposed in the BBC article (I think I  
read it on the BBC website).

This vulnerability can mostly be taken advantage of in routers with  
no wireless encryption enabled. I think that on balance this is  
really only a theoretical attack, or one which will only ever be  
applied to specific targets - there are fewer open APs these days  
than there were only a year or two ago (although WEP-cracking does  
increase the number of vulnerable targets), and although many of  
those that are configured in ignorance are wide-open, an attacker  
would have to war-drive in order to find them.

I think that phishing for bank details would only be viable for a  
well-organised gang in a metropolitan area (such as London), and  
probably even then there are easier ways to earn a buck. I suppose  
that transfers to an IBAN in $COUNTRY may be untraceable, but does  
your bank allow you to dispose of funds so anonymously?

Stroller.

