Return-Path: <sentto-279987-3151-1003501954-fc=all.net@returns.onelist.com> Delivered-To: fc@all.net Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Fri, 19 Oct 2001 07:34:16 -0700 (PDT) Received: (qmail 4643 invoked by uid 510); 19 Oct 2001 14:32:10 -0000 Received: from n33.groups.yahoo.com (216.115.96.83) by 204.181.12.215 with SMTP; 19 Oct 2001 14:32:10 -0000 X-eGroups-Return: sentto-279987-3151-1003501954-fc=all.net@returns.onelist.com Received: from [10.1.4.52] by n33.groups.yahoo.com with NNFMP; 19 Oct 2001 14:32:34 -0000 X-Sender: fc@red.all.net X-Apparently-To: iwar@onelist.com Received: (EGP: mail-8_0_0_1); 19 Oct 2001 14:32:34 -0000 Received: (qmail 15163 invoked from network); 19 Oct 2001 14:32:33 -0000 Received: from unknown (10.1.10.26) by m8.onelist.org with QMQP; 19 Oct 2001 14:32:33 -0000 Received: from unknown (HELO red.all.net) (65.0.156.78) by mta1 with SMTP; 19 Oct 2001 14:32:33 -0000 Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id f9JEWZ411069 for iwar@onelist.com; Fri, 19 Oct 2001 07:32:35 -0700 Message-Id: <200110191432.f9JEWZ411069@red.all.net> To: iwar@onelist.com (Information Warfare Mailing List) Organization: I'm not allowed to say X-Mailer: don't even ask X-Mailer: ELM [version 2.5 PL3] From: Fred Cohen <fc@all.net> X-Yahoo-Profile: fcallnet Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com Delivered-To: mailing list iwar@yahoogroups.com Precedence: bulk List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com> Date: Fri, 19 Oct 2001 07:32:35 -0700 (PDT) Reply-To: iwar@yahoogroups.com Subject: [iwar] [fc:Harvesting.passwords.from.DSL.routers] Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 8bit Harvesting passwords from DSL routers By Kevin Poulsen, The Register, 10/19/2001 <a href="http://www.theregister.co.uk/content/55/22353.html">http://www.theregister.co.uk/content/55/22353.html> Hackers have developed a trick for pilfering DSL account names and passwords right from subscriber's routers, a technique that provides hackers with untraceable Internet access, and potentially exposes subscriber email to interception. The method targets Cayman Systems' popular 3220-H DSL router, a combination modem, router and hub that allows DSL subscribers to share their Internet connections among multiple computers. The 3220-H is sold retail, and is distributed by Cayman's channel partners-- notably SBC Communications, which provides the devices to thousands of "Enhanced DSL" subscribers through subsidiaries Pacific Bell, Southwestern Bell and Ameritech. Like other DSL routers, the Cayman 3220-H allows users to easily configure their settings through a Web browser interface. But the router makes that interface accessible, not just from the user's local area network, but also from the 'WAN port' that connects to the Internet. The device is protected from unauthorized reprogramming by an administrative password set by the owner. But unless the subscriber also sets a separate 'user password', the router's configuration settings can be viewed, though not changed, through the browser interface. There, the 'PPPoE' password used to log onto the DSL service is masked as a series of asterisks, but it is plainly visible in the HTML source code of the page. Hackers can use the purloined password to download the subscriber's email from SBC servers, or view and edit portions of their account information. But sources say the vulnerability has found its greatest utility in the computer underground as a wellspring of free, anonymous Internet access. Because the same password works on SBC's dial-ups, without interfering with the subscriber's DSL use, the purloined passwords help hackers cover their tracks by borrowing other people's ISP accounts, according to 20-year-old Internet hacker Adrian Lamo. "Most of the people that I know of use them as disposal dial-up accounts," says Lamo, who discovered the hole over a year ago. "Looking at something in page source is not a tremendous technological effort." Privacy Problems An SBC spokesperson acknowledged the password theft vulnerability, and said it drove the company to begin disabling all Internet access to the router's configuration settings as part of its standard installation routine. "Cayman and other companies have a factory setting where the WAN port is disabled," says spokesperson Fletcher Cook. "Our technicians are trained to disable this themselves." But subscribers who received their routers over a year ago, before SBC enacted the more secure policy, may remain vulnerable, Cook admits. Newer subscribers are at risk only if they explicitly enable administrative access to the router's WAN port. He adds that the company educates users about security issues through its Web sites. Lamo says his scanning has turned up thousands of vulnerable routers in homes and small offices throughout Chicago, Los Angeles, San Francisco, Houston, Saint Louis, San Diego, and other cities. The problem has privacy implications for DSL subscribers. The same password that provides Internet access, is also used to control access to subscriber email. The passwords can also be used to access some account information over SBC's public customer service Web sites; a cyber snoop could learn a given subscriber's name and phone number, or change their billing address. In some circumstances, the sites also reveal one digit of the subscriber's confidential three-digit telephone account "customer code," Lamo notes. A spokesman for California-based Netopia, Inc., which acquired Cayman Systems last week, said the company is considering releasing a patch for the password revelation hole. In the meantime, customers should disable access from the WAN port, or set a separate 'user password,' on top of the administrative password, to block access to the configuration screens. "[Cayman has] been concerned about network security for some time," says Evan Solley, Netopia's vice president of product marketing. "But there has been back pressure from the channels about solutions, because it makes things more difficult for deployment." The issue is not the first for the Cayman router. In March of last year, security experts revealed that the 3220-H's administrative password was left blank by default, potentially allowing attackers to reconfigure or reprogram the devices remotely. In response, SBC technicians began setting that password manually upon installation. © 2001 SecurityFocus.com, all rights reserved. ------------------------ Yahoo! Groups Sponsor ---------------------~--> Get your FREE VeriSign guide to security solutions for your web site: encrypting transactions, securing intranets, and more! http://us.click.yahoo.com/UnN2wB/m5_CAA/yigFAA/kgFolB/TM ---------------------------------------------------------------------~-> ------------------ http://all.net/ Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:56 PST