| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 4 Feb 2005 14:08:53 +0100 From: Radoslav Dejanović <radoslav.dejanovic@...us.hr> To: "bugtraq-securityfocus.com" <bugtraq@...urityfocus.com> Subject: Wireless networks/Default Admin username security problem in Croatia There are two quite common practices used in Croatia that have left huge number of users wide open to attacks. I presume that, if you look around, you might find one or both in your general vicinity. First one is the fact that computer "manufacturers" in Croatia always chose one of dozen default usernames while installing Microsoft Windows for their customers. They rarely, if at all, change the username, so lot of people get their boxes with the same Administrator login. To make things worse, all of those accounts have blank password, and automatic log-in so the end user doesn't have to think about it. Real plug-and-play technology, isn't it? Note that some of them ship Linux as well, and the same story goes for the root user, making Linux box just as secure as it's Windows neighbor. While we might think that Linux box will either be replaced with pirated Windows installation or have an user that know a little bit about security, we just don't know how many open Linux boxes there are. But, given the growing popularity of Linux among ordinary people, it is wise to presume that this might not be an insignificant number. Windows users en-masse don't care about the security stuff, they just power up the computer and start working. So we have a whole lot of Windows boxes and probably a big pile of Linux boxes really easy prey for 0wn4ge. There's no easy remedy for that - "manufacturers" don't really care about this, so it is up to the end user to protect herself. And we all know that everyone is security aware, don't we? Second problem is that largest Croatian telecom company, T-Com (used to be Croatian Telecom until our politicians sold majority of shares to Deutsche Telekom), is advertising their aDSL/WiFi combo, in fact an ordinary DSL line with wireless router at the user's premises. The trouble here is that T-Com does nothing more than to connect the hardware and make sure it is working, leaving end-user with a wireless network that happily broadcasts over an unsecured channel. Now, let's put these two together: we have a whole lot of users in Croatia that bought their PC from a "manufacturer", never bothered to change administrator password let alone the username, hooked on wireless network that is both unencrypted and open to access to anyone who is in radio range and knows the mysteriously secret default SSID "ConnectionPoint" that is being broadcasted by hundreds of AP-s just in capital city of Zagreb. So, what we have here is a lot of clueless people that might have problem with any or all of these: - anyone in range can connect to the WiFi network and surf (probably unnoticed), to the very surprise of the poor user who get's the DSL bill at the end of the month (and our DSL rates are HUGE) - affects both Windows and Linux users because it's got nothing to do with PC, but with AP; - since there's just a dozen of default administrator usernames and none of them has a password associated with it, it is a child's play to hook on the wireless network and connect to user's computer (that DOES include Linux guys who didn't bother to change password) and wreak havoc - steal banking info, stored PINs and passwords, delete or modify data, etc. - affects both Windows and Linux; - intruder can inject a virus on user's computer, effectively hiding his point of entry - the one that goes to jail would be poor uneducated user - affects Windows and theoretically Linux as well, given the number of Linux viruses spotted in the wild (but does make an excellent petri dish for Linux viruses, due to the fact that it is so easy to get root permissions); - intruder can use the network or computer to spam around, to his own enjoyment and the horror and huge DSL bill of the user; oh, and wrath of the spammed will be felt by the user, of course... :-) - affects Windows and Linux; - last, but not least, it is possible to war-drive around and seed clients to be used as DDoS drones later. In fact, it can be scripted, so you just have to drive around, and the script will discover the network, log on it, try all of those dozen default administrator usernames for you and if successful, seed the drone then go on searching for next victim. In that case, user might never discover that he's hosting a parasite - affects mostly Windows but Linux is not invulnerable to this neither. We have released a security advisory (18.1.2005.) regarding this issues, as well as step-by-step description on how to protect yourself by changing administrator password and securing WiFi network. http://www.opsus.hr/index.php?folder=69&article=78 We have sent a message to Croatian "Office for e-Croatia" as well, for this vulnerabilities might severely interfere with their project of having 100.000 broadband users in Croatia by the end of this year (note: Croatia has just about 4.5 million citizens and transition - anyone who is living in a country in transition will understand my point). So far we haven't heard back from them. T-Com has issued a warning to all their WiFi customers at the beginning of February as well, providing them with the advisory on how to protect their network http://www.t-com.hr/privatni/internet/pristup/wlan/sigurnost.asp# that looks a lot like our own advisory. However, their advisory is slightly flawed - their advice is to let AP get all the MAC addresses it can see, while our advice is to enter MAC addresses one by one, for if you use the automatic collection and there's already someone piggybacked on your network, and you don't really know what you're doing (we're talking about Hrvoje Average here, remember), it is easy to enter attacker's MAC address in a list as well. Taking the PC Card out of it's slot and reading the MAC address from the back of the card is more work, but much much more secure in this case. Not to mention that ordinary household will have just one or two computers. One note: T-Com does provide end user with a manual for their WiFi network that has all this security staff inside, but their mistake was to count on end-user to take care of security, which is, as you all know, a dream. It is hard to find a remedy in this case. It is almost impossible to force "manufacturers" to stop using the same administrator login/blank password in production because it takes a little bit longer to put up a computer and might increase problem with the customers who forget their passwords, so it cuts into their profit margin. It might be possible for T-Com to take more care about security while installing WiFi hardware for the end user (and we did advice Office for e-Croatia to try to push T-Com to do security for the end-user), but this cuts into their profit margin as well, but since they earn about 1.000.000$ each day from their GSM service (honestly!), a few thousand bucks more spent on having end-user secured immediately after the installation of WiFi hardware is both good for the company image (they should really work on it, given their popularity) and is of extreme importance for growing IT infrastructure in Croatia. The last option is to have people educated. The government is doing something about it, but it is too little, too late. We're still struggling with having majority of people understand why they get all sorts of adware and dialers, this might be overkill for them. However, the only real solution is to educate people. Slim chances. -- Radoslav Dejanović Operacijski sustavi d.o.o. http://www.opsus.hr
Powered by blists - more mailing lists