Routers Becoming Juicy Targets for Hackers

Most consumers pay as much attention to routers as they do to doorknobs. That’s not the case with Net marauders. They’re finding the devices ripe targets for mischief.

“We’ve seen a big increase in malware designed for home routers,” said Incapsula researcher Ofer Gayer.

“Every week, we see a new vulnerability in a vendor’s routers,” he told TechNewsWorld. “They’re low-hanging fruit if you’re a hacker. They’re a very soft target.”

Home routers are the soft underbelly of the Internet, observed Andrew Conway, a threat researcher at Cloudmark.

“They were never designed to be high security components, and once they are installed, they are typically never updated,” he told TechNewsWorld.

“Even when vulnerabilities are discovered, a vendor may not patch their firmware — and if they do, the patches are rarely applied,” Conway said.

Cross-Site Shenanigans

As soft a target as routers may be, they have been protected by a restriction on how their settings can be altered. Typically, you have to be on a network locally before you can access and change those settings. That’s not always the case, though, as Incapsula recently pointed out.

Incapsula discovered one router maker had installed what was essentially a backdoor in its products to make it easier to service the routers. Unfortunately, Net miscreants discovered what the router maker had done, and they began herding many of the routers together to mount distributed denial-of-service attacks.

“Routers are strong enough today to create a pretty significant denial-of-service attack,” Gayer said.

Even if your router maker doesn’t put a backdoor in your router, there’s a way to compromise a home network without actually being on it. It’s called “cross-site request forgery.”

It starts by redirecting a user to a malicious website, typically by some kind of phishing email. The site uses the prey’s browser to send requests to the home router. The router thinks the prey is sending the requests from the home network.

“Home routers are very naive,” Gayer explained.

Once a predator opens up the channel between the prey’s browser and the router, a host of options become available.

“I can change whatever I want,” Gayer noted. “I can change the DNS server. I can open a hole in the firewall. I can change the admin password.” To do all that, no access to the router is needed.

“I just make you perform the requests by redirecting you,” Gayer said.
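A minimal model of the weakness Gayer describes, as an added example that is not from the article or from any vendor's firmware: a router settings endpoint that trusts the session cookie alone accepts a request the victim's browser was tricked into sending, while the hardened handler also demands a POST, a same-origin `Origin`/`Referer` header and a per-session anti-forgery token. All names, the `192.168.1.1` origin and the DNS addresses are constructed for the illustration.

```python
# Added example, not from the article: a toy home-router "set DNS" endpoint.
# naive_set_dns() shows the CSRF-prone behaviour; hardened_set_dns() shows the
# checks that stop a cross-site request. All identifiers are hypothetical.
from dataclasses import dataclass, field
import secrets

ROUTER_ORIGIN = "http://192.168.1.1"  # constructed; typical LAN gateway address

@dataclass
class Request:
    method: str
    headers: dict
    cookies: dict
    form: dict

@dataclass
class RouterState:
    dns_server: str = "8.8.8.8"  # constructed default
    sessions: dict = field(default_factory=dict)  # session id -> csrf token

def login(state):
    """Create an authenticated session with a fresh CSRF token; returns (sid, token)."""
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    state.sessions[sid] = token
    return sid, token

def naive_set_dns(state, req):
    """Vulnerable: only the session cookie is checked, and the browser attaches
    that cookie to any request, including one a malicious page made it send."""
    if req.cookies.get("sid") not in state.sessions:
        return 401
    state.dns_server = req.form["dns"]
    return 200

def hardened_set_dns(state, req):
    """Hardened: state changes require POST, a same-origin Origin/Referer
    header, and a token that only a page served by the router could know."""
    sid = req.cookies.get("sid")
    if req.method != "POST" or sid not in state.sessions:
        return 401
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != ROUTER_ORIGIN and not origin.startswith(ROUTER_ORIGIN + "/"):
        return 403  # request was initiated from some other site
    if not secrets.compare_digest(req.form.get("csrf", ""), state.sessions[sid]):
        return 403  # missing or wrong anti-forgery token
    state.dns_server = req.form["dns"]
    return 200
```

Real firmware should additionally bind the token to the session server-side and reject requests whose `Origin` header is absent, which this toy deliberately keeps simple.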

Targeting Uncle Sam

Last week wasn’t the best of times for federal employees. The decibel level of the furor over the Office of Personnel Management data breach continued to rise.

It didn’t take long for signs to appear that Net bandits were putting the stolen data to use. For example, an Army base in Alabama warned its employees of a phishing email purporting to be from the OPM and directing targets to a website where personal information could be cajoled from them.

Meanwhile, OneWorldLabs, which monitors the Dark Net, spotted data apparently from the OPM breach for sale. If that were the case, though, it would throw cold water on the idea that the Chinese government was behind the OPM break-in, since it likely would keep the data under wraps and not be trying to sell it to cybercriminals.

Nevertheless, most of the U.S. finger-pointing has been toward Beijing.

“China would like to be in every U.S. system on some level,” said Jared DeMott, principal security researcher at Bromium.

“The data the hackers stole could just be the initial phase of the attack, while moving toward more attractive targets,” he told TechNewsWorld.

What makes matters worse is that there’s little the United States can do about the breach, said Securonix Chief Scientist Igor Baikalov.

“First of all, the U.S. spies for ‘national security advantages’ just like China does — no moral high ground for the U.S. there,” he told TechNewsWorld.

“Second and most frustrating, there’s not much the U.S. can do to retaliate for this attack,” Baikalov said. “Economic sanctions? They’re hardly applicable to the country that holds most of your national debt.”

Breach Diary

  • June 8. Information Technology and Innovation Foundation releases report estimating high tech industry losses due to revelations about massive U.S. surveillance programs to exceed US$35 billion.
  • June 8. U.S. Army suspends operation of website after it discovers it has been compromised. Syrian Electronic Army, which supports the ruling regime in Syria, claimed responsibility for attack.
  • June 8. Ponemon Institute and Dell SecureWorks release survey results that include finding that 50 percent of security and IT professionals say their organizations’ board of directors and C-Level executives are frequently not briefed, nor are they given the necessary information to make informed budgeting decisions regarding system security.
  • June 9. Obama administration asks FISA court to allow NSA to indiscriminately collect phone records of Americans for six months, when the USA Freedom Act will take full effect.
  • June 9. Redstone Arsenal, a U.S. Army post in Alabama, warns employees of phishing scam using a fake letter from the federal Office of Personnel Management that includes a link to a malicious website where the employees will be asked to divulge sensitive information. The OPM on June 4 announced its systems were breached by hackers who stole personal information of millions of federal employees.
  • June 10. OneWorldLabs, founded by White Hat hacker Chris Roberts, reports information from federal Office of Personnel Management data breach, in which personal information of an estimated 4.1 million current and former federal employees was stolen, has begun appearing for sale on online underground sites.
  • June 11. American Federation of Government Employees claims data breach revealed by Office of Personnel Management June 4 is greater than originally reported. All federal employees and retirees, as well as 1 million former federal employees, are affected by the breach, it says.
  • June 11. Holiday Valley Resort, a ski resort in western New York, reports data breach from Oct. 17 to June 2 has put any payment cards used at the facility at risk.
  • June 11. U.S. Senate Homeland Security and Governmental Affairs Committee holds hearing on government retaliation against whistle-blowers.
  • June 11. Internal Revenue Service and representatives of tax preparation and software firms, payroll and tax financial product processors, and state tax administrators announce agreement to combat identity theft refund fraud, including new steps to validate taxpayer and tax return information at the time of filing.
  • June 12. French government orders Google to extend “right to be forgotten” rule to all Internet domains, not just those in France.

Upcoming Security Events

  • June 19-20. Suits and Spooks NYC. Soho House, New York City. Registration: $595.
  • June 20. B-Sides Cleveland. B Side Liquor Lounge & The Grog Shop, 2785 Euclid Heights Blvd., Cleveland Heights, Ohio.
  • June 25. Optimizing Your Security Defenses For Today’s Targeted Attacks. 1 p.m. ET. Dark Reading Interop Webinar. Free with registration.
  • July 3. B-Sides Lisbon. Forum Picoas, 40 Avenida Fontes Pereira De Melo, Lisbon, Portugal. Free.
  • July 18. B-Sides Detroit. McGregor Memorial Conference Center, Wayne State University, Detroit. Free.
  • July 22-24. RSA Asia Pacific & Japan. Marina Bay Sands, Singapore. Registration: before June 21, SG$700; after June 20, SG$850.
  • July 25. B-Sides Cincinnati. Cincinnati Museum Center, 1301 Western Ave., Cincinnati, Ohio. Free.
  • August 1-6. Black Hat USA. Mandalay Bay, Las Vegas, Nevada. Registration: before June 6, $1795; before July 25, $2,195; after July 24, $2,595.
  • August 4-5. B-Sides Las Vegas. Tuscany Hotel and Casino, 255 E. Flamingo Rd., Las Vegas, Nevada. Free.
  • August 6-9. Defcon 23. Paris Las Vegas, 3655 S. Las Vegas Blvd., Las Vegas, Nevada, and Bally’s, 3645 S. Las Vegas Blvd., Las Vegas, Nevada. $230, cash only at the door.
  • August 24-25. Gartner Security & Risk Management Summit. Hilton Hotel, 488 George St., Sydney, Australia. Registration: prior to June 27, AU$2,475; after June 26, AU$2,875; public sector, AU$2,375.
  • Sept. 12. B-Sides Augusta. GRU Harrison Education Commons Building, 1301 R.A. Dent Blvd., Augusta, Georgia. Free.
  • Sept. 16-17. SecureWorld Detroit. Ford Motor Conference & Event Center, Detroit. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 22-23. SecureWorld St. Louis. America’s Center Convention Complex, St. Louis. Registration: open sessions pass, $25; conference pass, $175; SecureWorld plus training, $545.
  • Sept. 28-Oct. 1. ASIS 2015. Anaheim Convention Center, Anaheim, California. Through May 31: member, $895; nonmember, $1,150; government, $945; student, $300. From June 1 through Aug. 31: member, $995; nonmember, $1,250; government, $1,045; student, $350. From Sept. 1 through Oct. 1: member, $1,095; nonmember, $1,350; government, $1,145; student, $400.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
