
Showing posts with label phishing. Show all posts
Saturday, March 22, 2008
Friday, February 16, 2007
drive-by pharming
If you have not set a hard-to-guess password on your broadband router, do it now. There's a way attackers can compromise your router from the inside using simple JavaScript.
The basic idea is this: you visit a malicious website and it distracts you. While you're distracted (playing a game, reading news, etc.), it runs JavaScript code to scan your internal network and identify the IP address of your router. Once the router is found, the malicious script can send "reconfiguration requests" to it that attempt to change the DNS server your network uses. If that succeeds, all DNS queries can be directed through an attacker's server, thus pharming you. For technical details, please see our tech report, but in brief this attack is not complex.
The solution: make your router's admin password hard to guess.
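The "reconfiguration requests" above reach the router from a page on some other site. As an added example (not code from the post or the tech report), here is a router-side check that refuses state-changing requests that cannot show they came from the router's own admin pages; it assumes the admin UI lives at ROUTER_HOST, that state changes are POSTs, and that the browser attaches an Origin or Referer header to cross-site POSTs (modern browsers do). It complements, rather than replaces, a non-default admin password.

```javascript
// Added example, not from the original post. Assumption: the admin UI is
// served from ROUTER_HOST; the sample requests below are constructed.
const ROUTER_HOST = '192.168.1.1';   // assumed LAN address of the admin UI

function hostOf(urlString) {
  try { return new URL(urlString).host; } catch (e) { return null; }
}

// Returns { allowed, reason } for a request described as { method, path, headers }.
// Read-only requests pass; a POST must carry an Origin (or Referer) whose
// host is the router itself, otherwise it is treated as a cross-site request.
function routerAdminGuard(req) {
  const h = req.headers || {};
  if (req.method !== 'POST') return { allowed: true, reason: 'read-only request' };
  const source = h.origin ? hostOf(h.origin) : h.referer ? hostOf(h.referer) : null;
  if (source === null) return { allowed: false, reason: 'state change without Origin/Referer' };
  if (source !== ROUTER_HOST) return { allowed: false, reason: 'cross-site request from ' + source };
  return { allowed: true, reason: 'same-origin admin request' };
}

// Constructed sample requests: the same DNS-server change submitted from the
// router's own settings page and from a script running on another site.
const SAMPLE_REQUESTS = {
  fromAdminPage: { method: 'POST', path: '/admin/dns',
    headers: { origin: 'http://192.168.1.1', 'content-type': 'application/x-www-form-urlencoded' } },
  fromOtherSite: { method: 'POST', path: '/admin/dns',
    headers: { origin: 'http://malicious-site.example' } },
  noOriginPost:  { method: 'POST', path: '/admin/dns', headers: {} },
  statusPage:    { method: 'GET',  path: '/status', headers: {} },
};

// Evaluate every sample and return name -> allowed, for inspection or testing.
function evaluateSamples() {
  const out = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) out[name] = routerAdminGuard(req).allowed;
  return out;
}

console.log(evaluateSamples());
```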
I recently developed this with Zulfikar Ramzan from Symantec, who forwarded to my advisor (Markus) an interesting Black Hat talk by Jeremiah Grossman. Markus in turn forwarded to me and that's when it struck me that we could similarly mount a pharming attack without playing man-in-the-middle - all it takes is a tweak of the router's DNS server setting, and a whole home network is pharmed. Coupled with the idea that roughly 50% of broadband routers still use the default password, this attack affects a whole lot of people.
Symantec PR picked up on what we did, and issued a press release today:
(Symantec Press Release)
Read More:
(Zully's Blog Post)
(Tech Report)
Select Media Coverage:
(Google aggregate)
(Info World -- IDG article)
(Forbes)
(Appscout)
(BroadbandReports.com -- amusing comments thread)
(Washington Post Blog)
(Red Herring)
(Computer World)
Update (16-Feb-07 9:30am ET): The story got picked up by Forbes and the Washington Post, and the Google News index on "Drive-by Pharming" is roughly fifty-something.
My Favorite Headlines:
Researchers highlight a router route to pharming
New Drive-By Attack Taking Over Home Routers
Broadband routers welcome drive-by hackers
Change Your Router Password NOW!
Update (16-Feb-07 10:30am ET): Slashdot picked it up.
Monday, February 12, 2007
bad security assumption
Good assumption:
My domain (DNS) name is not safe from forgery. Bad people might "hijack" it and use it to pretend they are me.
Bad assumption:
If my domain name is hijacked or spoofed, then I lose control of all the subdomains too. This means that if someone else pretends to be sidstamm.com then they will also take control over blog.sidstamm.com, mail.sidstamm.com and ohcrap.sidstamm.com.
Why this assumption is bad: DNS spoofing is done at the record level, and since each subdomain is a separate record, an attacker might control one subdomain while you retain control over the rest.
Consequence of this: the same-origin policy enforced by most browsers says that scripts served by one host cannot access, execute or change data served by another host. Under that rule b.a.com and a.com are considered different hosts.
There is one exception to the rule: a page may change its document.domain property to a suffix of its current value. For example, a page served by b.a.com may set its domain to a.com AFTER it is served. In that case, b.a.com can play with a.com's data.
Your data is no longer safe unless you control all of your subdomains. The case used to be simpler: a phisher or pharmer had to create a complete duplicate of a site to fool with it. Now, he just creates a parasite frame and watches you interact with the real thing. Beware of visiting update-security.yourbank.com.
Scary.
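To make the a.com / b.a.com rule concrete, here is an added example (not code from the post) that models the same-origin comparison and the document.domain relaxation described above. It assumes a simplified origin (scheme, host, port) and a simplified setter rule (the new value must be the current host or a label-boundary suffix of it, and not a bare TLD); real browsers additionally consult the Public Suffix List, and both documents must opt in by setting document.domain before they may script each other, which is the caveat the post's "b.a.com can play with a.com's data" glosses over.

```javascript
// Added example, not from the original post. Models a page as
// { scheme, host, port, domain } where domain is null until document.domain
// is set; hosts and URLs below are constructed for illustration.
function page(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return { scheme: u.protocol, host: u.hostname, port, domain: null };
}

// Simplified document.domain setter: accept the current host itself or a
// suffix of it on a label boundary, refuse bare TLDs such as "com".
// Returns true on success; real browsers throw a SecurityError instead.
function setDocumentDomain(pg, value) {
  const v = value.toLowerCase();
  const isLabelSuffix = v.includes('.') && pg.host.endsWith('.' + v);
  if (v !== pg.host && !isLabelSuffix) return false;
  pg.domain = v;
  return true;
}

// Two pages may script each other when neither has set document.domain and
// their origins match exactly, or when both have set it to the same value
// (once document.domain is set, the port is no longer compared).
function canScript(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain === null && b.domain === null) return a.host === b.host && a.port === b.port;
  return a.domain !== null && b.domain !== null && a.domain === b.domain;
}

// Walk through the post's scenario: the bank's main page and a page on a
// subdomain the attacker controls. Returns the sequence of outcomes.
function walkthrough() {
  const bank = page('https://yourbank.com/account');
  const sub = page('https://update-security.yourbank.com/login');
  return [
    canScript(bank, sub),                        // false: different hosts
    setDocumentDomain(sub, 'yourbank.com'),      // true: valid suffix
    canScript(bank, sub),                        // false: bank has not opted in
    setDocumentDomain(bank, 'yourbank.com'),     // true: many sites do this
    canScript(bank, sub),                        // true: now same-domain
    setDocumentDomain(sub, 'com'),               // false: bare TLD refused
    setDocumentDomain(sub, 'evil.com'),          // false: not a suffix
  ];
}

console.log(walkthrough());
```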
(Link to Abe Fettig's explanation)
(Link to Same-Origin Policy info)