Thank you, Jen.
I listened to all. Very interesting. (and frightening, too!)
BD
"jen" <jen@example.com> wrote in message
news:ODnOrusiIHA.6092@TK2MSFTNGP06.phx.gbl...
> When you get time, you may be interested in these two podcasts.
> GNUCITIZEN on PaulDotCom:
> The best security podcast on the Web.
>
> http://media.libsyn.com/media/pauldotcom/p...ITIZENpart1.mp3
>
> http://media.libsyn.com/media/pauldotcom/p...ITIZENpart2.mp3
>
> http://www.gnucitizen.org/blog/gnucitizen-on-pauldotcom/
>
> -jen
>
> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c a m> wrote in message
> news:8CEFAE8B-E1C7-41DA-96C6-59ABE7976434@microsoft.com...
>>I am aware of those possible exploits. Have you seen them in the wild? I
>>haven't. They would require quite an involved program to figure what
>>router and firmware revision was in use. AFAIK most current routers have
>>firmware updates available to protect against some of this. The exploits
>>are certainly possible. If they are possible I'm sure malware authors are
>>working on exploiting them. How successful they will be remains to be
>>seen. The only exploits I've seen in the wild are the two I mentioned in
>>an earlier post. Both are easily stopped. In the future this may not be
>>true.
>>
>> --
>> Kerry Brown
>> MS-MVP - Windows Desktop Experience: Systems Administration
>>
>> http://www.vistahelp.ca/phpBB2/
>>
>>
>>
>> "jen" <jen@example.com> wrote in message
>> news:uWE4gtriIHA.5280@TK2MSFTNGP02.phx.gbl...
>>> Have you read these reports?
>>>
>>> Hacking The Interwebs:
>>>
>>> http://www.gnucitizen.org/blog/hacking-the-interwebs/
>>>
>>> Holes in Embedded Devices: Authentication bypass (pt 4):
>>>
>>> http://www.gnucitizen.org/blog/holes-in-em...on-bypass-pt-4/
>>>
>>> Router Hacking Challenge:
>>>
>>> http://www.gnucitizen.org/projects/router-hacking-challenge/
>>>
>>> -jen
>>>
>>> "Kerry Brown" <kerry@kdbNOSPAMsys-tems.c a m> wrote in message
>>> news:260FDF05-7954-411E-8B8D-36FE5F905C4D@microsoft.com...
>>>> Reformatting once a month is a bit drastic. Keeping all your programs
>>>> up to date including an AV, and using common sense when surfing is
>>>> sufficient for most people. Router exploits are thankfully quite rare
>>>> and easily protected against so far.
>>>>
>>>> --
>>>> Kerry Brown
>>>> MS-MVP - Windows Desktop Experience: Systems Administration
>>>>
>>>> http://www.vistahelp.ca/phpBB2/
>>>>
>>>>
>>>>
>>>> "sweathog" <sweathog@discussions.microsoft.com> wrote in message
>>>> news:F7633108-893C-42CE-8DEC-AD614EC02024@microsoft.com...
>>>>> Thanks for the help all you guys...but flashing the router was one of
>>>>> the first things I tried, and you are correct the router is now toast;
>>>>> somehow the MAC address of it went to 00 00 00 00 00 00 and it won't let
>>>>> me back in...although it still passes traffic.
>>>>>
>>>>> A few other symptoms: when I first noticed the problem the USB mouse would
>>>>> freeze (nothing wrong with the mouse); quickly switching USB ports would
>>>>> reactivate it. Thought it was a hardware problem because the connection to
>>>>> the motherboard was a bit sloppy... problem went away for a month. Problem
>>>>> returned after that, but this time the USB connection was solid.
>>>>>
>>>>> When I tried to pay for the pctools product using https the web page would
>>>>> appear back as transaction incomplete; the credit card showed 4 copies of
>>>>> the product.
>>>>>
>>>>> Anyways, I've had to change credit card, cancel ISP and email, and I've had
>>>>> enough...thanks for your time and interest.
>>>>>
>>>>> I live in an isolated community way in the bush; people come to me to fix
>>>>> their computers. No one has complained yet and the machines were clean, but
>>>>> yesterday I had to go to a big city some 400 miles away. While doing some
>>>>> business, there were 4 or 5 customers with me waiting in line to be served.
>>>>> Got to talking computers; 3 of them said that they were doing the same as
>>>>> me: unplugging the machines. One young fellow said "So what? Don't bother
>>>>> with firewalls, viruses, etc., etc. Just reformat once a month; who cares
>>>>> what is on the machine."
>>>>>
>>>>> "Kerry Brown" wrote:
>>>>>
>>>>>> "Shenan Stanley" <newshelper@gmail.com> wrote in message
>>>>>> news:OJfVl4fiIHA.1204@TK2MSFTNGP03.phx.gbl...
>>>>>> > Entire Conversation:
>>>>>> >
>>>>>> > http://groups.google.com/group/microsoft.p...c31fc709607cf76
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > Kerry Brown wrote:
>>>>>> >> It sounds like your router may have been compromised.
>>>>>> >>
>>>>>> >> Unplug one of your computers from the router. Do a clean install of
>>>>>> >> Windows on this computer, making sure you delete all partitions then
>>>>>> >> recreate them during the install. Leave this computer unplugged from
>>>>>> >> the router. Don't worry about updating it just yet. On a different
>>>>>> >> computer download the latest firmware for your router. Burn this file
>>>>>> >> to a CD or copy it to a flash drive. Make sure there are no other
>>>>>> >> files on the CD or flash drive. Unplug all of the computers from the
>>>>>> >> router. Unplug the router from the Internet. Reset the router to the
>>>>>> >> factory defaults. Plug in the computer with the fresh Windows install.
>>>>>> >> Use it to flash the router with the downloaded firmware. Reset the
>>>>>> >> router again. Set a password for the admin account. Plug the router
>>>>>> >> back in to the Internet and update this computer. Do not plug in any
>>>>>> >> of the other computers until they have been wiped clean and a fresh
>>>>>> >> install of Windows done.
>>>>>> >>
>>>>>> >> The key is to flash the router with a clean computer, then set a
>>>>>> >> password on the router before reconnecting to the Internet.
>>>>>> >
>>>>>> > BoaterDave wrote:
>>>>>> >> I feel there is much merit in what you say. FYI I did raise this
>>>>>> >> topic here
>>>>>> >>
>>>>>> >> http://aumha.net/viewtopic.php?t=26677&sta...=asc&highlight=
>>>>>> >>
>>>>>> >> before I became persona non grata at AumHa.
>>>>>> >>
>>>>>> >> Are you aware of any way to check whether or not a router has been
>>>>>> >> compromised, before one follows the procedure you have outlined?
>>>>>> >> I should be interested to learn more about this subject. Do you (or
>>>>>> >> anyone else reading here) have any pointers as to where to begin?
>>>>>> >>
>>>>>> >> I found this item which I found interesting - others may too:
>>>>>> >>
>>>>>> >> http://www.pcadvisor.co.uk/news/index.cfm?newsid=12026
>>>>>> >>
>>>>>> >> A fairly recent news item here, too:
>>>>>> >>
>>>>>> >> http://www.pcpro.co.uk/news/173883/chinese...r-firmware.html
>>>>>> >
>>>>>> > While I know of no way to find out if a router has been compromised,
>>>>>> > if there is even one ounce of suspicion that it could have been
>>>>>> > compromised it would be better to reset the router to defaults, set a
>>>>>> > new (strong) password on it, leave remote management turned off, make
>>>>>> > sure wireless (if a feature of said router) is using WPA or WPA2 at
>>>>>> > least for security, etc.
>>>>>> >
>>>>>> > What makes that even better is doing that 'offline' - the router does
>>>>>> > not need an Internet connection for any of that.
>>>>>> >
>>>>>> > In this particular case (where the original poster seems to have been
>>>>>> > targeted in some way, or is overlooking some part of re-securing their
>>>>>> > entire system (not just the computer)) the advice is spot-on in my
>>>>>> > opinion. Start from the first piece of equipment you can control and
>>>>>> > work your way through to the last, keeping them all 'offline' until
>>>>>> > you have changed the setup on all of them and secured them to the best
>>>>>> > of your ability.
>>>>>> >
>>>>>>
>>>>>>
>>>>>> There are currently two exploits for routers I know of. They both
>>>>>> change the DNS servers the router uses to compromised DNS servers. This
>>>>>> means whatever URL you type in isn't necessarily where you end up. They
>>>>>> can use the compromised DNS servers to send you wherever they want. You
>>>>>> type in www.google.com and end up at some malware site that tries every
>>>>>> trick in the book to get more malware on your computer, or more likely
>>>>>> a site that is full of advertising where you are enticed to click on ad
>>>>>> links while trying to get to where you wanted to go in the first place.
>>>>>> It's a vicious circle. Every legitimate site you try to go to, you're
>>>>>> redirected to a non-legitimate site. They can even let you get to
>>>>>> legitimate online AV sites to scan the computer. Because the router is
>>>>>> compromised, not the computer, all the AV scans come up negative. The
>>>>>> original trojan that compromised the router has long since erased
>>>>>> itself.
>>>>>>
>>>>>> One exploit is a trojan that probes common IP addresses for a router.
>>>>>> If it finds one it takes advantage of the fact that most people never
>>>>>> set a password on the router and reprograms the DNS settings. The
>>>>>> trojan tries a few common passwords as well as no password. Setting a
>>>>>> strong password on the router admin account stops this exploit.
>>>>>>
>>>>>> The other exploit uses a flaw in some older versions of Flash to change
>>>>>> the router's DNS settings via UPnP. All they have to do is trick you
>>>>>> into watching an infected Flash video. You go to what looks like a
>>>>>> normal website with some streaming video. While watching the video your
>>>>>> router is reprogrammed. Keeping Flash up to date and/or turning off
>>>>>> UPnP on the router stops this exploit.
>>>>>>
>>>>>> Doing a hard reset of the router is probably enough to fix a changed
>>>>>> DNS setting. I have seen a couple of cases on networks that had highly
>>>>>> compromised computers where someone or something had tried to flash the
>>>>>> router unsuccessfully and the router was toast. This tells me there may
>>>>>> be an exploit that tries to flash a router. That's why I recommended
>>>>>> flashing the router.
>>>>>>
>>>>>> --
>>>>>> Kerry Brown
>>>>>> MS-MVP - Windows Desktop Experience: Systems Administration
>>>>>>
>>>>>> http://www.vistahelp.ca/phpBB2/
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>
>>>
>>
>
>
>
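BoaterDave asks above how one might check whether a router has been compromised, and Kerry's point is that a router whose DNS settings have been changed leaves every PC behind it clean, so host AV scans find nothing. The example below is added here and is not code posted by anyone in the thread: it asks the resolver the router handed out and a resolver you trust for the same name, directly over UDP port 53 (bypassing the OS resolver cache), and compares the answers. The hostname, the addresses and the two constructed reply packets in the demo are assumptions made so the script runs offline; the only standard-library modules used are socket, struct and random.

```python
# Added example for this thread (not code posted by any participant).
# Router-level DNS hijacking leaves the PC clean, so host AV scans see nothing.
# One check a technician can run: ask the resolver the router handed out and a
# resolver you trust for the same name, directly over UDP/53, and compare.
# Standard library only; the wire-format code is minimal (A records, IPv4).
import random
import socket
import struct


def _encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels, e.g. b'\\x03www\\x07example\\x03com\\x00'."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Standard A/IN query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(name: str, txid: int, addresses: list[str], ttl: int = 60) -> bytes:
    """Constructed answer packet, used here only so the demo and tests run offline."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = _encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for addr in addresses:
        # 0xC00C is a compression pointer to the name at offset 12 (the question)
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answers


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a name, whether written out or compressed."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # two-byte compression pointer
            return offset + 2
        offset += 1 + length


def parse_a_records(data: bytes, txid: int) -> list[str]:
    """Extract the IPv4 addresses from a response; CNAME and other RR types are skipped."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4       # skip QTYPE and QCLASS
    found = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            found.append(socket.inet_ntoa(rdata))
    return sorted(found)


def query_a(server: str, name: str, timeout: float = 2.0) -> list[str]:
    """Send one A query straight to `server` (bypassing the OS resolver) and parse the reply."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, txid)


def compare_answers(router_answers: list[str], trusted_answers: list[str]) -> str:
    """Disjoint answer sets for the same name are the hijack signature."""
    router, trusted = set(router_answers), set(trusted_answers)
    if router == trusted:
        return "consistent"
    if router & trusted:
        return "partial overlap"   # large sites rotate CDN addresses; re-check before concluding
    return "mismatch"


def demo() -> dict:
    """Offline walk-through with constructed packets; the name and addresses are assumptions."""
    name, txid = "www.example.com", 0x1234
    router_pkt = build_response(name, txid, ["198.51.100.7"])   # what a lying resolver returns
    trusted_pkt = build_response(name, txid, ["203.0.113.5"])   # what a trusted resolver returns
    router, trusted = parse_a_records(router_pkt, txid), parse_a_records(trusted_pkt, txid)
    return {"router": router, "trusted": trusted, "verdict": compare_answers(router, trusted)}


if __name__ == "__main__":
    print(demo())
    # Live use (not run here): compare query_a(<router DNS>, n) with query_a(<trusted DNS>, n)
```

For live use, take the resolver addresses from the DHCP lease on a PC (`ipconfig /all` on Windows) and from the router's status page, and compare them with what the ISP says its resolvers are before querying anything. Two caveats: answers for large sites legitimately differ between vantage points, so treat a partial overlap as "re-check", not proof; and a router that intercepts all traffic to port 53 can lie to both queries, so a mismatch is strong evidence but a clean result is only meaningful if the trusted resolver was reached over a path the router cannot tamper with (for example another connection entirely).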