Drive-By Practical Joking
 
 
 
With the spirit of mirthful holiday merrymaking in the air these days, you can't resist the urge to have a little Purim fun of your own. But how? You're too old for costume wearing, and there are only so many hamentaschen you can eat.
 
Instead, you might be tempted to run a little Purim practical joke - say, logging into your neighbor's wireless router and changing a few settings, and maybe even try to log on to their actual computers, read their e-mail - you know, innocent stuff like that. It's really not all that difficult - in fact, in many cases, it's downright easy!
 
The latest computer threat, as reported in the media, has been dubbed "drive by pharming," as described in a little on-line video by security company Symantec (http://tinyurl.com/2uqwug). Drive-by pharming entails a compromise of a user's ability to surf the Internet safely by surfing a site that runs a piece of Javascript, logs into the user's wireless router, and changes the DNS server settings to point to a rogue server run by hackers. The DNS server, which resolves Web site names, directs users to phony sites that seem legitimate, allowing the hackers to steal sensitive data. For example, if your router's DNS settings have been changed to point to a rogue server, you could end up surfing to a phony site for your bank, for example.
 
With this kind of attack, just typing http://www.yourbank.com into your browser will lead you not to your bank, but a phony Web page that looks just like your bank, cached on the phony DNS server. When you try to log onto the site with your name and password, you can basically kiss your cash goodbye! And the worst part is, you won't even know you've been hoodwinked until it's too late.
 
How does the Javascript program get into your router? Easy. According to Symantec statistics, over half of users don't bother changing the default password on their mass-marketed home routers (Netgear, Linksys, etc.). The Javascript tries combinations of default names/passwords - like admin/admin, admin/password, etc. - and is able to log onto the router, changing settings and scripts for the benefit of the bad guys.
 
The "drive-by" part of this pharming scam refers to users who surf to a random site from where this Javascript routine is uploaded to your computer. But it also works when you just drive by the houses in your neighborhood and seek out unprotected wireless networks - or, in some cases, a password "protected" network, if the password is a standard or weak one. In the case of the "drive-by" invasion, where you have to surf to a specific site to be infected with the rogue Javascript. But in a neighborhood drive-by invasion, getting proactive - by changing the default settings on your router - is the only way to protect yourself.
 
Note: The techniques I will be describing are meant to be taken as a guide - not for hackers, but for people who need protection from them, because they work, with a minimum of effort. Don't try this at home, Purim time or any time.
 
As the competition between manufacturers of wireless routers grows, as does the market for these routers, manufacturers utilize various methods to tout their products - and ease of use is always a major customer consideration. Router makers believe that customers want an "out of the box" solution, with as little configuration of the device required as possible.
 
Technically, one could just plug most Netgear, D-Link, Linksys, and other popular routers into the wall, and connect their computer to the router either wirelessly or via ethernet cable. Most routers are set to distribute IP addresses automatically, and if your computer is set to pick up its IP address via DHCP, you'll be able to connect to the Internet with no setup whatsoever. If you use the default IP settings, your router's address on the local network will be either 192.168.0.1, 192.168.1.1, or 10.0.0.1, in the vast majority of cases (surprisingly, the default address of the Siemens modem I recently installed was the relatively obscure 10.0,0.138). And, as I mentioned, the passwords on these routers are also standard, and public knowledge (check out http://www.routerpasswords.com/ or http://www.phenoelit.de/dpl/dpl.html, among others, for a list of these default names/passwords for almost all routers made in the past few years).
 
If your neighbor, like mine, hasn't bothered to password protect his wireless network at all, you can easily join that network and use it for surfing the Internet. This you already know. But chances are that the network's name is going to be a standard one - either the name of the router itself - such as "default" (Netgear). Often the network name is the router's name and model number, so you can easily check out all the details by Googling the info. In my neighbor's case, the rta1025w network indicated a Dynalink router, and a further search yielded its default name/password and IP address.
 
Armed with this information logging onto the router - and the network - was easy. Since the router is configured via a Web page which you log onto while connected to the router, you can easily load the configurations for your victim's router in your own browser. From there it's just another easy step to the user's computer, which is likely set without a password either; the router will list the IP addresses it's distributed via DHCP, so all you have to do is set up a network drive on your computer with the remote address (something like \\192.168.1.2\C$ should do nicely). The user name in the case of Windows is almost always Administrator, and if you're asked for a password, try the same word, or something like 1234 or ABCD.
 
For a real challenge, try breaking into an ostensibly password protected network with a standard or router name. It stands to reason that someone with a network named "default" will not really have understood the concept of secure passwords, and may have used the "Admin/Admin" combination as their network password, having seen it in their manual. But why bother? There are probably dozens of open networks all around you that you can have your way with.
 
 
The lesson? Being very, very paranoid - you're much less safe than you think. Even a specific non-standard password can be cracked in seconds or minutes by a cracking program (http://tinyurl.com/rmun6). But, like I said, there are plenty of other victims hackers can more easily attack who aren't protected at all - so setting up even a basic password on your network will probably discourage them from even bothering with you. While you're at it, I would recommend changing the default router address - from 192.168.1.1 to 192.168.1.48, for example - a number that would be harder to guess and less likely to allow a hacker to use a browser to connect to your router, even if they somehow figured out your wireless network password. And, of course, make sure you change your router administrator name and/or password, to keep the bad guys off your cyber-property. This will provide protection against both kinds of drive by invaders, as the pharner's Javascript is programmed to try default name/password combinations, while the nosy neighbors, unless they're very determined, will give up if they're rejected enough times. And rejection is something the neighbors just can't handle, Purim or anytime!