Help my Linksys WRT54G router was broken into using the "curl" command

What I don't get is why the Linksys WRT54G router has a password but not a login name. Wouldn't it be MORE SECURE if I could change the login name?

I can type anything I want into the login name field but it doesn't take.

Am I doing something wrong?

Why does the Linksys v5 WRT54G router have a login name if it isn't used? Likewise with the host name. Why does it have a host name that isn't used, and why can't I just set the hostname to a blank?

It seems topsy-turvy to me. Am I wrong?

Reply to
Debbie Hurley

This is among the reasons you only let trusted parties on your LAN if at all possible.

IIRC, it requires LAN access to exploit unless you are running a non-default configuration whereby remote admin is enabled.

It pertains to wireless insofar as if you don't have wireless security enabled, then any old neighbor can join your LAN and then exercise the vulnerability.

Reply to
Todd H.

Debbie Hurley hath wroth:

You don't need a new router. You need a firmware update. No big deal. What I'm concerned about is how remote access got turned on and who did it (and why). You might want to interrogate the kid.

Yes, but don't presume it's my good intentions or generous attitude. The problem is that old bugs tend to come back. One version fixes a problem, the next version brings it back as sloppy coders recycle old code. In the software biz, it's part of regression testing.

Chuckle. Ever see any magic tricks or sleight of hand? It looks real, but you just know something is going on in the background. Well, hacking and breaking in are like that. I derived considerable entertainment at the expense of a few IT people (who now hate my guts) breaking into their systems using social engineering, and then making it look like some kind of vulnerability or systemic problem. Yeah, I know I have a warped sense of humor, but it keeps me entertained. The only problem is that the IT people now hate my guts. Oh well.

Anyway, be careful that what you're seeing is actually a break-in or vulnerability in progress, and not the residue from a previous break-in. The fact that remote access was apparently enabled makes me VERY suspicious.

Well sure. Blame the victim and all that. Nobody wants to be told their network is full of holes and vulnerable to attack. Why bother fixing the problem when you can simply discredit the person that found the problem?

It's old firmware. Someone goofed and it's been fixed. All vendors have their security holes and problems.

Actually, that's a good point because I couldn't find it in the firmware release notes. It's fashionable to disclose vulnerabilities only after the fixes are available. That's a fair method, but doesn't work if users like yourself do not perform ritualistic firmware version checks and updates.

There are instructions on the Linksys web site (somewhere). It's basically very easy. Download the firmware image file. Make an extra effort to be sure you have the correct version and file. You still haven't bothered to disclose your WRT54G hardware mutation, so I can't offer specific advice, filenames, and URL's.

Uncompress the download if it's a ZIP file. Go to the firmware update page:

and browse merrily to the .bin (or whatever) file. Hit update and wait. When you think it's done, wait some more. Figure on about 2 minutes to be safe. With v5/v6, I don't think you have to reset anything. That's it.

Don't bother. Almost all of that manner of improving security consists of either obscuring your setup or introducing additional obstacles. Those are good if you enjoy complicating your own life as well as that of the prospective hacker, but are generally near worthless. See the FAQ at:

Your real security is in:

  1. WPA-PSK or WPA2-PSK encryption
  2. Password for router access
  3. Firmware updates

Most of the tweaks are of marginal value.

If you want real security, set up a VPN and a RADIUS server. The RADIUS server provides a login and password per user, but also delivers a unique one time WPA encryption key which cannot be leaked. If I wanted to attack your system, I would not attack the router, but would try to extract the WPA key from your Windoze registry. See:

A RADIUS server eliminates the use of a shared key, thereby preventing it from being leaked. Ummm... Don't tell the 15 year old brat.

As for your other questions....

You can't do that with the stock Linksys firmware. There's only one user and that's admin. Other routers allow additional users and even user levels, such as read-only users. If you really want this feature, the alternative firmware (DD-WRT, OpenWRT) both have additional users. However, again, this is nothing but security by obscurity and doesn't provide any real security. Anyway, user names are supposed to be publicly accessible and not hidden like a password.

Incidentally, one of my accomplices decided that I should test his system security. He did all the right things, but I still managed to break in. I tricked him into using his laptop to "test" the security by claiming my laptop was dead. He stupidly saves all his passwords in his Firefox browser. It was a simple matter to connect, automatically login with the saved password, and collect my free lunch. This is again why I don't like shared keys, stored passwords, and other convenience features.

Lack of sufficient RAM and NVRAM in the router limits the features that can be crammed inside. Again, the login name is supposed to be publicly known and accessible and should not be treated as yet another password. It also doesn't add much security as the same mechanisms I've previously listed to bypass passwords will work with login names.

  1. You didn't specify WRT54G hardware mutation after being asked by multiple people for this information.
  2. You didn't search with Google to see if it was a known problem.
  3. Declared the WRT54G to be worthless BEFORE asking if there was a fix.
  4. Trusted my advice. Don't trust ANYONE about security without first understanding what you're doing, why it's necessary, and verifying that it's considered a reasonable thing to do.
  5. Posted far too many replies. I'm lazy and don't like hopping from message to message.

That's been asked before, but with no definitive conclusion. The current guess is that a hostname is required for syslog to work. It can be anything, but not blank.

Reply to
Jeff Liebermann

So far, here's what people have emailed to my yahoo address or posted here or in the linksys forum about this horrid WRT54G vulnerability which allows anyone to eliminate all my security settings in a single curl command without ever logging into my router.

formatting link
And the solution is here apparently although I haven't found any confirmation that it actually works (I need to read more before I get the confidence to "flash" my router having never flashed anything before).

formatting link
Debbie

Reply to
Debbie Hurley

Robert hath wroth:

Good questions that deserve an answer.

I've done some hiring in the past with mixed results. I tend to judge applicants and employees by their "willingness and ability to learn" and not what they currently know. This is currently not a very popular method. I have a variety of (illegal) tricks to test for these attributes. I've found it amazingly difficult to find someone that is actually able to learn something new. Who needs to learn anything when you can just look it up on the internet? I even find myself guilty of such intellectual laziness.

At age 15, this kid hasn't experienced the alleged benefits or the stultifying and regressive practices of the US secondary and college educational system. He seems to have initiative, which is a sure sign that he is still able to think for himself. He may be a script kiddie, but he has the guts to show off what he knows, which suggests he has pride in what he knows. He mows lawns, which implies that he knows what money is worth and how it's obtained. He's trying to be helpful, which is a substantial improvement over those that just try to be destructive.

At age 15, I would not expect him to be particularly useful as an employee. I haven't hired anyone quite that young, but I've had some experience hiring the local high skool and college inmates. Results have been mixed, but in general, the smart ones do very well, while the intellectually lazy eventually screw up and do badly.

I'm self employed and have been successfully playing computer consultant since about 1982. Prior to that, I designed communications radios for various employers, owned a communications repair shop, and owned a print shop. A minor reason why I'm self employed is my unwillingness to deal with employees (and partners). I currently hire contractors as needed, but not employees.

I suspect that the OP could hire the kid to fix her wireless security. However, that's not what's needed. I think he might be more useful in cleaning up the system security, including the desktops and laptops, as well as possibly teaching the OP how it all works. He may be recycling stuff from the internet, but that's how kids learn things these days. In effect, she would be hiring him as her personal security advisor and update manager, something a 15 year old could easily do for a single small system.

Incidentally, in the distant past, when the internet was mostly usenet news, I ran a Cnews server and BBS in my office. A common initiation rite at the local high school was to break into my system. Some of the methods used were amazingly clever and ingenious. I learned quite a bit. I would later pay some of the better hackers to help maintain my systems. All of them did well after graduation, although not necessarily in computing.

It's possible that you fear that your job in firewall security might be in danger from a 15 year old. I've seen some rather impressive IOS configuration work done by 18 year olds. I've also seen some disgusting security holes found by kids who simply don't know that you're not supposed to do this or that. My former neighbor's 12-year-old was an amazing "finger hacker" who could read my keystrokes almost as fast as I could type. How many older IT people do you know that can spot a hacked and wiretapped KVM switch? Are your server room keystrokes being recorded by the security camera? Are your backup tapes and drives encrypted and/or secure? Done any dumpster diving lately? None of this is particularly appealing to the typical IT employee, but is stock and trade to a 15 to 18 year old. What we gain in knowledge and experience, we lose in imagination and initiative.

In case you're wondering, I got my start in tech as a 16 year old phone phreak, which was the accessible high tech of the 1960's. You'll probably find my name in some Ma Bell horror stories. I was later lucky enough to find part time employment with companies and individuals that needed imagination and smarts more than experience and knowledge.

Reply to
Jeff Liebermann

This recommended reference says the Linksys WRT54G firmware update only fixes half the problems, in that something called "authentication bypass vulnerability" was fixed but not something called "the CSRF vulnerability".

formatting link

Yes. It was enabled. I don't know how as I never touched that before. Web access, whatever that is, was also enabled, as was pnp and a zillion other things.

I understand but I would have thought this would warrant a recall like they do with cars where you bring it in and they bring it back up to safety specifications. There's no way they should have sold that router to me with such an unsafe vulnerability. Why do we recall cars but not routers that have safety problems?

Hmmm... that's not one of my options. I have WPA2 Personal on the Linksys WRT54G router (which I looked up to be the same thing as WPA2 PSK) but I don't have WPA2-Personal or WPA2-PSK options on my Windows XP fully updated. Something must be wrong with my windows setup so I will keep looking to see what I need to fix. At least Microsoft constantly updates my operating system automatically so I don't have to worry about "flashing" the computer! :)

I thought I did. It's version 5, and firmware version v1.00.6. Is there ANOTHER version I need to be aware of?

I did search for "curl" but I didn't know what to look for. I did find the linksys forums and searched there and posted there the exact same question. They said to upgrade the firmware and tell them if it worked or not to stop the next curl attempt.

The fix seems good but (see prior) it only fixes "authentication bypass vulnerability" but not "the CSRF vulnerability" according to the references cited above.

Huh. I trust you. Aren't you trying to help me?

Oh. I was trying to be responsive and courteous to my friends who were trying to help me. I'll stop replying so as to prevent the confusion and allow you to get me to the point I need to be.

Thank you! Debbie

BTW, which is the "right" newsgroup forum for this kind of Linksys WRT54G security vulnerability solution type of question?

Reply to
Debbie Hurley

Debbie Hurley hath wroth:

I'll look at it later. It's a holiday and I'm lazy.

Easy. Because no router manufacturer has been successfully sued for damages resulting from security holes, while automobile manufacturers tend to get sued for anything and everything.

Please note that there are literally a huge number of vulnerabilities in various computer products. Given time and limited resources, it's impossible to just TEST for these vulnerabilities, much less find the time to fix them.

Open Source Vulnerability Database

Security and Vulnerability announcements

Here's the statistics for MS XP Home:

Note that 15% of the 155 vulnerabilities announced since 2003 have NOT been patched.

WPA-PSK is exactly the same as WPA-Personal.
WPA-RADIUS is exactly the same as WPA-Enterprise.

I traced back where the name change came from. The Wi-Fi Alliance is more consumer oriented and went for the Personal and Enterprise. The IEEE is addicted to acronyms and elected to use PSK and RADIUS.

Wrong. Microsloth only automagically updates *CRITICAL* updates or those that compromise security. Optional updates must be downloaded manually. Start -> Run -> wupdmgr It should start IE6 or IE7 and run Windoze update. If it suggests you upgrade to "Microsoft Update", do it. Then, hit the "Custom" button. It will grind the hard disk for perhaps 10 minutes deciding what needs to be updated and present you with a list. Check EVERYTHING, download and install. Shut down when it demands and reboot.

You're not done yet. MS Office might need some updates. Start IE6 or IE7 and go unto:

In the upper right hand corner, is a tiny obscure well buried button for Office Update. Pick your version of MS Office and do the updates.

There are also plenty of applications on your machine that could use an update and may have vulnerabilities. Quicktime, Itunes, Winamp, etc as well as your favorite virus and spyware scanners all need to be updated.

If you think this is a drag, you're right. There should be a unified update and notification mechanism. Not this week. Meanwhile, this is a good thing for your 15 year old prospective hacker to do after butchering your lawn.

Sorry. You did in another message that didn't arrive until after I posted my reply. This is why I don't like a large number of messages. I get easily lost.

Ok, you're partially forgiven. If you had typed in the curl command (wrapped in double quotes), you would have found all the security advisories.

I think we have different criteria for acceptability. The authentication problem (curl example) is serious and if unpatched, I too would consider the WRT54G to be dangerously insecure. However, I know of other vulnerabilities and oddities that also might be used to compromise security that do not warrant such a drastic action like recycling the router. Is the WRT54G useful and fairly safe (after patching)? Methinks so. Can Linksys do better? Probably. Would a different router do better? No way to tell.

Nope. I'm just a wolf in sheep's clothing. In my spare time (usually under the cover of darkness), I join the forces of evil in a never ending effort to uncover security holes and screwups in computing. As a side effect, security does gradually tend to improve. However, it's the challenge that gets my attention, not the side effects. I tend to do best with social engineering and physical security, but when those fail, hacking will suffice. Try not to let it bother you as many of those that really know what they're doing, didn't learn security from a book, and also tend to have a checkered past.

I don't know. I only infest alt.internet.wireless. One technical newsgroup is all I handle in my ever shrinking spare time.

Reply to
Jeff Liebermann

My IT "kid" just turned 20. I turn him loose to fix customer issues - if he can't fix it, he knows how to find the answer. There has never been a service call that he hasn't cleared.

It's not what you know...it's all in how to recognize what the problem is, how to fix it or find the answer...and learn from it. And document the whole episode for future references.

And he's starting up his own trucking business on the side.

Reply to
DTC

Your router default settings, other than 192.168.0.1/24 and the password and WPA-PSK were fine. Your choice of allowing the default subnet and the remote access was a large mistake that let him in.

Reply to
Leythos

And there is more than just not using the default IP, and it does make a difference, as there are web sites that will hack your router without using the wireless connection, and they don't "cap it off the air". So, again, change your subnet, that's first.

Next, you ENABLED REMOTE MANAGEMENT (which is not the fault), so you screwed yourself there also - disable remote management and set up a strong password.

Yes, there are exploits, for most any device, but, you can limit your exposure.

Reply to
Leythos

Oh really. If you're daft enough to put an open access point in the big bad world, you deserve everything coming.

Oh really.

Very dangerous, especially where there is a self identifying problem between the chair and keyboard.

greg

Reply to
Greg Hennessy

Quite, I get the distinct stench of troll......

Reply to
Greg Hennessy

So, you're clever enough to change the default configuration, but you cannot figure out how to configure WPA-PSK.

Hmmmm.

Reply to
Greg Hennessy

Debbie Hurley hath wroth:

Baloney. All 802.11 wireless is done by bridging on Layer 2 with MAC addresses. There is nothing in the 802.11 protocol or specs that even mentions IP addresses. Not all wireless packets are encrypted. However, all packets that contain an IP address in the header, including ARP broadcasts and responses, are encrypted. He could sniff all he wants and without the encryption key, he's not going to see an IP address go by.

I wasn't 100.0% sure of this so I ran some old capture log files through Ethereal looking for telltale ARP broadcasts (frame.pkt_len==68 and wlan.da==ff:ff:ff:ff:ff:ff) and their corresponding responses. No IP's visible. I'll run some more tests later as I'm still not 100.0% sure that all IP's are suitably encapsulated in encrypted packets.

He can do network discovery successfully from the wired ethernet part of the network, because the packets are not encrypted. That would require he plug his laptop into your router and run whatever application he finds useful. However, if he were to attempt that via wireless, on an encrypted WLAN to which he does NOT have the key, it won't work. He would see the MAC addresses of most of the devices, but not the IP addresses.

Sigh. GENERIC-MAP-NOMATCH means that the vulnerability does not match anything in the Common Vulnerabilities and Exposures database. In other words, it's either something new, weird, or ridiculous. It's not a specific vulnerability or problem.

Yeah, they do reproduce themselves. Kinda like recycled year old vulnerabilities rise from the near dead.

Ask him to post somewhere, a capture log and Wireshark decode of a wireless encrypted session that shows exposed IP addresses. I'm too lazy to do the work on a holiday.

Reply to
Jeff Liebermann
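The point Jeff makes above (that on a WPA-protected WLAN the ARP broadcasts, and therefore the IP addresses inside them, are carried in encrypted data frames, so a passive listener sees MAC addresses but no IPs) can be checked mechanically on a capture rather than by eyeballing Ethereal output. The following is an added example, not code from the thread or from Linksys: a minimal 802.11 data-frame parser that reads the Protected Frame bit, works out the destination MAC, and only attempts to read the LLC/SNAP ethertype and an ARP sender IP when the frame is unencrypted. It runs over two constructed frames (an open-network ARP request and the same request as it would appear under WPA/CCMP), whose MAC addresses, IPs and ciphertext bytes are all made up for the demonstration. It is the programmatic counterpart of the `wlan.da==ff:ff:ff:ff:ff:ff` filter in the post, generalised to any data frame rather than the fixed 68-byte length.

```python
"""Check which ARP broadcasts in a list of raw 802.11 frames expose IP
addresses in the clear.  Added example with constructed frames; not code
from the thread.  Frame layout follows IEEE 802.11 (MAC header, then
LLC/SNAP and the Ethernet payload when the frame is unprotected)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
LLC_SNAP = bytes.fromhex("aaaa03000000")   # LLC header + SNAP OUI 00:00:00
FC_FLAG_TO_DS, FC_FLAG_FROM_DS, FC_FLAG_PROTECTED = 0x01, 0x02, 0x40
TYPE_DATA = 2


@dataclass
class FrameSummary:
    protected: bool                # Protected Frame bit in frame control
    dest: str                      # destination MAC address
    ethertype: Optional[int]       # None when payload is encrypted/not data
    arp_sender_ip: Optional[str]   # sender IP when an ARP body is readable


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(frame: bytes) -> FrameSummary:
    """Summarise one raw 802.11 frame (no radiotap header)."""
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    to_ds = bool(fc1 & FC_FLAG_TO_DS)
    from_ds = bool(fc1 & FC_FLAG_FROM_DS)
    protected = bool(fc1 & FC_FLAG_PROTECTED)
    addr1, addr3 = frame[4:10], frame[16:22]
    # Destination lives in addr3 when the frame is headed into the DS
    dest = _mac(addr3 if to_ds else addr1)
    hdr_len = 24
    if to_ds and from_ds:
        hdr_len += 6                      # addr4 present in WDS frames
    if ftype == TYPE_DATA and subtype & 0x08:
        hdr_len += 2                      # QoS control field
    ethertype = arp_ip = None
    # Only an unprotected data frame carries a readable LLC/SNAP header;
    # a protected one starts with the TKIP/CCMP header and ciphertext.
    if ftype == TYPE_DATA and not protected:
        payload = frame[hdr_len:]
        if payload.startswith(LLC_SNAP) and len(payload) >= 8:
            ethertype = struct.unpack("!H", payload[6:8])[0]
            if ethertype == ETHERTYPE_ARP and len(payload) >= 8 + 28:
                arp = payload[8:]
                arp_ip = ".".join(str(x) for x in arp[14:18])  # sender IP
    return FrameSummary(protected, dest, ethertype, arp_ip)


def exposed_arp_ips(frames: List[bytes]) -> List[str]:
    """IPs leaked in plaintext ARP broadcasts; empty on an encrypted WLAN."""
    out = []
    for f in frames:
        s = parse_frame(f)
        if s.dest == BROADCAST and s.arp_sender_ip is not None:
            out.append(s.arp_sender_ip)
    return out


# --- constructed sample frames (all addresses and bytes are made up) ---
def _header(flags: int) -> bytes:
    # Data frame (type 2, subtype 0) from a station towards the AP (ToDS):
    # addr1 = BSSID, addr2 = source station, addr3 = destination.
    return (bytes([0x08, flags]) + b"\x00\x00"        # frame control, duration
            + bytes.fromhex("001122334455")           # addr1: BSSID (constructed)
            + bytes.fromhex("66778899aabb")           # addr2: station (constructed)
            + bytes.fromhex("ffffffffffff")           # addr3: broadcast DA
            + b"\x00\x00")                            # sequence control


def _arp_request() -> bytes:
    # Ethernet/IPv4 ARP request: who-has 192.168.1.1, tell 192.168.1.23
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
            + bytes.fromhex("66778899aabb") + bytes((192, 168, 1, 23))
            + bytes(6) + bytes((192, 168, 1, 1)))


OPEN_FRAME = (_header(FC_FLAG_TO_DS) + LLC_SNAP
              + struct.pack("!H", ETHERTYPE_ARP) + _arp_request())

# Same request on a WPA2 network: CCMP header (PN, ExtIV bit) followed by
# ciphertext and MIC.  The bytes are a stand-in, not real CCMP output.
PROTECTED_FRAME = (_header(FC_FLAG_TO_DS | FC_FLAG_PROTECTED)
                   + bytes.fromhex("0100002000000000")
                   + bytes((i * 37 + 11) & 0xFF for i in range(36))
                   + bytes(8))

if __name__ == "__main__":
    for name, fr in (("open", OPEN_FRAME), ("protected", PROTECTED_FRAME)):
        print(name, parse_frame(fr))
    print("exposed:", exposed_arp_ips([OPEN_FRAME, PROTECTED_FRAME]))
```

On the open-network frame the parser recovers ethertype 0x0806 and the sender IP; on the protected frame it stops at the header, which is exactly what a neighbour without the PSK gets to see. To run it over a real capture, feed `parse_frame` the 802.11 frame bytes from each packet (after stripping any radiotap header) and inspect `exposed_arp_ips`; a non-empty list means unencrypted traffic is on the air.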

Greg Hennessy hath wroth:

Right. Blame the victim. Nicely done.

Look carefully at the paper box the consumer routers are packaged. They're mostly advertising material and are full of acronyms attesting to the high levels of security the user gets if they buy the product. "Buy me and you'll be safe" from evil hackers like me is the mantra. Well, there's just one problem. All the security is disabled by default. Plug, play, and you're wide open.

Now, I know a little about business/commercial law. I'll spare everyone the hair splitting and leave out the legal rubbish. Basically, the consumer has a perceived notion that this router will protect them from evil. If it fails to do that, whose fault would you guess it is? To an average person, of average abilities, the level of education necessary to properly administer a wireless router is substantial and well above what a court of law would consider necessary. Therefore, the responsibility for adequate security falls on the manufacturer, and not the consumer. The not so minor detail that all consumer grade wireless router manufacturers, except 2Wire, are shipping their routers insecure by default, should open up suitable opportunities for litigation. I've been contacted by a few ambulance chasers planning to do exactly that, but have declined their offers.

A suitable analogy would be if you purchased a consumer device that allegedly protected you from some evil, but required that you upgrade your esoteric knowledge level considerably. During this several year long education process, you discover that the device has been essentially disabled and wasn't doing anything useful. Whom would you blame?

Blame the victim again. At least you didn't resort to name calling and labeling.

I have a loaded question for you: Are you so in love with the technology that you forget that real humans are expected to operate the devices? I'm curious because this problem seems to be epidemic among technical types. I'm sometimes guilty of it myself.

Reply to
Jeff Liebermann

Did you miss the part where the OP enabled wireless access and also enabled remote management?

It's entirely the OP's fault.

Reply to
Leythos

On the contrary, speaking as someone who is the one-eyed man in the land of the blind for half a dozen folks who have no PC knowledge.

I am intimately aware of the frustration caused by technology and go out of my way to avoid causing the 1000 yard stare inflicted by an overdose of geekese which is so easy to slip into.

Someone changed the router from its default settings. The question is who. If you're capable of posting to a newsgroup, securing one of the best selling wireless routers out there should not be that much of a challenge.

greg

Reply to
Greg Hennessy

In message at 10:49:52 on Wed, 4 Jul 2007, Debbie Hurley wrote

I remember your post in uk.telecom.broadband about a month ago where you'd forgotten the admin password for your router, and wondered how it could be reset (I remember your name cos it's the same as someone I know from work). Did you let your neighbour friend configure your router for you then?

Reply to
Mike

Greg Hennessy hath wroth:

Well, it's fairly easy to get lost in the flurry of postings and followups, so I'll summarize. There is no security risk to enabling remote management as long as one uses SSH or SSL (if available) to access the router config and the router has a reasonably secure password setup. For the stock WRT54G firmware, there is no secure method of doing remote access, as it lacks SSH or SSL and the password is probably sent unencrypted, so remote management is disabled by default. See settings as shown at:

The problem I had with the original start of this thread question was that she indicated that: "He showed me how to disable remote administration but he said the vulnerability still exists until I get a new router." The implication was that someone had previously turned on remote admin. We can only speculate as to whom at this time. Until a suitable culprit is established, we really shouldn't be assigning the blame. The first step to solving a problem is NOT to assign the blame.

There is also an open issue as to who is responsible for updating the firmware. Linksys formerly had a "check for firmware updates" button, but that never worked even in the original incantation. It was long ago quietly dropped. Is Linksys responsible for informing customers that their firewall is porous? Probably, but I don't see an easy way to implement updates, especially since the prime directive at Linksys seems to be to reduce costs by reducing RAM, NVRAM, and features. At the present time, the customer is responsible for updates. This is more by the abdication of responsibility than by intent, as few customers are qualified and even fewer understand the necessity of updates.

There's also a skool of thought that suggests that if things are working, don't touch them. I've probably seen more systems destroyed by updates than by hacking, viruses, and worms. After a few disasters, customers tend to be paranoid. I hear "leave it alone" all too often. I fight it, but not very well. With some vendors, I intentionally delay updates as they have a track record of breaking more things than they fix. Who's responsible for these updates? I guess it's me.

Really? Then why are there so many FAQ's, guides, blogs, and re-hashed instructions on how to setup a "simple" wireless router? Could it be that it's really not that simple? Just read through the questions on the Linksys wireless forums for a clue.

For today, there are already 51 questions, a mess of followups, and the day isn't half over. There seem to be an awful lot of people having problems with Linksys wireless. Perhaps it's because wireless is NOT so simple?

Switching over to dslreports.com, it's somewhat better:

I'll spare you my list of horror stories that illustrate that there are still plenty of problems to be solved with consumer wireless hardware, drivers, and config. Try roaming between consumer wireless AP's for a great exercise in frustration.

Another clue is the cancerous growth of wireless acronyms, buzzwords, protocols, and specs. I'm directly involved in all this and even I can't keep them straight. Every time I open a magazine, new terms appear out of nowhere. Then, there are the vendor proprietary hang-ons (Cisco Compatible Extensions). I can't even pronounce some of the wireless company names. I can barely keep up to date and you claim that setting up one of these isn't much of a challenge?

As for a person's posting abilities being indicative of their ability to set up a wireless network, I don't think there's much of a connection. An amazing (and alarming) number of help requests in alt.internet.wireless are missing the absolute minimum information necessary to craft a sane reply. Briefly:

  1. What problem are you trying to solve? One sentence is fine.
  2. What do you have to work with? (Hardware, software, versions).
  3. What did you do and what happened? (Exact error messages).

The same people would never dream of asking the clerk at the auto parts store for advice on their vehicle without specifying the necessary info, yet they expect answers on usenet without doing the same.

Finally, permit me the liberty of some semantic hair splitting and guesswork. You suggest that "... securing one of the best selling wireless router..." I have a very tiny problem with this statement. You don't secure the router, you secure the system (or network). In home wireless, it takes at least two to tango. Each link has at least two ends. Securing one end is insufficient as I can breach security just as easily at the client end. I posted a few examples in a previous message in this thread.

Reply to
Jeff Liebermann

Now THAT is a *really* interesting question! ;) bj

Reply to
chicagofan
