What can an intruder 'do' if he breaks into your router?

A few articles ago there was a thread on how easy it was for an intruder to obtain the password of your router, even if you're using WPA2/PSK.

Assuming the intruder 'does' obtain the password, what 'can' they do besides the obvious which is to log all the web sites you go to?

For example, can they get your bank password & login? Can they put a rogue program on your computer? Can they log your keystrokes?

Or can they only just see all the web sites you go to?

Reply to
Arklin K.

At a trivial level, yes, it's possible to see not only the websites you go to but in any situation where the connection is not protected by https it's possible to see all the content, too (including anything you send in a form or a login).

At a more sophisticated level, it becomes possible to start spoofing DNS responses, so that when you think you're going to (say) your bank's website you're actually going somewhere else. Your bank's website will be protected by SSL, sure, but would you *actually* action a "uh oh, this certificate isn't recognised by your webbrowser" warning when you "know" you've got to your bank? Would you even realise that the connection was being made with http instead of https? (No errors, so it must be ok, yes?)

Now, while you personally might be sure you'd never fall foul of these scenarios, consider whether that level of assurance can be applied to everyone who has a wireless router.

Chris

Reply to
Chris Davies

I hate security questions, but there's nothing better available today.

No. It's encrypted with SSL between your computah and the bank computah. Sniffing does not work.

Maybe. If you have no security or firewall running on your computah, it might be possible to drop a trojan horse program in an open share and wait for you to run it. If you do something dumb, like share the entire hard disk drive, then yes, all manner of evilware can be installed.

No. They can only see the results of those key strokes that make it to the internet. For example, if I login to my bookkeeping system (Quickbooks) on my PC, my login and password are not sent over the network and therefore cannot be sniffed. However, if someone is able to install a key logger, it will be logged.

That is possible depending on the logging and debugging features of the router. If it's fairly crude, not much can be seen. If it's detailed logging, then sniffing will bury the attacker in too much info. In general, if the router has a "block this web site" feature, it also has a parser built in that will make URL logging easier.

I had a customer that had their router hijacked from the internet. I'm not sure exactly how it happened, but I have some guesses.

  1. The router config had the default password.
  2. The user's computer was compromised by malware which then attacked the router.
  3. The router had remote management (port 8080) enabled with the default password.
  4. The router firmware was out of date and might have had a problem.

I'm not sure what was used to attack the router, but the results were interesting. The attack changed the DNS servers configured in the router to something apparently in Korea. The corresponding malware set up a proxy server for internet access. I don't know if these two attacks were related. It's highly likely that the passwords saved in the registry, address book, saved passwords, bookmarks, etc were probably sent somewhere for analysis. Again, note that this was possible by a successful attack on the computer, not the router.

Bottom line... if an attacker wants to collect user files and keystrokes, they need to attack the users computer, not the router.

Reply to
Jeff Liebermann
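The two router-side attacks described in this thread (DNS spoofing from a compromised router, and a router whose configured DNS servers were silently changed) both leave a trace a defender can check from the inside. The script below is an added example written for this page, not code from any poster. It parses the DNS servers a host is using from resolv.conf-style and `ipconfig /all`-style text, flags any resolver outside an allowlist, and compares the answers the configured resolver gave for a sensitive hostname against answers from a trusted reference resolver. Every input (the allowlist, the config text, the recorded answers, the hostnames) is constructed sample data; the real lookups are left out so it runs offline.

```python
"""Audit DNS configuration for signs of a hijacked router (added example)."""
import ipaddress
import re

# Constructed allowlist (assumption): the router's LAN address, the ISP's
# resolver block, and one public resolver the household chose on purpose.
EXPECTED_RESOLVERS = [
    "192.168.1.1",
    "203.0.113.0/24",   # TEST-NET-3 standing in for "my ISP's resolvers"
    "1.1.1.1",
]

# Constructed text in the shape of /etc/resolv.conf and of the DNS section
# of `ipconfig /all`. Both contain one server we did not configure.
SAMPLE_RESOLV_CONF = """\
# generated by DHCP
nameserver 192.168.1.1
nameserver 198.51.100.77
search home.lan
"""

SAMPLE_IPCONFIG = """\
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       198.51.100.77
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_ipconfig(text):
    """Return DNS server addresses from ipconfig /all-style output.
    Indented continuation lines after 'DNS Servers' belong to that field;
    the next labelled line (one containing ':') ends it."""
    servers, in_dns = [], False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns = True
        elif ":" in line:
            in_dns = False
        if in_dns:
            servers.extend(IPV4.findall(line))
    return servers


def unexpected_resolvers(servers, allowlist=EXPECTED_RESOLVERS):
    """Resolvers that fall outside every allowed address or network."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    return [s for s in servers
            if not any(ipaddress.ip_address(s) in n for n in nets)]


# Constructed A-record answers. In a real audit you would query the configured
# resolver and a trusted reference (e.g. `nslookup host server`) and record
# both answer sets here.
CONFIGURED_ANSWERS = {
    "bank.example": {"198.51.100.200"},           # differs from reference
    "news.example": {"203.0.113.50"},
}
REFERENCE_ANSWERS = {
    "bank.example": {"203.0.113.10", "203.0.113.11"},
    "news.example": {"203.0.113.50"},
}


def divergent_answers(configured, reference):
    """Hostnames whose configured-resolver answer shares no address with the
    reference. Large sites rotate addresses, so only an empty intersection
    is treated as suspicious, not any difference."""
    return sorted(h for h in reference
                  if h in configured and not (configured[h] & reference[h]))


def audit(resolv_text, ipconfig_text, configured, reference):
    """Combine both checks into one report."""
    servers = set(parse_resolv_conf(resolv_text)) | set(parse_ipconfig(ipconfig_text))
    return {
        "unexpected_resolvers": sorted(unexpected_resolvers(servers)),
        "divergent_answers": divergent_answers(configured, reference),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_RESOLV_CONF, SAMPLE_IPCONFIG,
                   CONFIGURED_ANSWERS, REFERENCE_ANSWERS)
    for key, value in report.items():
        print(f"{key}: {value or 'none'}")
```

One caveat matters for the case in the thread: when the host's only resolver is the router itself (192.168.1.1 here), the host-side check passes even though the router forwards to whatever upstream servers the attacker set. The upstream list has to be read from the router's admin page and fed through `unexpected_resolvers` as well; the answer comparison catches the problem either way, because the forged answers come back through the router regardless of which hop was changed.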

Good!

I think this is good since I don't expressly share anything so the only things shared would be whatever is shared by default (CentOS, Windoze XP Home).

Whew!

I guess they would break into the router, and then somehow install the keylogger on an open share and THEN I'd still have to click on the offending executable, right?

At one point I enabled logging on my WRT-54G and it was pretty boring stuff in the log file.

Interesting.

I guess what you're saying is that it's much worse when the computer is attacked than when the router is attacked (which makes sense).

The router, it seems, will only give them information, and maybe set up a rogue DNS server - while the computer can do anything.

Thanks!

Reply to
Arklin K.

Basically correct. However, if your computer isn't properly configured, protected, and updated, there are other ways of installing malware.

Look at it this way. If you plugged your computer directly into the DSL or cable modem, with no router in between, how safe would you expect to be? In the past, it was fairly easy to attack a machine through open ports and unpatched exploits. That's not the case so much these days. It's an easy test to try. Make an *IMAGE* backup of your computah (I use Acronis True Image). Then, put it directly onto the internet and see what happens. If it gets compromised, then patch the hole or restore the image backup. If not, you're safe.

Yep.

The rogue DNS server was apparently to deliver advertisements while browsing web pages. However, the bad guys could sniff everything you do on the internet with the proxy server setup. All your outgoing traffic would go through the proxy. Of course, that would take far too much bandwidth to be worthwhile, so it's not commonly done. However, the proxy server setup is done on the computah, not in the router.

Reply to
Jeff Liebermann

Also keep in mind that the Internet connection itself may be what someone is after.

Reply to
Char Jackson

That would be an interesting case study!

Maybe I should post my IP address here too!

(just kidding)

Reply to
Arklin K.

It's 127.0.0.1. ;)

Reply to
Ant

Actually, no. If it doesn't get compromised during the test it just means that it wasn't compromised during the test. It does not mean it's safe.

Chris

Reply to
Chris Davies

I knew there was a reason that I don't get involved in security discussions. Sigh...

There's a small logic problem. While it's quite easy to demonstrate that the computer is unsafe by showing that it's vulnerable to some manner of exploit, it's completely impossible to demonstrate that the computer is completely safe, invulnerable, and free of security holes. Even the best secured servers have been successfully attacked. My crude test does not demonstrate that it's safe. It demonstrates that it might be safe to use without an external firewall, relying on whatever incoming firewall comes with the operating system.

I'm also assuming that most attacks are scripted and automated. I haven't turned on detailed logging on my firewall in a while, but back about a year ago, I found that about 5-10% of my incoming traffic came from probes, port scans, and exploit attempts. It's probably about the same today. If someone manually targets a specific machine, it's highly likely that they'll eventually be successful at taking over the machine.

Crudely, there's little on a home user's machine worth stealing. The amount of effort needed to steal credit card numbers and passwords to accounts is somewhat higher than the potential reward. It's much more profitable to target a web server that stupidly saves credit card numbers on the web server, or a service provider that leaves user account information accessible from the internet. At best, what an attacker wants is a spam relay or a new addition to their botnet.

Machines directly on the internet are going to become a real problem as IPv6 is deployed. IPv6 does not allow for NAT, which is the main form of workstation protection these daze. You can either put the machine directly on the internet, or buy a SPI (stateful packet inspection) firewall. Either way, it's one routeable and targetable IP address per machine.

First IPv6 Distributed Denial of Service Internet attacks seen.

Internet attacks target small cities, small biz in India

25% of bot infections reported from small cities, targeted attacks up from 77 a day to 82.

Those who would give up essential security to purchase a little temporary convenience, deserve neither security nor convenience. (Apologies to Ben Franklin).

Reply to
Jeff Liebermann

I don't think it is - so long as the vendors of consumer-grade gear do everybody a favour and make the stateful inspection approach the default. IOW, it'll be just like it is now with an IPv4 NAT router, except there won't be NAT. Only people who get onto their routers and have a tinker will end up vulnerable.

This is something I hear oft-repeated about IPv6. It's not the NAT that's the protection - it's fact that you need the stateful inspection to make the NAT work that makes it look like it's the NAT doing security, and if you somehow manage to turn off the stateful inspection with IPv4, your internet will stop working, which won't be the case with IPv6.

Reply to
alexd

Ummm... that's what I said. Quoting myself: You can either put the machine directly on the internet, or buy a SPI (stateful packet inspection) firewall. Either way, it's one routeable and targetable IP address per machine. The only problem with this is that there's no way for Joe Sixpack to know that the SPI firewall is actually working. I could turn it off and most people would not know that anything has changed.

Many older models do not do SPI. However, with forged and custom crafted packets floating around everywhere, relying on just NAT for external security is not a good idea. However, please note that there are some routers (i.e. most Linksys) where SPI can be disabled. For example, the shiny new Linksys E4200:

There are some good reasons for disabling SPI, but I don't want to discuss it without doing some reading first.

Reply to
Jeff Liebermann
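The last two posts make the same point from different angles: it is the stateful inspection, not the address translation, that keeps unsolicited inbound packets away from a LAN host, and on a router where SPI can be switched off there is no visible sign that it has been. The toy packet filter below is an added example written for this page, not code from any poster or router vendor. It tracks flows a LAN host opens in a state table and allows an inbound packet only if it matches one; the same constructed trace is run with inspection on and off so the difference shows up as data. The LAN prefix, the addresses (documentation and ULA ranges) and the trace are all constructed assumptions.

```python
"""Toy stateful packet filter over a constructed IPv6 trace (added example)."""
import ipaddress
from dataclasses import dataclass

INSIDE = "fd00:1234::/64"   # assumption: our LAN prefix (IPv6 ULA, constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "SYN", "SYN-ACK" or "ACK"; TCP-only toy


def is_inside(addr, prefix=INSIDE):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


class StatefulFilter:
    """Allows outbound traffic, remembers the flows it opens, and admits
    inbound packets only when they belong to a remembered flow.
    With inspect=False it behaves like a plain IPv6 router: every inbound
    packet to a routable LAN address is forwarded."""

    def __init__(self, inspect=True):
        self.inspect = inspect
        self.state = set()   # (inside_addr, inside_port, outside_addr, outside_port)

    @staticmethod
    def _key(pkt, outbound):
        if outbound:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # same flow, seen from inside

    def decide(self, pkt):
        outbound = is_inside(pkt.src) and not is_inside(pkt.dst)
        inbound = is_inside(pkt.dst) and not is_inside(pkt.src)
        if outbound:
            if pkt.flags == "SYN":            # a new connection creates state
                self.state.add(self._key(pkt, True))
            return "ALLOW"
        if inbound:
            if not self.inspect:
                return "ALLOW"                # nothing between the host and the internet
            return "ALLOW" if self._key(pkt, False) in self.state else "DROP"
        return "DROP"                         # LAN-to-LAN or transit: out of scope here


# Constructed trace: a LAN host opens an HTTPS connection and gets its reply;
# an unrelated outside address then probes the same host on two other ports.
TRACE = [
    Packet("fd00:1234::10", 50000, "2001:db8::80", 443, "SYN"),
    Packet("2001:db8::80", 443, "fd00:1234::10", 50000, "SYN-ACK"),
    Packet("2001:db8::bad", 40000, "fd00:1234::10", 22, "SYN"),
    Packet("2001:db8::bad", 40001, "fd00:1234::10", 445, "SYN"),
]


def run(trace, inspect=True):
    """Verdict for each packet in order, using one filter instance."""
    f = StatefulFilter(inspect)
    return [f.decide(p) for p in trace]


def exposed_ports(trace, inspect):
    """Ports on LAN hosts reached by inbound packets that an inspecting filter
    would have dropped, i.e. unsolicited traffic that got through."""
    strict = run(trace, inspect=True)
    actual = run(trace, inspect=inspect)
    return {p.dport for p, s, a in zip(trace, strict, actual)
            if s == "DROP" and a == "ALLOW" and is_inside(p.dst)}


if __name__ == "__main__":
    for inspect in (True, False):
        print(f"inspect={inspect}: {run(TRACE, inspect)}  "
              f"exposed ports: {sorted(exposed_ports(TRACE, inspect)) or 'none'}")
```

The reverse-key lookup in `decide` is the same table an IPv4 NAT router needs to rewrite return packets, which is why removing it breaks IPv4 connectivity outright but, without NAT, only silently removes the protection. `exposed_ports` is the kind of check the "Joe Sixpack" point calls for: the only way to know the filter is working is to compare what an outside probe reaches against what a correctly inspecting filter would admit.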

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.