July 6, 2015
There's a way to compromise a home network without actually being on it. It's called "cross-site request forgery." It starts by redirecting a user to a malicious website, typically by phishing.
The site uses the prey's browser to send requests to the home router. The router thinks the prey is sending the requests from the home network. "Home routers are very naive," said Incapsula's Ofer Gayer.
Most consumers pay as much attention to routers as they do to doorknobs. That's not the case with Net marauders. They're finding the devices ripe targets for mischief.
"We've seen a big increase in malware designed for home routers," said Incapsula researcher Ofer Gayer.
"Every week, we see a new vulnerability in a vendor's routers," he told TechNewsWorld. "They're low-hanging fruit if you're a hacker. They're a very soft target."
Home routers are the soft underbelly of the Internet, observed Andrew Conway, a threat researcher at Cloudmark.
"They were never designed to be high security components, and once they are installed, they are typically never updated," he told TechNewsWorld.
"Even when vulnerabilities are discovered, a vendor may not patch their firmware -- and if they do, the patches are rarely applied," Conway said.
As soft a target as routers may be, they have been protected by a restriction on how their settings can be altered. Typically, you have to be on a network locally before you can access and change those settings. That's not always the case, though, as Incapsula recently pointed out.
Incapsula discovered one router maker had installed what was essentially a backdoor in its products to make it easier to service the routers. Unfortunately, Net miscreants discovered what the router maker had done, and they began herding many of the routers together to mount distributed denial-of-service attacks.
"Routers are strong enough today to create a pretty significant denial-of-service attack," Gayer said.
Even if your router maker doesn't put a backdoor in your router, there's a way to compromise a home network without actually being on it. It's called "cross-site request forgery."
It starts by redirecting a user to a malicious website, typically by some kind of phishing email. The site uses the prey's browser to send requests to the home router. The router thinks the prey is sending the requests from the home network.
"Home routers are very naive," Gayer explained.
Once a predator opens up the channel between the prey's browser and the router, a host of options become available.
"I can change whatever I want," Gayer noted. "I can change the DNS server. I can open a hole in the firewall. I can change the admin password." To do all that, no access to the router is needed.
"I just make you perform the requests by redirecting you," Gayer said.
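As an added illustration (not code from the article, Incapsula or any router vendor), the Python example below contrasts the "naive" trust decision Gayer describes with a router admin handler that also checks where the request originated and whether it carries a session-bound token. The LAN range, admin origin, secret, session ID and form field names are all assumptions made up for the example.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN range
ROUTER_ORIGINS = {"http://192.168.1.1"}       # assumed admin UI origin
SECRET = b"constructed-per-device-secret"      # placeholder signing key

def csrf_token(session_id: str) -> str:
    """Token bound to the admin session; served only in the router's own pages."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def naive_accept(req: dict) -> bool:
    """The naive check: trust any request that arrives from a LAN address."""
    return ipaddress.ip_address(req["src_ip"]) in LAN

def hardened_accept(req: dict) -> bool:
    """Require a LAN source, a same-origin Origin/Referer and a valid token."""
    if not naive_accept(req):
        return False
    source = req["headers"].get("Origin") or req["headers"].get("Referer")
    parts = urlsplit(source or "")
    if f"{parts.scheme}://{parts.netloc}" not in ROUTER_ORIGINS:
        return False  # request was triggered by a page on another site
    expected = csrf_token(req["session_id"])
    return hmac.compare_digest(expected, req["form"].get("csrf_token", ""))

# Constructed sample requests: both are sent by the same browser on the LAN.
LEGIT = {
    "src_ip": "192.168.1.23", "session_id": "s-1001",
    "headers": {"Origin": "http://192.168.1.1"},
    "form": {"dns1": "192.168.1.1", "csrf_token": csrf_token("s-1001")},
}
FORGED = {
    "src_ip": "192.168.1.23", "session_id": "s-1001",
    "headers": {"Origin": "http://malicious.example"},
    "form": {"dns1": "203.0.113.7"},
}

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("forged", FORGED)):
        print(name, "naive:", naive_accept(req), "hardened:", hardened_accept(req))
```

The naive check accepts both requests because they share a source address; the hardened check rejects the forged one because a page on another site cannot set a matching Origin or read the token.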
Targeting Uncle Sam
Last week wasn't the best of times for federal employees. The decibel level of the furor over the Office of Personnel Management data breach continued to rise.
It didn't take long for signs to appear that Net bandits were putting the stolen data to use. For example, an Army base in Alabama warned its employees of a phishing email purporting to be from the OPM and directing targets to a website where personal information could be cajoled from them.
Meanwhile, OneWorldLabs, which monitors the Dark Net, spotted data apparently from the OPM breach for sale. If that were the case, though, it would throw cold water on the idea that the Chinese government was behind the OPM break-in, since it likely would keep the data under wraps and not be trying to sell it to cybercriminals.
Nevertheless, most of the U.S. finger-pointing has been toward Beijing.
"China would like to be in every U.S. system on some level," said Jared DeMott, principal security researcher at Bromium.
"The data the hackers stole could just be the initial phase of the attack, while moving toward more attractive targets," he told TechNewsWorld.
What makes matters worse is that there's little the United States can do about the breach, said Securonix Chief Scientist Igor Baikalov.
"First of all, the U.S. spies for 'national security advantages' just like China does -- no moral high ground for the U.S. there," he told TechNewsWorld.
"Second and most frustrating, there's not much the U.S. can do to retaliate for this attack," Baikalov said. "Economic sanctions? They're hardly applicable to the country that holds most of your national debt."