February 23rd, 2007


Change Your Router Passwords!

Less geeky version: change your router password from blank, "admin", or "default", or your computer and network could get hacked.

More geeky: Security researcher Bruce Schneier describes a newly discovered attack where malicious JavaScript code on a webpage can change the settings on your home networking router. Such routers are commonly used with DSL or cable modems; I've got one on my home network, and most of my friends use one too. I just read through the paper, and the attack is pretty clever, using image and script tags to find out information about your router and to send commands to it. The takeaway from this is simple: make sure you change any default passwords on devices on your network to something else. For companies that make routers, the lesson is that you need better security on your commands -- don't let them respond to HTTP GET requests, and add a session token to the commands so that each request can be authenticated as actually originating from the router configuration forms.
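
One way a router's configuration interface could enforce those two rules, as an added example that is not from the original post or the paper. The function names, the `/apply` path, and the in-memory session store are assumptions made for illustration:

```python
import hmac
import secrets

# Hypothetical in-memory state for a router admin UI (all names are assumptions).
SESSIONS = {}                                  # session id -> per-session form token
SETTINGS = {"dns_server": "192.168.1.1"}       # constructed sample setting


def login():
    """Create a session after a successful password check (check omitted here)."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = secrets.token_urlsafe(32)
    return session_id


def render_form(session_id):
    """The configuration form embeds the session's token as a hidden field."""
    token = SESSIONS[session_id]
    return ('<form method="POST" action="/apply">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="dns_server"><input type="submit"></form>')


def handle_apply(method, session_id, form):
    """Apply a settings change; returns an HTTP status code."""
    # 1. State-changing commands never run on GET, so an image or script
    #    tag embedded in another page cannot trigger them.
    if method != "POST":
        return 405
    # 2. The caller must hold a valid session.
    expected = SESSIONS.get(session_id)
    if expected is None:
        return 401
    # 3. The request must carry the token that only the router's own form
    #    contains; a page on another site cannot read it.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    if "dns_server" not in form:
        return 400
    SETTINGS["dns_server"] = form["dns_server"]
    return 200
```

The token comparison uses `hmac.compare_digest` so the check takes the same time whether or not the supplied value is close to the real one.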