Feb 21, 2007 (11:02 AM EST)
Cisco Warns That 77 Routers Are Vulnerable To New Drive-By Pharming Attack
Read the Original Article at InformationWeek
Cisco Systems Inc. has advised its customers that 77 of its routers are vulnerable to a new form of attack called drive-by pharming.
Researchers at security company Symantec first warned users about the new type of attack last week, calling for all users -- both home and commercial -- to change the default user name and password on their routers if they hadn't already done so. Running the routers with the out-of-the-box password leaves users open to attack.
Symantec's Zulfikar Ramzan posted an online warning that attackers are lacing phony Web sites with malicious code that, when the page is viewed, logs into the visitor's broadband router and changes its settings. He has coined a term for it: drive-by pharming.
"I believe this attack has serious widespread implications and affects many millions of users worldwide," wrote Ramzan, senior principal researcher in the Advanced Threat Research Group at Symantec, on the company's Security Response Weblog. "Fortunately, this attack is easy to defend against, as well."
The defense simply is to change the default password.
Cisco posted a Security Response on its Web site, outlining which routers are vulnerable to the attack and offering advice on changing the password.
Mike Caudill, incident manager at Cisco, says he doesn't have an estimate on how many users change the default user name and password, but adds that it's probably a significant number. He notes that drive-by pharming mostly affects smaller routers used in homes and small- and medium-sized businesses, because the larger enterprise-level routers come with a configuration tool that automatically calls for the default user name and password to be changed during set up.
Once the attackers are into the router, they control its settings, including the DNS servers it hands to every machine on the network, which lets them send users' browsers to whatever Web sites they choose. A user may type www.informationweek.com, but will instead land on whatever site the attackers have chosen.
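As an added illustration (not code from the article, Symantec or Cisco): pharming of this kind works by changing the DNS server addresses the router hands out to the LAN, so a quick check on any client is whether its configured resolvers are the router itself, the ISP's known resolvers, or something foreign. The Python script below parses resolver lists from constructed resolv.conf and Windows `ipconfig /all` output and flags anything outside an assumed allowlist. The subnet 192.168.1.0/24, the router address 192.168.1.1 and the ISP resolver addresses are all assumptions, and both sample outputs are constructed, not captured.

```python
"""Flag DNS resolvers that a pharmed router may be handing out.

Added example, not from the article or from Cisco/Symantec. The LAN,
router and ISP resolver values are assumptions; the sample outputs at
the bottom are constructed for the demonstration.
"""
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.1.0/24")       # assumed home subnet
ROUTER = ipaddress.ip_address("192.168.1.1")        # assumed router address
ISP_RESOLVERS = {                                    # constructed allowlist
    ipaddress.ip_address("198.51.100.53"),
    ipaddress.ip_address("198.51.100.54"),
}

# Dotted-quad IPv4 literal not embedded in a longer digit run.
IPV4 = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def extract_resolvers(text):
    """Return resolver addresses, in order and de-duplicated, from either
    resolv.conf ('nameserver X') or Windows 'ipconfig /all' output
    ('DNS Servers . . . : X' followed by indented continuation lines)."""
    resolvers = []
    continuing = False          # inside an ipconfig 'DNS Servers' block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continuing = False
            continue
        if line.startswith("nameserver"):
            m = IPV4.search(line)
            continuing = False
        elif line.startswith("DNS Servers"):
            m = IPV4.search(line.split(":", 1)[-1])
            continuing = True
        elif continuing and " " not in line:
            # Bare continuation entry; IPv6 entries simply do not match.
            m = IPV4.fullmatch(line)
        else:
            m = None
            continuing = False
        if m and m.group(0) not in resolvers:
            resolvers.append(m.group(0))
    return resolvers


def classify(resolver):
    """'router' and 'isp' are expected; 'lan-host' and 'foreign' are not."""
    ip = ipaddress.ip_address(resolver)
    if ip == ROUTER:
        return "router"
    if ip in ISP_RESOLVERS:
        return "isp"
    if ip in LAN:
        return "lan-host"        # another LAN machine answering DNS
    return "foreign"             # anything off-LAN and not the ISP's


def audit(text):
    """Map each configured resolver to its verdict."""
    return {r: classify(r) for r in extract_resolvers(text)}


def suspicious(text):
    """Resolvers a pharmed router (or a rogue DHCP server) would produce."""
    return [r for r, v in audit(text).items() if v in ("lan-host", "foreign")]


# Constructed sample: Linux client on a LAN whose router has been pharmed.
RESOLV_CONF = """\
# constructed sample, not a real capture
nameserver 192.168.1.1
nameserver 203.0.113.5
"""

# Constructed sample: Windows client on a clean LAN.
IPCONFIG = """\
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       198.51.100.54
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for name, sample in (("resolv.conf", RESOLV_CONF), ("ipconfig", IPCONFIG)):
        print(name, audit(sample), "suspicious:", suspicious(sample))
```

One caveat: if the attackers changed the router's own upstream DNS forwarders rather than the addresses it advertises over DHCP, every client still sees only the router's address and this check passes. In that case the router's WAN DNS settings have to be inspected from its administration page, and the fix the article recommends still applies: change the default password so the page-driven login cannot succeed in the first place.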
Caudill explains that most router manufacturers use basic, and relatively insecure, default user names and passwords to make the set-up process easier for the user. "It might be a simplified login mechanism with a known user name and password," he says. "If they put a different one on every single box, how would they possibly do technical support? If you have 100,000 boxes and have 100,000 user names and passwords, how would I ever be able to help people get set up?"