New Cyber Risk Users Your Browser to Hijack Your Router

Cybercriminals have developed a new Web-based attack tool to hijack routers on a large scale when users visit compromised websites or view malicious advertisements in their browsers.

The goal of these attacks is to replace the DNS (Domain Name System) servers configured on routers with rogue ones controlled by attackers. This allows hackers to intercept traffic, spoof websites, hijack search queries, inject rogue ads on Web pages and more.

What is DNS? 

dns-rev-1The DNS is like the Internet’s phonebook and plays a critical role. It translates domain names, which are easy for people to remember, into numerical IP (Internet Protocol) addresses that computers need to know to communicate with each other.

The DNS works in a hierarchical manner. When a user types a website’s name in a browser, the browser asks the operating system for that website’s IP address. The OS then asks the local router, which then queries the DNS servers configured on it — typically servers run by the ISP. The chain continues until the request reaches the authoritative server for the domain name in question or until a server provides that information from its cache.

Hijacking DNS

If attackers insert themselves in this process at any point, they can respond with a rogue IP address. This will trick the browser to look for the website on a different server; one that could, for example, host a fake version designed to steal the user’s credentials.

The attacks typically work like this: Malicious code injected into compromised websites or included in rogue ads automatically redirect users’ browsers to an attack server that determines their OS, IP address, geographical location, browser type, installed plug-ins and other technical details. Based on those attributes the server then selects and launches the exploits from its arsenal that are most likely to succeed.

These types of attacks are possible through a technique called cross-site request forgery (CSRF) that allows a malicious website to force a user’s browser to execute rogue actions on a different website. The target website can be a router’s administration interface that’s only accessible via the local network.

Many websites on the Internet have implemented defenses against CSRF, but routers generally lack such protection.

Depending on the detected model, the attack tool tries to change the router’s DNS settings by exploiting known command injection vulnerabilities or by using common administrative credentials. It uses CSRF for this as well.

If the attack is successful, the router’s primary DNS server is set to one controlled by attackers and the secondary one, which is used as a failover, is set to Google’s public DNS server. In this way, if the malicious server temporarily goes down, the router will still have a perfectly functional DNS server to resolve queries and its owner will have no reason to become suspicious and reconfigure the device.

The vast majority of routers need to be updated manually through a process that requires some technical skill. That’s why many of them never get updated by their owners.

Protecting Yourself

To protect themselves, users should check manufacturers’ websites periodically for firmware updates for their router models and should install them, especially if they contain security fixes. If the router allows it, they should also restrict access to the administration interface to an IP address that no device normally uses, but which they can manually assign to their computer when they need to make changes to the router’s settings.

Share This:

What is DHCP?

dhcp-logoThis past couple of days have brought some weird DHCP woes to our network. The resulting digital turmoil was causing connectivity issues for workstations and printers. As I worked on the issue over a course of a couple of days I must have mentioned “DHCP” dozens of times to confused co-workers who would look at me strangely as I raced through through their offices “rolling their eyes” with comments like “whatever”.

Anyway with the DHCP problems hopefully behind us I wanted to explain a little bit about “DHCP” and why it such a critical element which works behind the scene, not only on your office networks but often at home on your wireless network as well.

DHCP (Dynamic Host Configuration Protocol) is a communications protocol that allows network administrators to centrally manage and automate the assignment of Internet Protocol (IP) addresses in an organization’s network. Using the Internet Protocol, each machine that can connect to the Internet needs a unique IP address, which is assigned when an Internet connection is created for a specific computer.

Automation & DHCP

Without DHCP, the IP address must be entered manually at each computer in an organization and a new IP address must be entered each time a computer moves to a new location on the network. DHCP lets a network administrator supervise and distribute IP addresses from a central point and automatically sends a new IP address when a computer is plugged into a different place in the network.  this is why when your DHCP was experiencing some sort of hangover I was able to get those effected workstations back online. By manually assigning the IP address at the workstation.

Leasing your DHCP

DHCP uses the concept of a “lease” or amount of time that a given IP address will be valid for a computer. The lease time can vary depending on how long a user is likely to require the Internet connection at a particular location. It’s especially useful in education and other environments where users change frequently. Using very short leases, DHCP can dynamically reconfigure networks in which there are more computers than there are available IP addresses. The protocol also supports static addresses for computers that need a permanent IP address, such as Web servers.

DHCP Server Performing DNS Dynamic Update on Behalf of DHCP Client

DHCP Server Performing DNS Dynamic Update on Behalf of DHCP Client

 

So there you have it. DHCP is a service which usually runs on a server in your network, automating the assignment of IP addresses to workstations and other networked devices. When this does not work properly, which is very infrequently, chaos often results for the IT staff and confusion for everyone else, because their computers just won’t “get online”.

Notice to Technology Professionals

So what actually caused my DHCP meltdown anyway? Well it seems that when Symantec Endpoint Protection was upgraded from 12 to 12.2 the application added a new “feature”, network intrusion protection to the DHCP server which was refusing connections from our workstations.

Once this was disabled DHCP returned to normal and so did my work day.

Share This:

Get To Know DNS

Did you ever wonder how you can type www.startrek.com into your web browser and it instantly transports you to the official website for Star Trek. Our how you can shop at amazon.com by simply entering www.amazon.com into your browser? This magic is all made possible by something known as the Domain Name System, or DNS.

You can think of DNS as the phone book of the internet, which is really what it was intended to be.

DNS was born way back in 1983 as part of the emerging internet. DNS is critical because without it reaching destinations on the internet would be a much more complex task.

It is DNS that converts www.startrek.cominto 72.34.239.185 which is the real internet address of the official home of Star Trek. Give it a try by typing in 72.34.239.185 into your browser and see where you end up. Very simply DNS converts the real numeric internet addresses into friendly hostnames that we can easily remember.

There is a lot of stuff going on when you browse the web.
 

I am discussing this because we are fast approaching the 30th anniversary of DNS. This is an amazing technology that we use every day on the internet. What is so amazing about this is that the translation into the “friendly hostname” is made so quickly and with so little effort (on our part) that many do not even know this translation is occurring.

How does this happen on my home computer? There are several public DNS servers that provide this service. Your computer normally uses the public DNS servers which are pre-configured in the router you have at home. So what happens at home is that when you type a web address into your browser, lets say www.startrek.com you PC talks to your router, then your router go to the Public DNS server it is setup for and translates it back to your browser. This is all done in a blink of an eye. Amazing.

DNS is an example of what I call “invisible technology”. Something that everyone relies on and the majority are unaware of its existence.

You can look at a list of some public DNS servers here.

Share This: