Wireless networks/Default Admin username security problem in Croatia

Radoslav Dejanović
05/02/05, 01:35
There are two quite common practices used in Croatia that have left a huge number of users wide open to attacks. I presume that, if you look around, you might find one or both in your general vicinity.

The first one is the fact that computer "manufacturers" in Croatia always choose one of a dozen default usernames while installing Microsoft Windows for their customers. They rarely, if at all, change the username, so a lot of people get their boxes with the same Administrator login. To make things worse, all of those accounts have a blank password and automatic log-in, so the end user doesn't have to think about it. Real plug-and-play technology, isn't it?

Note that some of them ship Linux as well, and the same story goes for the root user, making the Linux box just as secure as its Windows neighbor. While we might think that a Linux box will either be replaced with a pirated Windows installation or have a user that knows a little bit about security, we just don't know how many open Linux boxes there are. But, given the growing popularity of Linux among ordinary people, it is wise to presume that this might not be an insignificant number.

Windows users en masse don't care about the security stuff; they just power up the computer and start working. So we have a whole lot of Windows boxes and probably a big pile of Linux boxes that are really easy prey for 0wn4ge. There's no easy remedy for that - "manufacturers" don't really care about this, so it is up to the end user to protect herself. And we all know that everyone is security aware, don't we?

The second problem is that the largest Croatian telecom company, T-Com (it used to be Croatian Telecom until our politicians sold the majority of shares to Deutsche Telekom), is advertising their aDSL/WiFi combo, in fact an ordinary DSL line with a wireless router at the user's premises.

The trouble here is that T-Com does nothing more than connect the hardware and make sure it is working, leaving the end user with a wireless network that happily broadcasts over an unsecured channel.

Now, let's put these two together: we have a whole lot of users in Croatia that bought their PC from a "manufacturer", never bothered to change the administrator password, let alone the username, hooked on a wireless network that is both unencrypted and open to access to anyone who is in radio range and knows the mysteriously secret default SSID "ConnectionPoint" that is being broadcast by hundreds of APs just in the capital city of Zagreb.

So, what we have here is a lot of clueless people that might have a problem with any or all of these:

- anyone in range can connect to the WiFi network and surf (probably unnoticed), to the great surprise of the poor user who gets the DSL bill at the end of the month (and our DSL rates are HUGE) - affects both Windows and Linux users because it has nothing to do with the PC, but with the AP;

- since there are just a dozen default administrator usernames and none of them has a password associated with it, it is child's play to hook on the wireless network and connect to the user's computer (that DOES include Linux guys who didn't bother to change the password) and wreak havoc - steal banking info, stored PINs and passwords, delete or modify data, etc. - affects both Windows and Linux;

- an intruder can inject a virus on the user's computer, effectively hiding his point of entry - the one that goes to jail would be the poor uneducated user - affects Windows and theoretically Linux as well, given the number of Linux viruses spotted in the wild (but it does make an excellent petri dish for Linux viruses, due to the fact that it is so easy to get root permissions);

- an intruder can use the network or computer to spam around, to his own enjoyment and to the horror and huge DSL bill of the user; oh, and the wrath of the spammed will be felt by the user, of course... :-) - affects Windows and Linux;

- last, but not least, it is possible to war-drive around and seed clients to be used as DDoS drones later. In fact, it can be scripted, so you just have to drive around, and the script will discover the network, log on to it, try all of those dozen default administrator usernames for you and, if successful, seed the drone, then go on searching for the next victim. In that case, the user might never discover that he's hosting a parasite - affects mostly Windows, but Linux is not invulnerable to this either.

We have released a security advisory (18.1.2005.) regarding these issues, as well as a step-by-step description of how to protect yourself by changing the administrator password and securing the WiFi network.

http://www.opsus.hr/index.php?folder=69&article=78

We have sent a message to the Croatian "Office for e-Croatia" as well, for these vulnerabilities might severely interfere with their project of having 100.000 broadband users in Croatia by the end of this year (note: Croatia has just about 4.5 million citizens and is in transition - anyone who is living in a country in transition will understand my point). So far we haven't heard back from them.

T-Com has issued a warning to all their WiFi customers at the beginning of February as well, providing them with an advisory on how to protect their network

http://www.t-com.hr/privatni/internet/pristup/wlan/sigurnost.asp#

that looks a lot like our own advisory.

However, their advisory is slightly flawed - their advice is to let the AP collect all the MAC addresses it can see, while our advice is to enter MAC addresses one by one, for if you use the automatic collection and there's already someone piggybacked on your network, and you don't really know what you're doing (we're talking about Hrvoje Average here, remember), it is easy to enter the attacker's MAC address in the list as well. Taking the PC Card out of its slot and reading the MAC address from the back of the card is more work, but much, much more secure in this case. Not to mention that an ordinary household will have just one or two computers.
One note: T-Com does provide the end user with a manual for their WiFi network that has all this security stuff inside, but their mistake was to count on the end user to take care of security, which is, as you all know, a dream.

It is hard to find a remedy in this case. It is almost impossible to force "manufacturers" to stop using the same administrator login/blank password in production because it takes a little bit longer to put up a computer and might increase problems with customers who forget their passwords, so it cuts into their profit margin.

It might be possible for T-Com to take more care about security while installing WiFi hardware for the end user (and we did advise the Office for e-Croatia to try to push T-Com to do security for the end user), but this cuts into their profit margin as well. Still, since they earn about 1.000.000$ each day from their GSM service (honestly!), a few thousand bucks more spent on having the end user secured immediately after the installation of WiFi hardware is both good for the company image (they should really work on it, given their popularity) and of extreme importance for the growing IT infrastructure in Croatia.

The last option is to have people educated. The government is doing something about it, but it is too little, too late. We're still struggling with having the majority of people understand why they get all sorts of adware and dialers; this might be overkill for them. However, the only real solution is to educate people. Slim chances.

--
Radoslav Dejanović
Operacijski sustavi d.o.o.
http://www.opsus.hr
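As an added example (not part of the original post or the advisories it links), here is a small defender-side audit for the blank-root-password situation the post describes: it parses /etc/shadow-style content and reports every account that would log in without any password. The shadow content embedded below is constructed for illustration; on a real box you would read the actual /etc/shadow as root.

```python
"""Audit /etc/shadow-style content for accounts that log in with no password.

Added example, not from the original post. SAMPLE_SHADOW is constructed;
on a real system you would read /etc/shadow (readable by root only).
"""
from typing import Dict, List

# Constructed sample. Field 2 is the password hash: an empty field means no
# password is asked for at login, "!" or "*" means the account is locked.
SAMPLE_SHADOW = """\
root::12800:0:99999:7:::
daemon:*:12800:0:99999:7:::
hrvoje:$1$abcdefgh$ExampleHashValueNotReal00000:12800:0:99999:7:::
guest::12800:0:99999:7:::
backup:!:12800:0:99999:7:::
"""


def classify_entries(shadow_text: str) -> Dict[str, str]:
    """Map each username to 'empty', 'locked' or 'hashed' based on field 2."""
    result: Dict[str, str] = {}
    for lineno, line in enumerate(shadow_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed shadow entry on line {lineno}")
        user, pw = fields[0], fields[1]
        if pw == "":
            result[user] = "empty"       # no password at all: the post's problem
        elif pw.startswith(("!", "*")):
            result[user] = "locked"      # password login disabled
        else:
            result[user] = "hashed"      # some password is set
    return result


def passwordless_accounts(shadow_text: str) -> List[str]:
    """Return accounts that would log in without a password, root listed first."""
    empty = [u for u, kind in classify_entries(shadow_text).items() if kind == "empty"]
    return sorted(empty, key=lambda u: (u != "root", u))


if __name__ == "__main__":
    for user in passwordless_accounts(SAMPLE_SHADOW):
        print(f"WARNING: account '{user}' has no password set")
```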