Have you set a password for your router or modem?

here's why you should...

         

RonPK

10:55 am on Jul 29, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Security researchers have found a way to use JavaScript to map a home or corporate network and attack connected servers or devices, such as routers or printers.

Cnet article [news.com.com]

I had a look at the proof of concept. It appears to be shockingly simple to write a JavaScript that can detect any device connected to a local network. It probes known local IP numbers, such as 192.168.1.1. If a device is found, the script reads the device's response and uses it as a fingerprint to determine the device brand. If the device has a web-based interface, and no password is required to use the interface, the script can easily send all sorts of commands to reconfigure the device.

My router/DSL modem lives at 192.168.1.1, has a web-based interface, and I haven't set a password - yet...
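
Added example, not part of the original post: a small self-check for your own router that classifies what its admin page answers when no credentials are sent, which is the condition the post says makes the device reconfigurable. The function names, result labels and matching heuristics are assumptions made for this illustration, and the sample responses are constructed.

```javascript
// Added example (not from the thread). Names and heuristics are assumptions.
// Classify one HTTP response from a router's admin interface.
// res = { status: number, headers: object with lower-case keys, body: string }
function classifyAdminResponse(res) {
  const headers = res.headers || {};
  const body = res.body || "";
  // HTTP Basic/Digest auth: the device refuses until credentials are sent.
  if (res.status === 401 && headers["www-authenticate"]) {
    return "http-auth-required";
  }
  // Redirect to something that looks like a login page.
  if (res.status >= 300 && res.status < 400 &&
      /login|auth/i.test(headers["location"] || "")) {
    return "login-redirect";
  }
  // Form-based login: the page served contains a password field.
  if (res.status === 200 && /<input[^>]+type\s*=\s*["']?password/i.test(body)) {
    return "login-form";
  }
  // A plain 200 with no password prompt: the interface answered anyone who asked.
  if (res.status === 200) return "no-password";
  return "unknown";
}

// Fetch the admin page of your own device (Node 18+ provides fetch) and classify it.
// Redirects are not followed so a login redirect can be seen as such.
async function auditAdminInterface(url) {
  const r = await fetch(url, { redirect: "manual" });
  const headers = Object.fromEntries(r.headers.entries());
  return classifyAdminResponse({ status: r.status, headers, body: await r.text() });
}

// Constructed sample responses, for offline use.
const SAMPLES = {
  basicAuth: { status: 401, headers: { "www-authenticate": 'Basic realm="router"' }, body: "" },
  redirect: { status: 302, headers: { location: "/login.html" }, body: "" },
  form: { status: 200, headers: {}, body: '<form><input name="pw" type="password"></form>' },
  open: { status: 200, headers: {}, body: "<h1>DSL Modem Setup</h1><a href='/wan'>WAN</a>" },
  error: { status: 500, headers: {}, body: "" },
};
```

Run `auditAdminInterface("http://192.168.1.1/")` from a machine on your own LAN; a result of `no-password` means the interface needs a password set. A login prompt drawn entirely by client-side script would also be reported as `no-password`, so confirm by opening the page.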

lecter

2:44 pm on Jul 29, 2006 (gmt 0)

10+ Year Member



Many people don't change the default password of their ADSL modem...

varya

3:37 pm on Jul 29, 2006 (gmt 0)

10+ Year Member



I changed my password immediately.

And the name of the network.

Wireless is set to only accept access from my laptop's MAC address.

And the network key is 25 digits long.

coopster

3:43 pm on Jul 29, 2006 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Good advice. I helped a member once (I thought it was on this forum, but I couldn't find it) who wanted to update their firewall automatically through some scripting. It was quite easy to accomplish, quite easy.

I always set the password and most often I will change the default LAN settings too. I don't let my browser cache the userid/password either. On wireless routers I turn on encryption (WAP, not WEP) and I turn off the SSID broadcast. Other tips welcome ...

henry0

8:43 pm on Jul 29, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



My PCC FW is set to only accept com between machines that are registered.
If not, I am asked to override the setting and accept or disallow, which is useful since I use a wireless router (4 machines).

BTW, I found that if you connect directly via USB from the wireless router to your machine and disallow the MS firewall, the rate of FTP upload increases drastically.

RonPK

11:55 pm on Jul 29, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Henry, the point is that the script runs within your browser. Your firewall probably does not block your browser from accessing IP addresses on your local area network. If you can access your router's configuration interface with your browser, then so can the script.

henry0

12:26 pm on Jul 30, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I am by no means a network-educated person.
Where should I look to reinforce my system?

<edit>
I just read your answer again.
Last time it did exactly that:
Nothing was appearing in my browser until I approved or disallowed access.
</edit>

aspdaddy

8:24 pm on Jul 30, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Of course password protecting all security devices makes sense. And firewall and router config should only be accessible from trusted machines and accounts, not any machine on the LAN. And hijacked web sessions should not have admin privileges to turn off encryption or enable wireless... Just bear in mind what kind of solutions SPI are trying to sell :)