the exploit that wasn't

For discussions about security.
prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

the exploit that wasn't

#1 Post by prehistoric »

This is one for the record books.

After finding a long list of malware on a compromised system, and going through a grueling process of recovering the system from a state where I had to boot off a floppy, and untangling (allegedly) important personal data from gigabytes of junk, I was trying to change the wireless router connected to a system to use WPA encryption. (This turned out to be impossible, because the router was manufactured before this was available, and did not have enough flash memory for the upgrade.) The problem which got my attention was that there was no response at all when I tried to use the web administration interface at 192.168.1.1, or several likely alternatives. The user didn't even know how to change this address, told me the password was "admin" and even expected to see the device detected through UPnP under Windows. (Though they didn't know the terminology.)

I downloaded the manual originally shipped with the device, and confirmed the manufacturer had not yet caught on, at that time, that it was a very bad idea, from a network security standpoint, to ship routers with UPnP and remote management enabled, plus a default password. After trying, and failing, to come up with an innocent explanation, I began to suspect this user had been doing Internet banking via Moldova.

When I recommend immediately replacing the router -- if not impounding it as evidence -- the other shoe drops. While I was off checking on the possibilities mentioned above, the aforementioned user had kept trying to connect, and eventually succeeded! The working address was 192.168.3.1, the default password was changed, and UPnP was disabled.

How did they get in? They remembered the address and password. Why did they tell me they didn't remember, and hadn't changed any of the above, (indeed, did not know how)? They were severely concussed in an automobile accident several years ago, and had profound lapses in memory from time to time. :roll:

If anyone out there has a story to top this one, I will read it with considerable interest.

Added: This wasn't the kind of memory problem we all suffer from time to time. This person was honestly telling me that no one else had worked on the network, and they didn't have a clue about how to change the things I was looking for. They even tried a direct connection to a laptop, and were surprised that the device didn't identify itself, as it would with UPnP enabled. What they told me was true, in that they were the only person who set up and modified the network, and -- at the time of the accident -- they had had no idea how to change the IP address of the web interface. They could tell me about problems with a large multifunction machine on the network and a VoIP setup. A large chunk of experience in the years since had simply dropped out of reach. They were completely convincing, and could have testified under oath.

They must have had non-verbal memory they could access, otherwise they would not have kept trying to connect to the web interface after I gave up. Several aspects of this case fit a diagnosis of frontal lobe syndrome.

I've been reminded that a very similar medical problem was the basis of the movie "50 First Dates". To set the record straight, I was (unfortunately) not helping Drew Barrymore. Problems in movies, like people, are typically more attractive than in reality.

DMcCunney
Posts: 889
Joined: Tue 03 Feb 2009, 00:45

Re: the exploit that wasn't

#2 Post by DMcCunney »

prehistoric wrote: This is one for the record books.

Not really.

prehistoric wrote: When I recommend immediately replacing the router -- if not impounding it as evidence -- the other shoe drops. While I was off checking on the possibilities mentioned above, the aforementioned user had kept trying to connect, and eventually succeeded! The working address was 192.168.3.1, the default password was changed, and UPnP was disabled.

Not all routers use 192.168.1.1 as the main address. My deceased Linksys did. The old Belkin pressed into service when it failed uses 192.168.2.1. 192.168.3.1 is quite possible.

And while UPnP can be used to control a router, it's not on by default in any router I know of, and requires installing an optional component (at least in Windows XP) to provide the OS support.

I found it a handy feature in the Linksys, as my BitTorrent client (Azureus) could use UPnP to tell the router to open a port for the incoming connection, then close it again when I shut down BitTorrent. But it wasn't a default, and took work on my end to make it happen.

prehistoric wrote: How did they get in? They remembered the address and password. Why did they tell me they didn't remember, and hadn't changed any of the above, (indeed, did not know how)? They were severely concussed in an automobile accident several years ago, and had profound lapses in memory from time to time. :roll:

It's quite possible. An awful lot of learning is "state related". Consider what happens when you can't remember something you were told when you were drunk. Have a couple of drinks and your memory might just get jogged.

My SO has fallible memory, as a side-effect of medications taken for years to control a chronic illness. To remember stuff, she writes things down. The act of committing it to paper not only provides a written record, but also helps store it in her memory. I don't fully understand the mechanism, but know it works for her.

prehistoric wrote: They must have had non-verbal memory they could access, otherwise they would not have kept trying to connect to the web interface after I gave up.

Yep. Lots of things happen on that level. Ever tried paying attention and consciously trying to tie your shoe?
______
Dennis

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

router web address, paranoia

#3 Post by prehistoric »

Hi Dennis,

I realize that, after I removed some details which might identify the individual, the story sounds mundane.

You are correct when you say no routers are shipped with UPnP enabled today, or for some years past. This one was old enough so that the exploit had not surfaced, and Windows had not disabled UPnP by default, at the time it was shipped.

The router was definitely shipped with web interface address 192.168.1.1; I downloaded the original manual for that particular version and checked.

I spent about half an hour with this person, just trying to figure out what was going on with their network, and not counting the time spent removing an infestation, before I went off to think. They were actually perplexed that the router did not show up when they looked for it. Even though they claimed not to know what UPnP meant, they were doing exactly what people do when they use it to set up a router.

What seems to have happened is that their memory didn't just lose a password or an address, a large part of it actually jumped back to the time before the accident, when they didn't know how any of this worked. They were completely convincing, because they were convinced themselves.

I've left out a good bit more, like the setup for email they went back to, just as it had been years in the past. I spent considerable time uninstalling things that were of no use, and had not been for years. There were more cockeyed problems than I can now remember.

Now that I know about the person, the crazy state of the system begins to make sense. Part of the time they were operating with recent memories, and part of the time they were doing things as they had 10 years ago. When memory failed they had no conscious appreciation that they might be the source of the problem. This explains a fair number of the many thousand emails in their "sent" folder. It helps to explain why this machine had both 3 1/2" and 5 1/4" floppy drives.

I'm used to the idea that debugging computer systems may also require debugging the people who use them (to the extent this is even possible.) This is the first time I've run into a severe neurological problem in someone running around loose. Professionals who cope with this regularly have my profound respect.

I'd say more, but I think I've gone as far as is proper. This case left my confidence shaken. If solving computer problems requires this level of suspicion, I could end up in a locked ward.

pemasu
Posts: 5474
Joined: Wed 08 Jul 2009, 12:26
Location: Finland

#4 Post by pemasu »

prehistoric wrote: The problem which got my attention was that there was no response at all when I tried to use the web administration interface at 192.168.1.1, or several likely alternatives.

How about using the command line?

Code:
    ipconfig /all

It should tell you the address of the default gateway and the DHCP server.
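The suggestion above is the right first step when a router's admin page does not answer at the address you expect. As an added example (not code from pemasu's post or from any router vendor), here is a small Python parser for the text that `ipconfig /all` prints: it pulls out each adapter's IPv4 address, subnet mask, default gateway and DHCP server, lists the addresses worth trying for the web interface, and flags a gateway that lies outside the adapter's own subnet. The sample `ipconfig` output, adapter names and addresses are constructed for illustration.

```python
"""Added example: parse `ipconfig /all` text to find the router's likely admin
address. Sample output below is constructed, not captured from a real machine."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional

# Constructed sample: one wireless adapter on the LAN, one unplugged Ethernet port.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP-EXAMPLE
   Node Type . . . . . . . . . . . . : Hybrid

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : home
   Description . . . . . . . . . . . : Example Wireless Adapter
   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.3.104(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.3.1
   DHCP Server . . . . . . . . . . . : 192.168.3.1
   DNS Servers . . . . . . . . . . . : 192.168.3.1

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Description . . . . . . . . . . . : Example Ethernet Adapter
"""

# Constructed sample with a statically configured gateway outside the subnet.
SAMPLE_ODD_GATEWAY = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 192.168.3.20(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
"""


@dataclass
class Adapter:
    name: str
    ipv4: Optional[str] = None
    mask: Optional[str] = None
    gateway: Optional[str] = None
    dhcp_server: Optional[str] = None
    dhcp_enabled: bool = False
    connected: bool = True


_HEADER = re.compile(r"^(\S.*adapter .+):\s*$", re.IGNORECASE)  # "Ethernet adapter X:"
_FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(.*)$")  # "   Key . . : value"
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _first_ipv4(value: str) -> Optional[str]:
    m = _IPV4.search(value)  # strips decorations such as "(Preferred)"
    return m.group(0) if m else None


def parse_ipconfig(text: str) -> List[Adapter]:
    """Split ipconfig output into adapters and keep the addressing fields."""
    adapters: List[Adapter] = []
    current: Optional[Adapter] = None
    for line in text.splitlines():
        h = _HEADER.match(line)
        if h:
            current = Adapter(name=h.group(1))
            adapters.append(current)
            continue
        if current is None:
            continue  # host-wide lines before the first adapter section
        f = _FIELD.match(line)
        if not f:
            continue  # continuation lines (extra DNS servers) or blanks
        key, value = f.group(1).strip().lower(), f.group(2).strip()
        if key == "ipv4 address":
            current.ipv4 = _first_ipv4(value)
        elif key == "subnet mask":
            current.mask = _first_ipv4(value)
        elif key == "default gateway":
            current.gateway = _first_ipv4(value)
        elif key == "dhcp server":
            current.dhcp_server = _first_ipv4(value)
        elif key == "dhcp enabled":
            current.dhcp_enabled = value.lower().startswith("yes")
        elif key == "media state":
            current.connected = "disconnected" not in value.lower()
    return adapters


def admin_candidates(adapters: List[Adapter]) -> List[str]:
    """Addresses to try for the router's web interface: gateway and DHCP
    server of every connected adapter, in order, without duplicates."""
    found: List[str] = []
    for a in adapters:
        if not a.connected:
            continue
        for addr in (a.gateway, a.dhcp_server):
            if addr and addr not in found:
                found.append(addr)
    return found


def gateway_anomalies(adapters: List[Adapter]) -> List[str]:
    """Flag a gateway outside the adapter's own subnet, or a DHCP server that
    is not the gateway. Neither proves anything, but both deserve a look when
    a network does not behave the way its owner describes."""
    notes: List[str] = []
    for a in adapters:
        if not a.connected or not (a.ipv4 and a.mask and a.gateway):
            continue
        iface = IPv4Interface(f"{a.ipv4}/{a.mask}")
        if IPv4Address(a.gateway) not in iface.network:
            notes.append(f"{a.name}: gateway {a.gateway} is outside {iface.network}")
        if a.dhcp_server and a.dhcp_server != a.gateway:
            notes.append(f"{a.name}: DHCP server {a.dhcp_server} differs from gateway {a.gateway}")
    return notes


if __name__ == "__main__":
    found = parse_ipconfig(SAMPLE_IPCONFIG)
    print("try the web interface at:", admin_candidates(found))
    print("anomalies:", gateway_anomalies(parse_ipconfig(SAMPLE_ODD_GATEWAY)))
```

On a real machine you would feed it `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout` instead of the constructed sample; the parser only reads the English field names, so localized Windows builds would need their own key table.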

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

this was a long story

#5 Post by prehistoric »

Hi pemasu,

First, in response to your suggestion, I thought this case was one where the web administration interface was changed separately. There was another router on the network as well, so figuring out which device was doing what, without getting a look at the setup, was a problem. The easy solution would have been to push the reset button and go back to factory settings, but I wanted to find out what else this thing had been doing. There have been real exploits using routers. (See note at the bottom.)

When I put this in the off-topic area, I really meant it to be there. The system I was working on was a Windoze system I was rescuing for a friend of a friend. The network was set up without any idea of using Linux, let alone Puppy Linux. If you care to, you can find more in the long thread started by obxjerry. I mentioned this other infested system near the end.

I've run into so many nasty problems on Windoze that my main reason for explaining what is necessary to rescue such a system is to motivate people to make the effort to switch. The promised ease of use mainly works if someone else takes care of security, backup and recovery. Just applying needed updates can take hours.

The lesson I learned from this episode was that things that look like really sneaky malware may be due to innocent causes you wouldn't imagine. There are plenty of examples of real exploits, but with most people using computers overwhelmed by complexity it is hard to separate innocent mistakes from malicious causes.

@DMcCunney,

Here's where these exploits were reported. The widespread coverage took a while to develop. (Check the dates.) As for what is possible for someone who completely controls the router, you might look into DD-WRT. (The site is doing hardware hacking in the ethical sense of understanding devices and getting more functionality, not promoting computer crime. It does show just how thoroughly you can alter the behavior of a device capable of updating flash memory firmware.)

I know of one case in which the UPnP exploit was used to redirect to an Internet banking page hosted in Mexico. This was a clumsy attempt to grab a lot of money quickly, and was quickly investigated and shut down. There are much more sophisticated ways of monetizing computer crime in play at present, and I thought I had caught someone.

pemasu
Posts: 5474
Joined: Wed 08 Jul 2009, 12:26
Location: Finland

#6 Post by pemasu »

I have heard the question many times: is it a virus that is affecting my machine? Rarely has that been the cause at my work. Router malfunction, a loose cable attachment to the HDD, a loose VGA cable, misunderstanding how apps should work, a damaged FAT table, even lightning hitting a nearby tree has been the reason.

But at home my teenage son has gathered a very nice collection of different kinds of viruses, trojans and malware on his computer, repeatedly. Even after repeated negotiation about pages where you should not go. And I had a couple of virus and malware apps guarding all the time. Well, reinstallation of XP has been easy from an image backup when the OS has been compromised.

So circumstances quite often affect what the more probable reason is.

As for memory impairment: I believe that kind of problem will become more consistent when computer-using people get older and the computer has become a needed tool. Dementia and brain infarctions will affect memory, and mysterious problems will become more frequent. Well, it might also be the reason to see a doctor when one day you don't remember how to reply on a discussion forum. :)

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

security, complexity, aging

#7 Post by prehistoric »

When I first started to think about computer security, the typical exploit did not involve brilliance, it required stupidity that was hard to believe.

Example from Bruce Schneier: ("How did you get in?" "I called them up and told them I forgot my password.")

Example close to home: One mysterious rash of exploits was traced to dumpster divers finding old printouts which had not been shredded.

There were many theoretical weaknesses which went unexploited because nobody could make it pay.

In the last decade, I've seen a dramatic shift in threats. They are more sophisticated, and more commercial. The people using them are not geniuses, but they will pay brilliant people to provide them with tools for crime. Some of the tool kits out there are frightening enough to make you stop using the Internet entirely. The social engineering aspects of computer crime have been better matched to technical wizardry.

This year I am seeing more compromised systems in the hands of people who are supposed to know what they are doing on computers. I just got a call about another one today. After hearing what it would take to clean it out, the person said, "Never mind, I'll wipe everything and install Windows 7." If that works for him, fine. I have a different solution.

I've long been concerned that much of the potential value of small computers in the hands of individuals is being lost, because the intellectual investment needed to use them has been too great for people who don't devote most of their thought to computers. They shouldn't have to.

I've been concerned about the impact of this complexity on elderly relatives and friends who would simply like to use email to stay in touch, for example. I can't travel as much as necessary to maintain regular face-to-face communication. I have been so frustrated with trying to keep people who were corresponding with me on-line that I have reached the point of mailing them entire computer systems. Then I have the problem of getting someone to set these up, if I can't go there and do it myself.

These devices could function as a kind of prosthetic for failing neurons, reminding us of things we used to keep in our heads, or making difficult tasks easy enough so we can continue. Instead we seem to have added a layer of complexity to everything pre-existing.

Today's newspaper has an article on a rebate program for people with old inefficient appliances who buy new ones. After telling us that it is likely to run out in a single day, the writers tell us there is no way to apply for the rebate except on-line. This is unlikely to help people who have been having financial trouble replacing refrigerators, because they probably don't have an up-to-date computer either.

The complexity of our systems, and the complexity of the Internet environment, is both depriving people who might benefit of help, and opening them up to exploitation.
