Warning: This post is quite technical and might only be interesting to true geeks.
Yesterday I found out frgdr.com was injected with malicious code which redirected some visitors to discount-canadian-medshop.com, an e-commerce website selling pharmaceutical drugs (read: Cialis). This was a particularly conniving hack as only some posts were affected, making it harder to detect anything was wrong. If you are interested in such details, after the jump is a summary of the incident.
Continue reading O Canada! – or – frgdr.com Just Got Base64’ed, Again!
“Reports that say something hasn’t happened are interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know.”
– Donald Rumsfeld, US Secretary of Defense, 2002
Update: frgdr.com was base64’d a second time on May 12, 2010. New insights at the bottom of this post.
A few hours ago frgdr.com was injected with malicious code which redirected every visitor to a website that tries to trick people into downloading a fake antivirus program. Everything is fine now. If you are interested in such details, after the jump is a summary of the incident, including why my hosting provider GoDaddy is awesome.
Continue reading Back in Business
Do you have a cell phone?
Would you mind terribly if a stranger listens to your voicemail?
So why haven’t you changed the default ‘1234‘ password?
Do you have a wireless router?
Would you care if a stranger connects to your home network?
So why haven’t you changed the default ‘admin/admin‘ username/password combination?
Do you have a webcam system?
Would you mind terribly if a stranger watches your video feed?
So why haven’t you changed the default anonymous login?
People think of hacking as something done by Russian spies or by genius kids. No one thinks that most of the time the only thing you need is the default password. I honestly don’t get it – how difficult is it to change the initial password out of the box? Why live in the realm of uncertainty when peace of mind is just around the corner?
Here are a few examples to push you in the right direction:
You would think that a 4-digit password combination allows for 10,000 possibilities, and since the phone call is disconnected after 3 wrong tries, it would take too much time and too much money to crack the voicemail vault. That is only true in theory: since most people do not change the default 1234 or 1111, it would take exactly one phone call to get in.
Wanna bet? Can you wholeheartedly click this play button knowing there is zero chance of you hearing your own voicemail?
Paying for your Internet service? Your neighbor used to do that but decided it would be wiser to use yours instead. Now, there might be legitimate reasons why you would not want your home network to use encryption, but can we agree on MAC address filtering as the bare minimum so that only the computers you know can use it? Even if you have a Jewish attitude of ‘All who are thirsty for bandwidth, let them come and drink my connection’ (a.k.a. ‘Kol dichfin’) – is it too much effort to change the default router password, so that no one will be able to configure it?
And don’t get me started on the legal ramifications of someone downloading copyrighted or illegal material using your bandwidth. Yes, I am sure after three years of trial you would probably be exonerated from any wrongdoing, but it sure would be a fun period until then. To quote Mister Rogers: ‘It’s a beautiful day in this neighborhood’.
You have a small business and you want to keep an eye on it from home, so you hooked up a video surveillance system. You have an aging mother and you want to keep an eye on her caretaker. That is all fine, but why risk someone looking in through the Internet peephole? Let your imagination run wild with the kind of people that might want to watch these video feeds. No imagination? Here are some visual aids captured today:
Since my aim is to educate people about privacy and not to teach them how to hack, I did not go into further details. Suffice it to say that any one of you can easily enter these systems using your banged-up computer and without buying any hardware or software.