
Wireless networks/Default Admin username security problem in Croatia



There are two quite common practices in Croatia that have left a huge 
number of users wide open to attacks. I presume that, if you look around, 
you might find one or both in your general vicinity. 

The first one is the fact that computer "manufacturers" in Croatia always 
choose one of a dozen default usernames while installing Microsoft Windows 
for their customers. They rarely, if ever, change the username, so a lot 
of people get their boxes with the same Administrator login. To make 
things worse, all of those accounts have a blank password and automatic 
log-in, so the end user doesn't have to think about it. Real plug-and-play 
technology, isn't it? 

Note that some of them ship Linux as well, and the same story goes for the 
root user, making the Linux box just as secure as its Windows neighbour. 
While we might think that a Linux box will either be replaced with a 
pirated Windows installation or have a user who knows a little bit about 
security, we just don't know how many open Linux boxes there are. But, 
given the growing popularity of Linux among ordinary people, it is wise to 
presume that this might not be an insignificant number. 

Windows users en masse don't care about the security stuff; they just 
power up the computer and start working. So we have a whole lot of Windows 
boxes, and probably a big pile of Linux boxes, that are really easy prey 
for 0wn4ge. There's no easy remedy for that: "manufacturers" don't really 
care about this, so it is up to the end user to protect herself. And we 
all know that everyone is security aware, don't we? 
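The check below is an added example and not part of the original post or 
of the opsus.hr advisory: it parses /etc/shadow-style records and reports 
the accounts that can log in with no password at all, which is exactly the 
root-with-blank-password situation described above. The sample records are 
constructed; on a real box you would read /etc/shadow as root instead.

```python
"""Audit shadow-style account records for blank passwords.

Added example, not part of the original post or the opsus.hr advisory.
Assumes /etc/shadow format (user:hash:lastchg:min:max:warn:inactive:expire:);
the SAMPLE_SHADOW records below are constructed for illustration.
"""

# Constructed sample: what a freshly "manufactured" box might look like.
# root has an empty hash field, i.e. no password at all.
SAMPLE_SHADOW = """\
root::12800:0:99999:7:::
bin:*:12800:0:99999:7:::
daemon:!:12800:0:99999:7:::
hrvoje:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTU/:12800:0:99999:7:::
guest:!!:12800:0:99999:7:::
"""

# A hash field starting with one of these means "password login disabled",
# which is the opposite of "no password needed".
LOCKED_PREFIXES = ("!", "*")


def classify(password_field: str) -> str:
    """Classify the second (hash) field of a shadow record."""
    if password_field == "":
        return "blank"          # empty field: anyone can log in without a password
    if password_field.startswith(LOCKED_PREFIXES):
        return "locked"         # "!", "!!", "*": no password login possible
    if password_field.startswith("$"):
        return "hashed"         # modular crypt format ($1$ MD5, $5$/$6$ SHA, ...)
    return "legacy-crypt"       # 13-character DES crypt or an unknown format


def audit_shadow(text: str) -> dict:
    """Return {username: classification} for every record in the text."""
    result = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: not a shadow record")
        result[fields[0]] = classify(fields[1])
    return result


def blank_password_accounts(text: str) -> list:
    """Usernames that can log in with an empty password."""
    return sorted(u for u, c in audit_shadow(text).items() if c == "blank")


if __name__ == "__main__":
    # Real use (as root): text = open("/etc/shadow").read()
    for user in blank_password_accounts(SAMPLE_SHADOW):
        print(f"WARNING: account '{user}' has a blank password")
```

Note that a locked account ("!" or "*") is fine and should not be 
reported; only the empty field is the problem. The same audit on a Windows 
box is a matter of checking each local Administrator-group account for a 
blank password, which the advisory's step-by-step instructions cover.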

The second problem is that the largest Croatian telecom company, T-Com 
(formerly Croatian Telecom, until our politicians sold the majority of 
shares to Deutsche Telekom), is advertising its aDSL/WiFi combo, in fact 
an ordinary DSL line with a wireless router at the user's premises. 

The trouble here is that T-Com does nothing more than connect the 
hardware and make sure it is working, leaving the end user with a wireless 
network that happily broadcasts over an unsecured channel. 

Now, let's put these two together: we have a whole lot of users in Croatia 
who bought their PC from a "manufacturer", never bothered to change the 
administrator password, let alone the username, and are hooked onto a 
wireless network that is both unencrypted and open to anyone who is in 
radio range and knows the mysteriously secret default SSID 
"ConnectionPoint" that is broadcast by hundreds of APs in the capital city 
of Zagreb alone. 

So, what we have here is a lot of clueless people who might have a problem 
with any or all of these:

- anyone in range can connect to the WiFi network and surf (probably 
unnoticed), to the great surprise of the poor user who gets the DSL bill 
at the end of the month (and our DSL rates are HUGE) - affects both 
Windows and Linux users, because it has nothing to do with the PC but with 
the AP;

- since there are just a dozen default administrator usernames and none of 
them has a password, it is child's play to hook onto the wireless network, 
connect to the user's computer (that DOES include the Linux guys who 
didn't bother to change the password) and wreak havoc - steal banking 
info, stored PINs and passwords, delete or modify data, etc. - affects 
both Windows and Linux; 

- an intruder can inject a virus onto the user's computer, effectively 
hiding his point of entry - the one who goes to jail would be the poor 
uneducated user - affects Windows and theoretically Linux as well, given 
the number of Linux viruses spotted in the wild (but it does make an 
excellent petri dish for Linux viruses, since it is so easy to get root 
permissions);

- an intruder can use the network or the computer to spam around, to his 
own enjoyment and to the horror and huge DSL bill of the user; oh, and the 
wrath of the spammed will be felt by the user, of course... :-) - affects 
Windows and Linux;

- last, but not least, it is possible to war-drive around and seed clients 
to be used as DDoS drones later. In fact, it can be scripted, so you just 
have to drive around, and the script will discover the network, log on to 
it, try all of those dozen default administrator usernames for you and, if 
successful, seed the drone and go on searching for the next victim. 
In that case, the user might never discover that he is hosting a parasite 
- affects mostly Windows, but Linux is not invulnerable to this either.

We have released a security advisory (18.1.2005.) regarding these issues, 
as well as a step-by-step description of how to protect yourself by 
changing the administrator password and securing the WiFi network. 

http://www.opsus.hr/index.php?folder=69&article=78

We have sent a message to the Croatian "Office for e-Croatia" as well, 
since these vulnerabilities might severely interfere with their project of 
having 100.000 broadband users in Croatia by the end of this year (note: 
Croatia has just about 4.5 million citizens and is in transition - anyone 
who is living in a country in transition will understand my point). So far 
we haven't heard back from them. 

T-Com has issued a warning to all their WiFi customers at the beginning of 
February as well, providing them with an advisory on how to protect their 
network

http://www.t-com.hr/privatni/internet/pristup/wlan/sigurnost.asp#

that looks a lot like our own advisory. 

However, their advisory is slightly flawed: their advice is to let the AP 
collect all the MAC addresses it can see, while our advice is to enter the 
MAC addresses one by one, because if you use the automatic collection and 
there is already someone piggybacking on your network, and you don't 
really know what you're doing (we're talking about Hrvoje Average here, 
remember), it is easy to enter the attacker's MAC address into the list as 
well. Taking the PC Card out of its slot and reading the MAC address from 
the back of the card is more work, but much, much more secure in this 
case. Not to mention that an ordinary household will have just one or two 
computers. 
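As an added example (not from the original post and not from either 
advisory), the script below builds the allow-list the way we recommend, 
from the addresses read off the back of the cards, and then shows what 
T-Com's automatic collection would have admitted instead. The card labels 
and the AP's association table are constructed for illustration; real APs 
show the table in their admin pages in a vendor-specific format, which is 
why the addresses are normalised first.

```python
"""MAC allow-list from card labels versus automatic collection at the AP.

Added example, not part of the original post, the opsus.hr advisory or
T-Com's advisory. All addresses below are constructed (locally administered
02:... prefixes) and the association table is invented for illustration.
"""
import re

# Separators seen on card labels and AP screens: 00-11-22-33-44-55,
# 00:11:22:33:44:55, 0011.2233.4455, 001122334455.
_SEPARATORS = re.compile(r"[-:.\s]")
_TWELVE_HEX = re.compile(r"^[0-9a-f]{12}$")

# Constructed: what is printed on the back of the household's two PC Cards.
CARD_LABELS = ["02-0C-F1-AB-CD-01", "02-0c-f1-ab-cd-02"]

# Constructed: what the AP's "associated clients" page shows at the moment
# the user clicks "collect MAC addresses". The third entry is a piggybacker.
ASSOC_TABLE = ["02:0c:f1:ab:cd:01", "02:0c:f1:ab:cd:02", "02:12:17:9a:bb:cc"]


def normalize_mac(mac: str) -> str:
    """Return the canonical lower-case colon form, or raise on garbage."""
    digits = _SEPARATORS.sub("", mac).lower()
    if not _TWELVE_HEX.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def allow_list_from_cards(card_labels) -> set:
    """Our advice: only addresses you physically read off your own cards."""
    return {normalize_mac(m) for m in card_labels}


def allow_list_from_ap(assoc_table) -> set:
    """T-Com's advice: whatever happens to be associated right now."""
    return {normalize_mac(m) for m in assoc_table}


def unknown_clients(card_labels, assoc_table) -> list:
    """Addresses automatic collection would admit that belong to none of
    your cards, i.e. the ones that are already piggybacking."""
    return sorted(allow_list_from_ap(assoc_table)
                  - allow_list_from_cards(card_labels))


if __name__ == "__main__":
    print("allow-list to type into the AP:")
    for mac in sorted(allow_list_from_cards(CARD_LABELS)):
        print("  ", mac)
    for mac in unknown_clients(CARD_LABELS, ASSOC_TABLE):
        print("WARNING: auto-collection would also have admitted", mac)
```

Keep in mind that a MAC allow-list only stops casual freeloaders: an 
attacker who sniffs one of your addresses can set it on his own card. It 
is a supplement to turning on encryption and changing the default SSID 
and passwords, not a replacement for them.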
 
One note: T-Com does provide the end user with a manual for their WiFi 
network that has all this security stuff inside, but their mistake was to 
count on the end user to take care of security, which is, as you all know, 
a dream. 

It is hard to find a remedy in this case. It is almost impossible to force 
"manufacturers" to stop using the same administrator login/blank password 
in production, because it takes a little bit longer to set up a computer 
and might increase problems with customers who forget their passwords, so 
it cuts into their profit margin. 

It might be possible for T-Com to take more care about security while 
installing WiFi hardware for the end user (and we did advise the Office 
for e-Croatia to try to push T-Com to do security for the end user), but 
this cuts into their profit margin as well. Still, since they earn about 
1.000.000$ each day from their GSM service (honestly!), a few thousand 
bucks more spent on having the end user secured immediately after the 
installation of the WiFi hardware is both good for the company's image 
(they should really work on it, given their popularity) and of extreme 
importance for the growing IT infrastructure in Croatia.

The last option is to have people educated. The government is doing 
something about it, but it is too little, too late. We're still struggling 
to have the majority of people understand why they get all sorts of adware 
and dialers; this might be overkill for them. However, the only real 
solution is to educate people. Slim chances. 

-- 
Radoslav Dejanović
Operacijski sustavi d.o.o.
http://www.opsus.hr