
Cyber experts say FBI's warning to restart router is serious

Grapeshot


since9

"BIRMINGHAM, AL (WBRC) - A warning from the FBI..Reboot your router to stop Russian-Linked malware."

"Hunter Hudson works for ThreatAdvice and he says everyone needs to take this warning very seriously"

"Cyber experts say turn your router off and back on and also change your WIFI passwords after it is reset."

http://www.nbc12.com/story/38301589/cyber-experts-says-fbis-warning-to-restart-router-is-serious

I say:

1. Log into your router's admin.

2. Turn off WiFi.

3. Disconnect your router from the Internet (remove coax)

4. Reboot your router.

5. Log into your router's admin.

6. Change the login username from admin to something hackers would never guess, like, jsIUYtf

7. Change the login password to something long and completely random.

8. If you're not already doing so, set WiFi security to WPA2 and/or PSK

9. Change the WiFi password to something long and completely random

10. Reboot your router.

11. Reconnect your router to the Internet (reattach coax)

12. Reboot your router.

13. After all lights are flashing normally...

14. Reboot your router.

15. Log into your router.

16. Check all settings.

17. Log out of your router's admin.

NOW you're good to go, but I suggest you upgrade the firewall setting to Medium.

The only thing a single reboot does is query the ISP's router maintenance servers if there's a flash update. That leaves your router's admin username, password, WiFi password, and WiFi security vulnerable.
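As an added example (not the poster's own code), here is a Python script that produces the random values steps 6, 7 and 9 call for and reports how much entropy a given length buys. Function names are mine; the 8-63 printable-ASCII limit on a WPA2 passphrase comes from the 802.11i standard.

```python
import math
import secrets
import string

# Printable ASCII without the space character: accepted by WPA2-PSK
# (8-63 characters, per IEEE 802.11i) and by most router admin forms.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def random_secret(length: int) -> str:
    """Uniformly random string drawn from ALPHABET via the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_username(length: int = 12) -> str:
    """Step 6: a login name other than 'admin'. Letters and digits only,
    because some routers reject punctuation in usernames."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_valid_wpa2_passphrase(passphrase: str) -> bool:
    """802.11i: 8 to 63 printable ASCII characters (0x20-0x7E)."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def wpa2_passphrase(length: int = 63) -> str:
    """Step 9: a WPA2-PSK passphrase; 63 is the longest a router accepts."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    return random_secret(length)


def new_router_credentials() -> dict:
    """Steps 6, 7 and 9 in one go, with the entropy of each secret."""
    admin_pw = random_secret(32)
    psk = wpa2_passphrase()
    return {
        "admin_user": random_username(),
        "admin_password": admin_pw,
        "admin_password_bits": round(entropy_bits(len(admin_pw))),
        "wifi_passphrase": psk,
        "wifi_passphrase_bits": round(entropy_bits(len(psk))),
    }


if __name__ == "__main__":
    for key, value in new_router_credentials().items():
        print(f"{key}: {value}")
```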
 

2a4all

I say:

1. Log into your router's admin.

2. Turn off WiFi.

3. Disconnect your router from the Internet (remove coax)

4. Reboot your router.

5. Log into your router's admin.

6. Change the login username from admin to something hackers would never guess, like, jsIUYtf

7. Change the login password to something long and completely random.

8. If you're not already doing so, set WiFi security to WPA2 and/or PSK

9. Change the WiFi password to something long and completely random

10. Reboot your router.

11. Reconnect your router to the Internet (reattach coax)

12. Reboot your router.

13. After all lights are flashing normally...

14. Reboot your router.

15. Log into your router.

16. Check all settings.

17. Log out of your router's admin.

NOW you're good to go, but I suggest you upgrade the firewall setting to Medium.

The only thing a single reboot does is query the ISP's router maintenance servers if there's a flash update. That leaves your router's admin username, password, WiFi password, and WiFi security vulnerable.

Sadly, if your router has already been infected with malware, this procedure won't get rid of it. The malware can sit in "listening mode" simply monitoring traffic waiting for some keyword to activate it, which doesn't require any sort of log in on your part. For example, the malware could be looking for a bank url and transmit the connection dialogue to its host without interference with the banking connection.

So if the hacker doesn't have your "admin" password, how did s/he install the malware? Simply by using one or more of the well-known "back doors" that are built in to most commercially available routers. Now, you could log in to your router as "admin" and enable the logging feature, which will record the various connections that the router makes between your devices and the outside world. Be prepared to see a lot of information which will be difficult to read. Remember, your router is busy processing all the traffic generated between your devices and various web sites. A single connection to a busy web site like this one can generate hundreds of messages between your laptop and OCDO (the links to all those ads get trafficked too).

OK, I'll just reset my router to the "factory defaults". Guess what. These factory defaults are also well known, and can be accessed via various back doors as well. It's a good bet that many of the infected routers were accessed because the user didn't set their own passwords. I've personally seen instances where supposedly secure installations were connected to the internet via routers which still had the default passwords in effect after a year of service. If you do do this, be sure to generate a new admin password offline before connecting to your ISP. Then use the default parameters to connect to your ISP. You should also contact your ISP while you do this to verify that you have the correct parameters.

Fortunately, most of the ~600,000 infected routers were found in Ukraine.
 

blahpony

I built my own router using a micro computer with two network interfaces. I was using a kinda old OS on it. I switched that out to a much newer one a few weeks ago. That is a fully patched up version. The wireless is on a separate access point and the router doesn't even know about it.

I'm pretty sure the router that Verizon sent me is 100% safe. It's sitting in its box on a shelf in my den. ;)
 

since9

Sadly, if your router has already been infected with malware, this procedure won't get rid of it. The malware can sit in "listening mode" simply monitoring traffic waiting for some keyword to activate it, which doesn't require any sort of log in on your part. For example, the malware could be looking for a bank url and transmit the connection dialogue to its host without interference with the banking connection.

My bad. I forgot to mention Step 0: Hard reset your router. That forces it to reflash from the ISP's servers (presuming they've fixed their source by now, which they have).

The remainder of the steps work to secure the router by removing the built-in security holes.

OK, I'll just reset my router to the "factory defaults". Guess what. These factory defaults are also well known, and can be accessed via various back doors as well. It's a good bet that many of the infected routers were accessed because the user didn't set their own passwords. I've personally seen instances where supposedly secure installations were connected to the internet via routers which still had the default passwords in effect after a year of service. If you do do this, be sure to generate a new admin password offline before connecting to your ISP. Then use the default parameters to connect to your ISP. You should also contact your ISP while you do this to verify that you have the correct parameters.

Uh, er... What? That's the point of the article: The factory defaults were patched.

Fortunately, most of the ~600,000 infected routers were found in Ukraine.

IT security in the U.S. is significantly more advanced than most of the rest of the world. The routers rented from Comcast and similar companies are updated on a routine basis.

In addition to your ISP's modem/WAP/router, you can isolate your home network using your own firewall/WAP/router between your ISP's modem and your network. Like you said, the default settings on ISPs' modems (cable or DSL) leave a lot to be desired.

Consider finding an older or used router and using one of these replacement router firmware. I've used the first two, DD-WRT and Tomato.

DD-WRT provides a great level of granularity, but unless you have Cisco IOS training, it can be a bit daunting. Tomato, on the other hand, remains pretty powerful yet automates most functions.

Both of them are significantly more secure than your ISP's equipment.
 

since9

I built my own router using a micro computer with two network interfaces. I was using a kinda old OS on it. I switched that out to a much newer one a few weeks ago. That is a fully patched up version. The wireless is on a separate access point and the router doesn't even know about it.

I'm pretty sure the router that Verizon sent me is 100% safe. It's sitting in its box on a shelf in my den. ;)

Lol. :)

Did you use Tiny Firewall? I tested some software-based firewalls about 18 years ago. Tiny Software's software was simple, but very slick. It was also one of two, out of six, that actually survived destructive testing.
 

blahpony

Lol. :)

Did you use Tiny Firewall? I tested some software-based firewalls about 18 years ago. Tiny Software's software was simple, but very slick. It was also one of two, out of six, that actually survived destructive testing.

I had IPCop on there. I put on pfSense.
 

blahpony

That's me, all corporate and polished and such.

 

2a4all

My bad. I forgot to mention Step 0: Hard reset your router. That forces it to reflash from the ISP's servers (presuming they've fixed their source by now, which they have).

The remainder of the steps work to secure the router by removing the built-in security holes.

Provided that your router is furnished by your ISP. If it's one you bought yourself, then you may be out of luck.

Uh, er... What? That's the point of the article: The factory defaults were patched.

Patched, as in fixed? By whom? When? There are a plethora of (residential/small business) routers in service that haven't been updated since the day they were installed by the user (or at least since the last automatic factory furnished update was installed). Whatever flaws they had since then likely still exist. As a vendor's product line expands, support for older products tends to dry up. They can't keep up with everything; it costs too much. As long as a router still provides the service that the user is looking for, they're not prone to upgrade.


IT security in the U.S. is significantly more advanced than most of the rest of the world. The routers rented from Comcast and similar companies are updated on a routine basis.

In addition to your ISP's modem/WAP/router, you can isolate your home network using your own firewall/WAP/router between your ISP's modem and your network. Like you said, the default settings on ISPs' modems (cable or DSL) leave a lot to be desired.

Consider finding an older or used router and using one of these replacement router firmware. I've used the first two, DD-WRT and Tomato.

DD-WRT provides a great level of granularity, but unless you have Cisco IOS training, it can be a bit daunting. Tomato, on the other hand, remains pretty powerful yet automates most functions.

Both of them are significantly more secure than your ISP's equipment.

Before routers were commonplace (or even available), we configured a server with multiple network interfaces to route traffic to various networks. If we could ascertain an IP address for an external router on another network, we'd add it to the routing table(s) to improve efficiency. When Morris unleashed his worm in 1988, we began to think seriously about firewalls. Good times.
 