Misfortune Cookie - real world example


Chicog


I do a bit of voluntary work for a local group, and they phoned me the other day to say their Interweb was broken; last night I found the time to go and check it out.

Stone me if I didn't find that the default DNS servers had been pointed to Sevastopol (yes the Crimean/Russian one).

Remembering that I'd seen headlines about 12 million routers having the Misfortune Cookie flaw, I looked up this aging DLink and there it was on the list.

So I threw it out and put in a new Linksys, which does not have the flaw.

From what I can deduce, the hackers pointed DNS traffic at their servers, and they've probably been taken down by now hence the "Internet not working". So they could have been in this router for months.

As a precaution I'm going to advise anyone who might have used that network to change their Hotmail passwords, etc., but what I would urge you to do is check your Router against this list of known flawed models, and if you can't upgrade the firmware to a version that blocks the vulnerability, ditch it for one that does.

http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf


A person definitely needs to keep their router firmware updated. Although my ASUS router was not on the list in the above link, it did remind me to check the ASUS support website to see if I had the latest firmware. The last time I checked was in December and I was still up to date; I had already done a couple of firmware updates in the year or so I've had the router. So, I checked again about 30 minutes ago and sure enough there was a new firmware update as of mid-January to fix some issues, but the fix list didn't mention the above malware. Anyway, I did the firmware update... good to go.


Rename the SSID. You can use any description you like such as the name of your cat or dog for example. The default name which the router broadcasts identifies the model which makes it a lot easier to hack using the factory default setup.

Also, rename the WPA2-PSK key and use a combination of upper and lowercase alphanumeric characters. Avoid special characters though, such as + @ % etc.

In addition, change the default login which is usually just "admin/admin". Use a strong password of at least 14 characters to include upper and lowercase letters, numbers and the characters found on the top row of your keyboard.

If you think you might have a problem remembering the changes, print them on a label and stick it on the back of the router somewhere.

Keepass is a good, open source password manager which you might find useful too: http://www.keepass.info/

EDIT: I should also mention that you should avoid using WPS which was meant to create a secure home network because tools have been released which can crack it in no time at all. See this Sophos article for more info: https://nakedsecurity.sophos.com/2014/09/02/using-wps-may-be-even-more-dangerous/

Edited by Xircal