Author Topic: Article over at The Register  (Read 6913 times)

pingjockey

  • Level 1 Member
  • *
  • Posts: 16
Article over at The Register
« on: May 15, 2009, 01:21:16 PM »

Has anyone else read this yet?

http://www.theregister.co.uk/2009/05/15/dlink_router_gimmick/

I am not an overly happy camper about this. I like having a somewhat secure network.

EddieZ

  • Level 10 Member
  • *****
  • Posts: 2494
Re: Article over at The Register
« Reply #1 on: May 15, 2009, 02:47:19 PM »

Wow...I think the Dlink-developer that got the bonus for cooking up this gadget so fast will have to restitute that Las Vegas Weekend after all.....  ;D

Seriously, this is quite a gap we have here...
DIR-655 H/W: A2 FW: 1.33

kegobeer

  • Guest
Re: Article over at The Register
« Reply #2 on: May 15, 2009, 03:03:34 PM »

Hmmm, with this new "discovery" and the issues with Shareport, I think I'll just stick with 1.21.

Lycan

  • Administrator
  • Level 15 Member
  • *
  • Posts: 5335
Re: Article over at The Register
« Reply #3 on: May 15, 2009, 03:13:01 PM »

Guys, before we fly off the handle, I've forwarded this post to our PM group, give them a chance to rebut.

EddieZ

  • Level 10 Member
  • *****
  • Posts: 2494
Re: Article over at The Register
« Reply #4 on: May 15, 2009, 03:39:19 PM »

Guys, before we fly off the handle, I've forwarded this post to our PM group, give them a chance to rebut.


Since there is no way to evaluate the POC, a reaction from Dlink would be nice from the authors.
DIR-655 H/W: A2 FW: 1.33

lotacus

  • Level 4 Member
  • ****
  • Posts: 450
Re: Article over at The Register
« Reply #5 on: May 15, 2009, 07:43:42 PM »

I would like to see a proof of concept. I do know that the salt hash is easily attainable in a txt file on the router... however, I forget the local URL that retrieves it. I didn't bother trying to exploit it though.

MJBURNS

  • Level 1 Member
  • *
  • Posts: 24
Re: Article over at The Register
« Reply #6 on: May 18, 2009, 06:24:52 AM »

I would like to see a proof of concept. I do know that the salt hash is easily attainable in a txt file on the router... however, I forget the local URL that retrieves it. I didn't bother trying to exploit it though.

The exploit is demonstrated here:
http://www.sourcesec.com/2009/05/12/d-link-captcha-partially-broken/#more-159

As has been noted in a lot of security forums, the CAPTCHA "feature", even if properly implemented, is of dubious value in that it is never turned on by the people who never configure their routers away from the factory default passwords, and does nothing for those who do configure their routers with robust passwords (pass phrases).
« Last Edit: May 18, 2009, 07:07:41 AM by MJBURNS »

Lycan

  • Administrator
  • Level 15 Member
  • *
  • Posts: 5335
Re: Article over at The Register
« Reply #7 on: May 18, 2009, 08:21:59 AM »

Agreed. Personally I would prefer a lockout-after-failed-attempts method.

aljimenez

  • Level 1 Member
  • *
  • Posts: 22
Re: Article over at The Register
« Reply #8 on: May 20, 2009, 09:57:34 PM »

Is there a workaround to avoid this security risk? Is turning off CAPTCHA enough to remove the risk?  Al