Update your D-Link Wifi router?...maybe not

[Edinho]

Just come across this on Register

http://www.theregister.co.uk/2009/05/15/dlink_router_gimmick/

Its easier understood in this link

http://www.sourcesec.com/2009/05/12/d-link-captcha-partially-broken/#more-159

Who makes up these security features, a 16 year old on work experiance?

One of the reasons I dont use WiFi besides the connection problems. If you have one of these you might want to cut off that antenea.

 

[yashiro]

It means IF you use a dictionary or simple alphanumerc passphrase then it can't be brute forced unless they pass the CAPTCHA too.
Yes, it's very annoying on web pages. But on a router page you might use once a month? It's not such a bad idea.

Unfortunately like almost every security measure these days the idea is OK but the implementation is weak. Shame for D-Link, there.
Those expensive encrypted USB keys that send passphrases as plain text spring to mind.

 

[Azuse05]

Well you're afew days adrift but it's still the same old sky is falling register. If this is the reason you don't use wifi then the reason is ignorance.

For this to work the attacker has to 1. be in your wifi range and 2. be wired into a pc on your lan i.e have a physical connection which means unless you hang lan cables out your window it's business as usual. So really, it's an oversight (human error) on the programmers part, albeit a small one. Dlink need to load them up with coffee next time round.

Truth is, if you use the full length hexadecimal wpa2 key it will take a long, long time for anyone to crack your wifi, but if you we're truly paranoid then changing it monthly is common in high security places.

Compromised web page is not wifi related, hence this is separate. Using code in a web page to use a lan pc to attack a router is not new at all, in fact this is exactly what two of the most recent java & flash exploits were geared to do. Seeing as most people simply assume every pc on the lan is safe it's an effective route usually, and even if they don't the guys at MS who made upnp already did (which is why it's so awful) so it generally works. The only sure-fire way of stopping it is to not load the malicious code, the reason NoScript is so popular, but since there's no such thing as 100% security for anything attached to the net you accept the risk or don't connect.