It is the simplest of security precautions, but it is one that still is often not followed: Change your default router password to something else.
My colleague Carolyn Duffy Marsan this week posted an excellent article on the "10 dumbest mistakes network managers make," and No. 1 on the list is "Not changing the default passwords on all network devices." This rule extends to routers, switches, servers or network appliances.
In the past, much of the concern has been around home routers. So many home users just leave their routers with the default passwords, and this creates a rich target set for an attacker.
However, Marsan quotes a security expert who says he sees corporations making this blunder all the time. The solution for an organization of any size is to run a vulnerability scanner against everything on the organization's network with an IP address, and change any default passwords found.
Two years ago, researchers at Symantec and Indiana University described how someone could take advantage of default router passwords to redirect users to fraudulent Web sites. The attack was called "drive-by pharming."
Then, a few months ago, a worm started taking advantage of 55 different routers and cable/DSL modems, including those from Linksys and Netgear. While the botnet capabilities of the worm had been disabled, it again proved the concept. Called Psyb0t, the worm used 6,000 common user names and 13,000 popular passwords to attempt to gain access. Since many routers have no limits on access attempts, the worm could just bang on the routers thousands of times until it hit upon a combination that worked.
So, the moral of the story is that not only do you have to change your default router password, but you also have to be at least a little creative. And don't use the same password for multiple devices, or you run into No. 2 on the list of dumbest mistakes.