Security Week 05: Facebook login on token, vulnerabilities in Netgear routers, self-DDoS in the British Ministry of Health

    Cybersecurity is not necessarily only about defending against external cyberattacks. According to the British publication The Register, November 14 of last year was not a good day at the British Ministry of Health (the National Health Service). In the morning, an employee created a new mailing list for colleagues in her own small department. After creating the list, she sent an empty message to it with the subject “Test”.

    As it later turned out, in the mailing list creation system the option “only employees of my organization” had been selected, which in practice meant “all employees, absolutely everyone”, and there were, mind you, 850 thousand of them at the NHS in England. After the test message went out, roughly 80 annoyed colleagues replied to the whole list asking to be removed from it immediately. And it snowballed from there.

    According to The Register’s sources, in just one hour about 500 million messages passed through the mail system because of one small department’s list, causing delays in the delivery of ordinary mail throughout the day. To the credit of the external contractor responsible for running the mail system, it did not go down completely, despite the sudden outbreak of a collective chat room. In the end, the contractor was blamed anyway, forced to rework the mailing list creation system, and the feature was switched off just to be safe. That is what a spontaneous DDoS looks like.

    Facebook adds hardware tokens to its two-factor authentication system
    News. Facebook announcement.

    Facebook now supports Universal 2nd Factor (U2F) hardware tokens such as YubiKey. A corresponding option has appeared in the Facebook settings, where you can attach a token to your account and log in to the social network even without access to your phone. Until now, the smartphone was the main second factor on Facebook: a fairly convenient scheme let you log in on a new device by reading an authorization code from a phone that was already logged in, or by receiving it via SMS.



    At first glance, token-based authentication is not the most efficient or convenient scheme, if only because the token can only be plugged into a full-fledged PC; with phones and tablets it is more complicated. Even on computers, only the Chrome and Firefox browsers are supported so far. In the future this may be resolved by tokens that work over NFC without wires. Even so, the scheme breaks down when the phone serves as the token: in general, you can lose either one with roughly the same probability. As a backup option the token is useful, but there are other ways too. Apparently the social network here is acting on the “do no harm” principle. This latest initiative is in line with its other user protection measures, from notifying potential victims about cyberattacks to supporting OpenPGP.

    A password bypass vulnerability found in Netgear routers
    News. Trustwave study. Information on the Netgear website.

    I recommend reading Simon Kenin's story at the link above: a rare case where the process of researching security systems is described in language understandable to mere mortals. It all started when Simon's Internet suddenly went down, he was too lazy to walk over to the router and reboot it, and he had forgotten the web interface password. Examining the HTML of the wrong-password page, Simon found the string unauth.cgi with some numeric code as a parameter. By then the Internet had come back up on its own, which made it possible to google for known vulnerabilities in this model of Netgear router.



    It turned out that the vulnerability had already been discovered (and possibly patched, but who updates their routers anyway?): if you take the same code from unauth.cgi and submit it to another technical web page, you can obtain the password. Then the full-scale tests began: Simon found other owners of Netgear routers and set out to find out which other models were affected. Since he had to “exploit the vulnerability” remotely, he wrote a Python script.

    He wrote it badly: a bug meant that instead of the required code, garbage was sent to the router. And what do you think? It turned out that the garbage was accepted just fine and a password was returned, and this is a completely different vulnerability affecting far more models. The vulnerability is easily exploited locally, but it can also be used remotely if remote access to the web interface is enabled. According to Netgear, the vast majority of users have it turned off. According to Simon, that may be so, but hundreds of thousands of devices are still exposed to remote exploitation.

    Then came the routine work: the data was handed to the manufacturer in April last year, and the process of closing the vulnerabilities has been going on since then, lasting until last week. This is, of course, a positive example of researcher and vendor interaction, if you recall the recent story about an Internet service provider that simply ignored the information. But do not forget that routers are now probably the most problematic devices in terms of delivering patches to the end user.

    Antiquities


    "V-5120"

    A non-resident, non-dangerous virus. It infects .COM and .EXE files in the standard way. Starting in 1992, when an infected file is run it displays “ACCESS Denied” and returns to DOS.

    Quote from the book “Computer Viruses in MS-DOS” by Eugene Kaspersky, 1992. Page 93.

    Disclaimer: This column reflects only the private opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It depends on luck.
