Hull surfers cut off by router attack

Thousands of broadband customers in the Hull area have been left without reliable internet access following a cyber attack. Local telco KCOM blamed difficulties for its customers which began over the weekend and remains ongoing on an attack it said was targeted at models of routers it supplies to some of its customers. Since …

  1. Lotaresco

    Too much cheapness

    This is just reinforcing my refusal to use kit supplied by an ISP. "Free" kit seems to be worth exactly what you pay for it.

    1. Tom Chiverton 1

      Re: Too much cheapness

      And ISPs that leave the management ports open to the internet...

  2. Frank Bitterlich

    The root cause...

    "We have now identified that the root cause of the problem was a cyber attack..."

    No. The root cause lies somewhere between the stupid vulns that are present in so many routers, and the fact that the telco didn't see that coming.

    I don't know whether this is the same exploit that brought down large numbers of Deutsche Telekom customers four days earlier, but it doesn't really matter. Checking the routers you sell or lease to your customers against recently reported security problems is something I'd expect from _any_ telco these days.

    But you can, of course, adopt that old "Hey, everything's going fine so far - why worry" mentality, whether you're a telco or a person just passing the third level while falling down from a 20-story building. The outlook is about the same.

    We're all doomed.

    1. Tom Paine

      Re: The root cause...

      I don't know whether this is the same exploit that brought down large numbers of Deutsche Telekom customers four days earlier, but it doesn't really matter.

      Up to a point, Lord Copper.

      This wasn't a DoS attack on random domestic broadband customers. The DoS was a side effect of the latest round of scans looking for vulnerable InternetOfShit devices to recruit for the Mirai botnet. It would be naive to imagine that all the attackers managed to do was crash or brick a few million routers; they've obviously been adding to their list of trivially pwned devices (either via exploits, common default admin passwords or unauthenticated management interfaces left open to 0/0.) My educated guess is that we'll find out how big the botnet is now at some point in the next few weeks / couple of months. Do we have any big events coming up? Let's see... there's the massive Christmas Day spike in gaming traffic as all the newly unwrapped consoles are fired up, I suppose. And something's happening in Washington in late January, IIRC. Any other obvious candidates for a spectacular DDoS?

      1. DryBones

        Re: The root cause...

        Well, there is prior form for LulzSec and LizardSquad and the like to DDoS the XBL and Sony servers out of existence. Maybe they'll go for Steam and some of the other nice things that people would want to be enjoying over the Christmas break too... And then get back to holding infrastructures hostage.

        Beer in anticipation of the inevitable "Mistakes were made".

  3. Alister

    I'm sure I read a recent story on here about certain models of ZyXel being wide open to attacks due to an internet facing open management port which was meant to be locked down to certain IPs, but was left open to everyone and his dog.

    I thought it was Talk-Talk, but apparently not, I can't find the story now.

    Could well be the same problem though.

    1. Paul Crawford

      You might be thinking of the Irish ISP:

      http://www.theregister.co.uk/2016/11/22/eir_customers_modems_vulnerable/

    2. Frank Bitterlich

      It was...

      ... Deutsche Telekom, in the library, with a lead pipe Germany, with a Mirai botnet.

      http://www.theregister.co.uk/2016/11/28/router_flaw_exploited_in_massive_attack/

    3. Peter X

      I'm sure I read a recent story on here about certain models of ZyXel being wide open to attacks due to an internet facing open management port which was meant to be locked down to certain IPs, but was left open to everyone and his dog.

      TalkTalk and the Post Office apparently. Hard to believe a company as diligent as TT got hit though... they'll have to deploy Dido to allay fears!

      Actually, the linked BBC article mentions that the Post Office have/are deploying router updates and requesting customers to reboot their routers to install the update. So that's something.

  4. petef

    Backdoor

    “ZyXel has developed a software update for the affected routers that will address the vulnerability. In most cases this will be applied remotely and customers will not need [to] do anything”

    So ZyXel have a backdoor into the routers they have sold? What happens when (not if) the bad guys get a hold of that?

    1. Tom Chiverton 1

      Re: Backdoor

      "So ZyXel have a backdoor into the routers they have sold? What happens when (not if) the bad guys get a hold of that?"

      They just did...

    2. Jon 37

      Re: Backdoor

      No, not ZyXel, but your ISP has a way to "remotely manage" the router they gave you.

      There are valid reasons for this, e.g. installing the firmware update that fixes this bug, or trying to troubleshoot a connection issue, either by getting logs from the router or by changing router settings for you.

      Details of the remote management protocol are here: https://en.wikipedia.org/wiki/TR-069

      However, this is a security trade-off, of course, and the remote management feature can be a source of security vulnerabilities.

      In my opinion, ideally ISPs should document exactly what TR-069 features they've enabled on the router, and how it's secured, so customers could make informed decisions on whether to use the "free" router or not. (99.999% of customers wouldn't be able to understand the technical details, but security experts could read the ISP's documentation and provide advice). However, most companies try to avoid providing documentation like that, instead saying basically "trust us".

    3. Tom Paine

      Re: Backdoor

      So ZyXel have a backdoor into the routers they have sold?

      What makes you think that? It's service providers who'll be managing their CPE gear. For some, this will be a remarkable new experience... full managed routers, whatever next?!

  5. Anonymous Coward

    The missing statement

    "We have now identified that the root cause of the problem was a cyber attack that targets a vulnerability in certain broadband routers, causing them to crash and disconnect from the network......"

    "....If we'd bothered to update the firmware for this known and fully documented problem prior to this, you wouldn't have suffered this issue....but we couldn't be arsed."

  6. Anonymous Coward

    And ISPs that leave the management ports open to the internet

    Why one would need the management interface enabled at all in a TR69 environment beggars belief. The management system(s) used in a SP DO NOT use normal config ports for management. At all. The connection is originated from the router to the control system and should (if the SP had any clue) be secured with X509 one way or even both ways (router and ACS). While the TR69 spec is considered by all people who have had to develop for it an Abomination Onto Nuggan, it is, if deployed as per its standard design, reasonably secure.

    This is criminal stupidity and incompetence. Actually what can I expect from a SP which used to advertise for a senior engineer position with laptop specified as a "benefit" in the job spec. I still keep that advert as a reminder "do not ever apply here" (from around 2007-ish). I guess they did not change. At all.

    1. Tom Paine

      Oooh, X.509, yeah, great security. The best security, really the best.
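The trust model the two posts above describe (Jon 37's on ISP remote management over TR-069, and the Anonymous Coward's point that the session is originated by the router and secured with X.509 one way or both ways), as an added example that is not from this thread or from any ISP's or ZyXel's code: a mock ACS built with Go's standard library that admits only CPEs presenting a certificate from the operator CA, and a CPE that connects outbound, verifies the ACS certificate and offers its own. The CA, ACS and CPE names and the empty stand-in for the CWMP Inform body are constructed for the demo; a real ACS terminates CWMP SOAP, which this mock does not.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)
// mkCert issues a short-lived Ed25519 certificate for name, signed by parent (a self-signed CA when parent is nil).
func mkCert(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{ // demo serials come from the clock; a real CA uses random serials
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { parent, parentKey = tmpl, key } // the operator CA signs itself
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// InformACS is the CPE side of TR-069: outbound HTTPS to the ACS, trusting only the operator CA and offering the CPE's own cert (nil = none provisioned).
func InformACS(acsURL string, roots *x509.CertPool, cpeCerts []tls.Certificate) (int, error) {
	cfg := &tls.Config{RootCAs: roots, ServerName: "acs.operator.example", Certificates: cpeCerts, MinVersion: tls.VersionTLS12}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Post(acsURL, "text/xml", nil) // nil body stands in for the Inform
	if err != nil { return 0, err } // handshake refused: untrusted ACS certificate, or the ACS rejected this CPE
	resp.Body.Close()
	return resp.StatusCode, nil
}
// Demo: a mock ACS admitting only CPEs whose cert chains to the operator CA; an enrolled CPE gets 200, a router with no cert gets a handshake error.
func Demo() (enrolledStatus int, strangerErr error) {
	ca, caKey := mkCert("operator-ca", nil, nil)
	acs, acsKey := mkCert("acs.operator.example", ca, caKey)
	cpe, cpeKey := mkCert("cpe-serial-0001", ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{acs.Raw}, PrivateKey: acsKey}}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots}
	srv.StartTLS()
	defer srv.Close()
	enrolledStatus, _ = InformACS(srv.URL, roots, []tls.Certificate{{Certificate: [][]byte{cpe.Raw}, PrivateKey: cpeKey}})
	_, strangerErr = InformACS(srv.URL, roots, nil)
	return
}
func main() { fmt.Println(Demo()) }
```

Note that nothing in this model listens on the router's WAN side: the ACS only ever sees sessions the CPE opens, so an Internet-exposed management port is a separate (and unnecessary) attack surface on top of it.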

  7. Tubz

    Hull's defences wide open, are we talking about their football team?

    1. Anonymous Coward

      Hah!

      They voted Brexit. Let them suffer.

  8. Anonymous IV
    1. Wensleydale Cheese

      Re: Better article on the BBC website...

      "TalkTalk and Post Office routers hit by cyber-attack"

      The mention of the Post Office in connection with telecoms had me thinking it was 1979 again.

      1. Geoff Heaton

        Re: Better article on the BBC website...

        Ah yes, and all the racks of Strowger switches were painted in Post Office Light Straw Paint.

        Happy days.

  9. frank ly

    That picture

    I'm sure that's not a picture of the Hull coast. Then again, it might have been developed a bit since I last saw it.

    1. Wensleydale Cheese

      Re: That picture

      "I'm sure that's not a picture of the Hull coast. Then again, it might have been developed a bit since I last saw it."

      A bit of A lot of climate change too. The last time I was there, a full on wet suit would have been more appropriate.

  10. Anonymous Coward

    Pasties and chip spice

  11. Anonymous South African Coward

    Bwahaha.

  12. Anonymous Coward

    KCOM farce

    The same Telecoms provider had an air-con unit above the main email server.

    So when the air-con leaked, it took down most of the client base email, consequently the P45 printer went into operation.

    Kit was replaced / repaired, but put back in the same location.

    Cue second leak.....taking it all down again.

  13. Mikitik

    Were only ZyXel routers not protected against such an attack, or have there been cases with other manufacturers as well?

  14. Mikitik

    The article says that only routers from ZyXel were affected.
