back to article Router ravaging, crippling code, and why not to p*ss off IT staff

It has been a busy week for security, with the CYBERUK 2018 conference in the UK and the industry gearing up for BSides and the RSA conference in San Francisco next week. But there have been a bunch of smaller stories that may have slipped under your radar, plus all the other bits and pieces we've covered this week. Wreckin' …

Anonymous South African Coward
Silver badge

Tsk.

Still boggles my mind that people will try to beat the BOFH... and they get caught.

It is not worth it. Rather walk away, keep your record clean and avoid all sorts of nasty surprises down the line.

tfewster
Silver badge
Facepalm

Walk away after making sure someone disables your accounts and remote access.

>As any security professional will tell you it's not outside hacking attacks that make up the bulk of issues, but your own staff.

BS - A recent El Reg article estimated internal issues as 25% of the total, and even that was inflated by inappropriate access, e.g. users accessing celebrities records.

>Kugler pleaded guilty to one count of fraud

Strange that a fraud charge was used, as it doesn't appear that she took money. But maybe it's easier for the courts to handle than hacking charges.

Blockchain commentard

Creating fake user accounts to log on = fraud (by impersonation of people other than herself). I think the US reserves hacking charges to UK citizens !!!!

Anonymous Coward
Anonymous Coward

Rather ensure that it can't be traced back to you. And that any business you're trying to take down is taken down hard - including all backups etc.

I see such a plan as taking around 2 years to mature (ie ensure that backups are corrupt or at least no longer relevant). By that time they will most likely have other people who are more likely to be blamed too.

AC, natch

macjules
Silver badge

Drupalgeddon

The security team is now aware of automated attacks attempting to compromise Drupal 7 and 8 websites using the vulnerability reported in SA-CORE-2018-002. Due to this, the security team is increasing the security risk score of that issue to 24/25

https://www.drupal.org/psa-2018-002

Basically, if you didn’t patch then why not?

Ken Moorhouse
Silver badge

Re: Basically, if you didn’t patch then why not?

My guess would be website designers who promise to get you to the top of google not providing any ongoing means for the end-user to maintain their site.

Anonymous Coward
Silver badge
Facepalm

Re: Drupalgeddon

Maintenance costs are unappealing.

Repairing after it has been hacked and defaced is a legitimate expenditure.

The fact that the one could have been prevented by the other is irrelevant.

Anonymous Coward
Anonymous Coward

"nasties leveraging vulnerable ......."

What are you? Some kind of reject from Pointy Haired Boss School?

Walter Bishop
Silver badge
Linux

Advanced malware infects people's systems

@anon: "What are you? Some kind of reject from Pointy Haired Boss School?"

Not exactly, it's just a violation of elReg editorial policy to mention $THAT->SYSTEM in relation to computer malware. The short version being that if you enable UPnP and use the default password on your router, you can get compromised.

Lee D
Silver badge

"In all, Akamai estimated that around five million routers could be vulnerable to hijacking via UPnP exploits: miscreants can use the flaws to rewrite networking tables, and turn devices into proxy servers. "

Yep. If you didn't know this, you didn't do your research and turned on UPnP because it was "convenient". UPnP is an unauthenticated protocol that allows ANY LOCAL USER to open ANY PORT to the world and direct it to ANY internal machine. Yes, your kids clicking one thing doesn't just break the computer they are on, it can put a permanent port forward of your CIFS/SMB port out to the public Internet for all the see, if it wants.

Most routers have terrible UPnP implementations too, so that it's not just local users, so that settings can persist, so that the user is never aware they're being accessed, etc.

UPnP is, was, and always will be a ridiculous idea for "convenience" when 99.9% of the world doesn't need to open any incoming ports anyway, no, not even for gaming. Only if YOU are hosting the server do you need to do that, and even then with an intermediary server on the Internet, you can still host games with ZERO open ports. Companies are just lazy and ask UPnP to open up port X to the world while you're playing your game rather than deploy even a single intermediary server.

And if you have UPnP on... tell me how the average user is supposed to know what's open, why and when it opens up? Because I've never seen a router that had that level of detail outside of big commercial things. Literally, UPnP is just a trojan horse that can unlock all your network firewall protections in seconds because ANY user asked it to, even unwittingly, from a games console, mobile phone or PC.

OzBob

Works both ways

I left a job in acrimonious circumstances, and made one of the most senior people there in terms of service (the facilities management lady) who could not be bought or intimidated by manglement, watch while my replacement disabled my accounts and changed the root passwords with me in the room (me being on the other side of the room). I also had a copy of the dates, sizes and checksums for all the important config files and libraries, and told manglement I did so (in a secure repository) and that if they falsely attributed my work to any faults, I would hear about it and I would sue. (I had references from others who had already left, and from my replacement who was a stand-up lady). Post-departure was surprisingly quiet in terms of support requests :)

Anonymous Coward
Anonymous Coward

Akamai report flawed.

The report from Akamai regarding UPnP and the list of 400 router models from 73 manufacturers that are hackable is somewhat flawed.

i.e. ASUS 'have not' opened up UPnP to the Internet (it is not supposed to be), therefore I am puzzled what vulnerability has been proven on the listed routers, or has an assumption been made based on other routers without verification. !!!

Dave Bell

Re: Akamai report flawed.

The Akamai report mentions "Open WRT" with a note that they couldn't tell the version.

Well, it's open source software for any number of different boxen, so maybe the model number is pointless, but it looks a bit odd how they handled it.

On the version I have on my router, UPnP is not enabled by default. It's a bit reckless not to check the Firewall settings.

I suspect that finding whether UPnP is enabled is easier to check than some think, but many users will need some hand-holding while they do the check. And that can start getting expensive.

Mayday
Silver badge
Pirate

$6k

Doesn't seem a lot by yank standards. They tend to flog people for $50M and demand 25 years in the joint when someone changes a password, modifies a screensaver or makes a PHB's homepage Goatse or Lemonparty.

Anonymous Coward
Anonymous Coward

> the cops, who quickly fingered Kugler and arrested her.

Prst. V.Jeltz
Silver badge

fnarr fnarr?

Seriously though, If I rang the local plod with a story like that there no way they would quickly apprehend a suspect. Hell , I could ring them and say my garage has been broken into , here's the kid on cctv , unfortunately wearing a balaclava , but we all know its billy from "the estate" and still nothing would happen.

Adrian 4
Silver badge

Not fnarr. Port 79.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018