Security Week 05: Facebook sign-on token, vulnerabilities in Netgear routers, self-DDoS in the British Ministry of Health

Cybersecurity is not necessarily protection from external cyber attacks. According to the British edition of The Register, November 14 last year, the day in the British Ministry of Health (National Health Service) is not set. In the morning, the employee created a new mailing list for colleagues from her own small department. After creating the list, she sent there an empty message with the subject “Test”.

As it turned out later, the “only employees of my organization” item was selected in the mailing list creation system, which actually meant “all employees, in general, everything”, and there are, for a minute, 850,000 people in the NHS office in England. After the test was sent, about 80 irritated colleagues responded to the mailing list with a request to exclude them immediately. And off we go.

According to the sources of The Register, in just an hour or so, about 500 million mail messages passed through the department’s mail system, which caused delays in the delivery of regular letters during the day. To the credit of employees of an external contractor responsible for setting up mail, the system did not fall to the end, despite the sudden opening of the collective chat. In the end, the contractor was still guilty, forced to modify the system for creating mailing lists and cut it off from harm's way. Such is the spontaneous DDoS.

Facebook added factors to the authorization system, supports hardware tokens
News Facebook Announcement
')
Facebook now supports Universal 2nd Factor standard hardware tokens, such as YubiKey . A corresponding option appeared in the Facebook settings, where you can link a token to your account and enter the social network even if you do not have access to the phone. Prior to that, the main method of two-factor authorization on Facebook was exactly the smartphone: a fairly convenient system allowed to authenticate on the new device, by viewing the authorization code on the already logged-in phone, or by receiving an appropriate SMS.



At first glance, authorization by token is not the most efficient and convenient scheme, if only because you can only insert a token into a full-fledged PC, everything is more complicated for mobile phones and tablets. Even on computers, only Chrome and Firefox browsers are currently supported. In the future, this issue may be resolved with the advent of tokens working through NFC without wires. Even so, the design breaks when your phone serves as your token. You can lose, in general, both of them with approximately the same probability. As a backup option, the token is useful, but there are other ways. Apparently, in this case, the social network operates according to the “does not hurt” rule. The latter initiative is in line with other methods to protect users: from reporting cyber attacks to potential victims, to supporting OpenPGP.

A vulnerability was discovered in Netgear routers that allows to bypass the password.
News Trustwave study . Information on the Netgear website.

I recommend reading the story of Simon Kenin at the link above: a rare case when the process of researching security systems is described in a human language understandable for mere mortals. It all started when Simon suddenly dropped the Internet, he was too lazy to go to the router and reboot, and the password from the web interface was forgotten. Investigating the HTML code of the page about incorrect password entry, Simon discovered the string unauth.cgi with some digital code as a parameter. The Internet had risen by that time, thanks to which we managed to google for the presence of vulnerabilities in this model of Netgear router.



It turned out that the vulnerability had already been disclosed (and possibly patched, but who updates the routers at all?): If you take that same code from unauth.cgi and feed it to another technical web page, you can get the password. Further field tests began: Simon found other owners of Netgear routers and decided to find out which other models were subject to. Since “exploit the vulnerability” had to be remote, he wrote a script in python.

He wrote it badly: an error led to the fact that instead of the necessary code, garbage was transmitted to the router. And what do you think? It turned out that garbage is accepted with a bang, in response a password is given, and this is a completely different vulnerability , to which many more models are exposed. The vulnerability is easily exploited locally, but can also be used remotely if remote access to the web interface is enabled. According to Netgear, the vast majority of users have it turned off. According to Simon, this may be so, but hundreds of thousands of devices are still subject to remote operation.

Then the working days began: the data was transferred to the manufacturer in April last year, since then there has been a process of closing vulnerabilities, which lasted until last week. This is certainly a positive example of interaction between the researcher and the vendor, if you recall the recent story about an Internet provider who ignored information altogether. But do not forget that routers are now probably the most problematic devices in terms of delivering patches to the end user.

Antiquities

"V-5120"

Non-resident non-dangerous virus. Standardly infects .com and .EXE files. Since 1992, when running infected files, reports “ACCESS Denied” and returns to DOS.

Quote from the book "Computer viruses in MS-DOS" Eugene Kaspersky. 1992 Page 93.

Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. Then how lucky.