Tag Archives: vulnerability

Vulnerability found in Netgear home and small business router

A significant vulnerability has been found in the latest version (WNDR3700v4) of Netgear’s N600 Wireless Dual-Band Gigabit Router. Per the researcher with Tactical Network Solutions who discovered the flaw, it is “trivially exploitable” and allows the attacker to disable authentication, open up a backdoor (telnet session), and then return the router to its original state so that the user never knows it was open. According to PC World, other routers may be affected as well.

To mitigate the risk:

  • get the latest patch from Netgear (the Shodan database still shows at least 600 unpatched routers with the WNDR3700v4 hardware revision)
  • disable remote administration of the router (always)
  • use strong WPA2 pass phrases
  • don’t allow strangers on your network

D-Link begins offering router patches

D-Link announces that it is actively working to patch the vulnerabilities affecting admin access via the web. The post also cautions against responding to unsolicited emails about security vulnerabilities that “prompt you to action,” as they could be opportunistic phishing scams. D-Link also recommends disabling wireless access to the router.

Router patches so far are available at the bottom of this D-Link post.

Patches for a separate issue involving D-Link network camera vulnerabilities are available here.

Vulnerability discovered in several D-Link wireless routers

One of the models with the vulnerability


The Register reports that a vulnerability has been discovered in several home and small business router models made by D-Link. The vulnerability allows unauthenticated users to gain administrative access to the router’s Web interface, thereby providing access to the network behind the router.  Per the post, models include DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240 units.

 

Because there is no current fix, users should disable admin access via wireless connection.

Lions and Tigers and Bears

In this age of exponentially growing information risk, we can become like Dorothy was early in her journey and focus only on the things that can go wrong. We can get so caught up in what can go wrong that we forget to take inventory of what needs to go right.

Lions and tigers and bears ...


Over lunch recently, a friend of mine with a career in risk management shared a helpful perspective on this.  Instead of always approaching risk as trying to think of everything that can go wrong, think of what must go right first. That might sound like two sides of the same coin, but I think it is more than that. This approach helps to prioritize efforts and resources.

It’s easy to get caught up in trying to create an exhaustive list of everything that can go wrong. A problem with this is that it can:

      1. be overwhelming to the point of analysis paralysis, and
      2. tend to identify risk that may not be relevant to your situation. 

There are some risks that may not be immediately pertinent to you. For example, the latest specification for encryption for data at rest for DOD contractors might not be at the top of your list.  However, having an always-on internet connection so that you can make company website updates might be.

Take the hypothetical of a bike shop with three stores.  Some things that must go right for the owner might be:

  • Internet connection constant for running credit cards
  • Customer information (to include personally identifiable information) retained for billing and marketing and only accessible by authorized employees
  • Bookkeeper has secure connection to financials from outside the stores
  • Safe, secure workstations available 6:00 am – 6:00 pm for employees
  • 24/7 access to current inventory across all stores

These are some pretty basic requirements, but they help to prioritize need. Looking at these requirements for things to go right, what could prevent them from happening? What’s the risk of loss of internet connection? Are we sure that customer information is available to only authorized employees? What kind of connection is the bookkeeper using? Do the workstations have regular anti-virus updates? Are there policies/guidelines on workstation use by employees? If the computer with the store inventory fails, is there backup? How quickly does it need to be recovered?

In spite of the risks of lions, and tigers, and bears, Dorothy was able to return to her mission and seek the Wizard. We must do the same and not lose sight of our business objectives in our analysis of the lions and tigers and bears.

 

Can you name 5 things in your organization that must go right for you to be successful? What vulnerabilities do these objectives have? What threats do they face?

 

Risk Managing Residual Old-School Devices

I’ve encountered the risk discussed in this Forbes article more than once when taking over an organization and doing an initial information risk assessment. People tend to forget that these embedded devices can have simple or full-fledged Linux distributions (or other OS) in the firmware. Also, the default ports that were left open can be eye-opening.

An image from H.D. Moore's presentation on serial server security vulnerabilities, showing an oil and gas infrastructure setup networked with serial port connections. (via Forbes.com)


Researcher’s Serial Port Scans Find More Than 100,000 Hackable Devices, Including Traffic Lights And Fuel Pumps