Main Menu

Misfortune Cookie

Started by DebAmstutz, December 19, 2014, 07:01:12 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

DebAmstutz

Deb Amstutz
Missing TAM 5 days a week

Mark

Manufacturers affected included Linksys, D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL.

In addition to Misfortune Cookie, there is also this from earlier this year:

http://arstechnica.com/security/2014/02/bizarre-attack-infects-linksys-routers-with-self-replicating-malware/
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

Quote from: DebAmstutz on December 19, 2014, 07:01:12 AM
I wasn't really sure where to put this, but since it affects routers and such, it ended up here:

http://www.msn.com/en-us/money/technology/misfortune-cookie-flaw-puts-12-million-routers-at-risk/ar-BBgYuXd

I haven't checked out Mark's link, but thought I would post this link that includes a list of suspected vulnerable routers.

http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

My link was not exactly related to Misfortune Cookie, but was an additional vulnerability to home routers.

Also, I think Linksys was just added the the Misfortune Cookie list yesterday.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Joshua Conner

I wonder if custom firmware is affected?   I have an asus but it has custom tomato firmware on it.
Joshua Conner
Conner Insurance
Tam 2014 R2
Epic online with CSR24 and Salesforce Integration
39 Employees
Former Vice President Indiana Applied User Group
Webmaster http://www.appliedusergroup.com
Blog http://mylifewithtam.blogspot.com

Jeff Zylstra

Silly question here, but it never ceases to amaze me what ill advised things that computers and routers will allow.  In the case of the routers, apparently they are either able to write code to the router or make it pass through the router somehow.  Probably by this one, faulty chip.  I know that some hard drives require that you either slide a switch or insert a jumper to allow data to be written to it.  It would seem like that some physical safeguard like that would be possible to insert somehow downstream from other chips or programming that would stop this kind of stuff.  If you need to flash your ROM or something, you just insert a jumper and then flash it.


And computers and browsers allow executable code to be downloaded to the temp folder as a "drive by" download.  Why?  If I want to download something other than HTML code (webpages), I wouldn't mind using another browser or software.  It seems like things are too wide open for the sake of relatively little convenience.  Or am I over-simplifying things?
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

AS far as the router, if data could not be written to it (read: saved) how would you configure it?

As far as browsing, it's a little more complicated than that in my opinion.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

#7
Quote from: Mark on December 22, 2014, 08:29:26 AM
AS far as the router, if data could not be written to it (read: saved) how would you configure it?

As far as browsing, it's a little more complicated than that in my opinion.

I was thinking of a physical method, such as a "jumper" pin that would need to be inserted in order to program the router.  Maybe you could reset the router if it froze by power cycling it, but not remotely programming or configuring it.  It might be a pain, but if you were really concerned with these kinds of attacks, it might prove invaluable. 

If I remember correctly, Ironkey did something like this years ago with their USB drives.  The drive was read only until you slid a switch, then you could write to it.  I think it's purpose was for disinfecting computers with malware without allowing it to spread. 


Not sure if VMs/"sandboxes" or proxy servers would have helped this or not, but I have think it would have made it at least more difficult.  I'm interested to hear any analysis of Sony's corporate IT defenses, but I'm sure that won't ever happen.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

Interesting concept, for sure.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Billy Welsh

Quote from: Jeff Zylstra on December 22, 2014, 09:34:10 AM
Quote from: Mark on December 22, 2014, 08:29:26 AM
AS far as the router, if data could not be written to it (read: saved) how would you configure it?

As far as browsing, it's a little more complicated than that in my opinion.

I was thinking of a physical method, such as a "jumper" pin that would need to be inserted in order to program the router.  Maybe you could reset the router if it froze by power cycling it, but not remotely programming or configuring it.  It might be a pain, but if you were really concerned with these kinds of attacks, it might prove invaluable. 

If I remember correctly, Ironkey did something like this years ago with their USB drives.  The drive was read only until you slid a switch, then you could write to it.  I think it's purpose was for disinfecting computers with malware without allowing it to spread. 


Not sure if VMs/"sandboxes" or proxy servers would have helped this or not, but I have think it would have made it at least more difficult.  I'm interested to hear any analysis of Sony's corporate IT defenses, but I'm sure that won't ever happen.

That is an awesome solution, IMHO.  No changes, no updates/firmware without the jumper.  Just make it a larger than standard jumper for the old fogies like me, and easily accessible from the outside.  An easy "analog" type solution that requires physical access to the device - so there is nothing that can be "hacked."

A bit of a pain, yes, but I'd gladly put up with that over always worrying that I cannot keep up with the latest greatest digital defenses.
Billy Welsh
Director of Accounting
LCMC Health

Mark

"Hacking" doesn't always require anything to be written to the device though.  I think more often it is "tricking" it.   Not saying this idea is impossible, just don't think it's fool-proof.

Also, in order to keep a dhcp table, it would need to write to the device.  Same for logging, if any.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Joshua Conner

I am amazed my home internet is DSL.  Which has a modem.  The company I am with hands out private ips so we are all on a nat.  I called and requested a public ip to which they said ok.  I had to log into my modem which has default passwords and set it to get off the NAT.  I was shocked that it was all defaults and how easy it would be to log into everyones modems and make changes crippling everyone.
Joshua Conner
Conner Insurance
Tam 2014 R2
Epic online with CSR24 and Salesforce Integration
39 Employees
Former Vice President Indiana Applied User Group
Webmaster http://www.appliedusergroup.com
Blog http://mylifewithtam.blogspot.com

Jeff Zylstra

Quote from: Mark on December 22, 2014, 10:23:22 AM
"Hacking" doesn't always require anything to be written to the device though.  I think more often it is "tricking" it.   Not saying this idea is impossible, just don't think it's fool-proof.

Also, in order to keep a dhcp table, it would need to write to the device.  Same for logging, if any.

Yes, I think that the DHCP table could be an issue and could lead to a kind of a "DNS Poisoning" of sorts where traffic is rerouted to malicious sites.  Not sure the firewall could separate those functions adequately or not.  And I think that you are correct in that this would not be a foolproof thing, but may need to be one in many different counter-measures that might include proxies, VMs and other things as well. 

I don't remember if it was Jimmy V, or someone else who turned their router off at night using a light timer, but I thought its simplicity was brilliant.  If you need to transmit or receive, turn it on for 20 minutes or something, then turn it off.  Kind of like a "burst transmission".  And if you really need to turn on remote access, just call it on the "secret line" using an old fashion modem to activate the router.   I like those kind of "low tech" counter-measures.   

"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop