Tag Archives: CERT

The Chinese Don’t Need To Hack Us, They Let Themselves In Via The Back Door They Left Open

The Computer Emergency Response Team (CERT), a part of the Department Of Homeland Security, released an alert this week regarding yet another series of DSL routers that have hard coded userids and passwords.  The routers, which likely share firmware from a common Chinese manufacturer, all have passwords of the form XXXXairocon, where XXXX are the last 4 digits of the router’s MAC address.   That means that hackers, worst case, have to try all combinations of 4 digit passwords to get into the router, but in reality, they can ask the router what it’s MAC address is and the router will tell the hacker, so they don’t need to guess at all.

Who knows if the Chinese did this on purpose so that they could walk into the network if they wanted to, but that is certainly a possibility.

CERT says that the vulnerability is not new, so who knows if hackers, the Chinese, the Russians and/or intelligence agencies have been using this open back door for years.  That would not surprise me.  US Cyber Command formalized a policy earlier this year that says that they will keep these vulnerabilities secret if it is important to national security.  CERT released an earlier advisory last year listing a different set of routers that have a similar problem.

CERT also says that they know of no way to mitigate this vulnerability other than to unplug the router, run your car over it and replace it with a different router.

This is a precursor to the Internet of Things (IoT) security nightmare to come.   IoT devices typically have an embedded web server and other software, written by a Chinese software company and purchased by the IoT device manufacturer from the lowest bidder.  These devices are usually not patched from when the shrink wrap is first removed until they visit a landfill at the end of their life.

That does not mean that these devices don’t have vulnerabilities, but rather that no one is looking for those vulnerabilities or patching them.  Even if the vendor does issue a patch, consumers are highly unlikely to install a patch.  After all, when was the last time you patched your refrigerator or VCR?  Do you even know HOW to patch them?  I will admit that I had  my dishwasher repaired a few months ago and the technician literally COULD NOT close the repair ticket until he patched the dishwasher.  If I had not had a service call, the dishwasher would remain unpatched.

A link to the CERT advisory, which lists some of the affected routers, can be found in the Computerworld article linked below.

Information for this post came from Computerworld.

CERT Alert on the Sony Malware

The U.S. CERT, part of the Department of Homeland Security,  has released an alert describing the malware that took Sony apart pretty effectively.   Without going into a lot of detail, here is the high level overview:

  • The malware takes advantage of Windows SMB (server message block) protocols that are common to all versions of windows
  • The malware worms its way through the target’s network using brute force guessing of Windows share passwords.  It reports back home every 5 minutes with its successes and asks for new instructions
  • It has a listening component that listens on specific ports on the infected machine (probably for commands)
  • It has a backdoor component that handles file transfer, system survey, proxying and can execute arbitrary commands.  It can even open ports on the victim’s host firewall (one reason I don’t like software based firewalls)
  • The malware has a proxy tool that allows it to listen on a particular port and perform a variety of administrative functions for the malware
  • It contains a module to overwrite data on up to 4 disk drives and if the user has local admin privileges, it also overwrites the master boot record so the computer will not boot.
  • It has a network propagation wiper that allows it to worm its way through the network using built in network shares, drop the malware on the new machine and start destroying that machine.

As you can tell from this very brief description, this is a pretty sophisticated piece of software that someone spent a fair amount of time constructing.

Based on what is described in the alert, this malware would do a pretty good job of laying waste to any network it was found on.

The wiper part is what does the actual damage.  The rest is for recon and control.  By overwriting the disk, you make recovery, for all reasonable situations, impossible and the only option left is to rebuild the system from scratch.  This is why Sony told employees not to turn on their computers and not to connect to the company Wi-Fi.

There were reports in the media of security experts (like Kevin Mandia of Mandiant)  saying that there was nothing Sony could have done to protect itself.  Given this analysis and the assumption that someone did something to get it started inside the Sony network (like clicking on a malicious link), I tend to agree with him.

They probably should have seen the data going out. 50 or 100 terabytes of outbound traffic is a lot, even for Sony.  But if these guys were in there for 6 months, then even that might not be obvious.  And, Sony may not do outbound traffic analysis.