Netgear Router Private Keys Insecure System

Two researchers, Tom Pohl and Nick Starke, found a problem in Netgear routers: a private key shipped inside the firmware, which anyone who extracts it can use to impersonate the router's web interface to a browser.

Here is their GitHub link and a screenshot:

The problem stems from how the router is set up, as you can see from the settings page of one of the WiFi-enabled routers:

The issue is this: for browsers to trust https://routerlogin.net without a certificate warning, the router has to present a certificate for that name signed by a public certificate authority, and the matching private key has to be on the router. Netgear stored that key in the firmware image, which is not protected in any way, so anyone who downloads the firmware and unpacks it can pull out the key. With the key in hand, an attacker can present a valid routerlogin.net certificate and impersonate the router's admin page to any browser.
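As an added example (not code from this post, from the researchers, or from Netgear), here is the check a defender or auditor would run to confirm the condition just described on a firmware image: find every PEM private key embedded in the image and test whether one of them is the key behind a given public key, i.e. the SubjectPublicKeyInfo that the router's certificate carries. The "firmware image" and both RSA keys below are constructed toy data built inside the script, the DER helpers and every name in it are illustrative assumptions, and the 12-bit keys are nothing like real router material.

```python
"""Added illustration (not the researchers' tooling and not Netgear code):
scan a firmware image for embedded PEM private keys and report whether a
found key is the one behind a given public key / certificate.
Everything below is constructed sample data: the 'firmware image' is a byte
blob assembled in this file, and the RSA keys are toy 12-bit keys (n = 3233
and n = 3127), nothing like a real router key.  Standard library only."""
import base64
import re

# ---- minimal DER encode/decode, enough for RSAPrivateKey and SubjectPublicKeyInfo ----

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(v):
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # extra byte keeps the sign bit clear
    return b"\x02" + _der_len(len(body)) + body

def der_seq(*items):
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body

def der_bitstring(payload):
    body = b"\x00" + payload  # leading byte = number of unused bits
    return b"\x03" + _der_len(len(body)) + body

def der_parse(buf, pos=0):
    """Return (tag, contents, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(contents):
    """Split the contents of a constructed type into (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_parse(contents, pos)
        out.append((tag, val))
    return out

# ---- key handling ----

def rsa_private_modulus(der):
    # RSAPrivateKey ::= SEQUENCE { version, modulus, publicExponent, privateExponent, ... }
    tag, body, _ = der_parse(der)
    assert tag == 0x30, "not a SEQUENCE"
    return int.from_bytes(der_children(body)[1][1], "big")

def spki_modulus(der):
    # SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }
    # and the BIT STRING wraps RSAPublicKey ::= SEQUENCE { modulus, publicExponent }
    _, body, _ = der_parse(der)
    _, bitstr = der_children(body)[1]
    _, rsa_pub, _ = der_parse(bitstr[1:])  # skip the unused-bits byte
    return int.from_bytes(der_children(rsa_pub)[0][1], "big")

PEM_KEY = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\s*(.*?)\s*-----END \1-----", re.S)

def find_private_keys(image):
    """Return [(offset, label, der_bytes)] for every PEM private key in the blob."""
    return [(m.start(), m.group(1).decode(), base64.b64decode(b"".join(m.group(2).split())))
            for m in PEM_KEY.finditer(image)]

def audit(image, spki_der):
    """For each embedded key: is it the private half of the public key in spki_der?"""
    want = spki_modulus(spki_der)
    return [(off, label, label == "RSA PRIVATE KEY" and rsa_private_modulus(der) == want)
            for off, label, der in find_private_keys(image)]

# ---- constructed sample: two toy RSA keys, one of them the certificate's key ----

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 rsaEncryption
DER_NULL = b"\x05\x00"

def toy_rsa(p, q, e=17):
    """PKCS#1 RSAPrivateKey and SubjectPublicKeyInfo DER for tiny primes (illustration only)."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    priv = der_seq(der_int(0), der_int(n), der_int(e), der_int(d), der_int(p), der_int(q),
                   der_int(d % (p - 1)), der_int(d % (q - 1)), der_int(pow(q, -1, p)))
    spki = der_seq(der_seq(RSA_OID, DER_NULL), der_bitstring(der_seq(der_int(n), der_int(e))))
    return priv, spki

def to_pem(label, der):
    return b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(der) + b"-----END " + label + b"-----\n"

CERT_PRIV, CERT_SPKI = toy_rsa(61, 53)  # key behind the (hypothetical) routerlogin.net certificate
OTHER_PRIV, _ = toy_rsa(53, 59)         # an unrelated key that also happens to sit in the image
FIRMWARE_IMAGE = (b"\x00" * 64 + to_pem(b"RSA PRIVATE KEY", OTHER_PRIV)
                  + b"\xff" * 32 + to_pem(b"RSA PRIVATE KEY", CERT_PRIV) + b"\x00" * 16)

if __name__ == "__main__":
    for off, label, hit in audit(FIRMWARE_IMAGE, CERT_SPKI):
        print(f"offset {off}: {label}{' <-- matches the certificate' if hit else ''}")
```

On a real device you would first unpack the image (the filesystem is usually compressed, so the PEM markers may not be visible until a tool such as binwalk has extracted it) and take the public key from the certificate the router actually serves (`openssl x509 -in cert.pem -pubkey -noout`, then base64-decode the PEM body to get the DER that spki_modulus expects). A match means that anyone holding a copy of the firmware also holds the private key, which is exactly the condition described above. The toy keys here are far too small for anything but a demonstration.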

I am not going to explain how that attack would be carried out, but suffice it to say the criminal underworld on the Internet will find a way to monetize this issue.

Several issues arise from this problem. Why did Tom Pohl and Nick Starke disclose the issue to the general public before a fix was issued? Because there was not enough communication from Netgear.

This is another cybersecurity complication that does not make much sense to many people.

Contact Us to discuss this subject and if it affects you.

Why is Cybersecurity so Difficult to Understand?

Not everyone understands all of the complex pieces, or the economic ramifications of them.

What makes this decision so difficult? It requires an owner to spend at least 3-4 hours a week on a topic that will not make any money and will only help keep the business running. Yet skipping this "expenditure" of resources (time) makes it increasingly unlikely you will be ready for a possible extinction-level event.

The problem is a matter of perception. The owner running the business wears many hats and performs many different functions. The ultimate goal of a business is to sustain itself and grow, make a profit, and perform a specific function in the marketplace. That goal does not usually include a strategy to protect the business in case of disaster. It is something that should be done, but it is not among the goals of the business.

So performing this function well, and making sure it actually gets done, requires a concerted effort. Otherwise, as the informationweek.com article puts it: "SIM study points to Lax Focus on cybersecurity".

Cybersecurity has become more important, but the ‘paying attention’ department is a difficult one.

To some degree it is a level of understanding: should we meander our way to making things 'right'? Or should we push and cajole business owners to do the right thing?

How else to explain this? Sometimes a system needs to be replaced or upgraded rather than just patched (some patches require a lot of changes). But getting a new computer is sometimes a wrenching change, so the decision gets delayed. This is why a Security Policy is so important: it codifies the thinking and actions behind the many decisions that have been made and still need to be made.

The other challenging aspect of cybersecurity is its ever-changing nature. Because of constant patch management and end-of-life decisions by software and hardware companies, nothing in the environment stays the same for very long.

The following image is a small snapshot of what happens in the IT world on a monthly basis.

  1. Patch Tuesday (Microsoft releases its slew of patches on the 2nd Tuesday of the month).
  2. This month Windows 7 reached end of life, but all devices have an end of life.
  3. Chinese hacking groups are being uncovered again (which means there are others).
  4. Vulnerability management is not easy.

While your business may have marketing and cost challenges due to changes in the world, the IT world is in constant flux: new vulnerabilities, older systems, new adversaries, and many other issues. So to make sure you do not end up with a disaster on your hands, controlling this cybersecurity beast requires 3-4 hours per week in my opinion. Contact Us to discuss.

Can Cybersecurity Crowdfunding Fix Psychology of Security?

Crowdfunding is the practice of funding a project or venture by raising small amounts of money from a large number of people.

What I propose, to address the Psychology of Security phenomenon, is to create a 'CrowdCyber' situation!

We need to set up a peer-pressure situation:

If you shop at a local small business and hope it will still be there a year from now, you need to know that it is following proper IT practices. How would you know they are doing the right things?

If the small business displays the following sticker, you know it is doing what is needed to survive even if a catastrophe occurs (a major drive failure or ransomware):

Contact Us to discuss your favorite business that should get the Oversitesentry Seal

Timeline of Ransomware as 2019 closes

As we review the last year, and really the last few years: what has changed in the decade of the 2010s?

There are many ransomware timelines, like the one at TCDI.com.

But what does the review mean as we look at the last 15 years of ransomware? The criminals started out slow; the first ones were clunky and not very good. In fact they didn't even work, but year after year there were improvements, and soon enough came a breakthrough:

CryptoWall, which appeared in 2014, produced a large amount of revenue for the criminals ($325 million is the estimate). Other things happened, but this was the major event, because now there was a "criminal business" with a budget, employees and more. The underworld also has ways to hide in the shadows, and another notable development was that one no longer needed to be a master hacker to attack people. Some criminal enterprises created online marketplaces to sell their 'wares' and 'services',

for example cardingworld.cc (as discussed on KrebsonSecurity.com):

So in 2014 there was a perfect storm of criminal elements, and once $325 million had been received, the next year and the year after that had to be bigger, right?

So now we have a very sophisticated set of attackers bent on making more money with sophisticated ransomware that will likely change every year. And entry into the "new business" of making money with ransomware is easier than ever: one can buy the ransomware technology and the support infrastructure, and then all one has to do is find the 'suckers' who will have to pay up. That is where one either sends out spam or uses other ways of hacking people. If more people did what is good for defense this would be hard, but since a significant number of people are not paying attention, there are plenty of targets out there.

The ROI on ransomware is 1,425%, according to a Dark Reading article (the figure comes from Trustwave's 2015 Global Security Report).

Think about what happens when there are plenty of targets and a 1,425% return on investment (ROI): there are going to be lots and lots of competitors. And that is exactly what has happened in the last few years.

You must have your act together and at least have the 12 PCI DSS requirements in place to defend yourself. https://oversitesentry.com/small-company-cybersecurity-basics-pci-compliance/

Contact Us to discuss your situation.

Psychology of Security Part 2 or “let’s try this again”

The Psychology of Security is a unique phenomenon:

Psychology of Security

Or a screenshot:

So how can the Psychology of Security be explained in a new and (hopefully) simpler way?

Let's say we have a small business. It does not have a large payroll (a few employees), so sales are also under a million dollars; let's put sales at half a million. The margins are not that large, so it takes all the effort and energy of the owner and employees to keep things operational amid all the changes in the world.

This means there is not really enough time or resources for the new initiatives the owner would like.

So now we have set the stage.

What about cybersecurity? Well, the owner expects the IT department to take care of that (usually an employee who is good with technology, or a third-party consultant).

So should you pay more attention to cybersecurity, or leave the arrangement as is?

To pay more attention to cybersecurity there has to be a reason. Looked at plainly, the choice is to spend more time and money on cybersecurity in order to not lose data and resources.

This choice is not easy for the business owner to analyze, unless one has a natural disposition toward security. Spending money in order to lose less money is a choice 30% of people do not make.

The problem is that the criminals know this, and have developed ransomware for a few thousand dollars (programmers are cheap in Eastern Europe). It only takes 5 ransomware successes out of a scattershot of millions of emails to get that money back. One does not need a business degree to see the math: a million-email campaign costs $50-$100, and every successful attack brings in $300-$500.

We are going to see more possible attack angles, not fewer.

The real choice is not about losing a little money; it is about losing your business. If the IT setup is not just right and ransomware succeeds, how will you recover when you lose all your data?

It is too difficult a burden to overcome, so many businesses give up and reincarnate as something else, or forget about it altogether.

What do you think of this new attempt at explanation? Contact us to let us know.