Misfortune Cookie Crumbles Millions of Security Systems

Check Point Software Technologies recently revealed a flaw in millions of routers that allows the devices to be controlled by hackers.

The company’s Malware and Vulnerability Group detected 12 million Internet-connected devices that have the flaw.

The vulnerability, which Check Point dubbed “Misfortune Cookie,” can be found in the code of a commonly used embedded Web server, RomPager from AllegroSoft. A system attacker can exploit it to take control of a router and use it to steal data from both wired and wireless devices connected to a network.

Fixes for the flaw have been available since 2005, but 98 percent of the devices using RomPager haven’t been updated and still contain the vulnerable version of the software.

Even if device makers had been on the ball and kept the embedded subsystems on their hardware up to date, chances are there still would be lots of vulnerable devices connected to the Net, observed Shahar Tal, malware and vulnerability research manager at Check Point Software Technologies.

“Most people don’t install upgrades to their firmware,” he told TechNewsWorld. “That’s why we believe this vulnerability will stay around for months and years to come.”

Thing Attacks

Infected routers aren’t a new attack vector for Net marauders. A widely reported incident early this year included routers in a malicious email campaign that flooded the Internet with 750,000 junk messages. Thousands of other gadgets also were used to disseminate the spam — things like home media centers, televisions, and at least one smart refrigerator.

Proofpoint, which discovered that caper, explained that it didn’t take rocket science to compromise the devices. Attackers simply exploited misconfigurations or factory-set passwords to crack them.

Billed as the first large-scale attack using the Internet of Things, the Proofpoint discovery may be a sign of things to come down the road.

“I don’t think this will be widespread in 2015, and we don’t expect that IoT devices will be main targets, but it will start to evolve next year,” said Cathal McDaid, head of data intelligence and analytics for AdaptiveMobile.

A number of things make IoT devices ripe for hacking. They’re not monitored by people as a phone or computer would be. They don’t get upgraded often, and they may reside in out-of-the-way locations.

Attacks on IoT devices in 2015 likely will mirror the Proofpoint incident.

“Next year, we may see some of these mobile IoT devices compromised to send spam,” McDaid told TechNewsWorld. “Spam generated might be email — or if they are able to send text messages, then spam SMS.”

Asleep in the Corner Office

Since the limelight has shone on information security at Sony, a multitude of sins have been exposed, including a tidbit about the company’s CEO, Michael Lynton, being regularly reminded in insecure emails of secret passwords for his personal and family mail, banking, travel and shopping accounts.

Security naivete isn’t limited to Sony’s corner office. Many CEOs are disconnected from the cyberthreats hurled at their companies every day.

For example, 80 percent of CEOs in corporate America don’t have any idea their company’s systems are being attacked on a regular basis, suggests a survey released earlier this year by Lancope and the Ponemon Institute.

Recent events at Sony may be changing that level of awareness, though.

“They are changing their behavior now, but it’s a painful process,” Lancope CTO Tim “TK” Keanini told TechNewsWorld.

Lack of awareness isn’t limited to the corner office, either — not when companies have to be told by outside parties that systems have been breached.

“Defenders need to detect a threat in its early stages, not when the Secret Service calls you — not when your source code is posted to Pastebin,” Keanini said. “If that’s your form of detection, we’ve got worse things coming.”

Breach Diary

  • Dec. 15. Two former employees sue Sony Pictures Entertainment in federal court for data breach that resulted from failing to secure its computer systems despite weaknesses it has known about for years. Lawsuit is first in what is expected to be many resulting from the Nov. 24 breach by a group calling itself the “Guardians of Peace.”
  • Dec. 15. University of California at Berkeley begins notifying some 1,600 current and former employees, as well as some individuals with ties to the school’s real estate division, that their Social Security numbers or credit cards may be at risk due to a breach of the school’s computer systems.
  • Dec. 15. Microsoft files in federal court 10 briefs from groups ranging from technology companies to media firms to trade associations supporting its refusal to honor a subpoena issued by a U.S. court for emails stored at a data center in Ireland.
  • Dec. 18. Sony Pictures Entertainment cancels theatrical release of The Interview after a threat by hackers prodded America’s five largest cinema chains to refuse to screen the comedy about the assassination of the leader of North Korea.
  • Dec. 18. Survey of 2,011 consumers by One Poll and Dimensional Research finds 40 percent of shoppers believe using a third-party payer, like PayPal or Google Wallet, is the safest way to pay online; only 1 percent feel using a third-party payer, like Apple Pay or Google Wallet, is a safe way to make in-store purchases.
  • Dec. 19. FBI announces it has extensive evidence that the North Korean government organized the cyberattack that led to the data breach of Sony Pictures Entertainment on Nov. 24.
  • Dec. 19. Boston Children’s Hospital agrees to pay US$40,000 fine to Massachusetts and improve its security measures as result of 2012 theft of a physician’s laptop containing personal information for more than 2,000 patients, the majority of whom were less than 18 years old.
  • Dec. 19. Federal judge in Minneapolis rules customers may sue Target for 2013 data breach in which the personal and payment card information of 110 million shoppers was stolen.

Upcoming Security Events

  • Jan. 19. B-Sides Columbus. Doctors Hospital West, 5100 W Broad St., Columbus, Ohio. Fee: $20.
  • Feb. 4-5. Suits and Spooks. The Ritz-Carlton, Pentagon City, 1250 South Hayes Street, Arlington, Virginia. Registration: $675.
  • Feb. 10-12. International Disaster Conference and Exposition (IDCE). Ernest N. Morial Convention Center, New Orleans. Registration: government, nonprofit, academia, $150; private sector, $450.
  • Feb. 11. SecureWorld Charlotte. Harris Conference Center, Charlotte, North Carolina. Registration: $695 (with 16 CPE credits); $295 (with 12 CPE credits).
  • Feb. 19. Third Annual 2015 PHI Protection Network Conference. The DoubleTree – Anaheim-Orange County, 100 The City Drive, Orange, California. Registration: before Jan. 2, $199; after Jan. 1, $249.
  • March 24-27. Black Hat Asia 2015. Marina Bay Sands, Singapore. Registration: before Jan. 24, $999; before March 21, $1,200; after March 20, $1,400.
  • April 20-24. RSA USA 2015. Moscone Center, San Francisco. Registration: before March 21, $1,895; after March 20, $2,295; after April 17, $2,595.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.

1 Comment

  • We often hold up CEOs as some kind of superhuman breed. CEOs are supposed to have highly specialized knowledge and skills to guide their companies through the tricky reefs of today’s market conditions. Far more often they are men who through an accident of fortunate promotion have ended up in positions of corporate power that they really don’t merit.

    An executive that has his passwords insecurely emailed to him is a fine example of this. It’s hard to imagine anything more stupid or irresponsible in today’s I.T. security environment, especially for a corporation like Sony with thousands of jobs and billions of dollars on the line.
