Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: EE BrightBox router hacked - bares all if you ask nicely

From: Źmicier Januszkiewicz <gauri () tut by>
Date: Thu, 16 Jan 2014 12:52:51 +0100
True, some sort of legislation might do the trick, but there is always
this nasty question which we all really hate: who is going to pay for
that? We can't burden national budgets with stuff like that, ISPs do
not produce more than they are paid by customers, so... end users! So
technically, we'll be forcing end users to pay more for something they
do not care as much about. :-) Also, the "standards" would need to be
defined somehow (see Huawei vs U.S. of A. and other countries).

With regards to security costs, my freelance programming experience
tells me that people tend to produce no more than they are paid for;
assuming someone would work extra hours to implement something not
previously negotiated (see above) and hence not paid for is a bit
naive (no offense). Same goes for companies that do outsourcing
contracts, they are paid by hours and they pay by hours, so sometimes
you are actually asked NOT to put in extra effort. :-) As for basic
security practices, well, the device does ask for password, doesn't
it. :-) Seems we should define "basic" here.

A somewhat related point is that these "basic security practices" you
mention are not actually taught anywhere on CS courses one would
usually take, even less so on some "teach yourself {a language} in 21
days" sort of courses/books. It is a ground-breaking revelation for
many development folks that you can compromise an application via a
crafted data file exploiting some sort of a buffer overflow!

2014/1/16 Dan Ballance <tzewang.dorje () gmail com>:

So your point is that there should be legislation to require companies to
adhere to certain security standards? I'd support that - particularly in an
ISP market which is clearly defined by national boundaries and law.

I do agree with you this is probably to do with cheap out-sourcing, as well
as subsequent economic analysis. Where I disagree is that basic security
costs any more. Most of this stuff is what I would classify as "school boy
errors" - not a super-secure system designed by the finest security minds in
the industry. Anyone with even mid-range skills should be able to implement
basic security practises as they work IMHO. But I do take your general point
:)

As for my shock - well I am still shocked. It sucks big time and they really
should be doing better. Let's hope Scott's article gets some coverage and
finds its way back to them.





On 16 January 2014 09:32, Źmicier Januszkiewicz <gauri () tut by> wrote:



Absolutely shocking lack of security considerations.


Is it, really? I've got a feeling that companies don't give a s--t
about your data, your privacy, and so on (proved by numerous examples
out there), unless absolutely required to do so by law, and there is a
good reason behind that. It is not a charity fund, you see; a company
is all about money, even if they state otherwise via their "motto" or
"mission", and as we all know, a dollar saved is a dollar earned... So
they try to get it working by hiring 1-2
Chinese/Indian/Pakistan/Younameit techies (not because they are bad at
what they do, but because they are cheap), and squeeze them until the
stuff is working somewhat. And that's it! Then those who made it work
are fired, and another group with even thinner payslip is hired for
"support". Note that at no point any emphasis on security of the
product is made -- a company is not interested in spending more money,
and workers are not interested in spending their life without any
compensation.

Why a company is not interested? Just some simple calculations anyone
can do: having a working device/service/whatever brings in paying
customers, having a secure device/service/whatever brings in expenses.
So, we get the usual "sorry, we have no budget for that!" reply even
if one asks for a security review.

And then, see, even if your company manages to produce a "highly
secure" device/service by hiring N brilliant minds and paying a
5-digit/mo each of them, then magic happens -- the cost of the end
product is so high nobody buys it! Surprise! Will you pay 300 pounds
more for something that does the same, but claims to be "secure"? No.
Will a punter pay 300 pounds more for that? Hell no. Just as simple as
that.

I do find it amusing as people get "shocked" by such a simple thing...


2014/1/16 Dan Ballance <tzewang.dorje () gmail com>:

What a great write up and what an appalling mess for a UK ISP to be in
in
2014. Absolutely shocking lack of security considerations. Thanks for
sharing this. I've just followed you on Twitter as well,

cheers,

Dan.


On 15 January 2014 20:28, Scott Helme <scotthelme () hotmail com> wrote:


The BrightBox router is the standard equipment issued by UK ISP
Everything
Everywhere (EE) to its subscribers.

The device not only leaks sensitive data but is remotely exploitable
too.
An attacker even has the ability to take control of your account as the
router leaks your ISP account credentials.

You can read the full article here:
https://scotthelme.co.uk/ee-brightbox-router-hacked/

Scott.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/





_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: