Results 1 to 8 of 8

Thread: TalkTalk and Post Office router attack affects 100,000+ users

  1. #1
    HEXUS.admin
    Join Date
    Apr 2005
    Posts
    27,967
    Thanks
    0
    Thanked
    1,842 times in 625 posts

    TalkTalk and Post Office router attack affects 100,000+ users

    A similar attack affected nearly a million Deutsche Telekom internet customers.
    Read more.

  2. #2
    Senior Member
    Join Date
    Dec 2003
    Location
    Wilmslow
    Posts
    635
    Thanks
    214
    Thanked
    114 times in 82 posts
    • mtyson's system
      • Motherboard:
      • Gigabyte GA-B85M-HD3
      • CPU:
      • Intel Core i7 4790T
      • Memory:
      • 8GB
      • Storage:
      • Sandisk 128GB SSD + Seagate 750GB HDD
      • Graphics card(s):
      • Gigabyte Windforce GTX 660OC
      • PSU:
      • Corsair 400W
      • Case:
      • Zalman Z9 Plus
      • Operating System:
      • Windows 10
      • Monitor(s):
      • Acer IPS 24-inch 1080p
      • Internet:
      • 50MB Virgin fibre

    Re: TalkTalk and Post Office router attack affects 100,000+ users

    I've just received some expert comments on the attacks:

    Stephen Gates, chief research intelligence analyst at NSFOCUS:

    "The upsurge of commercial, industrial, and municipal IoT-based attacks and outages was part of my predictions for 2017. It appears the world will not wait for January 1, and the weaponisation of these technologies has arrived - ahead of schedule. No longer can service providers continue to operate their vulnerable networks in this fashion. Hackers apparently have them in their cross hairs, and the damage they can cause to their scantily secured infrastructures will continue to be a major pain in the backside for their customers; who are now likely looking for other options."

    Mike Ahmadi, global director - critical systems security at Synopsys:


    "Massively scalable attacks are the current trend in cybersecurity, and this should raise concern among all users and organisations. We have multiple issue to deal with here. One is the fact that most product vendors and organisations deploying the products remain unaware of the level of vulnerabilities in their systems. The other issue is for those that are aware, strategies to mitigate against large, scalable attacks are either rudimentary or non-existent. Simply put, organisations are not good at preparing for what they do not know about. The amount of risk out there is staggering, but there are ways for stakeholders to raise their awareness and come up with more effective pro-active strategies."

    Gavin Millard, EMEA Technical Director of Tenable Network Security:

    "With the battle for control of poorly configured IoT devices and routers being played out by multiple cybercriminal gangs at the moment, having default credentials on any device connected to the internet has a high probability of ending up with some derivative of Mirai installed. Any device that requires an inbound connection from the internet should have a strong, non default, password rather than one of the list Mirai is currently targeting. If you do have something with default credentials, reboot it and change the passwords immediately."

    Adam Brown, manager, security solutions at Synopsys:

    "Now that the source code for Mirai is out there this will most likely not be the last that we will see if this type of attack. Modern routers with 1+GHz CPU's make a great platform for a Botnet army and being located at the end of a high speed broadband connection make a great base for executing a DDoS attack. This outage may just be the first symptom of these infections. Suppliers of hardware like this must ensure they govern their supply chain."

    Andy Green, senior technical specialist at Varonis:

    “The lessons that should be learned from these ongoing Mirai attacks is just how vulnerable we were as a result of our own IT laziness. Sure, we can excuse harried consumers for treating their home routers and IoT gadgetry like toasters and other kitchen appliances – just plug it in and forget about it. So what excuse do professional IT types have for this rookie-level behaviour?

    Not much!

    Unfortunately, default-itis still plagues large organisations. As recently as 2014, the Verizon DBIR specifically noted that for POS-based attacks, the hackers typically scanned for public ports and then guessed for weak passwords on the PoS server or device – either ones that were never changed or were created for convenience, “admin1234”. This is exactly the technique used in the Mirai botnet attack against the IoT cameras.

    Even if hackers use other methods to get inside a corporate network — phishing, most likely — they can still take advantage of internal enterprise software in which defaults accounts were never changed.

    For those organisations who think that the Mirai botnet incident has nothing to do with them, or have to convince their board of this, here are two points to consider.

    1. The lesson of the Mirai botnet attack is that the perimeter will always have leaks. For argument’s sake, even if you overlook phishing scenarios, there will continue to be vulnerabilities and holes in routers, network devices, and other core infrastructure that allow hackers to get inside.

    2. Human nature tells us that IT will also continue to experience default-itis. Enterprise software is complicated. IT is often under pressure to quickly get apps and systems to work. As a result, default accounts and weak passwords that were set for reasons of convenience — thinking that users will change the passwords later — will always be an issue for organisations.

    You have to plan for attackers breaching the first line of defences, and therefore have in place security controls to monitor and detect intruders.

    In a way, we should be thankful for the “script kiddies” who launched the Mirai botnet DDoS attack: it’s a great lesson for showing that companies should be looking inward, not at the perimeter, in planning their data security and risk mitigation programs.”

    Lisa Baergen, director at NuData Security:


    “The unfortunate reality is that organisations that have been victimised by a breach can find themselves getting targeted over and over as cybercriminals seek to exploit previous known weaknesses or test systems to find new vulnerabilities.”

  3. #3
    Senior Member
    Join Date
    Apr 2004
    Location
    The Third Foundation
    Posts
    916
    Thanks
    2
    Thanked
    99 times in 91 posts

    Re: TalkTalk and Post Office router attack affects 100,000+ users

    I'm still kicking myself for forgetting to disable remote management then last time I reset my AMG1302, I always have done in the past. Luckily the virus doesn't appear to have done any harm before I worked out what was causing the erratic behaviour and reset it. The router got hit a week ago, and I only worked out what was causing it after a post on Tuesday by ISP Review:
    http://www.ispreview.co.uk/index.php/2016/11/talktalk-isp-routers-potentially-vulnerable-new-mirai-worm.html?replytocom=172837#respond

    It's ridiculous that these features are enabled by default. I understand why they're there, but they should be tied to a physical switch on the router or something so even the least technical user only needs to have them enabled when necessary. Otherwise they're just a disaster that'll repeatedly happen.

  4. #4
    Member
    Join Date
    Feb 2006
    Posts
    108
    Thanks
    0
    Thanked
    3 times in 3 posts

    Re: TalkTalk and Post Office router attack affects 100,000+ users

    This site may be able to tell you if your router is compromised it's by Bullguard AV (well know security company)
    http://iotscanner.bullguard.com/

    Some ISP branded routers require firmware updates from the ISP and wont work with vanilla firmware from the OEM, this only compounds the problem.

  5. #5
    I really don't care Dashers's Avatar
    Join Date
    Jun 2016
    Posts
    898
    Thanks
    30
    Thanked
    107 times in 88 posts
    • Dashers's system
      • Motherboard:
      • Gigabyte GA-X99-UD4
      • CPU:
      • Intel i7-5930K
      • Memory:
      • Corsair DDR4 3000 Quad
      • Storage:
      • Intel 750 PCIe SSD; RAID-0 x2 Samsung 840 EVO; RAID-0 x2 WD Black; RAID-0 x2 Crucial MX500
      • Graphics card(s):
      • EVGA GeForce GTX 970 x2 SLI
      • PSU:
      • CoolerMaster Silent Pro M2 720W
      • Case:
      • Corsair 500R
      • Operating System:
      • Windows 10
      • Monitor(s):
      • x2 23.5" 1080 72Hz OC
      • Internet:
      • Zen FTTC

    Re: TalkTalk and Post Office router attack affects 100,000+ users

    What I started to do last year was divvy up my internal network. Not really possible for your average home user though.

    So far I've started by separating my more traditional office it kit onto one subnet, my TVs and other connected media to a second, and anybody who rocks up and uses my wifi to a third. The main reason for doing this was to stop my brother from downloading dodgy stuff on my sky box with his phone each time he came around. But the rise of "smart" devices has had me worried for some time.

    This is all just controlled by DHCP reservations with everything not in it being dumped into the "public" subnet, which only has Internet access (still could be used to launch a DDOS attack, but less likely to be able to infect any network devices). There is no reason currently why somebody can't just manually IP their device and get onto the other network. That work starts after I upgrade my switch to handle VLANs.

    If you run an always-on server/NAS, you can virtualise it and slap on pfsense firewall too., and ditch that ISP provided colander.

  6. #6
    root Member DanceswithUnix's Avatar
    Join Date
    Jan 2006
    Location
    In the middle of a core dump
    Posts
    9,499
    Thanks
    462
    Thanked
    968 times in 823 posts
    • DanceswithUnix's system
      • Motherboard:
      • Asus X470-PRO
      • CPU:
      • 2600X
      • Memory:
      • 16GB 3200MHz
      • Storage:
      • 1TB Linux, 1TB Games (Win 10)
      • Graphics card(s):
      • Asus Strix RX Vega 56
      • PSU:
      • 650W Corsair TX
      • Case:
      • Antec 300
      • Operating System:
      • Fedora 28 + Win 10 Pro 64 (yuk)
      • Monitor(s):
      • Benq XL2730Z 1440p + Samsung 2343BW 2048x1152
      • Internet:
      • Zen 80Mb/20Mb VDSL

    Re: TalkTalk and Post Office router attack affects 100,000+ users

    Quote Originally Posted by Dashers View Post
    , and ditch that ISP provided colander.
    It should be a perfectly reasonable first line of defence. I have a Linux box with two ports on it acting as secondary firewall behind the consumer router, with public facing servers in the DMZ between all wired in red cables so I don't mis-plug something.

    One thing that is quite scary is how fast you can be attacked though. Apparently the time between incoming attacks on a router in the recent German outage was 5 to 10 minutes, so change the password and lock down the router on the LAN port *before* you plug the phone/WAN cable in else it might be compromised before you get to log in yourself!

  7. #7
    I really don't care Dashers's Avatar
    Join Date
    Jun 2016
    Posts
    898
    Thanks
    30
    Thanked
    107 times in 88 posts
    • Dashers's system
      • Motherboard:
      • Gigabyte GA-X99-UD4
      • CPU:
      • Intel i7-5930K
      • Memory:
      • Corsair DDR4 3000 Quad
      • Storage:
      • Intel 750 PCIe SSD; RAID-0 x2 Samsung 840 EVO; RAID-0 x2 WD Black; RAID-0 x2 Crucial MX500
      • Graphics card(s):
      • EVGA GeForce GTX 970 x2 SLI
      • PSU:
      • CoolerMaster Silent Pro M2 720W
      • Case:
      • Corsair 500R
      • Operating System:
      • Windows 10
      • Monitor(s):
      • x2 23.5" 1080 72Hz OC
      • Internet:
      • Zen FTTC

    Re: TalkTalk and Post Office router attack affects 100,000+ users

    Not sure the purpose of having two physical firewalls. Virtualise it, save on power. Do it all on your linux box.

    Totally agree with the speed of these things. I remember many years ago building a friend's computer, before the days of all-in-one routers and windows firewall, we attached his cable modem to the computer to run Windows update but before we could get the patch to plug the vulnerability, it had been infected.

    Anyway, anybody who fancies something different: you can buy a pre-made pfsense firewall for £130: https://shop.amicatech.co.uk/shop/hardware/sg-1000-microfirewall/

    Or, you could knock yourself together your own micro-server with an SoC board: https://www.scan.co.uk/products/gigabyte-ga-n3050n-d3h-integrated-dual-core-intel-celeron-n3050-16ghz-soc-ddr3-ddr3l-so-dimm-on-boar

    None of these contains modem, so you'll need a standalone modem (although, not router), such as the BT Openreach VDSL modem if you're on FTTC.

  8. #8
    Registered User
    Join Date
    Dec 2016
    Posts
    2
    Thanks
    0
    Thanked
    0 times in 0 posts

    Re: TalkTalk and Post Office router attack affects 100,000+ users

    Hello!


    From the default configuration of D-Link DSL-3780 by TalkTalk:

    "<Account>
    <Entry0 username="admin" web_passwd="admin"
    console_passwd="admin" display_mask="DF FF F7 BF FF DF FF FF FF" />
    <Entry1
    username="qwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiopqwertyuiop qwertyuiopqwertyuiopqwertyuiopqwertyui"
    web_passwd="1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678 9012345678901234567890123456789012345678"
    display_mask="D2 8C 84 8C 8C 8C 8C 8C 8C" />
    <Entry2 username="user3"
    web_passwd="1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678 9012345678901234567890123456789012345678"
    display_mask="5E 8C 6 8C 8C 8C 8C 8C 8C" />
    </Account>"

    I believe that this "issue" had been conveyed to TalkTalk earlier! Tech companies should limit the number of products released per year and provide better and long term support for these products in line with the capablities of their staff.

    Regards,
    Ahmed

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •