Modems, ISPs & the media How the Comhem vulnerability could have been handled, and what happened instead.

Who am Penetration Omegapoint Säkerhetspodcasten Annoyer of ISPs

This talk is about
- How I hacked my own modem
- How Comhem handled my bug report
- How I worked with the media to force Comhem into handling it better
- How they still failed
- And finally: how it should have been done

Let's go back a while. All the way back to August, 2013.

I live in a ComHem house, which means I get one of these:

It's my gateway to the internet. I decided to see if I could hack myself. There were two obvious ways to go about it.

Pros & Cons

Firmware Analysis
Pros:
- Can find stuff not obvious on the web interface
- Could possibly reprogram the modem
- Could find cooler vulnerabilities
Cons:
- Could brick my modem
- Lots of work
- Not my area of expertise

Web Interface hacking
Pros:
- Easy and quick
- Could find really stupid vulnerabilities
- Little to no risk of damaging the modem
Cons:
- I wouldn’t be learning anything new
- Soldering is cool!
- Won’t find hidden stuff

The web interface

Fiddling around with burp

Finding CSRF Vuln

Impact of the CSRF vuln
- Changing DNS
- Harvest account details
- Spread malware
- Steal Credit Card and bank details
- Port Forwarding
- Expose internal network to internet
- Turning on remote admin
- Changing all modem settings
- Stealing stored passwords (wifi passwords stored in cleartext)
- Downgrade security
- DOS
- Brick the modem

Hardware hacking

Analyzing firmware

Sending the bug report

ComHem Responds

A year goes by

What is responsible disclosure?

Comhem Responds

Comhem responds again
“The DNS problem only exists in Stockholm” -Comhem

Comhem locks down DNS
Limiting their modems to only using Comhem's DNS. This still doesn’t solve the following problems:
- Port Forwarding
- Expose internal network to internet
- Turning on remote admin
- Changing all modem settings
- Stealing stored passwords (wifi passwords stored in cleartext)
- Downgrade security
- DOS
- Brick the modem
- Etc…
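An added example, not from the talk and not Comhem's firmware: a small Python model of a modem admin interface that compares the DNS lockdown described above with a CSRF check applied to every state-changing request. The admin address, DNS values, setting names and function names are assumptions made for illustration.

```python
import hmac
import secrets

ADMIN_ORIGIN = "http://192.168.0.1"  # assumed address of the modem's admin UI
ISP_DNS = {"198.51.100.53"}          # placeholder for the ISP's resolvers


def new_session():
    """Session created when the owner logs in to the admin UI."""
    return {"csrf_token": secrets.token_hex(16)}


def csrf_ok(request, session):
    """Same-origin request that also carries the session's secret token."""
    same_origin = request.get("origin") == ADMIN_ORIGIN
    token = request.get("csrf_token") or ""
    return same_origin and hmac.compare_digest(token, session["csrf_token"])


def apply_setting(config, request, session, mitigation):
    """Apply one settings change; return True if the modem accepted it."""
    key, value = request["setting"], request["value"]
    if mitigation == "dns_lockdown" and key == "dns" and value not in ISP_DNS:
        return False  # only the DNS field is protected
    if mitigation == "csrf_check" and not csrf_ok(request, session):
        return False  # every cross-site request is refused
    config[key] = value
    return True


def forged_requests():
    """Constructed cross-site requests: foreign Origin, no token."""
    changes = [("dns", "203.0.113.66"),
               ("port_forward", "22->192.168.0.10"),
               ("remote_admin", True)]
    return [{"origin": "http://other-site.example", "setting": k, "value": v}
            for k, v in changes]


def settings_changed_by_forgery(mitigation):
    """Settings that forged requests still manage to change."""
    session, config = new_session(), {}
    for req in forged_requests():
        apply_setting(config, req, session, mitigation)
    return sorted(config)


def owner_change_works(mitigation):
    """A legitimate change made from the admin UI itself."""
    session, config = new_session(), {}
    req = {"origin": ADMIN_ORIGIN, "csrf_token": session["csrf_token"],
           "setting": "remote_admin", "value": False}
    return apply_setting(config, req, session, mitigation)
```

With the DNS lockdown alone, the port forwarding and remote admin changes still go through; with the token and Origin check, none of the cross-site requests are applied and the owner's own change still works.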

Minister proposes Law Change and PTS investigates

Comhem solves the problem
On the 14th of November a firmware update finally arrives, solving the problem.
- At this point, the media attention has died down
- No one cares that the issue is resolved
- The damage to Comhem is already done, and can’t be reversed at this point

What did we learn
- How should they have done it?
- Can we help our clients and companies handle these issues?
- What is it like to deal with the media
- Knowing what you want to say and being able to back it up

Evil DNS - Swedbank