I for one welcome our new convention of giving security vulnerabilities cute logos and names. It elevates their importance in the public eye, which -- I hope -- will elevate the importance of finding, fixing, and avoiding security vulnerabilities among the technoscenti.
I'll go out on a limb and say that if this pattern continues, it may be the most significant legacy of heartbleed.
The problem with this strategy is that it runs the risk of reassigning resources from the most dangerous vulnerabilities (which infosec-trained sysadmins and developers know how to judge) to those with the best marketers and designers behind their team. It's the same as Oracle DB deals being sold to executives over rounds of golf instead of to the developers who will actually work with the service. To be clear, I'm not sales-phobic or anti-design, I just don't think that security vulnerabilities need to be marketed.
The only argument I can see would be consumer awareness, but that might be worse than anything else - just look at the mass hyperbole being thrown around right now about the alleged direct North Korean involvement in the Sony hacks, a contention which few people in the security world appear to take seriously. I guess find a way to get hotfixes out reliably?
> To be clear, I'm not sales-phobic or anti-design, I just don't think that security vulnerabilities need to be marketed.
I understand this worry, but I don't think executives will ever see sites like this... except when engineers say HOLY HANNAH WE NEED HOURS TO FIX THIS RIGHT NOW, and the executive says "I have a fixed budget, and this doesn't make me money."
Then this site is brought up. And the world is better.
Hmm. So maybe, within the bowels of listservs and whitepaper archives, we hide a secret repository of slick, sexy marketing pdfs that engineers can print, cover in a shiny plastic folder, and strategically deploy as a measure of last resort.
Or just work to make developer<->management communications more effective.
I think you've captured the absurdity of the scenario quite well. Unfortunately, I don't have quite the poker face to pull off a claim like "developer <-> management communications aren't absurd".
To be slightly more fair: it's pretty easy to think "if solving this problem was really important, it would already have a budget, like how hurricanes get disaster relief". And so spending $100 on a logo helps people not dismiss the urgency.
This whole situation is not amazing. But an emergency isn't the time to start working on developer <-> management communication problems -- at that point, whatever gets the job done is great.
I, for one, do not welcome the trend of information-free wankerism masquerading as security research. I would like proof-of-concept code, formatted in 80-column plain text, dropped on mailing lists. Not this unreadable javascript-laden junk that doesn't even tell me anything worth knowing.
Note how they drop the CVE number at the beginning of the article, even though it's not actually a published CVE yet. Is there any legitimate reason to do that other than to lend your news release a false air of authority to those who won't bother to go read the CVE?
Seriously. I call these "designer vulnerabilities".
They have little substance beyond a flashy name, logo and website giving the most generic of bullet points about their exploit.
Do a Google search and you'll find dozens of news articles harping about the designer vulnerability alongside the name of the company that discovered it. What could be a legitimate exploit dealt with through the channels we've always addressed them through becomes a marketing vehicle for info sec charlatans.
If this results in reduced attention for vulnerabilities that don't have a site, logo, and marketing department, then what we've done is imposed a tax on security research.
Which is fine, because security work is extremely overfunded and we don't have globally critical infrastructure like OpenSSL developed by one or two dudes begging for donations.
Great, a huge vulnerability potentially affecting millions of routers around the world, and no information on how to check if your router is vulnerable.
For those trying to read this page but unable to deal with the broken JS, text dump to Pastebin: http://pastebin.com/munLi0Cy
Misfortune Cookie is a critical vulnerability that allows an intruder to remotely take over an Internet router and use it to attack home and business networks.
The verbosity of this vs. actual information makes my flag-finger itch. It also, apparently, keeps getting killer on /r/netsec[1].
<TLDR>"The affected software is the embedded web server RomPager from AllegroSoft."
"AllegroSoft issued a fixed version to address the Misfortune Cookie vulnerability in 2005 [...]" but it's complicated.
TR-069 is mentioned because it makes it sound cooler, and also uses the RomPager in certain implementations.</TLDR>
Yeah, Home Gateway security is almost as nonexistent as their release/update cycle. TR-069 is a blasphemy and an anathema in the first place[2].
This is an attempt to 'heartbleed'-ize a much broader issue. It is one of many, and they are known, and they never get patched.
Maybe make this into a crowd-type-movement to take back our routers, intending to put pressure on manufacturers to be more responsible with security and the intermediates for pushing the updates (since they've provided themselves the functionality to do that/TR-069/The Irony), but do not try to heartbleed-ize it, kinda comes off cheap.
In the meantime, for those that can (Hello Friends!), we already know the available patches:
* OpenWRT
* DD-WRT
* Tomato
It's tricky though, because you may have to spend $20/$60 for a new router.
[2] "So my ISP can just flash my router with a new firmware, remotely, and then flash back the original, at any time? Or anyone with my ISP's private keys/credentials* , for that matter, but let's not open that can of worms. And you say that, despite this being active (and sometimes partly hidden and un-killable cough BTHomeHub cough) our routers are still running archaic software that hasn't received a 9-year-old patch? Then... ugh.. what is this used for, exactly? Why is it there?"
* Oh God I hope it is at least private keys and not 'admin:P@ssword1' :S
I've been assuming DD-WRT is clear, but is it confirmed[0]? I can see no reason why DD-WRT would use the RomPager SDK, but I haven't checked the actual internals.
Checkpoint marketing is experimenting with new marketing techniques. No way this peacock-style creation could've come directly from engineering. They really want some of the CNN coverage that Heartbleed enjoyed, except now it will have a discreet "Checkpoint" logo in the corner. Ain't that clever.
Two months ago I decided that I didn't want to be in the position of waiting for a vendor to release an upgraded firmware OS for my house firewalls.
If Ubiquiti's EdgeRouter Lite ran an actual Debian release rather than a derivative with no obvious toolchain, I would have bought that. (If they change to that, I would recommend them.) I worked my way through the capabilities list of the PCengines mini-ITX devices (ALIX: underpowered; APU: a little expensive) and settled on AMD's successor to the APU, now called Athlon 5150/5350.
I built mine on an Avoton Intel Atom C2750. It's the first amd64 Atom, the first to support ECC memory, and has 20W TDP. It runs FreeBSD 10.1 and I'm very happy with it. Before Avoton you had to go for a Pentium D or a Xeon for ECC support on the Intel side.
What did you use for the wireless (if anything)? I gave up trying to use Debian on an Alix board with an Atheros radio because the open ath9k stuff is missing all of the vendor work-arounds that make the radio actually function for more than 20 minutes in a row. I'd love to revisit that project if I thought it wasn't a complete waste of my time.
It's amazing how much nicer the web can be without images and javascript. These tool-bags really want to "promote their brand," but they might consider creating a website that looks less like malware.
Using Firefox (I guess the Chrome way is similar):
1. Turn off javascript
2. Load the page, you see only spinner
3. Right-click on the spinner => Inspect element
4. You see an evil div element with id="preloader"
5. Right-click on it => Delete Node
6. ???
7. PROFIT
From what I understand this gives the attacker administrative access via a router's Web UI configuration interface. So they could change the configuration of the router, which could be concerning in some scenarios but irrelevant in most others. Assuming it is something like this, you can help protect yourself by disabling remote Web UI management. This is the default already for most routers. Though I guess we will know when Lior Oppenheim presents the issue at 31C3 in a week or so.
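Taking the mitigation in the comment above from the defender's side, here is an added example, not code from the thread or from the vendor, that grabs the HTTP banner of a router you administer and reports whether its embedded web server identifies itself as RomPager, which the thread names as the affected software. The sample responses are constructed, the function names and the assumption that the device sends a `Server` header are mine, and no version number is asserted as fixed or vulnerable: a RomPager banner means "compare against the vendor's firmware notes", and a refused connection on the WAN-side address means remote management is off, which is the state the comment recommends.

```python
"""Banner check for a home/SOHO router's admin web server.

Added example (not from the thread). Parses a raw HTTP response and flags a
RomPager banner. It does not decide vulnerability: that depends on the vendor's
firmware build, which the banner alone does not tell you.
"""
import re
import socket

# Constructed sample responses, not captured from any real device.
SAMPLE_ROMPAGER = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: RomPager/4.07 UPnP/1.0\r\n"
    b'WWW-Authenticate: Basic realm="Router"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_OTHER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: lighttpd/1.4.35\r\n"
    b"Content-Type: text/html\r\n\r\n<html></html>"
)
SAMPLE_NO_SERVER = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"


def parse_response(raw: bytes) -> dict:
    """Split a raw HTTP response into its status line and a lower-cased header
    dict. Tolerates bare-LF line endings and a missing body."""
    head = raw.replace(b"\r\n", b"\n").partition(b"\n\n")[0]
    lines = head.decode("latin-1", errors="replace").splitlines()
    if not lines:
        return {"status": "", "headers": {}}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}


def classify_banner(raw: bytes) -> dict:
    """Report what the Server header says. 'rompager' is True only when the
    banner names RomPager; 'version' is whatever follows the slash, or None.
    'admin_auth_challenged' shows the admin UI answered with an auth prompt,
    i.e. the interface is reachable from wherever you connected."""
    parsed = parse_response(raw)
    server = parsed["headers"].get("server")
    match = re.search(r"RomPager(?:/(\S+))?", server or "", re.IGNORECASE)
    return {
        "server": server,
        "rompager": bool(match),
        "version": match.group(1) if match and match.group(1) else None,
        "admin_auth_challenged": "www-authenticate" in parsed["headers"],
    }


def grab_banner(host: str, port: int = 80, timeout: float = 3.0) -> bytes:
    """Send a minimal HEAD request to a router you administer and return the
    raw response head. Pointed at the WAN-side address, a refused or timed-out
    connection is the good outcome: remote management is off."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = sock.recv(4096)
            if not data:
                break
            buf += data
        return buf


if __name__ == "__main__":
    for label, sample in (("rompager", SAMPLE_ROMPAGER),
                          ("other", SAMPLE_OTHER),
                          ("no-server", SAMPLE_NO_SERVER)):
        print(label, classify_banner(sample))
```

Running it against the constructed samples shows the three outcomes a practitioner will meet: a RomPager banner with a version to look up in the vendor's release notes, a different embedded server, and a device that sends no `Server` header at all, where the banner check is inconclusive and only the firmware version on the admin page will settle it.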
The biggest question I have about this is how they managed to register the fortunecook.ie domain, knowing the hoops you have to jump through to get an IE domain in the first place.