
Computer hacking: how do we uncover online security flaws?

Say the word hacker and a certain image comes to mind: hooded top, hunched over a laptop, lines of green code fluttering around like menacing birds. But that’s mostly a Hollywood myth – and the reality is far more interesting…

Many so-called hackers are ‘white hats’; honest, curious and socially conscious individuals who want to share their knowledge to improve products and online environments for everybody. And they should be heard.

Responsible disclosure

As the lead for privacy and security testing and investigation in the Which? Product Research team, I have disclosed various flaws and vulnerabilities to companies.

Today, I published a story about a significant flaw found in an internet router supplied by the full fibre broadband provider Hyperoptic. The flaw meant the router was at risk of being hacked with a phishing message.

Our findings were based on in-depth testing by respected experts at Context IS. (Disclaimer: some of whom may wear hoodies.)

We disclosed the issue to Hyperoptic in November and, after some back and forth, it committed to address the vulnerabilities.

Hyperoptic has been cooperative ever since and has fixed the flaw, but it has taken more than six months for it to be safe to publish our findings without putting Hyperoptic customers at risk.

Legal threats

Although time-consuming and lengthy, the Hyperoptic disclosure was relatively painless. On other occasions, it has been much more challenging.

Some companies take the feedback as a constructive act, helping them fix an issue that could have been exploited in much more devastating fashion down the line, while also spinning a nice PR story about ‘taking security seriously’.

However, we still see too many occasions where companies take a much more defensive or even aggressive stance when an issue is disclosed. This can mean grumblings and radio silence. Or, at worst, it can manifest in legal threats.

‘Secure by Design’

In March, the government came to Which? to launch its new ‘Secure by Design’ project, aimed at creating a code of practice for companies making network-connected products.

Among its various recommendations is this: ‘They [companies] have a vulnerability policy and public point of contact, so security researchers and others can report issues immediately, and they are quickly acted upon.’

Not all security researchers have the power and resources of Which? behind them. They are often working alone, trying to help companies, and indeed the industry as a whole, improve standards of practice.

Of course, a company should be allowed to qualify what has been discovered about its own products, services and systems. But as long as the discloser is acting responsibly, it’s important that they are heard, rather than fobbed off, delayed or even threatened.

After all, not all hackers are bad…

Have you changed your internet router password to be more secure? Do you think internet service providers are doing enough to protect their customers?

Comments

This comment was removed at the request of the user

Have you changed your internet router password to be more secure? YES. (I usually change the wifi name too… one of my repeaters is called MadHouse.)

Do you think internet service providers are doing enough to protect their customers? NO. But I’m not sure how we should define “enough” here. I know some do offer free anti-virus & anti-spam, but I don’t know of any that do anything beyond that.

In practice though, just as we cannot have absolutely safe electrical appliances, we can never expect to be absolutely safe online. That said, we need to make sure that the benefits of going online far outweigh the risks.

At one time my ISP was renamed to virusnet.

This comment was removed at the request of the user

Duncan, there seem to be plenty of public facing websites describing “fileless attacks”, so how exactly can you say this news is “covered up” from the general public? Hidden in plain view might be more accurate…

This comment was removed at the request of the user

Thanks Duncan. I think “covered up” is a “glass half-empty” viewpoint and the role of mass media is peripheral to the main topic here, which is more about the process of discovering, reporting and fixing vulnerabilities.

As for the (recently coined?) term “fileless attacks”, its prominence does perhaps show that regular antivirus s/w is now quite good at dealing with traditional virus attacks, i.e. where the user must be conned into downloading a file that contains a malicious executable program, before the main thrust of the attack can progress.

In that sense, there is really nothing new about the nature of “fileless attacks”. That said, as you suggest, an alternative name for them (e.g. “hostile websites”) won’t serve to encourage e-commerce for the benefit of Amazon and other business interests. (As we both already know “non-fileless attacks” generally only work against Windows systems, because downloaded files won’t be executable by default on more sensible OSes.)

With regard to the mass media, I think they generally need to pitch their stories so they can be understood by any average school leaver (i.e. with little or no qualifications or life experience), so it is hard for them to get into as much technical detail as we can here.

…primary school leaver, in the case of most tabloids…

Many of us have a router supplied ‘free’ by our internet service provider. Hopefully most users will have changed the password but would our ISP inform us of a security problem? I recall my ISP informed users of a problem with one model of router that they had supplied but cannot remember if it was a security issue because I had a different model.

Much in the same way as the first operation on many things has to be change the password, it is not beyond the wit of man for this to be a requirement on router installations – and I suggest it is disgraceful that that doesn’t happen where the defaults are empty, admin, 0000 etc. BT at least make their default router passwords unguessable and all different.

This comment was removed at the request of the user

In my experience, most ISPs now give you sensible router passwords like 8d29ebf4 from the get go.

It’s ages since I last bought a new router, but the ones I’ve bought tend to come with default passwords like “admin”.

As Duncan said he does, I also backup passwords to paper records, as I don’t expect those to ever be hackable.

I’ve also recently discovered that saving passwords in web browsers like Chrome is really nasty, because they have to be capable of delivering the plain text version of the password. That probably explains why my banking websites don’t allow those functions to work.

This comment was removed at the request of the user

Duncan, where I work similar safeguards are in force, as part of paid-for endpoint solutions.

In another convo you recently said “A good commercial firewall AND internet malware/virus protection is definitely required for Windows…”, on the basis that software engineers won’t often work for free, so all this has to be bought and paid for.

It may be that the costs are too high to encourage these particular solutions from being marketed or sold to the general public.

This comment was removed at the request of the user

Duncan, I think these services are publicly available. A quick look on the Sophos website seems to suggest they claim to provide the kind of capabilities you mentioned above.

This comment was removed at the request of the user

Duncan, thanks for the info.

According to dmarc.org, anyone can use this protocol.

I think I had to enable script to dive into the Sophos website. As Sophos is the best security software that I’ve ever personally used, I was happy enough to do that.

This comment was removed at the request of the user

I’ve often thought that the principle of paying extra on domain registration for anonymity is wrong and that the detailed information should only be available to officialdom – a bit like the DVLA database should be.

This comment was removed at the request of the user

Duncan – thanks for that link.

Re “especially removing booting problems associated with Windows” – I agree that booting Windows generally leads to problems 😉

That said, those results show that many common a/v programs – including some free ones – seemed to perform quite well.

This comment was removed at the request of the user

Duncan – a piece of software, like a hacking app, is just a tool. Of itself, it cannot be either good or evil. So there is no need to make such software illegal.

Hacking software can be put to good uses by “pen testers” and other security consultants, who will find, expose and then fix security flaws on computer systems.

Or, the same software might be used for malicious purposes by criminals intent on stealing data and/or committing fraud.

This comment was removed at the request of the user

Duncan, you’d said “It took me by surprise that they are not illegal” which struck me as odd, if not surprising, given that you claim to hang out on US hacker forums and such like…

This comment was removed at the request of the user

So when you said “illegal” you weren’t suggesting it might be a criminal offence to produce, possess or download such software?

This comment was removed at the request of the user

Duncan – I agree, that was my point exactly.

So by “illegal” did you mean you thought your ISP or your a/v s/w (if you have any) ought to have blocked those downloads?

This comment was removed at the request of the user

Duncan, I wasn’t suggesting that you had downloaded any of those apps, I was just wondering whether or not you would expect any blocking software to stop you if you had wanted to?

In the past I have seen Windows Security Essentials block the download of certain “utilities” that could be used for legal work – or potentially for other things too.

This comment was removed at the request of the user

This comment was removed at the request of the user

This comment was removed at the request of the user

Thanks Duncan and malcolm – that’s interesting. I think it shows the danger of leaving unfixed security flaws around, in case authorities might want to use them as backdoors into systems. The trouble is, if that’s done, then others might also be able to discover and use those flaws.

This comment was removed at the request of the user

This comment was removed at the request of the user

Duncan – now that this information is out there, won’t Windows anti-virus software just simply block those files from executing?

This comment was removed at the request of the user

Duncan – would I be right in thinking you have no hands-on experience of using Android phones and W10 PCs – either singly or in tandem?

This comment was removed at the request of the user

Duncan, I’m not happy making sweeping general statements from the basis of limited experience.

It concerns me that you have no such inhibitions.

And I think it leads you to post incorrect advice.

Like your recent advice on the use of Windows task manager for a boot-looping Android phone.

Then there was your recent project IT fear advice against the use of USB discs.

Hence, given the allowance for debate on W?C, I do sometimes feel moved to question some of your posts.

This comment was removed at the request of the user

With intelligent use I don’t see much problem with using flash drives as long as you don’t use them for sensitive data or if you do then treat them as if they were confidential paperwork. I trust that most people are aware that simply deleting a file on a flash drive does not erase the data.

I think it is good to be aware of risks but if they are overstated then readers will just switch off.

Duncan, I agree with wavechange that flash drives are safe to use.

My employer even lets me use them at work, so they think so too.

Duncan, if you are asking me to prove to you that Windows 10 is “safe”, then I think you have just validated my position.

I would not even try to “prove” that plastic backed fridge-freezers are “safe”, yet I have one right here that is powered on 24/7/365 and seeing its hottest ever summer.

That said, I am content that the fire risk posed by my fridge freezer is tolerably remote.

I apply similar judgement to my uses of Android phones and tablets, Windows PCs and USB discs.

Duncan, I have not taken it upon myself to advise the public via W?C.

I merely question your posts as a member of the public, albeit one with experience that challenges the overall veracity of some of your statements.

The time you advocated ReactOS as a (presumably viable) alternative to Windows was another memorable time when I became aware of the need to challenge the wisdom of one of your posts.

This comment was removed at the request of the user

This comment was removed at the request of the user

Duncan, I’m not accusing you of lying. I’m just saying that, from the light of experience, I cannot attribute much value, utility or veracity to the information that you post. I have already explained my reasons, so this is my final post for this thread.