
Home, PWN-y Home

Again, home gateway vendors fail the basics.

According to The Register, researchers have found another serious security flaw that can be used to hijack Netgear routers popular with home users. At least several hundred thousand devices are vulnerable; some estimates put it at over one million devices.

The flaw allows an attacker to extract any admin password. This could manifest as easily as a home user visiting the wrong webpage, which then uses JavaScript to take over the boxes, knock them offline, change their DNS settings to redirect them to more malware-injecting websites, and so on. The flaws, designated CVE-2017-5521 and TWSL2017-003, were discovered by researcher Simon Kenin of Trustwave. The Register reports that 31 different Netgear models are affected. Owners are advised to check and update their firmware. (PS: Netgear ignored the vulnerability for nine months.)

The vulnerability is just another in a parade of high-profile fails for Netgear routers. This is especially troubling because most of Netgear’s customers are home and small-business users, and typically lack the security savvy necessary to check for – let alone install – a firmware patch.

Home users assume that technology vendors take sufficient steps to protect consumers. Almost always, that assumption is a bad one. Network devices in home (or enterprise) environments rarely perform as promised, and even more rarely are configured as the designing double-E’s might have preferred. That’s why Fortune 1000 security leaders are beginning to instrument security.

Home users can’t do much (yet) to instrument security, but enterprises can.

At Verodin, “instrumenting security” means NEVER ASSUMING that the enterprise defense stack is actually working correctly. When we instrument the security in the network, we can run thousands – or millions – of attack sequences against it to generate empirical data on what incursions you’ll detect, which you’ll block, and which you’ll miss completely. An instrumented network also quickly tags component vulnerabilities (like a bad router) or security appliances that simply aren’t pulling their weight. That helps you make targeted fixes to get the best security out of the investment you’ve already made, and also helps you clear out the dead metal so that you can replace it with solutions that generate a better ROI on next year’s security spend. With Verodin, you can quantitatively measure the cumulative effectiveness of your entire defensive stack.


*** This is a Security Bloggers Network syndicated blog from Verodin Blog authored by Verodin Blog. Read the original post at: https://www.verodin.com/post/home-pwn-y-home
