Monday, March 2, 2015

"super" as a master key, or the security of mainstream services

"super." As it sounds, written in lowercase letters. It might have been "admin" or "1234", but someone thought of "super." Just like this, in plain text included on a configuration file.

"super" is the new master key for home routers. A failure in a router led researchers to perform social engineering on its firmware. They found out that they could use "super" and "super" to log into its manufacturer’s website. But they did not stop there and try their luck with other brands. Voilà! 10 manufacturers of routers incorporated the same backdoor.

However routers are not the only devices making headlines today. Seagate NAS devices contain several known exploits based on partial updates of some their elements. For instance, an old version of PHP allows to remotely hijack the device.

In fact, the security of these connected systems contrasts with the evolution of cybersecurity over-the-top apps for smartphones and tablets. It seems that the high number of security breaches affecting digital services is leading developers and businesses to invest more and more resources in security and data privacy, mainly for instant messaging, browsers, customizing applications, access to files and editing in the smartphone world; access and editing of files, customizing applications, browsers and sales tools in the tablet world.

All this has to be taken into consideration through the prism of security in the cloud. Is it time to trust the cloud? Are services connected to the Internet secure enough to let us finally jump to the cloud? These are complex questions to answer, especially when the problems arising from the cloud can come from misconfigurations or developments on physical devices of the system, such as those routers using "super" and "super" as login credentials or vulnerable NAS to a known attacks. Or even risk can go along with external services, such as an app market or a specific application library a mobile operating system.

Should we trust the cloud then?


Post a Comment