[ad_1]
And those emotions and outrage led to a clear conclusion: Even in a “tough” field of activity like cybersecurity, there can be conflicting differences over seemingly basic concepts like “cybersecurity gap” or “closing the gap.”
Developer side
This analysis of Telia’s cybersecurity situation has been distributed by programmers who have not identified themselves by their first name, last name, or pseudonym.
It maintains that Telia’s cybersecurity practices are inappropriate, that reports of security vulnerabilities are not being adequately responded to, and that complainants are threatened.
The reporter’s first complaint is that Telia allows customers who are logged into their account on the self-service website to change the login password of the home router. According to the developer, the router does not check if it is communicating with a real Telia server, so it can be replaced by a specially designed “fake server”. And this, in turn, gave the programmer a universal login and password to connect to the router (and the researcher criticized it for being too weak), giving the user many more rights after that login. than your own normal password (eg disable firewall). or replace other settings that are not normally available to customers).
The second complaint is the theoretical possibility of executing commands from an unauthorized user remotely (RCE – Remote Command Execution). Typically this would be a huge gap that would allow you to take full control of the entire Telia network (possibly not even in Lithuania) as remote command line programmers can grant you exclusive system user privileges and rights, create connectivity and I endlessly use all Telia client devices as “zombies” that could make up perhaps the world’s largest botnet.
But this is only a theoretical possibility. In practice, the author of the report was unable to exploit this alleged loophole and acknowledged that it was difficult, as it required more time and more knowledge about the Telia server.
A third complaint that should be of concern to anyone who has found user data storage in the company is the report’s claim that Telia knows the personal login passwords of all its users, meaning that those passwords should not be used. for no other account.
And perhaps what was most echoed in the local and international cybersecurity community is the author of this “responsible disclosure” complaint: that Telia’s representatives allegedly threatened him (that is, they wrote a letter with the exact content quoted as continues: “Thank you for the information. Did you collect non-public electronic data without violating applicable law?”).
Telia is also criticized by Telia for not correcting any errors in this report and for correcting (but not correcting) just one of the deficiencies.
The report’s author said information about security vulnerabilities had been sent to Telia in late October, and a month later, after hearing if any action had been taken on that information, he received that “threatening” letter and the message that “everything has been solved”. Half a year later, in accordance with customary “responsible disclosure” ethical rules (first reporting deficiencies to the system owner, giving them three months, half a year, or other period to rectify the deficiencies, and only then making the message public).
Telia side
In their official comment on this security vulnerability, the mobile and internet operator stated that what the author of the report identified as security vulnerabilities was either actually no security vulnerability or had already been closed long before Telia was contacted. . With a notice.
Because the developer-provided action schedule is missing some critical lines. The first line should be marked 2019. In February, that was when Telia’s security experts believed that the actions described in the report had been taken. The second line is 2019. Telia closed the hole in March, when a security vulnerability (related to the KEX algorithm) was filled in during the planned system update cycle, and in July of the same year, immediately after it was will announce the libssh2 security vulnerability and the developer will announce the vulnerability. It is unknown why there was such a long delay in providing information to Telia’s experts.
In other words, Telia claims the author of the report blatantly lies in claiming that the libssh2 security vulnerability was not closed during “responsible disclosure”, when in fact it was closed almost a year earlier, before sending criticism of cyber security practices potentially inappropriate.
Also, according to the company representative, the statement that Telia can discover passwords for its clients’ connection to the router is similar to a bold lie: Company representatives claim that there is no way to discover those passwords, only they can change (which is common practice in any system that identifies the user with a password).
The ability to connect to the router was of little importance to malicious actors by Telia.
“The only practical use of a published router password, with sufficient technical knowledge, is limited to expanding the terminal’s configuration capabilities. Generally speaking, up to the same as those established by manufacturers when purchased at any store. The router of a company telecommunications is limited by increased security, better compatibility, smoother service delivery and the ability to troubleshoot remotely, for example, on standard Telia routers, it is not possible to disable the firewall via the user menu , which reduces the level of protection. And in “simple” devices that can be bought in stores, these fuses are generally not provided and the full responsibility for safety and other technical configurations rests with the user, “the company said. in a comment.
Telia described the ability to connect to a user’s router, which the owners called “landa” (back door) as “standard normal market practice” that allows a service provider to manage user services, update the router’s software , diagnose and eliminate software flaws in your hardware and the like. And the username and password combination that was made public in the report only applies to older ADB routers, which have been upgraded to a newer type for free for quite some time. This connection provides advanced control of those routers from the service provider.
As for RCE’s hacking threat, not only was it not exploited in practice by the author of the report, but it was also theoretically removed in July, six months before the report was presented to Telia employees.
“The theoretical possibility mentioned on the website of security vulnerability to connect remotely to Telia servers and influence the operation of the network is complete speculation, the implementation of which is not confirmed by a thorough investigation by Telia or by the hacker himself. ” Therefore, there was no real threat to the security of Telia’s network, servers or communication channels, “the company said.
“We are grateful to those who act ethically and report the detected security vulnerabilities, the information of which we never ignore, we carefully verify and correct any deficiencies.” However, we have a very negative view of the irresponsible dissemination of outdated information and of theoretical speculation and semi-correct interpretations that encourage people to feel insecure. Furthermore, Telia has never threatened its whistleblowers, and we treat such statements as defamation, “the programmer said of the” attempted threat, “Telia said.
Company spokesperson Audrius Stasiulaitis also stated that after receiving such information, it is quite natural to ask how, and if legally, the person was able to connect to the company team in a way that would not normally be possible.
As for the fact that the username and password conferring advanced administration rights have not been changed, Telia stated that this would not change anything: a person with specific technical skills would again have a password easy to learn with a Telia router. , but there would be little to do with that password. what to do.
Meanwhile, another point of criticism, that Telia does not protect customers from so-called Man in the Middle (MITM) attacks, was counterbalanced by the fact that telecom operators simply do not provide such services to ordinary private customers (and this It is not Telia, but the practical world), so the criticism of this only shows that the critic is not trapped in the functioning of the communications market.
The Side of an Independent Cyber Security Expert
Not even a cybersecurity expert (known to the editorial board) with five years of experience in the field tended to support the position of the expert who made the company’s mistakes public, but step by step discussed each specific statement from the programmer and Telia. ” And his clarification of the circumstances, his views on some issues changed.
The independent expert said there was no reason to believe Telia’s claim that the libssh2 loophole closed in July, as the company said. On the other hand, these are only statements made by the company against the statements of the security expert: independent professionals, without the threat of violating the law and, therefore, being prosecuted, do not have the opportunity to verify such matters.
This can be taken as an acknowledgment that the author of the report may have pointed to a false statement claiming that the libssh2 security vulnerability has not been completed so far. This does not mean that the entire report has been deliberately and maliciously fabricated, but its author’s position has fluctuated wildly as a result.
It also tends to refer to different versions of the report author and Telia regarding storing passwords for users’ routers in text form as “words against words”.
Even with 15 minutes The expert who interacted with Telia in the field of digital security tended to view Telia’s letter to the author of the report as a threat. According to him, those responsible for the security of the company should not communicate in this way with the person who pointed out the deficiencies, and in a larger market with a stronger community of security experts and a better public awareness of security problems. digital, the company would generally appreciate, apologize for the errors, correct them, and continue to work.
“I see an error in this report: The person who wrote the report gave their document their own CVE code, which Miter must provide. This is not a good thing, as it is not difficult to verify this code and make sure it is authentic. But In the case of a responsible disclosure report, assigning a CVE code is not a strict requirement – simply put, with a genuine officially registered escape code, the degree of significance of the error in the ten point system is also given , and this provides reliability. This was not done, “said the expert.
But the expert did not avoid criticism of Telia, which did not deal with the development of a report form responsible for cyber security vulnerabilities, which allows the secure reporting of detected errors.
“If there was a form of responsible disclosure and the company’s internal policy, this situation would not exist at all and Telia might even be absolutely right.” And if the rapporteur had not complied with the requirements of that policy, Telia would have been one hundred percent everywhere. But they don’t have that policy and they seem to have ignored the message. “
According to the expert, the answers and endpoints of this story should be compiled by experts from the National Center for Cyber Security (NCSC), who carried out a study to find out if the threats were eliminated at that time, according to Telia, or if the report is correct in the last days.
The final decision is in the hands of the NKSC
In turn, the NKSC for 15 minutes In response to a request from Telia to notify the authority about security vulnerabilities, the response to the request was that the PHP library vulnerability was received in 2019. Telia informed the NCSC about the update of the server machine, which removed the mentioned vulnerability, which threatened to implement cyber attacks.
The report, which casts doubt on Telia’s security, appears to have led to a deeper cyber analysis.
“Today, when information about previous software vulnerabilities is made public, the NCSC is conducting additional analysis to assess whether the threat has been avoided,” said specialists from the Department of Strategic Communication of the Ministry of National Defense, who have not yet answered additional questions about when to expect results.
[ad_2]
