[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAH72vii9NCQQv14SWqUgoyNib62nmDeb7RqDAAh_XHkOPVhFDg@mail.gmail.com>
Date: Thu, 16 Jan 2014 10:32:29 +0100
From: Źmicier Januszkiewicz <gauri@....by>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: EE BrightBox router hacked - bares all if you
ask nicely
> Absolutely shocking lack of security considerations.
Is it, really? I've got a feeling that companies don't give a s--t
about your data, your privacy, and so on (proved by numerous examples
out there), unless absolutely required to do so by law, and there is a
good reason behind that. It is not a charity fund, you see; a company
is all about money, even if they state otherwise via their "motto" or
"mission", and as we all know, a dollar saved is a dollar earned... So
they try to get it working by hiring 1-2
Chinese/Indian/Pakistan/Younameit techies (not because they are bad at
what they do, but because they are cheap), and squeeze them until the
stuff is working somewhat. And that's it! Then those who made it work
are fired, and another group with even thinner payslip is hired for
"support". Note that at no point any emphasis on security of the
product is made -- a company is not interested in spending more money,
and workers are not interested in spending their life without any
compensation.
Why a company is not interested? Just some simple calculations anyone
can do: having a working device/service/whatever brings in paying
customers, having a secure device/service/whatever brings in expenses.
So, we get the usual "sorry, we have no budget for that!" reply even
if one asks for a security review.
And then, see, even if your company manages to produce a "highly
secure" device/service by hiring N brilliant minds and paying a
5-digit/mo each of them, then magic happens -- the cost of the end
product is so high nobody buys it! Surprise! Will you pay 300 pounds
more for something that does the same, but claims to be "secure"? No.
Will a punter pay 300 pounds more for that? Hell no. Just as simple as
that.
I do find it amusing as people get "shocked" by such a simple thing...
2014/1/16 Dan Ballance <tzewang.dorje@...il.com>:
> What a great write up and what an appalling mess for a UK ISP to be in in
> 2014. Absolutely shocking lack of security considerations. Thanks for
> sharing this. I've just followed you on Twitter as well,
>
> cheers,
>
> Dan.
>
>
> On 15 January 2014 20:28, Scott Helme <scotthelme@...mail.com> wrote:
>>
>> The BrightBox router is the standard equipment issued by UK ISP Everything
>> Everywhere (EE) to its subscribers.
>>
>> The device not only leaks sensitive data but is remotely exploitable too.
>> An attacker even has the ability to take control of your account as the
>> router leaks your ISP account credentials.
>>
>> You can read the full article here:
>> https://scotthelme.co.uk/ee-brightbox-router-hacked/
>>
>> Scott.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists