Major security flaw found in Oman stock exchange
Fri 19 Jan 2018
An ethical hacker discovered a major flaw in the security of Oman’s stock exchange which left it vulnerable to hacking for months.
The Muscat Securities Market, which has a market capitalisation of around $23 billion (approx. £16.5 billion), had both the username and the password on a core router set to ‘admin’, according to a report by ZDNet.
Security researcher Victor Gevers discovered this flaw, and spent several months attempting to inform the securities exchange, but was ignored.
Had less ethical hackers discovered the flaw first, it would have given them complete access to the network of Oman’s only stock exchange. Staff at the exchange have now fixed the issue.
The IP address of the Huawei-built router was found in a list of 33,000 credentials. Many of these credentials still worked when used to log in to devices over the legacy telnet protocol.
Gevers, who is chairman of Netherlands-based ethical hacking group GDI Foundation, had reported these vulnerable devices to each of their original owners. It was during this process that he found the Oman stock exchange’s router.
Speaking to ZDNet, he said: “Our advice was to block the telnet protocol on your firewall because this protocol is not safe to use anymore.
“If you need to mitigate this problem quickly we suggest you change this telnet password for a long and complex one. And then immediately apply a firewall rule to block the telnet service and only allow it on their local network, and start a replacement for this Huawei router as soon as possible.”
Trying common or default passwords is a frequently used attacker tactic, according to Gevers. Security commentators agree that this is unlikely to be the only vulnerability of its kind.
Ilia Kolochenko, CEO of web security company High-Tech Bridge, commented: “Unfortunately, similar negligence is pretty common nowadays. IT people don’t really care about cybersecurity, while IT security teams have too many other priorities and emergencies to take care of. I wouldn’t be surprised if well-known western stock exchanges have similar problems and omissions.
“In the case of a breach, their financial liability to the victims may surge if facts of overt and continuous ignorance of cybersecurity essentials are proven. Meanwhile, enforcement of GDPR in May 2018 may severely punish such carelessness even if victims don’t file a civil lawsuit.”