When it comes to cybersecurity, researchers play a very important role in keeping the public safe. Usually they do this by discovering massive vulnerabilities such as Meltdown and Spectre, but sometimes, like in the case of the potential Oman stock exchange hack, it’s much simpler than that.
Warnings about potential Oman stock exchange hack for months
The Muscat Securities Market in Oman is one of the biggest stock exchanges in the Middle East, and a security researcher apparently contacted officials there multiple time over the “past few months” to warn about a serious vulnerability. Victor Gevers told ZDNet about the potential for a major hack at the Oman stock exchange, and both he and ZDNet continued to contact officials there by both phone and email.
An Oman stock exchange hack was possible for months because a key router there was left vulnerable, with both its password and username set at “admin” for the entire time. Gevers discovered the router’s settings, and although he didn’t know which model the router was, he did say that it was made by Huawei. It runs a web interface that enables administrators to configure the network from web browsers, and many of these types of routers come with default settings for the username and password. If they are not changed, hackers can easily gain access to the network.
Gevers told ZDNet that an Oman stock exchange hack could have enabled hackers to intercept and manipulate traffic on the stock exchange’s network. Officials at the Oman stock exchange apparently fixed the vulnerable router’s settings quietly without responding to either Gevers or ZDNet.
Not an unusual situation
As shocking as it would be if an Oman stock exchange hack actually occurred, vulnerabilities such as the one discovered by Gevers are not uncommon. Experts say cybersecurity is low on the priority list of many IT experts, despite the growing number of widely-publicized security breaches.
“Unfortunately, similar negligence is pretty common nowadays,” Ilia Kolochenko, chief executive of web security company High-Tech Bridge, commented in an email. “IT people don’t really care about cybersecurity, while IT security teams have too many other priorities and emergencies to take care of. I wouldn’t be surprised if well-known Western stock exchanges have similar problems and omissions. In case of a breach, their financial liability to the victims may surge if facts of overt and continuous ignorance of cybersecurity essentials are proven. While enforcement of GDPR in May 2018 may severely punish such carelessness even if victims don’t file a civil lawsuit.”