
Monthly Archives: October 2016

What Really Broke Dyn this week? IOT

Quote

Today a vast army of hijacked internet-connected devices – from security cameras and video recorders to home routers – turned on their owners and broke a big chunk of the web.

Compromised machines, following orders from as-yet unknown masterminds, threw massive amounts of junk traffic at servers operated by US-based Dyn, which provides DNS services for websites large and small.

The result: big names including GitHub, Twitter, Reddit, Netflix, AirBnb and so on, were among hundreds of websites rendered inaccessible to millions of people around the world for several hours today.

We’re told gadgets behind tens of millions of IP addresses were press-ganged into shattering the internet – a lot of them running the Mirai malware, the source code to which is now public so anyone can wield it against targets.

  • Dyn’s chief strategy officer Kyle York told The Register by phone that devices behind tens of millions of IP addresses were attacking his company’s data centers. 
  • A lot of this traffic – but not all – is coming from Internet-of-Things devices compromised by the Mirai botnet malware. This software nasty was used to blast the website of cyber-crime blogger Brian Krebs offline in September, and its source code and blueprints have leaked online. That means anyone can set up their own Mirai botnet and pummel systems with an army of hijacked boxes that flood networks with junk packets, drowning out legit traffic. 
  • One online tracker of Mirai suggests there are at least 1.2m Mirai-infected devices on the internet, with at least 173,000 active in the past 24 hours. 
  • Mirai spreads across the web, growing its ranks of obeying zombies, by logging into devices using their default, factory-set passwords via Telnet and SSH. Because no one changes their passwords on their gizmos, Mirai can waltz in and take over routers, CCTV cameras, digital video recorders, and so on. 
  • York said the waves of attacks were separate and distinct – there are multiple bot armies out there now smashing systems offline. “We’re expecting more,” he added.

It is well known that the Internet of Things (IoT) has very poor security. It could be improved if people would simply change the default password and manufacturers enforced a mandatory password change on a regular basis. Not a cure-all, but an improvement. But El Reg says it better:

El Reg [ed. The Register] has been banging about IoT security for ages: Mirai is now targeting cellular gateways. Not enough is being done to patch insecure gadgets. Do gizmos need some sort of security-warning labels? The blame here is not with Dyn. It is not even with the owners of the hijacked devices.

It lies with the botnet operators – and, perhaps more crucially, the dimwit IoT manufacturers who crank out criminally insecure hardware that can be compromised en masse. Particularly China-based XiongMai Technologies, which produces vulnerable software and hardware used in easily hijacked IP cameras, digital video recorders and network-attached video recorders. These crappy devices were at the core of today’s attacks, according to Flashpoint.

Until there is a standards crackdown, and vulnerable devices are pulled offline, this will continue on and on until there is no internet left.

Cracking the Code

I was recently asked for the first 4 digits of my SSN on an insurance application. I refused. I was told the usual answer: “no one has ever had a problem with this before.” Well, that does not surprise me. The security IQ of the average business, in my estimation, barely registers. This is especially true for small and medium businesses, although, as seen, even their larger brethren are pretty bad. Anyway, I digress. It is not just this hapless insurance company. Doctors’ offices continue to be notoriously bad. A month ago I tried to make an appointment with a doctor and they asked for my full SSN. Of course I refused. I made it all the way to the CEO of the practice, and this fool simply repeated over and over that it was their policy, as their software used it as a unique identifier. Idiots.

How easy is it to guess SSNs?

Quote

Researchers have found that it is possible to guess many — if not all — of the nine digits in an individual’s Social Security number using publicly available information, a finding they say compromises the security of one of the most widely used consumer identifiers in the United States.

Many numbers could be guessed at by simply knowing a person’s birth data, the researchers from Carnegie Mellon University said. ….

My advice – refuse to give your SSN to anyone. And guard your birth-date also, especially online. Use a fake birth-date for any site requesting it.

Criticize Donald Trump, get your site smashed offline from Russia

Quote

Newsweek Cuban connection story enrages miscreants

It has been an odd day for Newsweek – its main site was taken offline after it published a story claiming a company owned by Republican presidential candidate Donald Trump broke an embargo against doing deals with Cuba.

The magazine first thought that the sheer volume of interest in its scoop was the cause for the outage, but quickly realized that something more sinister was afoot.

The site was being bombarded by junk traffic from servers all around the world, but the majority came from Russia, the editor in chief Jim Impoco has now said.

“Last night we were on the receiving end of what our IT chief called a ‘massive’ DoS [denial of service] attack,” he told Talking Points Memo.

“As with any DDoS [distributed DoS] attack, there are lots of IP addresses, but the main ones are Russian, though that in itself does not prove anything. We are still investigating.” ….As with any DDoS attack, finding the culprit is nearly impossible. But it appears that the article has pissed off a lot of people who control many Russian servers.

Security analyst says Yahoo!, Dropbox, LinkedIn, Tumblr all popped by same gang

Quote

Says five-strong ‘Group E’ may have lifted a billion Yahoo! records, sells to states

Five hackers are said to be behind breaches totalling up to a staggering three billion credentials from some of the world’s biggest tech companies including the Yahoo! breach that led to the loss of 500 million credentials.

The claims, made to The Reg by recognised threat intelligence boffin Andrew Komarov, pin the world’s largest hacks on “Group E”, a small Eastern European hacking outfit that makes cash breaching companies and selling to buyers including nation states.

Komarov told The Register the group is behind a laundry list of hacks against massive household tech companies including the breach of Yahoo!, Dropbox, LinkedIn, Tumblr, and VK.com among other public breaches.

The analyst says the same hacking group has breached other major tech firms but would not be drawn on revealing the names of the affected companies nor the number of compromised credentials. Komarov has reported those breaches which are not on the public record to police.

He goes further and says much of the reporting concerning the Yahoo! breach was inaccurate, and suggests the number of affected credentials could be as high as one billion, double what was reported.

Group E had, according to Komarov, breached Yahoo! and sold the massive data haul through a recognised hacker identity who served as a broker.

It was then sold to an unnamed nation-state actor group.
….
Komarov, an established threat intelligence man formerly of Intelcrawler before its acquisition by Arizona-based security firm InfoArmor, is one of a handful of cybercrime intelligence analysts who closely monitor closed crime forums and dark web sites.

He fingers a Russian-speaking criminal hacking identity known as Tessa88 as the broker used by the two hacking groups.

Quote

AT&T is getting rid of Internet Preferences, the controversial program that analyzes home Internet customers’ Web browsing habits in order to serve up targeted ads.

“To simplify our offering for our customers, we plan to end the optional Internet Preferences advertising program related to our fastest Internet speed tiers,” an AT&T spokesperson confirmed to Ars today. “As a result, all customers on these tiers will receive the best rate we have available for their speed tier in their area. We’ll begin communicating this update to customers early next week.”

Data collection and targeted ads will be shut off, AT&T also confirmed.

Good news at last on privacy

More than 400 malicious apps infiltrate Google Play

I have ranted about this before, but so many apps are spyware and some are just plain malicious. Google does a piss-poor job of vetting because, for the many that are spyware, Google benefits: it is able to hoover up more user info. As one of the commenters on the article stated:

So what it does is just allow network probing from behind a company or personal firewall, should you actually be behind one that matters? That’s potentially troubling, but doesn’t appear to be “controlling” the device. What bothers me more is that Google appears to have made too many compromises for ad-paid games, carriers, and OEMs instead of giving people the easy control over what can do things on their own devices.

Quote

“DressCode” apps turned phones into listening posts that could bypass firewalls.

Google Play was recently found to be hosting more than 400 apps that turned infected phones into listening posts that could siphon sensitive data out of the protected networks they connected to, security researchers said Thursday.

One malicious app infected with the so-called DressCode malware had been downloaded from 100,000 to 500,000 times before it was removed from the Google-hosted marketplace, Trend Micro researchers said in a post. Known as Mod GTA 5 for Minecraft PE, it was disguised as a benign game, but included in the code was a component that established a persistent connection with an attacker controlled server. The server then had the ability to bypass so-called network address translation protections that shield individual devices inside a network. Trend Micro has found 3,000 such apps in all, 400 of which were available through Play.