What Really Broke Dyn this week? IOT

Quote

Today a vast army of hijacked internet-connected devices – from security cameras and video recorders to home routers – turned on their owners and broke a big chunk of the web.

Compromised machines, following orders from as-yet unknown masterminds, threw massive amounts of junk traffic at servers operated by US-based Dyn, which provides DNS services for websites large and small.

The result: big names including GitHub, Twitter, Reddit, Netflix, AirBnb and so on, were among hundreds of websites rendered inaccessible to millions of people around the world for several hours today.

We’re told gadgets behind tens of millions of IP addresses were press-ganged into shattering the internet – a lot of them running the Mirai malware, the source code to which is now public so anyone can wield it against targets.

  • Dyn’s chief strategy officer Kyle York told The Register by phone that devices behind tens of millions of IP addresses were attacking his company’s data centers. 
  • A lot of this traffic – but not all – is coming from Internet-of-Things devices compromised by the Mirai botnet malware. This software nasty was used to blast the website of cyber-crime blogger Brian Krebs offline in September, and its source code and blueprints have leaked online. That means anyone can set up their own Mirai botnet and pummel systems with an army of hijacked boxes that flood networks with junk packets, drowning out legit traffic. 
  • One online tracker of Mirai suggests there are at least 1.2m Mirai-infected devices on the internet, with at least 173,000 active in the past 24 hours. 
  • Mirai spreads across the web, growing its ranks of obeying zombies, by logging into devices using their default, factory-set passwords via Telnet and SSH. Because no one changes their passwords on their gizmos, Mirai can waltz in and take over routers, CCTV cameras, digital video recorders, and so on. 
  • York said the waves of attacks were separate and distinct – there are multiple bot armies out there now smashing systems offline. “We’re expecting more,” he added.

It is well known that the Internet of Things (IoT) has very poor security. It could be improved if people would simply change the default password and manufacturers built in a mandatory password change at regular intervals. Not a cure-all, but an improvement. But El Reg says it better:

El Reg [ed. The Register] has been banging on about IoT security for ages: Mirai is now targeting cellular gateways. Not enough is being done to patch insecure gadgets. Do gizmos need some sort of security-warning labels? The blame here is not with Dyn. It is not even with the owners of the hijacked devices.

It lies with the botnet operators – and, perhaps more crucially, the dimwit IoT manufacturers who crank out criminally insecure hardware that can be compromised en masse. Particularly China-based XiongMai Technologies, which produces vulnerable software and hardware used in easily hijacked IP cameras, digital video recorders and network-attached video recorders. These crappy devices were at the core of today’s attacks, according to Flashpoint.

Until there is a standards crackdown, and vulnerable devices are pulled offline, this will continue on and on until there is no internet left.
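The spreading method described in the quote above (logins with factory-default passwords over Telnet and SSH) leaves a recognisable trace in authentication logs. The following is an added example, not code from The Register or this blog: it flags sources that try several distinct default credential pairs and reports any that succeeded. The log format, the credential list, the threshold and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed placeholder defaults for illustration; not Mirai's actual dictionary.
DEFAULT_PAIRS = {("admin", "admin"), ("root", "root"), ("admin", "1234"),
                 ("root", "12345"), ("user", "user")}

# Constructed honeypot-style log format that records the attempted credentials.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>telnet|ssh) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$")

# Constructed sample input (documentation IP ranges).
SAMPLE_LOG = """\
2016-10-21T11:10:01Z telnet src=198.51.100.7 user=root pass=root result=fail
2016-10-21T11:10:02Z telnet src=198.51.100.7 user=admin pass=admin result=fail
2016-10-21T11:10:03Z ssh src=198.51.100.7 user=admin pass=1234 result=fail
2016-10-21T11:10:04Z telnet src=198.51.100.7 user=root pass=12345 result=ok
2016-10-21T11:12:30Z ssh src=203.0.113.20 user=admin pass=admin result=fail
2016-10-21T11:12:41Z ssh src=203.0.113.20 user=alice pass=x9!Lq2 result=ok
garbled line that does not match the format
"""

def analyse(log_text, threshold=3):
    """Report sources that tried >= threshold distinct default pairs."""
    tried = defaultdict(set)       # src -> distinct default pairs attempted
    services = defaultdict(set)    # src -> services probed with defaults
    succeeded = defaultdict(list)  # src -> default pairs that logged in
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines outside the expected format
        pair = (m["user"], m["pw"])
        if pair not in DEFAULT_PAIRS:
            continue  # only default-credential attempts are of interest here
        src = m["src"]
        tried[src].add(pair)
        services[src].add(m["svc"])
        if m["result"] == "ok":
            succeeded[src].append(pair)  # device still has a factory password
    return {src: {"pairs": len(pairs), "services": sorted(services[src]),
                  "default_logins": succeeded[src]}
            for src, pairs in tried.items() if len(pairs) >= threshold}

if __name__ == "__main__":
    for src, report in analyse(SAMPLE_LOG).items():
        print(src, report)
```

A non-empty `default_logins` entry identifies a device that still accepts its factory password and needs new credentials.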

Cracking the Code

I was recently asked for the first 4 digits of my SSN on an insurance application. I refused. I was told the usual answer: “no one ever has had a problem with this before.” Well, that does not surprise me. The security IQ of the average business, in my estimation, barely registers. This is especially true for small and medium businesses, although, as seen, even their larger brethren are pretty bad. Anyway, I digress. It is not just this hapless insurance company. Doctors’ offices continue to be notoriously bad. One month ago I tried to make an appointment with a doctor and they asked for my full SSN. Of course I refused. I made it all the way to the CEO of the practice, and this fool simply repeated over and over that it was their policy, as their software used it as a unique identifier. Idiots.

How easy is it to guess SSNs?

Quote

Researchers have found that it is possible to guess many — if not all — of the nine digits in an individual’s Social Security number using publicly available information, a finding they say compromises the security of one of the most widely used consumer identifiers in the United States.

Many numbers could be guessed at by simply knowing a person’s birth data, the researchers from Carnegie Mellon University said. ….read more

My advice – refuse to give your SSN to anyone. And guard your birth-date also, especially online. Use a fake birth-date for any site requesting it.

Avon Calling?

Quote

Security researchers have discovered a glaring security hole that exposes the home network password of users of a Wi-Fi-enabled video doorbell. The issue – now resolved – underlines how default configurations of IoT components can introduce easy to exploit security holes.

The Ring allows punters to answer people knocking on your door from your mobile phone, even when you’re not at home. The kit acts as a CCTV camera, automatically activating if people approach your door, letting homeowners talk to visitors, delivery couriers and so on.

There’s an optional feature that allows the kit to hook up to some smart door locks, so users can let guests into their home even when they aren’t in. …The device is secured outside a house using two commonly available Torx T4 screws, leaving it vulnerable to theft. Ring offer a free replacement if the kit is stolen, so homeowners are covered in that scenario (at least).

However that’s not the end of the problems with the device. An easy attack makes it all too simple to steal a homeowner’s Wi-Fi key. To do this, hackers would need to take the kit off the door mounting, flip it over and press the orange “set up” button.

“Pressing the setup button [puts] the doorbell’s wireless module (a Gainspan wireless unit) into a setup mode, in which it acts as a Wi-Fi access point,” Pen Test Partners consultant David Lodge explains in a blog post. “By connecting to a web server running on the Gainspan unit, the wireless configuration is returned including the configured SSID and PSK in cleartext,”

A colleague of mine calls the Internet of Things the Internet of Targets — how true.

iKettle Leaks! (…WiFi Passwords)

Quote

A security man has mapped and hacked insecure connected kettles across London, proving they can leak WiFi passwords.

The iKettle is designed to save users precious seconds spent waiting for water to boil by allowing the kitchen staple to be turned on using a smartphone app.

Pen Test Partners bod Ken Munro says hackers can make more than a cuppa, however: armed with some social engineering data, a directional antenna, and some networking gear they can “easily” cause the iKettle to spew WiFi passwords.

….

Munro says the state of internet of things security is “utterly bananas” and akin to the quality of infosec in the year 2000.