If you use Twitter, reddit, Amazon, Tumblr, Spotify or Netflix, you may have noticed that they were slower than usual for parts of yesterday. That’s because the affected sites and services use Dyn, a DNS service provider, and Dyn was hit by two huge DDoS attacks yesterday.
The attacks lasted for a few hours, and while they certainly affected a lot of people, they were no more than an inconvenience for most. Still, the surge in the number and size of these attacks is troubling.
Analysis of the attacks shows that they were made possible by the Mirai botnet, which uses a huge network of poorly-secured (and now compromised) DVRs and security cameras. Those are the same tools used in the recent krebsonsecurity.com and OVH DDoS attacks. The source code for Mirai was released to the public recently, which means just about anyone could have caused the Dyn attacks.
Brian Krebs has more.
Update 2016Oct24: Dyn has released a statement about the attack on their systems, in which they clarify the timeline, and confirm that the Mirai botnet was involved. Meanwhile, security expert Bruce Schneier doesn’t believe that the recent attacks were perpetrated by a state actor such as China. He also doesn’t think they were related to the probing attacks he reported earlier. But he is concerned that the attacks will continue to grow in size and frequency, because nobody involved is motivated to fix the problem.
Chinese device maker Hangzhou Xiongmai has issued a recall for several of its webcam models that were used in the attacks. However, they are only one company out of hundreds (maybe thousands?) of companies producing poorly-secured IoT devices.
Update 2016Oct25: According to Brian Krebs, Xiongmai has also made vague legal threats against anyone issuing ‘false statements’ about the company. This is presumably part of a PR effort to improve the company’s image in the wake of the attacks, but it’s hard to see how this will help anyone. The company’s main objections apparently relate to statements by Brian Krebs and others about users’ ability to change passwords. Testing has shown that back-door, unchangeable passwords exist on some of the affected devices.
At this point it’s clear that thousands of poorly-secured IoT devices were used in the recent large-scale DDoS attacks against krebsonsecurity.com and OVH. Ongoing analysis points to devices manufactured by a Chinese company called XiongMai Technologies, which makes generic Digital Video Recorder (DVR) and Internet camera devices that are sold to vendors who use them in their own products.
Chinese vendor Dahua sells products that use these vulnerable devices. Dahua products appear several times in the list of affected devices published by Brian Krebs, and Flashpoint Intel also identifies Dahua devices as being involved.
Companies like XiongMai Technologies and Dahua share the blame for flooding the Internet with these easily-co-opted devices. XiongMai Technologies created devices that are inherently insecure and unsuitable for direct connection to the Internet. Dahua either failed to comprehend the danger, or chose to ignore it, producing deeply flawed consumer devices and – as Brian Krebs puts it – dumping toxic waste onto the Internet. These devices are spread around the globe, most to be plugged in and forgotten for years, ready to be abused by whoever can find them. Some of these devices can’t actually be fixed, since their vulnerabilities exist in firmware that can’t be updated.
Dahua’s response to all this isn’t likely to reduce concerns, since it tries to shift the blame onto users who failed to change default passwords, while ignoring the fact that these passwords cannot be changed in some cases.
What can be done about this? Beyond locating and removing the current crop of vulnerable devices – a difficult task in itself – how can we avoid this situation in the future? Preventing poor quality products from entering the market is ultimately the responsibility of governments. Until authorities get involved, this is likely to keep happening. If they fail to act now, the attacks will continue to get worse until commerce is affected, at which point it will no longer be possible for governments to ignore the problem. Bruce Schneier shares this view.
The good news is that the European Union is already taking action. The EU is planning to upgrade its telecommunications laws, which are now expected to include requirements for labeling IoT devices that are secure and approved for Internet connection. This kind of labeling already works well for showing the energy usage of electrical appliances.
Kudos to the European Commission for recognizing that the ongoing flood of crappy IoT devices is a major contributor to Internet-related problems, including the recent, massive DDoS attacks. Let’s hope that other governing bodies wake up soon.
Cryptocurrency-mining malware known as Mal/Miner-C is targeting specific Seagate Central Network Attached Storage (NAS) devices. The malware locates the devices when they’re exposed to the Internet and installs a special file in a public folder. Unwary users try to open the file, which installs the malware on their Windows computer. Once installed, the malware uses available resources to mine the Monero cryptocurrency. There are about 7000 of these devices globally.
It’s standard practice to tell users to lock their computers when they walk away from their desks. A locked computer presents an obstacle to anyone with physical access who’s interested in poking around or stealing data. But in reality, once someone has physical access to a computer, there are ways to gain full access, even when that computer is locked. Now there’s a new technique that simplifies this task. A specially set up thumb drive is inserted in the target computer (Mac or PC), and 20 seconds later, the intruder has valid login credentials in their hands.
Two Factor Authentication (2FA or MFA) is an increasingly-common way to bolster your security when using Internet-based services and web sites. It adds a second step to the login process, which usually involves entering a special code. Many sites and services that offer 2FA send codes to your registered cell phone via SMS text messages. Unfortunately, that specific method (codes via SMS) can be co-opted by attackers who already have your password (which is increasingly likely with all the recent breaches). If you’re using SMS text for 2FA, you should look into more secure methods. Google Authenticator generates temporary, time-limited codes using an app on your smartphone. Duo Security has an app that receives special ‘push’ messages from the site you’re trying to access, and all you have to do is click a button on your cell phone to get in.
Bruce Schneier wants everyone to stop blaming the user for security problems and create systems that are more inherently secure. As things are today, the user gets most of the blame when something goes wrong. Clearly, using weak passwords, re-using passwords, and generally being vulnerable to phishing and other manipulation point to the user as the weak link. But Schneier thinks pointing at the user isn’t helpful, especially when that link is unlikely to ever change. Instead, he wants to limit the involvement of the user; to create fewer security pitfalls. He points to current efforts along those lines, including automatic security updates, and virtualization. Which are both great ideas, as long as us techie folks have a way to bypass those things.
Another week, another huge DDoS attack, this time against French web hosting provider OVH.
Analysis by security experts has now confirmed that these attacks used a huge network of compromised devices, mostly security cameras and Digital Video Recorders (DVRs). These devices are typically vulnerable out of the box, and unless they are configured properly, they remain vulnerable. Most of the devices in question run a version of BusyBox Linux.
Brian Krebs posted a list of manufacturers that produce hardware known to be affected, based on his research. But his list is only a starting point, and much more work is needed.
Adding to this nightmare is the news that the source code for Mirai, the botnet used for the recent, massive attacks, has been released to the public. We can (and should) expect more attacks in the coming weeks and months.
What can be done to stop this? The best solution would be to complete the work of identifying vulnerable hardware (make and model), and contact the owners of all affected devices with instructions for securing those devices. In practical terms, the first part is relatively straightforward work. The second part is problematic. Who is responsible if a device is being co-opted in DDoS attacks? The user? The service provider? The manufacturer? Many owners of these devices have no idea they are being used like this.
Eventually, the current crop of IoT devices being used in these attacks will be secured. But more new ‘smart’ devices are being manufactured and connected to the Internet every day. Until manufacturers stop shipping unsecure-by-default devices, we’re going to keep seeing these huge attacks.
Noted writer and technology analyst Cory Doctorow just posted a new article on the Locus Online web site: “The Privacy Wars Are About to Get A Whole Lot Worse.”
In case you hadn’t guessed, we are talking about the Internet of Things. Despite plenty of warnings from privacy advocates, and numerous real-world examples of the consequences to privacy of poorly-designed devices, the current move toward ‘smart’, connected devices continues apace. And these devices won’t ask for your consent, they’ll just compromise your privacy by default.
Doctorow is worried about this, and so am I.
Cloud storage provider Backblaze publishes their hard drive reliability findings quarterly, thus providing a useful benchmark for us regular folks.
In their most recent report, Backblaze’s data includes 8 terabyte drives for the first time. Failure rates for the 8 TB drives is slightly higher than smaller drives, but this may be due to the fact that all of the 8 TB drives are new, and new drives tend to fail more often than drives that have been running for a while.
As usual, HGST (Hitachi) drives top the reliability charts, but Seagate is now close behind. Western Digital failure rates are the worst of all the drives analyzed.
Security researchers at Bastille tested a variety of wireless keyboards and found several that are vulnerable to keystroke interception and injection techniques.
The researchers developed a specific attack called Keysniffer, and used it to both read user keystrokes and inject their own keystrokes remotely, from as far away as 250 feet. The attack is possible because the affected keyboards don’t encrypt communications with the host computer.
Bastille obviously didn’t test every wireless keyboard out there, but they did provide a list of those they found to be vulnerable.
A recent report from Duo Security shows that pre-assembled, ready-to-run computers purchased from major vendors almost always include pre-installed software that often makes those computers much less secure. That’s in addition to being unnecessary, unstable, resource-hungry, and often serving primarily as advertising conduits.
If you purchase a pre-assembled computer, you should uninstall all unnecessary software as soon as possible after powering it up. Before even connecting it to a network. It can be difficult to identify exactly which software should be removed, but a good starting point is to remove anything that shows the manufacturer’s name as the Publisher. PC World has a helpful guide.
And now the good news, at least for some of us: Microsoft now provides a tool that allows a user with a valid license to reinstall Windows 10 from scratch at any time. Minus all the crapware that the manufacturer originally installed.
Backblaze provides online backup services. The core of their service is an enormous collection of hard drives of various makes, capacities and models. Backblaze tracks the reliability of the hard drives in their systems, and publishes their findings yearly.
This year’s report shows that HGST (Hitachi) drives are still the most reliable, but also shows substantial improvement in Seagate drives over previous years.
Ransomware made news frequently in March. Two more healthcare networks in the USA were hit with ransomware. A new variety of ransomware called Petya took things to a new level, encrypting the core data structures of hard drives. TeslaCrypt continued its destructive march across Europe and into the USA. A surge in malware-laden advertising (aka malvertising) on several popular web sites, including the Certified Ethical Hacker site, led to numerous ransomware infections.
Smartphones and tablets running Google’s Android operating system remain a popular target for malware. A newly-discovered vulnerability can allow malware to permanently take over a device at the root level. Malware that exploits the still largely unpatched Stagefright vulnerability was identified.
Security researchers discovered malware that can infect computers that are not connected to networks, using external USB devices like thumb drives. The malware, dubbed USB Thief, steals large quantities of data and leaves very little evidence of its presence.
A hacking group known as Suckfly is using stolen security certificates to bypass code signing mechanisms, allowing them to distribute malware-laden apps more effectively.
The folks at Duo Security published an interesting post that aims to demystify malware attacks, describing malware infrastructure and explaining how malware spreads.
Ars Technica reported on the surprising resurgence of Office macro malware. Macros embedded in Office (Word, Excel) documents were a major problem in the 1990s but subsequent security improvements by Microsoft reduced their prevalence until recently. Getting around those improvements only requires tricking the document’s recipient into enabling macros, and it turns out that this is surprisingly easy.
Millions of customer records were made available in the wake of yet another major security breach, this time at Verizon.
Google continued to improve the security of its products, with more encryption, better user notifications and other enhancements to GMail.
Brian Krebs reported on spammers taking advantage of the trust users have in ‘.gov’ domains to redirect unsuspecting users to their spammy offerings.
Opera announced that their web browser will now include ad-blocking features that are enabled by default.