Hardware, Internet crime, IoT, Linux, Security, Things that are bad

Confirmed: record-breaking DDoS attacks using IoT devices

2 Comments

Another week, another huge DDoS attack, this time against French web hosting provider OVH.

Analysis by security experts has now confirmed that these attacks used a huge network of compromised devices, mostly security cameras and Digital Video Recorders (DVRs). These devices are typically vulnerable out of the box, and unless they are configured properly, they remain vulnerable. Most of the devices in question run a version of BusyBox Linux.

Brian Krebs posted a list of manufacturers that produce hardware known to be affected, based on his research. But his list is only a starting point, and much more work is needed.

Adding to this nightmare is the news that the source code for Mirai, the botnet used for the recent, massive attacks, has been released to the public. We can (and should) expect more attacks in the coming weeks and months.

What can be done to stop this? The best solution would be to complete the work of identifying vulnerable hardware (make and model), and contact the owners of all affected devices with instructions for securing those devices. In practical terms, the first part is relatively straightforward work. The second part is problematic. Who is responsible if a device is being co-opted in DDoS attacks? The user? The service provider? The manufacturer? Many owners of these devices have no idea they are being used like this.

Eventually, the current crop of IoT devices being used in these attacks will be secured. But more new ‘smart’ devices are being manufactured and connected to the Internet every day. Until manufacturers stop shipping unsecure-by-default devices, we’re going to keep seeing these huge attacks.

Microsoft, Patches and updates, Windows 10, Windows 7, Windows 8.x

Windows 10 upgrade nagging removed from Windows 7 & 8.x

Leave a comment

Now that Microsoft’s offer of free Windows 10 upgrades for Windows 7 and 8.x users is over, it makes sense that we should stop seeing those annoying reminders everywhere. Sure enough, an update for Windows 7 and 8.x became available last Patch Tuesday (September 13) that removes the ‘Get Windows 10’ feature. The update is identified as KB3184143, and has the (surprisingly meaningful) title “Remove software related to the Windows 10 free upgrade offer”.

If you’ve been using the third-party software GWX Control Panel to keep those annoying Windows 10 upgrade messages away, and you’ve installed KB3184143 on your Windows 7/8.x system, you might be tempted to remove GWX Control Panel. Unfortunately, there’s no reason to assume that Microsoft won’t re-enable the ‘Get Windows 10’ feature again in the future. I plan to leave it running on my Windows 7 and 8.x computers.

Of course, knowing Microsoft, if they decide to start pushing Windows 10 on us again, they’ll probably develop something completely new, in which case GWX Control Panel probably won’t help.

Ars Technica has more.

In related news, at least one consumer group is calling for Microsoft to offer compensation to users and organizations that were harmed by unwanted Windows 10 upgrades.

Internet crime, Things that are bad

Brian Krebs site dumped by Akamai due to massive DDoS attack

Leave a comment

In what can only be viewed as a victory for the attackers, content delivery provider Akamai has dropped Brian Krebs’ web site krebsonsecurity.com in the midst of a record-breaking DDoS attack against the site.

Krebs and his site have been the target of DDoS, SWATting, and other attacks in the past, in response to his reporting on various illegal activities – and the people behind them. But this most recent attack, which began on Tuesday, is the largest in history.

Akamai provides services that limit the effectiveness of DDoS attacks. According to Krebs, Akamai was providing their services for krebsonsecurity.com at no charge. He doesn’t fault Akamai for dropping his site, but their doing so raises some interesting possibilities.

The most likely explanation is that Akamai could no longer justify providing their services to Krebs for free; dealing with such a large attack would have involved a lot of time and effort. Akamai may have offered to keep supporting krebsonsecurity.com, but at their normal price. Those prices are typically only paid by large corporate clients, and Krebs probably just can’t afford them.

As a result of all this, krebsonsecurity.com is offline, and likely to stay that way until the attackers lose interest. Once the attacks subside, I’m sure the site will return.

Although Krebs doesn’t blame Akamai for dropping him, it’s hard to see how Akamai can come out of this without their reputation being harmed. There will always be questions about exactly what happened. Was Akamai actually overwhelmed? I’m sure Akamai’s competitors will be looking at picking Krebs up as a client.

And finally, this is a clear win for the attackers. They now know that they can take down even high profile web sites, although perhaps not those owned by companies with very deep pockets.

Ars Technica has more, including speculation that the attacks involved hacked ‘Internet of Things’ devices.

Updates 2016Sep25: krebsonsecurity.com is back up, thanks to Project Shield, a free program run by Google to help protect journalists from online censorship. It will be interesting to see how well this service protects Krebs’ web site from inevitable, future attacks. And how will Akamai spin this?

Meanwhile, Krebs also thinks that poorly-secured ‘Internet of Things’ devices made the record-breaking size of this attack possible. And despite the site only being down for a few days, he feels that this kind of attack is a new form of censorship, referring to the effect as ‘The Democratization of Censorship‘.

Patches and updates, Vivaldi

Vivaldi 1.4.589.29

Leave a comment

This morning when I fired up Vivaldi (I still use it for social media), it popped up an update message. Luckily, I actually read the change notes in the message, so I can tell you that Vivaldi 1.4.589.29 consists of an engine (Chromium) update, plus a few bugfixes.

I say ‘luckily’, because as I’m writing this, there’s no announcement of the new version on the Vivaldi blog, and no release notes of any kind. Sheesh.

Internet, Privacy, Security, Things that make me happy

Let’s Encrypt’s finances

Leave a comment

I’m a big fan of Let’s Encrypt, an organization committed to encrypting all web traffic by proving free security certificates.

I’m also a big fan of transparency, so when LE published a summary of their financial information recently, my regard for their efforts clicked up another notch.

Highlights from LE’s financial information post:

  • Let’s Encrypt will require about $2.9M USD to operate in 2017.
  • The majority of LE’s funding comes from corporate sponsorships.
  • You can donate to Let’s Encrypt using PayPal.

For the record, this web site (boot13.com) and all my other secure sites now use Let’s Encrypt certificates.

Firefox, Patches and updates

Firefox 49

Leave a comment

I’m getting better at parsing Mozilla blog posts. I only had to read a few paragraphs of the latest post (“Latest Firefox Expands Multi-Process Support and Delivers New Features for Desktop and Android”) to be fairly certain that it’s talking about a new, just-released version of Firefox. The new version number (49) isn’t mentioned, and neither is there any definite indication of when the new version was released. But there is a link to the version 49 release notes, way down at the bottom of the post.

Why is that bad? Because the Mozilla blog also routinely includes posts that are not related to new versions of Firefox, and those posts are almost indistinguishable from posts about new Firefox versions. Of course, if your goal is to confuse and obfuscate, well, nice work, Mozilla.

According to the release notes, Firefox 49 enables multi-process tabs for even more users. After installing, you can determine whether your Firefox is using multi-process tabs by entering ‘about:support‘ in Firefox’s address bar and looking for the ‘Multiprocess Windows’ entry. In my case, that entry shows as 0/1 (Disabled by add-ons). I’m using add-ons that Mozilla hasn’t tested, I guess.

Also in Firefox 49, Reader Mode has been improved, and offline page viewing has been enabled for Android users.

Opera, Patches and updates, Privacy

Opera 40

Leave a comment

Version 40 of alternative web browser Opera includes several major enhancements. Most notable among the changes are:

  • free, unlimited, no-log browser VPN service: when turned on, the browser VPN creates a secure connection to one of Opera’s five server locations around the world;
  • automatic battery saving features for mobile device users;
  • Chromecast support via the Chrome extension;
  • improvements to the video pop-out feature;
  • the newsreader feature now supports RSS feeds;
  • updated browser engine (Blink, aka WebKit).

Sadly, the folks behind Opera seem to be taking a (rather dysfunctional) page from Mozilla – at least in the way changes are reported. Release announcements for Opera are still in the same place on the Opera Desktop blog. But whereas changes in previous versions were reported in changelog posts on the desktop blog (such as this one for version 39), on a page on the Opera documentation site (which stops at version 37), and on the Opera history page (which also stops at version 37), there doesn’t seem to be anything like a change log for Opera 40. Hopefully this is a temporary issue, and something better is on the way. But I’m not holding my breath. This trend toward a general reduction in (and dumbing-down of) information provided to users is not helpful, in my opinion.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.

Close

Ad-blocker not detected

Consider installing a browser extension that blocks ads and other malicious scripts in your browser to protect your privacy and security. Learn more.