Jump to content

Massive cyberattack the result of malware-infected IoT devices


Reefa

Recommended Posts

Quote

Massive cyberattack the result of malware-infected IoT devices

 

The widespread internet outage that affected a number of the US’s biggest websites on Friday was the result of a huge distributed denial of service (DDoS) attack on Dyn, a domain name registration provider. Now security expert Brian Krebs, of Krebs on Security, has reported that the attack was carried out through the use of a botnet using the Mirai malware, which made use of a wide range of compromised IoT (Internet of Things) devices.

 

With the use of this “very sophisticated and complex attack,” as described by cyber security researchers Flashpoint, big websites like Twitter, Amazon, Netflix, Spotify, Reddit, and PayPal suffered outages and service interruptions throughout the day. Krebs writes that the same malware that was used in an attack in on his website last month, Mirai, was used to scan for and compromise IoT devices with weak security settings (i.e. factory default logins and passwords).

 

With control over these devices, Mirai was able to build a botnet, using it as a digital army to attack Dyn’s networks and servers with bogus requests designed to slow data speeds or cause entire shutdowns. When websites like Netflix or Twitter then get overrun with this traffic, it leaves no room for data from actual users.

 

So, other than those relying on factory default security settings, how are IoT devices specifically part of the problem? Here’s how Kreb explained it:

 

Quote

“According to researchers at security firm Flashpoint, […] the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use it in their own products.”

 

This means it’s possible that every single XiongMai product was turned into a piece of the botnet that attacked the US, with Flashpoint noting the possibility of multiple botnets being used against Dyn.

http://www.slashgear.com/massive-cyberattack-the-result-of-malware-infected-iot-devices-22461186/

 

Link to comment
Share on other sites


  • Replies 6
  • Views 893
  • Created
  • Last Reply
Quote

 

Jeff Jarmoc, head of security for global business service Salesforce, pointed out that internet infrastructure is supposed to be more robust.

"In a relatively short time we've taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters,"

 

 

Excerpt from a BBC article on the same subject

 

'Smart' home devices used as weapons in website attack

Link to comment
Share on other sites


In my opinion the question should be "Who did this and why?" Without understanding the peoples real motivation, building up defense line would be a temporary solution. We know that every system on the planet has vulnerabilities so nobody can guarantee %100 safe system. Nor today, neither in the future.

Link to comment
Share on other sites


  • Administrator

What is not mentioned here is that AVs and such are probably not even made yet for these devices. They really need to look into improving the security of these devices, it's in the best interest of the future tech, the users of these devices and even them.

Link to comment
Share on other sites


24 minutes ago, DKT27 said:

What is not mentioned here is that AVs and such are probably not even made yet for these devices. They really need to look into improving the security of these devices, it's in the best interest of the future tech, the users of these devices and even them.

 

AV is not much use in securing or protecting devices any longer.  The problem with IoT devices is the failure of the manufacturers and/or owners to put a secure password on them.  Most of them don't even require a password.  If they were made so that when they were first ran the user had to create a secure password, and that security was enforced by the software itself by forcing a secure password creation, then they would be less susceptible to being hacked.  The term hacking for these devices is actually wrong since access can be obtained without any actual hacking.  I was asked to check the modem/router at a gas station/convenience store a friend owns in a small town up north earlier this week.  He said the telephone people had installed and set it up and he had never looked at it.  I asked him for the login information and he didn't know it, so I started through the generic ones and hit it on the first try.  It was admin/admin.  If there had been a few lines of code written in the setup program then it could have forced a login/password change during setup, and if the program is written correctly it could force the choice of a secure password.  At some point in time we have to make the manufacturer/developer responsible for creating secure devices.  It would be hard to hold the user responsible since there is no certification or requirement for any training or skills before someone can purchase a computer.  If there were there would be hundreds of millions fewer computers in the world.  I am a firm believer in the concept that most problems are caused by idiots with computers.  In some organizations if a person causes a computer to become infected with any type of malware and that infection was a direct result of an action taken not in respect to their work, then they are fired. Applying the same general policy to home computer users, that if they get a malware infection their internet access is taken away until they take remedial computer classes, would go a very long way in protecting the internet.  Some would see it as government intrusion. But just like you have to have a license to buy, register, insure, and drive a car, which by the way is a privilege and not a right, why couldn't there be a licensing requirement for buying a computer, accessing the internet, or using certain software.  It would be a privilege and not a right and would only allow those that obtain a certain level of expertise to have a computer.

Link to comment
Share on other sites


The thing i dont like about it  is they try to make it look like it's the consumers fault when it's  really the vendors fault ..All trough history people buy what's the latest tech ..It up to the vendor to make it safe  and when they start putting internet in things that could cause people to get hurt  they crossed the line . One day something really bad is going happen because of IOT and they will be sued  tell  it puts some conman sense in there heads. IOT  is not a PC were people can make judgment whats safe and not safe  some seems  very confused  about it,  and off topic.

 

Here is a small example of what IOT is

Quote

 

Smart Door Locks

Smart Bluetooth Trackers

Smart Bike Locks & Trackers

Smart Home Retrofit

Connected Smart Kitchen

Smart Home Apps

CAR Sensors

 

Its not a PC  were you sit behind with a keyboard  !!!

Link to comment
Share on other sites


  • Administrator

@straycat19: Good points. Was not aware about it. Security has never been a priority for the most, including the companies, the people managing products and the common users.

 

I do not exactly blame the common users though. They are neither aware of the commitment required for the security nor have the time and knowledge for it. They know how to drive a car, how to refill the fuel and maybe how to change the oil, but they do not know how to fix it or know what is under the hood when it is required to do so.

 

Having said, I expect and am really eager for the people to take security with more sincerity here.

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...