If we could somehow mandate that these devices were supported with firmware updates for the indefinite future, that would simply destroy the entire market. And you can't do that, because even the devices created by an entity that no longer exists and didn't sell its IP to anybody else will eventually be enough to do these DDoSes, if they aren't already.
The Internet wasn't envisioned with a single email provider, single DNS provider, single app container provider. (Ok, for most of these you have two, sometimes three choices, but still, that is too few). The centralization makes everything very vulnerable - imagine what would happen when Gmail is knocked out for a day.
There's no RFC that talks about methods for preventing or mitigating hundreds of thousands of machines all sending arbitrary traffic at you at the same time.
The only way to protect yourself from that sort of attack is to buy filtering from someone who has a bigger pipe than the largest DDoS available, and have them filter the packets so that you only get clean traffic. Unless you know of an alternative that nobody else has heard of yet.
So you wind up buying transit / scrubbing from one of a few big providers, because that's the only way to avoid being sniped by DDoSers.
Your average user says "Sure I can set up cameras" then sees "remote access" in the menu, sets it up, maybe it has some UPnP to the router and BOOM. Magic remote login without any type of mitigation.
My prediction is that it'll get worse before it gets better and that these types of botnets will be around for at least 5 years. Look at what happened to unsecured-by-default routers, android phones, Windows PCs, cars...the way consumers will get more secure stuff is by manufacturers being publicly embarrassed / sued over problems until caring about security makes business sense, then they'll have it in their hands when their old insecure gadgets die.
My cynical side thinks this will be a problem until all the old endpoints supporting these insecure things are shut down eventually in 5-10 years.
As you proved, fixing the situation by fixing the devices wouldn't be a feasible approach. The traffic from those devices is carried by ISPs and this is where this traffic should be stopped. To me the situation is reminiscent of email spam. We didn't get rid of spammers, instead the email traffic is analyzed and dealt with accordingly. I'm sure that ISPs easily see the patterns of such massive DDoS attacks and could just drop (or throttle down into oblivion, like 100s of times down) the participating traffic.
Nothing. If the economic system revolves around capital's valorization of itself, security is a distraction from that. I have to spend five seconds typing my password in every time I sit at my desk? I can't just easily e-mail this executable file to my co-worker and have them run it? My desktop is locked down by the desktop admins to prevent me being able to do this, and many other things? Every implementation of security costs money for the personnel to do it and possibly the product cost. Plus any lost productivity it might cause (15 seconds to type in a password each time one sits at their desk, compounded).
Donn Parker wrote one of the first books on computer security in 1976, Crime by Computer. The opening words are as apt for corporate security now as they were then. The #1 fear for the corporate manager is the employees of that company. They are the ones with the greatest control over the means of production, so to speak, even more than the managers themselves who are de jure in charge, but are de facto one step away from actual control. Look at how much access someone like Snowden had at Booz Allen.
Obviously, if all products have wide open holes, script kiddies will be able to get control. Some minimal security will always be done to stop this sort of thing. On the other hand, one (or better yet, several) dedicated people who want to get past some security arrangement can almost always get in. Even if the firewall is supposedly impenetrable, the wifi or the building security or the social engineering credulity of employees or something will be there. There will be some weak link in the chain. Especially for a company that needs to make a profit.
The real security is that semi-intelligent, persistent agents that seek to access and control systems without authorization are lacking. Things depend on the conditions that cause this to rise or diminish. Because once it rises, there is little that can be done. I forget who said that the czar's Russian Okhrana was one of the largest, most extensive security forces that existed. That meant little when Russia began collapsing in 1916 though - all it meant was that they were even more aware that virtually everyone in the country was becoming the czar's enemy.
Securitypocalypse events do result in business and government putting more focus on security for a while, but time moves on, and attention drifts back to the main focus. These things go in waves, and total security is never something of the highest priority.
And every time I read about the IoT botnet, my immediate response is to look around my apartment at my Internet-connected lights, and wonder if they're part of it.
How can I find this out?
Is anyone making a tool that a non-technical user can run to squint at their network and look for evidence of Mirai, or anything else trying to take advantage of this niche?
There are plenty of tools with a reasonably simple interface that will tell me if my laptop/desktop computer is infected with something. But what can I use to diagnose the health of all of the other computers proliferating around my house?
How can a non-technical user easily monitor the overall health of their connected household? Is this a project anyone is building? Because I think it's definitely something that needs to exist now.
And it's probably not gonna get any better any time soon, either. Because I'm not sure there's a money stream in making this something a non-programmer can do. And maybe there shouldn't even be a money stream in this - maybe there should just be huge-ass fines to motivate as many people as possible along the chain from "my Internet Thing" to "the Internet" to include a white/grey hat or three on their team very early in the design process of making their camera/light bulb/pacemaker/router/modem/whatever. Although if someone reading this can figure out a way to get a money stream out of making it a lot easier to see the health of your home's devices, and keep them safe, that might be a decent YC app for you.
How do we add an immune system to the Internet Of Things? Because we sure as hell need one.
Assuming the flirting displayed is sincere, that security researcher may prove much more scalable than you'd imagine.
* Inventory all IOT devices in your possession.
* Find the device manuals and make sure you've changed the default password(s). Note there may be devices where it appears you've updated, but that have secret credentials you can't modify.
* Make note of which of your devices do not have an obvious way to change the factory default password.
* Keep an eye out for lists of devices that are known problems, here is one such sample list: https://blog.sucuri.net/2016/09/iot-home-router-botnet-lever...
* Check each manufacturer to see if they have issued a firmware upgrade to address security issues. Apply update.
* Think about retiring devices that appear on the "bad" hardware lists or the devices with unchangeable factory defaults.
Hope this helps.
You can even hook up Dowse to your TV set and show a live animation of where on the internet your devices connect to https://youtu.be/vquh3IXcduc?t=74
As for a non-technical solution, it will be difficult to implement. It requires some computer know how and time. Such a secure device could be created or better yet offered by the manufacturers of the modems/routers frequently deployed in homes.
It would be good to have an IDS with bare minimum settings, easy to turn on layer after layer, though I understand it's tricky.
Turn off the devices you don't want to check; leave only those up you want to investigate.
Visit your router on the web interface and see if there are any graphs you can check for things like requests/second or packets/second. If it's really high while you're not actively doing anything, that's a clue.
Visit the UPnP settings on the router. If there are ports listening for incoming internet connections, turn the UPnP off on the router.
If you can SSH to your router, log in and start collecting data with tcpdump[1]. This later can be analyzed with tools like wireshark[2], which can show you per protocol what is going in. Most of the botnets use telnet- or IRC-like interfaces which are, in most cases, plain text commands, so it's possible to spot them.
Apart from this: reset everything to factory and change all the passwords before letting anything on your network.
[1]: https://www.linux.com/blog/tcpdump-tutorial-beginners
[2]: https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntr...
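As an added illustration of the tcpdump step above (not code from the commenter), here is a small analyzer run over constructed `tcpdump -n` style lines: it flags LAN hosts that fan out telnet (tcp/23) connections to many external addresses, hosts that talk to an IRC port (6667), and hosts whose outbound packets per second exceed a threshold. The sample lines, thresholds and documentation-range addresses are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -n` style (not a real capture): a light bulb at
# 192.168.1.50 probing many external hosts on telnet, a laptop at 192.168.1.20
# doing ordinary HTTPS, and a camera at 192.168.1.77 talking to an IRC port.
SAMPLE = """\
12:00:00.000100 IP 192.168.1.50.41000 > 203.0.113.5.23: Flags [S], seq 1, win 512, length 0
12:00:00.000200 IP 192.168.1.50.41001 > 203.0.113.6.23: Flags [S], seq 1, win 512, length 0
12:00:00.000300 IP 192.168.1.50.41002 > 198.51.100.7.23: Flags [S], seq 1, win 512, length 0
12:00:00.000400 IP 192.168.1.50.41003 > 198.51.100.8.23: Flags [S], seq 1, win 512, length 0
12:00:00.000500 IP 192.168.1.50.41004 > 192.0.2.9.23: Flags [S], seq 1, win 512, length 0
12:00:00.000600 IP 192.168.1.50.41005 > 192.0.2.10.23: Flags [S], seq 1, win 512, length 0
12:00:00.500000 IP 192.168.1.20.51000 > 192.0.2.80.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000000 IP 192.168.1.20.51000 > 192.0.2.80.443: Flags [.], ack 1, win 64240, length 0
12:00:01.200000 IP 192.168.1.77.38000 > 203.0.113.200.6667: Flags [P.], seq 1:20, ack 1, win 512, length 19
"""

LINE_RE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_tcpdump(text):
    """Turn `tcpdump -n` lines into (ts_seconds, src, sport, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, IPv6 or truncated lines are ignored here
        h, mi, s, src, sport, dst, dport = m.groups()
        ts = int(h) * 3600 + int(mi) * 60 + float(s)
        flows.append((ts, src, int(sport), dst, int(dport)))
    return flows


def is_private(ip):
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 192 and b == 168) or (a == 172 and 16 <= b <= 31)


def analyze(flows, telnet_fanout=5, pps_limit=200):
    """Return {lan_host: [tags]} for hosts showing botnet-like outbound behaviour."""
    telnet_targets = defaultdict(set)
    per_second = defaultdict(lambda: defaultdict(int))
    findings = defaultdict(set)
    for ts, src, _sport, dst, dport in flows:
        if not is_private(src) or is_private(dst):
            continue  # only LAN -> internet traffic is of interest
        per_second[src][int(ts)] += 1
        if dport == 23:
            telnet_targets[src].add(dst)
        elif dport == 6667:
            findings[src].add("irc-c2-like")
    for src, targets in telnet_targets.items():
        if len(targets) >= telnet_fanout:  # one host probing many telnet servers
            findings[src].add("telnet-scan")
    for src, buckets in per_second.items():
        if max(buckets.values()) > pps_limit:  # the "really high" graph, per host
            findings[src].add("high-pps")
    return {src: sorted(tags) for src, tags in findings.items()}
```

Feed it real `tcpdump -n` output captured on the router and lower `pps_limit` to whatever is abnormal for your own link.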
I think you unintentionally helped to cement GP's point. There is a huge opportunity for some kind of little box - vetted/certified or even insured - that non-technical users can plug in, click Next > Next > Finish, and be notified when any device on their home network starts acting suspicious.
https://krebsonsecurity.com/2016/10/who-makes-the-iot-things...
Edit: I guess it's more accurate to say that a lot of poorly designed devices use UPnP IGD to work around NATs/firewalls and Mirai takes advantage of this to infect them.
https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twit...
Personally I think his case is pretty convincing.
"Last month, a hacker by the name of Anna_Senpai released the source code for Mirai, a crime machine that enslaves IoT devices for use in large DDoS attacks. The 620 Gbps attack that hit my site last month was launched by a botnet built on Mirai, for example."
I repeatedly hear people refer to IoT devices that are notoriously difficult to update...yet this Mirai code is technically able to access millions of devices and bend them to its will.
So what I'm wondering is just, what prevents the good guys from using Mirai to slurp down every available device to patch the vulnerability that allowed Mirai to work in the first place?
It seems like if vulnerabilities in these devices can destabilize the entire internet that it should be perfectly viable as a response to actively look for those vulnerabilities, patch/minimize them and notify their creators of the issue.
Now, you might say "why doesn't a good samaritan just log in to all of those devices and change the password to something random?"
OK - ignoring the fact that THEY would be committing felonies in several countries... what happens when the device manufacturer wakes up and decides to patch these devices via that remote access? Suddenly the password doesn't work, and the end-user can't change it because... what's the procedure for changing the default ssh password on a light bulb?
Technically you could make the situation better by writing a worm that changes the passwords, but at this point even that is a lost cause since Mirai has a command that will change the pw on all infected hosts.
And the article about BackConnect mentioned by Bloomberg: http://webcache.googleusercontent.com/search?q=cache%3Ahttps...
I'm wondering what would be the negative consequences of this and if they outweigh the benefit of being more resilient to these types of attacks.
77.88.8.8
77.88.8.1
https://dns.yandex.ru
The reputation of the government - shutting down access to websites that hurt them is kind of a no-go for me.
I had disabled adblock at their insistence...
I re-enabled adblock and I could get the article. hmmmm. maybe something about the 50 unrelated js calls?? perhaps?
https://threatpost.com/mirai-bots-more-than-double-since-sou...
It absolutely is an area that governments should be mandating, because the problem is an externality. These attacks are a cost imposed on neither the producer nor the consumer of the device itself, and (apart from some highly speculative libertarian conjectures) the only things that can fix externalities are taxes, regulations, and lawsuits.
Lawsuits are infeasible in this case since we probably can't prove whose devices were involved in any given attack, so that leaves taxes and regulations - and the latter would be better so we don't have to go through the business of collecting taxes from manufacturers and then distributing them to the victims of attacks.
> That puts unnecessary strain on small companies
Clearly it isn't unnecessary, because I can't get to any friggin websites today. If small companies don't have the resources to update the devices, they shouldn't be building them in the first place.
Something similar could work for IT.
- planned obsolescence cranked to 11, you must replace everything in your house every month
- monthly subscription fees for each lightbulb, refrigerator, and everything else
- all products must refuse to operate unless they can connect to a central update server (which is being DDOSed by competing products made in a country without that government mandate, that are still working, while no products made in your country work)
- company shuts down, goes out of business, and a new company with a different name (but all the same employees and products except for the logo) opens every month
- all software created must be maintained indefinitely into the infinite future for free by...magic elves?
From my experience in the aviation software world, we spend a great deal more on demonstrating reliability than in producing it. This forces a huge amount of overhead on our projects. This isn't a bad thing, mind you, but it is a thing to consider.
It is hard for a couple engineers to start a new company making these sorts of systems. The only practical way is to have a truly good and demonstrably better solution, or be inside a large corporation with already deep pockets.
Edit: forgot the /s
If no product with fewer than X thousand installs has to deal with the regulatory overhead of certification then experiments and early stage companies are less likely to be squashed. I would also exempt open source software from having forced audits or minimum standards for security. This would have the side effect of encouraging more companies to publish their firmware open source which would also not be a bad outcome.
To prevent companies manufacturing lots of almost identical product lines each individually under the limit for audits I think it would also be necessary to count all products that share more than half their code as one product.
In the case of ISPs providing cable modems and routers and DVRs and other boxes to their customers, they should be responsible for keeping those secure.
If people start getting fines or sued over what their internet-connected devices are doing, they might stop connecting them to the internet, or shop more carefully for devices or providers that are secure.
I don't think so.
You make a little gizmo with shitty security, you are liable. Full stop.
That's not the same thing at all. For a car to hurt somebody, the owner has to be actively using it, and doing so in a reckless or negligent manner; and furthermore, note that reckless operation of a car can hurt somebody even if the manufacturer built it perfectly. (if your car somehow did hurt somebody when nobody was using it, then the liability probably would belong to the manufacturer).
IoT devices are the exact opposite: they can cause harm when the owner has done nothing wrong, and they can only cause harm if the manufacturer screwed up and did not secure it properly.
All the liability belongs to the producer.
Being a small company doesn't mean you should be able to ship a defective product that is guaranteed to eventually become part of a botnet.
The mistake in this case was relying on one vendor for DNS. Amazon Route 53 would be a good alternate vendor for DNS, for example.
If you have an IoT device, by its nature it only needs to connect to a few services and hosts.
The manufacturer can provide this in their docs, and give an automatic config url that the router uses to load its egress rules.
The rules to load are displayed and the user checks they are legit by comparing to the printed version in the manual, then clicks ok. Or something like that.
Rate limits in terms of packets per second, total bandwidth both instantaneous and over time, are set also.
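A worked model of the scheme in this comment, added here and not the commenter's code: the router loads a manufacturer egress profile, the user compares a short fingerprint of it with the value printed in the manual, and outbound packets are then allowed only to the listed host/port pairs, within a packets-per-second token bucket and a daily byte budget. The profile contents, the `.invalid` hostnames and the limits are constructed for the example.

```python
import hashlib
import json

# Constructed manufacturer egress profile for a hypothetical light bulb; a real
# router would fetch it from the config URL the manufacturer prints in the manual.
PROFILE_JSON = json.dumps({
    "device": "example-bulb-v2",
    "egress": [{"host": "api.example-bulb.invalid", "port": 443},
               {"host": "ntp.example-bulb.invalid", "port": 123}],
    "max_pps": 10,
    "max_bytes_per_day": 5_000_000,
}, sort_keys=True)


def fingerprint(profile_json):
    """Short hash the user checks against the manual, so a swapped or tampered
    profile is noticed before its rules are loaded into the router."""
    canonical = json.dumps(json.loads(profile_json), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:12]


class EgressPolicy:
    def __init__(self, profile_json, printed_fingerprint):
        if fingerprint(profile_json) != printed_fingerprint:
            raise ValueError("profile does not match the fingerprint printed in the manual")
        p = json.loads(profile_json)
        self.allowed = {(e["host"], e["port"]) for e in p["egress"]}
        self.max_pps = p["max_pps"]
        self.max_bytes = p["max_bytes_per_day"]
        self.tokens = float(self.max_pps)  # token bucket: burst capped at max_pps
        self.last = None
        self.day = None
        self.day_bytes = 0

    def allow(self, host, port, ts, size):
        """Decide one outbound packet at time ts; returns (allowed, reason)."""
        if (host, port) not in self.allowed:
            return False, "destination not in manufacturer allowlist"
        day = int(ts // 86400)  # daily byte budget resets at midnight
        if day != self.day:
            self.day, self.day_bytes = day, 0
        if self.day_bytes + size > self.max_bytes:
            return False, "daily byte budget exhausted"
        if self.last is not None:  # refill max_pps tokens per elapsed second
            self.tokens = min(self.max_pps, self.tokens + (ts - self.last) * self.max_pps)
        self.last = ts
        if self.tokens < 1:
            return False, "packet rate above max_pps"
        self.tokens -= 1
        self.day_bytes += size
        return True, "ok"
```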
The app was down for me until I switched my WiFi network to use OpenDNS. It's possible your phone has the DNS record cached, or it's using a different DNS server. (Is it on cellular?)
Hardcoding IPs into a mobile app typically isn't done because it makes changing your infrastructure extremely painful.
Internet, in the beginning, was even more insecure. Including the computers and OSes. There was less abuse because few had the resources and knowledge. Read some old software and you'll find all bad designs in it. Software didn't become worse, it's just targeted with more knowledge and intensity.
We need protocols and systems that are designed to be distributed from the outset.
So if a DNS provider starts banning public IPs (which are the only IPs it sees), you could end up with an entire college getting banned because of one hacked webcam in one student's dorm room.
Or someone in an apartment somewhere with (unknowingly) a hacked thermostat finds their internet no longer works (DNS provider has banned them), so they reboot their modem, which causes their ISP to provide them with a new IP address. Guess what happens to their old IP address? It goes back into the pool of available IPs that that ISP can assign to other customers, and more and more banned-from-DNS addresses keep getting passed along to innocent, un-hacked customers.
E.g.:
> a so-called distributed denial-of-service (DDoS) attack
> York said Dyn was “actively” dealing with a “third wave” of the attack.
Edit: sorry there, this worked for me but apparently it's not guaranteed.
They have other IPs as well, but that's what I'm using
But, just to be clear, it's not Google's fault: 8.8.8.8 are not the authoritative name servers for the sites that are down. Rather, Dyn, the provider of the NS is down, and I presume Google (8.8.8.8) is correctly not returning any IP address because the underlying authoritative name server is not.
Presumably OpenDNS is working because it's not abiding by the TTL it's supposed to? It's caching the underlying authoritative name server longer than it was told?
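The behaviour this comment guesses at is what resolvers call "serving stale" (later standardized in RFC 8767). The toy resolver below, added here and not part of the post, shows the difference: both resolvers honour the TTL while the authoritative server answers, but when it stops answering the strict resolver returns SERVFAIL while the serve-stale one keeps handing out the expired record for a bounded time. Names, TTL and timings are constructed.

```python
class CachingResolver:
    """Toy recursive resolver: entries expire at the TTL the authority gave;
    `serve_stale` decides what happens when the entry has expired and the
    authoritative server cannot be reached."""

    def __init__(self, serve_stale, max_stale=86400):
        self.serve_stale = serve_stale
        self.max_stale = max_stale  # how long an expired answer may still be used
        self.cache = {}             # name -> (ip, expires_at)

    def resolve(self, name, now, authoritative):
        """authoritative(name) -> (ip, ttl), or raises TimeoutError when it is down."""
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0], "cache"           # TTL still valid: no upstream query
        try:
            ip, ttl = authoritative(name)
        except TimeoutError:
            if entry and self.serve_stale and now < entry[1] + self.max_stale:
                return entry[0], "stale"       # expired, but better than nothing
            return None, "servfail"            # strict resolver: TTL is the law
        self.cache[name] = (ip, now + ttl)
        return ip, "authoritative"


class Authority:
    """Stand-in for a hosted DNS provider that can be knocked offline."""

    def __init__(self):
        self.down = False

    def __call__(self, name):
        if self.down:
            raise TimeoutError("no response from authoritative server")
        return "192.0.2.10", 300  # constructed record with a 300 s TTL


def run_scenario(serve_stale):
    """Query example.invalid at four points in time; the authority goes down at t=350."""
    auth, res, out = Authority(), CachingResolver(serve_stale), []
    for now in (0, 100, 400, 400 + 2 * 86400):
        auth.down = now >= 350
        ip, status = res.resolve("example.invalid", now, auth)
        out.append((now, status, ip))
    return out
```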
It would take a lot longer than a couple of hours of Twitter being down for that to have a useful effect. For something as major as the presidential election result, it would probably take minimum a week before people got bored and moved on to a different topic.
So this kind of attack that only takes something out for a few hours would have no useful effect for an actor that wants to prevent people from discussing a recent event.
IMHO, it would be hard in general to take out a service run by a serious IT organization (of which there are admittedly few, by my definition of serious) for more than a few days unless the attacker carried out non-trivial physical damage (e.g., bombing multiple datacenters, murdering multiple system administrators, etc) or managed to somehow destroy enough backups (which in a serious IT shop, should be hard, as there should be some offline cold backups that require physical human activity to destroy).
... Perhaps if you try to argue that they did it in order to make sure everyone was on edge for the election... but even then it makes very little sense.