In-brief: A denial of service attack on the managed DNS firm DYN was due, in part, to attacks from Internet of Things devices running the Mirai malware, the firm Flashpoint reported. Analysis by the firm Flashpoint suggests that large-scale denial of service attacks against the managed DNS provider DYN on Friday were carried out, in part, by cameras, digital video recorders and other “Internet of Things” endpoints infected with the Mirai malware. In a blog post, Flashpoint said its analysis confirmed that some of the malicious infrastructure responsible for the distributed denial-of-service (DDoS) attacks were running the Mirai malware. From the blog post: Flashpoint has confirmed that at least some of the devices used in the Dyn DNS attacks are DVRs, further matching the technical indicators and tactics, techniques, and procedures (TTPs) associated with previous known Mirai botnet attacks. However, unlike the botnets used to launch attacks against the website of […]
The world of security for the Internet of Things just became more complex. IoT devices are no longer a potential threat to their owners; now they pose a significant threat to everything connected to the Internet.
The old IoT security problem
For the past year, the cybersecurity and IoT communities have been at odds regarding how to keep devices from harming their owners. Much of the focus emerged around industrial controls and transportation equipment. Vulnerable industrial controls devices could cause cascading effects to power stations, water distribution, chemical plants, heavy machinery, and other industrial facilities, posing a threat to workers or downstream users. There have been hacks, compromises, and stern warnings. Concerned governments are putting pressure and establishing requirements to protect services at a national level.
Vehicles, most notably airplanes and smart cars, have taken the bulk of the public’s attention. Hacks against Jeep, Tesla, and Volkswagen have shown how doors can be unlocked and total operating control commandeered with steering, breaks, and acceleration taken over by an attacker. A car that is rendered unusable by its owner or made to crash and injure occupants is frightening but apparently trivial if you do not own that type of vehicle. The public appears to be entertained by these research exploits but not too concerned. The danger may seem beyond the everyday consumer and the effects are likely limited to only those who could afford such conveyances.
On the low-cost side, home appliances, wearables, toys, and drones are already a part of the everyday consumer world, but hacking a smart toaster or rice cooker seems harmless, beyond some burnt starch.
Eventually, we will face more risks than we can imagine. As IoT devices are woven into the fabric of people’s daily lives, we will be at risk of their misuse. In the future they will begin to control the stoplights on the way to work, the equipment in the emergency room, control of progressively more vehicles on the road and in the sky, and the distribution of such necessities such as electricity, food, medicine, water, and communications. We will begin to understand how these little technical minions become critical to the smooth delivery of services in our future digital lives.
This is the space where thought-leading IoT manufacturers are working feverishly. The automobile industry in particular has been quick to invest in security to ensure their products do not cause accidents. Such work has begun, but it still has a long way to go in cars and across all the other billions of devices we will weave into our lives and businesses in the next few years.
The next generation of IoT devices is appearing and will work to help protect our property, monitor our health, automate our homes, keep our children safe, increase our communication, eliminate time-wasting chores, make us more efficient, and optimize our businesses. A great future to be sure, but it will need to be trustworthy and secure, as our reliance on the smallest elements will ultimately impact the biggest parts of our lives. These are all known and accepted security challenges in the world of IoT. This is not the end of the security story, only the beginning.
The new IoT security problem
We now face a new set of problems with IoT. Unlike the known challenges, in which IoT devices might impact local owners and bystanders, the new threat is a powerful weapon that can be pointed at anything connected to the Internet. Recent distributed denial of service (DDoS) attacks have been fueled by hacked IoT devices, called bots. DDoS attacks saturate Internet-connected devices and services to bring them down or make them unavailable. Such attacks have been around for years, and in fact were some of the first types of Internet attacks; but the scale is now changing the game at a pace not tenable for security workarounds.
The game has changed. These IoT DDoS attacks are typically run by “bot herders.” These herders compromise devices and install malware that allows them to be remotely controlled. By pointing hundreds or thousands of devices to flood a target with requests and data, they can overwhelm it to the point it can no longer maintain functions. There are several anti-DDoS services that offer protection for a price. But the scale of the new IoT-backed attacks, which are larger than anything ever seen, makes protection difficult and costly. Josh Shaul, Akamai’s vice president of web security, warned that if such an attack were sustained, it could cost the victim millions of dollars in cybersecurity services to stay online.
Traditionally, PCs were the prime targets to turn into bots, as many people did not bother with installing antimalware products. But over the last few years, PCs have become much better protected and thus difficult for bot herders to consistently control. The other problem is the shift to laptops. A bot is good only if it is online, can receive instructions from its master, and then continuously execute those orders. Laptops do not fit this model well, as they spend much of their time off, to save battery life.
What bot herders really want is a massive number of devices that are easy to hack, are ignored by their owners, and are constantly connected to the Internet. Recent attacks have proven IoT devices are the perfect solution for cybercriminals.
The rise of IoT is a dream come true for bot herders. Most IoT devices are not powerful enough to have any type of antimalware service. A majority of consumer products come with a default login and password that are published by the manufacturer and easily found on the web. Many stay continuously connected to the Internet and users rarely monitor or update these devices, especially consumers. The biggest factor is around scale. Unlike the hundreds or thousands of PCs that might be in a herd, IoT botnets can number in the hundreds of thousands!
With legions of exploitable devices, attackers are mustering massive DDoS armies and the results of IoT botnets are devastating.
How to secure the future of IoT
The problem is not just what to do now, with the current exploits, but also how to protect the future. Attackers are using the most simple and easy path to take control, the default passwords. But they will adapt as controls come into play. This is the pattern we have seen with many other attack vectors. It is a repeating cycle in which attackers follow the path of least resistance to achieve their objective. IoT devices are just too perfect for botnets for the attackers to easily give up. This is shaping up to be a long and drawn-out fight.
We must secure the future of IoT. This means blocking current exploits as well as interdicting the likely future maneuvers of attackers. This is what must be done to protect the life cycle of IoT devices, from inception to retirement.
- Designed and architected for security
IoT manufacturers must take the time to embed security into the architecture, interfaces, and designs of their products. Basic security concepts and capabilities such as compartmentalization of data and code, communication between trusted parties, data protection both in use and at rest, and authentication of users should be established and tested. Products in the future will get more powerful, store more data, and possess more functionality. This means products should have the ability for security updates, feature locking, build validation, software vetting, and default configurations that follow industry best practices. It all starts with the manufacturer. Future proofing begins at the foundations. The hardware, firmware, operating systems, and software must be designed to go into a hostile environment and survive.
- Secure provisioning and configuration
Most IoT devices require some kind of setup and provisioning upon installation. Device identity and authentication are a must, as part of this two-way process. Proper default configurations that adhere to best security practices are important and should be easy for users to understand. Rules should be in place that do not allow default passwords, require patches and updates to be signed, data to be encrypted, and only secure web connections. For enterprises, limiting network access, patching in a timely manner, and allowing only approved software to run will go a long way to keeping the devices secure. For gadgets that are capable, implementing security software such as antimalware, intrusion prevention systems, and even local firewalls will improve the device’s defense posture. Detection and telemetry should also be configured to detect when systems are under attack or are functioning in ways not intended by the organization. Policies must be established for privacy, data retention, remote access, key security, and revocation procedures.
- Proper administration and management
For devices owned by consumers, it is imperative they alone maintain the final say in how the device is managed. Manufacturers and online service providers play a role in provisioning but the owner must retain ultimate control of what the device will do. Provisioning is different than administration. For example, during installation of home cameras it makes sense to connect to the manufacturer for the latest patches and maybe even setting up cloud storage. But you would not want your home cameras controlled by the manufacturer. They should not have the ability to operate them outside of buyer’s authority. Owners must retain the power to turn on or off their products and choose which online services they allow to connect. This requires proper user identification and authentication. As before, allowing a common default password is not good because anyone can take over as the administrator. Imagine if Windows came with a default login password for every system. It would create a security nightmare because many would never change it and attackers would login as users. So, first IoT systems must be able to authenticate their owners. Management functionality must also extend to empower the owner to set limits, data policies, and privacy parameters that are more restrictive than those of any potential third-party vendor. Signed security updates should be automatically installed by default as they become available. Savvy owners should be able to configure limits for inbound and outbound connections, data types, ports, and security settings. Logs that can be pushed to a trusted system or viewed locally should capture errors, and unexpected and unusual activities. A system for remote-warning notifications, via email or text, is a welcome feature on some devices. Finally, a reset capability must be present in the event of an unrecoverable compromise or transfer of ownership.
Enterprise and industrial devices are typically managed centrally, by the purchasing organization. This may be part or different than provisioning by the manufacturer or service provider. Entire classes, potentially numbering in the thousands, may be controlled to operate individually or as part of a collective. The same choices and control are required. Instead of a single owner, an organization’s employees will administer the IoT devices, monitor for issues, and respond to problems.
Proper administration and management is about oversight and final control by the device owner. It should be simple to understand and easy to manage. Devices should possess the necessary processes to determine if something is wrong, communicate such events to their owners, and provide options to resolve issues. IoT devices are here to make our world better and smarter; they themselves must bring some intellect to the ecosystem to protect themselves and work with their owners for their benefit.
How do we make IoT security a reality?
Security and privacy take effort, resources, and commitment. To change from the status quo, we must hold manufacturers accountable for their devices. If they fail to design and architect security into their products, make them liable and stop buying their wares. For critical functions that could put the safety of people at risk, enact regulations and subject them to government penalties.
As part of the best practices, which manufacturers and service providers must follow, developers must institute the aspects that make provisioning and initial configuration secure by default. Industry consortiums are working to define best practices, configurations, and default settings for different device classes.
Last and perhaps most difficult, is to raise the level of awareness and involvement of users. It is their security and the operational availability of potential Internet targets that is at risk. Without some assistance from consumers and businesses, these controls will be easily undermined or neglected. Social interaction must take place. We all have a responsibility, as a digital community, to maintain reasonable hygiene for devices connecting to our common resource, the Internet.
The choice is ours
It may seem like a lot to consider, but remember attackers need only find a reasonable vulnerability to exploit. The opportunity is to make the effort challenging enough so they are not motivated to pursue these devices. We find ourselves in a situation in which billions of IoT products will flood every industry and quickly find their way into our homes, schools, governments, and businesses. We must make the necessary efforts to not bring vulnerabilities with them. The effects will go well beyond our own lives, data, and devices. They may be turned into legions of bots, which could cause havoc to even the biggest of organizations on the Internet. We could all become victims if we do not work together to make our future technology trustworthy, safe, and secure.
The post How to Secure the Future of the Internet of Things appeared first on McAfee.
Posted in Uncategorized | Comments (0)
We’re no strangers to Armageddon-scenario movies, but today a real disaster hit the internet. Using brute-force tactics that flood key elements of the internet’s structure, cybercriminals managed to shut down a variety of popular websites. The resulting chaos essentially closed the entire East Coast of the U.S., before spreading to other parts of the country and overseas, from a section of the web. Big names such as Twitter, Spotify, Netflix, and more count among those affected. The natural question is “How did this happen?” It happened due to a Distributed Denial of Service attack — or DDoS for short.
While powerful tools may seem miles ahead of the average cyber crook’s ventures, DDoS attacks aren’t incredibly complicated. Plainly speaking, these tools are available to any cybercriminal wanting to get their hands on them.
So let’s cover the term “DDoS.” A Distributed Denial of Service is when perpetrators flood a website with so much traffic that it shuts the site down. Essentially, think of a traffic jam so bad that nobody can enter onto the freeway. Such attacks require a huge amount of devices to succeed — we’re not talking about dozens, we’re talking about up to a million. To really understand the scale of these attacks, watch these videos.
Now how do criminals get a hold of so many devices? By slipping malicious codes onto devices that aren’t secured — or are using factory-set default passwords — cybercriminals can create an army of hijacked devices from across the globe. This is known as a botnet. And with all of today’s connected-devices, crooks are finding it easier to increase their botnets’ ranks. Even the modern kitchen toaster can be vulnerable.
Now, we’re still waiting for details from this incident. We’re still unsure which devices or criminals were involved. But one crucial fact is worthy of note: this attack didn’t hit websites one-by-one. To create wide-spread damage, perpetrators targeted something that every website relies on: a Domain Name System (DNS) service.
Whether you’re aware or not, the DNS is used every time a browser fires up. Think of it as the address book for the internet. Computers don’t speak the same language as humans. So when you type in “www.netflix.com,” a DNS provider has to first translate those letters into numbers which computers understand. When you want to see a website, this is how your browser finds the right servers to connect to.
Now we’re ready to tackle the original question: how did an attack of such scale happen? Ultimately, cybercriminals targeted a large DNS provider. Specifically, the victim was Dyn. They support many of your favorite websites. Think of Twitter, Spotify, Netflix, PayPal, and Reddit. By launching a DDoS attack on the DNS provider, crooks blocked people’s browsers from accessing the servers of many popular websites — the very infrastructure of the internet itself was attacked.
Today’s news comes as a great shock. The truth is, we haven’t seen anything at quite this scale before. Think about it: an entire region of the United States was blocked from accessing parts of the internet. So if a cybersecurity wake-up call was needed, this is it. In my colleague Steve Grobman’s words, “this is a reminder of how effective an attack on one can be an effective attack on many.”
The post Major Websites Twitter, Spotify, Netflix Shut Down by DDoS Attack appeared first on McAfee.
There weren't too many surprises inside Google's $750 device. During disassembly, the site actually broke the Samsung-made OLED panel, noting "the OLED panel separated from the digitizer glass a little too easily for our liking. Super-thin components and no frame or bezel behind the display make it extra sketchy to remove." On the plus side for repairability, the OLED panel isn't bonded to the glass, so you can replace just the broken glass instead of having to buy another expensive OLED.
Under the display, iFixit found a "slim and flexible" magnesium mid-frame that hides most of the components. Buried under that you'll find a (hopefully non-explosive) HTC-branded battery—the only sign of the device's true manufacturer—along with Samsung-provided storage and RAM. Interestingly, like the Nexus devices last year, the Pixel contains a Qualcomm Quick Charge 3.0 chip despite not actually being QC 3.0 compatible—it uses USB-PD.
In news that will have Star Wars fans exclaiming, “cool, cool-cool-cool,” LucasFilm confirmed on Friday that it had cast comedian, actor, and rapper Donald Glover to portray “young Lando Calrissian” in the first Han Solo origin-story film. Glover will star alongside previously announced Solo actor Alden Ehrenreich in the still-unnamed film, which is set to launch in theaters sometime in 2018.
Glover, who broke out as a writer on 30 Rock before starring in the weird-and-hilarious series Community, will portray Calrissian "in his formative years as a scoundrel on the rise in the galaxy’s underworld," according to a LucasFilm statement. The announcement didn't mention previously leaked details about the Solo film leading off a trilogy, to which Ehrenreich is already signed in case the first film does well enough at the box office.
According to Phil Lord and Christopher Miller (of Clone High, Jump Street, and LEGO Movie fame), who will be directing the first Solo film:
Ideas about a possible ninth planet have been kicking around since shortly after we discovered the eighth in 1781. But so far, all that we've come up with is Pluto and a handful of other objects orbiting out in the Kuiper Belt. And these dwarf planets simply don't have the mass to have a significant gravitational influence on our Solar System.
But our inability to find anything big beyond the known planets may just have been because we weren't thinking radically enough. One of the people responsible for the discovery of a number of Kuiper Belt Objects noticed an odd alignment in their orbits. When running models of how that oddity could be produced, he and his team found that a large planet with an extreme orbit would work.
Calling it Planet 9, they suggested it could be over 10 times Earth's mass and so far out it takes 20,000 years to complete one orbit. Planet 9, they speculated, has a lopsided orbit that's tilted relative to the other planets and much closer to the Sun on one side.
In-brief: The arrest of a 29-year-old man in Prague for suspected involvement in the 2012 hack of LinkedIn is a big victory for law enforcement. Even more important: viral video of the arrest. (Editor’s note: This post first appeared on Digital Guardian’s blog. ) The arrest of a 29-year-old man in Prague for suspected involvement in the 2012 hack of LinkedIn earlier this month was a big victory for law enforcement. The release this week of video footage of his arrest and subsequent “perp walk” may be even more important. Czech authorities disclosed on Tuesday that they had taken an individual identified as “Yevgeniy N” into custody on October 5 at a restaurant in Prague. Reports on U.S. news outlets including CBS, citing unnamed sources, say the man was wanted for his involvement in the hack and theft of data from LinkedIn, the social networking web site, in 2012. Judging from […]