Attacks On The Internet Keep Getting Bigger And Nastier

HardOCP News

[H] News
Joined
Dec 31, 1969
Messages
0
Do we really need all these networks of connected devices? A refrigerator that can use the internet? Connected thermostats? And, if you do use these devices, how about throwing a little security on them so that they can't be used in attacks like this?

On Friday, epic cyberattacks crippled a major internet firm, repeatedly disrupting the availability of popular websites across the United States. The hacker group claiming responsibility says that the day's antics were just a dry run and that it has its sights set on a much bigger target. And the attackers now have a secret weapon in the increasing array of internet-enabled household devices they can subvert and use to wreak havoc.
 

Ducman69

[H]F Junkie
Joined
Jul 12, 2007
Messages
10,493
Home automation is awesome. But who would risk committing a felony just to make my lights turn on and off or changing the temperature in my house? IMO, go at it, but if we catch you, my vote is to throw your ass in jail until you rot as an old man, basically forfeiting the rest of your life.
 

JayteeBates

[H]ard|Poof
Joined
Jul 21, 2007
Messages
4,708
Home automation is awesome. But who would risk committing a felony just to make my lights turn on and off or changing the temperature in my house? IMO, go at it, but if we catch you, my vote is to throw your ass in jail until you rot as an old man, basically forfeiting the rest of your life.
The problem with that is - you-me-we non offenders pay for that person for life.
 

Poseur

Limp Gawd
Joined
Oct 7, 2009
Messages
352
Maybe we need a simple way to isolate home LANs from the internet. Not just a firewall; something more physical. I have a printer, NAS and security cameras on my LAN. They're behind a firewall, but I'd love to isolate them further. VLAN is the closest thing I could find and that doesn't look ideal. Then again they all need firmware and software updates from time to time. Tough little problem. I guess we just need better firewalls?
 

cyclone3d

[H]F Junkie
Joined
Aug 16, 2004
Messages
13,467
Home automation is awesome. But who would risk committing a felony just to make my lights turn on and off or changing the temperature in my house? IMO, go at it, but if we catch you, my vote is to throw your ass in jail until you rot as an old man, basically forfeiting the rest of your life.
The problem with that is - you-me-we non offenders pay for that person for life.
Yeah, I don't want my tax dollars to be going towards housing/food/clothing/education/entertainment/medical, etc for these idiots.

Hang them I say.
 

cyclone3d

[H]F Junkie
Joined
Aug 16, 2004
Messages
13,467
Maybe we need a simple way to isolate home LANs from the internet. Not just a firewall; something more physical. I have a printer, NAS and security cameras on my LAN. They're behind a firewall, but I'd love to isolate them further. VLAN is the closest thing I could find and that doesn't look ideal. Then again they all need firmware and software updates from time to time. Tough little problem. I guess we just need better firewalls?
Sophos UTM is a great little firewall setup.. if you don't mind making rules for absolutely everything that needs to get in/out. It is so locked down by default that basically nothing works. Great for security, but normal home users would never be able to figure it out.
 

Nobified[H]

[H]ard|Gawd
Joined
Mar 21, 2013
Messages
1,096
Here is my question: how is it that people find security holes and exploit them? I have no experience in finding ways to exploit security holes, but I am curious about what app or software is being employed? Is this custom software developed by hackers or by people with deep knowledge of how the OS core was developed?
 

groebuck

2[H]4U
Joined
Mar 9, 2000
Messages
2,500
I have a ClearOS set up on my network connected to my wireless AP so all my wireless goes through a better firewall. My wired network goes through my Ubiquiti edge router.

ShieldsUP is still a great site to check for holes in your network.
 

Armenius

Fully [H]
Joined
Jan 28, 2014
Messages
21,830
Sorry, but I personally see no reason or advantage to having my home appliances connected to the internet.
 
Joined
Sep 4, 2016
Messages
573
maybe it's my paranoia but i never put all my eggs in one basket
ie thermostat, garage opener, home security apps from your phone
i hope these ppl's phones never get hacked because they're basically opening the doors into their houses
 

Jagger100

Supreme [H]ardness
Joined
Oct 31, 2004
Messages
7,589
Gotta shutdown the interwebs. Remember, we want to roll back news reporting to 3 lapdog networks, like the good old days.
 

Jagger100

Supreme [H]ardness
Joined
Oct 31, 2004
Messages
7,589
Home automation is awesome. But who would risk committing a felony just to make my lights turn on and off or changing the temperature in my house? IMO, go at it, but if we catch you, my vote is to throw your ass in jail until you rot as an old man, basically forfeiting the rest of your life.
They are using the devices to DDoS the internet backbone in some cases by simply making them 'phone home' more often than normal.
 

Koween

Limp Gawd
Joined
May 24, 2012
Messages
486
The problem is not that someone gets access to your fridge and makes your chicken go bad by adjusting the temperature. The problem is that a lot of IoT devices, like IP webcams, fridges, bidets etc. have very bad security (pretty much login is "admin" and password is "admin"). That makes it easy to write a piece of software to randomly try various IP addresses and log in. That in turn allows creation of huge botnets that are hard to fix (anyone running antivirus on your fridge?) and then those botnets can be used to take down services etc.
More info here: Extra-Large Denial of Service Attack Uses DVRs, Webcams
 

TheSoldier

Limp Gawd
Joined
Dec 9, 2011
Messages
175
Why would companies spend more from their bottom line in order to secure their $40 "smart" light switch or power adapter? This is exactly why we can't have nice things. I hate government intervention, but at this point I'm thinking that we need to start legislating security into any Internet-connected IoT device. As we approach x Tb/s attacks, no server farm is going to be able to handle the loads and I'll be knocked off a portion of the web until someone is satisfied with their attack.
 

Nobified[H]

[H]ard|Gawd
Joined
Mar 21, 2013
Messages
1,096
The problem is not that someone gets access to your fridge and makes your chicken go bad by adjusting the temperature. The problem is that a lot of IoT devices, like IP webcams, fridges, bidets etc. have very bad security (pretty much login is "admin" and password is "admin"). That makes it easy to write a piece of software to randomly try various IP addresses and log in. That in turn allows creation of huge botnets that are hard to fix (anyone running antivirus on your fridge?) and then those botnets can be used to take down services etc.
More info here: Extra-Large Denial of Service Attack Uses DVRs, Webcams

So that is what they are doing? Using software to scan all ip's for vulnerabilities for known username and passwords on various PC devices? If the software finds one then it alerts the user to this IP address?
 

JayteeBates

[H]ard|Poof
Joined
Jul 21, 2007
Messages
4,708
Why would companies spend more from their bottom line in order to secure their $40 "smart" light switch or power adapter? This is exactly why we can't have nice things. I hate government intervention, but at this point I'm thinking that we need to start legislating security into any Internet-connected IoT device. As we approach x Tb/s attacks, no server farm is going to be able to handle the loads and I'll be knocked off a portion of the web until someone is satisfied with their attack.
Government has a place in a civilized society - regulation of that nature is one place it is appropriate IMO.
 

JayteeBates

[H]ard|Poof
Joined
Jul 21, 2007
Messages
4,708
So that is what they are doing? Using software to scan all ip's for vulnerabilities for known username and passwords on various PC devices? If the software finds one then it alerts the user to this IP address?
It is really easy to set a program to just start spamming IP's and attempting logins. On a successful login it would note the ip/user/pass that worked and you let it go for a couple hours/days. Come back and you have a nice list of unsecured devices you can work on subverting for your pleasure and/or profit.
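
Seen from the device owner's side, the login sweep described in this exchange leaves a recognizable trail in authentication logs. The following is an added example, not part of any poster's message: it assumes OpenSSH-style log lines, and the default-username list, the threshold and the sample log are constructed for illustration.

```python
import re
from collections import defaultdict

# Usernames that commonly ship as factory defaults (illustrative list, an assumption).
DEFAULT_USERS = {"admin", "root", "user", "guest", "support", "ubnt", "pi"}

# OpenSSH-style auth lines; "invalid user" appears when the account does not exist.
LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log using documentation IP ranges, not taken from a real device.
SAMPLE_LOG = """\
Oct 21 11:02:01 cam1 sshd[411]: Failed password for invalid user support from 203.0.113.7 port 40112 ssh2
Oct 21 11:02:03 cam1 sshd[412]: Failed password for root from 203.0.113.7 port 40114 ssh2
Oct 21 11:02:05 cam1 sshd[413]: Failed password for invalid user guest from 203.0.113.7 port 40116 ssh2
Oct 21 11:02:07 cam1 sshd[414]: Accepted password for admin from 203.0.113.7 port 40120 ssh2
Oct 21 11:05:10 cam1 sshd[420]: Failed password for root from 198.51.100.23 port 51000 ssh2
Oct 21 11:05:12 cam1 sshd[421]: Failed password for invalid user ubnt from 198.51.100.23 port 51002 ssh2
Oct 21 11:05:14 cam1 sshd[422]: Failed password for invalid user pi from 198.51.100.23 port 51004 ssh2
Oct 21 12:30:00 cam1 sshd[430]: Failed password for alice from 192.168.1.50 port 60000 ssh2
Oct 21 12:30:09 cam1 sshd[431]: Accepted password for alice from 192.168.1.50 port 60002 ssh2
"""


def find_default_credential_sweeps(log_text, min_default_users=3):
    """Return {ip: report} for sources that tried several factory-default usernames.

    A source that cycles through distinct default account names is sweeping for
    unchanged factory logins; a later 'Accepted' from the same source means one
    of those logins worked and the device should be treated as compromised.
    """
    tried = defaultdict(set)      # ip -> default usernames attempted
    failures = defaultdict(int)   # ip -> count of failed logins
    accepted = defaultdict(list)  # ip -> users logged in after failures began

    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"].lower()
        if user in DEFAULT_USERS:
            tried[ip].add(user)
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip]:
            accepted[ip].append(user)

    return {
        ip: {
            "default_users": sorted(users),
            "failures": failures[ip],
            "logged_in_as": accepted[ip],
        }
        for ip, users in tried.items()
        if len(users) >= min_default_users
    }


if __name__ == "__main__":
    for ip, report in find_default_credential_sweeps(SAMPLE_LOG).items():
        status = "LOGIN SUCCEEDED" if report["logged_in_as"] else "blocked so far"
        print(ip, report["default_users"], status)
```

The mistyped-password login from 192.168.1.50 is not flagged because no default account name was involved; a non-empty `logged_in_as` is the signal to reset the device and change its credentials.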
 

Koween

Limp Gawd
Joined
May 24, 2012
Messages
486
So that is what they are doing? Using software to scan all ip's for vulnerabilities for known username and passwords on various PC devices? If the software finds one then it alerts the user to this IP address?
It's a bit more complicated than that, but the basic gist is that it's very easy to gain access to some of those devices (and yes, there are webcams using the default login from factory on multiple devices. There was an article on hackaday about that).
 

Mohonri

Supreme [H]ardness
Joined
Jul 29, 2005
Messages
5,749
Why would companies spend more from their bottom line in order to secure their $40 "smart" light switch or power adapter? This is exactly why we can't have nice things. I hate government intervention, but at this point I'm thinking that we need to start legislating security into any Internet-connected IoT device. As we approach x Tb/s attacks, no server farm is going to be able to handle the loads and I'll be knocked off a portion of the web until someone is satisfied with their attack.
A lot of their products share a lot of code, so the incremental cost of writing (more) secure code for all of the devices is quite low.

On the flip side, though, a lot of these devices run some form of Linux, and so they can share the same vulnerabilities. And once they're out in the field, fixing vulnerable devices is hard, unless you adopt Microsoft's you-will-update-when-we-say-so-and-you'll-like-it approach.
 

Pyro411

Weaksauce
Joined
Oct 8, 2009
Messages
92
Sophos UTM is a great little firewall setup.. if you don't mind making rules for absolutely everything that needs to get in/out. It is so locked down by default that basically nothing works. Great for security, but normal home users would never be able to figure it out.
Honestly it's gotten a LOT easier to setup out of the box over the years with a lot more features added.

Ahh the days when it was Astaro Security Linux, then Astaro Security Gateway, now it's Sophos Unified Threat Management. -- I haven't tried Sophos XG yet, but it looks like it's a vast departure from the previous generations

If there isn't one on Youtube, at some point I should record a video for basic home setup configuration. :) Don't worry I wouldn't go all old man & talk about the olden days prior to HTTP proxy being integrated into it or gripe when they went from certain open source projects to closed source in house projects.
 

raz-0

Supreme [H]ardness
Joined
Mar 9, 2003
Messages
4,643
Looking at how fast the attacks on my workplace have become large enough for the companies that provide mitigation to be seriously strained, and then just a couple of days later seeing a new record 4+ times as large hit being driven in significant portion by shitty IoT crap, it's clear we are going to see the end of the internet as we know it, and it is going to be due to useless shit like wi-fi connected color changing lightbulbs.

I'm not saying it's the end of the internet, but being on it, providing access to it, etc. is going to radically change as we know it.
 

Monkey God

Mangina Full of Sand
Joined
May 7, 2007
Messages
6,723
Home automation is awesome. But who would risk committing a felony just to make my lights turn on and off or changing the temperature in my house? IMO, go at it, but if we catch you, my vote is to throw your ass in jail until you rot as an old man, basically forfeiting the rest of your life.
Lol, most of the people doing the hacks are in China, Russia or Eastern Europe. They don't give a shit. They probably are in bed with their governments' security services.
 

SGTGimpy

Limp Gawd
Joined
Oct 7, 2009
Messages
233
Honestly it's gotten a LOT easier to setup out of the box over the years with a lot more features added.

Ahh the days when it was Astaro Security Linux, then Astaro Security Gateway, now it's Sophos Unified Threat Management. -- I haven't tried Sophos XG yet, but it looks like it's a vast departure from the previous generations

If there isn't one on Youtube, at some point I should record a video for basic home setup configuration. :) Don't worry I wouldn't go all old man & talk about the olden days prior to HTTP proxy being integrated into it or gripe when they went from certain open source projects to closed source in house projects.
Sophos UTMs are some of the best appliances around and I have used them for almost all my clients' networks since it was Astaro version 5.

The fact that they still give anyone a completely free, fully functional licensed software for home use with all the features fully enabled is just amazing. Though it is not made for the normal Joe and does require some professional tweaking to get it right, when you do, it is solid.

XG is a big departure since it is now cloud based management and requires the use of a cloud.sophos.com account to manage the device. I have tested it and while it has some huge performance improvements on the same UTM hardware, I am not a fan of requiring a cloud connection to manage my in-house hardware.
 

groebuck

2[H]4U
Joined
Mar 9, 2000
Messages
2,500
There is already ransomware on thermostats (shown in demo) where someone puts code on an IoT thermostat - sets the heat to 90 degrees with a message that you need to pay 100 dollars to get your thermostat back.

Now sure you could rip it off the wall and put an old style non connected one on... but this is just one example of the new ransomware
 

Pyro411

Weaksauce
Joined
Oct 8, 2009
Messages
92
Sophos UTMs are some of the best appliances around and I have used them for almost all my clients' networks since it was Astaro version 5.

The fact that they still give anyone a completely free, fully functional licensed software for home use with all the features fully enabled is just amazing. Though it is not made for the normal Joe and does require some professional tweaking to get it right, when you do, it is solid.

XG is a big departure since it is now cloud based management and requires the use of a cloud.sophos.com account to manage the device. I have tested it and while it has some huge performance improvements on the same UTM hardware, I am not a fan of requiring a cloud connection to manage my in-house hardware.
I hear ya on the cloud connection, the whole time I worked with Astaro from early 1.x releases every firewall mfg has been screaming turn networks into a black hole for incoming traffic for step one of safety. -- Yes I'm an old fart who found & started selling Astaro after the I-Gear Proxy was purchased by Symantec & discontinued.

Also for anyone looking to test Sophos UTM out please oh please don't follow
to the letter. Sure it'll get you going but it's missing a ton of steps to get you securely on the net. Protip: For security reasons if you can force a service through a proxy, it takes longer to configure but it gives those extra layers of protection that are sorely needed these days.
 

Armenius

Fully [H]
Joined
Jan 28, 2014
Messages
21,830
Lol, most of the people doing the hacks are in China, Russia or Eastern Europe. They don't give a shit. They probably are in bed with their governments' security services.
IoT ransom scams are being run by rich American kids, mostly. International governments are more interested in getting a hold of other governments' secrets. How can they do that if they take the internet down? These DDoS attacks are being used to hold internet access for ransom, with the acquisition of money being the end goal.

https://krebsonsecurity.com/2016/09/ddos-mitigation-firm-has-history-of-hijacks
https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released
https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack
https://krebsonsecurity.com/2016/10/feds-charge-two-in-lizard-squad-investigation
https://krebsonsecurity.com/2016/10/spreading-the-ddos-disease-and-selling-the-cure
 

Azphira

[H]ard|Gawd
Joined
Aug 18, 2003
Messages
1,823
Like I said in another post, we need a third world war, too many people causing too many problems.


"Kill one person, and you can solve so many problems. I wonder at the possibilities!" -Runa Fair-Shield
 

Nobified[H]

[H]ard|Gawd
Joined
Mar 21, 2013
Messages
1,096
Like I said in another post, we need a third world war, too many people causing too many problems.


"Kill one person, and you can solve so many problems. I wonder at the possibilities!" -Runa Fair-Shield
We are almost there, be careful what you ask for! :joyful:
 

Scizyr

Limp Gawd
Joined
Jun 24, 2015
Messages
235
The problem is not that someone gets access to your fridge and makes your chicken go bad by adjusting the temperature. The problem is that a lot of IoT devices, like IP webcams, fridges, bidets etc. have very bad security (pretty much login is "admin" and password is "admin"). That makes it easy to write a piece of software to randomly try various IP addresses and log in. That in turn allows creation of huge botnets that are hard to fix (anyone running antivirus on your fridge?) and then those botnets can be used to take down services etc.
More info here: Extra-Large Denial of Service Attack Uses DVRs, Webcams
That's one part of the larger issue of having easy attack vectors into a network. Most high profile hacks have been accomplished by taking over an old network printer that was mistakenly configured with an externally facing IP address. Since all it takes to hack IoT devices is a slight breeze it allows entry to the network, which someone can use to pivot onto other devices quite easily, your firewall isn't really going to care about weird traffic going through your internal network. Not many people set up vlans in their home.
 

cyclone3d

[H]F Junkie
Joined
Aug 16, 2004
Messages
13,467
That's one part of the larger issue of having easy attack vectors into a network. Most high profile hacks have been accomplished by taking over an old network printer that was mistakenly configured with an externally facing IP address. Since all it takes to hack IoT devices is a slight breeze it allows entry to the network, which someone can use to pivot onto other devices quite easily, your firewall isn't really going to care about weird traffic going through your internal network. Not many people set up vlans in their home.
Even newer machines are easily vulnerable.

A year or so ago I was searching for the user manual for a Xerox machine we had.

A google search came up with a random IP address. I was curious, so I clicked on the link and it gave me access to somebody's printer.

I looked up the IP and was able to find the company it belonged to, their address, etc.

I edited the email address list with a message saying that they needed to secure their printer because it was wide open for anybody to use.
 

stormy1

[H]ard|Gawd
Joined
Apr 3, 2008
Messages
1,050
It's not just home users: a fairly large multi-state company I occasionally used to do some work for has an old HP laser printer directly connected to the internet at each location and refuses to do anything about it. Every night they print reports to the home printer and the home office prints stuff back during the day. Why won't they use email? It's insecure. lol
 

Devilpup

[H]ard|Gawd
Joined
Sep 4, 2002
Messages
2,047
Home automation is awesome. But who would risk committing a felony just to make my lights turn on and off or changing the temperature in my house? IMO, go at it, but if we catch you, my vote is to throw your ass in jail until you rot as an old man, basically forfeiting the rest of your life.
Maybe someone already said this but the point is not to hack your thermostat for the sake of hacking your thermostat, the point is to hack your thermostat and use that as a relay to do other things. If you have memory available which can be written to then it can be used to host and serve malware. At a minimum if you're connected to the web then it can be used to send queries to another address ala the current Mirai trend. There may not be much value in your net-enabled coffee pot in and of itself, but if it has any chance of being compromised and has any bandwidth available then it has some value in a botnet.
 

Deleted member 93354

Guest
Some day the internet will be useless, like usenet became useless full of worthless spam and viruses. People will scream and bemoan how useless it becomes. And 15 years later internet 2 with secure devices will pop up in that once your device has been identified as being a problem, it gets cut off from the net. All messages will come with a 4096bit Perfect Forward Encryption (elliptic curve based) that will be used to identify them by IP address. The server will ping back to confirm with a handshake the message is valid from the source. Home client devices can only http outside your LAN (Port 80, 8080) and any software must be digitally signed by author using the above handshake methodology.
 

Deleted member 93354

Guest
Here is my question: how is it that people find security holes and exploit them? I have no experience in finding ways to exploit security holes, but I am curious about what app or software is being employed? Is this custom software developed by hackers or by people with deep knowledge of how the OS core was developed?
Biggest target is no doubt Android devices/phones (including NEST) which do not get patched by vendors. Next 99% of IP cameras aren't patched (a majority run on the same embedded Linux platform). 99% of routers aren't patched based on flawed libraries from Intel. Hackers use well known exploits on them like flood, default password "admin" and Intel's PnP vulnerability.

My philosophy: If your device doesn't encrypt traffic, secure ports, receive updates, and doesn't use digital signatures, you're asking for it.

BTW: Make your subnet address something different than 192.168.1.xxx
 

Biznatch

2[H]4U
Joined
Nov 16, 2009
Messages
2,224
Some day the internet will be useless, like usenet became useless full of worthless spam and viruses. People will scream and bemoan how useless it becomes. And 15 years later internet 2 with secure devices will pop up in that once your device has been identified as being a problem, it gets cut off from the net. All messages will come with a 4096bit Perfect Forward Encryption (elliptic curve based) that will be used to identify them by IP address. The server will ping back to confirm with a handshake the message is valid from the source. Home client devices can only http outside your LAN (Port 80, 8080) and any software must be digitally signed by author using the above handshake methodology.

Dunno what you are talking about, but usenet is alive and well.... Maybe not in its original form though, but it's FAAAAR more useful/safer than torrents hope to be. Max my download bandwidth over an SSL tunnel, and never uploading a thing, so no getting burned for 'sharing'.
 