Attacks On The Internet Keep Getting Bigger And Nastier

HardOCP News

Do we really need all these networks of connected devices? A refrigerator that can use the internet? Connected thermostats? And, if you do use these devices, how about throwing a little security on them so that they can't be used in attacks like this?

On Friday, epic cyberattacks crippled a major internet firm, repeatedly disrupting the availability of popular websites across the United States. The hacker group claiming responsibility says that the day's antics were just a dry run and that it has its sights set on a much bigger target. And the attackers now have a secret weapon in the increasing array of internet-enabled household devices they can subvert and use to wreak havoc.
 
Home automation is awesome. But who would risk committing a felony just to make my lights turn on and off or changing the temperature in my house? IMO, go at it, but if we catch you, my vote is to throw your ass in jail until you rot as an old man, basically forfeiting the rest of your life.
 
Home automation is awesome. But who would risk committing a felony just to make my lights turn on and off or changing the temperature in my house? IMO, go at it, but if we catch you, my vote is to throw your ass in jail until you rot as an old man, basically forfeiting the rest of your life.
The problem with that is - you-me-we non offenders pay for that person for life.
 
Maybe we need a simple way to isolate home LANs from the internet. Not just a firewall; something more physical. I have a printer, NAS and security cameras on my LAN. They're behind a firewall, but I'd love to isolate them further. VLAN is the closest thing I could find and that doesn't look ideal. Then again they all need firmware and software updates from time to time. Tough little problem. I guess we just need better firewalls?
 
Home automation is awesome. But who would risk committing a felony just to make my lights turn on and off or changing the temperature in my house? IMO, go at it, but if we catch you, my vote is to throw your ass in jail until you rot as an old man, basically forfeiting the rest of your life.

The problem with that is - you-me-we non offenders pay for that person for life.

Yeah, I don't want my tax dollars to be going towards housing/food/clothing/education/entertainment/medical, etc for these idiots.

Hang them I say.
 
Maybe we need a simple way to isolate home LANs from the internet. Not just a firewall; something more physical. I have a printer, NAS and security cameras on my LAN. They're behind a firewall, but I'd love to isolate them further. VLAN is the closest thing I could find and that doesn't look ideal. Then again they all need firmware and software updates from time to time. Tough little problem. I guess we just need better firewalls?

Sophos UTM is a great little firewall setup.. if you don't mind making rules for absolutely everything that needs to get in/out. It is so locked down by default that basically nothing works. Great for security, but normal home users would never be able to figure it out.
 
Here is my question: how is it that people find security holes and exploit them? I have no experience finding ways to exploit security holes, but I am curious about what app or software is being employed. Is this custom software developed by hackers or people with deep knowledge of how the OS core was developed?
 
I have a ClearOS setup on my network connected to my wireless AP so all my wireless goes through a better firewall. My wired network goes through my Ubiquiti edge router.

ShieldsUP is still a great site to check for holes in your network.
 
Sorry, but I personally see no reason or advantage to having my home appliances connected to the internet.
 
maybe it's my paranoia but i never put all my eggs in one basket
ie thermostat, garage opener, home security apps from your phone
i hope these ppl's phones never get hacked because they're basically opening the doors into their houses
 
Gotta shutdown the interwebs. Remember, we want to roll back news reporting to 3 lapdog networks, like the good old days.
 
Home automation is awesome. But who would risk committing a felony just to make my lights turn on and off or changing the temperature in my house? IMO, go at it, but if we catch you, my vote is to throw your ass in jail until you rot as an old man, basically forfeiting the rest of your life.
They are using the devices to DDoS the internet backbone in some cases by simply making them 'phone home' more often than normal.
 
The problem is not that someone gets access to your fridge and makes your chicken go bad by adjusting the temperature. The problem is that a lot of IoT devices, like IP webcams, fridges, bidets etc. have very bad security (pretty much login is "admin" and password is "admin"). That makes it easy to write a piece of software to randomly try various IP addresses and log in. That in turn allows creation of huge botnets that are hard to fix (anyone running antivirus on your fridge?) and then those botnets can be used to take down services etc.
More info here: Extra-Large Denial of Service Attack Uses DVRs, Webcams
 
Why would companies spend more from their bottom line in order to secure their $40 "smart" light switch or power adapter? This is exactly why we can't have nice things. I hate government intervention, but at this point I'm thinking that we need to start legislating security into any Internet-connected IoT device. As we approach x Tb/s attacks, no server farm is going to be able to handle the loads and I'll be knocked off a portion of the web until someone is satisfied with their attack.
 
The problem is not that someone gets access to your fridge and makes your chicken go bad by adjusting the temperature. The problem is that a lot of IoT devices, like IP webcams, fridges, bidets etc. have very bad security (pretty much login is "admin" and password is "admin"). That makes it easy to write a piece of software to randomly try various IP addresses and log in. That in turn allows creation of huge botnets that are hard to fix (anyone running antivirus on your fridge?) and then those botnets can be used to take down services etc.
More info here: Extra-Large Denial of Service Attack Uses DVRs, Webcams


So that is what they are doing? Using software to scan all IPs for vulnerabilities for known usernames and passwords on various PC devices? If the software finds one then it alerts the user to this IP address?
 
Why would companies spend more from their bottom line in order to secure their $40 "smart" light switch or power adapter? This is exactly why we can't have nice things. I hate government intervention, but at this point I'm thinking that we need to start legislating security into any Internet-connected IoT device. As we approach x Tb/s attacks, no server farm is going to be able to handle the loads and I'll be knocked off a portion of the web until someone is satisfied with their attack.

Government has a place in a civilized society - regulation of that nature is one place it is appropriate IMO.
 
So that is what they are doing? Using software to scan all IPs for vulnerabilities for known usernames and passwords on various PC devices? If the software finds one then it alerts the user to this IP address?

It is really easy to set a program to just start spamming IPs and attempting logins. On a successful login it would note the IP/user/pass that worked and you let it go for a couple hours/days. Come back and you have a nice list of unsecured devices you can work on subverting for your pleasure and/or profit.
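
Seen from the defender's side, the behaviour described in the post above shows up as one source trying several usernames in quick succession. The following is an added example, not part of the thread: it reviews login events from a device or gateway log and separates credential guessing from an ordinary mistyped password. The log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in a made-up "key=value" format (an assumption;
# real devices and gateways log logins in their own formats).
SAMPLE_LOG = """\
2016-10-21T11:02:13Z login src=203.0.113.7 user=admin result=fail
2016-10-21T11:02:14Z login src=203.0.113.7 user=root result=fail
2016-10-21T11:02:15Z login src=203.0.113.7 user=support result=fail
2016-10-21T11:02:16Z login src=203.0.113.7 user=admin result=ok
2016-10-21T11:05:40Z login src=192.168.1.20 user=alice result=fail
2016-10-21T11:05:52Z login src=192.168.1.20 user=alice result=ok
2016-10-21T11:09:01Z login src=198.51.100.9 user=admin result=fail
2016-10-21T11:09:02Z login src=198.51.100.9 user=guest result=fail
2016-10-21T11:09:03Z login src=198.51.100.9 user=user result=fail
"""

LINE_RE = re.compile(r"^(\S+) login src=(\S+) user=(\S+) result=(ok|fail)$")


def review_logins(log_text, min_failures=3, min_users=2):
    """Return {source: verdict} for sources that look like credential guessing.

    A source is flagged "guessing" once it has at least `min_failures`
    failed logins spread over at least `min_users` different usernames.
    If a flagged source later logs in successfully, the verdict becomes
    "guessing-then-success": treat that device as compromised.
    A user who mistypes one password and then succeeds is not flagged.
    """
    failures = defaultdict(int)   # source -> number of failed logins
    users = defaultdict(set)      # source -> usernames it has tried
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not login events
        _timestamp, src, user, result = m.groups()
        if result == "fail":
            failures[src] += 1
            users[src].add(user)
            if failures[src] >= min_failures and len(users[src]) >= min_users:
                verdicts.setdefault(src, "guessing")
        elif verdicts.get(src) == "guessing":
            verdicts[src] = "guessing-then-success"
    return verdicts


if __name__ == "__main__":
    for source, verdict in review_logins(SAMPLE_LOG).items():
        print(source, verdict)
```

A "guessing-then-success" verdict means the device accepted a credential the source was cycling through, so change the password and reflash or reset the device rather than only blocking the address.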
 
So that is what they are doing? Using software to scan all IPs for vulnerabilities for known usernames and passwords on various PC devices? If the software finds one then it alerts the user to this IP address?
It's a bit more complicated than that, but the basic gist is that it's very easy to gain access to some of those devices (and yes, there are webcams using the default login from factory on multiple devices. There was an article on hackaday about that).
 
Why would companies spend more from their bottom line in order to secure their $40 "smart" light switch or power adapter? This is exactly why we can't have nice things. I hate government intervention, but at this point I'm thinking that we need to start legislating security into any Internet-connected IoT device. As we approach x Tb/s attacks, no server farm is going to be able to handle the loads and I'll be knocked off a portion of the web until someone is satisfied with their attack.
A lot of their products share a lot of code, so the incremental cost of writing (more) secure code for all of the devices is quite low.

On the flip side, though, a lot of these devices run some form of Linux, and so they can share the same vulnerabilities. And once they're out in the field, fixing vulnerable devices is hard, unless you adopt Microsoft's you-will-update-when-we-say-so-and-you'll-like-it approach.
 
Sophos UTM is a great little firewall setup.. if you don't mind making rules for absolutely everything that needs to get in/out. It is so locked down by default that basically nothing works. Great for security, but normal home users would never be able to figure it out.
Honestly it's gotten a LOT easier to set up out of the box over the years with a lot more features added.

Ahh the days when it was Astaro Security Linux, then Astaro Security Gateway, now it's Sophos Unified Threat Management. -- I haven't tried Sophos XG yet, but it looks like it's a vast departure from the previous generations

If there isn't one on Youtube, at some point I should record a video for basic home setup configuration. :) Don't worry I wouldn't go all old man & talk about the olden days prior to HTTP proxy being integrated into it or gripe when they went from certain open source projects to closed source in house projects.
 
Looking at how fast the attacks on my workplace have become large enough for the companies that provide mitigation to be seriously strained, and then just a couple of days later seeing a new record 4+ times as large hit being driven in significant portion by shitty IoT crap, it's clear we are going to see the end of the internet as we know it, and it is going to be due to useless shit like wi-fi connected color changing lightbulbs.

I'm not saying it's the end of the internet, but being on it, providing access to it, etc. is going to radically change as we know it.
 
Home automation is awesome. But who would risk committing a felony just to make my lights turn on and off or changing the temperature in my house? IMO, go at it, but if we catch you, my vote is to throw your ass in jail until you rot as an old man, basically forfeiting the rest of your life.

Lol, most of the people doing the hacks are in China, Russia or Eastern Europe. They don't give a shit. They probably are in bed with their governments' security services.
 
Honestly it's gotten a LOT easier to set up out of the box over the years with a lot more features added.

Ahh the days when it was Astaro Security Linux, then Astaro Security Gateway, now it's Sophos Unified Threat Management. -- I haven't tried Sophos XG yet, but it looks like it's a vast departure from the previous generations

If there isn't one on Youtube, at some point I should record a video for basic home setup configuration. :) Don't worry I wouldn't go all old man & talk about the olden days prior to HTTP proxy being integrated into it or gripe when they went from certain open source projects to closed source in house projects.

Sophos UTMs are some of the best appliances around and I have used them for almost all my clients' networks since it was Astaro version 5.

The fact that they still give anyone a completely free, fully functional licensed software for home use with all the features fully enabled is just amazing. Though it is not made for the normal Joe and does require some professional tweaking to get it right, when you do, it is solid.

XG is a big departure since it is now cloud based management and requires the use of a cloud.sophos.com account to manage the device. I have tested it, and while it has some huge performance improvements on the same UTM hardware, I am not a fan of requiring a cloud connection to manage my in-house hardware.
 
There is already ransomware on thermostats (shown in a demo) where someone puts code on an IoT thermostat and sets the heat to 90 degrees with a message that you need to pay 100 dollars to get your thermostat back.

Now sure, you could rip it off the wall and put an old-style non-connected one on, but this is just one example of the new ransomware.
 
Sophos UTMs are some of the best appliances around and I have used them for almost all my clients' networks since it was Astaro version 5.

The fact that they still give anyone a completely free, fully functional licensed software for home use with all the features fully enabled is just amazing. Though it is not made for the normal Joe and does require some professional tweaking to get it right, when you do, it is solid.

XG is a big departure since it is now cloud based management and requires the use of a cloud.sophos.com account to manage the device. I have tested it, and while it has some huge performance improvements on the same UTM hardware, I am not a fan of requiring a cloud connection to manage my in-house hardware.

I hear ya on the cloud connection, the whole time I worked with Astaro from early 1.x releases every firewall mfg has been screaming turn networks into a black hole for incoming traffic for step one of safety. -- Yes I'm an old fart who found & started selling Astaro after the I-Gear Proxy was purchased by Symantec & discontinued.

Also for anyone looking to test Sophos UTM out please oh please don't follow to the letter. Sure it'll get you going but it's missing a ton of steps to get you securely on the net. Protip: For security reasons if you can force a service through a proxy, it takes longer to configure but it gives those extra layers of protection that are sorely needed these days.
 
Lol, most of the people doing the hacks are in China, Russia or Eastern Europe. They don't give a shit. They probably are in bed with their governments' security services.
IoT ransom scams are being run by rich American kids, mostly. International governments are more interested in getting a hold of other governments' secrets. How can they do that if they take the internet down? These DDoS attacks are being used to hold internet access for ransom, with the acquisition of money being the end goal.

https://krebsonsecurity.com/2016/09/ddos-mitigation-firm-has-history-of-hijacks
https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released
https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack
https://krebsonsecurity.com/2016/10/feds-charge-two-in-lizard-squad-investigation
https://krebsonsecurity.com/2016/10/spreading-the-ddos-disease-and-selling-the-cure
 
Like I said in another post, we need a third world war, too many people causing too many problems.


"Kill one person, and you can solve so many problems. I wonder at the possibilities!" -Runa Fair-Shield
 
Like I said in another post, we need a third world war, too many people causing too many problems.


"Kill one person, and you can solve so many problems. I wonder at the possibilities!" -Runa Fair-Shield

We are almost there, be careful what you ask for! :joyful:
 
The problem is not that someone gets access to your fridge and makes your chicken go bad by adjusting the temperature. The problem is that a lot of IoT devices, like IP webcams, fridges, bidets etc. have very bad security (pretty much login is "admin" and password is "admin"). That makes it easy to write a piece of software to randomly try various IP addresses and log in. That in turn allows creation of huge botnets that are hard to fix (anyone running antivirus on your fridge?) and then those botnets can be used to take down services etc.
More info here: Extra-Large Denial of Service Attack Uses DVRs, Webcams
That's one part of the larger issue of having easy attack vectors into a network. Most high profile hacks have been accomplished by taking over an old network printer that was mistakenly configured with an externally facing IP address. Since all it takes to hack IoT devices is a slight breeze, it allows entry to the network, which someone can use to pivot onto other devices quite easily; your firewall isn't really going to care about weird traffic going through your internal network. Not many people set up VLANs in their home.
 
That's one part of the larger issue of having easy attack vectors into a network. Most high profile hacks have been accomplished by taking over an old network printer that was mistakenly configured with an externally facing IP address. Since all it takes to hack IoT devices is a slight breeze, it allows entry to the network, which someone can use to pivot onto other devices quite easily; your firewall isn't really going to care about weird traffic going through your internal network. Not many people set up VLANs in their home.

Even newer machines are easily vulnerable.

A year or so ago I was searching for the user manual for a Xerox machine we had.

A google search came up with a random IP address. I was curious, so I clicked on the link and it gave me access to somebody's printer.

I looked up the IP and was able to find the company it belonged to, their address, etc.

I edited the email address list with a message saying that they needed to secure their printer because it was wide open for anybody to use.
 
It's not just home users; a fairly large multi-state company I occasionally used to do some work for has an old HP laser printer directly connected to the internet at each location and refuses to do anything about it. Every night they print reports to the home printer and the home office prints stuff back during the day. Why won't they use email? It's insecure. lol
 
Home automation is awesome. But who would risk committing a felony just to make my lights turn on and off or changing the temperature in my house? IMO, go at it, but if we catch you, my vote is to throw your ass in jail until you rot as an old man, basically forfeiting the rest of your life.

Maybe someone already said this but the point is not to hack your thermostat for the sake of hacking your thermostat, the point is to hack your thermostat and use that as a relay to do other things. If you have memory available which can be written to then it can be used to host and serve malware. At a minimum if you're connected to the web then it can be used to send queries to another address ala the current Mirai trend. There may not be much value in your net-enabled coffee pot in and of itself, but if it has any chance of being compromised and has any bandwidth available then it has some value in a botnet.
 
Some day the internet will be useless, like usenet became useless full of worthless spam and viruses. People will scream and bemoan how useless it becomes. And 15 years later internet 2 with secure devices will pop up in that once your device has been identified as being a problem, it gets cut off from the net. All messages will come with a 4096bit Perfect Forward Encryption (elliptic curve based) that will be used to identify them by IP address. The server will ping back to confirm with a handshake the message is valid from the source. Home client devices can only http outside your LAN (Port 80, 8080) and any software must be digitally signed by author using the above handshake methodology.
 
Here is my question: how is it that people find security holes and exploit them? I have no experience finding ways to exploit security holes, but I am curious about what app or software is being employed. Is this custom software developed by hackers or people with deep knowledge of how the OS core was developed?

Biggest target is no doubt Android devices/phones (including NEST) which do not get patched by vendors. Next, 99% of IP cameras aren't patched (a majority run on the same embedded Linux platform). 99% of routers aren't patched based on flawed libraries from Intel. Hackers use well known exploits on them like flood, default password "admin" and Intel's PnP vulnerability.

My philosophy: If your device doesn't encrypt traffic, secure ports, receive updates, and doesn't use digital signatures, you're asking for it.

BTW: Make your subnet address something different than 192.168.1.xxx
 
Some day the internet will be useless, like usenet became useless full of worthless spam and viruses. People will scream and bemoan how useless it becomes. And 15 years later internet 2 with secure devices will pop up in that once your device has been identified as being a problem, it gets cut off from the net. All messages will come with a 4096bit Perfect Forward Encryption (elliptic curve based) that will be used to identify them by IP address. The server will ping back to confirm with a handshake the message is valid from the source. Home client devices can only http outside your LAN (Port 80, 8080) and any software must be digitally signed by author using the above handshake methodology.


Dunno what you are talking about, but usenet is alive and well.... Maybe not in its original form though, but it's FAAAAR more useful/safer than torrents hope to be. Max my download bandwidth over an SSL tunnel, and never uploading a thing, so no getting burned for 'sharing'.
 