Home Tags Default passwords

Tag: default passwords

Australia’ Smart meter leaders lag in securing devices

Centre for Internet Safety calls for consumer safeguards Default passwords, unpatched firmware, unencrypted traffic: according to a report from a Canberra University research organisation, Australia's smart electricity meter rollouts are characterised by n00b-level security gaffes.…

Rash of in-the-wild attacks permanently destroys poorly secured IoT devices

Ongoing "BrickerBot" attacks might be trying to kill devices before they can join a botnet.

The Mistakes of Smart Medicine

A technological boom in medicine both encouraged medical institutions to use exclusively information systems in processing data and led to the emergence of new types of technological equipment and personal devices that can be used to interact with traditional systems and networks.

This means that the threats that are relevant for them can also be relevant for medical systems.

Linux nasty kicks weak, hacked gadgets when they’re already down

Linux-Proxy-10 allows crooks to remain anonymous online Several thousand Linux devices have been infected with a new Linux-based trojan, Russian security software firm Doctor Web warns. The Linux-Proxy-10 Trojan infects network devices running Linux, turning them into a platform for cybercrime that allows crooks to remain anonymous online.

Black hats run freeware code called the Satanic Socks Server on infected devices. Miscreants hack into devices that are running with default passwords or are already infected with Linux malware in order to plant the malware. Back in 2004, the Sasser worm removed infections caused by the MyDoom mass mailer worm on compromised systems.

This kind of red-on-red action is messy and chaotic. Last year's Mirai worm showed the carnage that could result from abusing compromised IoT systems.

The appearance of a new trojan that – like Mirai – takes advantage of default user credentials to infect IoT devices is therefore bad enough, without considering the possibility of more strains of malware capable of easily spreading onto already hacked devices. ® Sponsored: Continuous lifecycle London 2017 event.

DevOps, continuous delivery and containerisation. Register now

Passwords: A long goodbye

The campaign to eliminate passwords has been ongoing, and growing, for close to a decade.

There are even some declarations that this might be the year, or at least ought to be the year, that it happens. Don’t hold your breath.

Brett McDowell, executive director of the FIDO (Fast IDentity Online) Alliance, is as passionate an advocate of eliminating passwords as anyone. He says that day is coming, given the creation of a, “new generation of authentication technology” largely based on biometrics, and a “massive collaboration among hundreds of companies” to define standards for that technology. The goal of FIDO, a nonprofit created in 2012, is to supplant passwords with what it calls, “an open, scalable, interoperable set of mechanisms,” for secure authentication. But McDowell said last fall, and said again this past week that passwords will, “have a long tail,” that is unlikely to disappear anytime soon – certainly not this year. There are a number of reasons for that, even though the security problems with passwords are well known and well documented.

As Phil Dunkelberger, CEO of Nok Nok Labs, put it, “the username and password paradigm is fundamentally broken.
It was never designed for, and is inherently incapable of addressing, the use cases of modern society. “ Brett McDowell, executive director, FIDO Alliance And of course it is not just technology that has made it easier for attackers to compromise them. Users frequently make it ridiculously easy as well.

They use short, simple passwords that wouldn’t even take a machine to guess – like “admin,” “password,” “12345,” etc.

They continue to use the same user name and password for multiple sites, since they know they won’t be able to remember a couple dozen of them. The latest Verizon Data Breach Incident Report (DBIR) found that 63 percent of all data breaches involved the use of stolen, weak or default passwords. And even if users do have somewhat rigorous passwords, far too many can still be tricked into giving them away through social engineering attacks. Yet, passwords are such an embedded part of authentication systems – most popular websites still use them – that, as McDowell said, it will take considerable time for them to disappear. Or as Scott Simkin, senior group manager, threat intelligence cloud & security subscriptions at Palo Alto Networks, put it, “We have decades of legacy systems and behavior to change, and it will take years for the industry to catch up.” Joe Fantuzzi, CEO, RiskVision Beyond that, there are at least some in the security community who say we should be careful what we wish for.

They note that cyber criminals have always found a way around every advance in security.
So while biometric credentials – fingerprints, iris scans, voice recognition etc. – are much tougher to compromise than passwords, they may not be a magic bullet.

And if attackers can find ways to steal or spoof them, those will obviously be much more difficult to change or update than a password. Indeed, there have already been multiple reports of biometric spoofing.

FireEye reported more than a year ago that fingerprint data could be stolen from Android devices made by Samsung, Huawei, and HTC because, “the fingerprint sensor on some devices is only guarded by the ‘system’ privilege instead of root, making it easier to target and quietly collect the fingerprint data of anyone who uses the sensor.” The Japan Times reported earlier this month that a team at Japan’s National Institute of Informatics (NII) found that a good digital image of people simply flashing the peace sign could result in their fingerprint data being stolen. Researchers have reported that a high-resolution image of a person’s eyes can allow an attacker to make a ”contact lens” of the iris that would pass as the real thing for authentication. And there have already been demonstrations that a manipulated recording of a person’s voice can trick authentication systems. Advocates of biometric authenticators don’t deny any of this, but say one key to their successful use is for the data from them to stay on user devices only, as is the case with Apple’s Touch ID.

As McDowell notes, one of the many problems with passwords is that they are “shared secrets” – they exist not only on users’ devices, but also have to be given to a website’s server, which then matches them with what is stored in its database. When such a server gets compromised, millions of passwords get stolen at the same time, through no fault of the user. Zohar Alon, Co-Founder and CEO of Dome9 According to McDowell, the risk of biometric spoofing is “infinitesimal” compared to that of passwords. Since the biometric credential data never leaves the device, “the attacker must steal the phone or computer even to attempt an attack,” he said. “This doesn’t scale, and is therefore not viable for financially-motivated attackers.” James Stickland, CEO of Veridium, agreed. “You can purchase a kit from China for $10 to copy and extract a fingerprint.

This has been shown to work on fingerprint sensors from Touch ID to the device used for the Indian government, and is a problem for almost all but the most expensive sensors,” he said. “But this is a problem only when an attacker has access to the user’s device, so the time window for attack is pretty low.” Of course, not all biometrics remain only on the user device.
Some, such as the fingerprints of millions of people who work, or have worked, for government or that are taken by law enforcement, will be stored on servers. Joe Fantuzzi, CEO of RiskVision, said this might lead to the same risks that plague the healthcare industry, because of its storage of patient data. “Incorporating customer biometric information will essentially make all companies lucrative targets for attacks and ransomware,” he said. But those advocating the “death” of passwords say the other key to secure authentication is what security professionals have been preaching for years: multi-factor authentication. In other words, they are not trying to mandate that biometrics be the sole replacement for passwords.

Dunkelberger, who said the FIDO Alliance is using the authentication technology his firm created, said the core idea, “isn’t to replace passwords with biometrics, but rather to replace passwords with a strong, secure signal of any kind.” McDowell agreed. He said many FIDO implementations do use biometrics for authentication, but that the specifications are “technology agnostic.” It is implementers, he said, who decide what mechanisms it will support.
It could be, “a local PIN code for user verification vs. biometrics if you prefer.” He said FIDO specifications, “allow the use of authenticators built into a device, such as biometrics or a PIN, and/or external, second-factor authenticators, such as a token or a wearable.” The message from Stickland is similar. “The only current defense is multifactor authentication, using two or more biometrics – for example, fingerprint and face, or voice.

At the very least fingerprint plus a long, randomized PIN would be good.” He said his firm created an authentication tool that, “uses a combination of hardware, secure certificates, biometrics, and other information to validate not only the biometric, but every communication between a remote device and a server, basically verifying that not only is the user valid, but the hardware the user is using is also valid.” Simkin also said multifactor authentication, “of which there are many options available today,” should be used, “for all critical resources and applications.

The more time and resources you require attackers to expend, the lower the chances of a successful breach.” Stephen Stuut, CEO of Jumio, said organizations will still have to balance security with convenience, since “friction” in the process of signing on to a site may cause users simply to give up on it. “Companies should focus less on one single technology but rather on the correct combination that meets their business requirements and customer needs,” he said. “Adding too many steps to the process may increase session abandonment, especially on mobile, where attention spans are short.” All of which sounds like, passwords could for some time remain as a part of multi-factor authentication: Something you know, something you have and something you are. Zohar Alon, Co-Founder and CEO of Dome9, said he doesn’t think they will ever disappear. “They remain one of the simplest means of proving identity and gaining access,” he said. “We can design better security with multiple factors of authentication and authorization that are not correlated with each other, that cannot be compromised all at once.” But Stickland said he believes they will eventually become obsolete. “Passwords are painful. We forget them, they are stolen, it’s time consuming to reset them.

At some point, new technology will win.” This story, "Passwords: A long goodbye" was originally published by CSO.

Efforts to Improve IoT Security Advance in 2017

The U.S. Federal Trade Commission announces IoT Home Inspector Challenge, while the Online Trust Alliance aims to improve security with a new version of the IoT Trust Framework. The emerging internet of things (IoT) world is rapidly taking shape and with it have come a host of security related concerns and challenges. Multiple organizations and vendors are working hard to help improve the state of IoT security with new initiatives that are being announced this week.FTCAmong the biggest security issues that face consumers of IoT are unpatched devices that are at risk from security vulnerabilities. On Jan. 4, The U.S Federal Trade Commission (FTC) announced a new IoT challenge to help improve security in connected home devices. The goal of the IoT Home Inspector Challenge is to develop some form of technology tool that can help protect consumers against the risks posed by out-of-date software that runs on IoT devices. Those risks also include the challenge of dealing with hard-coded and factory default passwords that are embedded in devices.The top prize in the contest is $25,000 with up to three honorable mention winners that will be awarded $3,000. Submissions to the contest will be accepted by the FTC starting on March 1, and the deadline for final submissions is May 22 at 12:00 p.m. EDT. The FTC expects to announce the winners of the contest on or about July 27, 2017. "Every day American consumers are offered innovative new products and services to make their homes smarter," Jessica Rich, Director of the Federal Trade Commission's Bureau of Consumer Protection said in a statement. "Consumers want these devices to be secure, so we're asking for creativity from the public – the tinkerers, thinkers and entrepreneurs – to help them keep device software up-to-date." Online Trust AllianceThe Online Trust Alliance (OTA) updated its IoT Trust Framework on Jan. 5, providing guidance on how to develop secure IoT devices and assess risk."The IoT Trust Framework is a good example of the security culture that is needed in the connected devices space," Olaf Kolkman, Chief Internet Technology Officer for the Internet Society, said in a statement. "If companies are in the business of selling smart devices, they need to implement the requirements outlined in this framework before calling them smart."The framework is comprised of four key areas to help provide structure to understanding how to properly implement IoT security.The first category is security principles, which outline best practices for secure code development and deployment. The second category details requirements for user access and credentials security. The third area in the IoT Trust Framework is about privacy, disclosures and transparency. Among the required disclosures suggested by the OTA is for vendors to include disclosures around the impact to product features or functionality if connectivity is disabled.The fourth core category in the IoT Trust Framework defines notifications and related best practices for IoT security."These principles include requiring email authentication for security notifications," the OTA Trust Framework states. "In addition messages must be written for maximum user comprehension and tamper-proof packaging and accessibility considerations are recommended."The OTA's attempt at helping to define IoT security is one of many efforts in the market to develop guidelines for secure IoT devices. In October 2016, the Cloud Security Alliance released a detailed 75-page report for the development of secure IoT products.Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

FTC sets $25,000 prize for automatic IoT patching

The U.S.

Federal Trade Commission is scheduled to announce Wednesday a “prize competition” for a tool that can used against security vulnerabilities in internet of things systems. The prize pot is up to $25,000, with $3,000 available for each honorable mention.

The winners will be announced in July.

The announcement is scheduled to be published Wednesday in the Federal Register. The tool, at the minimum, will “help protect consumers from security vulnerabilities caused by out-of-date software,” said the FTC. The government’s call for help cites the use of internet-enabled cameras as a platform for a Distributed Denial of Service (DDoS) attack last October. Weak default passwords were blamed. The FTC wants automatic software updates for IoT devices and up-to-date physical devices also.
Some devices will automatically update, but many require consumers to adjust one or more settings before they will do so, said the FTC in its announcement.

The winning entry could be a physical device, an app or a cloud-based service. This isn’t the first time the FTC has offered cash for software tools.
In 2015, it awarded $10,500 to developers of an app that could block robocalls. The winners of that contest were Ethan Garr and Bryan Moyles, the co-inventors of the RoboKiller app, both of whom work for TelTech Systems, a communications technology start-up.

Their winning app was initially developed as a side project. “It gave us something to work toward,” said Garr, of the FTC contest, in an interview. “It gave us a deadline, which in technology is really valuable because software projects can go on forever without one.” Their contest submission included an iPhone with the installed app.

They also had to pay their own expenses to attend a DefCon conference in Las Vegas for the FTC’s final judging. “I don’t think they get enough credit for how passionate they are in solving the problem,” said Garr, the vice president of product TelTech, of the people involved in the FTC’s effort. The initial version of RoboKiller forwarded all calls to the app’s servers for analysis.
It used an “audio-fingerprinting algorithm” to quickly determine whether it was a robocall or not. A new version incorporates Apple’s new CallKit technology to identify robocalls. Users can also set up conditional call forwarding to TelTech’s servers for those calls that are declined, for instance.

The service will check multiple databases for information about the call, and the developers plan to soon roll out an additional feature that will show a photo of the caller from social media.
It charges $1/month for the service. The FTC’s IoT patching plan may have limits. One issue with IoT security is embedded devices that may continue to operate long after their last patch, and may even survive the companies that created the systems. This story, "FTC sets $25,000 prize for automatic IoT patching" was originally published by Computerworld.

Data breaches through wearables put target squarely on IoT in 2017

Forrester predicts that more than 500,000 internet of things (IoT) devices will suffer a compromise in 2017, dwarfing Heartbleed.

Drop the mic—enough said. With the sheer velocity of how the distributed denial-of-service (DDoS) attacks spread through common household items such as DVR players, makes this sector scary from a security standpoint. “Today, firms are developing IoT firmware with open source components in a rush to market. Unfortunately, many are delivering these IoT solutions without good plans for updates, leaving them open to not only vulnerabilities but vulnerabilities security teams cannot remediate quickly,” write Forrester analysts. The analyst firm adds that when smart thermostats alone exceed over 1 million devices, it’s not hard to imagine a vulnerability that easily exceeds the scale of Heartbleed.
Security as an afterthought for IoT devices is not an option, especially when you can’t patch IoT firmware because the vendor didn’t plan for over-the-air patching. Alex Vaystikh, co-founder/CTO of advanced threat detection software provider SecBI, says small-to-midsize businesses and enterprises alike will suffer breaches originating from an insecure IoT device connected to the network.

The access point will be a security camera, climate control, an old network printer, or even a remote-controlled lightbulb.

This was demonstrated in September in a major DDoS attack on the website of security expert Brian Krebs.

A hacker found a vulnerability in a brand of IoT camera and caused millions of them to simultaneously make HTTP requests from Krebs’ site.  “It successfully crashed the site, but DDoS attacks are not a great way to make money. However, imagine an IoT camera within a corporate network being hacked.
If that network also contains the company’s database center, there’s no way to stop the hacker from making a lateral move from the compromised camera to the database,” Vaystikh said. “This should scare organizations into questioning the popular BYOD mentality. We are already seeing a lot of CCTVs being hacked within organizations.”  Florin Lazurca, senior technical manager at Citrix, believes that consumers will be a target of opportunity in 2017.
Innovative criminal enterprises will devise ways to monetize on potentially billions of internet-facing devices that many times do not meet stringent security controls. “Want to browse the internet? Pay the ransom. Want to use your baby monitor? Pay the ransom. Want to watch your smart TV? Pay the ransom,” Lazurca says. Florin Lazurca, senior technical manager at Citrix Mike Kelly, CTO of Blue Medora, agrees, stating that, “the inability to quickly update something, such as your home thermostat, is where we will see the risk.
It’s not about malware getting on the devices, the focus will need to be on the ability to remediate the issue. Like we saw with Windows, there will be a slew of vulnerabilities, but unlike with a computer, patching won’t be as easy with IoT devices,” he says. More connected devices will create more data, which has to be securely shared, stored, managed and analyzed.

As a result, databases will become more complex and the management burden will increase.

Those organizations that can most effectively monitor their database layer to optimize peak performance and resolve bottlenecks will be in a better position to exploit the opportunities the IoT will bring, he says. Lucas Moody, CISO at Palo Alto Networks, says security has to be baked into the IoT devices – not be an afterthought.

The bloom of IoT devices has security practitioners in the hot seat, with industry analysts suggesting a possible surge up to 20 billion devices by 2020. “Given the recent upward trend in both frequency and intensity of DDoS attacks of late, 2017 will introduce an entirely new challenge that security teams will need to contend with; how do we secure devices, many of which are by design dumb and, for that matter, cheap?,” he says.  Large corporations are still challenged with finding security talent to manage security in the “traditional” sense, leaving IoT startups to fend for themselves in a digital economy.  Moody asks, can they keep up? For the interconnected future of cars, televisions and refrigerators, maybe, but maintaining the security of smaller – and seemingly less critical items – such as toasters, thermostats, and pet feeders, it seems unlikely. “Security has to be baked into these technologies from the conception and design stages all throughout development and roll-out.
Security practitioners will need to do more than just scramble to develop strategies to address this pivotal trend,” he says. Corey Nachreiner, CTO at WatchGuard Technologies, predicts that IoT devices will become the de facto target for botnet zombies. With the shear volume of internet-connected devices growing every year, IoT represents a huge attack surface for hackers. More disturbingly, many IoT manufacturers do not create devices with security in mind, and therefore release devices full of potential vulnerabilities. Many of their products have vulnerabilities that were common a decade ago, providing easy pickings for cyber criminals. Many IoT devices coming on the market have proprietary operating systems, and offer very little compute and storage resources. Hackers would have to learn new skills to reverse engineer these devices, and they don’t provide much in terms of resources or data for the attacker to steal or monetize. On the other hand, another class of IoT products are devices running embedded Linux.

These devices look very familiar to hackers.

They already have tools and malware designed to target them, so “pwning” them is as familiar as hacking any Linux computer. “On top of that, the manufacturers releasing these devices seem to follow circa 2000 software development and security practices. Many IoT devices expose network services with default passwords that are simple for attackers to abuse,” Nachreiner says. He cited the leaking of the source code for the Mirai IoT botnet.

This botnet included a scanner that automatically searched the internet to find unsecured, Linux-based IoT devices, and take them over using default credentials. With this leaked code, criminals were able to build huge botnets consisting of hundreds of thousands of IoT devices.

They used these IoT botnets to launch gigantic DDoS attacks that generated up to 1Tbps of traffic; the largest ever recorded. In 2017, criminals will expand beyond DDoS attacks and leverage these botnets for click-jacking and spam campaigns to monetize IoT attacks in the same way they monetized traditional computer botnets.

Expect to see IoT botnets explode next year, he says. Mike Davis, CTO at CounterTack, believes IoT will continue to be a part of the threat conversation in the coming year, but fundamentally there will be a massive change in the risks associated with the devices—it won’t be about security, it will be about patching.  Hold your IoT security hypberbole Stan Black, CSO at Citrix, says we need to dispel security myths around emerging technology like IoT, machine learning and artificial intelligence. “Many people are afraid to adopt these emerging technologies for fear that they may be their security downfall, but as with any technology, the same security 1-2-3s apply.

Change the admin username and password, allow and enable devices on separate networks (separate from the networks used to pass sensitive data), create management and access policies, and above all, make sure that employees are educated about how, when and where to use these kinds of technologies,” he says.  Adoption of emerging tech like IoT can actually have more security benefits than challenges, if implemented correctly, Black says.

The same goes for machine learning.

The security wave of the future includes these technologies, so it’s best for businesses to learn about them early, learn about the benefits and reap the rewards of clouds, devices and networks that can learn from, and adapt to, changing behaviors to make for a stronger security posture. The wave of the future will be computers that can grant or deny access based on fingerprinted keyboards that can sense the normal amount of pressure your fingers normally apply.

Taking advantages of benefits like these will help companies move to a new security infrastructure and mindset, he predicts.  “The mobile devices we depend on every day are loaded with sensors, heat, touch, water, impact, light, motion, location, acceleration, proximity, etc.

These technologies have numerous applications including sensing motion and location to ensure people are safe when they travel,” Black adds. These devices are rarely protected or maintained with the same vigor as corporate IT systems, making them generally more vulnerable to being compromised and drafted into a zombie army.

This situation is nothing new, but in the next year we can expect to see “personal networks of things” reside in homes with gigabit internet connections—like those offered by Google and AT&T—and so make home networks far more interesting, especially if vulnerabilities in popular home devices can be exploited mechanically (e.g., how the Mirai botnet was built). Consumers will need to protect their personal networks from this new version of Mirai botnets, creating demand for services that safeguard them. More importantly, vendors will need to adopt better standards for protection of devices.
If the Mirai botnet is any indication, the lack of security in device design is still quite profound, Black says. Speaking of standards Steven Sarnecki, vice president of federal and public sector at OSIsoft, pointed to the National Institutes of Standards and Technology’s (NIST) National Cyber Center of Excellence for a glimpse of what is to come. NIST is currently piloting a project to assess how energy companies can better utilize connected devices to integrate and increase security with hopes of sharing those best practices and insights across the energy sector.   “As more companies wake up to the reality of IoT security threats, these solutions will become more commonplace, enabling enterprises to markedly increase their security footprint with only minimal incremental cost,” he says. Sarnecki adds that in 2017 he would expect a large portion of IoT users, especially within the enterprise and industrial spaces, to begin to seriously consider the “internet of threats” aspect posed by IoT to their networks.

Energy companies, water utilities, and many other critical infrastructure sectors rely on connected devices to support their missions. Jeannie Warner, security manager at WhiteHat Security, agrees that new guidelines will emerge from organizations such as NIST requiring that application security vendors partner with device manufacturers and testing labs to deliver secure IoT systems.  “The internet of things is growing daily, with smart devices and controlling applications at the core of every business from healthcare to smart cars and smart buildings.
It’s essential to protect smart anything from attackers attempting to exploit their vulnerabilities,” she says. In the same way manufacturing safety testing via the American National Standards Institute controls new releases in devices, she believes NIST SP 800 or a similar body will form guidelines for a comprehensive security assurance through the integration of dynamic application scanning technology and rigorous device controls testing. Commonalities in all IoT systems include controls for tracking and sensing interfaces, combined with web- or mobile-enabled control applications that combine to expand the borders of the security ecosystem, she says. New guidelines will (ideally) force more application security vendors to partner with device control testing labs to support manufacturing earlier in the development process, helping the innovative organizations to manage risk by identifying vulnerabilities early in development, continue to monitor challenges during testing, and help release more secure products. Big data The enterprise has paid attention to IoT for some time, though 2017 will be the year we move past the “wow” phase and into the “how do we do we securely and effectively bring IoT to the enterprise, how do we handle the high speed data ingest, and how do we optimize analytics and decisions based on IOT data,” says Redis Labs Vice President of Product Marketing Leena Joshi. Mark Bregman, Chief Technology Officer at NetApp, believes 2017 will be about capitalizing on the value of data.

The explosion of data in today’s digital economy has introduced new data types, privacy and security concerns, the need for scale and a shift from using data to run the business to recognizing that data is the business. Off-line data analytics and threat hunting become endless money pits, says Gunter Ollmann of Vectra Networks. “We’re told, and we observe, that each year our corporate data doubles.

That power-of-two exponential growth, after merely four years of storing, mining, and analyzing logs for threats, means a 16-fold increase in overall costs—with an accompanying scaled delay in uncovering past threats.” Cybersecurity will be the most prominent big data use case, says Quentin Gallivan, CEO of Pentaho, a Hitachi Group Company.

As with election polls, detecting cybersecurity breaches depends on understanding complexities of human behavior.

Accurate predictions depend upon blending structured data with sentiment analysis, location and other data. This then opens another door for hackers. WatchGuard’s Nachreiner says attackers will start leveraging machine learning and AI to improve malware and attacks. “In the past few years, cyber security companies have started leveraging these technologies to help defend our organizations. One of the big problems in infosec today is we are too reactive, and not predictive enough when it comes to new threats.
Sure, once we recognize a piece of malware or a new attack pattern, we can design systems to identify and block that one threat, but hackers have become infinitely evasive.

They have found techniques that allow them to continually change their attacks and malware so regularly that humans and even basic automated systems can’t keep up with the latest attack patterns. Wouldn’t it be great if we had technology that predicted the next threats instead?,” he says. Machine learning can help us do just that.

By feeding a machine learning system a gigantic dataset of good and bad files, or good and bad network traffic, it can start to recognize attributes of “badness” and “goodness” that humans never would have noticed on their own. “Next year, I expect the more advanced cyber criminals to start somehow leveraging machine learning to improve their attacks and malware,” he says, adding that today, both good and bad guys have easy access to open source machine learning libraries like Google’s TensorFlow. The security community as a whole will utilize big data more effectively in order to identify trends and threats, predicts Matt Rodgers, head of security strategy at E8 Security. “Organizations have the information they need, but they cannot find it.
In 2017, companies will start looking at their data sets through advanced analytics to identify trends and risks.

Big companies are already starting to augment their existing SIEM technology with behavior analytics capabilities to this end,” he says. This story, "Data breaches through wearables put target squarely on IoT in 2017" was originally published by CSO.

Is Mirai Really as Black as It’s Being Painted?

The Mirai botnet, which is made up of IoT devices and which was involved in DDoS attacks whose scale broke all possible records, causing denial of service across an entire region, has been extensively covered by the mass media. Given that the botnet’s source code has been made publicly available and that the Internet of Things trend is on the rise, no decline in IoT botnet activity should be expected in the near future. To put this in perspective, recall the year 2012, when the source code of the Zeus banker Trojan was made publicly available. A huge number of modifications of the Trojan appeared as a result of this, many of which are still active and rank among the most widespread financial malware. Similarly, the recent leak is likely to result in the emergence of Mirai modifications, created by cybercriminals and based on the source code that was made public. The botnet remains active. We carried out an analysis of its activity to find out how Mirai operates, what objectives its owners are pursuing and, most importantly, what needs to be done to avoid becoming part of the botnet in the future. How Mirai Works Based on the botnet’s source code that was published on a user forum, Mirai consists of the following components: a command-and-control center (C&C) that contains a MySQL database of all infected IoT devices (bots) and sends commands to intermediate command distribution servers; a Scan Receiver component that collects the results of each bot’s operation and forwards them to the component that downloads the bot onto vulnerable devices (the Distributor); a downloader component, which delivers the bot’s binary file to a vulnerable device (using the wget and tftp utilities – but if they are not present in the system, it uses its own proprietary downloader); a bot, which, after being launched on an infected device, connects to the command-and-control center, scans an IP range (SYN scanning) for vulnerable IoT devices and sends the scan results to the Scan Receiver component in order for further malicious code to be subsequently downloaded to the device. An important feature of the way the Mirai botnet scans devices is that the bot uses a login and password dictionary when trying to connect to a device. The author of the original Mirai included a relatively small list of logins and passwords for connecting to different devices. However, we have seen a significant expansion of the login and password list since then, achieved by including default logins and passwords for a variety of IoT devices, which means that multiple modifications of the bot now exist. List of logins and passwords used by the original Mirai in its search for vulnerable IoT devices However, this is by no means all the Mirai botnet can tell us about itself. Analysis of the Botnet’s Activity All you need to do to evaluate the Mirai botnet’s current activity is to deploy a server with an open telnet port somewhere on the Internet and analyze connection attempts made by different bots. For example, we detected the first attempts to connect to our telnet port, by several different hosts, within three minutes of putting our experimental server online. Two facts indicate that these connections are made by bots of the original Mirai or its modifications (i.e., by infected devices): the accounts used by the bots in their attempts to establish a connection are found on the original botnet’s brute force word list; an analysis of connection sources has shown that infected hosts that perform scanning are in most cases IoT devices (cameras and routers of different manufacturers). Connection attempts by infected Mirai workstations in search of IoT devices using default passwords Here is a list of login and password pairs most often used by Mirai bots in connection attempts: “Login:password” combinations 1 admin : admin 2 root : xc3511 3 root : vizxv 4 root : juantech 5 root : default 6 admin : admin1234 7 root : password 8 root : root 9 root : xmhdipc 10 admin : smcadmin If you ignore trivial combinations like “root:root” or “admin:admin”, you can get a good idea of which equipment the botnet is looking for. For example, the pairs “root:xc3511” and “root:vizxv” are default accounts for IP cameras made by rather large Chinese manufacturers. Admin panel for managing an IP camera that is part of the botnet As for the activity of the botnet itself, you can analyze the number of login attempts over 24 hours and see for yourself. On December 13, 2016 we recorded 5,553 attempts by Mirai bots to connect to our server, while 10 days before that, on December 3, 2016, we recorded 8,689 connection attempts. Does this mean that the botnet is losing power? Reduced activity related to searching for new potential bots might certainly be an indication that the rate at which Mirai is infecting new devices is falling, but it is too early to draw any conclusions. How to Avoid Becoming Part of the Mirai Botnet We recommend the following measures to prevent your devices from being included in the Mirai botnet: Change the default account parameters on each of your devices. Account passwords should be at least 8 characters long and include digits, upper-case letters and special characters. On each device, install the latest updates provided by the manufacturer. It is a good idea to block all potential entry points to the operating system on your devices (telnet/SSH/web panel, etc.) from being accessed over the Internet. More details about the Mirai botnet are available to Kaspersky Intelligence Services reports’ subscribers. For more information, email intelreports@kaspersky.com

Evolved DNSChanger malware slings evil ads at PCs, hijacks routers

Software nasty is packed with exploits for vulnerabilities in home broadband boxes Malware that spreads via evil web ads and menaces broadband routers has been discovered – and it's going to be particularly horrible for small business and home internet users, which it targets. This latest variant of the years-old DNSChanger nasty, just spotted by Californian infosec biz Proofpoint, works like this: some JavaScript code is hidden in advertisements placed on mainstream websites via ad networks. The code – which prefers Chrome on Windows and Android – checks for the local IP address of the browser visiting the site using a WebRTC request to a Mozilla STUN server. If the target isn't in the desired IP range for the attacker, a legitimate advert is fetched and displayed, and nothing further happens. If the IP address is within range, the JS code downloads a bogus ad in the form of a PNG image, and extracts HTML from the comment field of the picture. The HTML is rendered in the page and it redirects the browser to another website that hosts the DNSChanger Exploit Kit. Evil JavaScript on that webpage then fetches an AES key, concealed in an image using steganography, that is used to decrypt a separate payload that contains more code, a bunch of default username and passwords used in broadband routers, and 166 fingerprints used to identify the victim's router. Next, the exploit kit, running within the browser using the decrypted data, tries to figure out the router being used from the list of possible fingerprints. If there's a match, it fetches the necessary code to run to exploit vulnerabilities in that particular gateway to hijack it. If there is no match, it tries out all the default login credentials, and if those don't work, it tries to run a load of exploits against common vulnerabilities in devices. The ultimate aim is to connect to the router on the local network from the victim's browser and abuse security shortcomings – such as known default passwords or programming blunders – to commandeer the gateway and change its DNS settings to rogue name servers. Then when computers join the local network, they may, depending on their configuration, pick up the bad DNS settings from the router and run domain-name lookups through hacker-controlled name servers. Whoever controls those servers can make people's browsers connect to malevolent systems masquerading as legit websites that steal login information; inject more malware onto the victim's PCs by redirecting downloads; serve them dodgy ads rather than real ones the browser was supposed to display; and so on. Proofpoint's diagram showing the infection path ... Click for full diagram Some of the infection exploits also start up vulnerable services on the routers that nasties like the Mirai botnet can attack to also joyride the gateway. Devices known to be vulnerable to DNSChanger EK include: D-Link DSL-2740R COMTREND ADSL Router CT-5367 C01_R12 NetGear WNDR3400v3 (and likely other models in this series) Pirelli ADSL2/2+ Wireless Router P.DGA4001N Netgear R6200 "When attackers control the DNS server on a network, they open up the possibility of carrying out a wide range of malicious actions on devices connecting to the network," Proofpoint said last week. "These can include banking fraud, man-in-the-middle attacks, phishing, ad fraud, and more. In this case, the DNSChanger exploit kit allows attackers to leverage what is often the only DNS server on a SOHO network – the internet router itself. In general, avoiding these attacks requires router manufacturers to regularly patch their firmware and users to regularly apply these patches." At present, it looks as though the DNSChanger masterminds are purely looking to reroute connections to legitimate advertising brokers to other networks, via the hijacked DNS settings, thus forcing browsers to display adverts the crooks can make money off. Fogzy and TrafficBroker appear to be getting the most of this redirected traffic at the moment, and both companies have been advised that there's something dodgy going on. We were told on Monday that Fogzy has now blocked the redirection. "Unfortunately, there is no simple way to protect against these attacks. Applying the latest router updates remains the best way to avoid exploits," Proofpoint said. Changing the username and password for the admin interface is also a good idea, as is logging out of the router when you're not fiddling with its settings. Some gateways can still be vulnerable even if you've taken these precautions. "Changing the default local IP range, in this specific case, may also provide some protection. Neither of these solutions, though, is a typical action performed by average users of SOHO routers," the biz continued. ® Sponsored: Customer Identity and Access Management

Home routers under attack in ongoing malvertisement blitz

Gionnicoreader comments 13 Share this story As you read these words, malicious ads on legitimate websites are targeting visitors with malware.

But that malware doesn't infect their computers, researchers said.
Instead, it causes unsecured routers to connect to fraudulent domains. Using a technique known as steganography, the ads hide malicious code in image data.

The hidden code then redirects targets to webpages hosting DNSChanger, an exploit kit that infects routers running unpatched firmware or are secured with weak administrative passwords. Once a router is compromised, DNSChanger configures it to use an attacker-controlled domain name system server.

This causes most computers on the network to visit fraudulent servers, rather than the servers corresponding to their official domain. Patrick Wheeler, director of threat intelligence for security firm Proofpoint, told Ars: These findings are significant because they demonstrate clearly that ubiquitous and often-overlooked devices are being actively attacked, and once compromised, these devices can affect the security of every device on the network, opening them up to further attacks, pop-ups, malvertising, etc.

Thus, the potential footprint of this kind of attack is high and the potential impact is significant. Lots of moving parts The ads first check if a visitor's IP address is within a targeted range, a behavior that is typical of many malvertising campaigns, which aim to remain undetected for as long as possible.
If the address isn't one the attackers want to target, they serve a decoy ad with no exploit code in it.
In the event the IP address is one the attackers want to infect, they serve a fake ad that hides exploit code in the metadata of a PNG image.

The code, in turn, causes the visitor to connect to a page hosting DNSChanger, which once again checks the visitor's IP address to ensure it's within the targeted range. Once the check passes, the malicious site serves a second image concealed with the router exploit code. Enlarge / DNSChanger attack chain. Proofpoint "This attack is determined by the particular router model that is detected during the reconnaissance phase," a Proofpoint researcher who uses the moniker Kafeine wrote in a blog post. "If there is no known exploit, the attack will attempt to use default credentials." In the event there are no known exploits and no default passwords, the attack aborts. Enlarge / A fake DNSChanger ad. Proofpoint DNSChanger uses a set of real-time communications protocols known as webRTC to send so-called STUN server requests used in VoIP communications.

The exploit is ultimately able to funnel code through the Chrome browser for Windows and Android to reach the network router.

The attack then compares the accessed router against 166 fingerprints of known vulnerable router firmware images. Proofpoint said it wasn't possible to name all the vulnerable routers, but a partial list includes: D-Link DSL-2740R COMTREND ADSL Router CT-5367 C01_R12 NetGear WNDR3400v3 (and likely other models in this series) Pirelli ADSL2/2+ Wireless Router P.DGA4001N Netgear R6200 The malicious ads are delivered in waves lasting several days at a time through legitimate ad networks and displayed on legitimate websites. Proofpoint's Wheeler said there isn't enough data to know how many people have been exposed to the ads or how long the campaign has been running, but he said the attackers behind it have previously been responsible for malvertisements that hit more than 1 million people a day.

The campaign was still active at the time this post was being prepared. Proofpoint didn't identify any of the ad networks or websites delivering or displaying the malicious ads. As Ars reported last week, a similar malvertising campaign—images with hidden code that double-check IP addresses—also reached more than 1 million people a day. Proofpoint said the two campaigns aren't related. DNS servers translate domain names such as arstechnica.com into IP addresses such as, which computers need to find and access the site.

By changing router settings to use an attacker-controlled server, DNSChanger can cause most, if not all, connected computers to connect to impostor sites that look just like the real ones.
So far, the malicious DNS server used by DNSChanger appears to be falsifying IP addresses to divert traffic from large ad agencies in favor of ad networks known as Fogzy and TrafficBroker.

But the server could be updated at any time to falsify lookups for Gmail.com, bankofamerica.com, or any other site.
In such a scenario, HTTPS protections wouldn't flag the impostor. The best defense against these attacks is to ensure routers are running the latest available firmware and are protected with a long password that's generated randomly or through a technique known as diceware.

Disabling remote administration and changing its default local IP address can also be helpful.

DDoS in 2017: Strap yourself in for a bumpy ride

2016 sucked. 2017 won’t be much better, sorry DDoS attacks have been around since at least 2000, and they’re not going away.
In fact, as the number of devices online grows, the volume and velocity of these attacks is also increasing. Whole industries have developed around launching and preventing DDoS campaigns as black hats and white hats battle for dominance, and 2017 promises to be the most dramatic year yet in that conflict. Here are some predictions about what’s likely to happen in the next 12 months. Whale-sized attacks will increase Historically, DDoS attacks have been relatively small: the majority of attacks – 93 per cent – are below 1Gbps in size, so when large attacks do happen, they tend to show up on the radar. We’ve seen some monster attacks in 2016 – most notably the Mirai-based attack on Brian Krebs’ Krebsonsecurity site during September that caused Akamai to withdraw support, and the attack on Dyn in October. These mega-attacks, totalling 100Gbps or more, are likely to increase in both number and size.
In its Q3 State of the Internet security report, Akamai spotted a 138 per cent increase in attacks over 100Gbps. Expect to see more of these, especially as attackers become more devious. New attack techniques applying the Lightweight Directory Access Protocol (LDAP could amplify DDoS attacks by 55 times, which could send already-mounting attack volumes into overdrive. Not only are we likely to see more mega-attacks, but the largest ones will push the envelope in size terms. The IoT will become a bigger factor in DDoS Expect to see the Internet of Things (IoT) play an important part in these attacks. Mirai, which warped DVRs into evil, traffic-spitting monsters, has already wreaked havoc in Liberia and across much of the rest of the web.

And the software wasn’t even very good. Forrester Research predicts that IoT compromises will escalate a notch in 2017, arguing that 500,000 IoT devices will suffer from a single compromise, dwarfing the Heartbleed bug of 2014. The number of connected devices is going to increase greatly over the next few years, IDC estimates.
It’s time for IoT equipment suppliers to sort out their device security, warned Kevin Lonergan, who heads up security research at IDC Canada. “Attackers can easily gain access to these devices via unchanged default passwords and vulnerabilities in outdated firmware,” he said. “This problem is only going to get worse as connectivity is added to traditionally unconnected devices such as home appliances, cars, etc., by vendors who have little experience with creating secure code.” Making consumers change their default configuration before an IoT device will actually work might be a good idea.

The problem is that someone would have to regulate it, because vendors will be loath to do anything that introduces friction and increases customer support costs. DDoS will overshadow ransomware attacks As the volume of DDoS attacks increases, demand for mitigation services will increase exponentially. Nick Galletto, leader of Deloitte’s Canadian Technology Risk practice, believes that DDoS will take over from ransomware as a dominant risk to organizations worldwide. “Even before the recent [mega-]attacks, we saw that many of our clients were experiencing some level of attacks that mostly flooded their network environment,” he said.

The causes were multi-faceted, he said, adding that hacktivism played a part.

Disgruntled employees were also found to have hired DDoS attack services in some cases, Galletto added. Sub-saturating attacks will create a security vector DDoS may take over from ransomware as a cause for concern, but it’s also worth pointing out that one may act as a diversion for the other.

There’s a reason that the lion’s share of attacks operate on a relatively small (sub-saturating) scale: they could be distracting their targets while attackers compromise their systems.

This has happened before.
In 2015, attackers allegedly used a DDoS attack as a smokescreen to pilfer the personal details of 2.4 million customers. Larger DDoS attacks often show up as a network accessibility problem, but companies will increasingly find themselves experiencing them as a security issue.

These "dark DDoS" attacks are typically hard to detect, so companies will need to ensure that they have proper visibility over their network traffic to tease out attacks that could be an attempt to cloak something more insidious. Extortion via DDoS on the rise DDoS attackers are increasingly targeting companies for financial gain.

Expect to see more DDoS threats in which attackers hold companies to ransom, warn experts.

The DDoS mitigation firm Corero surveyed more than 100 IT professionals at the InfoSecurity Europe show in summer 2016, and found that eight in ten people expected their company to be on the sharp end of a DDoS extortion. Perhaps even more worrying is the news that 43 per cent of firms said they’d consider paying such a demand to keep their websites up and running. These extortion attacks come from a variety of sources.

The Amanda Collective was threatening companies as early as March 2016 (although its capabilities have been called into question). DD4BC, which also uses bitcoin as the payment currency for its DDoS blackmail campaigns, has drawn the attention of Interpol. DDoS-for-hire services will gain traction DDoS attack toolkits have been around for years, as have services that will enable you to pay for an attack.

Expect to see more of them. Why? Firstly, because they can be offered incredibly cheaply, and secondly, because there are still huge amounts of money to be made. Often offered as ‘stressors’ – sites used to stress-test targets legitimately – DDoS-for- hire services don’t ask too many questions about whether a ‘tester’ has permission to target a site. Others openly offer DDoS services. Stressors have been spotted in the wild offering these services for $5 an hour.
In spite of the low fees, DDoSas-a-service providers can make a pretty packet. When the British teeanager Adam Mudd was collared for offering such a service in November, he was said have made $385,000 from 1.7 million attacks against 1.7 million addresses. DDoS-for-hire is going to ramp up.

The IoT botnets, combined with an easy money-making opportunity, will bring more of this kind of thing in 2017.
Sceptical? Well, there’s already a 400,000 strong IoT zombie army for rent, using the Mirai malware. Some of these developments are brand new, while others chart future trends from current trajectories. One thing seems likely: if you think that DDoS activity made for a crummy, stressful 2016, then you’d better strap yourself in for the coming year. Sponsored: Want to know more about PAM? Visit The Register's hub