Home Tags Massive Attack

Tag: Massive Attack

ARM Boosts IoT Security With New Chips, Cloud Platform

ARM processors already power much of the Internet of Things. Now the company is turning its attention to security. As the US deals with the aftermath of last week's major cyberattack, the company that makes many of the chips embedded in the IoT devices used in the attack unveiled a new product intended to boost their security. Called Mbed Cloud, it is the first software-as-a-service offering from ARM, the British chip maker whose designs are present in a vast array of devices, from Rokus and Fitbits to 99 percent of the world's tablets and smartphones. Many ARM-powered devices are already connected to cloud infrastructure, of course, and ARM offers advanced hardware and software security for its chips.

But Mbed Cloud provides device manufacturers a crucial new tool: over-the-air software updates.

That means consumers won't have to worry about whether or not their baby monitors have the latest firmware to guard against threats.
It will simply be delivered automatically. It is an appropriate—albeit ominous—time for ARM to branch out into cloud security. Until recently, its cloud offerings have been limited, but it is now marketing Mbed Cloud to companies that make wearables, smart city infrastructure, and smart home devices like lights, thermostats, and baby monitors.

The company says it has 200,000 developers building products compatible with Mbed. Those products have exploded in popularity in recent years, and many of them—especially Internet-connected video cameras—were compromised and used in a massive attack that took Netflix, Twitter, and many other websites offline last week. Xiongmai, the Chinese firm that made many of the cameras, recalled them this week after they were identified as aiding the Web attack. It's unclear how much of a role over-the-air firmware updates could play in preventing such attacks, which often gain access and control the devices simply by using a publicly available database of manufacturers' default usernames and passwords. What is clear is that ARM, which sells 25 times more chips than Intel does, wants to take greater responsibility for the security of the vast Internet of things that it already powers. "As IoT technologies become more pervasive, it is time for a complete solution that secures data from the sensor to the service," ARM VP Pete Hutton said in a statement. "The IoT already runs on ARM but the goal now is scale, which we are enabling today through a uniquely comprehensive set of technologies and services built to work together seamlessly." In addition to Mbed Cloud, the company also announced new chips for IoT devices at its developers conference in Santa Clara, Calif., on Tuesday.

They include the Cortex M-23, which is smaller than the point of a pencil and can be powered by kinetic energy, such as that released when a user takes the cap off of an insulin pen.

DDoS Attackers Exploited Insecure IoT Gadgets From Chinese Company

Hangzhou Xiongmai Technology admitted weak product passwords were partly to blame for last week's massive attack. A Chinese electronics manufacturer admitted that its products inadvertently contributed to last week's massive cyberattack that knocked popular Web services offline. On Friday, a number of major sites—Twitter, Etsy, GitHub, SoundCloud, Spotify, Shopify—experienced outages as the result of a DDoS attack on DNS provider Dyn. One big part of the problem: the Mirai botnet, which scours the Web for poorly protected IoT-connected devices and enlists them to overwhelm a target with online traffic, causing an outage. "We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet. We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack," Dyn said in a statement. In this case, a Mirai-based botnet latched onto hacked DVRs and IT cameras made by Hangzhou Xiongmai Technology, which used weak factory-default usernames and passwords to safeguard its products. "Mirai is a huge disaster for the Internet of Things," the Chinese firm told Computerworld. "[We] have to admit that our products also suffered from hackers' break-in and illegal use." Xiongmai patched its flaws in September 2015, the company told Computerworld.
Its devices now ask customers to change the default password upon first use, but products running older versions of the firmware remain vulnerable.

As a result, they should update and change the default username and password.

Folks can also disconnect the gadget from the Internet altogether. Xiongmai Technology did not immediately respond to a request for comment. Friday's disruption "globally might be the beginning of a new era of Internet attacks conducted via 'smart' things," Chester Wisniewski, principal research scientist from Sophos, said in a statement. "Clearly they aren't as smart as we think, if they can be so easily commandeered by random deviants from the Internet to impact major services like Twitter, Reddit, and Spotify. "There are [tens] of millions more insecure 'smart' things that could cause incredible disruptions, if harnessed," Wisniewski added. DDoS attacks skyrocketed in 2015, and don't show any sign of slowing down.
Security researcher Brian Krebs last month became the latest high-profile victim when his website suffered "a historically large" raid, which he claimed was revenge for exposing two hackers who provided DDoS services. Now that the source code behind the raid has been released online, Krebs suggested "the Internet will soon be flooded with attacks."

Internet of Things Devices Used to Boost Scale of DDoS Attacks

NEWS ANALYSIS: More than a million security cameras, video recorders and other devices were used in attacks on a U.S. security researcher and French network service provider. For the past several days, security researcher Brian Krebs has been battling a cyber-attack on a scale unlike any ever previously observed on the internet.Krebs, who writes the security blog Krebs on Security, was on the receiving end of a distributed denial-of-service (DDoS) attack that delivered connection requests at the rate of nearly 700 gigabits per second.

Equally alarming, the attack was generated by well over a million video cameras as well as other internet-connected devices ranging from set-top boxes to video recorders.This is the first time network-connected devices have been used in such a massive attack, although it's worth noting that smart devices, especially laser printers, have been used to launch malware attacks for several years.

And although this is also not the first time video cameras have been used as part of a DDoS attack, it is the first time they have been marshaled for an attack on this scale.Krebs has said that he was attacked in retaliation for a story he reported about an Israeli attack-for-hire service called "vDOS" that was earning its operators hundreds of thousands of dollars per year.

After the story appeared on Krebs' blog, the principals of the company were arrested, fined and placed under house arrest.

Apparently the internet of things (IoT) attack on Krebs was done to prove that vDOS still had teeth. Since then, Krebs has moved his website to the protection of Google's Project Shield, which was created to protect human rights advocates and journalists from censorship by DDoS. Previously Krebs was protected by the Akamai content delivery service, but that company dropped him because handling the attacks was costing Akamai millions of dollars and Krebs was getting the service for free. The attack on Krebs highlights the growing security problem of the IoT. Unfortunately, while the problem has been growing for years, very little has been done to address the threat. Worse, very few organizations have taken any steps to develop a protocol for making sure that devices that connect to the internet are secure.

Adding to the problem is the fact that there's little indication that once acquired, the devices are kept secure through proper management and timely updates.The security cameras that were used in the attack on Krebs were mostly produced by Dahua Technology, which produces a wide variety of cameras used both in businesses and by consumers.

These cameras are typically delivered with a default user name and password, and relatively few customers change the passwords before installation.

Even fewer of these devices are ever updated once they're installed. While Dahua products were used in this attack, the company is not unique in how it delivers its products.
Very few connected devices have any security beyond a simple name and password, and quite a few don't even have that.
If you want a picture of how bad this problem is, just turn on a WiFi device in a crowded area and look at the list of SSIDs. Note how many are simply the name of the company that made the product.There are several things your organization can do to reduce the chance of your assets being used in a DDoS attack and that in turn will help you avoid any liability, and any expense for the traffic your network devices may generate. Here's a list to get you started:1. Develop and enforce a protocol for any network-connected device that enters your organization to ensure that it gets a secure name and password, is set up for secure WiFi and gets on the list of devices that need regular updates.2. Set your routers and firewalls to reject any attempt by your network devices to communicate outside of your internal network unless there's a legitimate need. Print servers, for example, probably don't need to have access to the internet.3. Make sure your intrusion protection system is set to scan for unauthorized devices and check to see if your firewall is set to trigger alerts when devices attempt to reach the internet.4. Confirm that any new devices that come into your organization will support your security requirements, including the ability to support secure WiFi.5. Where possible, try to use wired networking rather than WiFi.Perhaps most important, make sure your security staff knows that they have to remain vigilant for the introduction of new, insecure devices on to your network and realize that those devices can be attached to your network in seconds by nearly anyone in your company.

Those new devices will probably be insecure and the people installing them won't be in a hurry to tell you about them.The devices on your network, whether they're intended to help you stay secure or simply intended to make your life easier, have a great potential to help, but they have an equally great potential to endanger your organization. You can limit the security risks by watching what those devices are up to, but only if you have a plan for handling them in the first place. 

Back Online, Krebs Laments Use of DDoS Attacks to Censor Speech

Security researcher Brian Krebs has a bone to pick with those who use the tactic to silence critics. Security researcher Brian Krebs is back online following a massive distributed denial of service attack last week.

And he has a bone to pick with tho...

Snapchat Blames 3rd-Party Apps After Hack Exposes User Photos

NEWS ANALYSIS: A hacker attack, dubbed the "Snappening," takes advantage of flaws in third-party apps that access Snapchat. Thousands of Snapchat images that users thought were erased have now been publicly posted in an attack that is being publicly referred to as the "Snappening." Snapchat is a popular temporary photo-sharing app for mobile devices that offers users the promise of ephemeral image sharing of pictures that aren't supposed to be stored. Yet, apparently, in a massive attack, those images were stored and have now been released. Many of Snapchat's users are teenagers, and there is a risk that some of the photos are indecent. For its part, Snapchat is claiming that its servers were not breached. "Snapchatters were victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our ToU [terms of use]," Snapchat stated in a Twitter message. It is currently unclear which third-party app is the one to blame or if multiple apps are at fault. Snapchat's blaming a third-party app's violation of Snapchat's terms of use for being the fault in the image leak is not likely to win the company much admiration. The simple truth of the way that access to any online app service works is that there is always a control point. For a service like Snapchat, that control point is its APIs. Third-party apps can only work and communicate with the Snapchat servers by way of an API. It's the same thing with Twitter and its ecosystem of third-party apps. In order for apps to work with a service's API, typically some form of access and authorization tokens are required. Those tokens need to be granted by the service and can also be revoked. So, to take the argument a step further, if in fact a third-party service was in violation of the Snapchat terms of use, the company could have—and should have—been able to revoke or otherwise cancel access to its API. That would, however, imply that, in fact, Snapchat was aware that the third-party app was in violation of its terms of use and that Snapchat has the ability to monitor third-party apps for abuse. Snapchat does not have a very good record of securing its service or its users. At the end of 2013, 4.6 million Snapchat user names and phone number were leaked and posted to a public database.  That attack was also linked to an abuse of Snapchat's API. The issue of API security is not reported on often, but it is obviously critically important. In this latest Snapchat incident, the lives of thousands of people are now being affected as their private pictures are posted publicly. The Snapchat photo leakage attack follows the high-profile celebrity Apple iCloud photo attack in September. In that incident, attackers were somehow able to gain access to the Hollywood celebrities' iCloud accounts through some form of phishing activity. In the latest Snapchat attack, it's not cloud security, but the security and usage of APIs by a third-party app that are in question. It is incumbent upon Snapchat to tighten up its security policies around third-party apps and the usage of its API. For end users, this incident underscores that it's likely safer to stick with official apps and not third-party apps. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.  

Amplified DDoS Attacks Increasingly Use Network Time Service

Attackers abused a feature of the network time protocol to flood networks with hundreds of gigabits per second of data, a situation which is happening with increasing frequency, according to DOS mitigation firm Prolexic. ...

Namecheap targeted in monumental DDoS attack

The service known for hosting millions of Web sites is the victim of a cyberattack that knocked out connections for domains around the world. February 20, 2014 4:10 PM PST The Web-hosting service Namecheap was hit with what it says was one the ...

Adobe hacked, 3 million accounts compromised

The massive attack exposes customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. October 3, 2013 2:31 PM PDT Adobe announced on Thursday that it has been the target of a majo...