Slashdot Mirror


Who Should We Blame For Friday's DDOS Attack? (fortune.com)

"Wondering which IoT device types are part of the Mirai botnet causing trouble today? Brian Krebs has the list," tweeted Trend Micro's Eric Skinner Friday, sharing an early October link which identifies Panasonic, Samsung and Xerox printers, and lesser-known makers of routers and cameras. An anonymous reader quotes Fortune: Part of the responsibility should also lie with lawmakers and regulators, who have failed to create a safety system to account for the Internet-of-Things era we are now living in. Finally, it's time for consumers to acknowledge they have a role in the attack too. By failing to secure their internet-connected devices, they are endangering not just themselves but the rest of the Internet as well.
If you're worried, Motherboard is pointing people to an online scanning tool from BullGuard (a U.K. anti-virus firm) which checks whether devices on your home network are listed in the Shodan search engine for unsecured IoT devices. But earlier this month, Brian Krebs pointed out the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, "allowing systems on their networks to be leveraged in large-scale DDoS attacks..."

24 of 190 comments

  1. Who should we blame? by iCEBaLM · · Score: 5, Insightful

    The people that did it.

    1. Re:Who should we blame? by Anonymous Coward · · Score: 5, Funny

      Nah, too much effort figuring out who did it. Just blame Russia. Works for everyone else lately.

    2. Re:Who should we blame? by AmiMoJo · · Score: 4, Insightful

      Also the people who didn't change the default passwords. Looking at the list, most of the devices are not particularly insecure or anything, it's just that their owners did not change the default login credentials but did manage to expose them to the internet.

      Also blame the engineers who didn't put in some interlocks, e.g. no requests from outside the LAN until the default password has been changed or simply force the user to change the password the first time they log in.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Who should we blame? by ArmoredDragon · · Score: 5, Insightful

      Regardless of who is behind it, it's about time that we treat DDoS as the censorship that it is. I'm sick of hacktivists trying to justify bringing down major websites just because they don't like whoever runs it, while at the same time talking about how they are pro democracy and pro free speech. DDoS is the opposite of both, no matter who the target is. People who justify it because they don't like Walmart or whoever are fucking hypocritical assholes.

    4. Re:Who should we blame? by wvmarle · · Score: 2

      Also blame the engineers who didn't put in some interlocks, e.g. no requests from outside the LAN until the default password has been changed or simply force the user to change the password the first time they log in.

      That's the problem. Not end users not changing default passwords - many may not even know that it can or should be changed, and why should they? They're not security managers or IT engineers or so. Having users change the password on first login before they can do anything else, that's the only reasonable way to go. Maybe also add a list of the 1,000 most common passwords out there, and reject all those, make them come up with something a bit more unique, or hackers would still easily get access to the first 10-20% of devices by just using those common passwords.
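The interlocks proposed in the two comments above (no requests from outside the LAN until the default password is replaced, a forced password change on first login, and rejection of a common-password list) sketched as device-side logic. This is an added example, not any vendor's firmware; the LAN prefix, default credential and the tiny common-password list are constructed stand-ins.

```python
import hashlib
import hmac
import ipaddress
import os

# Constructed stand-ins (hypothetical values, not from any real device).
DEFAULT_PASSWORD = "admin"
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "admin", "letmein"}
LAN = ipaddress.ip_network("192.168.1.0/24")


class DeviceAuth:
    """Setup-time policy for a consumer device with a factory default password."""

    def __init__(self):
        self.password_changed = False
        self._salt = os.urandom(16)
        self._hash = self._derive(DEFAULT_PASSWORD)

    def _derive(self, pw: str) -> bytes:
        # Stored credential is a salted PBKDF2 hash, never the plaintext.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self._salt, 100_000)

    def verify(self, pw: str) -> bool:
        return hmac.compare_digest(self._hash, self._derive(pw))

    def request_allowed(self, client_ip: str) -> bool:
        # Interlock: until the default is replaced, only LAN clients are served.
        return self.password_changed or ipaddress.ip_address(client_ip) in LAN

    def set_password(self, old: str, new: str):
        """Returns (ok, reason). Rejects the default and the common-password list."""
        if not self.verify(old):
            return False, "current password incorrect"
        if new == DEFAULT_PASSWORD or new.lower() in COMMON_PASSWORDS:
            return False, "password is the default or on the common-password list"
        if len(new) < 12:
            return False, "password too short"
        self._salt = os.urandom(16)
        self._hash = self._derive(new)
        self.password_changed = True
        return True, "ok"

    def login(self, client_ip: str, pw: str) -> str:
        if not self.request_allowed(client_ip):
            return "blocked: WAN access disabled until default password is changed"
        if not self.verify(pw):
            return "denied"
        # First login with the factory password only opens the change-password step.
        return "ok" if self.password_changed else "must change password"
```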

    5. Re:Who should we blame? by b0bby · · Score: 2

      The problem with some of these devices is that they also have a hardcoded root password. I have one like that - I kept it behind its own router since I didn't trust it, but took it offline a couple of months ago when I learned that it has a hardcoded root and no new firmware. I had changed the admin password of course, but that really didn't do anything.
      I'm no longer going to allow an open port for any device like this, but most people won't know how to set up a vpn for home.

  2. WRONG by darkain · · Score: 5, Insightful

    From TFA: "Dormann said instead of hard-coding credentials or setting default usernames and passwords that many users will never change, hardware makers should require users to pick a strong password when setting up the device."

    This advice is just plain wrong. It requires educating every single end user on security best practices. Lately I've seen a trend from ISPs for their router admin pages and wifi access points: they come pre-configured with a randomly generated password for each, which is then printed out on a sticker and stuck to the side of the device. Without physical access to the device, nobody would know the credentials for it. This keeps the burden of security within the realm of those who know what they are doing and making good decisions. The act of using a poor password would then end up on the end user, having to type in the secured password, and then change it to something less secure.

    1. Re:WRONG by thegarbz · · Score: 2

      Lately I've seen a trend from ISPs for their router admin pages and wifi access points: they come pre-configured with a randomly generated password for each ...
      This keeps the burden of security within the realm of those who know what they are doing and making good decisions

      Next time you look at the device compare the randomly generated password with the MAC address. I would put it to you that many of the ISP provided routers with "random passwords" were not at all designed by people who know what they are doing. :-)

  3. Re:Windmills by chipschap · · Score: 4, Funny

    I believe global warming increases the severity of these attacks. Look at the facts: it's getting warmer every year, and the intensity of these attacks is likewise increasing.

  4. The Usual Suspects by Fire_Wraith · · Score: 4, Interesting

    So here we go through the pros and cons of each. This is not to rule any of them out, as I don't think you can at this point, but to lay it all out there.

    Hacktivists (Specifically New World Hackers):
    Pro - claimed responsibility. Anonymous/offshoots responsible for lots of past DDoS activity.
    Cons - Several security firms called BS on the evidence, and cited past history of false claims of responsibility to boost DDoS for hire business. Also the complexity and sophistication make this unlikely.

    Cybercriminals:
    Pro - probable originators of Mirai botnet, likely responsible for preceding DDoSes of Brian Krebs and OVH.
    Con - No stated ransom demands (at least none reported) or other identifiable material benefit. Lacks a direct reason.

    North Korea:
    Pro - Past history of DDoS and malware attacks. Never claims responsibility. Suffers nothing if the internet goes down.
    Cons - Attack only targeted the USA, not perennial NK targets of South Korea or Japan. If this was North Korea, why ignore those two?

    Russia
    Pro - contacts/influence in Russian cybercrime community. Possible interest in interference in US politics.
    Con - No real rhyme or reason for doing so now. Widespread (as opposed to targeted) disruptions likely don't have any predictable impact to swaying the election.

    China
    Pro - Reports that many of the infected devices were Chinese in origin
    Con - China normally steals your business secrets rather than DDoS you. Chinese devices weren't the only ones, too - bad security is everywhere.

    US intelligence (NSA et al)
    Pro - False flag?
    Con - NSA wants to listen in on your data, not shut you off from communicating. Unlikely that there is anyone who supports Wikileaks/Assange/Anonymous/etc that would change their minds over this.

    This is by no means a comprehensive list, just off the top of my head.

    1. Re:The Usual Suspects by AHuxley · · Score: 2

      Given the billions the 5 eye nations spend on the "internet" and all their bases, camps and shared sites globally, finding the command and control should not be hard?
      Even if it's encrypted or p2p or via a commercial or staging server, VPN or lots of hops, or in unexpected nations or by a few people.
      Will they show what their tech can do or save it for "cyber" events?
      Strange how well former crypto gov "operators", open-source counterintelligence operations and contractors can work together and in the open with the media if the code litter is helpful to one side of politics?
      Maybe they got a hint of who did it and why and it's not for public consumption or shows a method of tracking, or the intelligence services have staff/informants in groups and had to keep their cover?
      The next push could be a roll out of laws, product lines, contractors, international cooperation and hardware to "stop" such events?

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:The Usual Suspects by ShaunC · · Score: 2

      There's also the "Bored Teenager" possibility. Some people just want to watch the world burn. For all we know, this is the work of some kid with lots of free time, fucking around for no benefit and without any real motivation.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    3. Re:The Usual Suspects by laughingskeptic · · Score: 2

      Your Russia con ignores the recent US/CIA saber-rattling about hitting back at Russia for their election related hacking. Russia may have been making it clear that they can hurt us more than we can hurt them because their criminal element owns most of our IoT devices and they can turn those against us at will.

  5. Re:Not who... but what should we blame? by msauve · · Score: 4, Insightful

    Oh, great. With IPv6, instead of only devices which punch their way through a NAT gateway using UPnP, every IoT device can be on the Internet. I'm sure that will help things tremendously. Unless, of course, you expect the same users who won't even change default passwords to learn about and configure firewalls.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
  6. Re:several people by myowntrueself · · Score: 4, Insightful

    ISPs that don't implement RFC 2827
    Vendors that don't ship secure devices
    The people that did it

    Egress filtering would be nice too. If the source address of packets coming out of your network is not in your address space, don't let it out.

    --
    In the free world the media isn't government run; the government is media run.
  7. Re: How do you secure the unsecurable? by Anonymous Coward · · Score: 2, Insightful

    Ah, the DMCA approach.

    I can see it now.

    Since we can't figure out how to stop ddos attacks, we create a mechanism wherein our Internet equivalent of the RIAA sends ISPs notifications about who is part of a botnet.

    The ISP, in turn, immediately has to notify and throttle users who are part of the botnet. They have to do it otherwise they'll be aiding and abetting internet pira...er, ddos attacks, and thus, are open to lawsuits. This creates the proper incentive to rubber stamp... I mean, streamline the process.

    The user, of course, has a chance to contest this throttling in case that the user is not part of the botnet (IP addresses are so easy to spoof these days). So it is totally fair. All they have to do is send a counterclaim and if it is rejected (which it will), they have the option to take this to court.

    Out of their own pocket of course. For something they didn't even do.

    It's a totally fair system and it will not at all be abused.

  8. Re: DNS... by chipperdog · · Score: 2

    Incorrect use of DNS... DNS was designed to be very fault tolerant, but when you publish records with 30 second TTLs, the authoritative server has to be accessed twice a minute, making millions of caching nameservers useless.

  9. The attackers by Todd+Knarr · · Score: 4, Insightful

    Ultimately, it's the groups that initiated the DDoS who are to blame. But others have to take some responsibility for failing to do what they could to mitigate the opportunities to initiate attacks:

    1. ISPs could implement measures based on RFCs 3704 and 2827 that would make spoofed traffic difficult to impossible to generate.

    2. Router makers could implement RFC 3704 and 2827 rules in their firewalls by default, could implement default rules that blocked access to external DNS to everything except the router (with the option for the user to allow some or all access), could provide a separate network for IoT devices that defaults to no Internet access and the user has to specifically authorize access per device, and could make randomized default passwords the standard for factory-default configurations.

    3. IoT manufacturers could make randomized default passwords standard and design their devices to not require Internet access to configure.

    4. Consumers could acknowledge that they're responsible for their own networks and routinely make use of the available tools to check on the health of their networks and the status of the devices on it.
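The RFC 2827 / RFC 3704 (BCP38) source-address checks that comments 6 and 9 call for, as an added simulation (not the thread's or any vendor's code): egress drops anything leaving the network with a source outside our own prefixes, ingress drops anything arriving from upstream that claims one of our addresses. The prefixes and packets are constructed samples.

```python
import ipaddress

# Constructed sample: the address space this network has been allocated.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:1::/48")]


def in_our_space(addr: str) -> bool:
    """True if addr falls inside one of the prefixes we are allocated."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OUR_PREFIXES)


def egress_allowed(src: str) -> bool:
    """RFC 2827 egress rule: only packets sourced from our own prefixes may
    leave; any other source address must be spoofed."""
    return in_our_space(src)


def ingress_allowed(src: str) -> bool:
    """RFC 3704-style ingress rule: a packet arriving from the upstream side
    that claims one of our own addresses is spoofed and is dropped."""
    return not in_our_space(src)


def filter_packets(packets, direction: str):
    """Split a list of (src, dst) pairs into (forwarded, dropped)."""
    check = egress_allowed if direction == "egress" else ingress_allowed
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if check(src) else dropped).append((src, dst))
    return forwarded, dropped


# Constructed traffic: the last two egress packets carry sources outside our
# space (spoofed); the last ingress packet claims one of our own addresses.
SAMPLE_EGRESS = [
    ("203.0.113.10", "198.51.100.5"),
    ("2001:db8:1::42", "2001:db8:2::1"),
    ("198.51.100.77", "192.0.2.9"),
    ("192.0.2.200", "192.0.2.9"),
]
SAMPLE_INGRESS = [
    ("198.51.100.5", "203.0.113.10"),
    ("203.0.113.99", "203.0.113.10"),
]

if __name__ == "__main__":
    for name, pkts in (("egress", SAMPLE_EGRESS), ("ingress", SAMPLE_INGRESS)):
        fwd, drop = filter_packets(pkts, name)
        print(f"{name}: forwarded {len(fwd)}, dropped {len(drop)} -> {drop}")
```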

  10. That's Obvious by pipingguy · · Score: 4, Funny

    The Patriarchy!

  11. Re:Not who... but what should we blame? by neo00 · · Score: 2

    If the device is already hacked, you're absolutely right that NAT won't add any security. However, GP's point was that NAT could make it a little more difficult to get the device hacked in the first place.

  12. That'll be a million dollars, please... by SeattleLawGuy · · Score: 5, Insightful

    not only this but the inept users whose devices get pawned and used to attack other systems should be held legally responsible for the attacks.

    Only up to a point. It's not really fair to expect the random non-computer guy who owns an IoT light bulb to secure it against electronic attack. The company that manufactures the bulb and decides telnet is an appropriate protocol to use to connect to it, on the other hand...

    --
    Real lawyers write in C++
    1. Re:That'll be a million dollars, please... by execthis · · Score: 2

      I agree. I was thinking about cases where for example a device when purchased is secure and then the user changes the password to "password". If they have the capacity to actually log in to a configuration page and change the password, then they should also be held accountable for weakening the device's security by choosing a bad password.

  13. Re:How do you secure the unsecurable? by Anonymous Coward · · Score: 3, Insightful

    "I think the best way to handle this is to make people somehow accountable when they participate in a DDoS, whether they do it willingly or not."

    Well, you self important prick, answer me this:
    One manufacturer was quickly identified on Friday as contributing a major part of the Attack.
    Name them. No, you don't get to scour the Web now, you should _know_ this.
    Now, you as an enlightened Consumer go out Monday to buy a new DVR. How can you tell if it has been compromised? At the least, you are going to have to take your toolbox with you, and start disassembling them on the floor of Fry's, (This is much more difficult if you favor Amazon...). You will need a cheat sheet to identify all of the compromised boards, and that doesn't yet exist.
    Now you take your new DVR home, and an hour later, you notice your Wifi has slowed to a crawl. Multiply that by the 3 million or so Xiongmai Electronics cards already out there in scores of products from dozens of manufacturers, (Oops, I gave the name away...), how do you "...think twice about buying insecure shit." How can you, baby shit for brains, possibly know? I think that it is best if you no longer have _any_ Internet Access from now on, until you are better informed, and learn some humility.

    https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/

  14. Re: The worst? by sg_oneill · · Score: 3, Insightful

    It struck me that there is a "nuclear option" solution that would be highly illegal but highly effective. Every time one of these shitty IOT devices is found exploitable and the manufacturer doesn't bother to update, scan the whole damn net for that device and tell it to DDOS the manufacturer and not stop. The manufacturer would pretty quickly realise they have to get a patch out if they wish to remain a citizen of the internet. For added niceness make sure the user understands why their baby monitor is attempting to murder its creator.

    --
    Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.