Who Should We Blame For Friday's DDOS Attack? (fortune.com)
"Wondering which IoT device types are part of the Mirai botnet causing trouble today? Brian Krebs has the list," tweeted Trend Micro's Eric Skinner Friday, sharing an early October link which identifies Panasonic, Samsung and Xerox printers, and lesser-known makers of routers and cameras. An anonymous reader quotes Fortune:
Part of the responsibility should also lie with lawmakers and regulators, who have failed to create a safety system to account for the Internet-of-Things era we are now living in. Finally, it's time for consumers to acknowledge they have a role in the attack too. By failing to secure the internet-connected devices, they are endangering not just themselves but the rest of the Internet as well.
If you're worried, Motherboard is pointing people to an online scanning tool from BullGuard (a U.K. anti-virus firm) which checks whether devices on your home network are listed in the Shodan search engine for unsecured IoT devices. But earlier this month, Brian Krebs pointed out the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, "allowing systems on their networks to be leveraged in large-scale DDoS attacks..."
The people that did it.
From TFA: "Dormann said instead of hard-coding credentials or setting default usernames and passwords that many users will never change, hardware makers should require users to pick a strong password when setting up the device."
This advice is just plain wrong. It requires educating every single end user on security best practices. Lately I've seen a trend from ISPs for their router admin pages and wifi access points: they come pre-configured with a randomly generated password for each, which is then printed out on a sticker and stuck to the side of the device. Without physical access to the device, nobody would know the credentials for it. This keeps the burden of security within the realm of those who know what they are doing and making good decisions. The act of using a poor password would then end up on the end user, having to type in the secured password, and then change it to something less secure.
I believe global warming increases the severity of these attacks. Look at the facts: it's getting warmer every year, and the intensity of these attacks is likewise increasing.
So here we go through the pros and cons of each. This is not to rule any of them out, as I don't think you can at this point, but to lay it all out there.
Hacktivists (Specifically New World Hackers):
Pro - claimed responsibility. Anonymous/offshoots responsible for lots of past DDoS activity.
Cons - Several security firms called BS on the evidence, and cited past history of false claims of responsibility to boost DDoS for hire business. Also the complexity and sophistication make this unlikely.
Cybercriminals:
Pro - probable originators of Mirai botnet, likely responsible for preceding DDoSes of Brian Krebs and OVH.
Con - No stated ransom demands (at least none reported) or other identifiable material benefit. Lacks a direct reason.
North Korea:
Pro - Past history of DDoS and malware attacks. Never claims responsibility. Suffers nothing if the internet goes down.
Cons - Attack only targeted the USA, not perennial NK targets of South Korea or Japan. If this was North Korea, why ignore those two?
Russia:
Pro - contacts/influence in Russian cybercrime community. Possible interest in interference in US politics.
Con - No real rhyme or reason for doing so now. Widespread (as opposed to targeted) disruptions likely don't have any predictable impact to swaying the election.
China:
Pro - Reports that many of the infected devices were Chinese in origin.
Con - China normally steals your business secrets rather than DDoS you. Chinese devices weren't the only ones, too - bad security is everywhere.
US intelligence (NSA et al):
Pro - False flag?
Con - NSA wants to listen in on your data, not shut you off from communicating. Unlikely that there is anyone who supports Wikileaks/Assange/Anonymous/etc that would change their minds over this.
This is by no means a comprehensive list, just off the top of my head.
Oh, great. With IPv6, instead of only devices which punch their way through a NAT gateway using UPnP, every IoT device can be on the Internet. I'm sure that will help things tremendously. Unless, of course, you expect the same users who won't even change default passwords to learn about and configure firewalls.
"National Security is the chief cause of national insecurity." - Celine's First Law
ISPs that don't implement RFC 2827
Vendors that don't ship secure devices
The people that did it
Egress filtering would be nice too. If the source address of packets coming out of your network is not in your address space, don't let it out.
In the free world the media isn't government run; the government is media run.
Ultimately, it's the groups that initiated the DDoS who are to blame. But others have to take some responsibility for failing to do what they could to mitigate the opportunities to initiate attacks:
1. ISPs could implement measures based on RFCs 3704 and 2827 that would make spoofed traffic difficult to impossible to generate.
2. Router makers could implement RFC 3704 and 2827 rules in their firewalls by default, could implement default rules that blocked access to external DNS to everything except the router (with the option for the user to allow some or all access), could provide a separate network for IoT devices that defaults to no Internet access and the user has to specifically authorize access per device, and could make randomized default passwords the standard for factory-default configurations.
3. IoT manufacturers could make randomized default passwords standard and design their devices to not require Internet access to configure.
4. Consumers could acknowledge that they're responsible for their own networks and routinely make use of the available tools to check on the health of their networks and the status of the devices on it.
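The egress rule from the earlier comment and the RFC 2827 / RFC 3704 filtering in points 1 and 2 above, as an added Python simulation (not any commenter's code, and not real router configuration) using constructed documentation-range prefixes and a hypothetical two-interface routing table:

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed routing table for a hypothetical ISP edge router:
# interface -> prefixes expected as source addresses on that interface.
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges, not real customers.
ROUTES: Dict[str, List[ipaddress.IPv4Network]] = {
    "customer-a": [ipaddress.ip_network("203.0.113.0/24")],
    "customer-b": [ipaddress.ip_network("198.51.100.0/25")],
}

# The whole address space this network is responsible for (constructed).
OUR_SPACE = [ipaddress.ip_network("203.0.113.0/24"),
             ipaddress.ip_network("198.51.100.0/24")]


def egress_allowed(src: str, our_space: Iterable[ipaddress.IPv4Network]) -> bool:
    """RFC 2827 / BCP38 egress rule: a packet leaving the network must carry a source
    address from the network's own space; anything else is spoofed and is dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in our_space)


def strict_urpf_allowed(src: str, ingress_iface: str, routes=ROUTES) -> bool:
    """RFC 3704 strict unicast RPF: accept only if the route back to the source
    address points out the interface the packet arrived on."""
    addr = ipaddress.ip_address(src)
    for iface, nets in routes.items():
        if any(addr in net for net in nets):
            return iface == ingress_iface
    return False  # no route to the source at all: drop


def filter_packets(packets: List[Tuple[str, str]], our_space=OUR_SPACE, routes=ROUTES):
    """Apply both checks to (src, ingress_iface) pairs; return (accepted, dropped)."""
    accepted, dropped = [], []
    for src, iface in packets:
        ok = strict_urpf_allowed(src, iface, routes) and egress_allowed(src, our_space)
        (accepted if ok else dropped).append((src, iface))
    return accepted, dropped


# Constructed sample traffic: a spoofing host on customer-a is caught either way.
SAMPLE = [
    ("203.0.113.7", "customer-a"),   # legitimate source on its own interface
    ("192.0.2.10", "customer-a"),    # spoofed: outside our address space
    ("198.51.100.9", "customer-a"),  # ours, but routed via customer-b: strict uRPF drops it
    ("198.51.100.9", "customer-b"),  # legitimate
]

if __name__ == "__main__":
    print(filter_packets(SAMPLE))
```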
The Patriarchy!
Not only this, but the inept users whose devices get pwned and used to attack other systems should be held legally responsible for the attacks.
Only up to a point. It's not really fair to expect the random non-computer guy who owns an IoT light bulb to secure it against electronic attack. The company that manufactures the bulb and decides telnet is an appropriate protocol to use to connect to it, on the other hand...
Real lawyers write in C++