BrickerBot, the Permanent Denial-of-Service Botnet, Is Back With a Vengeance (arstechnica.com)
An anonymous reader quotes a report from Ars Technica: BrickerBot, the botnet that permanently incapacitates poorly secured Internet of Things devices before they can be conscripted into Internet-crippling denial-of-service armies, is back with a new squadron of foot soldiers armed with a meaner arsenal of weapons. Pascal Geenens, the researcher who first documented what he calls the permanent denial-of-service botnet, has dubbed the fiercest new instance BrickerBot.3. It appeared out of nowhere on April 20, exactly one month after BrickerBot.1 first surfaced. Not only did BrickerBot.3 mount a much quicker number of attacks -- with 1,295 attacks coming in just 15 hours -- it used a modified attack script that added several commands designed to more completely shock and awe its targets. BrickerBot.1, by comparison, fired 1,895 volleys during the four days it was active, and the still-active BrickerBot.2 has spit out close to 12 attacks per day. Shortly after BrickerBot.3 began attacking, Geenens discovered BrickerBot.4. Together, the two newly discovered instances have attempted to attack devices in the research honeypot close to 1,400 times in less than 24 hours. Like BrickerBot.1, the newcomer botnets are made up of IoT devices running an outdated version of the Dropbear SSH server with public, geographically dispersed IP addresses. Those two characteristics lead Geenens to suspect the attacking devices are poorly secured IoT devices themselves that someone has compromised and used to permanently take out similarly unsecured devices. Geenens, of security firm Radware, has more details here.
BrickerBot, the botnet that permanently incapacitates poorly secured Internet of Things devices
Denial-of-Service botnet? Sounds more like a Public-Service botnet to me.
The hero the Internet of Things both deserves _and_ needs.
This Space Intentionally Left Blank
Is it a plane?
No it's Super Hacker Nerd!!
Leaping the Internet Of Things in a single bound
Build a Man a Fire, and He'll Be Warm for a Day. Set a Man on Fire, and He'll Be Warm for the Rest of His Life.
Looking at my firewall logs I think BrickerBot v3.0 may have actually been unleashed on the 18th, not the 20th. There was a huge decline in scanning for port 5358 that started on the 18th, which is now less than half the activity level it was at on the 17th, and less than 15% of the levels it was peaking at prior to BrickerBot v1.0. There are further, but smaller, falls in some of the other typical IoT ports like 2323 that started around the same time as well.
:)
If you're reading, Janit0r (or whatever your current pseudonym is), keep up the good work! Might be worth taking a look at what's going on with Port 81 as well... Just sayin'
UNIX? They're not even circumcised! Savages!
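The comment above infers the botnet's start date from a drop in inbound scanning on typical IoT ports. The following added example (not code from the commenter or from Radware) shows one way to measure that from firewall drop logs: count distinct source addresses per port per day and flag ports whose scanner count fell below a fraction of the previous day's. The iptables-style log lines, host names and addresses are constructed for the example; the `[FW-DROP]` prefix and field names are assumptions about a typical log format.

```python
import re
from collections import defaultdict

# Constructed iptables-style drop lines (not real logs); addresses are documentation ranges.
SAMPLE_LOG = """\
Apr 17 01:02:03 gw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.11 DST=203.0.113.5 PROTO=TCP DPT=5358
Apr 17 02:02:03 gw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.12 DST=203.0.113.5 PROTO=TCP DPT=5358
Apr 17 03:02:03 gw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.13 DST=203.0.113.5 PROTO=TCP DPT=5358
Apr 17 04:02:03 gw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.14 DST=203.0.113.5 PROTO=TCP DPT=5358
Apr 17 05:02:03 gw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.21 DST=203.0.113.5 PROTO=TCP DPT=2323
Apr 17 06:02:03 gw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.22 DST=203.0.113.5 PROTO=TCP DPT=2323
Apr 17 06:30:03 gw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.11 DST=203.0.113.5 PROTO=TCP DPT=5358
Apr 18 01:02:03 gw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.31 DST=203.0.113.5 PROTO=TCP DPT=5358
Apr 18 03:02:03 gw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.41 DST=203.0.113.5 PROTO=TCP DPT=2323
Apr 18 04:02:03 gw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.42 DST=203.0.113.5 PROTO=TCP DPT=2323
Apr 18 05:02:03 gw kernel: [FW-DROP] IN=eth0 SRC=198.51.100.43 DST=203.0.113.5 PROTO=TCP DPT=22
"""
LINES = SAMPLE_LOG.splitlines()

# Syslog month/day, then the SRC= and DPT= fields; other fields are ignored.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) \S+ .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def daily_unique_sources(lines):
    """Map (day label, destination port) -> set of distinct source IPs that probed it.

    Distinct sources are counted rather than raw hits so that one noisy scanner
    retrying all day does not mask a genuine drop in the number of scanning hosts.
    """
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # unrelated or malformed line: skip rather than crash
            continue
        key = (f"{m['mon']} {int(m['day']):02d}", int(m['dpt']))
        seen[key].add(m['src'])
    return seen


def port_activity(lines, port):
    """Number of distinct scanning sources per day for one destination port."""
    seen = daily_unique_sources(lines)
    return {day: len(srcs) for (day, p), srcs in seen.items() if p == port}


def drop_ratio(lines, port, baseline_day, day):
    """Scanners on `day` divided by scanners on `baseline_day`; None if there is no baseline."""
    act = port_activity(lines, port)
    base = act.get(baseline_day, 0)
    if base == 0:
        return None  # avoid a division by zero and a meaningless 'infinite rise'
    return act.get(day, 0) / base


def ports_with_sharp_drop(lines, baseline_day, day, threshold=0.5):
    """Ports whose distinct-scanner count fell below threshold * baseline between the two days."""
    seen = daily_unique_sources(lines)
    ports = {p for (_, p) in seen}
    out = {}
    for p in sorted(ports):
        r = drop_ratio(lines, p, baseline_day, day)
        if r is not None and r < threshold:
            out[p] = r
    return out


if __name__ == "__main__":
    print(port_activity(LINES, 5358))
    print(ports_with_sharp_drop(LINES, "Apr 17", "Apr 18"))
```

On the constructed sample, port 5358 goes from four distinct scanners to one (a ratio of 0.25), port 2323 is flat, and port 22 has no baseline day so it is reported as `None` rather than as a change. On real logs, run it over a window of weeks so that ordinary day-to-day noise sets the threshold, not a single day.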
Nothing is completely secure and anyone who claims otherwise is full of shit. I'm not going to get into an OS war, but even the most secure OS has its flaws, the biggest being the users. You can't fix stupid, and stupid people are going to make stupid decisions with security. If you hardcode a password/key that is the same on every device, put in a back door, install outdated software, or make other bad configuration mistakes, you are going to get hacked no matter how secure your OS is. The majority of these IoT devices are cheap throw-away devices by manufacturers that couldn't give two shits about security and don't care if they make the above-mentioned mistakes.
The idea behind the IoT isn't bad. The execution is horrible.
The idea that you can use the internet as a medium to access parts of your home isn't that bad an idea. That the whole shit is done by corporations that only care about their bottom line and offer you gimmicky toys that are security nightmares is the horrible execution thereof.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
If Linux is so secure, then why is it being exploited in this case?
'Linux' isn't being exploited, the crappy applications people wrote to run on Linux are.
Any app that accepts incoming data from the internet can be vulnerable to buffer overflows, etc.
Apps written by the cheapest available people in a 3rd world country? Doubly so.
No sig today...
Any OS can be made insecure by idiots. Linux has the potential to be secure. The source code is also available and it is still administered by humans. This means any idiot can create an insecure Linux distribution or turn an out of the box secure one into an insecure one. Linux isn't a panacea, but Windows is a petri dish. HTH
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
This is 100% correct, and it baffles me that ostensibly intelligent people can't see the difference between a good idea and a flawed implementation.
Vigilante definition, from Online Webster:
: a member of a volunteer committee organized to suppress and punish crime summarily (as when the processes of law are viewed as inadequate); broadly : a self-appointed doer of justice
Note the parenthetic comment - "when the processes of law are viewed as inadequate".
In this case, the processes of law are NON-EXISTENT. It is by definition inadequate. Yes, this is vigilante justice, mainly because our governments have totally failed to properly regulate these issues.
We need a simple government agency to report internet based vulnerabilities. Once reported, the manufacturer should have one month to fix it - and push the fix out. With monetary fines for a failure to do that - calculated so that 1 vulnerability in 100% of their products cuts 10% of their gross profit (note gross, not net).
excitingthingstodo.blogspot.com
The problem is threefold.
Firstly, lack of updates: SoC vendors are notorious for porting one or two versions of Linux, throwing it over the wall to device vendors and then doing nothing to keep it up to date. Some SoCs can be used with upstream kernels, but very often with reduced functionality. The device vendors in turn add their own customisations to that kernel that the SoC vendor threw over the wall. Quickly you end up with something that cannot reasonably be updated to a new upstream version. It is possible to some extent to backport security fixes, but it's a lot of work, so it is likely to get skipped entirely or at least restricted to the most severe vulnerabilities.
Secondly, the vendors doing the work often do it without really caring about security, which can lead to busting big holes in the user-security model. Remember "exynos-mem"?
Thirdly, if your application layer is full of holes then attackers will be able to get whatever privileges that application has. If that is root then the attacker has full control of the device. Even if it is not root, the attacker may well be able to elevate to root due to the first and second points.
note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register
Nothing is so secure that a complete idiot can't screw it up and render it insecure (consider Fort Knox, but someone stands the guards down and leaves the doors and vaults open).
When we say Linux is more secure, what we mean is that a reasonably competent person has a better chance of coming up with a reasonably secure Linux machine than they do using another OS.
Maybe we need to forget trying to secure devices and instead try to secure the router. Each device would have a profile, something like "can only access this short list of IP addresses, rate limited to X bytes/second and capped to X bytes/day." Literal alarm bells when limits are exceeded, with the device auto quarantined.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
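The per-device router profile proposed above (a short allowlist of destinations, a rate limit, a daily byte cap, and automatic quarantine with an alarm when a limit is exceeded) is straightforward to express as policy code. The following is an added example, not the commenter's code or any real router firmware; the device names, the vendor cloud range `203.0.113.0/24` and the flow records are constructed, and the `check_flow` interface is an assumption about how a router would hand flows to such a policy.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class DeviceProfile:
    """What one IoT device is permitted to do on the network."""
    name: str
    allowed_dsts: list        # ip_network objects the device may talk to
    max_bytes_per_sec: int    # per-flow rate limit
    max_bytes_per_day: int    # rolling daily cap, reset by new_day()


@dataclass
class DeviceState:
    bytes_today: int = 0
    quarantined: bool = False
    alerts: list = field(default_factory=list)  # the "alarm bells"


class PolicyRouter:
    """Evaluates flow records against per-device profiles; default-deny for unknown devices."""

    def __init__(self, profiles):
        self.profiles = {p.name: p for p in profiles}
        self.state = {p.name: DeviceState() for p in profiles}

    def check_flow(self, device, dst_ip, nbytes, duration_s):
        """Return 'allow' or 'drop'. Any violation quarantines the device for good."""
        if device not in self.profiles:
            return "drop"  # a device with no profile gets no network at all
        prof = self.profiles[device]
        st = self.state[device]
        if st.quarantined:
            return "drop"
        dst = ip_address(dst_ip)
        if not any(dst in net for net in prof.allowed_dsts):
            return self._quarantine(device, f"destination {dst_ip} not in profile")
        rate = nbytes / max(duration_s, 1e-9)  # guard zero-length flows
        if rate > prof.max_bytes_per_sec:
            return self._quarantine(device, f"rate {rate:.0f} B/s exceeds {prof.max_bytes_per_sec}")
        if st.bytes_today + nbytes > prof.max_bytes_per_day:
            return self._quarantine(device, "daily byte cap exceeded")
        st.bytes_today += nbytes
        return "allow"

    def _quarantine(self, device, reason):
        st = self.state[device]
        st.quarantined = True
        st.alerts.append(reason)
        return "drop"

    def new_day(self):
        """Reset daily counters; quarantine is deliberately not lifted automatically."""
        for st in self.state.values():
            st.bytes_today = 0


# Constructed profiles: both devices may only reach a (made-up) vendor cloud range.
CAMERA = DeviceProfile("camera", [ip_network("203.0.113.0/24")], 50_000, 100_000_000)
BULB = DeviceProfile("bulb", [ip_network("203.0.113.0/24")], 5_000, 1_000_000)

# Constructed flow records: (device, destination, bytes, duration in seconds).
SAMPLE_FLOWS = [
    ("camera", "203.0.113.10", 40_000, 1.0),   # normal upload
    ("camera", "203.0.113.10", 120_000, 1.0),  # 120 kB/s: rate limit exceeded
    ("camera", "203.0.113.10", 1_000, 1.0),    # dropped: camera is now quarantined
    ("bulb", "198.51.100.7", 500, 0.5),        # bulb talking to an unknown host
    ("thermostat", "203.0.113.10", 10, 1.0),   # no profile: default deny
]


def run_sample():
    """Apply the sample flows and return (decisions, router) for inspection."""
    router = PolicyRouter([CAMERA, BULB])
    decisions = [router.check_flow(*flow) for flow in SAMPLE_FLOWS]
    return decisions, router


if __name__ == "__main__":
    decisions, router = run_sample()
    print(decisions)
    for name, st in router.state.items():
        print(name, "quarantined" if st.quarantined else "ok", st.alerts)
```

Two design choices are worth noting: unknown devices are dropped rather than given a permissive default, and `new_day()` resets byte counters without lifting quarantine, so a compromised device stays isolated until someone looks at the alert.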
Don't forget they're trying to hit impossible price points with terrible economies of scale. Any feature that's not directly visible to the consumer (like quality software engineering) is a non-starter.
People want to be able to put code in a box, and have code to function without unwanted side effects. The consistent cognitive bias is towards placing blame on certain groups or practices as being at fault, then piling on.
This approach consistently ignores the root cause, the lack of a widely used, secure operating system for anything smaller than an IBM mainframe.
If your OS can't be counted on to limit the side effects of a program to those chosen at runtime, you can't trust it.
Windows doesn't do this, nor does any other common operating system on PCs or embedded systems.
The reason mainframe systems are secure is that you specify everything to be tossed into running a program prior to its execution, and it can't ever exceed those capabilities.
We need to make things like GNU Hurd or Genode a viable choice for programmers and hackers, then for the average home user. If this is done, then we can finally actually fix things once and for all.
Until then, enjoy being the sump pump for the world of IT.
Hmm.
Nobody likes vigilantes! (Not even Batman).
But a serious question: How can people be protected?
While the techies can home brew something, what real products or solutions are there for the "casuals", the civilians and the "tech-vulnerable"??
Are there any fairly cheap, zero configuration overhead solutions out there right now?
Any options?
(R)ule in Hell or (S)erve in Heaven [R]?
Insecurity isn't a necessary component of corporate data-harvesting... it's quite possible to make a device with robust, impenetrable security that encrypts & transports vast quantities of harvested data to its corporate masters.
These are the REAL problems with most IoT devices:
1. Devices with 8-bit MCUs that treat the internet like a UDP-implemented serial port & have no meaningful security of their own.
2. Linux's (intentional) lack of a stable kernel ABI, which makes it all-but-impossible for end users to take control of their own destiny and upgrade devices long after they've been abandoned by their manufacturers.
3. The lack of meaningful public documentation of the underlying SoC. If MediaTek, Qualcomm, etc. doesn't make proper datasheets available to the public, reverse-engineering some generic nameless webcam is going to be *really* hard unless you have access to the hardware & software tools usually owned only by companies or universities.
If somebody can name a sub-$60 IP camera with official open-source firmware, I'd *love* to be proven wrong, but the fact is, sub-$60 IP cameras are practically large-scale integrated circuits *themselves*. Seven times out of eight, not even the nominal *manufacturer* of the camera has access to the full source code of its firmware... they buy some SoC, assemble it into a camera based on some generic reference design, and get all the firmware & drivers verbatim from the SoC's manufacturer (like the thousands of knock-off "Foscam-type" IP webcams).
1. Customers buy your insecure IoT devices.
2. BrickerBot renders them nonfunctional.
3. Customers no longer have a working IoT device, so they're in the market for a replacement.
4. Profit!
TODO:
Change your US warranty laws, so such bricked devices must be replaced for free. (See Europe for an example.)
(It's a device. It was used as it is supposed to be by the end user. The end user didn't subject it to any abuse. The device suddenly stopped working unexpectedly. It has to be replaced under warranty.)
That will teach the manufacturer of shitty goods.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
5. Consumers have to return broken devices or re-purchase cheap IoT until they feel it is no longer worth constantly replacing broken devices, lowering the demand for IoT devices.
6. IoT developers have to constantly replace broken devices until they either drop the IoT design, update security or face bankruptcy.
They may sell more IoT devices in the short term, but overall they will fail to profit in the long term.
The real problem is that IDIOT (Insecurely Designed Internet Of Things) devices can be accessed from the net via telnet, with default passwords, or even no passwords. I don't care if you're running Linux, Windows, BSD, OS/2, or whatever; using telnet is begging to be owned.
Telnet is an ancient, insecure protocol, from "a kinder/gentler time". When DARPAnet was started as a US-only project, you needed security clearance to access a mainframe or mini computer that could access the net. Every April 1st, there would be spoofed messages from "KREMVAX" (Kremlin minicomputer); that was fun, and nobody seriously believed it would happen. Telnet was appropriate for the conditions at that time.
The authors of telnet had no way of knowing that DARPAnet would become accessible by the average person worldwide, by cheaply made crap devices, and by organized criminals in 2nd and 3rd world countries.
I'm not repeating myself
I'm an X window user; I'm an ex-Windows user
The lack of stable interfaces (both ABIs and APIs) means that not only can you not upgrade the proprietary bits, but you can't easily upgrade the rest of the kernel either. Your hardware drivers stop you from easily upgrading your network stack or the code that manages privilege separation.