SANS issues call to arms to battle IoT botnets

The SANS Institute is hoping sysadmins can help it to do what vendors won't: improve Internet of Things security. The call comes in the wake of not one but two IoShitT-based botnet attacks – the 600 Gbps-plus slam that sent security publication Krebs on Security from Akamai to Google Shield, and the same botnet escalating to …

  1. Doctor Syntax Silver badge

    I can't help thinking this is a post-bolt attempt to shut stable doors.

    Assuming these login attempts aren't from white hats it means that insecure stuff is out in the field in sufficient numbers that not only have criminals discovered the weaknesses but have concluded that it's worth attacking. If the manufacturers patch it in future production that's at least something but unless the installed base gets patched the problem isn't being dealt with.

    The root problem is that insecure stuff gets marketed in the first place. We need enforced standards comparable to those regulating other hazards, e.g. chemical and electrical. What's more likely is that the current crop of trade negotiations - which ought to incorporate this - would enable manufacturers to sue governments that tried to introduce such regulation.

    In the meantime, given that the problem exists there should be mitigation. One approach would be for manufacturers to take responsibility for the stuff out there by scanning for it and using the same open doors to patch it, removing any unauthorised S/W that's been installed and closing the doors for good. That's likely to be a race as any criminal takeover has probably changed default passwords already.

    Another would be to draw up lists of such installations by ISP and pressure the ISPs to liaise with their customers, the pressure being that ISPs who don't cooperate get disconnected from the net and customers who don't respond to the ISP get disconnected from the ISP. This might be draconian but with the current state of affairs draconian is what's needed.

    1. Spoobistle

      Push the costs back to the suppliers

      Consumer protection law could be upgraded/enforced better - if the IoT device you bought was used in a botnet, you get to pay damages to the victim - but you also get to recover those damages from the supplier. Once people get the idea that cheap tat isn't a saving but a liability, the suppliers will beef up security pretty quickly if they want to sell anything.

      1. You aint sin me, roit

        Re: Push the costs back to the suppliers

        I don't think you can blame consumers who bought a DVR in good faith, connected it to a network following the manufacturer's guidelines and never knew their machine was part of a DDoS attack.

        The article highlights the problems:

        Log in using the default credentials;

        Disk is writable from telnet;

        Target will build binaries.

        If a manufacturer really needs to write to the disk from telnet and build binaries, then they really, really, really need to make telnet secure.

        And default credentials aren't secure.

  2. kbannan

    Any networked device can be used as a weapon online. You have to protect yourself and your network. There's a great article that explains why I say that. From that article: "Research conducted by the Ponemon Institute reported that 60 percent of companies surveyed had a data breach involving printers, requiring an average of 46 days to resolve a cyberattack." The bitly is /2ctpAK9

    So how do you fix this problem? I don't think taking a DIY strategy is going to work. Maybe it's time for more vendors and organizations to start working together. The hackers are smart enough to do it. Why shouldn't we?

    --Karen Bannan for IDG and HP.

    1. Doctor Syntax Silver badge

      "Maybe it's time for more vendors and organizations to start working together."

      No maybe about it, it's time. But it still isn't going to happen until someone makes them.

      Back in the C19th unscrupulous shop-owners adulterated food by adding cheap but not necessarily safe substances to bulk it out. It was time for them not to have done that but it required legislation to prevent it.

      Children were employed* in mines. It was time for them not to have been but the practice wasn't stopped until legislation took place after a disaster at Silkstone.

      The whole history of advances in safety of products and of working practices is the history of legislation and/or regulation. There's no reason to think that this is different. It's simple: until you can't bring such a device to market unless it's secure, insecure devices will be sold and deployed.

      *Yes, I know "employed" is an over-simplification.

    2. Terry Cloth

      We're talking security here, right?

      I don't click on bit.ly links, because there's no telling where you'll end up. Could you give us the actual URL?
