Posted on 10/21/2016 8:48:16 PM PDT by snarkpup
Updated: Today, a huge army of hijacked internet-connected devices, from security cameras to home routers, turned on their owners and broke a big chunk of the internet.
Compromised machines, following orders from as-yet unknown masterminds, threw huge amounts of junk traffic at servers operated by US-based Dyn, which provides DNS services for websites large and small.
We're told gadgets behind tens of millions of IP addresses were press-ganged into shattering the internet, a lot of them running the Mirai malware, the source code to which is now public so anyone can wield it against targets.
The result: big names including GitHub, Twitter, Reddit, Netflix, AirBnb and so on, were among hundreds of websites rendered inaccessible to millions of people around the world for several hours today.
Dyn tells us it has weathered the storm for now, and services are coming back online. Here's what we know:
...
El Reg has been banging about IoT security for ages: Mirai is now targeting cellular gateways. Not enough is being done to patch insecure gadgets. Do gizmos need some sort of security-warning labels? The blame here is not with Dyn. It is not even with the owners of the hijacked devices. It lies with the botnet operators and, perhaps more crucially, the dimwit IoT manufacturers who crank out criminally insecure hardware that can be compromised en masse.
Until there is a standards crackdown, and vulnerable devices are pulled offline, this will continue on and on until there is no internet left.
(Excerpt) Read more at theregister.co.uk ...
I would also bet that, tomorrow, users will not be disconnecting these devices, even though what these things are doing should now be obvious to the public.
The really scary vulnerability that no one seems to want to discuss involves SCADA interfaces.
Dyn is a crucial component in the internet's infrastructure...
One of the features of the internet that is commonly hyped is that it is supposed to be fundamentally reliable because it does not have crucial components. This is another part of the problem.
M4L
Web Hack
Our SCADA system is an intranet. Only connected to itself, and not to the internet. Now things can happen to communication systems that can disrupt, but there are backups for that too. Not saying it’s not impossible, but it would be really tough. I’d like to know what it is like in other places.
For those who want to learn more, an article on SCADA (Supervisory control and data acquisition) here discusses some of these security issues, beginning with:
SCADA systems that tie together decentralized facilities such as power, oil, gas pipelines, water distribution and wastewater collection systems were designed to be open, robust, and easily operated and repaired, but not necessarily secure.
Dyn is used because it lets big sites outsource their DNS servers cheaply and reduce staff. A lot of them are probably regretting that now.
I think a lot of sites are going to pull back their primary DNS in house and use Dyn only as a secondary (if that). There are other services like GoDaddy that they could also use for secondary.
Meanwhile the idiot Chinese manufacturer that put the same freaking password on a million DVRs and cameras should be sued out of existence. Although knowing China they just might arrest them.
The article mentions OpenDNS. Anybody had any experience with this?
http://www.nirsoft.net/utils/wireless_network_watcher.html
Wireless Network Watcher v2.02
Copyright (c) 2011 - 2016 Nir Sofer
OpenDNS is supposed to be a good client DNS. (They do caching which is why end users could still reach a lot of sites.) I’m not sure of their rep as a server DNS though.
I talked to a couple of those types today. They’re not amused. In fact they’re scared.
L
The alleged IoT technique is pretty slick. As if.. my toaster or iron is contributing to the meltdown and downfall of the cloud — oh, the irony...
This is going to serve as a wakeup call for a lot of device manufacturers and infosec in general, I think.
US and Japanese manufacturers seem to be better about security than the Chinese. (For example I’ve never heard of a remote hack on a Comcast X1 or a TiVo with default settings.)
One thing I would suggest is that there should always be a physical button to gain initial access to the device, and so only then can the user configure their own pw/cert/key for remote management.
I have it from a very high level source that the United States is planning a cyber attack on Russia. This is a covert operation so don't tell anybody about it. Just joking. Only an idiot would say something like that. Foreign intelligence services have budgets in the billions of dollars. You can pay someone to hack a gmail account for $129. If some guy in Romania in his mother's basement can hack into gmail accounts what can a billion dollar organization do? The Russians are being accused of providing WikiLeaks with information. The Russians deny it. Who are you going to believe, Vladimir Putin or Hillary Clinton? This incident is a Godsend. It might wake people up to the fact that our entire society can be shut down. We should not be threatening other tech savvy nations.
>> This is going to serve as a wakeup call for a lot of device manufacturers and infosec in general, I think
You think well...
Just had a short discussion with Alexa to make sure that I’m still the boss.
Thank God robotics technology is still in its primitive stage.
I’m thinking there are plenty of good people protecting our Constitutional way of life.
>> The Russians are being accused of providing WikiLeaks with information.
No doubt Wiki-gate is total entertainment for the Russians.
>> We should not be threatening other tech savvy nations.
Agreed. Wag the dog BS perpetrated by domestic degenerates.
All you have to do to get around this is to use Tor browser, so if it happens again, download Tor.
It redirects you around all the DDOS chaos.
BUMP!
I think the uniparty did this to get credibility for their ‘Russian Hackers’ meme.
Had to be the Russian Intelligence Agency, they're desperately trying to help Trump win........./s