The Internet of Things = The Internet of Bots?

Yes, there is little incentive for the device manufacturers to take preventive measures. They can make cheap stuff, and it will sell, without bothering.

And there's no incentive for device owners to do anything about it.
 
The astonishing thing about this virus (Mirai) is that it utilizes a username/password dictionary of only 60 different items. This is not a sophisticated attack. A lot of this is highly preventable by merely changing the default password. Of course the next iteration will be more sophisticated, so it makes sense to use a strong password, especially for any device with edge exposure. But, millions of devices were compromised...
 
You'll never have the level of security on these things that you see on, say, a PC. As much as we make fun of Windows security, Windows is the target of most malware/hacks by virtue of being the most widely used OS. Because of all that it is in a constant state of update. It's in a sense hardened and battle tested. Or, to use a medical analogy, Windows has been all around the world and caught every disease possible... now it's immune to most. These one-off devices and OS setups are a bit more like an isolated tribe of people.... as soon as smallpox comes in they're done.
 
Given that the purchasers of security cameras, baby monitors, and on and on, are (mostly) not PC smart, we have to protect the internet from their ignorance.
Perhaps a requirement on the manufacturers that the devices will not operate for more than the first hour (gives the user time to see that the unit works) until a strong password is entered by the purchaser and then changed every 30 days.
Yeah, the user dummies will not be happy (shrug) - not my problem
 
I really don't think blaming the victims of this is helpful. This is what regulation is for, and rightly so. Car deaths resulting from a plethora of shoddy car companies (there used to be hundreds in the US alone) resulted in the government stepping in so people wouldn't have to think about whether their car would blow up when they drove it off the lot. That's probably what needs to happen in these cases as well. We regulate lots of foreign goods as well - like produce and toys for kids. Unfortunately regulators have a mixed record on doing it once they get involved.
 
> I really don't think blaming the victims of this is helpful. This is what regulation is for, and rightly so. Car deaths resulting from a plethora of shoddy car companies (there used to be hundreds in the US alone) resulted in the government stepping in so people wouldn't have to think about whether their car would blow up when they drove it off the lot. That's probably what needs to happen in these cases as well. We regulate lots of foreign goods as well - like produce and toys for kids. Unfortunately regulators have a mixed record on doing it once they get involved.
I suppose regulation would seem to be an easy solution, but the government doesn't move fast enough to keep up with technology. I think pressure on the manufacturers from one of the standardization bodies, such as IEEE would probably be more effective.
 
Until we have standards and enforcement - including recalls - that make the manufacturer responsible, this will continue to happen.

Don't hold your breath.
 
> You'll never have the level of security on these things that you see on, say, a PC. As much as we make fun of Windows security, Windows is the target of most malware/hacks by virtue of being the most widely used OS. Because of all that it is in a constant state of update. It's in a sense hardened and battle tested. Or, to use a medical analogy, Windows has been all around the world and caught every disease possible... now it's immune to most. These one-off devices and OS setups are a bit more like an isolated tribe of people.... as soon as smallpox comes in they're done.

There's a bit of a little white lie in this sentiment, and I've heard it before.

Here's reality: Windows, and all OSs are attacked...

Because they can be.

And software "engineering", really isn't.

If you engineered structures as well as software is "engineered", more than 9/10 of them would fall down.

> Until we have standards and enforcement - including recalls - that make the manufacturer responsible, this will continue to happen.
>
> Don't hold your breath.

The world needs a big "event" that knocks out really critical infrastructure for a while, before it'll get serious about software. Not quite integrated enough yet.
 
To add to the above... Plenty of "IoT" devices are hardened more than any commodity PC. The problem is the new low-grade "IoT" devices that are quick to market and made of shoddy work. It's just often surprising how often critical infrastructure is cheaply developed. Folks still won't get serious about software after a critical event... they'll just "improve" the processes surrounding the development lifecycles.
 
I do blame the consumer. No regulation needed.

How many consumers know jack crap about data networking and software development?

All they know is someone offered them a wifi router for $20.

They have no idea the software running it wasn't written to any sort of security or safety standard.
 
Some of it gets mildly audited by mediocre pentesters, at least... but those blog posts never get seen by the light of day nor do findings ever make it through proper channels for disclosure. One day I imagine there will be a nonprofit pentest group that does nothing but test these devices and publish results. I know there are some groups out there, but there's not near enough coverage to cover the sloppy culture.
 
> How many consumers know jack crap about data networking and software development?
>
> All they know is someone offered them a wifi router for $20.
>
> They have no idea the software running it wasn't written to any sort of security or safety standard.
I'm sure many don't, and the fact is if they gave a **** they would. It's not necessary to be able to write code to be an educated consumer. It's not the manufacturer's responsibility to protect people from their own ignorance and laziness. Nor is it the government's job to protect people from their own stupidity.
 
> Some of it gets mildly audited by mediocre pentesters, at least... but those blog posts never get seen by the light of day nor do findings ever make it through proper channels for disclosure. One day I imagine there will be a nonprofit pentest group that does nothing but test these devices and publish results. I know there are some groups out there, but there's not near enough coverage to cover the sloppy culture.

Who would want to do pen testing for no profit? Pen testing is an awful way to spend a day/week/month/year/decade of your life.

Only people I know who are really good at it, are also making a LOT of money to do it, and they almost universally hate it.
 
> I'm sure many don't, and the fact is if they gave a **** they would. It's not necessary to be able to write code to be an educated consumer. It's not the manufacturer's responsibility to protect people from their own ignorance and laziness. Nor is it the government's job to protect people from their own stupidity.

It's not the consumer who bought the thing who's being attacked. The consumer devices are being used as someone else's megaweapon against much bigger things.

An example might be if everyone who purchased a firearm didn't know that those firearms were built in such a way that anyone with a weekend worth of figuring out the very bad built in design flaws, could give themselves remote control powers over all of them, and fire them at anything they pleased.

Realistically the Internet's problem is also its weakness... non-identified machines may talk to other machines generally at will. Great inside academia and the military where this sort of networking started, but pretty stupid for a public network.
 
> Who would want to do pen testing for no profit? Pen testing is an awful way to spend a day/week/month/year/decade of your life.
>
> Only people I know who are really good at it, are also making a LOT of money to do it, and they almost universally hate it.
I never said they had to be good pentesters, just mediocre. Plenty of kids out there looking to make a name without enough experience or credibility to make money at it yet.
 
> I never said they had to be good pentesters, just mediocre. Plenty of kids out there looking to make a name without enough experience or credibility to make money at it yet.

Ahh, that era is long over. Even fast food workers get paid, and pen testing isn't as easy as flipping burgers.

You need training to do it nowadays, and a lot of it. Anyone doing it deserves a buck or thousand.

Most successful pen tests that get real data out of places are SQL injection attacks and attacks against reasonably well thought out authentication schemes. If you're learning enough to do an SQL injection attack, you definitely deserve to get paid, and paid well. Slogging through that sort of thing sucks.

Here's a clue though: If your garbage man makes more money than your pen tester...
 
It would go a long way if manufacturers just required a password change on first use and didn't allow things like admin admin.
 
> Here's a clue though: If your garbage man makes more money than your pen tester...

Heck, my garbage man probably makes more money than my IA and A&P.

How much some people get paid isn't necessarily a good measure of their value or worth.
 
> It would go a long way if manufacturers just required a password change on first use and didn't allow things like admin admin.

A lot of IoT stuff is embedded and may or may not have password control.
 
> A lot of IoT stuff is embedded and may or may not have password control.

I was talking about the edge devices that were vulnerable in this particular attack. Most of the controller devices have password control, but not so much the light bulbs. If someone punches a hole in their firewall to get to their nanny cam, a) someone had to have enough knowledge to do that, b) therefore they should have known better. So, I guess there is blame to go around, but the manufacturers can really help prevent this type of attack and it would not take a lot of effort.
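The mitigation proposed twice in this thread (a device that only runs unconfigured for a short grace period, refuses factory-default pairs such as admin/admin, forces a password change on first use, and asks for a new one every 30 days) can be sketched as a small credential gate. The code below is an added illustration, not firmware from any real device or code posted by anyone in the thread; the denylist, the length and diversity thresholds, and the PBKDF2 storage are assumptions chosen for the example, while the one-hour grace window and 30-day rotation follow the proposals above.

```python
"""Illustrative first-use credential gate for an embedded device.

Added example for this discussion; not code from any product or poster.
Policy parameters: one-hour unconfigured grace window and 30-day rotation
(as proposed in the thread); denylist, length rule and hashing are assumed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

# Constructed denylist of factory-default pairs that must never be accepted
# (lowercase username, lowercase password). Not taken from any real device.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", ""),
    ("root", "root"),
}
MIN_LENGTH = 12                          # assumed minimum length
MIN_DISTINCT_CHARS = 5                   # assumed: rejects "aaaaaaaaaaaa"
GRACE_SECONDS = 60 * 60                  # device serves traffic this long unconfigured
ROTATION_SECONDS = 30 * 24 * 60 * 60     # password must be changed again after this
PBKDF2_ROUNDS = 100_000                  # assumed work factor


@dataclass
class CredentialState:
    """What the device persists: never the password itself, only a salted hash."""
    first_boot: float                    # epoch seconds at first power-on
    username: str = "admin"
    salt: Optional[bytes] = None
    password_hash: Optional[bytes] = None
    password_set_at: Optional[float] = None


def _derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so a dumped flash image does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def check_password(username: str, candidate: str) -> List[str]:
    """Return the policy violations for a proposed password; empty list means acceptable."""
    problems: List[str] = []
    if (username.lower(), candidate.lower()) in DEFAULT_CREDENTIALS:
        problems.append("matches a known factory-default credential pair")
    if candidate.lower() == username.lower():
        problems.append("password equals username")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(candidate)) < MIN_DISTINCT_CHARS:
        problems.append(f"fewer than {MIN_DISTINCT_CHARS} distinct characters")
    return problems


def set_password(state: CredentialState, candidate: str, now: float) -> List[str]:
    """Apply a new password if it passes policy; state is untouched on rejection."""
    problems = check_password(state.username, candidate)
    if problems:
        return problems
    state.salt = os.urandom(16)
    state.password_hash = _derive(candidate, state.salt)
    state.password_set_at = now
    return []


def verify_password(state: CredentialState, candidate: str) -> bool:
    """Constant-time check; an unconfigured device accepts nothing, not even a default."""
    if state.salt is None or state.password_hash is None:
        return False
    return hmac.compare_digest(_derive(candidate, state.salt), state.password_hash)


def service_allowed(state: CredentialState, now: float) -> bool:
    """Whether the device should accept network logins at time `now`.

    Unconfigured: only inside the grace window after first boot.
    Configured: only until the rotation deadline; after that, the management
    UI should offer nothing but the password-change screen.
    """
    if state.password_set_at is None:
        return 0 <= now - state.first_boot < GRACE_SECONDS
    return now - state.password_set_at < ROTATION_SECONDS


if __name__ == "__main__":
    device = CredentialState(first_boot=0.0)
    print("unconfigured, 10 min after boot:", service_allowed(device, 600))
    print("reject admin/admin:", set_password(device, "admin", 600))
    print("accept strong password:", set_password(device, "correct horse battery 42", 600))
    print("2 hours after boot:", service_allowed(device, 7200))
    print("31 days later:", service_allowed(device, 600 + 31 * 86400))
```

The point of separating `check_password` from `set_password` is that the rejection reasons can be shown to the user without the device ever storing a rejected value, and the grace-window rule in `service_allowed` is what turns "please change the default" into something the device enforces rather than suggests.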
 
> Heck, my garbage man probably makes more money than my IA and A&P.
>
> How much some people get paid isn't necessarily a good measure of their value or worth.
I'll never forget telling my mom, when I was growing up, that I had heard that garbage men got paid a lot of money and that I thought I might become a garbage man when I grew up. She said, "YOU ARE NOT!!!" :hairraise:

On the other hand, if the garbage went uncollected for a few weeks, we might all have to adjust our thinking on what garbage men are worth. :eek2:
 
> Ahh, that era is long over. Even fast food workers get paid, and pen testing isn't as easy as flipping burgers.
>
> You need training to do it nowadays, and a lot of it. Anyone doing it deserves a buck or thousand.
>
> Most successful pen tests that get real data out of places are SQL injection attacks and attacks against reasonably well thought out authentication schemes. If you're learning enough to do an SQL injection attack, you definitely deserve to get paid, and paid well. Slogging through that sort of thing sucks.
>
> Here's a clue though: If your garbage man makes more money than your pen tester...
I'm tired of seeing pentesters that only know how to execute some Metasploit command handed to them... and having that output be their report... so I wouldn't pay most of them for that kind of crap tier service.

I'll agree with the SQL injection data exfil vector, obviously, but the decent auth schemes? Too many crappy auth schemes available to focus on unless it's a targeted attack.
 
> I'm tired of seeing pentesters that only know how to execute some Metasploit command handed to them... and having that output be their report... so I wouldn't pay most of them for that kind of crap tier service.
>
> I'll agree with the SQL injection data exfil vector, obviously, but the decent auth schemes? Too many crappy auth schemes available to focus on unless it's a targeted attack.

Most are. If you're pen testing for script kiddies, a targeted attack will get right in. Just depends on what you're defending against and how much money and time you're willing to spend on it.

Most places stop at script kiddies. That's just the economic realities of it. Technically most places stop at whatever they're required to do by customers. Bigger customers, more money, larger security staff on their side, more requirements on vendors.

One can easily let a large customer's double or triple digit staff get out of hand wanting to keep their staff busy pestering vendors. We have a customer whose very nice head security guy visited us; he joked that he's the boss of all the people who work for their company who carry firearms. We had to explain some realities to his security staff who wanted some heavy things that were unnecessary.

Kept them happy, but also had to explain we weren't building Ft Knox for the data because the data wasn't identifiable to individuals or in any way usable even if it was all stolen, without someone also stealing much harder information to get from the customer themselves.
 