The Internet of Things = The Internet of Bots?

Discussion in 'Technical Corner' started by Palmpilot, Oct 25, 2016.

  1. Palmpilot

  2. NoHeat

    Yes, there is little incentive for the device manufacturers to take preventive measures. They can make cheap stuff, and it will sell, without bothering.

    And there's no incentive for device owners to do anything about it.
     
  3. John221us

    The astonishing thing about this virus (Mirai) is that it utilizes a username/password dictionary of only 60 different items. This is not a sophisticated attack. A lot of this is highly preventable by merely changing the default password. Of course the next iteration will be more sophisticated, so it makes sense to use a strong password, especially for any device with edge exposure. But millions of devices were compromised...
     
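Added example (editor's code, not from any poster in this thread or from Mirai itself): the detection side of what John describes. A bot walking a small fixed credential dictionary across many hosts looks nothing like a person mistyping a password, and that difference is easy to key on. The log format, the addresses and the DEFAULT_CREDS subset are all constructed for the example; the real published list is longer and should be taken from a maintained source.

```python
"""Flag Mirai-style default-credential sweeps in telnet login records.

Added example, not from the thread or from Mirai. The log format is
constructed (honeypot-style: source, target, username, password, outcome)
and DEFAULT_CREDS is a small hand-picked subset of the publicly reported
Mirai list, included only to show the check; use a maintained list in
practice.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed subset of factory-default username/password pairs (not complete).
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
    ("admin", "password"), ("root", "root"), ("support", "support"),
    ("user", "user"), ("admin", ""), ("root", ""),
}


def parse_line(line):
    """'<ISO-8601 UTC ts> k=v k=v ...' -> dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value          # 'pass=' yields an empty password
    return rec


def find_sweeps(lines, min_creds=5, min_hosts=3, window=timedelta(minutes=10)):
    """Return {src: summary} for every source that tries at least `min_creds`
    distinct username/password pairs against at least `min_hosts` targets
    within `window`. One user mistyping a password never trips this; a bot
    walking a 60-entry dictionary across a /24 does."""
    by_src = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            by_src[rec["src"]].append(rec)

    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            win = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            creds = {(r["user"], r["pass"]) for r in win}
            hosts = {r["dst"] for r in win}
            if len(creds) >= min_creds and len(hosts) >= min_hosts:
                alerts[src] = {
                    "attempts": len(win),
                    "distinct_creds": len(creds),
                    "hosts": sorted(hosts),
                    "default_creds_used": sorted(creds & DEFAULT_CREDS),
                    # A success against a known default is a device to pull offline now.
                    "successes": [(r["dst"], r["user"], r["pass"])
                                  for r in win if r["result"] == "ok"],
                }
                break                 # one alert per source is enough
    return alerts


# Constructed sample: one sweeping bot and one legitimate user who mistypes once.
SAMPLE_LOG = """\
2016-10-21T12:00:01Z src=203.0.113.5 dst=192.0.2.10 user=root pass=xc3511 result=fail
2016-10-21T12:00:02Z src=203.0.113.5 dst=192.0.2.10 user=root pass=vizxv result=fail
2016-10-21T12:00:03Z src=203.0.113.5 dst=192.0.2.11 user=admin pass=admin result=fail
2016-10-21T12:00:04Z src=203.0.113.5 dst=192.0.2.11 user=root pass=888888 result=fail
2016-10-21T12:00:05Z src=203.0.113.5 dst=192.0.2.12 user=root pass=default result=fail
2016-10-21T12:00:06Z src=203.0.113.5 dst=192.0.2.12 user=admin pass=password result=ok
2016-10-21T12:05:00Z src=198.51.100.7 dst=192.0.2.10 user=alice pass=Tr0ub4dor result=fail
2016-10-21T12:05:30Z src=198.51.100.7 dst=192.0.2.10 user=alice pass=correcthorse result=ok
"""

if __name__ == "__main__":
    for src, summary in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(src, summary)
```

The thresholds are deliberately low so the constructed sample trips them; on a real telnet honeypot you would tune `min_creds`, `min_hosts` and `window` against your own baseline, and the `successes` list is the part worth paging on, since it names the device that just accepted a factory default.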
  4. cowman

    You'll never have the level of security on these things that you see on, say, a PC. As much as we make fun of Windows security, Windows is the target of most malware/hacks by virtue of being the most widely used OS. Because of all that, it is in a constant state of update. It's in a sense hardened and battle tested. Or, to use a medical analogy, Windows has been all around the world and caught every disease possible... now it's immune to most. These one-off devices and OS setups are a bit more like an isolated tribe of people... as soon as smallpox comes in, they're done.
     
  5. Dr. O

    Given that the purchasers of security cameras, baby monitors, and on and on are not PC smart (most), we have to protect the internet from their ignorance.
    Perhaps a requirement on the manufacturers that the devices will not operate for more than the first hour (gives the user time to see that the unit works) until a strong password is entered by the purchaser and then changed every 30 days.
    Yeah, the user dummies will not be happy (shrug) - not my problem
     
  6. saha

    I really don't think blaming the victims of this is helpful. This is what regulation is for, and rightly so. Car deaths resulting from a plethora of shoddy car companies (there used to be hundreds in the US alone) resulted in the government stepping in so people wouldn't have to think about whether their car would blow up when they drove it off the lot. That's probably what needs to happen in these cases as well. We regulate lots of foreign goods as well - like produce and toys for kids. Unfortunately regulators have a mixed record on doing it once they get involved.
     
  7. John221us

    I suppose regulation would seem to be an easy solution, but the government doesn't move fast enough to keep up with technology. I think pressure on the manufacturers from one of the standardization bodies, such as IEEE, would probably be more effective.
     
  8. wsuffa

    Until we have standards and enforcement - including recalls - that make the manufacturer responsible, this will continue to happen.

    Don't hold your breath.
     
  9. denverpilot

    There's a bit of a little white lie in this sentiment, and I've heard it before.

    Here's reality: Windows, and all OSs are attacked...

    Because they can be.

    And software "engineering", really isn't.

    If you engineered structures as well as software is "engineered", more than 9/10 of them would fall down.

    The world needs a big "event" that knocks out really critical infrastructure for a while, before it'll get serious about software. Not quite integrated enough yet.
     
  10. mkosmo

    To add to the above... Plenty of "IoT" devices are hardened more than any commodity PC. The problem is the new low-grade "IoT" devices that are quick to market and made of shoddy work. It's just often surprising how often critical infrastructure is cheaply developed. Folks still won't get serious about software after a critical event... they'll just "improve" the processes surrounding the development lifecycles.
     
  11. Tarheelpilot

    I do blame the consumer. No regulation needed
     
  12. denverpilot

    How many consumers know jack crap about data networking and software development?

    All they know is someone offered them a wifi router for $20.

    They have no idea the software running it wasn't written to any sort of security or safety standard.
     
  13. mkosmo

    Some of it gets mildly audited by mediocre pentesters, at least... but those blog posts never get seen by the light of day nor do findings ever make it through proper channels for disclosure. One day I imagine there will be a nonprofit pentest group that does nothing but test these devices and publish results. I know there are some groups out there, but there's not near enough coverage to cover the sloppy culture.
     
  14. Tarheelpilot

    I'm sure many don't, and the fact is if they gave a **** they would. It's not necessary to be able to write code to be an educated consumer. It's not the manufacturer's responsibility to protect people from their own ignorance and laziness. Nor is it the government's job to protect people from their own stupidity.
     
  15. denverpilot

    Who would want to do pen testing for no profit? Pen testing is an awful way to spend a day/week/month/year/decade of your life.

    Only people I know who are really good at it, are also making a LOT of money to do it, and they almost universally hate it.
     
  16. denverpilot

    It's not the consumer who bought the thing, who's being attacked. The consumer devices are being used as someone else's megaweapon against much bigger things.

    An example might be if everyone who purchased a firearm didn't know that those firearms were built in such a way that anyone with a weekend worth of figuring out the very bad built in design flaws, could give themselves remote control powers over all of them, and fire them at anything they pleased.

    Realistically, the Internet's problem is also its weakness... non-identified machines may talk to other machines generally at will. Great inside academia and the military, where this sort of networking started, but pretty stupid for a public network.
     
  17. mkosmo

    I never said they had to be good pentesters, just mediocre. Plenty of kids out there looking to make a name without enough experience or credibility to make money at it yet.
     
  18. denverpilot

    Ahh, that era is long over. Even fast food workers get paid, and pen testing isn't as easy as flipping burgers.

    You need training to do it nowadays, and a lot of it. Anyone doing it deserves a buck or thousand.

    Most successful pen tests that get real data out of places are SQL injection attacks and attacks against reasonably well thought out authentication schemes. If you're learning enough to do an SQL injection attack, you definitely deserve to get paid, and paid well. Slogging through that sort of thing, sucks.

    Here's a clue though: If your garbage man makes more money than your pen tester...
     
  19. John221us

    It would go a long way if manufacturers just required a password change on first use and didn't allow things like admin/admin.
     
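Added example (editor's code, not from any poster or from any real device's firmware): what the device-side enforcement John is asking for, and that Dr. O sketched earlier in the thread, looks like in code. The device boots into a "password change required" state in which login is refused outright, it rejects the factory default and the short list of well-known defaults, and it stores only a salted PBKDF2 hash. The BANNED_DEFAULTS set is a constructed subset; the class, its method names and the 12-character floor are assumptions made for the example.

```python
"""First-boot credential policy for an embedded device's admin account.

Added example, not a real device's firmware. BANNED_DEFAULTS is a small
constructed subset of widely reported factory defaults; ship a fuller list.
"""
import hashlib
import hmac
import secrets

BANNED_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("admin", "admin"),
    ("admin", "password"), ("admin", "1234"), ("root", "root"),
    ("support", "support"), ("user", "user"),
}
# Any password from the default list is banned for every user, not just its pair.
BANNED_PASSWORDS = {p for _, p in BANNED_DEFAULTS} | {"", "123456", "password", "12345678"}
MIN_LENGTH = 12          # assumption for the example; pick your own floor
PBKDF2_ROUNDS = 200_000  # cheap on a desktop; tune to the device's CPU


def password_problems(username, password):
    """Return a list of reasons the password is unacceptable (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in BANNED_PASSWORDS or (username, password) in BANNED_DEFAULTS:
        problems.append("is a well-known default")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < 5:
        problems.append("too few distinct characters")
    return problems


class DeviceAuth:
    """Admin account that is unusable until the owner sets a real password."""

    def __init__(self, username="admin"):
        self.username = username
        self._salt = None
        self._hash = None
        self.must_change = True   # factory state: nothing can log in yet

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, username, new_password):
        """Apply the policy; returns the problem list (empty on success)."""
        problems = password_problems(username, new_password)
        if problems:
            return problems
        self.username = username
        self._salt = secrets.token_bytes(16)
        self._hash = self._derive(new_password, self._salt)
        self.must_change = False
        return []

    def login(self, username, password):
        """'ok', 'fail', or 'password_change_required'.

        While must_change is set the device should expose no network
        services at all; the only allowed action is set_password() from
        the local setup path."""
        if self.must_change:
            return "password_change_required"
        if username != self.username:
            return "fail"
        if hmac.compare_digest(self._derive(password, self._salt), self._hash):
            return "ok"
        return "fail"


if __name__ == "__main__":
    dev = DeviceAuth()
    print(dev.login("admin", "admin"))                    # refused: still in factory state
    print(dev.set_password("admin", "admin"))             # rejected with reasons
    print(dev.set_password("admin", "N0rth-Hangar-7Kt!")) # [] = accepted
    print(dev.login("admin", "N0rth-Hangar-7Kt!"))
```

The point of returning the reason list rather than a bare boolean is that the setup page can tell the owner exactly why "admin" was refused; a silent rejection just trains people to append "1" until it goes through. Note also that `login` returns the same answer for a wrong username and a wrong password, so the web UI does not leak which accounts exist.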
  20. Bob Noel

    Heck, my garbage man probably makes more money than my IA and A&P.

    How much some people get paid isn't necessarily a good measure of their value or worth.
     
  21. wsuffa

    A lot of IoT stuff is embedded and may or may not have password control.
     
  22. John221us

    I was talking about the edge devices that were vulnerable on this particular attack. Most of the controller devices have password control, but not so much the light bulbs. If someone punches a hole in their firewall to get to their nanny cam a) someone had to have enough knowledge to do that b) therefore they should have known better. So, I guess there is blame to go around, but the manufacturers can really help prevent this type of attack and it would not take a lot of effort.
     
  23. Palmpilot

    I'll never forget telling my mom, when I was growing up, that I had heard that garbage men got paid a lot of money and that I thought I might become a garbage man when I grew up. She said, "YOU ARE NOT!!!"

    On the other hand, if the garbage went uncollected for a few weeks, we might all have to adjust our thinking on what garbage men are worth.
     
  24. mkosmo

    I'm tired of seeing pentesters that only know how to execute some metasploit command handed to them... and having that output be their report... so I wouldn't pay most of them for that kind of crap tier service.

    I'll agree with the SQL injection data exfil vector, obviously, but the decent auth schemes? Too many crappy auth schemes available to focus on unless it's a targeted attack.
     
  25. denverpilot

    Most are. If you're pen testing for script kiddies, a targeted attack will get right in. Just depends on what you're defending against and how much money and time you're willing to spend on it.

    Most places stop at script kiddies. That's just the economic realities of it. Technically most places stop at whatever they're required to do by customers. Bigger customers, more money, larger security staff on their side, more requirements on vendors.

    One can easily let a large customer's double- or triple-digit staff get out of hand wanting to keep their staff busy pestering vendors. We have a customer whose very nice head security guy visited us; he joked that he's the boss of all the people who work for their company who carry firearms. We had to explain some realities to his security staff, who wanted some heavy things that were unnecessary.

    Kept them happy, but also had to explain we weren't building Ft. Knox for the data, because the data wasn't identifiable to individuals or in any way usable even if it was all stolen, without someone also stealing much harder-to-get information from the customer themselves.