Security Trends in 2016: Pervasive Insecurity
The term pervasive insecurity defines widespread and unwelcome instability or weaknesses in standardized systems. These systems are usually complex and can include poverty, political landscapes, or civil unrest. It's also a fantastic term to illustrate the train wreck of information systems security failures and publicizedvulnerabilities last year. Over the last year we've seen booming trends against embedded device exploits, data ransoming, and similar public displays of nefarious behavior. Why was 2016 such a banner year for exploitation? Who got pwned? What's our next steps to not protect ourselves but prevent our selves from being unknowing agents in coordinated attacks across the internet? The Data Didn't Look Good Then, Do You Think It Got Better? In 2010 researchers at Columbia University published results of a internet scan including basic analysis of connected devices and their potential for exploit using only low or basic levels of effort. Researchers were trying to discern past exploits, large scale attack feasibilities, amount of discoverable devices, and potential methods of securing devices. The numbers they published would be intimidating by today's standards but given we've had 6 years to continue the trend of inscurity, it's only getting worse. Creepy Results Of Default Credential Scan (2010) IP's scanned: 3,223,358,720 Devices Targeted Post Discovery: 3,912,574 Vulnerable Devices: 540,435 Vulnerability Rate: 13.81% Section 4.1 of the paper specifically calls out the DDoS potentials of devices identified in the study. Remember... 2010 people. If this threat isn't new and was well documented back in 2010, why is 2016 special? Infecting the Internet Of Things In You House Mirai was your big news source of late 2016 not because it exploited what the Columbia researchers knew in 2010, it was the largest publicized example that insecure connected systems pose. First KrebsOnSecurity experienced a ~620Gbps DDoS attack and shortly after OVH Cloud Solutions experienced a 1Tbps peak bandwidth attack. The reported 150,000+ connected home devices participating provided from 1Mbps to 30Mbps of bandwidth; together it was the largest known DDoS attack published to date. The true reasoning theorized by Brian Krebs may or may not be true but we didn't witness the potential Mirai posed. By releasing the source code Mirai's secret weapon of quietly locking systems could be outdone by someone willing to modify the code further. Diluting the compromised devices with multiple sources reduce each command and control servers effective attacking potential and so far, exploiters haven't been known to work together yet. You Didn't Do What To The Database?!? And Our Data Is Where?!? Poor MongoDB. It was the first public name associated with a string of database ransom requests starting late in 2016 and extending to... well... it's still going. Bleepingcomputer's coverage on security researchers Victor Gevers and Niall Merrigan investigation of multiple groups responsible for deleting databases and leaving ransom notes (not per the norm of encrypting and leaving on service). To date the attacks are against MongoDB, CouchDB, Hadoop, and Elastic Server services. Reading the tweets by Victor and Niall, the fever pitch of updates is comparable to race track announcers. And just like the Columbia researchers warned, these are not high level complex attacks. The systems compromised were exposed instances with no modified access controls or elevated authentication and the combined tally of pwned systems is hitting 50,000. As of today, Cassandra databases are now receiving threats to secure data. This is becoming a Game Of Thrones nailbiter and I want to keep reading! Someone is warning unaware unprotected Cassandra database (https://t.co/2UcEiraM5l) owners by creating an empty "your_db_is_not_secure" db. pic.twitter.com/XDfvSPjeno — Victor Gevers (@0xDUDE) January 24, 2017 You Don't Learn Anything The Second Time The Horse Kicks You The leak of sexy swinging data from Adultfriendfinder.com and their subsidiaries was a lesson in failures to learn from prior mistakes and a lack of data governance. Using known local file inclusion exploits and demonstrated to CIO magazine by security researcher 1x0123, password files and database schema on Adultfriendfinder.com production servers were made publicly visible. This exact LFI exploit was later used to release user data. How many were affected you ask? Oh... a little over 412,000,000+ users and no my finger did not get stuck on the zero key. Frustratingly for their users in 2015 3.5 million Adult Friend Finder accounts were to be released unless a $100,000 was paid to an angry admin in Thailand who claimed company owned his friend money. Exposed from the more recent AFF hack database details showed deleted users accounts were only being updated with a @deleted.com suffix (read the below Leakedsource link for details). Anyone that created an account and then deleted it never really had their data removed. This sets up Adult Friend Finder for a large class action lawsuit if the 63 million current users file along with anyone who ever had an account; all are eligible to file. It could've been prevented. A security audit, basic data governance, basic understanding of exploit vectors. The business decisions or failure of AdultFriendFinder systems teams may never go public but it does illustrate that security failures happen to any company size and not small dev shops. Leakedsource.com's has great details of the breach for some nice happy hour reading. Moving On... I Hope Oh 2016, thank goodness you're over but I have a feeling 2017 isn't going to be any better. From the data we know the threats have been around and apparently we're not doing enough to mitigate them but how do you tell your mother or brother to remember to check that telnet is disabled and ssh is only allowed from internal ports? How do you tell your grandparents to "go be security experts" suddenly because they have an internet-connected picture frame? You can't so now what? ISP's and backhaul networks need to be more responsible about preemptive monitoring for elevating malicious traffic. The technology is there but why should they pay for our inabilities to secure our systems? Manufacturers need global accountability to prevent releasing vulnerable products. They know that, but no single entity is regulating their sales so until someone clamps down and imposes restrictions, c'est la vie right? But really: We don't need connected hairbrushes We don't need connected toasters We don't need remote notification that our laundry is done We don't need a lot of things... but we want them. Our desire drives consumption and in turn will drive the industry, secured or not. Like our friends at Columbia University illustrated, we are living in a world of pervasive insecurity and that's never going to change. I'll be at my boat now. There's no internet there, only ocean.Security Trends in 2016: Securing the Internet of Things
Whenever you connect anything to the internet, there is risk involved. Just ask the millions of IoT zombies infected with Mirai. Sure, there have been various stories over the years about hacking thermostats, refrigerators, cameras, pacemakers, insulin pumps and other medical devices along with cars, homes and hotel rooms…but Mirai took it to a new level. And it’s not the only IoT botnet out there nor are these nasty botnets going away anytime soon. There’s a gold mine of unprotected devices out there waiting to either have their/your info stolen or be used to flood another website with traffic. This is bound to compound in the years to come. A recent Ponemon Institute report noted that an incredible 80% of IoT applications are not tested for vulnerabilities. Let’s try that again – only 20% of the IoT applications that we use daily are tested for vulnerabilities. There’s probably no indication or guarantee that the one you are using now has been tested. Clearly a trend we saw in 2016, and seems to continue into 2017, is that people are focusing too much on the ‘things’ themselves and the coolness factor rather than the fact that anytime you connect something to the internet, you are potentially exposing yourself to thieves. There has been such a rush to get products to market and make some money off a new trend yet these same companies ignore or simply do not understand the potential security threats. This somewhat mimics the early days of internet connectivity when insecure PCs dialed up and were instantly inundated with worms, viruses and email spam. AV/FW software soon came along and intended to reduce those threats. Today it’s a bit different but the cycle continues. Back then you’d probably notice that your computer was acting funky, slowing down or malfunctioning since we interacted with it daily. Today, we typically do not spend every waking hour working with our IoT devices. They’re meant to function independently to grab data, make adjustments and alert us on a mobile app with limited human interaction. That’s the ‘smart’ part everyone talks about. But these botnets are smart themselves. With that, you may never know that your DVR is infected and allowing someone across the globe (or waiting at the nearest street corner) watch your every move. Typical precautions we usually hear are actions like changing default passwords, not connecting it directly to the internet and updating the firmware to reduce the exposure. Software developers, too, need to plan and build in security from the onset rather than an afterthought. The security vs. usability conundrum that plagues many web applications extends to IoT applications also. But you wouldn’t, or I should say, shouldn’t deploy a financial application without properly testing it for vulnerabilities. There the risk is financial loss but with IoT and particularly medical/health devices the result can be deadly. Mirai was just the beginning of the next wave of vulnerability exploitation. More chaos to come. ps Related: Rise of the Machines Report - Institute of Critical Infrastructure Technology (pdf) The Botnet that Broke the Internet Isn’t Going Away Mirai Strikeback - an iRule to kill IoT Bot Processes from your F5 Security Sidebar: Regulating the Internet of Things Hotel ransomed by hackers as guests locked in rooms 80% of IoT apps not tested for vulnerabilities, report says Awesome IoT Hacks (Github) RSA 2017: The Internet of Things security threatLightboard Lessons: Mirai Botnet and GRE Floods
The Mirai Botnet grabbed headlines at the end of last year when it used thousands of IoT devices to launch DDoS attacks on several targets. These attacks were larger than anything the Internet has ever seen. While it's certainly newsworthy to discuss the Mirai Botnet in general, we wanted to dig a little deeper into one of the actual DDoS attack vectors used by this botnet. So, in this video we talk about Mirai but we dig into GRE floods and how they work. Enjoy! Related Resources: Mirai Strikeback - an iRule to kill IoT Bot Processes from your F5 F5 Labs Analysis -- Mirai: The IoT Bot That Took Down Krebs And Launched A Tbps Attack On OVH
