Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×

Submission + - Huge Necurs Botnet Adds DDoS Module (securityledger.com)

chicksdaddy writes: One of the globe’s largest networks of infected systems (or “botnets”) is now equipped with features that will allow it to launch denial of service attacks that could dwarf anything seen to date, the security Anubis Networks, a division of BitSight Technologies, reported.(http://blog.anubisnetworks.com/blog/necurs-proxy-module-with-ddos-features)

Research by Anubis found that the Necurs botnet, a global network of more than one million machines infected with the Necurs malware added a module in recent months that permits it to launch distributed denial of service (or DDoS) attacks against designated targets. The botnet has mostly been used for distribution of spam email to date and has not be enlisted to launch DDoS attacks.

Necurs has been documented since 2014 and spreads via infected email attachments. It is often installed as a secondary program by other “downloader” programs, according to an analysis by Trend Micro. To date, Necurs has been employed almost exclusively to send out spam email messages. However, the software is modular and supports other features, as well, Anubis notes. A module added in late August appears to provide DDoS attack features to the botnet, Anubis researchers said. Reverse engineering of the module identified commands used to send HTTP or UDP requests to arbitrary Internet addresses in an endless loop – typical denial of service activity.

DDoS features are not uncommon in botnet malware. What is different is the size of the Necurs botnets compared with others, including the recent Mirai botnet that took down managed DNS provider DYN, The Security Ledger notes (https://securityledger.com/2017/02/locked-and-loaded-huge-botnet-updated-for-ddos/). Mirai, which launched the largest denial of service attacks on record, topped out at around 200,000 infected hosts. But research by BitSight puts the number of nodes in the Necurs botnet at more than 650,000 as of June, 2016. The number may be smaller now, but an infection map currently puts the number of Necurs hosts at 208,000 – almost three times the size of the Mirai botnet (77,000 hosts).(https://intel.malwaretech.com/botnet/necurs)

Submission + - Too Few Women in Cyber Security? Blame Mr. Robot. (securityledger.com) 1

chicksdaddy writes: Women are under-represented in the field of technology, where they make up only 26% of professionals in the field of computing -that's actually down from their share of the workforce in 1990. At Facebook, just 17% of technical positions are occupied by women. (http://www.huffingtonpost.com/2015/03/27/women-in-tech_n_6955940.html) But the numbers in information security are even worse. There, just 11% of information security workers are women. (http://www.forbes.com/sites/stevemorgan/2016/03/28/calling-all-women-the-cybersecurity-field-needs-you/#68022bfb5ca4)

Why aren't more women drawn into the information security field, with its high salaries and flexible, family- and lifestyle-friendly workplaces? Blame Mr. Robot, says Chenxi Wang, a Computer Science Ph.D and the Chief Strategy Officer at the firm Twistlock. Wang says that the image the show promotes of hackers: young, hoodie clad, anti-social and male is the exact opposite of what young, highly educated women are likely to be drawn to. "Whenever you think about security you think of a guy in a hoodie in a dimly lit space, hacking a remote computer," Wang said on RSA Conference TV. (https://youtu.be/Fsz5IAeJZsE) "Mr. Robot really personifies that, but if you talk to high school girls, I'm not sure how many of them would consider that an attractive field," she said. "We need to change the rhetoric and how we talk about our work."

Want to attract women to the field? Talk about the pro-social aspects of computer security, not the anti social ones. (Wang uses the example of a researcher applying fraud detection algorithms to help the World Bank spot development aid fraud.)

The stakes are high. The US faces a massive information security worker shortage of over 200,000 workers.(http://www.forbes.com/sites/stevemorgan/2016/01/02/one-million-cybersecurity-job-openings-in-2016/#49b12aba7d27) Absent qualified candidates to fill jobs, companies are looking to invest in automation and machine learning solutions — raising the possibility that many of those white collar jobs will be "filled" by computers, if at all.

Submission + - 14,000 Domains Drop Dyn's DNS Service After Mirai Attack (securityledger.com)

chicksdaddy writes: How much does a DDoS attack cost your business? That's a difficult question to answer and often depends on the type of business you operate. But in the case of managed DNS provider DYN, the answer is pretty concrete: about 8%.

New data suggests that some 14,500 web domains stopped using Dyn's Managed DNS service in the immediate aftermath of an October DDoS attack by the Mirai botnet. That is around 8% of the web domains using Dyn Managed DNS, The Security Ledger reports. (https://securityledger.com/2016/10/shoddy-supply-chain-lurks-behind-mirai-botnet/)

The new estimate comes from data compiled by the firm BitSight (https://www.bitsighttech.com/).

The October attack on Dyn by the Mirai botnet caused short-lived pain for Internet users trying to reach popular web sites like PayPal, Twitter, Reddit, Amazon, Netflix, and Spotify. The Bitsight data suggests the attacks may have had more lasting implications for Dyn – and other Internet companies like it.

“The data show that Dyn lost a pretty big chunk of their customer base because they were affected by (Mirai),” said Dan Dahlberg, a Research Scientist at BitSight Technologies in Cambridge, Massachusetts. Dahlberg was speaking at an event in Cambridge on January 24.

To determine the impact of the Mirai attack on the firm, BitSight, which provides security rating services for companies, analyzed a set of 178,000 domains that were hosted on Dyn’s managed DNS infrastructure before ad immediately after the October 21st attacks. Around 145,000 of those exclusively used Dyn as their managed DNS provider. While around 33,000 used Dyn as one of their authoritative DNS providers.

Following the attack, 139,000 of the 145,000 domains continued to use Dyn exclusively, a loss of 6,000 domains or around 4% of the total. Among those domains that used Dyn along with other managed DNS providers, 25,000 continued to use Dyn after the attack, a loss of 8,000 domains or 24%. The absolute numbers are a sample based on observed domains using Dyn prior to the attack occurring, BitSight said.

Submission + - SPAM: 14,500 Domains Dropped Dyn After Mirai Attack

chicksdaddy writes: The Mirai botnet attacks that took managed Domain Name System services from New Hampshire based Dyn offline in October caused short-lived pain for Internet users trying to reach popular web sites like PayPal, Twitter, Reddit, Amazon, Netflix, and Spotify.

The attacks may have had more lasting implications for Dyn – and other Internet companies like it. New data suggests that around 8% of the web domains relying on Dyn’s managed DNS service dropped the service in the immediate aftermath of the attack, The Security Ledger reports. ([spam URL stripped])

Approximately 14,500 web domains that used Dyn’s managed Domain Name System services prior to the Mirai attack stopped using them immediately following the attack, according to data compiled by the firm BitSight ([spam URL stripped]) – a big blow to the company that was on the receiving end of the global Internet of Things botnet attack.

“The data show that Dyn lost a pretty big chunk of their customer base because they were affected by (Mirai),” said Dan Dahlberg, a Research Scientist at BitSight Technologies in Cambridge, Massachusetts. Dahlberg was speaking at an event in Cambridge on January 24.

To determine the impact of the Mirai attack on the firm, BitSight, which provides security rating services for companies, analyzed a set of 178,000 domains that were hosted on Dyn’s managed DNS infrastructure before ad immediately after the October 21st attacks. Around 145,000 of those exclusively used Dyn as their managed DNS provider. While around 33,000 used Dyn as one of their authoritative DNS providers.

Following the attack, 139,000 of the 145,000 domains continued to use Dyn exclusively, a loss of 6,000 domains or around 4% of the total. Among those domains that used Dyn along with other managed DNS providers, 25,000 continued to use Dyn after the attack, a loss of 8,000 domains or 24%. The absolute numbers are a sample based on observed domains using Dyn prior to the attack occurring, BitSight said.

Link to Original Source

Submission + - Trump Wasn't Wrong To Secure @POTUS with a Gmail Account (securityledger.com)

chicksdaddy writes: The world is having a collective freak out about the serial (https://www.nytimes.com/2017/01/25/technology/donald-trump-phone-social-media-security.html?_r=0) security lapses (https://www.rt.com/usa/375109-trump-administration-private-server-rnc/) of the newly enshrined Trump administration. That includes the revelation, this week, that the Leader of the Free World is using a lowly Google Gmail account to secure @POTUS, the official Twitter account of the U.S.’s Chief Executive. (https://theintercept.com/2017/01/26/donald-trump-is-using-a-private-gmail-account-to-secure-the-most-powerful-twitter-account-in-the-world/)

For a President and Administration as unconventional as Mr. Trump, the news about how The Most Powerful Twitter Account in the World was being secured was just another data point in a raucous and singularly unprofessional first week in office – the online equivalent of trash talking the United States’ second largest trading partner. (https://www.nytimes.com/2017/01/26/us/politics/mexico-wall-tax-trump.html)

But is having the Chief Executive’s Twitter account secured by a Google Gmail account really a security lapse? Not necessarily, according to security experts. In fact, Gmail may offer superior security to government-run platforms, The Security Ledger argues. (https://securityledger.com/2017/01/trump-securing-potus-with-gmail-is-reasonable-heres-why/)

“Companies like Google and Microsoft have invested billions of dollars in securing their infrastructure,” said John Ackerly, the CEO at the firm Virtru, a secure email provider. “If want your data to be secure, it’s tough to beat Google, Microsoft or Amazon’s cloud,” he said.

Indeed, Gmail offers a wide range back-end and front end security features that make it among the most difficult platforms to compromise – providing users take advantage of those features. Among them: detection of nation-state attacks, protection against account takeovers, strong encryption for all Gmail data both at rest and in transit, and the availability of strong second-factor authentication options such token based authentication and soft second factors like SMS codes and Google Authenticator.

In contrast, the U.S. government has struggled to secure its own IT assets. In fact, a report by GAO in 2015 listed “personal identity verification” (http://www.gao.gov/assets/680/670936.pdf) as a top cyber security challenge for government agencies. By GAO’s accounting, only 41 percent of user accounts at 23 civilian agencies had required these credentials for accessing agency systems.

Submission + - Second Ukraine Power Outage Linked to Russian Hackers (securityledger.com)

chicksdaddy writes: A December power outage in the city of Kiev in December has been linked to hacking activity by groups believed to be working on behalf of the government of Russia, according to published reports. (https://securityledger.com/2017/01/second-ukraine-power-outage-linked-to-russian-hackers/)

Russian hacking crews were behind a brief power outage at the Pivnichna remote power transmission facility last month, using software based attacks to shut down the remote terminal units (RTUs) that control circuit breakers, causing a power outage for about an hour. Hacking crews appear to be using the Ukraine as a test bed to hone skills that could be used against other adversaries, according to Marina Krotofil, a security researcher for Honeywell Industrial Cyber Security Labs, the website Dark Reading reported on Tuesday.

Speaking at the S4 Conference in Miami on Tuesday (http://www.cvent.com/events/s4x17), Krotofil said that the outage at Pivnichna was part of a month-long campaign by Russian hacking groups that included attacks on railways and other critical infrastructure. While not intended to cripple the country, the attacks were designed to sow confusion and chaos, she said.

Research was conducted by Information Systems Security Partners (ISSP) (https://www.issp.ua/contact.php?l=en), a Ukraine firm. Speaking to the conference via a pre-recorded video, Oleksii Yasynskyi, head of research at the company, said that the attacks were the work of more than one cyber criminal group that worked in concert with each other. Attacks against Ukraine critical infrastructure and other interests began over the summer, ISSP said, with spear phishing attacks directed at a Ukraine bank.

Submission + - Vermont Utility Hack Story shows why Gov's Grizzly Steppe Report is so bad (securityledger.com)

chicksdaddy writes: The Washington Post’s story, Saturday, which claimed that Russian hacking groups had penetrated the United States electrical grid (https://www.washingtonpost.com/world/national-security/russian-hackers-penetrated-us-electricity-grid-through-a-utility-in-vermont/2016/12/30/8fc90cc4-ceec-11e6-b8a2-8c2a61b0436f_story.html) is a great example of why the Obama Administration's Grizzly Steppe report was a big mistake. It is also a case-in-point against casual attribution of cyber attacks, The Security Ledger writes. (https://securityledger.com/2017/01/opinion-confusion-over-vermont-utility-underscores-risks-of-cyber-attribution/)

As we now know, the Washington Post used claims that “code associated with the Russian hacking operation dubbed GRIZZLY STEPPE" had been detected within a system owned by Burlington Electric as proof that the Russians had hacked into the U.S. grid.

But no such hack of the electrical grid took place. The computer infected with the malware was not connected to the operation of the grid, Vermont Public Service Commissioner Christopher Recchia told The Burlington Free Press on Saturday (http://www.burlingtonfreepress.com/story/news/local/vermont/2016/12/30/russia-hacked-us-grid-through-burlington-electric/96024326/)

The Washington Post subsequently corrected its article, saying that no hack of the U.S. grid took place.Though it did NOT retract the story as some have claimed. Still, the confusion over “the Vermont incident” gets to the heart of criticisms that followed the release of the DHS and FBI Joint Analysis Report (JAR) on Russian hacking activity on U.S. shores. Specifically: the U.S. Government’s Report lumped together under one banner a wide range of hacking groups and hacking tools – some of them long used and widespread. In some cases, the groups in questions have only tangential connections to the government of Russia. In other cases, tools and techniques for attacking organizations – including whole families of malware – were thrown under the GRIZZLY STEPPE umbrella. The effect was to water down the report while dangerously muddying the public’s understanding of what Russian government hackers are and are not doing.

The report about the Vermont hack proceeded from that assumption, citing intelligence from unnamed government sources that malicious code found at the utility was put there and controlled by “the Russians,” who “did not actively use the code to disrupt operations.”

The truth is that if any evidence exists linking the malware discovered on a machine owned by Burlington Electric to operatives of the government of Russia, none was presented. It’s not clear if the Washington Post ever asked for such proof. As Robert Lee noted in a blog post on Saturday: “the indicators supposedly were related to Russia because the DHS and FBI said so – and supposedly that’s good enough,” he wrote.(http://www.robertmlee.org/analytical-leaps-and-wild-speculation-in-recent-reports-of-industrial-cyber-attacks/)

By ignoring context and a fair amount of private and public sector research in lumping together Black Energy and a wide range of other, similar threats under a common banner (GRIZZLY STEPPE), a report that was supposed to nail the lid shut on Russian hacking in U.S. elections has only raised more questions about the U.S. government’s evidence against Russia and whether that evidence is being interpreted in ways that distort its actual meaning or import. The Washington Post story marked just the first, errant conclusions drawn from that errant report. Others are sure to follow – blurring rather than sharpening our understanding of the risks posed by Russia and other online adversaries.

Submission + - NIST wants public's help with crypto-cracking quantum computers (securityledger.com)

chicksdaddy writes: With functional, quantum computers on the (distant?) horizon, The National Institute of Standards and Technology (NIST) is asking the public for help (https://www.nist.gov/news-events/news/2016/12/nist-asks-public-help-future-proof-electronic-information) heading off what it calls “a looming threat to information security:” powerful quantum computers capable of breaking even the strongest encryption codes used to protect the privacy of digital information, The Security Ledger reports.

In a statement Tuesday, NIST asked the public to submit ideas for “post-quantum cryptography” algorithms that will be “less susceptible to a quantum computer’s attack.” NIST formally announced its quest in a publication on The Federal Register. (https://www.federalregister.gov/documents/2016/12/20/2016-30615/announcing-request-for-nominations-for-public-key-post-quantum-cryptographic-algorithms)

Dustin Moody, a mathematician at NIST said the Institute's main focus is developing new public key cryptography algorithms, which are used today to protect both stored and transmitted information.

“We’re looking to replace three NIST cryptographic standards and guidelines that would be the most vulnerable to quantum computers,” Moody said. They are FIPS 186-4, NIST SP 800-56A and NIST SP 800-56B.

Researchers have until November, 2017 to submit their ideas. After the deadline, NIST will review the submissions. Proposals that meet the “post-quantum crypto” standards (http://csrc.nist.gov/groups/ST/post-quantum-crypto/minimum-accept-reqs.html) set up by NIST will be invited to present their algorithms at an open workshop in early 2018.

Submission + - NETGEAR finds more routers vulnerable, pushes emergency patch (securityledger.com)

chicksdaddy writes: Consumer home networking firm NETGEAR has issued an emergency software patch for a serious vulnerability in its home routers, even as the company doubles the list of affected hardware.

The company said on Tuesday (http://kb.netgear.com/000036386/CVE-2016-582384?cid=wmt_netgear_organic) that it is providing a “beta version” of router firmware that addresses an arbitrary command injection vulnerability that was disclosed in firmware used by a number of wireless routers sold to consumers and small businesses. NETGEAR said the software update is still being tested and will only work on three versions of its routers: the R6400, R7000 and R8000. The company also acknowledged that five more routers are affected by the flaw and remain unpatched: the R7900, R7300, R7100LG, R6700 and R6250.

The company said the new firmware has not been fully tested and “might not work for all users.” The company offered it as a “temporary solution” to address the security hole. “NETGEAR is working on a production firmware version that fixes this command injection vulnerability and will release it as quickly as possible,” the company said in a post to its online knowledgebase early Tuesday.

The move follows publication of a warning from experts at Carnegie Mellon on December 9 detailing a serious “arbitrary command injection” vulnerability in the latest version of firmware used by a number of Netgear wireless routers. (https://www.youtube.com/watch?v=kOZs90BGPFk) The security hole could allow a remote attacker to take control of the router by convincing a user to visit a malicious web site. CMU urged NETGEAR customers to stop using affected routers until a fix can be found. (https://www.kb.cert.org/vuls/id/582384)

The vulnerability was discovered by an individual using the handle Acew0rm (@acew0rm1), who says he contacted NETGEAR about the flaw four months ago, and went public with information on it after the company failed to address the issue on its own.

Submission + - Vulnerability in Netgear Wifi Routers Prompts Warning to Stop Using Them (securityledger.com)

chicksdaddy writes: A serious and easy to exploit security hole in the software that runs certain models of wifi routers made by the firm Netgear prompted experts at Carnegie Mellon to urge customers to stop using them until a fix can be found.

The warning comes in a vulnerability note (VU#582384)(https://www.kb.cert.org/vuls/id/582384) published on Friday by Carnegie Mellon University’s CERT. An “arbitrary command injection” vulnerability in the latest version of firmware used by a number of Netgear wireless routers.

The security hole could allow a remote attacker to take control of the router by convincing a user to visit a malicious web site. A proof of concept exploit for the hole was published online (https://www.exploit-db.com/exploits/40889/) on Wednesday by an individual using the handle Acew0rm (@acew0rm1).

Firmware version (and possibly earlier) for the R7000 and version (and possibly earlier) for the R6400 are known to contain the arbitrary command injection vulnerability. CERT cited “community reports” that indicate the R8000, firmware version, is also vulnerable.

The warning comes amid increased concern about the security of home routers, following widespread attacks in recent weeks that have targeted the devices in Germany, the UK and other countries.

In statements on Twitter (https://twitter.com/acew0rm1), AceW0rm said that he informed Netgear of the flaw more than four months ago, but did not hear back from the company since then. He released information on the hole as well as proof of concept exploit code.

A search of the public Internet using the Shodan search engine finds around 8,000 R6450 and R7000 devices that can be reached directly from the Internet and that would be vulnerable to takeover attacks. The vast majority of those are located in the United States.

Submission + - Bad Neighborhoods Theory Applies to Bots, Also (securityledger.com)

chicksdaddy writes: It turns out that the “bad neighborhoods” theory (http://ns.umich.edu/new/releases/8588) applies to computers, as well as people.

Researchers from the firm Recorded Future said that the company has developed what it described as a “support vector machine” model to analyze contextual open source intelligence (OSINT) data on malicious online behavior. (https://www.recordedfuture.com/artificial-intelligence-cyber-defense/) That is cross referenced to “CIDR neighborhoods” – blocks of Internet addresses identified using Classless Internet Domain Routing. The AI's output is a predictive risk score for specific IP addresses that are likely to turn to crime.

So far the results are promising. In one case, Recorded Future tagged an IP address as likely to be used in an attack a full 10 days before it actually was. In an analysis of 500 previously unseen IPs with a predictive risk scores that suggested they would become malicious, 25% turned up on independent, open source lists of malicious IP addresses within 7 days, the company said. By comparison, just %.02 percent of the entire population of global (IPV4) IP addresses are marked as malicious at any time, the company said.

As for why, the explanation that Recorded Future gives sounds similar to the findings of sociological and psychologic research on the effects of bad neighborhoods. The notion there is that “bad neighborhoods” – characterized by crime, poverty and a scarcity of good role models and economic opportunities – can affect the cognitive development of children and even of the children of those children.(https://psmag.com/growing-up-poor-has-effects-on-your-children-even-if-you-escape-poverty-df11e668378a#.a27begtv0)

In the case of Internet connected systems that are destined to ‘go bad,’ the issue is proximity to computers that are involved in malicious activity, Staffan Truve, CTO, Recorded Future told The Security Ledger.(https://securityledger.com/2016/12/bad-neighborhoods-predict-which-computers-turn-to-crime-also/)

Hackers and botnet operators are rational, economic beings, he observes. That means that they will eventually use infrastructure that they rent for a purpose (like virtual systems in a data center that might be rented out for use in a denial of service attack). By analyzing the “closeness” of IPV4 addresses, Recorded Future found a predictor of future malicious activity. Proximity to one of those bad apples makes it more likely that you’re a bad apple, also – or soon will be, he said. “There’s an underlying logic, which is that the neighborhood (the system) is in will be the core part of whether it becomes malicious, but also how your neighbors are talked about.”

Submission + - The Lack of Women in Cybersecurity is a Problem and a Threat (securityledger.com) 1

chicksdaddy writes: The devaluation of traditionally “soft” skills like empathy, communication and collaboration in the information security space may be hampering the ability of IT security teams to respond to human-focused threats and attacks, according to this article at The Security Ledger. (https://securityledger.com/2016/12/cybers-lack-of-women-a-problem-and-threat/)

Failing to prioritize skills like empathy, communication, and collaboration and the people who have them (regardless of their gender) and focusing on "hard skills" (technical expertise) "limits our conceptions of security solutions and increases risks to our systems and users."

The problem goes beyond phishing attacks and social engineering, too. “Studies have shown that projects that embrace diversity are more successful. It’s a simple truth that people with different life backgrounds and life experiences bring unique perspectives to problem-solving,” says Amie Stepanovich, the U.S. policy manager at Access Now.

In short: "when we keep hiring technologists to solve problems, we get keep getting technical solutions." Too often, such technical fixes fail to account for the human environment in which they will be deployed. “It’s prioritizing a ‘tech first’—not a ‘human first’ or ‘empathy first’—perspective,” says Dr. Sara “Scout” Sinclair Brody, the executive director of Simply Secure.

This isn’t the first article to raise a red flag over the technology sector's glaring shortage of empathy. (http://www.newyorker.com/business/currency/silicon-valley-has-an-empathy-vacuum).

And while instilling empathy and compassion in adults who lack it might seem like a tall order, the piece argues that it isn't an unsolvable problem: there are entire fields—like user experience and human-centered design—dedicated to improving the way humans and technology interact. “Shockingly little of that,” says Brody, “has made it into the security domain.”

Submission + - New Version of Mirai IoT Botnet Targeting Flaw in Millions of Devices (securityledger.com)

chicksdaddy writes: An online attack that took an estimated 900,000 Deutsche Telekom broadband routers offline in Germany was the work of the Mirai botnet, a global network of infected cameras, printers, digital video recorders and other Internet of Things devices. But the attacks go well beyond Germany and the true number of vulnerable devices that could be targeted is much larger – numbering in the millions, according to new analysis by the firm Flashpoint. (https://www.flashpoint-intel.com/new-mirai-variant-involved-latest-deutsche-telekom-outage/)

On Monday, Deutsche Telekom acknowledged (https://www.telekom.com/de/medien/details/13-fragen-zu-angriff-auf-router-445088) that broadband routers it operates were knocked offline by a large scale attack that attempted to infect broadband routers with malicious software. Deutsche Telekom said that around 4 percent of its customers were affected by the attack – around 900,000 routers. But DT customers were not the only target. Flashpoint said it has observed infected devices operating from the United Kingdom, Brazil, Turkey, Iran, Chile, Ireland, Thailand, Australia, Argentina and Italy, as well as Germany.

In contrast to earlier rounds of Mirai infections, which relied on brute force (or “dictionary”) attacks that guessed default administrator usernames and passwords, the latest attacks attempted to exploit a known vulnerability in a remote maintenance interface. Attacks were launched using the TR-064 and TR-069 protocols which are common for managing so-called “customer premises equipment” (or CPE) in wide area network environments, DT said. Deutsche Telekom said it is working with manufacturers on firmware updates to address the vulnerability and is rolling them out to customers as they become available. The TR- protocols are what telecommunications firms and others use to remotely manage broadband routers in homes and businesses, said Zak Wikholm, a security research developer at Flashpoint, The Security Ledger reported. (https://securityledger.com/2016/11/report-millions-and-millions-of-devices-vulnerable-in-latest-mirai-attacks/)

While the exact number of infected devices isn’t known, Flashpoint estimates the global population of infected devices to be “five million” endpoints. The total number of vulnerable devices is much, much larger, though. Some estimates put the total number of devices with port 7547 open at around 41 million, Wikholm told Security Ledger. However, only a fraction of those allow parties other than Internet Service Providers to access those devices. That may be around five million devices globally, he said, though the exact number is unknown.

Even that smaller number could spell disaster. Denial of service attacks in recent months that reached upwards of 700 Gigabits per second of traffic were launched from Mirai botnets with only 100,000 to 200,000 infected hosts. Wikholm said object of the attacks appears to be to build large botnets that can be used “as a commercial service.”

Submission + - Internet of Things Security is a Market Failure, Government Must Intervene (securityledger.com)

chicksdaddy writes: Some of the nation’s top experts on cyber security and the Internet of Things urged Congress to take a more forceful approach to securing a burgeoning population of Internet connected devices before security and quality issues undermine consumer confidence. (Video of testimony: https://energycommerce.house.g...)

Members of the House Committee on Energy and Commerce were told in separate testimony that the inability of the global hardware and software market to produce secure products represented a critical market failure and that government intervention was likely to be necessary to create incentives for manufacturers to design secure, connected products, The Security Ledger reported (https://securityledger.com/2016/11/on-capitol-hill-calls-for-a-federal-role-in-securing-world-of-dangerous-things/).

Problems such as the recent denial of service attacks linked to the Mirai botnet will become more common and could threaten the integrity of the Internet and of the nation’s broader economy if left unaddressed.

The Committee heard from Dr. Kevin Fu of the University of Michigan, Bruce Schneier of IBM and a fellow at Harvard’s Kennedy School of Government and Dale Drew, the Chief Security Officer of Level3 Communications. All three, to varying degrees, advised a bigger government role in setting standards for devices connected to the Internet. And all three warned that a failure to deal with an epidemic of insecure devices could result in the public rejecting new technology for fear of the implications to their security and personal privacy.

Security problems in software are nothing new, Dr. Fu told the Committee, but the expansion of software-based devices into the physical world has drastically raised the stakes of software insecurity. “One of the core problems with the increasing number of IoT devices is the increased complexity that is required to operate them safely and securely. This increased complexity creates new safety, security, privacy, and usability challenges far beyond the difficult challenges individuals face just securing a single device,” Fu told the Committee.

Schneier, the CTO of Resilient Systems (now IBM) and a Fellow at the Harvard Kennedy School, said that the security problems were evidence of a clear market failure. “Basically, the market has prioritized features and cost over security,” Schneier told the Committee. “The teams building these devices don’t have the security expertise we’ve come to expect from the major computer and smart phone manufacturers, simply because the market won’t stand for the additional costs that would require,” Schneier noted."

Schneier said that a new agency to regulate IoT device security may be needed, just as new agencies were created to address safety and security issues engendered by automobiles and airplanes.

Fu called on more money to cultivate and train cyber security experts and an embedded device testbed akin to the crash and safety test beds operated for vehicles by the National Highway Traffic Safety Commission.

Submission + - Let's Get Cyber Physical: DDoS Turns off the Heat in Finland (securityledger.com)

chicksdaddy writes: A Distributed Denial of Service (DDoS) attack resulted in the loss of heating to two buildings in the city of Lappeenranta in eastern Finland according to a report by YLE (in Finnish here: http://yle.fi/uutiset/3-927849...), just the latest example of downstream effects of cyber attacks on connected infrastructure.

According to a published statement from a local IT management firm Valtia (http://www.valtia.fi/tiedote-tietoturvahyokkayksesta) the attack was noticed after a building automation system used in two properties began issuing strange alarms and could not be remotely accessed. The cause was a sustained denial of service attack that was flooding the building management system with bogus Internet traffic, causing it to restart every few minutes, and denying remote administrators at Valtia access to the device. The attack spanned November 3rd and 4th, according to Simo Rounela, the CEO of Valtia, who spoke with The Security Ledger. (https://securityledger.com/2016/11/lets-get-cyberphysical-ddos-attack-halts-heating-in-finland/)

The result? “The majority of the controlled systems, such as heat distribution, ventilation and hot water went temporarily ‘broken’,” the company said in a statement. To fix it, a technician visited the buildings and removed the affected hardware from the Internet until the malicious traffic could be filtered out. Once disconnected from the Internet, the building automation system returned to normal operation.

Around 50 people were affected, though Rounela said he doubts any noticed any change in the temperature as a result of the attacks because the building would maintain its current temperature when the system was down. Temperatures in Lappeenranta were expected to be in the mid 20s (F) this week, -6 (C).

In a conversation with The Security Ledger, Rounela said that there is strong evidence that vulnerable and Internet exposed devices manufactured by Fidelix (https://www.fidelix.fi/), a Finnish building automation firm.

“There are about 1000 similar automation devices (on the) public Internet in Finland,” Rounela said in an email, citing a search using Shodan, the hardware search engine. “Some of the affected systems were not using Dynamic DNS services, so I can’t really say how the targets were chosen.”

A report by the Finnish Communications Regulatory Authority said that the attacks appear to be part of a larger cyber criminal denial of service operation, not targeted at the building in question, YLE reported (http://yle.fi/uutiset/3-9278497).

Slashdot Top Deals

Every little picofarad has a nanohenry all its own. -- Don Vonada