Internet of Things Cybersecurity Improvement Act – Finally, IoT Security?

U.S. Congress to Americans – This Act Won’t Cover You American Simpletons

As is being reported by multiple news agencies, Congress feels that IoT security just sucks, and you know what, Congress is absolutely right.

IoT is a hot topic. Everyone wants to make a smart device, yet they fail to think about security. Even smart toothbrushes can be hacked, as can smart cars, refrigerators, watches, baby monitors, adult toys, and medical devices like pacemakers. You name it: if it’s a connected device, it can be hacked.

Including all of these home routers people buy and just put into their homes. It’s getting to the point where you need an IT security team just to manage the security of the connected devices that you have in your homes.

As you all know, security on internet-connected devices hasn’t kept pace with the market, basically it’s pretty much been ignored and the market is going to continue to grow.

While having this bill sounds great, here’s the fine print:

The reality is that it is Congress who sucks for suggesting this bill.

Why?

Because the bill would only protect the Federal Government; it’s not for the rest of us.

The bill would require IoT devices sold to the federal government to have the ability to be patched and not use hard-coded passwords, which are usually generic and easily figured out.

Being able to patch a device isn’t exactly advanced security to be honest, and maybe Congress should refrain from purchasing IoT devices.

The Federal Government does currently utilize certain smart devices:

The National Oceanic and Atmospheric Administration has sensors for studying whale migrations and underwater volcanoes.

And the Centers for Disease Control and Protection uses connected devices to monitor mining environments.

Just to name a couple, and that still doesn’t explain why Congress feels that they need a special bill on the books to protect them? While I agree IoT security is important, I find it really hard to believe that a hacker really gives a shit about the study of whale migrations and underwater volcanoes, much less intel monitoring mining environments.

So what is the real back story or reason?

How many times have any of you made a purchase under a work account and repaid the company or just had the vendor charge it to a personal credit card because the purchase made under your corporate account came with a significant discount?

Happens a lot in businesses around the country. Employers are typically pretty cool about it because the company is paying for the purchase themselves and the employees reap the benefit from the discount.

So I have to wonder, how many purchases are going to be made under this new Cybersecurity Act in the name of being sold to the Federal Government, that end up being personal purchases just to get the better security?

These members of Congress should learn to think before speaking, acting or doing much of anything that is geared only for themselves.

They don’t make it to Congress on their own merits after all and if any of them are under the very misguided impression that they did they may want to take a step back and look at that picture again only this time in vivid color.

Cristal M Clark

iOS users can find The Crime Shop on Apple News

@thecrimeshop on twitter

And https://gab.ai/thecrimeshop

The cyber-attack that exposed the internet’s security issues

Mafiaboy

I keep seeing headlines pop up that hint at a large scale cyber attack that is inevitable, warnings that cyber criminals are hiding in every nook and cranny on the web, the next DDoS attack will be bigger and better. Recently a hacker attacked the San Francisco Muni Transportation System, Russia’s Central Bank was just hacked for $31 million…

Usually cyber criminals have no face. We never know why or who it was that brought down a network, hijacked/spoofed an email address and stole money, or who might have held a network hostage.

We almost never figure out who was truly behind large-scale DDoS attacks, like the one a few months back that knocked out half the internet using IoT.

DDoS attacks have been around for quite some time…but does anyone know who really brought them into the spotlight?

Meet Michael Calce, aka: Mafiaboy, a high school student from West Island, Quebec

Back in February 2000, a 15-year old Canadian boy who went by the name Mafiaboy, liked playing around with botnets, and he happened to program his botnet to attack the highest traffic websites that he could find.

CNN, Yahoo, Amazon, eBay, Dell, Fifa.com and E*TRADE.

That move brought DDoS attacks into a worldwide spotlight.

He also launched a series of failed simultaneous attacks against 9 of the 13 root name servers.

The FBI and the Royal Canadian Mounted Police first noticed Mafiaboy when he bragged in IRC chatrooms that he was, in fact, responsible for the attacks.

He became the ideal suspect when he claimed to have brought down Dell’s website, an attack that had not been publicized at that time.

If you look at Mafiaboy’s DDoS attack it pales in comparison to today’s versions, but it serves as a constant reminder that anyone including a 15 year old with an axe to grind and some knowledge about how to hack, can launch a cyber attack using a botnet.

Botnets are what make DDoS attacks so successful; they can make DDoS attacks the ultimate smoke screen.

They have been used to punish organizations like Spamhaus: hackers launched an attack on Spamhaus for adding Cyberbunker to its spam list. Spamhaus creates blacklists that help email providers such as Google block spam from known IP addresses, servers, etc.

Paypal, Visa and Mastercard were also punished back in 2011 for failing to release donations to WikiLeaks.

Governments have been attacked, and have attacked each other, using DDoS and botnets. Online gaming sites have been attacked, as have hospitals, businesses, banks, etc.

They even have companies that offer DDoS attacks on competitor sites for a pretty decent price.

What’s truly concerning however, is that while some of the DDoS attacks seem sort of inconvenient or funny, even deserving in some cases, they can also be used as a smokescreen to camouflage or draw attention away from other criminal activity, such as stealing data from the victim’s network.

DDoS attacks went from simply bogging down an entire network to becoming the newest way to mask the real score, taking stealing things to an all-new level.

And while you are thinking of all of the bad things, sometimes the attacks have been used for the common good, by exposing truths about our governments.

Cristal M Clark

Security – is the Internet of Things ready for the next big one?

IoT

The big question this week is whether or not the world can secure its Internet of Things devices in time for the next attack, after last Friday’s attack, which left many in the tech industry reeling.

I know a lot of talk has gone around about who might have been responsible for it as well but that is truly the wrong question at this point because it is the least important right now.

The attack that disabled websites across much of the continental US and Europe last week was what is known as a DDoS attack.

Dyn, which happens to be a major provider of internet infrastructure, was swarmed by data requests from a network of hijacked devices. Normally it’s machines, but in this case it turned out to be connected devices.

It has been reported that last Friday’s attack appears to have been caused by hijacked DVRs and web-enabled cameras. As it turned out, many of the DVRs and web-enabled cameras contained circuit boards and software manufactured by the Chinese tech firm Hangzhou Xiongmai.

The firm is well known for selling completely insecure cameras and DVRs, not to mention that, as we now know, many have been hacked and placed into botnets such as the Mirai botnet, where they participate in DDoS attacks.

Many of the used devices are in fact infected by Mirai.

Hangzhou Xiongmai initially shot back that it was the fault of end users who failed to change passwords… Hangzhou Xiongmai did end up recalling something like 4.3 million circuit boards used in cameras.


Mirai botnet…

By the way, it is rumored that over half a million IoT devices are already infected with Mirai IoT malware.

Mirai was built for 2 core purposes:

  1. Locate and compromise IoT devices to further grow the botnet.
  2. Launch DDoS attacks based on instructions received from a remote C&C.

What’s really interesting about Mirai was that it was hardcoded with an avoid list. That’s right, a list of IPs it is to avoid infecting. The list includes the USPS, the Department of Defense, HP, GE, The Internet Assigned Numbers Authority…

That list is pretty intriguing to say the least. I can see some of the groups to avoid on the list but the USPS? No offense to the USPS, but why?

It’s left some speculating that the code’s author(s) were concerned with being exposed, while others have speculated that the list indicates the author(s) learned the art of coding from a Wiki page or from popular media, which makes some think the author(s) are not pros.

Which is irrelevant at this stage because Mirai is doing its job quite nicely.

Mirai also comes equipped with an added bonus which leaves users who are trying to remove it pretty frustrated.

  1. Help Mirai maximize the attack potential of the botnet devices.
  2. Prevent similar removal attempts from other malware.

If you have had a chance to look at any of the code for Mirai you might have noticed that part of the code appears to be in Russian which leads many to believe that the author or some of the authors are in fact Russian hackers or hackers who are originally from Russia.

Still the question at the end of the day is pretty simple:

The real issue we face here is, with so many IoT devices that are already in homes and offices how can we secure them now?

People don’t normally think about securing a coffee maker when they buy it. The expectation is more or less that it is sold already secured, but what if it wasn’t?

The answer is, most don’t know and they don’t know how to begin testing for it.

I like ShieldsUP!

Before doing that, I would make sure to disable all remote (WAN) access to your devices.

To verify that your device is not open to remote access, you then need to scan the following ports: SSH (22), Telnet (23) and HTTP/HTTPS (80/443).

https://www.grc.com/x/portprobe=22

https://www.grc.com/x/portprobe=23

You will want to look for a status of “Stealth” which means that your port is secure.
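
An added example, not part of the original post: the same four-port check run from inside your own network with Python's standard library, reporting each port with the three states ShieldsUP! uses (open, closed, stealth). The function names and the 192.168.1.1 default address are assumptions; a LAN-side result shows which services the device itself is running, while ShieldsUP! shows what is reachable from the internet through your router.

```python
import socket
import sys

# Ports named in the post: SSH, Telnet, HTTP, HTTPS.
PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP", 443: "HTTPS"}


def probe(host, port, timeout=2.0):
    """Classify one TCP port using the three states ShieldsUP! reports.

    open    - the handshake completed, a service is listening
    closed  - the host answered with a reset (connection refused)
    stealth - nothing came back before the timeout (packet dropped)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        # Timeout or host/network unreachable: the port itself never answered.
        return "stealth"
    finally:
        sock.close()


def audit(host, ports=PORTS, timeout=2.0):
    """Return {port: state} for every port in `ports`."""
    return {port: probe(host, port, timeout) for port in ports}


def exposed(results):
    """Ports that answered with a listening service, sorted."""
    return sorted(p for p, state in results.items() if state == "open")


if __name__ == "__main__":
    # 192.168.1.1 is a placeholder; pass the address of a device you own.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    results = audit(target)
    for port, state in results.items():
        print(f"{target}:{port} ({PORTS[port]}): {state}")
    if exposed(results):
        print("Listening:", exposed(results))
```

Any port reported as open on a camera, DVR or similar device is a service worth disabling if you do not use it, Telnet (23) first of all.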

You will also need to test your router which is no easy task for most. You can read information on that at routersecurity.org.

To be honest however, for most average everyday consumers, this can be very overwhelming so moving forward we need to be thinking of answers that fall in line with how consumers think.

They don’t think like tech experts or tech laymen, they think like consumers.

Some are calling for the Government to regulate IoT security, which is a fine idea but in the meantime…

With so many devices already exposed or at risk, some thought should be given to the idea that a fix pushed out to devices might be in order.

Cristal M Clark

Internet of things now helping cybercriminals 

Is your networked device secure?

Cybercriminals just strolled past 2016 and took us right into the future.

So what is the internet of things?

Small, networked devices, everyday objects that have network connectivity, allowing them to send and receive data.

They also happen to be wide open to intrusion, which makes it so easy for cybercriminals to access them, unleash malware on them and lie in wait.

And we’ve been warned about this for quite some time.

We are used to seeing large-scale DDoS attacks where one PC controls several PCs worldwide, creating a botnet and releasing DDoS attacks.

They are very effective and very difficult to trace back to the original source no doubt.

Very recently however it was discovered that a rather large scale DDoS attack was utilizing well, the internet of things in an effort to attack a victim.

That victim as it turned out happened to be one of the world’s most respected and knowledgeable investigators of cybercrime.

Brian Krebs, former Washington Post reporter turned cybercrime investigator recently encountered a DDoS attack unlike any other ever seen before.

Last Tuesday, his site was attacked using DDoS. What made the attack so unusual was that its size was so big that Akamai Technologies, a cloud-based content delivery network, actually told Brian that they could no longer carry his blog because the attack was affecting many other customers.

Akamai, for the record, handles, it’s been said, something like 20%-30% of all internet traffic.

The other reason that the attack was so unusual, and this is important, is that it was later discovered that many of the devices that were used to attack Brian’s site and bring it down were hijacked cameras, networked TVs, routers, etc.

Not just PCs like we’ve seen in the past.

Brian actually had to have Akamai redirect any traffic for krebsonsecurity.com into the equivalent of a virtual black hole, and that meant that his site vanished into thin air. Not to worry, however, because his site is back up and running.

This does however teach a powerful lesson in terms of giving more thought to the internet of things and how we manage security on devices that are networked outside of phones and PCs.

So many devices are now networked these days…

So, when was the last time any of you checked to make sure that your networked TV, router, coffee maker, refrigerator, etc was secure and malware free?

Cristal M Clark
