The only silver lining is that if the tech giants keep getting whacked by DDOS powered by IoT then maybe they'll buy the laws that require IoT manufacturers to start considering adding basic security measures to their products.
Hacktivist crew claims it launched last week's DDoS mega-attack
A group called New World Hackers has claimed responsibility for a DDoS attack that rendered significant portions of the web unreachable last Friday. A series of assaults carefully targeted at Dyn, the managed DNS provider, knocked the service offline for much of the day, causing disruption to multiple sites that rely on its …
COMMENTS
Monday 24th October 2016 11:49 GMT Nate Amsden
i worry
More about the laws than having the organizations on the internet handle it like they do now. Dyn handled the attack very well in my opinion as a paying enterprise Dyn customer. It was likely the largest attack in history. Most other orgs would be down for days or weeks but Dyn recovered quickly.
History shows lawmakers lack technical expertise and any law reaction to this to me is likely to do more harm than good.
In a perfect world perhaps we are able to get a very targeted and concise rule or law to cover this but reality to me is they will mess it up even with technical guidance from tech giants because that's what happens when laws are made.
Monday 24th October 2016 14:45 GMT James 51
Re: i worry
If reasonable safety laws can be written for products from cars to phones, you'd hope that fridges and webcams wouldn't be too much to ask. Not having a default username and password that gets metaphorically written in the sky, or being updatable to patch vulnerabilities, should be the minimum manufacturers are required to do.
Tuesday 25th October 2016 18:40 GMT Wzrd1
Re: i worry
In this, the market can actually come to the rescue.
When those large client organizations get tired of this robbing them of the ability to conduct their business of making money, they'll create enough pressure for some form of backbone rapid response.
Let's face it, if the C2 traffic was sent to the bit bucket, the attack would've gotten nowhere very fast. I mean, seriously, two flipping Cloudflare IPs?!
Meanwhile, TOR was broken long ago and the control station remained connected to the botnet C2 for the entire attack. Someone's going to get nicked for it.
Monday 24th October 2016 14:02 GMT netminder
I am amazed that so many people (not saying you particularly but Tech folk in general) claim to hate regulation & believe government should let industry do what it does & have the market clean up the mess, but then demand government regulation the minute it hits the fan. Had a politician suggested regulations 2 weeks ago many of the people now demanding action would have been all up in arms about bureaucratic interference with the free market.
Monday 24th October 2016 17:44 GMT Nate Amsden
Yeah sorry I don't hate regulation or government (I also don't get upset about my ~42% income tax rate). I just fear such regulations will have unintended side effects. There have been several examples in recent years where interpretation of the law dramatically changed the impact of it and I believe it was not the lawmakers' objective to have it viewed like that. Sorry don't have a link handy but I know I have read such articles on El Reg in the recent past.
Monday 24th October 2016 16:18 GMT Planty
Re: IoT
And what do you base that on? This is clickbait gold for tech rags. They are playing on FUD big time. I enjoyed this crap from the BBC.
"Before the rise of the IoT it was tricky to set up a network of hijacked machines as most would be PCs that, generally, are more secure. "
LOL, all those Windows PCs all spewing malware.. There is nothing inherently insecure about IOT, many run Linux, or other embedded OSes that are infinitely more secure than Windows, AS LONG AS A UNIQUE PASSWORD IS USED...
Tuesday 25th October 2016 10:57 GMT Lotaresco
Re: IoT
"There is nothing inherently insecure about IOT, many run Linux, or other embedded OS's that are infinitely more secure than Windows, AS LONG AS A UNIQUE PASSWORD IS USED..."
This is just evidence that you haven't begun to understand the hacks. A unique password does not help in cases where the inherent security of the system is flawed and it is far from true to claim that "many run... OS's that are more secure than Windows". Many embedded devices use unsupported and out of date versions of Windows, mostly Windows CE. As shipped today many IoT devices *are* inherently insecure. If you read the detail on how these hacks are achieved you will find that in the worst cases the connections to the devices are not secured at all and that the devices will, on request, give you the passphrase of the WiFi router they are connected to.
PCs, bad as they are, are generally better secured than IoT devices. All the "LOL"ing in the world won't make that change.
Tuesday 25th October 2016 18:46 GMT Wzrd1
Re: IoT
As the malware is designed to hack into routers, web cams, DVRs and assorted other IoT devices, "just one webcam" is about the stupidest thing I've heard since Trump responded to this with "a new thing called a cyber attack".
For The Donald, there is this new thing called fire. Fear it.
For you, the same general chipset can be used in a camera, router, DVR, garage door opener, light bulb or sex toy. As that implementation can also contain a reference filesystem and OS, if they're also using the same inane admin|admin username|password, that same malware will work on each and every device - even grannie's computerized back scratcher.
Oh well, back to doing some things the old fashioned way, remembering all of those IPs that I *really* have to connect with.
Monday 24th October 2016 13:16 GMT Lotaresco
Re: IoT
"This is nothing to do with IOT"
It's everything to do with IoT. Almost every IoT device punted by the consumer electrical/electronics industry has significant flaws. Many of these flaws manifest because of a triumvirate of stupidity.
1) Naïve developers;
2) Cheap components;
3) Lack of awareness of the issues.
These flaws affect a wide range of devices. Kettles, Coffee makers, fridges, Smart TVs (Proof of concept announced but not yet published), Media boxes, thermostats, doorbells, Your kid's toys and, yes, CCTV/Webcams.
It's worth keeping up with Pen Test Partners via their blogs because they are rattling through shonky IoT trash as quickly as they can.
Monday 24th October 2016 23:16 GMT a_yank_lurker
Re: IoT
"Kettles, Coffee makers, fridges, Smart TVs (Proof of concept announced but not yet published), Media boxes, thermostats, doorbells, Your kid's toys." - Can anyone give me a logical reason why any of these devices ever need web access? I can see some possible value for CCTV/webcam remote monitoring of infrastructure but not for most people.
Tuesday 25th October 2016 07:45 GMT Jo_seph_B
Re: IoT
Convenience. The kettle will boil just as you enter the house as it would have been tracking you on the way home, the fridge can order the extra milk when you're low, etc etc etc.
It's not for me but it's the way things are going I'm afraid.
Now I'm out of bed I'm off downstairs to wait for the kettle to boil.... Oh crap I forgot to buy milk.
Tuesday 25th October 2016 10:48 GMT Lotaresco
Re: IoT
"Convenience. The kettle will boil just as you enter the house as it would have been tracking you on the way home, the fridge can order the extra milk when you're low, etc etc etc."
In reality no, that won't work. The kettle would have to be filled in advance and left ready to boil. It's easier and cheaper to stop off at the off-licence on the way home and buy a pint of milk than to have your fridge order a delivery for just a pint of milk. If always-on milk is your thing then you can consider having a pint of dog milk[1] in your nuclear Armageddon cupboard.
[1] Red Dwarf Series II, Kryten
Holly: Cow's milk. Ran out of that yonks ago. Fresh and dehydrated.
Lister: What kind of milk are we using now?
Holly: Emergency back-up supply. We're on the dog's milk.
Lister: [looks at his cup in horror] Dog's milk?!
Holly: Nothing wrong with dog's milk. Full of goodness, full of vitamins, full of marrowbone jelly. Lasts longer than any other type of milk, dog's milk.
Lister: Why?
Holly: No bugger'll drink it. Plus, of course, the advantage of dog's milk is that when it goes off, it tastes exactly the same as when it's fresh.
Tuesday 25th October 2016 18:51 GMT Wzrd1
Re: IoT
"It's worth keeping up with Pen Test Partners via their blogs because they are rattling through shonky IoT trash as quickly as they can."
Yeah, but Christ, that's only the tip of the iceberg! There are so, so, so many more out there.
Enough that even I am having trouble keeping up and both my reading rate and retention are legendary and I'm infamous for not having a personal life, as we've been married for 35 years. ;)
Hmmm, next time a bunch of us get together, I'll bring it up with my peers. It *is* becoming difficult to keep track, perhaps we can get a board together to track things and keep us up to date via a dashboard of novel things. We've gotten blindsided a couple of times with annoyances, we don't want to miss something important.
And while we're at it, we'll share our toys. Well informed is well armed. :)
Monday 24th October 2016 15:26 GMT Brian Miller
Re: IoT
No, idiot programmers: more trouble than they're worth. Follow that with idiot sysadmins who can't be bothered to change the default password.
Any computer that doesn't have a terminal and a drive is a "thing." It doesn't matter if it's in a child's doll or a network router. The computer has a network connection, and it's going to be talking to something. Naturally, piss-poor practices will make the device vulnerable, and it will be abused by some jerkwad.
So we have the "New World Hackers" allegedly bringing down DNS resolution for a significant part of the internet. Were they the ones actually responsible? I have no idea. If they did it for the reasons stated, then we've got a problem with script kiddies who want to burn the world just to watch the embers glow.
I've advocated regulations about computer security for some time. There's a big difference between truly negligent security, and going to great lengths to weasel into a system.
Tuesday 25th October 2016 11:21 GMT Tom Paine
Re: IoT
"I've advocated regulations about computer security for some time. There's a big difference between truly negligent security, and going to great lengths to weasel into a system."
How do you write a law (or regulation) that distinguishes between them, though?
You need to specify controls that wouldn't be regarded as expensive overkill by many/most manufacturers and end users, but which are useful and prevent all the trivial or semi-trivial attack vectors, AND that stays up to date as hacking techniques evolve and the constant arms race between attackers and defenders progresses.
Tricky.
Tuesday 25th October 2016 16:01 GMT Edward Ashford
Re: IoT
>> How do you write a law (or regulation) that distinguishes between them, though?
You don't. You change the Computer Misuse Act to let us shoot back. And you petition the PM to treat this as the cyber attack that it was (no matter who perpetrated it) and instruct GCHQ & Co to take action to shut down the Bot Nets (we pay their wages, they might as well do something positive instead of just spying on our emails)
It's no different from asking the police to take duff lorries off the road because they're a danger to everyone.
Floods of Things getting returned to the seller because they have been bricked is probably the only thing that will cause a change. The non-technical buyers (most of the world) will eventually get the message that Brand X is no good, although the temptation to buy cheap cr*p is pretty huge (the missus still goes into Chinese Bazaars even though she knows the stuff is no good)
Plus ça change...
Tuesday 25th October 2016 19:25 GMT Wzrd1
Re: IoT
"You change the Computer Misuse Act to let us shoot back."
And when that shooting back involves GCHQ or US Cybercommand to shoot back at Russia, let the chips fall where they may.
As that could be construed as an act of war, oh well. There were a lot of vacant old buildings in those cities, now we'll have a construction boom.
Tuesday 25th October 2016 18:57 GMT Wzrd1
Re: IoT
"Follow that with idiot sysadmins who can't be bothered to change the default password."
Erm, most of those IoT devices were consumer grade devices. Most consumers don't have sysadmins.
But, not a lot of people need most of the current crop of IoT devices on the damned DMZ. Seriously, if you can't figure out how much goddamned milk you have in the fridge, you should just stay at home where you can look inside the thing yourself, you're too damned stupid to be allowed outside alone. We don't need to see inside of your nursery, the kid's ugly.* Oh, your printer? Sure, I'll happily print 200 pages of black.
Seriously, most consumers don't have a clue what a DMZ is, there is no reason that any automagic configuration should stick an IoT device onto a DMZ. Ever.
*Honestly, I am actually quite fun in parties.
Monday 31st October 2016 10:02 GMT Alan Brown
Re: IoT
"Follow that with idiot sysadmins who can't be bothered to change the default password."
Right now, endusers can't be expected to know that (or to set secure passwords) in the same way that they're not expected to be able to change the oil in a car in order to be a passenger in one.
Human factors apply. This is flat out laziness biting a large number of suppliers on the ass. Just because something can work like that in the lab doesn't mean it scales out to real world without extra work being done. These things are fundamentally insecure by default, but dressed up to be easy to install.
The problem is compounded by handwringing. DDoS attacks should be met with strict liability laws on the participating systems.
The instant a consumer gets prosecuted for allowing his kit to join in a DDoS, you're going to see supplier liability cases start popping up all over - the lessons from that will reverberate across the industry - and no, disclaiming liability using shrinkwrap won't fly.
Monday 24th October 2016 11:57 GMT The Man Who Fell To Earth
Re: Think I've found the problem....
Yes, and a huge dent in this problem would be made if IoT makers put unique default UserIDs and passwords on their products, akin to how they already have to give them unique MAC Addresses. Put the unique default UserIDs and passwords on the same sticker as well. Of course, even if they did that, we all know they will get lazy and make the unique default UserIDs and passwords be some standard hash of the MAC Address, which once word gets out, will open the devices back up to exploit...
Monday 24th October 2016 14:39 GMT Anonymous Coward
Re: Think I've found the problem....
"IoT makers put unique default UserID's and passwords on their products"
NO, completely wrong. Any passwords will be generated with an algo so will be compromised.
The simple answer is the device should only talk to its local subnet and only have the minimum management interface function until the owner logs in to said interface and sets a secure password.
Monday 24th October 2016 17:00 GMT Preston Munchensonton
Re: Think I've found the problem....
"default username & password"
That's step one. Step two is leaving telnet and SSH directly accessible from anywhere on the Internet. Anyone that leaves a shell open to Internet attacks should be flogged, hanged, dismembered, and burned.
Of course, neither of these steps is specific to IoT at all. I do think IoT is a huge waste of time in general, but it's not the security nightmare that people imagine it will be if these fucktards would just take an extra day to make sure they've implemented some security best practices.
/endrant
Monday 24th October 2016 15:54 GMT Anonymous Coward
Re: They saved me a tenner
Cost me £55. Or at least I assume so. I had perfect internet until Friday. I'm assuming my router is a device currently at risk of some of these exploits, or is affected by the DNS systems being wonky. However, as it's a poor cheap one, I cannot change DNS server (it's a fixed or bugged one by default; I'm assuming this was changed as a fix to the firmware having security holes they did not wish to fix properly).
So it may be my line got blown about by wind on Friday and I'm buying a new router for nothing. Or it may be the current attacks took out my router. I'll find out when the new one arrives... which is of course a different brand.
Monday 24th October 2016 16:18 GMT Boris the Cockroach
Re: Bah!
Quote : You know. Engineers.
You know how much it costs and how long it takes to train an engineer?
Naww, let's stick this down to public relations and say "we've since fired anyone responsible (except top management) and promise that our next IoT crap won't be as crap, and it will be cheaper"
Tuesday 25th October 2016 11:03 GMT Lotaresco
Re: Bah!
"You know how much it costs and how long it takes to train an engineer?"
I have worked in companies where the view taken by management is that if the alternative is pushing broken product out of the door or employing an engineer to fix the design flaws before the product is punted, then they will just sell the product. After all, the cost of lawsuits and refunds tends to be a drop in the ocean compared to the costs of extending development and testing functionality. Those companies usually last long enough to burn the investment capital, make large salary and bonus payments to the senior managers and then collapse, meaning no one can be recompensed for damages.
Meanwhile the senior managers boast about their impressive CV and push off to do the same again.
See: Lane-Fox, Martha for example.
Monday 31st October 2016 10:18 GMT Alan Brown
Re: Bah!
"Those companies usually last long enough to burn the investment capital, make large salary and bonus payments to the senior managers and then collapse meaning no one can be recompensed for damages."
Laws are already on the books to make manglement personally liable for reckless or illegal activities.
The issue in this case is bringing them to bear.
Monday 24th October 2016 14:58 GMT Anonymous Coward
Update?
How's the FUD on the "open and free internet" coming along?
Pretty good, the guys over at IoT central have sent out so much KfC (Kit for Compromise) the net is falling over itself, soon be unworkable sir.
Excellent, we'll have them clamouring for data filters inside a week, who said you couldn't fool the geeks.
Monday 24th October 2016 19:12 GMT CrashM
Costs
I don't understand why there needs to be legislation or additional costs associated with fixing this issue.
All you need to do is force the user to change the admin password the first time they log in to configure it. Coding wise, this is a minimal change and shouldn't incur much, if any, additional costs.
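The first-boot behaviour this comment and the earlier "only talk to its local subnet until the owner sets a secure password" suggestion describe, sketched as an added Python example (not code from the page or from any device vendor). The factory-default list, the RFC 1918 local ranges, the 12-character minimum and the `ManagementInterface` class are all assumptions made for the illustration.

```python
import hashlib
import ipaddress
import secrets

# Constructed list of factory defaults the setup step must refuse (assumption, not a vendor list).
FACTORY_DEFAULTS = {"admin", "root", "1234", "12345", "password", ""}
# RFC 1918 ranges: before setup the management service answers only peers on these networks.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_LENGTH = 12  # assumed minimum length for the owner-chosen password


def is_local(peer_ip):
    """True if the peer sits on a private (local) network."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in LOCAL_NETS)


def acceptable(new_password):
    """Policy from the thread: not a factory default, and not trivially short."""
    return new_password not in FACTORY_DEFAULTS and len(new_password) >= MIN_LENGTH


class ManagementInterface:
    """Starts unconfigured: only 'set_password' is served, and only from the local subnet."""

    def __init__(self):
        self.configured = False
        self._salt = None
        self._digest = None

    def _store(self, password):
        # Salted, iterated hash so a firmware dump does not yield the password itself.
        self._salt = secrets.token_bytes(16)
        self._digest = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        self.configured = True

    def _verify(self, password):
        if not self.configured or password is None:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        return secrets.compare_digest(candidate, self._digest)

    def handle(self, peer_ip, action, password=None, new_password=None):
        """Serve one management request and return a status string."""
        if not self.configured:
            if not is_local(peer_ip):
                return "refused: setup allowed from local subnet only"
            if action != "set_password":
                return "refused: set an admin password first"
            if not acceptable(new_password or ""):
                return "refused: password is a factory default or too short"
            self._store(new_password)
            return "ok: password set"
        # Configured: every action, from any peer, requires the owner's password.
        if not self._verify(password):
            return "refused: bad credentials"
        if action == "set_password":
            if not acceptable(new_password or ""):
                return "refused: password is a factory default or too short"
            self._store(new_password)
            return "ok: password set"
        return "ok: " + action
```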
Monday 24th October 2016 19:27 GMT Anonymous Coward
I don't buy it
If they were going to take credit, they would have done it right from the get go. Not wait around for a weekend and then announce it.
It smells like "well no one else has stepped forward, it was obviously someone who wants to remain secret, so let's take credit for it and falsely increase our hacker cred".
They haven't done anything even remotely like this before. It would be like a golfer who had won some local events suddenly winning the British Open. You simply don't make such a big jump all at once.
Monday 24th October 2016 21:10 GMT HAL-9000
Nudge Nudge
Is that the copy the Behavioural Insights Team (BIT) has officially approved? Where does this constant Rusky bashing eventually take us, Putin doesn't seem like the thin skinned type to me.