In the news

  • He'll have to die first...

  • This DDoS is just early days stuff - the number of internet-connected smart devices is tiny compared to what it'll be in a few years. A tiny fraction of those devices will be difficult to hack and the vast majority will be hooked up to the Internet in an uncontrolled manner.

    Couple that with the frankly amateurish way most online services are operated and constructed and you have a terrifying prospect.

    It's going to be a field day for the DDoSers (it already is, really). The only way I see out of it is for ISPs to filter DDoS traffic emanating from their networks via some kind of L7 RBL because dealing with it properly at the destination is already proving near impossible, even with BGP trickery, custom hardware and massive pipes. Good luck coordinating that. Most probably don't have and don't want to have kit capable of doing it and are (probably correctly) hostile to regulation.

  • These thoughts, from someone I've worked with in the past, are interesting:

    http://blog.mobilephonesecurity.org/2016/10/dead-on-arrival-whats-next-for-iot.html?m=1

  • Guardian bigging up the Lib Dems again. Like the old days when they backed Clegg over Gordon Brown.

    https://www.theguardian.com/politics/2016/oct/23/liberal-democrats-remain-voters-witney-surge-byelection-liz-leffman

  • Memories are pretty short. Not sure how many students live in Witney.

  • A Lib Dem resurgence is probably good for Labour as they largely compete against the Tories in areas Labour doesn't do so well in - especially the south west. Their collapse is one reason the Tories managed to pull off a majority.

    If only they and Labour could work out a way to work together.

  • Can there not be more security at the ISP router end?

    No approved router no internet. They can scan / patch their routers remotely, block ports, block on deviation of traffic known to help botnets. Just ideas.

    It's going to cost of course. But so does a massive attack.

  • Just was wondering if dealing with it at the ISP router end may work. Instead of just accepting any IoT traffic it blocks it if there is a default password etc.

    Some of the traffic is encrypted (that which is SSH), and so the ISP does not see the password.

    Also, whilst we know which IPs are compromised and have a device behind that is part of the botnet, there is nothing about the traffic of the botnet that signifies that it is from a compromised IoT device.

    Plain and simple port blocking is the way forward, as it will force anyone running devices to have gone to their device config and to change the configuration to use a different port... that is enough to obfuscate the endpoint, but ideally they'd change the default username and/or password whilst there.

  • Can there not be more security at the ISP router end?

    At the ISP end, not the end user end.

    First: You cannot trust anything from the end user even if you supply equipment. The same reason DRM fails is the same reason this fails: if you ship the device to the end user then the end user possesses everything they need to fake it or break it.

    Second: It's long overdue, but the ISP should implement a per-customer software firewall. The defaults should be like a corp firewall, you have port 53 (DNS), 80 (HTTP) and 443 (HTTPS) outbound and everything inbound is blocked. It's severe, but it would work. Then the ISP should give a friendly page where you pick the services you want (Skype, Hangouts, some game, SSH, whatever) and it opens just those ports. The ISP should never give the option to disable the firewall.

    That's what should happen.

    No approved router no internet.

    Doesn't work, see above.
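
Added example, not part of the post above or of the thread: a small Python model of the per-customer firewall that post describes, with outbound 53/80/443 open by default, everything inbound dropped, and ports opened only through a service picker. The catalogue entries, the interface name `cust0`, the stateful handling of replies and the nftables rendering are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Defaults named in the post. Assumption: DNS is allowed over both UDP and TCP.
DEFAULT_OUT = {("udp", 53), ("tcp", 53), ("tcp", 80), ("tcp", 443)}

# Hypothetical catalogue behind the "friendly page"; names and ports are constructed.
CATALOGUE = {
    "ssh-client": {"out": {("tcp", 22)}, "in": set()},
    "game-server": {"out": {("udp", 27015)}, "in": {("udp", 27015)}},
}

@dataclass
class CustomerFirewall:
    iface: str                                  # customer-facing interface (constructed name)
    services: set = field(default_factory=set)  # deliberately no "disable" switch

    def enable(self, name):
        if name not in CATALOGUE:
            raise ValueError(f"unknown service: {name}")
        self.services.add(name)

    def allowed(self, direction):
        ports = set(DEFAULT_OUT) if direction == "out" else set()
        for name in self.services:
            ports |= CATALOGUE[name][direction]
        return ports

    def decide(self, direction, proto, dport, established=False):
        # Assumption: the firewall is stateful, so replies to permitted flows pass.
        if established or (proto, dport) in self.allowed(direction):
            return "accept"
        return "drop"

    def render_nft(self):
        # Emit an nftables forward chain: policy drop, then only the opted-in ports.
        lines = [f"table inet cust_{self.iface} {{", "  chain forward {",
                 "    type filter hook forward priority 0; policy drop;",
                 "    ct state established,related accept"]
        # iifname = traffic leaving the customer, oifname = traffic towards them.
        for direction, match in (("out", "iifname"), ("in", "oifname")):
            for proto, port in sorted(self.allowed(direction)):
                lines.append(f'    {match} "{self.iface}" {proto} dport {port} accept')
        return "\n".join(lines + ["  }", "}"])
```

With no services enabled, a new inbound telnet connection and an outbound connection to port 23 from a device on the customer side are both dropped, which covers the two cases raised later in the thread (blocking infection inbound and blocking botnet traffic outbound).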

  • Ah yeah I see what you mean...the routers can then be hacked or botnetted and we are no further.

    With the password, I mean a scan from the router to devices on the customer network. If the IoT device accepts a default password, block it.

    That won't fix the issue that a router can be botnetted though.

    A lot of users are lazy, they won't try to break the router or fiddle with it if it's a big hassle. But yeah port blocking sounds a LOT easier and more secure.

    So, eh, why are ISPs not doing it yet...? :)

  • I mean a scan from the router to devices on the customer network. If the IoT device accepts a default password, block it.

    This is illegal.

    You cannot attempt to access a computer you do not have the right to access, and the act of trying a password is to do that.

    Either you prevent the spread of malware to avoid becoming part of a botnet (by blocking inbound traffic to certain ports) or you prevent a machine from doing anything to another once part of a botnet (by blocking outbound traffic to anything that isn't configured to be open by an end user).

    That's it. No other legal or practical solution exists.

    The ISP is the only one who could do either of the above, but unfortunately they have no incentive to do either right now (legal, economic, etc).

  • My ISP (plusnet) allows you to do just this.

    The ISP firewall is turned off by default when you sign up though.

  • That moves them onto my list of ISPs to recommend. The only other ISP on that list is A&A Internet.

  • Companies do it via vulnerability scans. Doesn't seem to be illegal there?

    But that's a business employing people, with the business either owning the assets, or the user agreeing with the scans, not a business to consumer relation.

    There's a whole discussion on The Reg on improving the devices themselves, but as they're made internationally with varying standards that's probably near impossible.

    Well who knows... the EU/USA/UK could pass laws on port blocking.. ;)

  • So essentially the IoT is going to revolutionise home automation and simultaneously break the internet, sign me up.

    Seriously though, is this vulnerability from simple plug and play devices and would it be stopped if there was some piece of kit sitting between the device and the net allowing full internal access but restricting communications with the internet? I.e. is there a simple thing a lazy end user could do to prevent being part of the botnet?

  • Do things like Apple HomeKit help or compound the problem?

  • Companies do it via vulnerability scans. Doesn't seem to be illegal there?

    Anyone can scan and probe, document "this port appears to be accessible, it's port 22 so I'll presume this is SSH". This is legal.

    What you can't do is scan and probe and try lots of usernames:passwords, this is covered by the Computer Misuse Act and various EU legislation. This is illegal.

    When companies do it to other companies, via penetration tests and other tests, this is legal because it is not a misuse of a computer if you've gained permission in advance. In this scenario the company would have contracted someone to try and gain access so that they have a list of things to do to then make sure that they are not vulnerable to real attackers. This is the "white hat" (we do it with your permission to keep you safe, and we tell you what we found in a responsible way) vs "black hat" (we don't ask permission, and do it for our own profit).

    Don't mistake the existence of white hat security companies to imply that their activities, if non-sanctioned by the party in question, would be legal. They would not.

    Well who knows... the EU/USA/UK could pass laws on port blocking.. ;)

    This would be naive.

    No law should state which ports should be blocked, as this would inhibit innovation and the evolution of the internet.

    A law should simply state that end user telecommunication services should be configured to provide minimal services at time of purchase, but to retain common carrier status the end user should be able to configure this to allow any service to be available.

    Also, there are privacy implications. Imagine if an application could be identified by its traffic or port numbers, the ISP having a database of which users have enabled that service means that they can be compelled to give up that information. So there are downsides.

  • Yes. Change the default password on any device you buy.

  • Do things like Apple HomeKit help or compound the problem?

    In theory they help centralise IoT communication. Which should help control it.

    In practice they will inhibit innovation by forcing all vendors to be constrained by Apple's set of rules. You'll only be permitted to innovate if Apple likes you. Which sucks, because the majority of innovation does not occur within Apple or with Apple's consent (though they do a wonderful job of marketing the innovations they copy in a way that people believe that they do actually innovate).

    As an industry, as a set of users, we've just been very blasé about caring about how our networks and devices worked. We know more about how our cars work, and put more effort into car maintenance, than we do with software and hardware. Basically, we're all negligent, and at some point need to start taking responsibility.

    The ISP firewall is a good idea because it forces end users to become responsible. Forces device manufacturers and suppliers to document what they do, how they do it, and what ports they need open to do it.

  • OK thanks for the explanation, learning here :)

    So any law needs to be combined with a law on privacy to prevent identification of users?

  • How old do I have to be before I start thinking 'Entire internet unusable, wouldn't be so bad'.

  • Once the government's new Digital Economy Bill shuts down the parts private browsing was invented for.

  • So any law needs to be combined with a law on privacy to prevent identification of users?

    More like: Any such law to increase internet security needs to be combed over to prevent UK Govt using it to slip in additional surveillance.

    Privacy is a default, it's only the lawmakers who erode it.

  • Oh don't worry they're only spying on Amnesty ATM.

    #alufoil hat
    #maybe time to encrypt all the things / use post pigeons and letters

Posted by Platini @Platini
