IoT Botnet Can DDoS Your Webserver

OK, it happened as some predicted last year:

A botnet was found¹ (a collection of computers, or in this case devices, that are controlled by another computer) controlling a number of IoT (Internet of Things) devices. These IoT devices were then told to attack a website, causing a DDoS (Distributed Denial of Service). The website then crashed as it was too busy.

image from valuewalk.com²

[image: Botnets_valuewalk]

So let’s back up a bit: what are IoTs? http://iotlist.co/ has a list.

An IoT device can be many things – a camera is one, espresso machines, Samsung VR headset, indoor night light, wifi smart plug, speakers, indoor air quality monitor, Samsung Galaxy connected screen, keypad, oven, watch, light switches, and many more.

Director of National Intelligence (DNI) James Clapper, at the Feb 25 hearing in Congress:

“I want to briefly comment on both technology and cyber specifically. Technological innovation during the next few years will have an even more significant impact on our way of life. This innovation is central to our economic prosperity, but it will bring new security vulnerabilities,” he said. “The Internet of things will connect tens of billions of new physical devices that could be exploited. Artificial intelligence will enable computers to make autonomous decisions about data and physical systems and potentially disrupt labor markets.”

[image: threat_hearings_3]

So our esteemed leaders are keeping an eye on IoT, but what are these devices really?

The attack came from CCTV devices connected to the Internet (which have a specific bug, noted below, that criminal hackers can exploit).

KerneronSecurity³ wrote about this on March 22, 2016. 70 CCTV vendors have a remote code execution bug, and apparently this has been going on since 2014.

So this is a big problem, and it looks like it will continue to be one until the vendors of most CCTV devices fix this issue.

 

[image: goldeneyeIRcamera]

GoldenEye IR camera http://www.goldeyecctv.com/

[image: technomate]

http://www.technomate.com/categories/Products/Security/Cameras/

 

Above are just 2 of the supposed 70 vendors that, according to KerneronSecurity, are susceptible to this big cybersecurity problem.

This blog post does not imply that the above 2 vendors (GoldenEye and Technomate) have the bug, as I have not independently verified these 2 models against that specific remote code execution.

I imagine the criminal hackers are working on new attack angles with this many potential attack points.

In fact, according to Google, there are 5.9 million CCTVs in Britain and 245 million in the world. Likely most of them are susceptible to this attack.

[image: securitycamerasinworld]

It seems that over 25,000 attack points came into the website in the DDoS attack. There seems to be a potential for much bigger mischief.

You may not realize this, but the hackers also have problems with their software, especially since it is custom built, and thus they cannot jump straight to controlling hundreds of thousands of devices; they first have to control 25,000.

So what to do if we know a major Cyberstorm is coming?

According to Kerneron Security these devices are all white-label devices coming from TVT, a Chinese company.

TVT, 5F, North Block, CE Lighting House, Hi-Tech Park, Nanshan District, Shenzhen, GuangDong, P.R. China

And I have found an actual CVE, CVE-2013-6023, that explains this Cross Web Server vulnerability(4). Specifically, check Exploit-db.com, which discusses the directory traversal vulnerability.
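Two checks a defender can run against their own web-server access logs, given as an added example (this is not code from the post, from Sucuri, from KerneronSecurity or from the CVE entry): one flags requests whose decoded path climbs out of the document root with a ".." segment, the request shape behind a directory traversal bug of the kind CVE-2013-6023 describes; the other finds the busiest time window and how many distinct source addresses it contained, which is what separates one noisy client from a flood arriving from many devices at once. It assumes Apache/NGINX "combined"-style log lines; SAMPLE_LOG is constructed (RFC 5737 documentation addresses and made-up timestamps) and the 10-second window is an illustrative threshold.

```python
"""Added example: traversal-attempt and request-flood checks over access logs.

Not the post's or its sources' code. Assumes Apache/NGINX "combined"-style
lines; SAMPLE_LOG is constructed sample data, not a real capture.
"""
import re
from datetime import datetime
from urllib.parse import unquote

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Constructed sample: one normal visitor (203.0.113.7), eight different
# addresses hitting "/" within three seconds, and one traversal attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Jun/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [27/Jun/2016:10:00:45 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.1 - - [27/Jun/2016:10:05:00 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.2 - - [27/Jun/2016:10:05:00 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.3 - - [27/Jun/2016:10:05:01 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.4 - - [27/Jun/2016:10:05:01 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.5 - - [27/Jun/2016:10:05:02 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.6 - - [27/Jun/2016:10:05:02 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [27/Jun/2016:10:05:03 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.8 - - [27/Jun/2016:10:05:03 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.9 - - [27/Jun/2016:10:07:30 +0000] "GET /static/..%2F..%2Fsecret.cfg HTTP/1.1" 404 312
203.0.113.7 - - [27/Jun/2016:10:08:00 +0000] "GET /contact HTTP/1.1" 200 1900
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_traversal(path):
    """Decode twice (so %252e%252e is caught too) and test each path segment for '..'."""
    decoded = unquote(unquote(path))
    return any(seg == ".." for seg in re.split(r"[\\/]", decoded))


def flag_traversal(lines):
    """(source ip, raw path) for every parseable request that tries to climb directories."""
    return [(r["ip"], r["path"]) for r in map(parse_line, lines) if r and is_traversal(r["path"])]


def peak_window(lines, window_seconds=10):
    """Sliding window over timestamps: request count and distinct sources in the busiest window."""
    recs = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    best = {"requests": 0, "distinct_sources": 0}
    left = 0
    for right in range(len(recs)):
        while (recs[right]["ts"] - recs[left]["ts"]).total_seconds() > window_seconds:
            left += 1
        window = recs[left:right + 1]
        if len(window) > best["requests"]:
            best = {"requests": len(window), "distinct_sources": len({r["ip"] for r in window})}
    return best


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("traversal attempts:", flag_traversal(lines))
    print("busiest 10 s window:", peak_window(lines))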

 

Now if we try to find the actual market share of TVT devices (H.265), we find:

[image: chinatvttakeslead]

from https://technology.ihs.com/api/binary/520143

It looks like most vendors are coming from China, and the market in 2013 was $13.5 billion for professional video surveillance. So, as usual, security is not as important as sales.

My recommendation? If you have a TVT video camera, REPLACE it with a technology that is different from this one, as it seems the TVT devices are not security tested. Run your own security tests.

It looks like you have to test and fix this problem.

Contact me to discuss

This is what I do as a security vulnerability analyst among others… https://fixvirus.com/sigma-service/

 

 

  1. https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html
  2. http://www.valuewalk.com/2015/12/iot-based-botnets-will-be-major-problem-by-2017-iid/
  3. http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html
  4. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6023

Cybersecurity and Internet: Too Complicated?

Brian Krebs (KrebsonSecurity¹) has a story of Cici’s Pizza with a data breach on June 3rd.

[image: krebsonseccicipizzabreach]

This credit card breach story is interesting but not what I want to discuss.

Instead let’s discuss “Todd”’s response in the comments.

1st response:

[image: todd1stresponse]

So obviously Todd wrote this response as an immediate reflex action and does not have an understanding of how Internet cybersecurity works.

He keeps trying to impugn the integrity of Brian Krebs and to reduce the actual faults (which he acknowledges) on his ‘placeholder’ website.

This is the problem, Todd: even a placeholder can be an attack vector, and obviously Todd does not understand this. Also, have you heard of watering hole attacks? A website is attacked and compromised, and the subsequent visitors to the website then get attacked without knowing that happened.

It is almost like saying: please hack us, we don’t pay attention to this site (last updated in 2012).

The other thing is, where PR is concerned, if you don’t know what to say, saying nothing is better.

Now let’s go to Todd’s 2nd response:

[image: todd2ndresponse]

This response just confirms Todd’s inexperience and naivete.

But the worst is yet to come…

Yes – the 3rd response:

[image: todd3rdresponse]

His last response does all the wrong things again – it admits to not caring about their website, and so what if we had adware injections to potential customers or our customers.

The third response proves that his responses are just reactionary and not well thought out, even though the first was posted June 5, 2016 at 1:45 pm, the 2nd at June 6, 2016 at 12:25 am and the final at June 5, 2016 at 10:47 pm (so obviously the responses were being sent quickly while Brian was making sure this was not spam, and he finally allowed them onto the site). But there were at least 9 hours and finally almost 12 hours between responses (which explains why there were no substantive changes in his responses).

Even though Todd claims to be part of a POS (Point of Sale) technology company, Todd apparently sees no connection between that and keeping his (in his eyes unimportant) website, which discusses POS technology, up to speed. Confirming it was not updated for 4 years is not a plus.

Also, claiming to “have a home page” because we have to have one misses the point of cybersecurity. You must protect all your assets, not just the ones 1 person is aware of.

Or at least fix them and update them on a regular basis, not every four years (i.e. when we get around to it).


So what can we learn from this Todd vs Brian exchange?

I would say do not try to engage with journalists, even if they are wrong, unless you have a crafted response, and stick to your points.

The points should not be:

A. We did not do it that badly (this is a bad argument on all accounts)

B. Our xyz property is not important – and none of our customers got hacked as a result of our mistake.

It is better to figure out the right response and maybe even ask someone else before actually responding.

 

Forgive me, but I want to point out the obvious: saying we did not screw up so badly is not what should be said. If you will accept blame, apologize without saying someone else is at fault, then fix the problem ASAP and say that.

Tell us how you will keep things together in the future; don’t start arguing with the journalist on minor semantics just to win a small battle.

But most of all, remember to do risk analysis and keep the following concept in mind (your limited-impact items are likely already hacked, and thus the attacker is already in the network trying to attack more interesting targets):

[image: failed-risk_management_model]

More info is in this past post² (Feb 8th, 2016).

So contact me to review your “non-essential” properties before they get hacked.

 

Finally, realize that the Internet is 24/7/365. If you don’t get that, would you accept no more Netflix at 2am on a Saturday? It is at 2am when you get attacked. Don’t whine about writing a story on Friday and needing a response at 2pm on Friday. Now we know why your company has problems.

Also, it looks like Brian’s comment software had a hiccup in ordering the comments when Brian took a little while (Friday evening) in sorting the comments once approved. I took them to be the 1st, 2nd and 3rd responses as they are listed top to bottom.

  1. http://krebsonsecurity.com/2016/06/banks-credit-card-breach-at-cicis-pizza/
  2. http://oversitesentry.com/not-patching-in-time-can-hurt/

Script Kiddie Breaks Into v3.9 WordPress

What happens when an enterprising young person is in front of a computer too long?

Oh yes one thing leads to another and WordPress is something to conquer.

It does require patience and diligence. Every day somebody is finding new vulnerabilities in new and old software (this problem was uncovered by the poster ‘speckz’ on reddit).

[image: wordpressscriptkiddieattack]

So in the image above (which is made up of snippets from the website¹ that speckz posted), I did not include the details of his analysis because I do not want to get into the weeds (PHP code etc.).

That is what a criminal and a good hacker do: diligently pursue code snippets until they reveal more information about the website technology.

The idea is for you to have someone who will keep an eye on your security, perform vulnerability analysis and more.

Either way you will pay some money to someone… either to ethical hackers or, as in the next point, to unethical extortionist hackers.

Threatpost² has a story which tells of 30 unsolicited bug poaching incidents. Here the ‘bug poachers’ are telling companies: “You have a bug in xyz software or system on your premises. Oh, and by the way, we already stole all your data.”

So what you need to do is give us (the poachers) $10,000 and we will tell you where the problem is, and we will not use the data we stole for nefarious deeds.

So do you believe these unethical criminal elements?

Paying extortion is bad because, guess what, it will happen again.

What you really need is to spend more money and resources on fixing all the IT process problems that are causing this in the first place. How can I say this with certainty?

Here is a quote from the Threatpost post:

“So far, none of the cases investigated use significant zero-day vulnerabilities, but rather tactics that could easily be prevented,” wrote Kuhn.

It is a shame that some IT orgs don’t have the wherewithal to get the resources in place.

[image: ostrich-head-insand]

Am I being too critical? Are we as humans too weak to get the right info tech help that will give us a good defensive umbrella? Is management just incapable of making good long term decisions?

The right methods in my opinion are the following:

  • A Next Gen Firewall
  • Patching your systems within 30-60 days after new patches come out (all patches should be performed after a good test)
  • Testing everything, even though every function has been performed – there is no way around this “testing”, as stuff happens and there is too much at stake for mistakes.

The problem is that 1 mistake causes problems, and problems turn into breaches … and extortion, ransomware etc. Script kiddies are coming and they are not stopping… because they can.

  1. https://notehub.org/5zo2v
  2. https://threatpost.com/hackers-find-bugs-extort-ransom-and-call-it-a-public-service/118360/

Contact Us to discuss

 

Why are There Cyber Security Issues?

Why are there constant patches for security problems inside software? Why???

Why do we have new security breaches? Every year new ones are found, and hackers use them to hack computers (which happen to have this breached software).

At the end of last year (2015) everyone was being circumspect and reviewed what happened: why is it we get new breaches and attacks every year?

There are also several blogs that have taken umbrage with Verizon’s DBIR (Data Breach Investigations Report).

Here are some:

  • OSVDB¹ blog
  • Rapid7 Blogpost²

Found another interesting analysis of Verizon’s DBIR: FoxGloveSecurity(6).

FoxGloveSecurity researched the types of vulnerabilities (of the ones in the report) and categorized them. Foxglove says the focus should be on remote command execution and its impact (51 instances):

Remote Command Execution – 51 Instances

  • SQL Injection – 12 Instances
  • Default Credentials – 6 Instances
  • Insecurely Configured Application Server – 6 Instances
  • Guessed Password – 5 Instances
  • Outdated Software – 5 Instances
  • SQL User is SA – 5 Instances
  • Single Factor Authentication – 3 Instances
  • Command Injection – 2 Instances
  • Insecure File Upload – 2 Instances
  • Public Credential Leakage – 2 Instances
  • Unsafe Deserialization – 2 Instances
  • Reflected Cross-site Scripting – 1 Instance

 

Notice that a fair amount of these are configuration errors or administration faults:

default credentials, insecure server config, guessed password, SQL User is SA, single factor authentication (30 instances). 59% of the remote command execution impact table are errors of some kind.

The top10 vulnerabilities in the report were:

  1. SQL Injection – 38 Instances
  2. Insecure Authorization – 23 Instances
  3. Insecure Direct Object Reference – 15 Instances
  4. Stored Cross-site Scripting – 13 Instances
  5. Insecure Authentication – 9 Instances
  6. Insecure Password Reset – 9 Instances
  7. Guessed Password – 9 Instances
  8. Default Credentials – 8 Instances
  9. Single Factor Authentication – 8 Instances
  10. Insecurely Configured Application Server – 6 Instances

 

Foxglove took the 51 remote code executions out of the top 10 (138 instances), as these are the most dangerous.

So obviously there are many potential vulnerabilities and system administration pitfalls which many entities can’t seem to handle.

I have another question to ask: why is security so hard? I ask this because the hits just keep on coming.

“Hackers Breach Goldcorp, Lifeboat, Qatar national Bank”³  5/4/16 story

“The Future of our City Services? Cyberattackers target Core Water Systems”(4)  3/23/16 story

“Another Hospital Computer System Down to Ransomware”(5) 2/29/16 story

[image: patchingvsattackersperfectsecuritynotpossible]

My attempt at explaining the thoughts that may go through management’s mind (above picture).

Apparently the difficulties of proper IT administration with security in mind have not been solved yet by most organizations.

What is so difficult about patching all your computers, changing default admin passwords, and even making sure the system administrator and the userid are not the same? Single factor authentication might have to do with budget considerations or not having the technical ability to handle switching to 2FA (Two Factor Authentication).

So the effect of constant change in security, the technical challenges as well as the administrative changes, is just difficult enough to give many companies problems.
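Two of the administration faults counted above (an application logging in as the SQL Server sa account, and default or blank passwords) can be caught by a few lines of config review before anyone attacks them. The following is an added example, not code from the post, from Verizon or from Foxglove: a small audit of named database connection strings that flags a privileged login or a default password, with the Reports entry showing the pattern you want instead (a dedicated, least-privileged account with a non-default password). SAMPLE_CONFIG is constructed, and DEFAULT_PASSWORDS is a tiny illustrative list rather than a real default-credential database.

```python
"""Added example: audit connection strings for 'SQL user is SA' and default
passwords. Not the post's or its sources' code; SAMPLE_CONFIG and the
password list are constructed for illustration.
"""

SUPERUSER_ACCOUNTS = {"sa", "root", "postgres", "admin", "administrator"}
DEFAULT_PASSWORDS = {"", "sa", "admin", "password", "changeme", "123456"}  # illustrative only

# Constructed sample: one connection string per application, INI-style.
# "Orders" runs as sa with the password "sa", "Legacy" has a blank password,
# "Reports" uses a dedicated read-only account and is the shape to aim for.
SAMPLE_CONFIG = """\
[connectionStrings]
Orders=Server=db01;Database=Orders;User Id=sa;Password=sa
Reports=Server=db02;Database=Reports;User Id=reports_ro;Password=N0t-a-default-9f2
Legacy=Server=db03;Database=Legacy;User Id=legacy_app;Password=
"""


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = (part.split("=", 1) for part in conn.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def audit_connection_string(conn):
    """Findings for one connection string; an empty list means nothing was flagged."""
    kv = parse_connection_string(conn)
    user = kv.get("user id") or kv.get("uid") or kv.get("user") or ""
    password = kv.get("password") if "password" in kv else kv.get("pwd", "")
    findings = []
    if user.lower() in SUPERUSER_ACCOUNTS:
        findings.append(f"application runs as privileged account '{user}'")
    if password.lower() in DEFAULT_PASSWORDS:
        findings.append("default or blank password")
    return findings


def audit_config(text):
    """Map each named connection string that has findings to its list of findings."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        name, conn = line.split("=", 1)
        findings = audit_connection_string(conn)
        if findings:
            report[name.strip()] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {'; '.join(findings)}")
```

Running it reports Orders and Legacy and stays silent on Reports; the same check fits naturally into a pre-deployment review or a periodic scan of configuration repositories.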

One solution is to have an outside entity test your environment.

 

[image: systemengineeringassecurity]

 

I know my solution is somewhat technical, but the point is to have a person test your environment (firewall, software, websites, or wifi device) so that the administration or configuration problems can be reviewed and fixed by the staff themselves.

The answer to the title is that there will always be cybersecurity issues with humans running things, because stuff happens and nothing is perfect.

Contact Me to discuss

  1. https://blog.osvdb.org/2016/04/27/a-note-on-the-verizon-dbir-2016-vulnerabilities-claims/
  2. https://community.rapid7.com/community/infosec/blog/2016/04/29/the-2016-verizon-data-breach-investigations-report-the-defenders-perspective
  3. http://www.esecurityplanet.com/hackers/hackers-breach-goldcorp-lifeboat-qatar-national-bank.html?utm_source=dlvr.it&utm_medium=twitter
  4. http://www.zdnet.com/article/the-future-of-our-city-services-cyberattackers-target-core-water-systems/
  5. http://oversitesentry.com/another-hospital-computer-system-down-due-to-ransomware/
  6. https://foxglovesecurity.com/2016/05/10/why-dos-isnt-compromise-5-years-of-real-penetration-test-data-to-stand-behind/

Don’t Trust And Verify

I know the Gipper had the famous saying:

[image: trustbutverify-ronaldreagan]

But that was only for Soviet Union arms control in the 1980s.

In the 1990s and early 2000s we had the following:

[image: trustbutverifyalwaysbackupyourwork]

“Trust but verify” and always back up your work.

But I think it is not enough in the 2010s, specifically on March 10th, 2016.

Now the motto in Cybersecurity should be the following:

DON’T TRUST AND VERIFY ALL PLUGINS!!!

[image: donttrustandverifyallplugins]

Why??? Why do we have to verify all plugins?

The Sucuri Blog¹ has an interesting post.

Have you heard of the Wooranker account at the WordPress Directory, where all the plugins are located?

The WooRanker developer took over the Custom Content Type Manager (CCTM) plugin, which had more than 10,000 installs.

[image: customcontenttypemanager]

This Wooranker ‘developer’ took over the CCTM plugin and created a hacked version 0.9.8.8, and thus over 10,000 installations unwittingly updated their plugin, causing the hacked or backdoored version to be installed.

Sucuri found an infected site with CCTM 0.9.8.8:

[image: backdoorinCCTM]

And as the Sucuri Blog continues to point out, on Feb 18th, 2016 “wooranker” made a change and added auto-update.php with the following message: “small tweeks by new owner”.

So the new owner made a new plugin update with the backdoor included.

So as a dutiful PCI-compliant person you updated the plugin and are now hacked.

This is why we “can’t trust the plugin and verify it”: we need to know about our suppliers and vendors. We need to review patches and plugin updates. On certain plugins we need to go the extra mile, review who is really working on the plugin and verify its authenticity. Otherwise a hacker will get into your site through the front door, with you installing it. It looks like PCI needs another update to its standard, because one cannot install a patch that has a backdoor???
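One concrete way to "review patches and plugin updates" is to keep a file manifest (path and SHA-256) of the plugin release you last reviewed and diff every update against it, so that a file that was never part of the plugin before, such as the auto-update.php Sucuri describes, shows up as an addition before it goes live. The code below is an added example, not Sucuri's or WordPress's tooling and not taken from the CCTM plugin: it assumes you have a copy of the reviewed release on disk, and the plugin file names and contents in demo() are constructed stand-ins (only the file name auto-update.php and the version number come from the post).

```python
"""Added example: compare a plugin update against the manifest of a reviewed release.

Not Sucuri's, WordPress's or the CCTM plugin's code. Assumes a copy of the
reviewed release is available; demo() builds constructed sample files.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large plugin assets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(plugin_dir: Path) -> dict:
    """Map each file path (relative to the plugin root, POSIX style) to its SHA-256."""
    return {
        p.relative_to(plugin_dir).as_posix(): sha256_file(p)
        for p in sorted(plugin_dir.rglob("*"))
        if p.is_file()
    }


def diff_manifests(trusted: dict, candidate: dict) -> dict:
    """Classify every path as added, removed or modified relative to the trusted manifest."""
    added = sorted(set(candidate) - set(trusted))
    removed = sorted(set(trusted) - set(candidate))
    modified = sorted(p for p in trusted.keys() & candidate.keys() if trusted[p] != candidate[p])
    return {"added": added, "removed": removed, "modified": modified}


def write_files(root: Path, files: dict) -> None:
    """Materialise a {relative path: text} mapping under root (used for the sample data)."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo() -> dict:
    """Constructed scenario: the reviewed release versus an update that adds auto-update.php."""
    reviewed = {
        "cctm.php": "<?php // plugin bootstrap (constructed sample)\n",
        "includes/loader.php": "<?php // loads modules (constructed sample)\n",
        "readme.txt": "Custom Content Type Manager\n",
    }
    updated = dict(reviewed)
    updated["readme.txt"] = "Custom Content Type Manager\nsmall tweeks by new owner\n"
    updated["auto-update.php"] = "<?php // file that was not in the reviewed release\n"
    with tempfile.TemporaryDirectory() as tmp:
        reviewed_dir, update_dir = Path(tmp, "reviewed"), Path(tmp, "update-0.9.8.8")
        write_files(reviewed_dir, reviewed)
        write_files(update_dir, updated)
        return diff_manifests(build_manifest(reviewed_dir), build_manifest(update_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the trusted manifest is generated once from a release you have read, stored outside the web root, and every update is staged and diffed before it is activated; any entry under "added" or "modified" is a file to read before trusting the update, whoever the current owner of the plugin is.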

 

Since hackers are human, and programmers and administrators are human, new attacks will take us to places we did not suspect before.

You know OSI’s (Open Systems Interconnection) 7-layer network model.

The 8th layer (the human element) will always be a problem.

Even safeguards can fail if humans don’t pay attention.

Having safeguards for the safeguards does not make sense; it is better to have principles that are simple to follow yet easy to remember.

Contact Me to discuss these “simple principles”

If you do have the CCTM plugin at version 0.9.8.8 you are infected – go to betanews.com² to fix it (it is not as simple as uninstalling).

  1. https://blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html
  2. http://betanews.com/2016/03/05/wordpress-plug-password-backdoor/