Arsenic Lupin
Apr 12, 2012

This particularly rapid💨 unintelligible 😖patter💁 isn't generally heard🧏‍♂️, and if it is🤔, it doesn't matter💁.


Many of the fundamental pieces of the Internet were designed through an RFC process that was created for a world where everybody was cooperating with one another, and where intentional bad actors weren't really envisioned. This worked pretty well for a couple of decades or so, until the Internet stopped being a smallish set of corporations and universities trading data and became what everybody everywhere used all the time. [Feel free to denounce the history here, which is based entirely on my memory; I started using Usenet in 1983.]

Nowadays we're stuck with an infrastructure that isn't designed to detect spoofing, and that isn't designed to identify and reject selected traffic. Approaches like making mail originators authenticate and sign their messages are moving at a glacial pace.

Tell me about what redesigns and reimplementations are taking place, what changes are needed and will never happen, how you tell the difference between state actors and criminal actors, and anything else you think is relevant.

e: Major security dude Bruce Schneier wrote an excellent essay last month called Someone Is Trying to Take Down the Internet.

Arsenic Lupin fucked around with this message at 22:50 on Oct 21, 2016


Moridin920
Nov 15, 2007

by FactsAreUseless
Worth noting that apparently the tool that was used is Mirai, which apparently just connects to DVRs and CC cameras and other networked devices and checks a list of 61 default passwords to see if it can get access. Not surprisingly, it gets a hold of shittons and then can use them to launch an attack.

Gee just randomize an alphanumeric password and print it on the manual no? Require a physical button to reset it to a temporary default for a couple hours in case you are locked out?

Stinky_Pete
Aug 16, 2015

Stinkier than your average bear
Lipstick Apathy
If you're still having connection issues, try pointing your network at Google DNS or OpenDNS

Google DNS is

8.8.8.8
8.8.4.4

I forget OpenDNS


Anyway, as I said in the GBS thread:

Services like Google Shield have dedicated machines do the filtering out of attacker IP addresses on a server's behalf, but I guess DYN didn't have that, or it took them until a half hour ago to put something like that in place

Stinky_Pete
Aug 16, 2015

Stinkier than your average bear
Lipstick Apathy

Moridin920 posted:

Worth noting that apparently the tool that was used is Mirai, which apparently just connects to DVRs and CC cameras and other networked devices and checks a list of 61 default passwords to see if it can get access. Not surprisingly, it gets a hold of shittons and then can use them to launch an attack.

Gee just randomize an alphanumeric password and print it on the manual no? Require a physical button to reset it to a temporary default for a couple hours in case you are locked out?

If I were a router manufacturer, I would generate a random set of 3 or 4 words for user ease and have it attached via sticker like the MAC address. People discard manuals and manage their routers infrequently enough that forgetting is the primary reason for having a default that you can just something search.

Arsenic Lupin
Apr 12, 2012

This particularly rapid💨 unintelligible 😖patter💁 isn't generally heard🧏‍♂️, and if it is🤔, it doesn't matter💁.


Stinky_Pete posted:

If I were a router manufacturer, I would generate a random set of 3 or 4 words for user ease and have it attached via sticker like the MAC address. People discard manuals and manage their routers infrequently enough that forgetting is the primary reason for having a default that you can just something search.

Default passwords make customer service's life so much easier. Every time I have to call Comcast I say "no, I'm not using the default password, I'm using blahblah". Once a CSR tried to convince me that changing the default password and network name were causing my problem. People who use the default username/password are much easier to walk through problems.

Stinky_Pete
Aug 16, 2015

Stinkier than your average bear
Lipstick Apathy
Is it so hard to ask someone to pick up their router and--yes. Yes it is. Of course it is.

Burt Sexual
Jan 26, 2006

by Jeffrey of YOSPOS
Switchblade Switcharoo
Geographically distributed, real time load balancing, next.

Arsenic Lupin
Apr 12, 2012

This particularly rapid💨 unintelligible 😖patter💁 isn't generally heard🧏‍♂️, and if it is🤔, it doesn't matter💁.


Per Krebs on Security, the vast majority of the devices in this botnet are traceable to one company that hard-codes the Telnet and SSH passwords into the device. :cry:

quote:

According to researchers at security firm Flashpoint, today’s attack was launched at least in part by a Mirai-based botnet. Allison Nixon, director of research at Flashpoint, said the botnet used in today’s ongoing attack is built on the backs of hacked IoT devices — mainly compromised digital video recorders (DVRs) and IP cameras made by a Chinese hi-tech company called XiongMai Technologies. The components that XiongMai makes are sold downstream to vendors who then use it in their own products.

“It’s remarkable that virtually an entire company’s product line has just been turned into a botnet that is now attacking the United States,” Nixon said, noting that Flashpoint hasn’t ruled out the possibility of multiple botnets being involved in the attack on Dyn.

“At least one Mirai [control server] issued an attack command to hit Dyn,” Nixon said. “Some people are theorizing that there were multiple botnets involved here. What we can say is that we’ve seen a Mirai botnet participating in the attack.”

As I noted earlier this month in Europe to Push New Security Rules Amid IoT Mess, many of these products from XiongMai and other makers of inexpensive, mass-produced IoT devices are essentially unfixable, and will remain a danger to others unless and until they are completely unplugged from the Internet.

That’s because while many of these devices allow users to change the default usernames and passwords on a Web-based administration panel that ships with the products, those machines can still be reached via more obscure, less user-friendly communications services called “Telnet” and “SSH.”

Telnet and SSH are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type “cmd.exe” to launch a command prompt, and then type “telnet” to reach a username and password prompt at the target host).

“The issue with these particular devices is that a user cannot feasibly change this password,” Flashpoint’s Zach Wikholm told KrebsOnSecurity. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist.”

Flashpoint’s researchers said they scanned the Internet on Oct. 6 for systems that showed signs of running the vulnerable hardware, and found more than 515,000 of them were vulnerable to the flaws they discovered.

Stinky_Pete
Aug 16, 2015

Stinkier than your average bear
Lipstick Apathy

Liquid Communism
Mar 9, 2004


Out here, everything hurts.




Arsenic Lupin posted:

Default passwords make customer service's life so much easier. Every time I have to call Comcast I say "no, I'm not using the default password, I'm using blahblah". Once a CSR tried to convince me that changing the default password and network name were causing my problem. People who use the default username/password are much easier to walk through problems.

They make everyone's life easier. I probably reset a half dozen enterprise grade Cisco devices to defaults a month for people.

Arsenic Lupin
Apr 12, 2012

This particularly rapid💨 unintelligible 😖patter💁 isn't generally heard🧏‍♂️, and if it is🤔, it doesn't matter💁.


My latest Comcast router at least has a permanent label with the randomly generated default password and network name.... On the bottom.

Jasper Tin Neck
Nov 14, 2008


"Scientifically proven, rich and creamy."

I believe it will at some point become necessary to institute an Internet connectivity tax to discourage people from buying cheap Internet-enabled coffee makers or buttplugs just for the novelty. If a product doesn't deliver an extra $20 worth by virtue of being internet enabled, you probably shouldn't buy it in the first place.

We're also going to need legislation. Connecting a device with remote control capabilities to the Internet without changing the default password is like putting a gun safe on your porch and leaving the keys in the lock. That level of negligence needs to be criminal.

Burt Sexual
Jan 26, 2006

by Jeffrey of YOSPOS
Switchblade Switcharoo

Jasper Tin Neck posted:

I believe it will at some point become necessary to institute an Internet connectivity tax to discourage people from buying cheap Internet-enabled coffee makers or buttplugs just for the novelty. If a product doesn't deliver an extra $20 worth by virtue of being internet enabled, you probably shouldn't buy it in the first place.

We're also going to need legislation. Connecting a device with remote control capabilities to the Internet without changing the default password is like putting a gun safe on your porch and leaving the keys in the lock. That level of negligence needs to be criminal.

Lol what?

You protect the assets that are valuable, like maybe a DNS server farm. Three olives kuierig isn't the problem.

Your tax plan sounds elitist too, not to mention your criminal charge plan to lock up your own grandma that run an aol browser

Jeb Bush 2012
Apr 4, 2007

A mathematician, like a painter or poet, is a maker of patterns. If his patterns are more permanent than theirs, it is because they are made with ideas.

Burt Sexual posted:

Lol what?

You protect the assets that are valuable, like maybe a DNS server farm. Three olives kuierig isn't the problem.

do you read the news

do you know what a botnet is

Jasper Tin Neck posted:

I believe it will at some point become necessary to institute an Internet connectivity tax to discourage people from buying cheap Internet-enabled coffee makers or buttplugs just for the novelty. If a product doesn't deliver an extra $20 worth by virtue of being internet enabled, you probably shouldn't buy it in the first place.

We're also going to need legislation. Connecting a device with remote control capabilities to the Internet without changing the default password is like putting a gun safe on your porch and leaving the keys in the lock. That level of negligence needs to be criminal.

Mandating minimum security standards for IoT devices seems better than prosecuting people for not knowing why their internet fridge is bad

Burt Sexual
Jan 26, 2006

by Jeffrey of YOSPOS
Switchblade Switcharoo

Jeb Bush 2012 posted:

do you read the news

do you know what a botnet is


Mandating minimum security standards for IoT devices seems better than prosecuting people for not knowing why their internet fridge is bad

Yes and agree. That was my point, badly made. Joe plumber can't be held responsible.

Jasper Tin Neck
Nov 14, 2008


"Scientifically proven, rich and creamy."

Burt Sexual posted:

Lol what?

You protect the assets that are valuable, like maybe a DNS server farm. Three olives kuierig isn't the problem.

Recent high profile DDOS attacks have been just shitloads of DVRs and webcams bombing servers with traffic.

Burt Sexual posted:

Your tax plan sounds elitist too, not to mention your criminal charge plan to lock up your own grandma that run an aol browser

Relax, I'm not coming after your elderly relatives. My point was maybe poorly worded, but poo poo like this:

Arsenic Lupin posted:

Per Krebs on Security, the vast majority of the devices in this botnet are traceable to one company that hard-codes the Telnet and SSH passwords into the device. :cry:
and this:

Arsenic Lupin posted:

Every time I have to call Comcast I say "no, I'm not using the default password, I'm using blahblah". Once a CSR tried to convince me that changing the default password and network name were causing my problem.
Absolutely needs to be criminal. Setting up your customers for easy hacking should be criminal in the same way it's criminal to sell your grandma Christmas lights that will set her house on fire.


Slime
Jan 3, 2007

Arsenic Lupin posted:

My latest Comcast router at least has a permanent label with the randomly generated default password and network name.... On the bottom.

Theoretically this means that apart from the vanishingly small odds of guessing a randomly generated password a potential attacker would actually need to break into your house, look under your router for the password and use it in which case gently caress, they've got physical access to the device anyway which means they can basically do whatever they want with it if they know how.

in practice comcast probably generated a few dozen passwords then called it a day
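
Added example, not part of any post in this thread: a sketch of the per-device random default (alphanumeric or a few words on a sticker) suggested earlier in the thread, with a batch audit that catches the "few dozen passwords" failure mode raised in the last post. The wordlist, device IDs and function names are constructed for illustration.

```python
import math
import secrets
import string
from collections import Counter

ALPHANUM = string.ascii_letters + string.digits  # 62 symbols

# Constructed sample wordlist; a production list would hold thousands of words.
WORDS = ["amber", "basil", "cedar", "delta", "ember", "fjord", "grove", "heron",
         "ivory", "jolly", "kayak", "lemon", "maple", "noble", "olive", "pearl"]

def random_password(length=12):
    """Per-device alphanumeric default drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))

def random_passphrase(n_words=4, words=WORDS):
    """Per-device word-based default, easier to read off a sticker."""
    return "-".join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` independent uniform picks."""
    return length * math.log2(alphabet_size)

def provision(n_devices, make_password):
    """Assign a factory default to each (hypothetical) device ID."""
    return {f"dev-{i:05d}": make_password() for i in range(n_devices)}

def audit_batch(defaults):
    """Summarise password reuse across a batch (device_id -> default)."""
    counts = Counter(defaults.values())
    return {
        "devices": len(defaults),
        "distinct": len(counts),
        "most_shared": max(counts.values()),
        "reused": sum(n for n in counts.values() if n > 1),
    }

if __name__ == "__main__":
    good = provision(1000, random_password)
    pool = [random_password() for _ in range(24)]  # "a few dozen" defaults
    bad = provision(1000, lambda: secrets.choice(pool))
    print("12-char alphanumeric:", round(entropy_bits(62, 12), 1), "bits")
    print("4 words from a 7776-word list:", round(entropy_bits(7776, 4), 1), "bits")
    print("pool of 24 shared defaults:", round(entropy_bits(24, 1), 1), "bits")
    print("unique per device:", audit_batch(good))
    print("small shared pool:", audit_batch(bad))
```

A strong-looking password drawn from a small shared pool is only as hard to guess as the pool is large, which is why the audit counts distinct values rather than inspecting any single password.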
