#so like. definitely guessability varies!! | Explore Tumblr Posts and Blogs

amberdscott2 · 6 years

Text

Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K

A monster distributed denial-of-service attack (DDoS) against KrebsOnSecurity.com in 2016 knocked this site offline for nearly four days. The attack was executed through a network of hacked “Internet of Things” (IoT) devices such as Internet routers, security cameras and digital video recorders. A new study that tries to measure the direct cost of that one attack for IoT device users whose machines were swept up in the assault found that it may have cost device owners a total of $323,973.75 in excess power and added bandwidth consumption.

My bad.

But really, none of it was my fault at all. It was mostly the fault of IoT makers for shipping cheap, poorly designed products (insecure by default), and the fault of customers who bought these IoT things and plugged them onto the Internet without changing the things’ factory settings (passwords at least.)

The botnet that hit my site in Sept. 2016 was powered by the first version of Mirai, a malware strain that wriggles into dozens of IoT devices left exposed to the Internet and running with factory-default settings and passwords. Systems infected with Mirai are forced to scan the Internet for other vulnerable IoT devices, but they’re just as often used to help launch punishing DDoS attacks.

By the time of the first Mirai attack on this site, the young masterminds behind Mirai had already enslaved more than 600,000 IoT devices for their DDoS armies. But according to an interview with one of the admitted and convicted co-authors of Mirai, the part of their botnet that pounded my site was a mere slice of firepower they’d sold for a few hundred bucks to a willing buyer. The attack army sold to this ne’er-do-well harnessed the power of just 24,000 Mirai-infected systems (mostly security cameras and DVRs, but some routers, too).

These 24,000 Mirai devices clobbered my site for several days with data blasts of up to 620 Gbps. The attack was so bad that my pro-bono DDoS protection provider at the time — Akamai — had to let me go because the data firehose pointed at my site was starting to cause real pain for their paying customers. Akamai later estimated that the cost of maintaining protection against my site in the face of that onslaught would have run into the millions of dollars.

We’re getting better at figuring out the financial costs of DDoS attacks to the victims (5, 6 or 7 -digit dollar losses) and to the perpetrators (zero to hundreds of dollars). According to a report released this year by DDoS mitigation giant NETSCOUT Arbor, fifty-six percent of organizations last year experienced a financial impact from DDoS attacks for between $10,000 and $100,000, almost double the proportion from 2016.

But what if there were also a way to work out the cost of these attacks to the users of the IoT devices which get snared by DDos botnets like Mirai? That’s what researchers at University of California, Berkeley School of Information sought to determine in their new paper, “rIoT: Quantifying Consumer Costs of Insecure Internet of Things Devices.”

If we accept the UC Berkeley team’s assumptions about costs borne by hacked IoT device users (more on that in a bit), the total cost of added bandwidth and energy consumption from the botnet that hit my site came to $323,973.95. This may sound like a lot of money, but remember that broken down among 24,000 attacking drones the per-device cost comes to just $13.50.

So let’s review: The attacker who wanted to clobber my site paid a few hundred dollars to rent a tiny portion of a much bigger Mirai crime machine. That attack would likely have cost millions of dollars to mitigate. The consumers in possession of the IoT devices that did the attacking probably realized a few dollars in losses each, if that. Perhaps forever unmeasured are the many Web sites and Internet users whose connection speeds are often collateral damage in DDoS attacks.

Image: UC Berkeley.

Anyone noticing a slight asymmetry here in either costs or incentives? IoT security is what’s known as an “externality,” a term used to describe “positive or negative consequences to third parties that result from an economic transaction. When one party does not bear the full costs of its actions, it has inadequate incentives to avoid actions that incur those costs.”

In many cases negative externalities are synonymous with problems that the free market has a hard time rewarding individuals or companies for fixing or ameliorating, much like environmental pollution. The common theme with externalities is that the pain points to fix the problem are so diffuse and the costs borne by the problem so distributed across international borders that doing something meaningful about it often takes a global effort with many stakeholders — who can hopefully settle upon concrete steps for action and metrics to measure success.

The paper’s authors explain the misaligned incentives on two sides of the IoT security problem:

-“On the manufacturer side, many devices run lightweight Linux-based operating systems that open doors for hackers. Some consumer IoT devices implement minimal security. For example, device manufacturers may use default username and password credentials to access the device. Such design decisions simplify device setup and troubleshooting, but they also leave the device open to exploitation by hackers with access to the publicly-available or guessable credentials.”

-“Consumers who expect IoT devices to act like user-friendly ‘plug-and-play’ conveniences may have sufficient intuition to use the device but insufficient technical knowledge to protect or update it. Externalities may arise out of information asymmetries caused by hidden information or misaligned incentives. Hidden information occurs when consumers cannot discern product characteristics and, thus, are unable to purchase products that reflect their preferences. When consumers are unable to observe the security qualities of software, they instead purchase products based solely on price, and the overall quality of software in the market suffers.”

The UK Berkeley researchers concede that their experiments — in which they measured the power output and bandwidth consumption of various IoT devices they’d infected with a sandboxed version of Mirai — suggested that the scanning and DDoSsing activity prompted by a Mirai malware infection added almost negligible amounts in power consumption for the infected devices.

Thus, most of the loss figures cited for the 2016 attack rely heavily on estimates of how much the excess bandwidth created by a Mirai infection might cost users directly, and as such I suspect the $13.50 per machine estimates are on the high side.

No doubt, some Internet users get online via an Internet service provider that includes a daily “bandwidth cap,” such that over-use of the allotted daily bandwidth amount can incur overage fees and/or relegates the customer to a slower, throttled connection for some period after the daily allotted bandwidth overage.

But for a majority of high-speed Internet users, the added bandwidth use from a router or other IoT device on the network being infected with Mirai probably wouldn’t show up as an added line charge on their monthly bills. I asked the researchers about the considerable wiggle factor here:

“Regarding bandwidth consumption, the cost may not ever show up on a consumer’s bill, especially if the consumer has no bandwidth cap,” reads an email from the UC Berkeley researchers who wrote the report, including Kim Fong, Kurt Hepler, Rohit Raghavan and Peter Rowland.

“We debated a lot on how to best determine and present bandwidth costs, as it does vary widely among users and ISPs,” they continued. “Costs are more defined in cases where bots cause users to exceed their monthly cap. But even if a consumer doesn’t directly pay a few extra dollars at the end of the month, the infected device is consuming actual bandwidth that must be supplied/serviced by the ISP. And it’s not unreasonable to assume that ISPs will eventually pass their increased costs onto consumers as higher monthly fees, etc. It’s difficult to quantify the consumer-side costs of unauthorized use — which is likely why there’s not much existing work — and our stats are definitely an estimate, but we feel it’s helpful in starting the discussion on how to quantify these costs.”

Measuring bandwidth and energy consumption may turn out to be a useful and accepted tool to help more accurately measure the full costs of DDoS attacks. I’d love to see these tests run against a broader range of IoT devices in a much larger simulated environment.

If the Berkeley method is refined enough to become accepted as one of many ways to measure actual losses from a DDoS attack, the reporting of such figures could make these crimes more likely to be prosecuted.

Many DDoS attack investigations go nowhere because targets of these attacks fail to come forward or press charges, making it difficult for prosecutors to prove any real economic harm was done. Since many of these investigations die on the vine for a lack of financial damages reaching certain law enforcement thresholds to justify a federal prosecution (often $50,000 – $100,000), factoring in estimates of the cost to hacked machine owners involved in each attack could change that math.

But the biggest levers for throttling the DDoS problem are in the hands of the people running the world’s largest ISPs, hosting providers and bandwidth peering points on the Internet today. Some of those levers I detailed in the “Shaming the Spoofers” section of The Democraticization of Censorship, the first post I wrote after the attack and after Google had brought this site back online under its Project Shield program.

By the way, we should probably stop referring to IoT devices as “smart” when they start misbehaving within three minutes of being plugged into an Internet connection. That’s about how long your average cheapo, factory-default security camera plugged into the Internet has before getting successfully taken over by Mirai. In short, dumb IoT devices are those that don’t make it easy for owners to use them safely without being a nuisance or harm to themselves or others.

Maybe what we need to fight this onslaught of dumb devices are more network operators turning to ideas like IDIoT, a network policy enforcement architecture for consumer IoT devices that was first proposed in December 2017. The goal of IDIoT is to restrict the network capabilities of IoT devices to only what is essential for regular device operation. For example, it might be okay for network cameras to upload a video file somewhere, but it’s definitely not okay for that camera to then go scanning the Web for other cameras to infect and enlist in DDoS attacks.

So what does all this mean to you? That depends on how many IoT things you and your family and friends are plugging into the Internet and your/their level of knowledge about how to secure and maintain these devices. Here’s a primer on minimizing the chances that your orbit of IoT things become a security liability for you or for the Internet at large.

from Amber Scott Technology News https://krebsonsecurity.com/2018/05/study-attack-on-krebsonsecurity-cost-iot-device-owners-323k/

0 notes

nedsvallesny · 6 years

Text

Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K

My bad.

Image: UC Berkeley.

The paper’s authors explain the misaligned incentives on two sides of the IoT security problem:

from Technology News https://krebsonsecurity.com/2018/05/study-attack-on-krebsonsecurity-cost-iot-device-owners-323k/

0 notes

jennifersnyderca90 · 6 years

Text

Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K

My bad.

Image: UC Berkeley.

The paper’s authors explain the misaligned incentives on two sides of the IoT security problem:

from https://krebsonsecurity.com/2018/05/study-attack-on-krebsonsecurity-cost-iot-device-owners-323k/

0 notes

noahelaleman-blog · 6 years

Text

Cyber security A-Z

- Active attacks are what are most commonly thought of when the term “hacking" is used. Unlike passive attacks, which I will define a little later, an active attack would be something like a “denial of service” attack. The easiest way to avoid these types of attacks is by deleting potentially malicious spam mail, and not clicking on pop-up ads.

-Anti-Virus,

-Anti-Gapped network( Air gapping is a security measure that isolates a secure network from unsecure networks physically, electrically and electromagnetically. )

-Black hat( A black hat is a computer hacker who works to harm others (e.g., steal identities, spread computer viruses, install bot software). ),

-Brute force attack( Brute-force attacks can be made less effective by obfuscating the data to be encoded making it more difficult for an attacker to recognize when the code has been cracked or by making the attacker do more work to test each guess ),

-Back door A backdoor is a means to access a computer system or encrypted data that bypasses the system's customary security mechanisms. ,

-Botnet A portmanteau of "robot" and "network." Refers to networks of sometimes millions of infected machines that are remotely controlled by malicious actors.

-Criptologia is the practice and study of techniques for secure communication in the presence of third parties called adversaries.

-Cyber crime n its broadest definition, cybercrime includes all crime perpetrated with or involving a computer.

-DDOS he disabling of a targeted website or Internet connection by flooding it with such high levels of Internet traffic that it can no longer respond to normal connection requests. Often mounted by directing an army of zombie computers

-Data mining The process of extracting hidden information and correlations from one or more databases or collections of data that would not normally be revealed by a simple database query. ,

-Dumpster diving A method of obtaining proprietary, confidential or useful information by searching through trash discarded by a target.

- Data Breach: “The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information”

- Digital Forensics: “The process and specialized techniques for gathering, retaining and analyzing system-related data (digital evidence) for investigative purposes”

-Exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic

-Firewall is a network security system that monitors and controls incoming and outgoing network trafficbased on predetermined security rules.

-Glitch is a sudden break in function or continuity, sometimes of a transient nature, with a varying degree of seriousness.

-Hacker Advanced computer users who spend a lot of time on or with computers and work hard to find vulnerabilities in IT systems. ,

-Honeypot A computer, network or other information technology resource set as a trap to attract attacks. Honeypots may be used to collect metrics (how long does it take for an unprotected system to be breached), to test defenses, to examine methods of attack or to catch attackers. A honeypot system may also be used to collect SPAM so it can be added to a blacklist.

Identity fraud The exploitation by malevolent third parties of unwarranted access to clients' or consumers' identities. Often the result of lax data security or privacy measures. ,

-Internet relay chat A method of real-time Internet communication often used by criminals to buy and sell purloined information such as credit card numbers and personal identity information. IRC chatrooms may be open or private. ,

-Internet is the global system of interconnected computer networks that use the Internet protocol suite (TCP/IP) to link devices worldwide.

Junk mail refers to unsolicited bulk messages being sent through email, instant messaging or other digital communication tools. It is generally used by advertisers because there are no operating costs beyond that of managing their mailing lists.

-Kinetic attack Traditional mode of warfare in which arms are used to kill opponents and/or destroy an opponent's infrastructure. Usually used to distinguish a cyber attack in which destruction of the opponent's resources is accomplished through targeted information system attacks without resorting to bullets, bombs or explosives. ,

-Key logger Software or hardware that monitors and logs the keystrokes a user types into a computer. The keylogger may store the key sequences locally for later retrieval or send them to a remote location. A hardware keylogger can only be detected by physically inspecting the computer for unusual hardware.

- Login,

-Lawfare The use of international law to damage an opponent in a war without use of arms.

--Malware A variety of computer software designed to infiltrate a user's computer specifically for malicious purposes. Includes, inter alia, computer virus software, botnet software, computer worms, spyware, trojan horses, crimeware and rootkits.

-Network computer network, also called a data network, is a series of points, or nodes, interconnected by communication paths for the purpose of transmitting, receiving and exchanging data, voice and video traffic.

-Online connected by computer to one or more other computers or networks, as through a commercial electronic information service or the Internet.

-Password weakness Security threats caused by the use of easily guessable passwords which protect vital stores of confidential information stored online. --

-Patching refers to the installation of a piece of software designed to fix problems with, or update a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance. Though meant to fix problems, poorly designed patches can sometimes introduce new problems. ,

-Phishing The criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

-Privacy law Laws which regulate the protection of confidential personal information stored in private records or disclosed to a professional. Also includes laws which regulate the gathering of electronic data in which personal information is accumulated or misappropriated.

- Passive Attack: “An actual assault perpetrated by an intentional threat source that attempts to learn more or make use of information from a system but does not attempt to alter the system, its resources, its data or its operations”

-Red team structured, iterative process executed by trained, educated and practiced team members that provides commanders an independent capability to continuously challenge plans, operations, concepts, organizations and capabilities in the context of the operational environment and from our partners’ and adversaries’ perspectives. ,

- Ransoftware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. ,

-Research and development (R&D) addressing cyber security and information infrastructure protection.

-Software is a part of a computer system that consists of data or computer instructions, in contrast to the physical hardware from which the system is built

-Scareware Software or web site that purports to be security software reporting a threat against a user's computer to convince the user to purchase unneeded software or install malware. ,

-Shoulder surfing The process of obtaining passwords or other sensitive information by covertly watching an authorized user enter information into a computer system ,

-SPAM Unwanted or junk email usually sent indiscriminately in bulk selling illegal or near illegal goods or services. Even with low response rates and heavy filtering, SPAM can stil be economically viable because of the extremely low costs in sending even huge quantities of electronic messages. ,

-Sponsored attacks Computer network attacks commissioned by, supported by or carried out by a state or government.

-Trojan Malware which masquerades as some other type of program such as a link to a web site, a desirable image, etc. to trick a user into installing it. Named for the Ancient Greek legend of the Trojan Horse

-USB is a data storage device that includes flash memory with an integrated USB interface. It is typically removable, rewritable and much smaller than an optical disc.

-Virus A computer virus is malicious code that replicates by copying itself to another program, computer boot sector or document and changes how a computer works. ,

-Virtual military warfare Warfare made possible by advances in remotely controlled or semiautomated military technologies which remove the operator from risk of harm while attacking an opponent.

-White hat A white hat is a computer hacker who works to find and fix computer security risks. White hat consultants are often hired to attempt to break into their client's network to see if all security holes have been addressed. ,

-wanna cry WannaCry is a ransomware worm that spread rapidly through across a number of computer networks in May of 2017 ,

-whitelist A list of computers, IP (Internet Protocol) addresses, user names or other identifiers to specifically allow access to a computing resource. Normally combined with a default "no-access" policy. ,worm A type of malware that replicates itself and spreads to other computers through network connections.

-Xploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic

-Zombie is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic ,

-zero day exploit Malware designed to exploit a newly discovered security hole unknown to the software developer. "Zero-day" refers to the amount of time a developer has between learning of a security hole and the time it becomes public or when black hat hackers find out about it and try to use the security hole for nefarious purposes.

0 notes