ROCA Rocks the Crypto Industry That Was KRACK’d Only Days Ago

The security/cryptography industry has recently taken a battering. Hot on the heels of the KRACK WiFi network vulnerability comes an even bigger, more calamitous and more widespread hazard – the ROCA hack has exposed millions of smartcards, laptops, devices and secure systems to potential criminal activity.

Infineon Technologies AG is a multi-billion dollar, 18-year old German chipmaker that was originally part of Siemens, with 36,000 employees in 166 locations in over 25 countries. It claims to be “the leading provider of security solutions with robust, future-proof embedded security hardware”.

Infineon developed an encryption code library around 2012 that is compliant with recognized global security certification standards, yet it contains a deadly flaw. The fault means that many of the public cryptography keys it generates can be decomposed relatively easily to reveal the corresponding private key. That means that all of its keys are suspect and would not stand up in a court of law as proof that a named party digitally signed a document, or a piece of software, or government identity cards (e.g. Slovakia, Estonia). It also means that criminals could impersonate the true signatory. Hackers could inject malicious code into genuine software products and distribute them as though they were authenticated and digitally signed by the manufacturer.

Infineon did not perform adequate due diligence QA on the code library. As a result, some of the public keys, or moduli, it produces are easily factored. At the core of many encryption systems is a very large integer, calculated by multiplying two prime numbers together to arrive at a semiprime number. Some of Infineon’s public keys can be factored because the component prime numbers can be reverse-engineered. Researchers can identify, or fingerprint, which public keys are vulnerable. Wikipedia defines key fingerprinting in public-key cryptography as “a short sequence of bytes used to identify a longer public key.”

In the ROCA hack (“Return of Coppersmith’s Attack”), researchers developed a version of an existing factorization method, Coppersmith’s attack. It leveraged the vulnerability that the modulus, or public key, can be factored to reveal the crucial primes. Factorizing the public key still requires considerable computing power and time, and the researchers used Amazon cloud compute services as a benchmark to illustrate the effort and cost. Once a public key has been fingerprinted as potentially factorizable using this tool, a 1024-bit key would take just a few minutes to break, at a cost of approximately $75. A 2048-bit key would cost about $40,000 to crack and would take a little more than two weeks. A properly generated key would take millions of years and could not be broken in practical terms. These estimates illustrate the relative strengths of weak and strong keys.
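The fingerprinting step mentioned above can be reproduced offline from a public modulus alone. The following is an added example written for this page, not Infineon’s library or the researchers’ own detection tool. It follows the published observation that affected primes have the form k·M + (65537^a mod M) for a primorial M, so a vulnerable modulus n satisfies n mod p ∈ ⟨65537⟩ mod p for every small prime p. The list of small primes (those up to 167), the function names and the sample moduli are assumptions constructed here for illustration; the ROCA-like modulus is built with the vulnerable structure but its factors are not checked for primality, since the fingerprint does not need that.

```python
# Added example: fingerprinting an RSA modulus for the ROCA key structure.
# Illustrative code written for this page, not Infineon's library nor the
# researchers' roca-detect tool. A vulnerable modulus n satisfies
# n mod p in <65537> mod p for every small prime p, because affected primes
# have the form k*M + (65537^a mod M) with M the product of those primes.
from math import prod

# Assumption: the check uses the first odd primes up to 167.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537  # the public exponent the flawed generator builds on


def subgroup_residues(p: int, g: int = GENERATOR) -> frozenset:
    """All residues g^i mod p, i.e. the cyclic subgroup generated by g."""
    residues, x = set(), 1
    while x not in residues:
        residues.add(x)
        x = (x * g) % p
    return frozenset(residues)


# Precompute the allowed residue set for every small prime.
ALLOWED = {p: subgroup_residues(p) for p in SMALL_PRIMES}


def has_roca_fingerprint(n: int) -> bool:
    """True if n is consistent with the ROCA key structure for all small primes.

    For primes where 65537 generates the whole multiplicative group the test
    is vacuous; the discriminating power comes from primes such as 11, where
    65537 = -1 (mod 11) and only the residues {1, 10} are allowed.
    """
    return all(n % p in ALLOWED[p] for p in SMALL_PRIMES)


def discriminating_primes() -> list:
    """Small primes whose allowed residue set is smaller than the full group."""
    return [p for p in SMALL_PRIMES if len(ALLOWED[p]) < p - 1]


def build_roca_like_modulus(a: int, b: int) -> int:
    """Construct sample test data with the vulnerable structure (not a real key).

    The two factors are k*M + (65537^a mod M); they are not checked for
    primality, which the fingerprint test does not require.
    """
    M = prod(SMALL_PRIMES)
    p = 7 * M + pow(GENERATOR, a, M)
    q = 11 * M + pow(GENERATOR, b, M)
    return p * q


if __name__ == "__main__":
    vuln = build_roca_like_modulus(12345, 67890)
    # Constructed ordinary modulus, chosen so n mod 11 == 2, outside {1, 10}.
    safe = 11 * 123456789012345678901234567890123456789 + 2
    print("discriminating primes:", discriminating_primes())
    print("ROCA-like modulus flagged:", has_roca_fingerprint(vuln))
    print("ordinary modulus flagged:", has_roca_fingerprint(safe))
```

The false-positive rate of this check is negligible for a randomly generated modulus because the residues modulo the discriminating primes would have to fall into small subgroups at every one of them simultaneously; a defender can therefore run it over an entire key inventory (certificates, TPM endorsement keys, smartcard public keys) and treat a positive result as a key to revoke and regenerate.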

How widespread is this?

There are tens of millions of these Infineon RSA keys in the field. Trusted Platform Modules (TPMs), the embedded chips designed to safeguard hardware by holding crypto keys, generating secure keys and authenticating credentials for remote login, are affected as well. Many Windows devices manufactured by HP, Fujitsu, and Lenovo are impacted; Google Chromebooks are similarly affected. Any device that utilizes Infineon RSA technology must be patched.

Concerns for the security industry

The organization that leads global certification of encryption methods is the National Institute of Standards and Technology (NIST), and the most important standards are FIPS 140-2 Level 2 and the Common Criteria. This is the second credibility hit to certified encryption technology in four years: Taiwan’s certified digital ID secure technology was discovered to contain a flaw that could enable a hacker to adopt another user’s persona. Standards and certification will surely be reassessed and strengthened to reclaim credibility.

Is there any good news?

Yes. The vulnerability applies only to keys that were generated by the Infineon RSA encryption technology. RSA keys generated with software such as PGP, OpenSSL, and similar are not impacted. Neither are non-RSA keys, such as those using Elliptic Curve Cryptography and other technologies. In any case, only keys that were generated by a smartcard or an embedded device using the Infineon code library exhibit this flaw.

Every WiFi Network in the World is Potentially at Risk

They have called it KRACK (Key Reinstallation Attack), and it uncovers a vulnerability in practically every modern WiFi network in the world. The flaw lies at the heart of the WPA2 security protocol that controls access and encrypts traffic. It can be leveraged to snoop on confidential information such as emails, credit card details, passwords and so on.

Who is impacted?

Businesses and individuals, institutions and enterprises, personal and corporate networks – every network that uses WPA2 or the older WPA1, with any of the ciphers GCMP, AES-CCMP and WPA-TKIP. Windows, Linux, Apple, Android, Linksys, MediaTek and OpenBSD have all been shown to be vulnerable to KRACK attacks. In fact, Android 6 users are the most vulnerable.

What exactly is the flaw?

When a user connects to a WiFi network, WPA2 uses what is called a 4-way handshake to validate the user’s credentials and connect authorized users to the network. Step 3 of that handshake process involves generating and installing a unique session key. The flaw means that this step can be manipulated to reinstall a key from a previous session or, in the case of Android 6, to install a key consisting entirely of zeros; hence the name Key Reinstallation Attack. A hacker could therefore pose as an existing legitimate user and tap into the data going to and from that user, or inject malware into a data stream to or from that user.
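To make the mechanism concrete, here is an added toy model of the client (supplicant) side of the handshake, written for this page rather than taken from wpa_supplicant or the KRACK researchers. It strips the protocol down to two pieces of state, the installed session key and the packet counter that CCMP uses as its nonce, and shows that a replayed message 3 resets the counter on an unpatched client, so the same (key, nonce) pair is used twice, while a patched client that refuses to reinstall an already-installed key never reuses a nonce. The class and function names, the simplified message format and the session key bytes are assumptions constructed for the example.

```python
# Added example: toy supplicant model of the WPA2 4-way handshake, written for
# this page (not wpa_supplicant code). It shows why reinstalling an already
# installed key is dangerous and what the vendor fix changes.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Supplicant:
    """Minimal client state: the pairwise key and the packet counter (nonce)."""
    patched: bool
    ptk: Optional[bytes] = None
    packet_number: int = 0
    install_count: int = 0
    nonces_used: list = field(default_factory=list)

    def receive_message3(self, ptk: bytes) -> None:
        """Handle handshake message 3, which triggers installation of the key."""
        if self.patched and self.ptk == ptk:
            # Fix: the key is already installed. Acknowledge the message but do
            # not reinstall, so the packet counter keeps counting upward.
            return
        # First (legitimate) install, or vulnerable reinstall on a replayed
        # message 3: installing the key resets the packet counter to zero.
        self.ptk = ptk
        self.packet_number = 0
        self.install_count += 1

    def send_frame(self) -> tuple:
        """Encrypting a frame consumes the next packet number as the nonce."""
        nonce = (self.ptk, self.packet_number)
        self.packet_number += 1
        self.nonces_used.append(nonce)
        return nonce


def nonce_reuse_count(client: Supplicant) -> int:
    """How many frames were sent under a (key, nonce) pair already used before.

    Any value above zero means keystream reuse under CCMP/GCMP, which is what
    lets an on-path attacker recover plaintext.
    """
    return len(client.nonces_used) - len(set(client.nonces_used))


def simulate(patched: bool, retransmit: bool = True) -> int:
    """Complete the handshake, send frames, replay message 3, send again."""
    client = Supplicant(patched=patched)
    key = b"constructed-session-key"     # constructed sample key material
    client.receive_message3(key)         # genuine message 3
    for _ in range(3):
        client.send_frame()              # nonces 0, 1, 2 under key
    if retransmit:
        client.receive_message3(key)     # replayed message 3
    for _ in range(3):
        client.send_frame()              # vulnerable client: 0, 1, 2 again
    return nonce_reuse_count(client)


if __name__ == "__main__":
    print("unpatched, replayed msg3 -> reused nonces:", simulate(False))
    print("patched,   replayed msg3 -> reused nonces:", simulate(True))
    print("unpatched, no replay      -> reused nonces:", simulate(False, False))
```

The important design point is that the fix lives entirely on the client: an access point that never sees a patch still cannot cause nonce reuse against a client that refuses to reinstall a key it already holds, which is why the advice below concentrates on updating client devices rather than routers.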

Is there any good news?

Yes indeed. Most websites that handle confidential data, such as banks and eCommerce sites, use the HTTPS secure layer protocol to encrypt traffic. The WPA2 vulnerability cannot compromise data that is encrypted by some method other than WPA2. This means that VPN traffic, for example, is not compromised. It is only plain old HTTP traffic that could be stolen. In any case, an attacker would have to be in close physical proximity in order to access any WiFi network, so it is not a vulnerability that can be leveraged from halfway across the globe over the Internet.

Who is to blame and could it have been avoided?

Founded in 1999, the Wi-Fi Alliance is the not-for-profit organization formed by the major players worldwide that create and deliver the Wi-Fi ecosystem, on which billions of people depend every day. It says, “Today, Wi-Fi carries more than half of the internet’s traffic in an ever-expanding variety of applications.” Its website carries the announcement of the vulnerability published October 16.

Seeing as this organization developed WPA2, any finger pointing leads straight here, although it would be ultra-critical to lay blame on a product that has stood the test of time in the 13 years since its release in 2004. Could it have been avoided? Could Daimler have avoided the recent recall of over one million Mercedes Benz automobiles for an air bag flaw? Of course, the answer is yes, in theory, but no product can claim to be 100% foolproof or flawless.

What next to protect WiFi users?

The researchers quite responsibly informed the relevant bodies discreetly, so that manufacturers like Microsoft had a month to develop security patches before the word got out. Users should update their devices. Microsoft users who subscribe to automatic updates will already have been upgraded. Android users should upgrade as soon as possible. However, as routers are almost never on an automatic upgrade program, many may never receive firmware upgrades. That may not be an issue as long as clients (users) upgrade their devices.

Here’s How Cybercriminals Stole $100 Million From EU Banks and Vanished Without Trace

A wave of financially-motivated cybercrime has hit European and former Soviet banks to reveal profound security weaknesses in the technology infrastructure that handles transactions and funds worth billions of dollars. But how do we stop the next generation of tech-savvy criminals? What security measures must institutions enact to prevent further hemorrhaging of funds in the wake of escalating attacks? First, let’s analyze what happened and why the criminals were so successful.

Yesterday’s drug mule is today’s cyber-foot soldier

The concept of a ‘mule’ is nothing new. Criminals offer tourists, truck drivers, and other working-class individuals (with clean records) who have citizenship and a passport a quick payday to travel across borders carrying a dubious package they know little about.

Today, hackers use mules to create bank accounts with fraudulent or stolen IDs. The mules then take the legitimate debit cards and pass them on to other mules who later make simultaneous withdrawals from ATMs in other countries.

While the mules perform the legwork and prep for the attack, hackers use targeted phishing scams to plant keylogging software on employee terminals where bank tellers and credit card processors work. Over time, they acquire access to the bank’s network and plant legitimate software like Mipko, a software package used to monitor employee terminals remotely. The minimal use of malware is one of the key reasons why these attacks failed to raise any red flags with the banks involved.

Modern banking institutions are frequently interlinked with third-party credit card processors, allowing hackers to move freely between networks and spy on employees until they obtain the credentials needed to access and modify the bank’s risk scores and overdraft protection limits. As soon as the online attack happens, mules on standby in numerous countries make simultaneous cash withdrawals from ATMs using the legitimate debit cards issued by the institution. This kind of attack exploits both the logistical weaknesses of ATM infrastructure and the limits of law enforcement’s ability to track down such a large number of co-conspirators, who know very little, if anything, about the actual masterminds.

Hackers then cover their tracks by crashing systems they used and rendering them unbootable, meanwhile the mules disappear with the cash long before authorities have even been notified that a heist is underway. In fact, because of the legal nature of the withdrawals, most banks are completely unaware of the attack until someone notices the spike in ATM traffic hours or days later.
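The cash-out phase described above leaves one signal a bank can watch for in near real time: the same card being used at ATMs in several countries within minutes. The following is an added example written for this page, not code from any bank or from Trustwave; the log format, the thresholds and the withdrawal records are all constructed assumptions. It runs a per-card sliding window over time-sorted withdrawals and flags any card that hits a minimum number of distinct countries and a minimum total inside the window.

```python
# Added example: detecting the coordinated ATM cash-out pattern in withdrawal
# logs. Written for this page; the log format, thresholds and sample records
# are constructed assumptions, not real bank data.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, card id, ATM country, amount withdrawn.
SAMPLE_LOG = """\
2017-06-01T15:00:05Z card-0042 NL 500
2017-06-01T15:00:40Z card-0042 DE 500
2017-06-01T15:01:10Z card-0042 FR 500
2017-06-01T15:02:30Z card-0042 US 500
2017-06-01T15:03:00Z card-0042 IT 500
2017-06-01T15:05:00Z card-0077 NL 100
2017-06-01T18:30:00Z card-0077 NL 60
2017-06-02T09:00:00Z card-0099 DE 200
"""


def parse_log(text: str) -> list:
    """Turn each non-empty line into (time, card, country, amount)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, country, amount = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, card, country, int(amount)))
    return events


def find_cashout_bursts(events, window=timedelta(minutes=10),
                        min_countries=3, min_total=1000) -> dict:
    """Flag cards with withdrawals in >= min_countries countries totalling
    >= min_total inside any window-sized span of time.

    Returns {card: (sorted countries, total)} for the largest such span seen.
    Thresholds are assumptions for the example; a real deployment would tune
    them against the institution's own false-positive tolerance.
    """
    by_card = defaultdict(list)
    for ev in sorted(events):
        by_card[ev[1]].append(ev)

    alerts = {}
    for card, evs in by_card.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits the window length.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            countries = {e[2] for e in span}
            total = sum(e[3] for e in span)
            if len(countries) >= min_countries and total >= min_total:
                prev = alerts.get(card)
                if prev is None or total > prev[1]:
                    alerts[card] = (sorted(countries), total)
    return alerts


if __name__ == "__main__":
    for card, (countries, total) in find_cashout_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {card}: {total} withdrawn across {countries}")
```

A detector like this is only useful if it feeds an automatic control, for instance freezing the card after the first alert, because the heist is designed to finish before a human reviews a dashboard; the article’s point that banks noticed the spike only hours or days later is exactly the gap such a rule closes.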

What does this mean for the future of banking?

Thus far, these cyber-attacks have yet to spark a serious change in banking infrastructure because they have yet to affect a rich super-power. However, Trustwave issued an Advanced Threat Report that claims these organized attacks are likely to spread globally over the next few years, increasing both the frequency and intensity of the attacks as the organizers grow in influence and power.

While banks and credit card processors can double down on internal security and in-house training, human error (in the form of falling for phishing scams) remains one of the key weaknesses that hackers exploit—and that isn’t something anyone can simply eliminate. Preventing hackers from getting a toehold in the network is a crucial countermeasure, but that doesn’t excuse the lax security on integrated networks that should have multiple layers of authentication, or the ease with which criminals open new accounts using phony or stolen personal information.

The only other option is to limit the functionality of ATMs to the point where it is too time-consuming (and therefore costly) to engage in this kind of heist. However, this will undoubtedly irritate consumers who rarely opt to sacrifice convenience for security.

Petya: A Useless Ransomware that Wreaked Havoc

On June 27, 2017, opportunistic cybercriminals took advantage of exploits leaked by Shadow Brokers, a group that had previously released cyberweapons used by the National Security Agency. The latest malware was a variant of Ransom:Win32/Petya that was initially seeded through the update mechanism of an accounting software program used in Ukraine. Since then, the ransomware has compromised 12,500 machines in Ukraine and spread to 64 countries across the globe. The virus uses the EternalBlue exploit against a vulnerability in Microsoft Windows, encrypts data on the compromised hard drives and asks for a $300 ransom for data decryption.

A Wiper in Disguise

Experts believe this over-clever attempt to extort unsuspecting users for financial gain had the potential to spread faster than WannaCry, the largest ransomware attack ever. In pursuing that goal, however, the virus is inept to the point of uselessness: the entire ransom payment mechanism is flawed and guarantees that encrypted data cannot be recovered even after payment.

The virus requests payment to a static Bitcoin address and a proof-of-payment message to an email address hosted by the company Posteo. As expected, transactions to the single hardcoded Bitcoin address are traceable, and the webmail company has already disabled the email address. Despite the large-scale impact, the cybercriminals behind the attack collected barely $10,000 across 45 ransom payments.

It looks like the intent behind the attack is far more malicious and clever. Perhaps the creators never intended to decrypt the compromised data after receiving payments. While it looks like a school-boy hacker’s attempt to get rich quick, the virus has actually turned out to be something worse: a Wiper malware.

Wiper malware is essentially a cyberweapon designed to destroy the data stored on the compromised hard disk. Whether Petya was intentionally designed as a wiper is debatable, but it has certainly yielded its fair share of the fodder feeding the media frenzy around the mysterious cybercrime actors. Previous episodes of wiper malware had their roots entrenched in state-sponsored attacks. Notable attacks in history include the Wiper attack on Iran and the Shamoon attack on Saudi Arabia, which share their roots with the destructive Stuxnet attack.

Here’s What You Can Do About It

Petya exploits the Server Message Block (SMB) vulnerability in Microsoft Windows to spread across machines. This is the same vulnerability used to spread WannaCry, the largest ransomware attack in history. Microsoft had already issued security patches to address the vulnerability, and users running updated machines remain secure from the Petya attack.

The first step to ensure protection from the Petya attack lies in running the latest stable versions of Windows OS.

Users running outdated Windows OS should meanwhile watch out for unwarranted attempts to reboot and repair system files. If that happens, you should power off your machine immediately, because it’s actually the encryption process taking place. Your files remain unencrypted until this process is completed in its entirety.

If your computer has actually been compromised, there’s no way to recover your data since the email address stated in the ransom message has been disabled. Reformat your hard drive, recover your data from the available backup and keep your software, anti-virus and OS up-to-date at all times.

A Detailed Analysis of Pacemaker Ecosystem’s Failed Security Checkup

The pacemaker itself is not a new piece of technology. Interfacing it with a network – including the publicly accessible Internet – is a relatively new concept and opens the door to potentially life-threatening security vulnerabilities. Recently, the newly developed Pacemaker Ecosystem, the technology framework for connecting next-generation pacemakers to the Internet of Things (IoT), failed its cyber security check-up.

IoT Brings Major Security Challenges

The very concept behind the Internet of Things highlights the convenience of connecting devices across a public-facing Internet connection. The benefits of IoT connectivity are myriad. An IoT-enabled pacemaker allows medical professionals to remotely monitor pacemaker users, 24/7.

Potentially, the same healthcare professionals could remotely reconfigure a pacemaker as well. But what happens if somebody other than the authorized healthcare specialist, without the necessary knowledge and expertise to manage a pacemaker, gains access to the IoT healthcare device? The implications of this are terrifying.

Transparency is a Potential Security Vulnerability

The Pacemaker Ecosystem failed its cyber security test due to the potential security vulnerabilities found within the integrated set of technologies that constitute the overall platform infrastructure.

Because of the open nature of IoT security protocols, it is possible to learn very quickly how the Pacemaker Ecosystem handles security. Since the platform uses standardized cryptography methods, finding security vulnerabilities is far easier than finding them in proprietary cryptography methods.

Incorporating off-the-shelf, potentially vulnerable cryptography technology into a healthcare IoT device platform is not necessarily a great idea either. Many vendors of open technologies have a less-than-stellar reputation for promptly addressing security vulnerabilities.

Robust Cryptography is Necessary for Healthcare IoT Devices

Infrastructure security loopholes aside, the Pacemaker Ecosystem has been criticised for failing to leverage adequate encryption for data security.

Whilst governments around the world are moving toward restricting the strength of consumer-grade encryption in favor of national security, there can be no valid reason for vendors not to apply strong encryption to data and networks involved in maintaining a patient’s cardiac function.

However, the Pacemaker Ecosystem failed to use top grade encryption, and furthermore, can potentially leak unencrypted data due to security vulnerabilities introduced by third-party vendor technologies involved.

Multiple Points of Failure

The security testing and subsequent failure of the Pacemaker Ecosystem was dramatic due to the sheer volume of potential security vulnerabilities uncovered. Across the entire software platform, over 8,000 potential security vulnerabilities were found in standard library functions alone. It was also found that certain private patient data was being stored in an entirely unencrypted fashion.

Although the concept of IoT-enabled medical devices promises great value propositions, the road to developing secure and reliable devices is going to be a long one, with many challenges to overcome. As such, strong encryption is the bare minimum security requirement.

United Airline Security Breaks at its Weakest Point: The Human Element

United Airlines seems to be lurching from one bad PR story to another. This time, a United Airlines flight attendant accidentally posted the keypad access codes for airplane cockpit doors on a public website. The Wall Street Journal revealed the story but did not identify the website or online forum where the codes were posted. Based on the available information, it appears the code leak was unintentional – pilots and flight attendants regularly use online forums such as Facebook groups for general discussion. This time, however, one flight attendant took the discussion a bit too far.

This was a significant breach of security without a hacker in sight. Just another case of the biggest security risk and the weakest link in the security chain – the human element.

Airlines have maintained strict access control to the flight deck ever since 9/11. The keypad code alone would not necessarily grant access. The captain must also visually validate the person requesting access and only then unlock the door. Using the correct keypad code does not entitle anyone to enter the flight deck; access can be declined by the captain. United moved immediately to change all its cockpit door access codes and remove the possibility of exploitation.

This story highlights the importance of staff training in the chain of ownership and control of security information, as well as regular training and refresher courses.

How significant is the human element in security procedures?

The alarming fact is that the human element contributed to 95% of all security incidents recorded globally by IBM in their Security Services 2014 Cyber Security Intelligence Index. The most common failures are opening unsafe email attachments, clicking on an unsafe website link, weak and easily identifiable passwords, losing laptops and mobile devices, not keeping software up to date or applying security patches, and so on. Humans quickly become blasé and bored by routine, losing sight of the rationale for maintaining alertness and sticking religiously to security procedures.

There is also an element of laziness, forgetfulness and the “it can’t happen to me” syndrome.

Planning for the human element in security defenses

Humans design the assets and facilities that security systems protect. They then design the security defenses around those assets, which are in turn used by humans. Humans make mistakes all the time, and this critical characteristic needs to be addressed by security design, implementation and training.

The most effective remedy is frequent and relevant refresher training. Frequent and very short bursts that focus on a particular aspect of security work best and are least disruptive. The more dramatic and memorable they can be made, the better. The objective is to ensure as much as is possible, that the subject remembers this training at the point where it is needed. For example, when entering a door keypad access code, ensure that nobody can see the code being entered. It is the simple routine things that humans fail at, as time goes by.

The role of government in protecting human lives

The United Nations Human Security in Theory and Practice covers a much wider scope of what constitutes security, of course. However, it does acknowledge that “human security threats cannot be tackled through conventional mechanisms alone”. Governments have a duty to protect their citizens. While national security, anti-terrorism and highly visible security measures such as airport security screening are vital components, so is the education of the man and woman in the street. In wartime, the slogan was “Careless talk costs lives”. While not as dramatic, carelessness is the biggest threat to security defenses of all types and at all levels.

Governments can do more to raise public awareness of the need to maintain a simple but effective level of vigilance. Human security failings that lead to breaches cost money, reduce consumer confidence in technology, and are an attack vector for foreign and criminal hostiles. National security starts at home.

WannaCry? Meet the Biggest Ever Ransomware Attack in History!

The biggest global ransomware cyberattack on record has impacted over 130,000 individual computers across over 100 countries in just 48 hours. That figure is an estimate as of Saturday midnight May 13, and will certainly increase over the next few days as more victims are identified.

So What Exactly Happened?

Victims see a ransom demand on their screens, stating that their data has been encrypted. The criminals demand $300 in Bitcoin to unlock the data. This price increases to $600 within a few hours if the ransom is not paid. The attacks utilize malware – a worm called Wanna Decryptor (a.k.a. WannaCry). It infects the device of a user who has been tempted to open an email attachment and thereby unknowingly installs the virus. The malware encrypts the hard drive and searches for other potential target systems on the network to spread itself. Once inside an organization, it exploits a known vulnerability in the Windows OS that pertains to document sharing with other users on a network. Defense mechanisms to protect against harmful document sharing between trusted users within a network are usually less stringent. These loopholes combined to deliver the biggest ever ransomware attack in history.

A happy accident temporarily halted the spread of the infection when a UK security analyst discovered what amounts to a ‘stop button’ or so-called kill switch.

Who has been targeted?

The malware targets Windows systems that are not up to date, or older versions of Windows that Microsoft no longer supports. For example, Windows XP was released in October 2001 and officially withdrawn from service more than 12 years later, in 2014. However, some organizations chose not to purchase a newer version of Windows, saving on licensing costs only to risk security attacks like the latest ransomware incident. Other large organizations, such as the UK’s National Health Service, paid Microsoft to continue supporting XP for them. However, the UK government decided to halt that spending in 2015, leaving the health care system vulnerable to the type of attack that occurred. The organization was unable to access sensitive patient data, critical planned surgeries and procedures had to be cancelled, and hospitals had to shut down some units.

In general, government, university and health care networks using outdated Windows OS versions are likely to be the hardest hit.

What options do victims have?

There are only 3 options:

  • Pay the ransom
  • Restore the data from a recent backup – if one exists
  • Live without the data

In any event, users should work to apply the recommended security patches immediately. It is inevitable that the criminals will change their attack mechanisms and remove the temporary kill-switch capability, and then there are likely to be a number of copycat attacks using the same vulnerability in different ways.

Is the NSA at fault for this?

Not entirely. The NSA apparently did discover the vulnerability some time ago. They then weaponized it for their own use by building software code that exploited the vulnerability. The hacker group known as TheShadowBrokers made this code public amongst parts of the NSA’s digital espionage toolkit as part of their exposure of NSA hacking tools. Reports indicate that the hackers behind this week’s attack simply copied and pasted that code into their worm. Microsoft did in fact release a security patch to fix the vulnerability in March. However, not all users were aware of the vulnerability or the patch, and some chose to run potentially vulnerable systems instead. The debate continues as to whether the NSA should alert software vendors to vulnerabilities that it uncovers, rather than keeping the knowledge to itself for surveillance purposes.

What can we do to help protect against ransomware attacks?

The least you can do is to keep your software updated, at all times. The next level of defense is the human element – Internet users should never open email attachments unless they are absolutely certain that the files come from genuine, legitimate and known senders. These measures alone will suffice to curtail the majority of ransomware attacks coming your way.

The WannaCry worm will potentially reappear in different guises over the coming days and weeks. The best advice is to take action now to protect your devices.

Revenge Hacking is The New Black in the Cybercrime Underworld

Revenge hacking encompasses an expansive set of motivations behind cybercrime. Every victimized industry has seen some form of cyber-attack that links back to its own hostile actions or policies toward the attackers.

Motives range from low-profile disgruntled ex-employees to self-publicizing groups like Anonymous providing occasional media updates about their attacks on ISIS cyber-targets. Sovereign states have long been suspected of hacking, and even Vladimir Putin is reported to be in on the act. Sexual revenge or jealousy was behind the infamous theft of subscriber data from the dating site Ashley Madison, which was specifically set up to facilitate affairs involving married individuals.

The latest story circles around the Buzzfeed hack, which surfaced in retaliation for identifying an alleged Saudi Arabian member of the OneMore hacking group.

Revenge hacking is not confined to the “outlaws”. Corporations have occasionally felt the urge to strike back at their tormentors, which is probably illegal everywhere in the world. Sometimes it’s considered as a pre-emptive strike to ward off a perceived threat. However, taking out a target server that appears to be the source of a threat could be extremely ill-advised. That server could be a component of a public utility, hospital, municipal authority or anything really. Hackers can compromise a server and use it as a proxy for launching attacks originating from half way across the globe.

No network or website can prevent hacking attempts from taking place. Even brand new simple WordPress blog sites are not immune. Automated systems are constantly probing for easily cracked access credentials. Such systems cost practically nothing to run and represent the bottom end of the attack spectrum. Strong passwords represent the simple and obvious defense, easily available through free online password generators.

At the other end of the scale are what could be considered “professional hackers” and the criminal element. Technically minded individuals with varying degrees of talent but with time on their hands occupy the middle ground. Large corporations present a happy hunting ground because the bigger the IT infrastructure, the greater the number of attack surfaces to be explored and exploited. This is the constant battleground between the security experts and technologies that form the defensive zone, and the attackers.

There is no central record for collating data on thwarted hacking attacks. That makes it impossible to measure the success levels of the security defenses. Security teams are only as good as their last failure, as in many walks of life. However, despite the high-profile names of the victims, the count of those that have not yet suffered the same fate greatly outnumbers the number of victims.

Every new technology and every new online service is highly likely to contain security vulnerabilities. The incessant drive to deliver newer functionality to outstrip the competition will constantly expose weaknesses. New functionality means new systems being exposed. The reality is that the game is loaded in favor of the hackers, who only have to breach a security system once to reach the prize and the headlines.

Corporations will continue to spend on security measures because there is no other option if they are to remain ahead of the risk of attack. Add the unpredictable nature of motivation for revenge hacking and the element of surprise is added to the mix. The only unknown is the motive for the next high profile attack.

The Slow Pace of Linux Kernel Updates is a Frightening IoT Security Problem

When patching holes in your core security kernel takes upwards of three years on average from discovery to patch release, it obviously raises concerns. Add in the view of security analysts that the basic approach of the security design is outdated and not responsive when under attack, and the picture grows ever more worrisome. It is a very big scenario indeed when you consider the vast number of devices out there that are exposed to the hacking fraternity and which probably never receive OS updates ever.

Linux drives the majority of the world’s Internet-connected devices. Its open source nature provides a stark contrast to proprietary platforms such as iOS and Windows in the speed of bug fixing and patch development. The security aspects being highlighted in recent debates have a lower impact on servers housed in data centers than they do on exposed devices in the IoT world. The latter is the real cause for concern.

Device manufacturers deploy Linux on everything from digital video recorders to vacuum cleaners. The cost is attractive and it is customizable and scalable. The downside is that native Linux does not offer patch push functionality to devices in the way that, say, Microsoft does. Microsoft is often derided for many aspects of Windows development, but nobody can deny that it appears to do all in its power to ensure that connected devices receive frequent OS updates and patches. At the same time, a vast number of connected Linux devices may never receive an OS update in their lifetime.

At the core of the problem is the often very poor code quality and risible security of the countless device drivers that vendors add. This comes on top of the disjointed, not-thought-through nature of the IoT landscape. The Linux security kernel faces challenges not of its own making but which potentially pose a major threat to the Internet itself. Recent massive DDoS attacks launched by botnets of zombie IoT devices generated an unprecedented level of traffic. An attack measured at over 600 Gbps raises the possibility that even bigger attacks may be possible. Those traffic levels can swamp the routers that connect the Internet’s backbone with its spokes.

Manufacturers and vendors must take a share of the blame for failure to develop code that at least attempts to provide adequate security protection. One senses that the quick-buck mentality overrules the genuine need to make drivers and the like robust enough. Of course, there is no money in building security features into vacuum cleaner device drivers. Only attractive functionality might increase the bottom line. Developing security aspects is a cost that may not be justifiable in the boardroom.

Criticism has been levelled at Linus Torvalds and the Linux community for taking a bug-fixing approach rather than overhauling the security kernel design. Torvalds is infamous for his tendency to drive his own path forward and ignore arguments for change that potentially have merit. The security debate may be the single biggest challenge to his authoritative approach since 1991, when Linux was first released. Architecture that is 25 years old was not designed to cope with the security demands and ever-increasing hacking threats of 2016. It does appear that the time has come for a major rethink that will adequately cope with the nature and shape of the foreseeable threats of the next 25 years.

IoT CCTV Devices Harvest the Biggest DDoS Ever Recorded

Security experts have long assessed the IoT (Internet of Things) as being a hacker’s paradise in its current format. Last week saw the biggest DDoS attack ever recorded, in terms of hostile traffic bandwidth. French web host OVH was the victim. DDoS attacks have been around for a long time in Internet terms. What is startling about this and at least one other recent attack is that the hostile botnets did not consist of infected PCs but of cameras, digital video recorders and other devices: about 150,000 of them at the attack’s peak.

The significant weakness of the IoT is that each and every connected device presents an attack surface. Any device that is connected to the Internet is a potential victim of hacking and hostile takeover, as major corporations are only too well aware. The growth in real life IoT networks is racing ahead of development of adequate security protection for their component parts. There are literally millions of Internet-connected devices that hackers can potentially harvest into zombie networks.

The devices involved in the OVH attack were capable of generating traffic totaling an estimated 600 Gbps when combined. This level of usage threatens to significantly disrupt the Internet for other users. Theoretically, multiple botnets with that capability could “break” the Internet in a geographical region by rendering it so slow as to be practically unusable. Even a 300 Gbps flow may be enough to put at risk the heavy-duty routers that connect the backbone and spokes of the Internet.

At issue is the sheer number of inadequately secured devices out there. The primary sources of a botnet DDoS attack on the website of security writer and independent journalist Brian Krebs in Jan 2015 were home routers. The attack was so heavy and prolonged that the DDoS mitigation service of his web host Akamai could not cope over a sustained period. Back then, Krebs predicted that even CCTV cameras were potential zombies. That scenario came true in 2016 with a botnet attack from 25,000 of them.

There is no single solution that will protect all devices from hacking attacks. The most obvious and basic one is for users to change the default access credentials. For most home routers and connectable devices, the factory setting is admin/admin for username and password. Users are also expected to apply frequent updates and patches to less-than-robust firmware. However, such a large percentage of homeowners are simply either unaware or not technically competent, or both, that the onus must lie with vendors.

Not only that, but owners have no way of knowing if their devices have been compromised. Unlike PCs, laptops and mobile devices, there is no established practice of users hardening security on the majority of dumb-terminal devices. Until progress is made in this critical area of security, the IoT is the soft underbelly of the connected landscape. Devices are manufactured and supplied to perform a function. That is akin to having authority but no responsibility: the device has the capability to utilize the Internet, but security is seen as being somebody else’s problem. This is the attitude that must be changed.