The niner noteworthy and the 12 recaps of 2016 (day 3)

Looking at the history of our planet the Internet is actually a pretty new thing. But is the Internet as we know it doomed or actually already destroyed without us realising it?
With the massive DDoS attacks of recent months we have come pretty close to that already costing some freedom of speech and access to certain services in different attacks.
Should we therefore rename the Internet to the InternOT? Read on to get a picture of what current developments mean for the worldwide network that we merely can’t do without anymore.

In chronological order:

Def Con: Do smart devices mean dumb security?

At the time this article was published (early August) the massive use of IOT devices for until then unseen massive distributed denial-of-service attacks was just a prediction. At time of writing of this article we know that prediction became true probably sooner then some may have thought possible.
If there ar two lessons to be learned out of this article it is that secure coding could have saved a lot of trouble (which btw isn’t that more difficult then regular coding methods) and that we really need to think about holding technology companies accountable for bad products and insecure code. It is always an interesting discussion point to see why we don’t accept a company selling an exploding phone whilst at the same time companies get away with lousy programming and no security by default products.
source: BBC News (external link)

How to Hack Nearly Any Wireless Device

Extremely interesting story, although for me as a hamradio (amateur radio) operator not really that surprising. Software defined radio is becoming one of the main radio research tools available to hams worldwide and yes those research projects are all legal if you have a valid amateur license.
That most or if not all of those techniques can be used for malicious purposes too is hopefully no surprise anymore if you have regularly read articles on my site.
source: Purch (external link)

Why the silencing of KrebsOnSecurity opens a troubling chapter for the ‘Net

Besides the companies named in this article that should be worried about being knocked offline by massive DDoS attacks, how about large news outlets like e.g. the BBC? If people already take offence against a website like “Krebs on Security”, what would happen if a similar attack was blasted at the BBC for a series of stories they ren on a particular topic somebody didn’t like?
Although we now slowly see some calls for industry wide security standards on IOT devices, this is certainly one call that falls into the category of “too little, too late” as there are already millions of insecure devices out there which won’t go away overnight.
Is this the end of the Internet as we know it? Let’s hope not but don’t hold your breath on it either.
source: Ars Technica (external link)

Why the internet of things is the new magic ingredient for cyber criminals

And here is another piece of that same very disturbing puzzle. If you can only do good investigative journalism if one of the largest companies on the internet is “protecting” your website, then something is starting to become very wrong indeed.
Think of it this way: you want to tell the truth and protect the internet against cyber crime, yet you are protected by a company that makes money by spying on and profiling the entire online population. Okay I know a couple of internet behemoths that are even worse then Google because they aren’t as truthful and open themselves (look at any articles on the recent fake news headlines and you know what I mean), but in general this is not a good sign.
source: The Guardian (external link)

How hard is it to hack the average DVR? Sadly, not hard at all

I know, this recap instalment is getting pretty depressing doesn’t it? Believe me the entire truth of the matter is probably much worse then this. It is pretty sickening that only 63 passwords and maximum number of guesses therefore can nearly destroy the internet. All because companies are simply too lazy to do a decent job.
Yes, customers of these devices too as they never change the default passwords either. But with all the technology becoming more complex, you can hardly blame them can you?
I remember an old episode of the BBC’s program “Click online” who put a Windows XP machine on the internet, unprotected and with nobody using it. Within 60 minutes it crashed under the load of malware already present on the machine. With DVR’s being overwhelmed in mere minutes, you may get a picture of where we have come on internet security in the last 10 years. Which is a very disturbing picture.
source: Ars Technica (external link)

Ex-NSA Hacker Creates Tool To Warn You Of Webcam Spies

An interesting concept to say the least. There are other tools available like “little snitch” that warn of camera activation. Even the newer tool “little flocker” now warns of camera and microphone activation. However it seems this tool is going one step further and is looking at the data stream during legitimate usage as well.
Oh yeah and sorry Windows users, for a change this one is MacoS only.
source: Motherboard (external link)

Webcams used to attack Reddit and Twitter recalled

At least one pinprick of light in the gloom of the IOT doom of the InterNOT. Will this help? Probably not at all or at least not in a significant way unfortunately, but it is a start.
The notion that, as this article states, writing secure code costs money is simply not true. However, if you want secure code, you probably have to pay more for really good developers that also know what secure code is and can determine possible attack factors in net connected program to mitigate the effects. Then again, even less knowledgeable developers can use the plethora of cheatsheets available from e.g. the OWASP project. Yes it won’t be as good as understanding why you are taking certain measures in your code, but it’s at least better then doing nothing at all.
source: BBC News (external link)
I know I’m probably pissing off (UK English) a lot of developers, if they even read this, but in my line of work I have seen too much examples of shoddy programming and stupid vulnerabilities that could easily not have been there if secure coding methods and techniques would have been used from the start.

Sony kills off secret backdoor in 80 internet-connected CCTV models

Hurrah Sony, or should I say “So ny”. Default passwords, which people don’t have to change probably as well as a double backdoor left in the production code by developers. And there I thought Sony had enough lessons these last years with the massive Playstation network hack and the Sony pictures hack.
Okay, there is a patch now and if all devices are indeed patched then this one seems to be fixed. Kudos too for the Austrian guy who found and reported it to Sony. But it really is time for the IOT industry to get their security act together.
source: The Register (external link)

Home routers under attack in ongoing malvertisement blitz

Some other tips that may help: ad blockers, updating your routers firmware if possible.
Technically this is not directly an IOT thing, though as the DSL, cable or fiber modems are actually the only security barrier most people have between the internet and the home network, it’s vendors sometimes seem as guilty as IOT vendors of lapsing security practices.
Another, often overlooked, fact here is that the malware is distributed through legitimate advertisements on legitimate websites. That’s why my first advice “install an ad blocker” not only will get rid of those annoying banners but is a security measure as well.
source: Ars Technica (external link)