“There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think... it's all about the information!” – Sneakers
Last week, another massive Distributed Denial of Service (DDoS) attack disrupted large swaths of the internet, affecting both direct targets and causing collateral damage. This is the latest in a series of attacks that have the smell of a probing attack. The services and providers that are being targeted, along with the timing and intensity of the attacks, tickle a dormant part of my brain. The part that makes people not want to play Risk against me. These probing attacks are designed to evaluate the amount and duration of stress required to knock over critical pieces of the infrastructure that we rely on in our intensely connected world. Knowing what I know, and doing what I do for a living, this *scares* me. These are the warm-up bands. The headliners haven’t taken the stage. Yet.
The problem is multifaceted. Embedded devices are often overlooked from a security perspective, and this is a fact that our adversaries are taking advantage of to our extreme detriment. I’ve called this problem out in many of the presentations I do at conferences and user groups. The state of security for these embedded devices is stuck in what I’d guess is the mid to late 1990s: the time before software developers had a clue about security in a networked environment. The record 620 Gbps attacks against Brian Krebs’s blog leveraged mostly cameras and DVRs using unchanged, default credentials. The attacks on Friday, October 21st appear to be originating from the same botnet. Clearly, this is not going to go away easily. I’m not sure that we’re going to be able to fix the root causes that allow malicious actors to build these botnets and engage in these attacks, but I’ve got a couple of ideas. Some of them will be unpopular. Some of these things even an inexperienced end user can do. Others require more extensive expertise.
The big problem here is that we have all these effectively unmanaged devices connected to our networks with huge vulnerabilities, including things like default passwords, which are allowing them to be co-opted by bad actors. It is the absolute responsibility of the owners of these devices to take measures to secure them. There should be consequences for negligence. If the motivation to clean up your devices isn’t enough to engender a response, just wait. There will be regulation, and liability, and that’s no good for anyone. I’m just waiting for some enterprising legal team to seek to extend the attractive nuisance doctrine to cyberspace. Beyond that, we have an issue with hardcoded backdoor credentials and deeper vulnerabilities being present in these devices. We know that many of the manufacturers are unwilling, unable, or unaware of the impact of their security failings, but you need to know what potential issues may be present in the devices on your network, whether they are directly exposed to the public internet or not.
If you’re considering the purchase of new embedded devices, it’s an excellent time to REQUIRE that the vendor supply a third-party security assessment of the devices, demonstrating that they are rigorously engineered for today’s threat environment, and that they are free of common defects, vulnerabilities, and backdoors. If the devices are already deployed, you need to know what you’re facing. It’s entirely possible, even probable, that these devices have already been compromised. Embedded device assessments are a difficult area to master, and there is a definite shortage of security professionals with that type of background and experience. It’s highly likely that your organization won’t have those types of skill sets in house. That’s okay. It’s going to take this industry time to build up that expertise, and for the embedded device manufacturers to figure out how to implement secure devices.
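One practical way to learn whether deployed cameras and DVRs have already been co-opted is to watch what they send, not just what they accept. The script below is an added example written for this post, not code from Core Security or from any device vendor: it takes a constructed asset inventory (which records whether each device still carries its factory-default credentials) and a handful of constructed NetFlow-style records, then flags internal sources that push a large volume of small packets at a single external destination, the outbound signature of a device that has been pulled into a volumetric attack. The field layout of the flow lines, the packet and size thresholds, and the inventory format are all assumptions chosen for the example; adjust them to your collector and your environment.

```python
"""Flag embedded devices whose outbound traffic looks like participation in a DDoS.

Added example (not Core Security's code). Inventory, flow records, and thresholds
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory: internal address -> (device type, factory-default creds still set?)
INVENTORY = {
    "10.0.5.21": ("ip-camera", True),
    "10.0.5.22": ("dvr", True),
    "10.0.5.30": ("ip-camera", False),
    "10.0.1.10": ("workstation", False),
}

# Constructed flow records, one per line: "epoch_seconds src dst dst_port packets bytes"
FLOWS = """\
1477000000 10.0.5.21 203.0.113.9 53 48000 2304000
1477000010 10.0.5.21 203.0.113.9 53 51000 2448000
1477000020 10.0.5.22 203.0.113.9 53 47000 2256000
1477000005 10.0.5.30 198.51.100.7 443 120 96000
1477000007 10.0.1.10 198.51.100.7 443 800 640000
1477000040 10.0.1.10 192.0.2.44 80 30000 24000000
"""


@dataclass(frozen=True)
class Flow:
    ts: int
    src: str
    dst: str
    dst_port: int
    packets: int
    nbytes: int


def parse_flows(text: str) -> list[Flow]:
    """Parse the whitespace-separated flow format assumed above; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, pkts, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(port), int(pkts), int(nbytes)))
    return flows


def find_flooders(flows, inventory, pkt_threshold=40_000, max_avg_bytes=150):
    """Return suspected attack sources, most severe first.

    A (src, dst) pair is suspicious when its total outbound packet count crosses
    pkt_threshold AND the average packet is small (floods are packet-heavy,
    byte-light; a legitimate download or video stream is the reverse). Sources
    whose inventory entry still shows default credentials are ranked 'high'.
    """
    totals = defaultdict(lambda: [0, 0])  # (src, dst) -> [packets, bytes]
    for f in flows:
        t = totals[(f.src, f.dst)]
        t[0] += f.packets
        t[1] += f.nbytes

    hits = []
    for (src, dst), (pkts, nbytes) in totals.items():
        avg = nbytes / pkts if pkts else 0
        if pkts < pkt_threshold or avg > max_avg_bytes:
            continue
        kind, default_creds = inventory.get(src, ("unknown", False))
        hits.append({
            "src": src,
            "dst": dst,
            "device": kind,
            "packets": pkts,
            "avg_bytes": round(avg),
            "default_creds": default_creds,
            "severity": "high" if default_creds else "medium",
        })
    # 'high' first, then by volume descending
    hits.sort(key=lambda h: (h["severity"] != "high", -h["packets"]))
    return hits


if __name__ == "__main__":
    for h in find_flooders(parse_flows(FLOWS), INVENTORY):
        print(f"{h['severity']:6} {h['src']:12} ({h['device']}) -> {h['dst']}: "
              f"{h['packets']} pkts, avg {h['avg_bytes']} B, default creds={h['default_creds']}")
```

On the constructed data the two devices still running default credentials are the ones emitting tens of thousands of 48-byte packets at one outside host, while the workstation's large transfer is ignored because its packets are full-sized. Pairing flow telemetry with an inventory that tracks credential state is the point: the inventory tells you which devices to fix first, and the flows tell you which ones may already be working for someone else.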
In the meantime, Core’s Security Consulting Services and Vulnerability Research teams have extensive expertise in assessing these devices, evaluating your organization’s potential vulnerabilities to these types of attacks, and helping you to make the right choices to reduce or prevent the impact of malicious actors, crappy code, and the Internet of Dangerous Things.