Media fails to tell consumers about device flaws in Friday’s internet outage

When reporting on last Friday's DDoS attack, the national media should have warned consumers not to install internet-connected devices that carry a four-year-old class of vulnerability


Hackers compromised cameras, DVRs and other internet-connected consumer electronics, installed botnet malware that conscripted them, and used them to cause last Friday's internet outage. The national media reported the event, but it failed to tell consumers what they need to know about buying those types of devices. For example, before making a purchase, consumers need to ask:

  • Does the manufacturer regularly update this device with security patches?
  • Can I change the default password when I install the device?

The national media could have talked to someone who has first-hand experience with this type of attack, such as Brian Krebs, former Washington Post journalist and now one of the leading security industry bloggers, who would have repeated what he posted on Friday:

“As I noted in The Democratization of Censorship, to address the threat from the mass proliferation of hardware devices such as internet routers, DVRs and IP cameras that ship with insecure default settings, we probably need an industry security association, with published standards that all members adhere to and are periodically audited against.”

Instead, the media interviewed sources two or three degrees removed from the event.

Worse, this type of attack is not a new threat. Four years ago, this class of vulnerability was widely reported in the technology press.


The perpetrators of last Friday's DDoS attack did what the manufacturers failed to do. They updated hundreds of thousands of internet-connected consumer devices, loading them with Mirai-based botnet malware. Think of it like the regular update patches applied to Windows and smartphone apps, except that the attackers, not the vendors, were doing the updating.

Defending devices is an ongoing battle. Attackers look for zero-day exploits: attacks on vulnerabilities that the vendor does not yet know about and therefore has not patched. Operating system (OS) developers and independent security researchers hunt for these vulnerabilities, before or after there has been an incident. Zero-day exploits are valuable because, properly executed, they can provide access to the operating system without detection. Trusted OS developers create patches that close these holes, and the patches are downloaded and applied automatically and securely. (Friday's attackers did not need a zero-day at all; as described below, they simply logged in with the devices' default passwords.)

Internet-connected devices are not always updated

An important point that calls for transparency is that some internet-connected consumer electronics never receive regular software updates. Many run Linux because it is free. Although popular Linux distributions such as Ubuntu, Mint and Debian are regularly updated with security patches, some internet-connected consumer devices are never patched again once they leave the factory.

Moreover, they ship with default passwords that consumers rarely change. Often the perpetrators need no sophisticated method to discover these passwords, because they are printed in the consumer documentation. Sometimes even a security-conscious consumer cannot change the password, because it is hard-coded into the device. Yikes!

The problem is that some internet-connected consumer devices do not have robust update systems. If a device has not been patched in a year or two, it is exposed to every vulnerability publicly disclosed, and every exploit released, during that year or two; those holes are no longer zero-days, they are simply unpatched.

Preparing the attack

In advance of last Friday's outage, the perpetrators scanned the internet for systems that showed signs of running the vulnerable hardware and, according to Krebs, found more than 515,000 that were vulnerable. They picked the largest populations of vulnerable devices, logged in using the default passwords, and loaded the devices with their botnet malware much as a patch would be loaded. Then they issued a command to hit Dyn. Dyn, a large provider of DNS services that translates domain names into IP addresses, was flooded with requests, cutting off access to sites such as Spotify and GitHub.

Obviously, given the sheer number of conscripted devices, the perpetrators built an automated system to carry out this operation. Except for verifying a digital signature and a checksum on what they installed, the perpetrators did everything the manufacturers of the vulnerable devices should have been doing all along: pushing software to the devices over the network to change what runs on them. The manufacturers could have used that same capability to apply patches that protect the devices from malware.

Solutions to these vulnerabilities exist

Proven open-source solutions to these vulnerabilities exist. Pick any widely adopted OS such as Ubuntu or Windows, or an application such as Firefox. All are patched through an update system: a package manager on Linux, Windows Update on Windows, and a built-in updater in Firefox. Device manufacturers should have used a package manager all along to apply patches. Manufacturers have no excuse for failing to make regular updates. Many package managers are free and open source, and the more widely adopted ones, such as dpkg, benefit from a large community that improves and patches them. Manufacturers do not have to create most patches themselves; they only need to track the upstream open-source trees (the Linux kernel and the packages they build on), except where a patch fixes a bug in software the manufacturer developed itself.

The manufacturers, either independently or jointly, should run an update distribution system not too dissimilar from an app store or the way Linux and Windows update. When a patch is available, it is signed with the developer's private key (the matching public key is distributed in a digital certificate) and a checksum of the patch is calculated. When the OS starts a centrally controlled update, the signature is checked against the certificate to confirm the authenticity of the developer, and the checksum is recalculated and compared. If the signature verifies and the checksum matches, the patch is applied. A careful implementation also records the version currently installed and refuses to go backwards, so an attacker cannot replay an old, legitimately signed but vulnerable release.
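The following is an added example of the verification flow just described, written for this edit and not taken from the article or from any manufacturer's update client. It assumes the vendor signs a small manifest (version number plus SHA-256 of the firmware image) with an Ed25519 key, and that the device carries the vendor's public key and its own installed version number; the key pair, the "firmware" bytes and the tampered variants are constructed inline so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Manifest describes one update: a monotonically increasing version and the
// SHA-256 of the payload. The manifest, not the raw payload, is what is signed.
type Manifest struct {
	Version uint32
	Digest  [32]byte
}

// encode serialises the manifest deterministically so that the vendor signs and
// the device verifies exactly the same bytes.
func (m Manifest) encode() []byte {
	buf := make([]byte, 4+32)
	binary.BigEndian.PutUint32(buf[:4], m.Version)
	copy(buf[4:], m.Digest[:])
	return buf
}

// Update is what the distribution server ships: manifest, signature, payload.
type Update struct {
	Manifest  Manifest
	Signature []byte
	Payload   []byte
}

// SignUpdate is the vendor side: hash the payload, build the manifest, sign it.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	m := Manifest{Version: version, Digest: sha256.Sum256(payload)}
	return Update{Manifest: m, Signature: ed25519.Sign(priv, m.encode()), Payload: payload}
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against vendor key")
	ErrRollback     = errors.New("update version is not newer than installed version")
	ErrBadDigest    = errors.New("payload hash does not match signed manifest")
)

// VerifyUpdate is the device side. pub is the vendor public key baked into the
// firmware; installed is the version currently running. Checks run in order:
// signature first (so nothing unsigned is even parsed further), then rollback,
// then the payload hash against the signed digest.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, u Update) error {
	if !ed25519.Verify(pub, u.Manifest.encode(), u.Signature) {
		return ErrBadSignature
	}
	if u.Manifest.Version <= installed {
		return ErrRollback
	}
	if sha256.Sum256(u.Payload) != u.Manifest.Digest {
		return ErrBadDigest
	}
	return nil
}

func main() {
	// Constructed vendor key pair; a real device would ship only the public half.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	firmware := []byte("constructed sample firmware image, version 2") // stand-in payload
	genuine := SignUpdate(priv, 2, firmware)
	fmt.Println("genuine update, device on v1:", VerifyUpdate(pub, 1, genuine))

	// Attacker swaps the payload but keeps the vendor's signed manifest.
	tampered := genuine
	tampered.Payload = []byte("constructed payload with a backdoor")
	fmt.Println("tampered payload:", VerifyUpdate(pub, 1, tampered))

	// Attacker bumps the version field without being able to re-sign it.
	forged := genuine
	forged.Manifest.Version = 3
	fmt.Println("forged manifest:", VerifyUpdate(pub, 1, forged))

	// Replay of a legitimately signed release to a device already past it.
	fmt.Println("replayed old release, device on v2:", VerifyUpdate(pub, 2, genuine))
}
```

The signature covers the manifest rather than the payload so that a multi-megabyte image can be hashed in a streaming fashion on a small device while the signature check stays over 36 bytes. The version check is what stops the replay case; the article's certificate-plus-checksum description alone would accept an old, signed, vulnerable release.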

If the mainstream media does not explain this problem to the public in a big way, the threat will only grow. It is not as simple to explain as the Samsung Galaxy Note 7 battery fires, but in the long term it is a more important issue.

It is worth noting that as Microsoft hardened Windows 7, and then Windows 8 and Windows 10, attackers have clearly turned to devices that are easier to exploit.

Copyright © 2016