Botnet Uses Default Passwords To Conduct "Internet Census 2012"

An anonymous reader writes "By using four different login combinations on the default Telnet port (root/root, admin/admin, root/[no password], and admin/[no password]), an anonymous researcher was able to log into (and upload a binary to) 'several hundred thousand unprotected devices' and run 'a super fast distributed port scanner' to scan the entire IPv4 address space." From the report: "While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage. All data gathered during our research is released into the public domain for further study."
  • So this is what? (Score:3, Interesting)

    by Anonymous Coward on Wednesday March 20, 2013 @12:07PM (#43224585)

    267 months in federal prison?

  • Re:Door (Score:5, Interesting)

    by NeutronCowboy ( 896098 ) on Wednesday March 20, 2013 @12:33PM (#43224815)

    Man, some people are a paranoid bunch. If someone leaves a flyer on my door that says "You had 2 open windows and one unlocked door", and a similar flyer is on everyone's door, I'll actually thank the good Samaritan. If I see someone looking at doors and windows, taking notes, then putting a flyer on my door, I'll ask him what he's doing, why, and find out what he's actually up to. If he's friendly and forthcoming, I'll thank him and send him on his way. If he's belligerent, then maybe I'll start to consider self-defense.

    But to shoot someone just because they are walking around the neighborhood, surveying every house? Yeah, the US doesn't have a gun problem. We have a response problem.

  • by coldsalmon ( 946941 ) on Wednesday March 20, 2013 @12:53PM (#43225023)

    Have a team go door-to-door during working hours, when most people are not home. If they find an empty house with an unlocked door, go inside and use the phone to call a bunch of people and conduct your research. As long as you publish the addresses of all of the houses for academic purposes, nobody should mind.

  • by malakai ( 136531 ) on Wednesday March 20, 2013 @12:55PM (#43225041) Journal

    They didn't force the reboot. So they don't need to calculate for lost uptime.
    But they do concede what bandwidth they used and processing time. You could argue they used extra energy, CPU load, and bandwidth, and that equates to money.

    What they really got 'lucky' on, is that they didn't code in a fatal flaw and accidentally create something that had a race condition that resulted in distributed DOS to every IP on the network. We've seen things come close to that in the past with worms. I put quotes around lucky, because I think these guys did their homework, and specifically validated their experiment in a limited environment before releasing it.

    That said, your test environment is rarely a perfect simulacrum for the real world.

    It's a very scary grey hat project. I thought this finding was interesting though:

    So, how big is the Internet?
    That depends on how you count. 420 Million pingable IPs + 36 Million more that had one or more ports open, making 450 Million that were definitely in use and reachable from the rest of the Internet. 141 Million IPs were firewalled, so they could count as "in use". Together this would be 591 Million used IPs. 729 Million more IPs just had reverse DNS records. If you added those, it would make for a total of 1.3 Billion used IP addresses. The other 2.3 Billion addresses showed no sign of usage.

    Based on their rather thorough analysis, only about half the IPv4 address space is being actively used.

    I kind of feel this is a little akin to working with scientific research that comes from morally grey or even black experiments...

    Another thing to consider about this, is based on the platform they built, they could go for the Black Knight approach, and rescue all the flawed devices without their consent. You could easily see taking this project and saying "How do we patch the devices in a way that causes the least amount of harm, and adds the most amount of security".....

    Inoculation can kill though...

    Fine line... very fine line. End of the day, these guys hacked and compromised systems with their own binaries, and then used them to compromise other devices. They'd go to jail if they were discovered. Simple truth.

  • by TheSkepticalOptimist ( 898384 ) on Wednesday March 20, 2013 @12:55PM (#43225051)

    I mean it should be possible to create a system that emulates an "open" server, but when a hacker opens up a connection and tries to upload or download data, then fire off a counter measure that will cripple the hacker's system?

    I mean after 30+ years of connected networks there is no such thing as an offensive strike in cyber terrorism?

    I can't believe that hackers are that smart as to outwit servers attempting to back-deploy payloads onto their systems, or even could block a counter attack. I mean with the mentioned botnet hack, it would seem pretty easy that if it "broke" into an unprotected server that server could send back a crippling packet or something. The botnet is running a service that scans and returns data so the violated server should be able to exploit that and dump terabytes of garbage data back to cripple the botnet. A Denial of Hack.

    Actually if I was an active hacker I would rather enjoy luring other hackers to my "unprotected" servers only to f**k with them and mess up their systems.

  • Re:So this is what? (Score:5, Interesting)

    by juancn ( 596002 ) on Wednesday March 20, 2013 @01:00PM (#43225105) Homepage

    He did 420000 intrusions, it's probably a lot more than that. In NY it would be up to 420000 years just for unauthorized computer use I believe.

    Still, really cool hack (in the classic sense), it is conceptually similar to a Von Neumann probe [wikipedia.org].

  • Re:correction (Score:5, Interesting)

    by Lumpy ( 12016 ) on Wednesday March 20, 2013 @01:02PM (#43225121) Homepage

    After 1 attempt for ROOT I blackhole the IP address for 90 days. Nobody should ever try to log in as root, so any login attempt should black hole that IP forever. 3 minutes of script writing is all it takes to do that.
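The rule Lumpy describes, as an added example that is not part of the original thread: scan sshd-style auth log lines for any login attempt aimed at root (failed or accepted, any method) and emit one iproute2 blackhole command per source address together with the 90-day expiry. The log lines are constructed test data using RFC 5737 addresses, and the `year` argument is needed because syslog timestamps carry no year.

```python
import re
from datetime import datetime, timedelta

# Constructed sshd log lines in auth.log style (not real data; RFC 5737 test addresses).
SAMPLE_LOG = """\
Mar 20 12:07:01 gw sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 20 12:07:03 gw sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar 20 12:08:15 gw sshd[2210]: Accepted publickey for alice from 198.51.100.4 port 40100 ssh2
Mar 20 12:09:44 gw sshd[2219]: Failed password for root from 192.0.2.55 port 33012 ssh2
Mar 20 12:10:02 gw sshd[2222]: Accepted password for root from 192.0.2.55 port 33020 ssh2
"""

# Any authentication attempt whose target account is root is a trigger, whether it
# failed or succeeded and whatever the method (password, publickey, ...).
ROOT_ATTEMPT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed|Accepted) \S+ for root from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)

BLACKHOLE_DAYS = 90


def root_attempt_ips(log_text, year=2013):
    """Map each source IP that tried to log in as root to its earliest sighting."""
    first_seen = {}
    for line in log_text.splitlines():
        m = ROOT_ATTEMPT.match(line)
        if not m:
            continue  # not a root login attempt (other users, non-sshd lines)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        # Keep the earliest timestamp so the 90-day clock starts at first contact.
        if m["ip"] not in first_seen or ts < first_seen[m["ip"]]:
            first_seen[m["ip"]] = ts
    return first_seen


def blackhole_rules(first_seen, days=BLACKHOLE_DAYS):
    """Return (iproute2 blackhole command, expiry date) per offending IP, sorted by IP."""
    rules = []
    for ip, ts in sorted(first_seen.items()):
        expiry = (ts + timedelta(days=days)).date()
        rules.append((f"ip route add blackhole {ip}", expiry))
    return rules


if __name__ == "__main__":
    for cmd, until in blackhole_rules(root_attempt_ips(SAMPLE_LOG)):
        print(f"{cmd}   # remove after {until}")
```

A scheduled job that deletes each route once its expiry date has passed completes the 90-day window; the accepted root login from 192.0.2.55 is caught as well, which is the point of blocking on the attempt rather than on failure alone.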

  • Re:Door (Score:4, Interesting)

    by mark-t ( 151149 ) <markt@nerdf[ ].com ['lat' in gap]> on Wednesday March 20, 2013 @01:38PM (#43225519) Journal

    Ostriches do not stick their heads in sand or ever try to simply ignore danger.

    Ostriches are not cowardly, they will definitely put up a fight when they believe they have a good chance of winning. If you have ever seen an ostrich close up, you probably realize that they are big-ass birds that could easily wipe the floor with a good percentage of other creatures in the animal kingdom. If they encounter a situation that they cannot mitigate, however, then they will run away... being exceptionally good at it (they are the fastest running creature on two legs).

    If, and only if, they have nowhere to run to, and they cannot mitigate the danger themselves, then they will lie very still, presumably in the hope that they will be ignored. They do not pretend that the danger is not there, however... and will generally resort to fleeing at the first opportunity. Their practice of lying still is where the myth that they stick their head in the sand comes from, and it's ironic that what is actually a very atypical behavior for that type of bird ever got to be somehow associated as something that they generally practice.

  • by sl4shd0rk ( 755837 ) on Wednesday March 20, 2013 @01:48PM (#43225617)

    I see a lot of people complaining about the actions of the researcher, but what about the actions of the manufacturer? If Medeco made a lock that had the equivalent of "admin/admin telnet" on it, they'd be strung up. I'm not saying the researcher is not responsible for his actions, however putting all the blame on him isn't reasonable either.

  • by Jah-Wren Ryel ( 80510 ) on Wednesday March 20, 2013 @02:06PM (#43225781)

    I mean after 30+ years of connected networks there is no such thing as an offensive strike in cyber terrorism?

    Because it is a terrible, terrible idea. If automated counter-attacks were to become the norm, then all it would take to start a "war" between two groups is for someone to compromise just one system at the first group and set it to attacking the second group. Think mutual assured destruction except Anonymous has their finger on the button and it's labeled "lulz."

  • by Cassini2 ( 956052 ) on Wednesday March 20, 2013 @02:43PM (#43226199)

    This used to be done, back in the early days of email and usenet. If someone was sending spam, someone else would send their server 10,000 email messages and knock it offline.

    It doesn't really work anymore:
    a) Users are dumb - they don't even know their account/computer has been compromised, and might not care even if it has.
    b) One mail server serves millions of users. That means millions of people pay the price for the actions of one bozo.
    c) Revenge mails look like spam. It gets the sender blacklisted.
