Source Code For IoT Botnet 'Mirai' Which Took Down Krebs On Security Website With DDoS Attack Released (krebsonsecurity.com)
As if the state of security wasn't already a headache worldwide, we now may have one more reason to worry: a hacker has made available the source code that could allow more people to wage the kinds of extraordinarily large assaults that recently knocked security news site KrebsOnSecurity offline. Brian Krebs reports: The source code that powers the "Internet of Things" (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices. The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Vulnerable devices are then seeded with malicious software that turns them into "bots," forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline. The Hackforums user who released the code, using the nickname "Anna-senpai," told forum members the source code was being released in response to increased scrutiny from the security industry.
Oh great (Score:4, Informative)
Oh great, now every dickweasel and conehead in the world will be cranking out malware.
Re: Oh great (Score:1)
Let's see a list of manufacturers to never buy from. That would be one good thing coming out of this...
Re: (Score:1)
Your problem is that you think that bankrupting one company is going to change anything. The operators will just spin up a new operation (corporation), and create new botnet nodes under another IoT fad.
THE only way to stop these botnets from forming is to not buy IoT devices. As convenient as they may be, they don't outweigh the inconvenience of a completely broken internet (of things)
Re: Oh great (Score:5, Interesting)
Here's an idea: hold corporations accountable. Did you follow industry best practices? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you patch your code within a reasonable amount of time after being notified of the issue? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you take unnecessary design risks and challenges with your product? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you have a security firm with proper recognized credentialing test your code for flaws? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS.
It wouldn't even require much more than writing a law that allows the corporate veil to be pierce-able in the event of egregious displays of information security negligence.
Re: (Score:1)
Re: (Score:2)
Because over regulation is working so well for you right now. What's the street price of medical gear right now in the USA? 10x that of the rest of the world? 20x? could even be closer to 30x given I can buy an Epipen for $23.99
Re: (Score:2)
Re: (Score:2)
That's not because of overregulation, but because of a pricing strategy called "what the market will bear". This is quite a bit more for critical drugs and gear than for toys, as pharmaceutical companies have discovered.
If it was overregulation the price would have gone up everywhere, since pharmacovigilance regulations are pretty similar across the board. Okay, maybe some price disparity would have been there because some regulators require less proof. But still, this can never explain a 30x price differen
Re: (Score:2, Redundant)
You can't blame Ford for the bad driving of the people crashing their cars. You can blame Ford for faulty mechanics. Most of your comparison is based on bad drivers, not Mechanical Problems. For the Most part, cars are relatively safe until people start driving.
However, just about every IoT device that is faulty is broken by design. And they aren't being made by GE, Samsung or whatever, but by some Chinese fly-by-night cheap manufacturer for some IoT "inventor" who doesn't have the resources to pay out anyt
Re: (Score:2)
It wouldn't even require much more than writing a law that allows the corporate veil to be pierce-able in the event of egregious displays of information security negligence.
Yes because the law is only a problem for information security negligence and these massive lawsuits, payouts, etc have stopped every other form of short cutting.
Or not.
Re: (Score:2)
While it sounds extreme, I completely agree. Without that, nothing is going to change. As soon as anybody that did screw up this badly has to prove they followed best practices and had independent review OR ELSE (and the "ELSE" must be personal for senior management), this problem will mostly go away. One model could be IoT devices this insecure must be recalled and the owners compensated generously. Cannot assure that? No way for your trash to get through customs. Yes, regulation is generally not a good id
Re: (Score:1)
Issue with this: The presumption that product manufacturers can be held liable for how their products are used illegally. This idea is not new (see holding gun manufacturers liable for crimes committed with their products), and will not work.
Try an alternative route.
Re: Oh great (Score:5, Funny)
Right now I can purchase an IoT appliance that controls my lawn sprinklers for about $250 that adjusts the water output based on the weather in the area.
Your proposal would probably make that same IoT appliance cost around $250,000. No sane person would ever spend that much money on a device that controls a sprinkler system since that appliance would never pay for itself.
Well, good. You shouldn't be wasting water on lawns anyhow.
Paid too much (Score:2)
I built my own using a BeagleBone and assorted parts (opto-triacs, P/S and xformer) for under a hundred.
Re: (Score:2)
THE only way to stop these botnets from forming is to not buy IoT devices. As convenient as they may be, they don't outweigh the inconvenience of a completely broken internet (of things)
No, you need to not buy IoT devices that ship with working default passwords and that can't patch themselves. The way we made that happen in the marketplace before with electrical safety issues was with an overpriced certification authority, like UL or CSA, something customers can recognize in the shops today by the shiny holographic label.
Re: (Score:1)
Re: Oh great (Score:5, Informative)
Almost all manufacturers ship devices with default username and passwords
Changing them is your responsibility
Really? (Score:1)
Re: (Score:2)
Houses, for one, come with keys that are not unique at all. It's just not possible to know to which other houses you already happen to have a key.
It's also really inconvenient to go around to all the houses in your neighborhood, let alone your city, to see whether your key opens their lock. It's pretty easy to test a known User/Pass combination on a hundred million different IP addresses.
And this is precisely the problem with inter-connectivity, and the 'I' in 'IoT': HOBE, or at least Hack Once, Easily Scan For Open Doors.
The world of physically disconnected systems that can't be defeated without physical presence (or near-physical presence, like a couple of the more esoteric side-channel attacks reading keys from chip EM output) means that having successfully figured out the key to one house is basically useless. There's both a) no quick and easy way to know what other houses you can now g
Re: (Score:1)
Sure. Used to be in the UK if you bought say, a refrigerator, it didn't come with an electrical plug. Really. Whole fridge works, ready to go but no plug. That would come wrapped separately with just a bare lead on the fridge.
Obviously every year some number of imbeciles who bought a fridge but struggled to follow instructions that involve knowing the colours of things and operating a screwdriver would wire it up wrong and kill themselves or destroy the integrity of their electrical system (e.g. wiring neut
Re: (Score:3)
Almost all manufacturers ship devices with default username and passwords
Changing them is your responsibility
The device should require the username and password be changed before it will function.
Re: (Score:2)
Almost all manufacturers ship devices with default username and passwords
Changing them is your responsibility
With the source code for Mirai that became a whole lot easier for me to do ;)
Re: (Score:2)
Actually, making sure you change username and password is their responsibility. The well-established way to do that is that unless you do, the device just displays a page asking you to. So this is indeed a massive screwup on the manufacturer's side.
Re: (Score:2)
I think a better use of this botnet would be to flood the manufacturers' websites. Maybe then they'll start caring about security.
just now (Score:2)
Re: (Score:2)
Quite a few experts have been warning about this problem for years. People never listen until something bad happens....
Re: (Score:1)
The $1000 is still yours, if you or one of your mental midget followers can manage to demonstrate a flaw in my design.
Summary here: https://slashdot.org/comments.... [slashdot.org] The preamble is a loose working definition of hash. My stances and claims are enumerated below.
Re: (Score:2)
Go away, noob. Stalking does make your credibility even lower. As does trying to deride actual experts.
Re: (Score:2)
And I'm not going to take etiquette advice from someone who uses sock puppets or minions, thanks. I'm performing a useful service; I'll be fact-checking all of your stuff for a little while. Won't take me 5 minutes a day. Don't worry, all other posts will be strictly on-topic from here on out.
I don't mind losing debates, but I no longer abide frauds. Particularly not frauds who apologize for incompetence.
Re: (Score:2)
Stalking and deriding are not "fact checking". They are just immature revenge for a bruised ego. Your "usefulness" is just going even wider into the negative this way.
Re: (Score:1)
Re: (Score:2)
Keep kidding yourself. You are doing the "mad stalker" act now. I just checked whether I should return the favor, but your postings are not interesting enough for that. I am simply going to ignore you now, encouraging a petulant child is never a good idea.
Re: just now (Score:1)
Re: (Score:2)
Nice! ;-)
Re: (Score:2)
Headline translation (Score:2)
Headline translation: "We're Doomed."
Re:Headline translation (Score:4, Funny)
I fully expect that we are facing nothing less than total apocalypse
This is the end people!
Remember y2k? Yeah, just imagine that times 1... you are starting to get the picture...
Re: (Score:2)
More like this is the start of Skynet. Just wait until the AI we are creating get a hold of all the IoT devices ...
Re: (Score:2)
Remember y2k? Yeah, just imagine that times 1... you are starting to get the picture...
Y2K was a big deal. That most people didn't notice much is a testament to what happens when you take something seriously, and get a lot of skilled people to work on a problem with a non-negotiable deadline. If all the people who worked on it hadn't, it would have been a rather terrible impact.
Unfortunately, there isn't (yet) an irresistible incentive or imperative to fix the ToI problem. Even for those recognizing it as a problem, there is no deadline nor any good predictions that will sway management to
Re: (Score:3)
Y2K was a big deal. That most people didn't notice much is a testament to what happens when you take something seriously, and get a lot of skilled people to work on a problem with a non-negotiable deadline.
This is absolutely true. The reason Y2K wasn't a big deal is because thousands of programmers sat down and fixed stuff. Otherwise, we would have seen all sorts of shit go belly up at the stroke of midnight on December 31st 1999.
Re:Headline translation (Score:4, Insightful)
Y2K was a big deal. That most people didn't notice much is a testament to what happens when you take something seriously, and get a lot of skilled people to work on a problem with a non-negotiable deadline.
This is absolutely true. The reason Y2K wasn't a big deal is because thousands of programmers sat down and fixed stuff. Otherwise, we would have seen all sorts of shit go belly up at the stroke of midnight on December 31st 1999.
Hell yeah. In our first tests after the bugs were fixed, literally NOTHING worked. They had forgotten to patch the login module and every password valid date was now suddenly in the past. 50 testers went home again that day, after an hour, on a Saturday. Much grumbling ensued.
But... you know, at some point no one who was present at Y2K will be alive, but the people who denied that there ever was a problem will still be in abundant supply. It's saddening to see that if you just deny something happened, no matter what it is and no matter the documentation and witnesses, eventually sheer stupidity and mental inertia will bring you victory. Fighting entropy is *hard*.
Re: (Score:2)
You mean no one who actually worked on the Y2K issue will be alive, and everyone will just think it was media hype.
I worked for a major bank at the time, we had to work night shifts towards the end for testing, we started making changes about 4 years before Y2K, millions was spent on contractors, people came out of fucking retirement to work on Y2K. But ask anyone who wasn't involved (even other programmers) and they all think it was much ado about nothing.
Re: (Score:2)
You mean no one who actually worked on the Y2K issue will be alive, and everyone will just think it was media hype
Yep.
You mean no one who actually worked on the Y2K issue will be alive, and everyone will just think it was media hype.
I worked for a major bank at the time, we had to work night shifts towards the end for testing, we started making changes about 4 years before Y2K, millions was spent on contractors, people came out of fucking retirement to work on Y2K. But ask anyone who wasn't involved (even other programmers) and they all think it was much ado about nothing.
This illustrates what is often said: the person that creates crisis after crisis and then fixes them (just in time to avoid serious disaster) will be appreciated more than the unsung hero who prevents the problems from developing in the first place. Sometimes I think we should have just let Y2K happen and then fixed things. But meh, what's done is done and besides it is our job to keep things running. Leave it to the amateurs to run from one fire to another - engineers are proud to run things so there a
Re: (Score:2)
I fully expect that we are facing nothing less than total apocalypse
This is the end people!
Start doling out the Kool-Aid and make sure each cup is filled to the brim...bottoms up!
But seriously, this is likely to make things worse, much much worse.
Re: (Score:3)
Their security was fine, as long as you changed the default password.
Devices really do need a recovery mechanism from someone losing their password and a hard reset back to a default is fine with me.
That people buy a security camera and then leave it with its default password is the problem.
Re: (Score:2)
Sorry, telnet's just not cool in 2016.
>> That people buy a security camera and then leave it with its default password is the problem.
Some manufacturers HAVE figured out a better way: a different default password for each device. Any company that still has a single common password for multiple devices these days is asking for a lawsuit.
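Two fixes come up in the posts above: the device should refuse to do anything until the factory credential is replaced, and the factory credential should be unique per unit. The following is an added illustration of both policies in one small model, written for this thread and not taken from any real firmware. The `DeviceAuth` class, its method names, the 12-character minimum and the PBKDF2 parameters are all assumptions made here for the example.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical first-boot credential policy for an IoT device (added example).
# Assumptions: PBKDF2-HMAC-SHA256 for storage, a 12-character minimum, and a
# per-unit random factory password that is printed on the unit's label.
PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LEN = 12


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so a dumped config does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class DeviceAuth:
    """One admin credential plus a must_change flag set at the factory."""

    def __init__(self, username: str, password: str, must_change: bool):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.must_change = must_change
        # Keep the factory hash so the user cannot "change" back to the label value.
        self.factory_salt = self.salt
        self.factory_hash = self.pw_hash if must_change else None

    @classmethod
    def factory_provision(cls):
        """Per-unit random default (the 'different default password for each
        device' approach). Returns the device and the label value."""
        initial = secrets.token_urlsafe(9)  # 12 URL-safe chars, 72 bits of entropy
        return cls("admin", initial, must_change=True), initial

    def check(self, username: str, password: str) -> bool:
        # Always compute both comparisons, in constant time, so the response
        # timing does not reveal whether the username or the password was wrong.
        candidate = hash_password(password, self.salt)
        ok_user = hmac.compare_digest(username.encode("utf-8"), self.username.encode("utf-8"))
        ok_pw = hmac.compare_digest(candidate, self.pw_hash)
        return ok_user and ok_pw

    def handle_request(self, username: str, password: str, action: str, new_password=None) -> str:
        """Everything except change_password is refused while the factory
        credential is still in place; returns a status string."""
        if not self.check(username, password):
            return "DENIED"
        if self.must_change and action != "change_password":
            return "MUST_CHANGE_PASSWORD"
        if action == "change_password":
            return self.change_password(new_password)
        return "OK"

    def change_password(self, new_password) -> str:
        if new_password is None or len(new_password) < MIN_PASSWORD_LEN:
            return "REJECTED_TOO_SHORT"
        if self.factory_hash is not None and hmac.compare_digest(
            hash_password(new_password, self.factory_salt), self.factory_hash
        ):
            return "REJECTED_SAME_AS_FACTORY"
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(new_password, self.salt)
        self.must_change = False
        return "CHANGED"


if __name__ == "__main__":
    dev, label_value = DeviceAuth.factory_provision()
    print("label:", label_value)
    print(dev.handle_request("admin", label_value, "view_stream"))          # MUST_CHANGE_PASSWORD
    print(dev.handle_request("admin", label_value, "change_password", "correct-horse-battery"))
    print(dev.handle_request("admin", "correct-horse-battery", "view_stream"))  # OK
```

The point of keeping the factory hash around is the reset case raised earlier in the thread: a hard reset may legitimately restore the label credential, but that must also restore `must_change`, so a reset device is again unusable over the network until someone picks a new password.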
Re: (Score:2)
Their security was fine, as long as you changed the default password.
And, you know, don't connect them directly to the Internet....
Good (Score:2)
Better that it's out in the open than hidden in the shadows, out of reach of security researchers.
This will motivate competent admins who, for whatever reason, haven't secured these kinds of devices already to get around to taking care of the issue. As for the incompetent admins and the average home user, they'll figure it out when their bandwidth costs go through the roof and be forced to take action one way or another.
But long story short, if a tool exists (good or bad) it's better that everyone can acces
Re: (Score:3)
Most of these are not on any administrated system. These are baby monitors, home security cameras, "smart" toasters, and similar junk. We are selling piles of internet connected junk to the masses, but with no responsibility for anyone to make them secure after the fact. It is in fact getting harder to find widgets that are NOT internet connected just for the sake of being able to label it "smart".
Smart toilet paper that tells you when the roll is about empty and automatically re-orders from Amazon will
Re: (Score:2)
Then I see a lucrative business opportunity in selling and configuring home router/security appliances to end users.
Or to user ends, as case may be...
Re: (Score:2)
It will only be smart toilet paper when it wipes me by itself, dumps itself in the toilet, and then flushes itself away.
Make the systems appear crappy? (Score:4, Interesting)
Reading about this, I was wondering if there isn't some way to mitigate the problem by pre-emptively borking the devices.
Apparently power cycling the IoT device will reset it to normal, whereupon it can be reinfected.
Suppose some security group ran the malware and infected as many devices as possible with code that made the device *not work*.
The owners would have to keep power-cycling the devices, they'd get pissed at the manufacturers for making a poor product, and maybe they'd replace the devices with newer ones.
This should be simple to do, much less effort than making the code try to contact the owner with "hey - change your password" and such.
Would just making the products appear crappy work?
Re: (Score:2)
Reading about this, I was wondering if there isn't some way to mitigate the problem by pre-emptively borking the devices.
"Do unto others before they do it to you."
I don't like that approach, because of the high risk of collateral damage. What if some of the "things" were things like traffic sign controllers or great-grandmother's heating blanket, or also regulated the propane flow in a barbecue grill? Unless you can only take out the bad part and leave the good part intact, I see risks.
Re: (Score:2)
"Do unto others before they do it to you."
I don't like that approach, because of the high risk of collateral damage. What if some of the "things" were things like traffic sign controllers or great-grandmother's heating blanket, or also regulated the propane flow in a barbecue grill? Unless you can only take out the bad part and leave the good part intact, I see risks.
Given our history with new technology going mainstream, it'll take a few front page level incidents involving these gadgets before people take their security (or lack thereof) seriously.
Re: (Score:2)
...or also regulated the propane flow in a barbecue grill?
Holy fuckballs. Anyone stupid enough to allow an IoT device to control something like the propane flow in a barbecue grill deserves to have their house blown to bits in a huge fuckin' fireball.
No, really- there are some things that simply should not be automated unless absolutely necessary. And that goes double if the controlling is done through an IoT gadget.
It's like trusting your newborn's oxygen supply to some ten-dollar gizmo sourced in China. No. No, NO NO.
Re: (Score:2)
The problem there is that the group behind it would probably be liable under the Computer Fraud and Abuse Act - all it would take is a few calls from the managers at the IoT device companies to the FBI and the security group behind it would be arrested and probably jailed for violating it. The CFAA is so wide-reaching that even something as simple as hacking into the devices to display a simple "This device is vulnerable and could be used at any time as part of a botnet to DDoS websites" could be punished b
Re: (Score:2)
Prior art [wikipedia.org]
Re: (Score:2)
Suppose some security group ran the malware and infected as many devices as possible with code that made the device *not work*.
History repeats itself [wikipedia.org]
Duplicate story (Score:3, Informative)
Re:Duplicate story (Score:5, Informative)
More seriously, here's the list of usernames/passwords the bot exploited. Might be worth adding to your personal collection to make sure your scanner notices these.
root xc3511
root vizxv
root admin
admin admin
root xmhdipc
root default
root (none)
root pass
root password
guest 12345
admin1 password
ubnt ubnt
root system
admin 1234
admin meinsm
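A defender's use of the list above is to spot it in your own telnet logs: a source cycling through these exact pairs is running the scanner, and any device that answered one of them with a successful login is already owned. The script below is an added example for this thread, not part of Mirai or of any product. The log line format (`telnetd src=... dst=... user=... pass=... result=OK|FAIL`) and the sample lines are constructed here for illustration; adapt the regex to whatever your honeypot or router actually emits.

```python
import re
from collections import Counter

# The credential pairs quoted in the post above; "(none)" is the empty password.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "xmhdipc"), ("root", "default"), ("root", ""), ("root", "pass"),
    ("root", "password"), ("guest", "12345"), ("admin1", "password"),
    ("ubnt", "ubnt"), ("root", "system"), ("admin", "1234"), ("admin", "meinsm"),
}

# Constructed log format (an assumption for this example, not a real product's):
# <timestamp> telnetd src=<ip> dst=<ip> user=<u> pass=<p> result=<OK|FAIL>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one scanner hitting three devices, a second scanner,
# and one legitimate login with a non-default credential.
SAMPLE_LOG = """\
2016-10-03T01:00:01Z telnetd src=203.0.113.10 dst=192.0.2.20 user=root pass=xc3511 result=FAIL
2016-10-03T01:00:02Z telnetd src=203.0.113.10 dst=192.0.2.20 user=root pass=vizxv result=FAIL
2016-10-03T01:00:03Z telnetd src=203.0.113.10 dst=192.0.2.20 user=admin pass=admin result=OK
2016-10-03T01:00:09Z telnetd src=198.51.100.7 dst=192.0.2.21 user=root pass= result=FAIL
2016-10-03T01:00:10Z telnetd src=198.51.100.7 dst=192.0.2.21 user=ubnt pass=ubnt result=FAIL
2016-10-03T01:05:00Z telnetd src=192.0.2.5 dst=192.0.2.21 user=operator pass=c0rrect-h0rse result=OK
2016-10-03T01:06:00Z telnetd src=203.0.113.10 dst=192.0.2.22 user=root pass=password result=OK
"""


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyse(log_text, threshold=2):
    """Return (scanner_sources, compromised_devices).

    A source is reported as a scanner once it has tried at least `threshold`
    known-default pairs; a destination is reported as compromised if any
    known-default pair was accepted (result=OK)."""
    attempts = Counter()   # src ip -> number of known-default attempts
    compromised = set()    # dst ips that accepted a known-default pair
    for ev in parse(log_text.splitlines()):
        if (ev["user"], ev["pw"]) in MIRAI_DEFAULTS:
            attempts[ev["src"]] += 1
            if ev["result"] == "OK":
                compromised.add(ev["dst"])
    scanners = sorted(src for src, n in attempts.items() if n >= threshold)
    return scanners, sorted(compromised)


if __name__ == "__main__":
    scanners, owned = analyse(SAMPLE_LOG)
    print("sources trying Mirai default pairs:", scanners)
    print("devices that accepted a default pair (isolate and re-credential):", owned)
```

A successful default-credential login is the higher-priority signal: failed attempts from the Internet will be constant background noise after this release, but a device that said OK needs to be pulled off the network and re-credentialed, not just firewalled.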
Re: (Score:2)
If you can point me to luggage that accepts the username/password "mother fucker" then I'd buy it. (Unless Samuel Jackson bought the last one.)
Re: (Score:1)
Re: ISP responsibility as much as anyone else! (Score:1)
Re: (Score:2)
Eye twitch... (Score:1)
This just in: Post Title for Source Code For IoT Botnet 'Mirai' Which Took Down Krebs On Security Website With DDoS Attack Released Deemed 'Not Enough Like That Brain Freeze Feeling' on Slashdot
502: And his new DDOS protector is .. (Score:2)
.. losing the battle
Duplicate story (Score:1)
Burn it to the ground (Score:5, Interesting)
Use the source code to create malware that disables the functionality of the insecure devices. When it becomes apparent that massive numbers of them stop working soon after installation, sales will drop through the floor and that is the only thing that will make manufacturers change their behavior.
Re: (Score:2)
So they lock themselves out of a *third* sale? Doubtful. Easier to just change brand names; boxes and labels are cheap to make in the Pacific Rim.
Re: (Score:3)
The real problem is how authorities are likely to react to someone breaking these devices. Breaking every hackable IoT device out there is likely to cause much more consumer backlash than the occasional DDOS does. I bet the authorities would expend more against the person breaking the devices than the ones using them in the botnets.
Re: (Score:2)
Use the source code to create malware that disables the functionality of the insecure devices. When it becomes apparent that massive numbers of them stop working soon after installation, sales will drop through the floor and that is the only thing that will make manufacturers change their behavior.
That sounds ethical. While you're at it, why not have them first DDOS the websites of political entities you find objectionable?
Re: (Score:2)
why not have them first DDOS the websites of political entities you find objectionable?
Because manufacturers don't give a shit about someone else being hit with a DDOS from their products.
Your argument is based on the completely fallacious idea that a manufacturer suffering the consequences of making shoddy products is exactly the same as randomly suppressing someone's political views. It's a stupid argument.
Until not having real security reduces their profit more than the cost of adding security, nothing will happen. Malware that disables the functionality of devices and makes it obvious t
Re: (Score:1)
Why not have them first DDOS the websites of their manufacturer?
Re: (Score:2)
Sidestep the ethical problem with that (Score:2)
Re: (Score:2)
I mean, what would happen if you used a strong passphrase?
Some of the Things on Internet (ToIs) would heat up and catch fire, because hashing algorithms on long strings is the straw that breaks the camel's CPU, busy as it is running looping ajax applications and digesting log files for sending to the mothership.
Re: (Score:2)
Until then it's just getting their brand into each home and online hype about the internet being on their easy to use devices.
Security is a cost to buy on an another chip, a cost to design, to keep cool, test, add, build, then support.
When standards change, a device is stranded with a user looking for their passphrase. The box or some pa
Re: (Score:1)
Re: (Score:2)
I wouldn't really call it an exploit to try a set of default passwords on telnet connections.