A Year After Mirai: DVR Torture Chamber Test Shows Two Minutes Between Exploits (sans.edu)
UnderAttack writes: Over two days, the Internet Storm Center connected a default configured DVR to the internet, and rebooted it every 5 minutes in order to allow as many bots as possible to infect it. They detected about one successful attack (using the correct password xc3511) every 2 minutes. Most of the attackers were well known vulnerable devices. A year later, what used to be known as the "Mirai" botnet has branched out into many different variants. But it looks like much hyped "destructive" variants like Brickerbot had little or no impact.
Re: (Score:2)
No impact? Didn't Brickerbot take down an ISP?
This story was brought to us by the International Internet of Things Manufacturers happy fun consortium.
Sally forth good citizens, nothing to fear of these aids to humanity. Purchase with great impunity!
Honey pot? (Score:3)
Wouldn't it have just been simpler to create a honey pot that answered to the correct password?
Re:Honey pot? (Score:5, Interesting)
Wouldn't it have just been simpler to create a honey pot that answered to the correct password?
Malware authors are getting increasingly good at detecting honey pot environments. Using the real deal is a good call, IMHO.
PhD? (Score:4, Informative)
He claims "Traffic from the DVR outbound was blocked by the firewall to prevent it from infecting other systems." But, of course, if that were true then the camera wouldn't be able to create a telnet session.
This, from someone claiming to be "Ph.D., Dean of Research, SANS Technology Institute?" A quick search says "The SANS Technology Institute is regionally accredited by the Middle States Commission on Higher Education...", which is itself a DBA for a corporation created in 2013.
OK, so they're the successor to ITT Tech, but without the reputation.
Re:PhD? (Score:5, Informative)
OK, the drawing accompanying the report could have used something other than a "camera" icon for the DVR under test, and yes, it was probably an "Anran" DVR. Having said that, Dr. Ullrich has a PhD in physics from SUNY Albany, and the SANS Institute has been a well-respected source of systems administration and network security education since the mid 90s, at least.
I really don't understand why GP felt the need to throw shade on the producer of the report, rather than address the findings themselves, but whatever.
Re: (Score:3)
It's a very short article, based on a very simplistic premise, which produced nothing new. OTOH, it was a marketing opportunity which somehow counts as "News for Nerds."
Re: (Score:2)
I really don't understand why GP felt the need to throw shade on the producer of the report,
Because the SANS Institute is a for-profit private organization with self-study accreditation. According to their accreditation they have 294 enrollments (http://www.msche.org/institutions_view.asp?idinstitution=595), and have a campus in the Courtyard by Marriott Madison East, Madison, WI hotel.
Really?
And not to forget, they charge $47,000 for an online degree program. I completed my MSc for $9,000, also through distance learning.
Re: (Score:2)
You're not familiar with SANS? I'd expect any sysadmin or sysadmin-wannabe would know of them...
Re: (Score:3)
FTFY.
Re: (Score:1)
He claims "Traffic from the DVR outbound was blocked by the firewall to prevent it from infecting other systems." But, of course, if that were true then the camera wouldn't be able to create a telnet session.
While you were busy pontificating they invented these things called Stateful Firewalls. It's really simple to block outbound TCP connections from devices while allowing incoming TCP connections that can establish and maintain sessions. i.e.: it blocks outbound "SYN" packets while still allowing "SYN-ACK", "FIN", "FIN-ACK" and "ACK" packets.
Re: (Score:1)
But, of course, if that were true then the camera wouldn't be able to create a telnet session.
why not?
He is saying he is blocking outbound that is initiated from inside. So the DVR can't actively create connections/sessions to infect other machines.
However, when a host from outside tries to establish a connection, the firewall lets that through; when the DVR responds, it is responding to an existing connection (initiated from outside), and the firewall will permit that because the block rule only applies to sessions starting from inside.
Re: (Score:2)
The cameras accept incoming telnet connections, so that they can be remotely controlled. Even basic firewalls can allow outgoing packets for a TCP connection that was established from the outside, although usually it's the other way around.
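The stateful-firewall behaviour the replies above describe (a bare outbound SYN from the DVR is dropped, while an inbound telnet session and the DVR's replies on it pass), modelled as an added example; this is not code from the ISC report or from any commenter, and the addresses and port numbers are constructed.

```python
from dataclasses import dataclass

# Constructed addresses (assumptions for this example, not from the report).
DVR = "192.0.2.10"          # inside address of the DVR under test
ATTACKER = "198.51.100.7"   # outside host that telnets in
VICTIM = "203.0.113.42"     # outside host an infected DVR would try to reach


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # TCP flags as letters: "S" SYN, "SA" SYN-ACK, "A" ACK, "FA" FIN-ACK


class StatefulFirewall:
    """Model of the rule the thread describes: packets of a tracked session pass in
    both directions, an outside host may open a NEW session to the inside device,
    but a NEW session (bare SYN) originating from the inside device is dropped."""

    def __init__(self, inside: str):
        self.inside = inside
        self.sessions = set()  # tracked 4-tuples: (client, cport, server, sport)

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "ACCEPT"            # ESTABLISHED: reply or data on a known session
        if pkt.flags == "S":           # NEW: a bare SYN
            if pkt.src == self.inside:
                return "DROP"          # the DVR must not initiate connections
            self.sessions.add(fwd)     # outsider opening telnet to the DVR: track it
            return "ACCEPT"
        return "DROP"                  # INVALID: neither SYN nor part of a session


def run_scenario() -> list:
    """Replay the exchange from the thread; returns (description, verdict) pairs."""
    fw = StatefulFirewall(inside=DVR)
    steps = [
        ("outsider SYN to DVR telnet", Packet(ATTACKER, DVR, 40001, 23, "S")),
        ("DVR SYN-ACK reply", Packet(DVR, ATTACKER, 23, 40001, "SA")),
        ("outsider ACK, session up", Packet(ATTACKER, DVR, 40001, 23, "A")),
        ("DVR data on that session", Packet(DVR, ATTACKER, 23, 40001, "A")),
        ("DVR SYN to another host", Packet(DVR, VICTIM, 51000, 23, "S")),
        ("stray SYN-ACK from DVR", Packet(DVR, VICTIM, 23, 51001, "SA")),
    ]
    return [(name, fw.filter(p)) for name, p in steps]
```

A real firewall expresses the same thing with connection tracking (NEW versus ESTABLISHED state) rather than by inspecting the SYN flag alone.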
Mandatory XKCD (Score:3, Funny)
The Virus Aquarium
https://xkcd.com/350/
Wonder how bad receivers are... (Score:2)
I've held off getting any internet connected devices (besides computers of course) for a long time, but I did break down and get a receiver that is connected and gets firmware updates from time to time...
I should really someday look for traffic coming from the thing but I've not bothered so far... the only condolence I have is hoping that it has limited throughput.
Re: (Score:2)
(1) Why connect a receiver at all. If it doesn't work out of the box it's already failed.
I'm just going to guess here, but I believe there are these things called audio files that you can download and listen to.
Re: (Score:2)
I might have thought the same thing, but I also have phones and printers connected to my router. I also wanted some lights but held off.
Re: (Score:2)
Oh, and a NAS
Re:What about NATs? (Score:4, Interesting)
You know when things say "just port-forward" and people just do that?
There ya go.
One of the reasons that I look upon any port-forward as incredibly suspicious, professionally, and only like doing it if it goes via a device capable of connection-limiting, rate-limiting and performing intrusion-protection and sanitisation for the exact protocol in question.
"Hey, just bash a hole in your house so the postman can deliver your parcels. Hey, just bash another hole so the gas man can read your meter. Hey, just bash another hole so your lightbulbs can talk out."... at the point it starts sounding silly, that's the point it already is silly.
Re:What about NATs? (Score:5, Insightful)
UPNP: Hey, just let anyone who wants access to your house bash a hole in the wall!
Re: (Score:2)
Precisely.