Customer-Facing Enterprise Services Bearing the Majority of DDoS Attacks

Of the 8.4 million DDoS attacks recorded in 2019, roughly two-thirds were aimed at customer-facing enterprise systems, which bear the brunt of the problem.

Aimed at disrupting online services, a DDoS attack floods its target with illegitimate traffic generated by PCs, Internet of Things (IoT) devices and other equipment, each sending large numbers of requests; together these requests overwhelm the service.

Legitimate users are then unable to get through. There are various types of DDoS attack that target specific parts of a service, but resource exhaustion and HTTP floods are the most common.

Compromised systems, including devices infected with botnet malware, are used to launch DDoS attacks, and threat actors are known to offer DDoS-for-hire services on underground forums for a pittance.
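The HTTP flood described above is usually visible first in the web server's own access log: one source emitting far more requests per second than any human client. The following is an added example (not code from the article or from Netscout) of a sliding-window rate check over access-log lines; the log lines are constructed here using documentation IP ranges, and the window length and threshold are assumptions to be tuned against real traffic.

```python
"""Sliding-window request-rate detector for HTTP floods (added example).

Parses web-server access log lines in combined log format and flags any
client IP whose request count inside a rolling window exceeds a threshold.
The sample log lines are constructed (documentation-range IPs), and the
window/threshold values are assumptions to tune against real traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT),
            m.group("req"), int(m.group("status")))


def detect_floods(lines, window_s=10, max_requests=20):
    """Map each offending IP to the peak number of requests it made in any window_s span.

    Lines are expected in chronological order per IP, as a live log is.
    """
    windows = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # truncated/garbled line; a real tool would count these
        ip, ts, _req, _status = parsed
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()            # drop timestamps that fell out of the window
        if len(q) > max_requests:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def _constructed_sample_log():
    """Constructed sample: 30 requests in 4.5 s from one source, 3 spread-out requests from another."""
    base = datetime(2019, 11, 3, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        t = (base + timedelta(milliseconds=150 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.5 - - [{t}] "GET /search?q=x HTTP/1.1" 200 512')
    for i in range(3):
        t = (base + timedelta(seconds=5 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.7 - - [{t}] "GET / HTTP/1.1" 200 1024')
    return lines


SAMPLE_LOG = _constructed_sample_log()

if __name__ == "__main__":
    for ip, peak in detect_floods(SAMPLE_LOG).items():
        print(f"flood suspected from {ip}: {peak} requests within 10 s")
```

A per-IP threshold only catches the crude case; a distributed flood from a large botnet spreads requests across many sources, so in practice the same window logic is also applied per URL path and to aggregate request rate, and the offending sources are fed to a rate limiter or upstream scrubbing rather than just logged.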

According to Netscout's latest report on the topic, DDoS attacks continue to be a thorn in the side of enterprises, and attack frequency is rising sharply.

Netscout's research found an 87% increase in exploit attempts between the second half of 2018 and the second half of 2019. DDoS attack frequency worldwide has grown by 16%, with roughly 16 DDoS attempts occurring every minute.

Wired and mobile telecommunications, data processing and hosting providers are the most common targets; there has also been an uptick in DDoS campaigns against satellite communications, chemical manufacturing and trades such as computer equipment sellers and vehicle dealers.

In terms of size, the largest DDoS attack Netscout recorded in H2 2019 was 622 Gbps. However, as Netscout notes, attacks of that size are generally "overkill" and are known to attract the attention of law enforcement; most attacks now fall within the 100 to 200 Gbps range.

This year, it is forecast that up to 20.4 billion IoT devices will be connected to the Internet.

While these devices, including mobile gadgets, smart home appliances and smart speakers, are convenient, security is not always at the forefront of development lifecycles, and there are still many cases where default, hard-coded credentials and unpatched vulnerabilities are abused to add them to botnets.


Meanwhile, legacy IoT devices will continue to add to the global DDoS problem, as they will not necessarily benefit from improving security standards.


Temp Mails (https://tempemail.co/) is a new free temporary email address service. It provides you with random 10-minute email addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address. All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Bot List Containing Telnet Credentials for More than 500,000 Servers, Routers and IoT Devices Leaked Online

This week, a hacker published a list on a popular hacking forum containing Telnet credentials for over 515,000 servers, home routers and IoT (Internet of Things) "smart" devices. The massive list, reportedly compiled by scanning the whole internet for devices that left their Telnet port exposed, included each device's IP address together with the username and password for its Telnet service, a remote-access protocol that can be used to control devices over the internet.

After scanning the Internet for devices exposing their Telnet port, the hacker tried either factory-set default usernames and passwords or custom but easily guessable combinations, according to the leaker's own statements.

Such lists, generally kept private, are known as "bot lists": they are built after hackers scan the Internet and are then used to connect to the devices and install malware. Sources say that although there have been some leaks in the past, this one is the biggest leak of Telnet passwords to date.

According to ZDNet, the list was put online by the maintainer of a DDoS-for-hire (DDoS booter) service. Some of the listed devices may now run on a different IP address or use other login credentials, as all the leaked lists are dated around October-November 2019. Because using any of the listed usernames and passwords to access a device would be illegal, ZDNet did not try them and therefore could not comment on the validity of the credentials.

A security expert in the IoT field, speaking on condition of anonymity, said that even if some of the listed credentials are no longer valid because devices have since changed IP address or password, the list still holds a lot of value for a skilled attacker, who can use the information in it to identify the service provider and update the list with current IP addresses.
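For a defender, the first question about a leak like this is whether any entry falls inside your own address space and whether it is a factory default. The following is an added example (not code from the article, from ZDNet, or derived from the leaked list): it parses a bot list and matches it against a set of owned CIDR ranges. The `ip:port:user:password` line format, the sample entries and the small default-credential table are all constructed assumptions, not the format or contents of the real leak.

```python
"""Triage a leaked Telnet bot list against your own address space (added example).

The line format (ip:port:user:password), the sample entries below and the
default-credential table are constructed assumptions for illustration.
"""
import ipaddress

# Constructed sample in documentation ranges; passwords may themselves contain ':'.
SAMPLE_LIST = """\
203.0.113.17:23:admin:admin
203.0.113.18:23:root:xc3511
203.0.113.40:23:admin:S3cure!Pass:phrase
198.51.100.4:2323:user:user
198.51.100.250:23:support:support
192.0.2.9:23:admin:admin
garbage line
"""

# Illustrative subset of well-known factory defaults (assumption, not exhaustive).
DEFAULT_CREDS = {
    ("admin", "admin"), ("root", "root"), ("root", "xc3511"),
    ("user", "user"), ("support", "support"), ("admin", "1234"),
}

# The ranges you are responsible for (assumption for the demo).
OWNED_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]


def parse_bot_list(text):
    """Yield (ip_address, port, user, password) tuples; skip malformed lines."""
    entries = []
    for raw in text.splitlines():
        parts = raw.strip().split(":", 3)   # maxsplit keeps ':' inside the password
        if len(parts) != 4:
            continue
        ip, port, user, password = parts
        try:
            addr = ipaddress.ip_address(ip)
            port = int(port)
        except ValueError:
            continue
        entries.append((addr, port, user, password))
    return entries


def triage(text, owned_cidrs):
    """Return the entries inside owned_cidrs, flagging factory-default credentials."""
    nets = [ipaddress.ip_network(c) for c in owned_cidrs]
    hits = []
    for addr, port, user, password in parse_bot_list(text):
        if any(addr in net for net in nets):
            hits.append({
                "ip": str(addr),
                "port": port,
                "user": user,
                "default_cred": (user, password) in DEFAULT_CREDS,
            })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LIST, OWNED_CIDRS):
        flag = "FACTORY DEFAULT" if hit["default_cred"] else "custom password"
        print(f"{hit['ip']}:{hit['port']} user={hit['user']} ({flag})")
```

Every hit is a device that accepted a Telnet login from the open Internet in late 2019, so the response is the same whether or not the password still works: rotate the credential, disable Telnet in favour of SSH, and block port 23 at the edge. Entries with a custom password that still appear in the list deserve extra attention, since the password was presumably guessed or reused.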

Some vetted security researchers who volunteered for the task have been given access to the list of credentials.



Should we regulate the Internet of Things?

The Internet of Things is new, exciting, and unregulated. What could possibly go wrong? Security analyst Emma Lilliestam highlights the shortcomings of IoT security and explains why self-regulation is a necessary step towards increased IoT security. 

Should we regulate the Internet of Things?

I am terrified of flying. As a security analyst, I know it doesn’t make sense. Planes are the safest way of traveling – at least when you fly regular traffic. But why is it so safe?

Imagine that the airplane that you were about to board was constructed by an average agile software team.

  • Initial sketches drafted with interior design and entertainment system in mind.
  • Documentation is in part old, but mostly nonexistent.
  • Tail wing is patched in at the last minute in the spirit of continuous deployment.
  • The Definition of Done does not include any safety testing.
  • There’s no regulatory body controlling, and no legal repercussions if the plane crashes into a kindergarten.
  • The body of the plane is made of Duroplast, proven not to withstand lightning. When you ask the material engineer about this, he says that it’s okay, “A skilled pilot avoids lightning anyway. Besides, we wrote it on page 532 in the manual.”

Would you board that plane? I sure wouldn’t.

Lack of standardized crypto frameworks

“One of the most singular characteristics of the art of deciphering is the strong conviction possessed by every person, even moderately acquainted with it, that he is able to construct a cipher which nobody else can decipher.” – Charles Babbage, 1864.

When I create a new server, I can implement state-of-the-art communication security in an hour. Everything I need is documented and peer reviewed and there are tons of free tools to use to test my HTTPS configurations.

As of October 2016, more than half of the requests on the web are encrypted. But keep in mind that the SSL/TLS that we now take for granted wasn’t conceptualized until 1994, and the first two versions were more or less immediate failures. It took a long time of prototyping and failing to reach the standardized frameworks for encryption that we use today.

For me, the warnings about not rolling your own crypto seemed meaningless for a long time – why would you even think that you need to do it when implementing great and cheap standards is so easy? However, in the world of microcontrollers it’s a different story.

I really avoid talking about security as something hard – it isn’t. But implementing good security on an IoT device is nowhere near as easy as when all your end points are servers.

Software running on regular computers is seldom constrained by hardware resources. It doesn’t matter if the size of your artifact is 199 or 202 kilobytes, but in the embedded world it can make all the difference.

Hardware components

“Cryptography transforms (communications) security problems into key management problems.” – Dr. Dieter Gollman, 2011

There are components of varying quality on the market. Available communication chips may have support for good encryption but will leave the key management as a bleeding wound!
This is not necessarily a problem if you order a few million units, but the firms that manufacture chips will often not even talk to small scale companies. The Arduino hobbyists and startups are left with products where good security is harder to implement.
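The "bleeding wound" is concrete: a chip that encrypts well but is fed the same shared secret in every unit turns one extracted key into a fleet-wide compromise. The following is an added example (not the author's code and not any chip vendor's API) of the usual fix on the provisioning side: derive a unique key per device from a master secret and the device serial with HKDF (RFC 5869, built here from the standard library's HMAC-SHA-256), so that only the derived key ever leaves the factory. The master secret, serial numbers and telemetry message are constructed for the demonstration; the block checks its HKDF against the RFC's first test vector.

```python
"""Per-device key derivation with HKDF so one compromised unit does not expose the fleet.

Added example. HKDF (RFC 5869) is implemented with HMAC-SHA-256 from the
standard library; the master secret, serial numbers and message are
constructed for the demonstration and must not be used as-is.
"""
import hashlib
import hmac


def hkdf_extract(salt, ikm, hash_name="sha256"):
    """PRK = HMAC(salt, IKM). An empty salt behaves as HashLen zero bytes, per the RFC."""
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk, info, length, hash_name="sha256"):
    """OKM = T(1) | T(2) | ... with T(i) = HMAC(PRK, T(i-1) | info | i), truncated to length."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm, salt, info, length):
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def rfc5869_vector_ok():
    """Self-check against RFC 5869 test case 1 (HMAC-SHA-256)."""
    ikm = bytes([0x0B]) * 22
    salt = bytes(range(0x00, 0x0D))
    info = bytes(range(0xF0, 0xFA))
    expected = bytes.fromhex(
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    )
    return hkdf(ikm, salt, info, 42) == expected


# Constructed provisioning secret; in production this lives in an HSM, never on a device.
MASTER_SECRET = hashlib.sha256(b"demo provisioning secret - constructed, not for use").digest()


def device_key(master_secret, serial, purpose=b"telemetry-auth"):
    """Derive a 256-bit key bound to one serial number and one purpose (domain separation)."""
    info = purpose + b"|" + serial.encode()
    return hkdf(master_secret, b"fleet-keys-v1", info, 32)


def sign_message(key, msg):
    return hmac.new(key, msg, "sha256").digest()


def verify_message(key, msg, tag):
    return hmac.compare_digest(sign_message(key, msg), tag)


def demo():
    """Two devices get distinct keys; a tag from one does not verify under the other's key."""
    k1 = device_key(MASTER_SECRET, "SN-0001")
    k2 = device_key(MASTER_SECRET, "SN-0002")
    msg = b'{"sn":"SN-0001","temp_c":21.5}'
    tag = sign_message(k1, msg)
    return {
        "distinct_keys": k1 != k2,
        "own_key_verifies": verify_message(k1, msg, tag),
        "other_key_verifies": verify_message(k2, msg, tag),
    }


if __name__ == "__main__":
    print("HKDF matches RFC 5869 vector:", rfc5869_vector_ok())
    print(demo())
```

The backend can recompute any device's key from the serial on demand, so it stores nothing per device, while an attacker who dumps one unit's flash learns only that unit's key. The same derivation with a different `purpose` string yields an independent key for encryption, which avoids reusing one key for both authentication and confidentiality.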

Culture

“As security enthusiasts it is our obligation to create a culture of sharing and non-blame.” – Johan Rydberg Möller, 2017

I wrote earlier that I avoid talking about security as something hard. There’s a myth flourishing out there that security is something mysterious that common techies can’t understand. This myth is nourished by security people and non-security people alike. Both groups have something to gain from it: security people can keep an air of importance and their consultancy fees high, while non-security people are excused for screwing up on basic IT hygiene.

[Image: Cloudpets, 40 dollar teddies on sale for 99 cents. Monetary damage from IoT insecurity can be harsh. (Source: Twitter)]

When asked what they know about security, many programmers say they don’t know anything. Then they get to work and do input validation, ssh into their servers, perform code analysis and code review… As soon as a security practice is commonplace, it stops being “security”. It’s just something that one does.

Truth is, most tech people need a bit of mentoring, googling and interest in order to become decent security analysts. There are tons of easy and open resources that are already available to you such as OWASP cheat sheets.

Regulation

“The market can’t fix this because neither the buyer nor the seller cares. … the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.” – Bruce Schneier, 2017

Security researcher Bruce Schneier proposed in February that security-interested IT businesses need to lobby for regulation of the Internet of Things. He argues that the days of security as an afterthought in a benevolent computer network are over. If we don’t set the agenda now, regulation will happen to us – by legislators and lobby groups that don’t understand the fundamentals of the connected world.

Schneier's reasoning revolves around an American context. With the year-old EU General Data Protection Regulation, GDPR, negligence in securing data will in the best case be punished with substantial fines. I say best case, because the regulation will not be enforced for another year. There are vested interests with big money that want to set a precedent rendering the legislation an expensive but toothless paper tiger.

A few months back, non-secured IoT cameras brought down parts of the internet. Information Technology security is now a question of Physical World Security.

My proposal – a voluntary IoT security seal

Bruce Schneier sees the IoT security issues as a market failure, and thus we must resort to legislation. I am much less pessimistic! Should we regulate the Internet of Things? My answer is “No! Not yet.” I think that the huge brand damage that IoT insecurity has proven to be in recent time will continue, and the incentive for companies to do something about it increases.

I would argue that self regulation is more effective than legislation.

I would like to suggest a seal for voluntary certification of products, following the lead of the pioneers of organic food seals like Swedish KRAV. A non-profit funded by the members would handle the issuing and auditing.

[Image: KRAV seal]

The seal would cover the most important and IoT relevant parts of ISO 27000, GDPR, Hacker Ethics, and relevant OWASP best practices. Moreover, it must be communicated to the general public so that they can make an active choice for a reasonably secure product.

I would suggest the following simple baseline:
* Ensure that the product is protected from trivial or cheap attacks
* Commit to patching critical vulnerabilities
* Commit to following the intentions of GDPR
* Having and following a Security Vulnerability Disclosure Policy
* Not prosecuting security researchers and reverse engineers

Even if this seal only reaches a small percentage of the market, it will be a huge win.

If self regulation fails, sooner or later, a tedious, and in the worst case ineffective, compliance process on the EU level will be forced upon us. And if that day comes, it’s much better to showcase a proven and continuously improved framework that will provide actual security and not just another layer of costly bureaucracy.


About the author:

Emma Lilliestam is an IT security technician and DevOps manager of the IoT company Ewa Home. She will talk at Security Fest in Gothenburg the 1st of June.

Twitter: @emalstm

