When security firm Sucuri investigated the source of a 50,000-request/second DDoS attack on a jewelry shop, they discovered to their surprise that the attacks originated on a botnet made of hacked 25,500+ CCTV cameras in 105 countries.
These Internet of Things cameras were typical of IoT devices in that they ran with next to no security and inadequate patching systems. What's more, since they were always on and designed to transmit data over the public internet, they were especially powerful members of the botnet.
Sucuri researchers queried a sampling of the boxes and found that all of them showed they were running what was called the "Cross Web Server" that had a default Web page titled "DVR Components." The researchers later found the malicious IPs contained the company logos of resellers of CCTV services and that all the devices were running BusyBox, a collection of Unix-based utility tools that run on embedded devices. To make it harder to block the attack, the malicious devices had been programmed to emulate normal browser behavior by displaying a variety of common user agents, such as those associated with the Chrome, Internet Explorer, and Safari browsers. The hacked devices also displayed "referrers" falsely showing they had most recently visited sites including Engadget, Google, and USA Today.
Large botnet of CCTV devices knock the snot out of jewelry website
[Dan Goodin/Ars Technica]
(Image: Different Types of Cctv Cameras, Tamasflex, CC-BY-SA)
Troy Hunt, proprietor of the essential Have I Been Pwned (previously) sets out the hard lessons learned through years of cataloging the human costs of breaches from companies that overcollected their customers’ data; undersecured it; and then failed to warn their customers that they were at risk.
A security researcher has published a vulnerability and proof-of-concept exploits in Google’s Internet of Things security cameras, marketed as Nest Dropcam, Nest Dropcam Pro, Nest Cam Outdoor and Nest Cam Indoor; these vulnerabilities were disclosed to Google last fall, but Google/Nest have not patched them despite the gravity of the vulnerability and the long months […]
The DHS has advised some airlines that flights originating from some overseas airports will only be allowed to land in the USA if passengers are required to check any electronic device bigger than a phone (excepting medical devices) in the hold.
The Lightning port has thus far resisted the cruel fate that befell the headphone jack, and despite rumors that it may be disappearing come iPhone 8, for the present and foreseeable future, Lightning cables are a hot commodity for iPhone users. As such, we must make do in this strange time in which long, glorified […]
All the filters in the world won’t save your smartphone pics from a shaky hand. To really step up your mobile photography game, you’ll need some kind of mount to hold it steady. You could buy a smartphone attachment for a conventional camera tripod, but who wants to carry that kind of gear everywhere they […]
The forced transition from analog to digital TV signals was probably met with relative indifference from people with Netflix subscriptions and the “I don’t even own a TV” snoots. But anyone living in the vast swaths of the country that don’t have guaranteed high-speed internet, broadcast TV is a perfectly valid (and 100% free) way […]