You’ve mentioned these before

Back in #WeekendWisdom number 76, where I talked about connecting devices to the internet and #WeekendWisdom number 84, where I talked about distributed denial-of-service attacks, I mentioned botnets.

What are botnets?

A botnet is a collection of a large amount of compromised devices that are connected to the internet.

How do they get formed?

There are legitimate services out there that scan the entire internet and every device that is connected to it and it keeps a database of all these devices.

Criminals then using these legitimate services are able to tailor their searches and locate:

• CCTV cameras
• Baby monitors
• Digital video recorders
• In-house IP cameras
• Any other type of device that may be connected to the internet in a very insecure manner

If they can detect these through this database, what they can do then is compromises it using maybe:

• Default credentials
• Known compromise
• Weak vulnerabilities

in those devices. Take them over, add them to their botnet and then they have control of these devices. They give them instructions to carry out a distributed denial of service attack.

So that’s how these botnets get formed.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

The post #WeekendWisdom 093 Botnets appeared first on L2 Cyber Security Solutions.

What are distributed denial of service attacks?

A denial of service attack is where a bad actor will use some thing to deny you access to some other service. So for example, a ransomware incident, is where the criminals, they are using ransomware to deny you access to the service of your computers.

A distributed denial of service attack is slightly different in that the criminals are going to use many, many, many thousands of devices that they control that are called bots and they’re all in this kind of thing that they call a botnet.

What can a botnet do?

It is then used to target an online service or application that your business depends on. Thus they flood it with requests which therefore then drowns out any legitimate requests that you’re trying to put there to make use of that service.

So how can you prevent this type of thing?

Well usually your internet service provider or your application service provider may have some facilities that they can use that control these type of distributed denial of service attacks. So you should contact them if you are in such a situation. It costs money but it’s well worth it if you want to get access back to your online service.

You can refer back to #WeekendWisdom number 76 where I talked about connecting cheap devices to the internet which don’t have really good security on them and these are usually the devices that make up these botnets.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

The post #WeekendWisdom 084 Distributed Denial of Service Attacks appeared first on L2 Cyber Security Solutions.

Where does this term Backdoors come from?

A lot of cyber security terminology uses common terms that relate to the real-world. In the real-world, a backdoor is usually the door of a house or building that is around the side or the back. This door cannot seen from the front of the building.

In cyber security terminology?

In cyber security terms a backdoor is a way in that is unseen, into an appliance or device or to a network.

Back in #WeekendWisdom number 61, I talked about a backdoor to a set of firewalls. This was where the manufacturer had put in place a hardcoded password. This password enabled them to be able to sign into those firewalls through the backdoor.

What way can hackers use Backdoors?

But hackers tend to use a bit more sophisticated methods to establish their backdoors. If they break into your network they usually want to try and keep their access on there. So they will usually install some program, some piece of software on one of the devices on the network to establish what we call a persistent connection, where they can just keep coming back.

That’s just a piece of software that opens up a backdoor. Sets up a communication with the outside world that the hacker controls and that they can use to come back in and continue doing whatever they want to do on your network.

So that’s what a backdoor is in cyber security terms.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 075 Backdoors appeared first on L2 Cyber Security Solutions.

What is the source of this overwhelming attack?

A vulnerability was discovered recently with certain servers that are exposed to the internet. If a certain type of packet was sent to the server with a small amount of data, the server would reply to the packet with a much greater quantity of data – in some cases up to 50,000 times more data.

Now most of you are thinking, well that would mean the server would reply to the sender with a big hunk of data and so overwhelm the bad guy.

The thing about the type of packet in question (officially known as User Datagram Protocol or UDP) is that the sender can change the source address of the packet to “spoof” where the packet came from. The vulnerable server will blindly believe that the reply should go to the victim and add lots of additional data. This is all because there is no verification of the source address when UDP packets are used.

So all the evil doer needs to do, is locate a large number of vulnerable servers, send them each a packet of data with the same spoofed source address and the servers will send a greater amount of data back to the victim address and cause an overwhelming attack on any services they have exposed to the internet. The following is a simple diagram of how this works – in this case a 1 Megabyte request gets amplified to 15 Megabytes:

So what can I do if I get hit?

If you fall victim to one of these attacks, the evil doers may contact you and demand a ransom payment to stop the attack.

Your first place to call is your Internet Service Provider (ISP). They may have a facility to mitigate such attacks or they can engage a third party company to do so. These services may not be cheap however – so you’ve got to balance this cost against any ransom that may be demanded.

Bear in mind, that if you do pay the ransom once, the chances are you’ll do so again (at least one more time).

My advice is don’t pay the ransom.

Engage the good guys to mitigate the attack.

Finally report the crime to An Garda Síochána.

What? Why???

A crime was committed.

No, they probably won’t be able to do anything about it.

But the more reports that the Gardai record on cyber crime, these will begin to factor in their statistics, which will mean once the scale of cyber crime is seen, they will begin to receive an adequate budget to deal with this type of crime, which they badly need.

The post Overwhelming attack sets new record. appeared first on L2 Cyber Security Solutions.

The first time I saw that picture of the Dr. Evil meme, I never thought that it might be possible for the numbers to reach those nonsensical values, but if Internet connected brooms are in our future (see below), we might be in serious trouble, if the manufacturers of such devices keep ignoring the need for easily configured security settings on their gear.

The Mirai Botnet, which was responsible for the historic attack on Brian Krebs website, amongst others last month has grown dramatically. I came across this Botnet tracking website, which gives details of the number of infected hosts in the Mirai Botnet a few hours ago. At that time the total number of hosts was 1,479,110. It is now showing 1,547,552 (it’ll be higher by the time you read this ?) That means on a Wednesday morning in late October, another 68,000 devices have been hacked and are ready to be used for evil purposes. It is believed that last Friday’s massive attack on Dyn, which crippled such services as Twitter, Amazon, Spotify, PayPal and Netflix, was partly as a result of the Mirai Botnet according to Flashpoint.

Granted the total number of affected hosts is likely to be a lot lower as some of the earlier compromised devices may have been reset or disconnected from the internet either by their owners or by ISPs who detect such devices and block them.

Following the initial attack on Brian Krebs in September, I had blogged encouraging everyone to change the default passwords on their IP cameras and DVRs. However, it has become apparent that a particular make of these devices has a hard coded backdoor which is not under the control of the user. According to Brian Krebs:

The scary part about IoT products that include XiongMai’s various electronics components, Flashpoint found, was that while users could change the default credentials in the devices’ Web-based administration panel, the password is hardcoded into the device firmware and the tools needed to disable it aren’t present.

These affected devices will need new firmware to be installed on them to remove this backdoor, but (a) there is no sign of any and (b) given the numbers involved, it would be unlikely that even 1% would get updated, and that is me being wildly optimistic. ?

I want to finish on a couple of light notes … as whimsically stated by Jeff Jarmoc, “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters,” How very, very true. ?

And if you wondered what I was talking about in regards to an Internet connected broom above – this is where that came from – the Internet of Evil Things:

The post The Internet of Evil Things continues to grow. appeared first on L2 Cyber Security Solutions.

The post Details emerge about the huge internet attack last Friday. appeared first on L2 Cyber Security Solutions.

• Security Cameras or Digital Video Recorders (DVRs)
• Baby monitor
• Smart sockets
• Smart light bulbs
• Smart Thermostat
• Energy usage monitor
• Smart fridge
• Media Server

Octave Klaba, the founder and CTO of French hosting company OVH, sounded the alarm on Twitter on the 22nd September when his company was hit with two concurrent DDoS attacks whose combined bandwidth reached almost 1 terabit per second. One of the two attacks peaked at 799 gigabits per second alone, making it the largest ever reported.

According to Klaba, the attack targeted Minecraft servers hosted on OVH’s network, and the source of the junk traffic was a botnet made up of 145,607 hacked digital video recorders and IP cameras.

With the ability to generate traffic of between 1 megabit per second and 30 megabits per second from every single device, this botnet is able to launch DDoS attacks that exceed 1.5 terabits per second, Klaba warned.

The post Have you any smart internet connected IoT devices in your home? appeared first on L2 Cyber Security Solutions.