Spooks, plod and security industry join to chase bank hacker

A group of security boffins have joined police and intelligence spooks in a clandestine mission to identify those behind distributed denial of service (DDoS) extortion attacks against major banks. An attacker using the handle DD4BC (DDoS for Bitcoins) is launching large DDoS attacks against banks and other big business in the …


WTF

SSDP is supposed to be used only over multicast.

Listening on a unicast address and replying to a unicast datagram for it is a BUG. Similarly, you should never listen to SSDP from outside your local network as it is a massive security risk - this is effectively opening your UPnP to the world.

The idiot vendors who do (and ship such buggy implementations) should be named, shamed and removed from sale (that is the only way to deal with it - we should start removing CE and FCC kitemarks from SOHO crapware running non-standards-compliant software). After all, if something does not comply with, e.g., wireless standards it can be removed from sale. I do not see why this should not apply to network standards as well. In fact, it can be removed under a whole raft of consumer legislation (the stuff usually enforced by trading standards) too. All of that if anyone was _REALLY_ bothered by this. As long as it is not being removed, I find it difficult to believe that this is the case.

Anonymous Coward

Re: WTF

Wise words, sir.

A consumer protection approach which systematically addresses security flaws in household and commercial kit is the way forward. Maybe the banks and other businesses that are currently getting bashed will start pushing for this. Unfortunately, most security issues aren't fully understood by regulatory agencies or their political masters as the security landscape changes all the time. The public at large is equally clueless. Once this bad guy is caught (or goes off the radar) everyone will go back to sleep.

What we really need is a good housekeeping seal of approval that visibly and accurately identifies locked-down, secure-by-design hardware and software (something like a fair-trade sticker on bananas, penguin anyone?). Any respected security consortium could be funded to carry out this approval process. Manufacturers could voluntarily submit their products for approval to get the coveted sticker. Safety standards could be designed, enacted and enforced. If consumers knew they were buying secure, audited (and re-audited) hardware/software (instead of tools like McCrappee, which expires and leaves them vulnerable) they might actually do so. At least they would have a choice.

As it is now, only the security-savvy and some intel agencies (cue TLAs) seem to react quickly after flaw discoveries, usually after the horse has bolted and the stable has already burnt down. Some people patch, others bury the petrol-soaked rags and pretend it didn't happen.

There really ought to be a law.


Re: WTF @ AC

What you are proposing is the Underwriters Laboratories of silicon valley. How 'bout we simply give the job to UL and give them support through the industry, and VOILA! Your idea becomes reality.


Prosperous Body and Soul Missions in Austere Hearts and Minds Operations

Aren't banks criminalising enterprises? And when such, surely legitimate targets for authorised attention and executive action from intelligence agencies protected by smarter entities and ethereal bodies?

Was Henry Ford not wrong when he shared? ...... It is well enough that people of the nation do not understand our banking and monetary system, for if they did, I believe there would be a revolution before tomorrow morning. ...... http://www.brainyquote.com/quotes/authors/h/henry_ford.html


"extortion attacks against major banks"

Wrong move, bud.

Never threaten the money. You'll spend the rest of your life looking over your shoulder.


PPI ...... Extortion on an Epic Scale?

Wrong move, bud.

Never threaten the money. You'll spend the rest of your life looking over your shoulder. .... Pascal Monett

That's the nightmare terrorist scenario for bankers, Pascal. Them being personally targeted rather than just their institutions being bombed in whatever fashion is effective and devastating.

Although Bishopsgate, London 23rd April 1993 was a real genre game changer.

Anonymous Coward

History of UPNP

UPNP was borked years ago


Suggestion

Improve the M-SEARCH discovery function of SSDP...

You can test vulnerability here --- https://www.grc.com/su/upnp-exposed.htm

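The "WTF" comment above says a device should only answer SSDP M-SEARCH arriving on the multicast group, and that one answering unicast probes from outside the LAN is an open reflector; the "Suggestion" comment points at GRC's online tester for exactly that. The following is an added example (not code from the thread, from GRC, or from any vendor) of the same check done locally: it builds an M-SEARCH, parses whatever comes back, classifies the result by the responder's address, and reports the byte amplification a reflector would give an attacker. The sample response and the 203.0.113.5 / 192.168.1.1 addresses are constructed for illustration; the `probe()` function does real UDP and should only be aimed at hosts you are authorised to test.

```python
"""Unicast SSDP M-SEARCH probe and response classifier (added example)."""
import ipaddress
import socket

SSDP_MCAST_ADDR = "239.255.255.250"   # the multicast group SSDP discovery is meant for
SSDP_PORT = 1900

# Address ranges that count as "local": a device answering from one of these
# is merely sloppy; one answering from a public address is an Internet reflector.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8",
)]

# Constructed SSDP reply, shaped like a typical home-router root-device answer.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"LOCATION: http://192.168.1.1:1900/rootDesc.xml\r\n"
    b"SERVER: Example/1.0 UPnP/1.1 ExampleDevice/1.0\r\n"
    b"EXT:\r\n"
    b"\r\n"
)


def build_msearch(search_target="ssdp:all", mx=1):
    """Return the bytes of an SSDP M-SEARCH request.

    The HOST header always names the multicast group. A device that answers
    this datagram when it was delivered to its unicast address is exhibiting
    the behaviour the comment calls a bug.
    """
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_MCAST_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data):
    """Parse an HTTP-over-UDP reply into (status_code, headers).

    Header names are lower-cased. Anything that is not an HTTP/1.1 status
    line followed by headers yields (None, {}) rather than raising.
    """
    text = data.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 "):
        return None, {}
    try:
        status = int(lines[0].split(" ", 2)[1])
    except (IndexError, ValueError):
        return None, {}
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def amplification_factor(request, responses):
    """Bytes received per byte sent: the figure a DDoS reflector is valued by."""
    if not request:
        return 0.0
    return sum(len(r) for r in responses) / len(request)


def advertised_targets(responses):
    """The set of ST values the device handed back (what it is willing to expose)."""
    targets = set()
    for r in responses:
        _, headers = parse_ssdp_response(r)
        if "st" in headers:
            targets.add(headers["st"])
    return targets


def classify_exposure(responder_ip, responses):
    """'silent' is correct; 'answers-unicast' is the bug on a LAN address;
    'exposed' is that bug on a public address, i.e. a usable reflector."""
    if not responses:
        return "silent"
    addr = ipaddress.ip_address(responder_ip)
    if any(addr in net for net in LOCAL_NETWORKS):
        return "answers-unicast"
    return "exposed"


def probe(host, port=SSDP_PORT, timeout=2.0, search_target="ssdp:all"):
    """Send one unicast M-SEARCH to host:port and collect every reply (network I/O)."""
    request = build_msearch(search_target)
    responses = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            while True:
                data, _ = sock.recvfrom(65535)
                responses.append(data)
        except socket.timeout:
            pass
    return request, responses


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; swap in probe(host) for a live check.
    req = build_msearch()
    print(classify_exposure("203.0.113.5", [SAMPLE_RESPONSE]),
          advertised_targets([SAMPLE_RESPONSE]),
          round(amplification_factor(req, [SAMPLE_RESPONSE]), 2))
```

A real reflector returns one datagram per advertised service for `ST: ssdp:all`, so the amplification figure from a live probe is usually several times what the single sample reply shows; that multiplicity, not the size of any one reply, is what made SSDP attractive for the attacks the article describes.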

DD4BC is

the callsign of a German Amateur Radio station.


Biting the hand that feeds IT © 1998–2017