Here's an idea for grey-hat hackers:
If you find a vulnerability in a webcam/router/IoTthingy, configure all the vulnerable units to DDoS the company that produced them.
StarHub in Singapore is the latest large network to get hammered with attacks on its DNS infrastructure – apparently by compromised kit owned by its customers. In keeping with an emerging openness about what's sending networks dark, it posted its troubles to Facebook. Yesterday Singapore time, the company said it saw a spike …
I believe text may be viewable on Facebook to non-members. The point is taken though about Facebook practising open sharing of data in both directions.
In semi-related news, I recently looked up details of personal luggage on the web, and now that is about the only thing that I am seeing personalised advertising for. I think I need to invent some more interesting interests. Lightly dressed ladies... no (although, yes). Sports? Not particularly. I suppose perhaps sports practised by lightly dressed ladies... I'll think about it. For quite a while, probably.
What are you on about?
There's no mention of any of the equipment being StarHub's unless I missed something? It seems to reference kit bought by its customers from other sources that may not be providing the best practice in its equipment.
Or, if you're talking about it being karma on the customers for having insecure kit, then subsequently getting knocked off due to a DDOS, then you're an idiot. People need to stop screaming that people should know how to operate every bit of tech kit they've got and how to make it secure. You don't hear the same arguments about cars - that's because there are garages that look after them for you.
Oh, right, cars. Perfect comparison. The wild west of IoT is totally comparable to vehicles which are regulated, driver's licenses which are only given with government authorization, and let's not forget police which have radars and helicopters and can even just stop you to randomly control your papers.
I do agree that the day that IoT is as heavily controlled and regulated as vehicles, such DDoS attacks will undoubtedly be a thing of the past.
"No, well why would it? It's a DDOS not an intrusion."
Totally agree, however it is now perceived as a 'security' incident for better or for worse. Verizon started including it in its Data Breach Investigation Report two or three years back, possibly because it's a headline-grabbing incident caused by malicious activity. Providers of security tech and services are providing advice and 'solutions'. So for now it's here to stay as a security incident and therefore will likely be accompanied by the batteries not included, no bunnies were harmed, all your PII are still belong to us press releases.
Should ISPs be responsible for sending technicians "to sanitise customer kit"? It sounds great, but very expensive. I don't know whether ISPs have "greedy pockets", but I suspect that such a competitive business works to fairly narrow margins. Either way, the cost of the roaming technicians is going to find its way on to customers' bills.
The real responsibility should be with the manufacturers of insecure kit, but they currently have little incentive to increase their prices in pursuit of security. Perhaps ISPs should restrict connectivity to certified kit. In the UK, Post Office Telephones (the predecessor to BT) used to do that with modems. The trouble with that is that a 300 bd modem used to cost £300.
ISPs are missing a trick here. Instead of going on about the cost and complexity being too much to handle, they should come up with a solution that will manage the insecure kit and then make it a requirement for internet access that either their or a third party solution be put in place to keep the insecure stuff from being accessible from or talking to the outside. Checking for these things should be automated and not take a lot of effort. The rest could be done with... I forget...I think it's called a "firewall"... Instead, we get crap like "buy connected devices only from reputable vendors" as if there are any that make even a vague attempt at securing their products.
"The trouble with that is that a 300 bd modem used to cost £300."
That was more of a scale issue than anything else. By the time 9600 baud came along, they were a lot less than that but still subject to costly approval. By the time 56k modems became ubiquitous, the installed base was much, much larger, they cost £30-£40, came with free answerphone and fax software and were still getting costly approval from BABT. (Note that BABT was not part of BT.)
I think BT still have conformance requirements for consumer equipment but AFAIK it's self-certified these days so about as reliable as a CE mark.
Too many people claim that paying more for a product from a reputable vendor will protect you. The issue in the recent attacks was that a core component in products made by others included a service with hard-coded credentials that couldn't be changed. There is no Good Security Housekeeping Seal of Approval that can be used by supply chain managers to check the security habits of parts suppliers, nor for consumers to check the security habits of manufacturers.
For web-based products that you don't pay for, it's even worse. There's no way to tell in advance whether a website uses Adobe Flash, or whether a blog post is hosted on a compromised WordPress or Joomla site. You can't find out how quickly a web site owner addresses known flaws, or does penetration testing. The only signal you can get from the noise is whether the web site vendor notifies you about a recent vulnerability, and what they're doing to avoid the issue in the future. 99.9% of consumers won't be able to assess the vendor from this info.