Monthly Archives: October 2016

US Should Help Private Sector ‘Active Defense,’ But Outlaw ‘Hacking Back’, Says Task Force

Task Force at George Washington University suggests ways for government to clear up legal quagmires, improve tools, keep us all out of trouble.

The US government should explicitly prohibit private entities from “hacking back,” but empower them to use other methods of so-called active defense against threat actors, according to members of the Active Defense Task Force at the George Washington University’s Center for Cyber and Homeland Security (CCHS) in a report today.

The report authors are very clear that active defense is “not synonymous with ‘hacking back’” and the two should not be used interchangeably. Active defense, rather, includes technical interactions between defenders and attackers, operations that enable defenders to collect intelligence on threat actors, and policy tools that modify the behaviors of malicious actors — things like sinkholes, honeypots, beaconing, threat hunting, and gathering intel on the dark Web. It’s the “gray zone” between hacking back and doing nothing.

When it comes to active defense, many companies are either “doing nothing or doing them in the dark,” says Christian Beckner, deputy director of CCHS.

The trouble is that these activities — even those in the gray zone — may or may not fall afoul of laws like the Computer Fraud and Abuse Act. (As the report explains: “Under US law, there is no explicit right to self-defense by private companies against cyber threat actors.”) 

Plus, what really worried the task force, says Beckner, are the companies that think they’re doing the right thing, and engage in active defense activities that ultimately lead to escalation. They make a bad situation worse — either by causing massive collateral damage or by creating a political conflict between nation-states where there might have been none.  

There have been discussions about this before, says Beckner, but the CCHS effort has aimed to delve into more in-depth operational issues, rather than just legal issues. The Task Force includes over 30 individuals from academia, government, and industry, and is co-chaired by former Director of National Intelligence Admiral Dennis C. Blair, currently chairman and CEO of Sasakawa Peace Foundation USA; former Secretary of Homeland Security Michael Chertoff, currently executive of the Chertoff Group; Nuala O’Connor, President and CEO of the Center for Democracy & Technology; and CCHS director Frank J. Cilluffo.

The Task Force suggested 15 key short-term actions for the US federal government and the private sector to make, in order to enhance the ability of the private sector to legally and safely use active defense technologies and policies. Some of those recommendations are:

  • The Department of Justice should issue guidance to the private sector about what it will and will not prosecute — in both criminal and civil cases — when it comes to active defense of a company’s own security. Although the DOJ just made public some guidance it had issued to cyber crime prosecutors two years ago, this guidance does not specifically cover organizations’ active defense.
  • The Department of Homeland Security should develop operations for public-private coordination on active defense, using existing groups like industry ISACs, ISAOs and NCCIC.
  • The US State Department should work with foreign partners to develop standards and norms on active defense.
  • The White House should develop guidance for federal agencies on when and how it is appropriate to provide active defense support to the private sector. Beckner points out that while a large company in the financial industry might be able to carry out their active defense well enough on their own, other organizations may try to stretch beyond their capabilities. Better cooperation between the private and public sector to begin with will help agencies identify when it is appropriate to step in.  
  • NIST should develop guidelines, risk levels, and certifications for carrying out various active defense guidelines.
  • Federal agencies that conduct or fund research and development should invest more in active defense. Beckner said that there is a particular need for “tools that facilitate attribution.”   
  • Amend the Computer Fraud and Abuse Act and Cybersecurity Act of 2015 to allow low- and medium-impact active defense measures. 
  • The creation of best practices for coordination between ISPs, hosting providers and cloud providers on active defense. The task force notes that third-party service providers like these will play a particularly significant role in active defense, particularly since so many companies also use security-as-a-service. They point to Google’s aid in Operation Aurora as an example.

Not all members of the Task Force, however, were in full support of its final recommendations. The report includes an appendix written by O’Connor, expressing her measured dissent. O’Connor wrote “the report advocates a more aggressive posture than I believe appropriate, and does not give adequate weight to security and privacy risks of some of the techniques it favors.”

She specifically takes issue with the technological tools of “dye packs” and “whitehat ransomware” — tools that allow for too loose of an interpretation of the CFAA’s rulings on unauthorized access to a computing device, even if the computing device in question is that of an attacker.

She further observes, “When it comes to risky defensive conduct that may cross the line and be unlawful, the report makes two observations that give me pause. First, that some cybersecurity firms might be given a license to operate as agents of the federal government and engage in conduct that would be unlawful for other private parties. Second, that the Department of Justice forbear prosecution of companies that engage in unlawful active defense measures.” She points to the collateral damage caused by Microsoft when it brought down millions of innocent websites during a 2014 botnet takedown operation.

Beckner says, however, that organizations need more security tools available to them. “What we’re trying to articulate,” he says, “is what rules should be in the toolkit going forward?”


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad …

from Dark Reading – All Stories http://ubm.io/2foA0iZ
via IFTTT

Microsoft Launches Security Program For Azure IoT

As part of the program, Microsoft has partnered with security auditors who will examine customers’ IoT infrastructure, find problems, and provide guidance.

Microsoft has launched a new program for its Azure cloud platform to help business customers strengthen their security posture amid the rise of the Internet of Things.

Security and privacy concerns are top of mind for IT pros as the IoT continues to grow within the enterprise. Many struggle to verify the security of their IoT infrastructure and may delay product implementation as they establish best practices.

Microsoft’s new Security Program for Azure IoT is a response to customer requests for increased security assurances as they assemble and deploy IoT products, the company says.

Microsoft has partnered with security auditors to evaluate customers’ IoT infrastructure, detect security problems, and provide recommendations. Customers can choose an auditor to conduct examinations from the ground up, verifying devices, assets, gateways, and communication with the cloud.

Partners so far include Praetorian, Casaba Security, CyberX, and Tech Mahindra, but Microsoft plans to add more as the program continues to grow. It will also work with standards organizations including the Industrial Internet Consortium (IIC) to create industry protocols and best practices for security audits.

“In today’s connected world, the perception of security risk alone, even if not realized, can still negatively impact consumer confidence necessary for new technologies to meet their full market potential,” says Paul Jauregui, VP Marketing and IoT Business Lead at Praetorian. 

High-profile data breaches have increased consumer awareness of issues surrounding data security, Jauregui explains. Adoption of enterprise and consumer IoT may suffer until vendors can address their privacy concerns.

The massive DDoS attacks on Dyn on October 21, which were launched mainly via infected IoT devices, were a wakeup call for businesses. Most of the devices used in these attacks were surveillance cameras, indicating how seemingly benign objects can cause widespread problems.

Jauregui explains how for businesses, security is both an economic and technical challenge. IoT product teams struggle to balance risk with the pressures of quickly bringing products to market.

“Resources allocated towards security-related activities throughout product development, assessment, and maintenance will increase as viable IoT business models and value creation opportunities solidify across every industry,” he says.

As businesses work to solve IoT security problems, Jauregui explains, the entire ecosystem must work together. Hardware manufacturers, product teams, developers, cloud providers, service providers, and consumers need to collaborate to ensure security “from chip to cloud,” he notes.

Praetorian, as a partner in the program, will review organizations’ full IoT solutions while focusing on vulnerabilities. By helping them close security gaps, Praetorian and other partner companies will help Microsoft’s business customers balance risk and time-to-market.

“Solving and managing IoT security is going to take a village,” says Jauregui.

Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance & Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she’s not catching up on the latest in tech, Kelly enjoys …

from Dark Reading – All Stories http://ubm.io/2fybISX
via IFTTT

Google Reveals Windows Kernel Zero Day Under Attack

A Windows zero-day vulnerability is being used in an unknown number of attacks, Google disclosed today, 10 days after it privately reported the issue to Microsoft.

Google’s disclosure follows its internal policy, which states that companies should fix or publicly report flaws that are under attack after seven days.

Microsoft has yet to issue an advisory—or patch—for the flaw, which Google says is a local privilege escalation vulnerability in the Windows kernel. The vulnerability can be used to escape the sandbox and execute code on the compromised machine. Microsoft said Google’s disclosure puts customers at risk.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk. Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible,” a Microsoft spokesperson told Threatpost. “We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

A request for additional comment from Google was not answered in time for publication.

Google researchers Neel Mehta and Billy Leonard of the company’s Threat Analysis Group said they disclosed the vulnerability to Microsoft on Oct. 21, the same day Google also disclosed a separate code execution flaw in Flash Player to Adobe. Adobe rushed an emergency patch last Wednesday for CVE-2016-7855; it too was being used against organizations in targeted attacks. The Flash Player bug affected Windows 7, 8.1 and 10 systems, Adobe said.

Google shared few details on the bug, essentially sharing its existence with users and simultaneously putting pressure on Microsoft to rush a fix of its own. Google’s scant description of the bug:

“The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”

Google said the vulnerability is mitigated in the Chrome browser.

“Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability,” Google said.

Google’s disclosure policy gives vendors 60 days to patch critical vulnerabilities, or notify users about the risk and any workarounds or temporary mitigations. The policy was published in 2013 and included the seven-day deadline on critical flaws under active exploitation.

“The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised,” Google said at the time. “Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information.”

Google has not been shy about acting on its strict deadlines. In early 2015, Google published details on three Windows bugs days ahead of Patch Tuesday, forcing a stern response from Microsoft calling for improved coordinated disclosure. Weeks later, Google disclosed details on three OS X bugs that exposed Macs to code execution. None of those vulnerabilities, however, were being publicly attacked like the vulnerability today.

“We encourage users to verify that auto-updaters have already updated Flash — and to manually update if not — and to apply Windows patches from Microsoft when they become available for the Windows vulnerability,” Google said.

from Threatpost – English – Global – thr… http://bit.ly/2esIsIV
via IFTTT

Nymaim Dropper Updates Delivery, Obfuscation Methods

A new variant of the Nymaim dropper has been identified that includes updated delivery and obfuscation methods, and the use of PowerShell routines to download its payloads.

The updated dropper, used primarily to download banking Trojans in the past, has also been spreading ransomware, according to security company Verint, which has been monitoring an increasing number of attacks during the past year. Attacks using Nymaim are up 63 percent compared to 2015, said Verint security research manager Moshe Zioni.

In a report published last week, Zioni and colleague Oren Biderman said the latest generation of the dropper has “gone through some dramatic changes” and “deserves renewed attention” by security researchers.

Unlike the 2013 variant of the dropper, which was almost exclusively distributed via drive-by-downloads, the new incarnation brings to the table new features and is spread through spear phishing.

“New features and capabilities that have not yet been seen (in previous Nymaim variants), including new delivery mechanisms, obfuscation methods, PowerShell usage and even an interesting form of ‘anti-security solution/analysis’ blacklisting,” wrote Zioni and Biderman.

According to researchers, the latest Nymaim samples target victims with emails that contain malicious Microsoft Word document attachments. “When opening the attachment, it looks like a classic phishing attempt, which tries to convince the user to enable (the) macro since the document is protected,” researchers said.

Closer examination of the malicious document’s strings revealed that its Visual Basic for Applications (VBA) macro code has been obfuscated using a non-standard ROT mechanism. Previous analysis of Nymaim’s “obfuscation technique observed a ROT obfuscation mechanism, but what we had on our hands was different,” researchers wrote.

According to Zioni and Biderman the new obfuscation uses two types of tactics. “One is an effort to obfuscate strings in particular, the other is to make Macro methods virtually unreadable and cumbersome for the reverse engineer,” the researchers said. “String de-obfuscation is implemented by calculating a cyclic group of numbers that will lead to the correct reordering of the string.”

Another change involves the order of execution and implementation within the first stage of the payload drop after the malicious macro has been triggered. First, the PowerShell routine is initiated in order to download the first stage of the payload from a command and control server. Second, an additional “pre-execution” connectivity test is executed via a GET request to “http://bit.ly/2e6ifie” with a user-agent value of “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)”.

“The user-agent in-place was implemented in Internet Explorer 10 platform preview (2011), a somewhat peculiar choice for an up-to-date variant – may point to the origin of the mechanism’s code,” said Zioni and Biderman.

And in an attempt to prevent detection, the malware checks the IP-address data returned by the GET request against a blacklist of sub-strings associated with analysis tools, including Fortinet, Cisco, Palo Alto and others. “If the sub-string is found to be within the response – it won’t approach the function of downloading the first stage payload,” according to researchers.
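One way a defender could hunt for the pre-execution check described above in web-proxy logs, as an added example that is not from the Verint report or the original article: it flags a client that sends the quoted user-agent out of character with its usual traffic, and raises the severity when a `.dat` download follows. The log format, hosts, addresses, thresholds and sample rows are constructed assumptions.

```python
"""Proxy-log hunt for the pre-execution check described in the article (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# User-agent the article quotes for the connectivity test. A genuine IE 10
# client can send the same string, so it only counts when it is out of
# character for the client that sent it.
NYMAIM_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
MAX_UA_SHARE = 0.5                # assumption: UA must be a minority of the client's traffic
WINDOW = timedelta(seconds=60)    # assumption: payload fetch follows the check quickly
PAYLOAD_SUFFIXES = (".dat",)      # the payload path named in the article ends in .dat

# Constructed sample data: hosts, addresses and timings are invented.
_CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/54.0"
_ROWS = [
    ("2016-10-31T09:00:01", "10.0.0.5", "http://intranet.example/home", _CHROME),
    ("2016-10-31T09:01:10", "10.0.0.5", "http://news.example/", _CHROME),
    ("2016-10-31T09:02:30", "10.0.0.5", "http://mail.example/inbox", _CHROME),
    ("2016-10-31T09:05:00", "10.0.0.5", "http://ipcheck.example/lookup", NYMAIM_UA),
    ("2016-10-31T09:05:20", "10.0.0.5", "http://files.example/admin/worddata.dat", "-"),
    ("2016-10-31T09:10:00", "10.0.0.7", "http://intranet.example/home", _CHROME),
    ("2016-10-31T09:11:00", "10.0.0.7", "http://news.example/", _CHROME),
    ("2016-10-31T09:12:00", "10.0.0.7", "http://mail.example/inbox", _CHROME),
    ("2016-10-31T09:15:00", "10.0.0.7", "http://ipcheck.example/lookup", NYMAIM_UA),
    ("2016-10-31T09:25:00", "10.0.0.7", "http://updates.example/defs.dat", _CHROME),
    # A real IE 10 workstation: same UA on everything, so it is not flagged.
    ("2016-10-31T09:20:00", "10.0.0.9", "http://intranet.example/home", NYMAIM_UA),
    ("2016-10-31T09:21:00", "10.0.0.9", "http://news.example/", NYMAIM_UA),
    ("2016-10-31T09:21:30", "10.0.0.9", "http://ipcheck.example/lookup", NYMAIM_UA),
    ("2016-10-31T09:21:40", "10.0.0.9", "http://files.example/report.dat", NYMAIM_UA),
]
SAMPLE_LOG = "\n".join(f"{t}|{c}|GET|{u}|{ua}" for t, c, u, ua in _ROWS)
SAMPLE_LOG += "\nmalformed line without fields"


def parse_log(text):
    """Parse 'time|client|method|url|user-agent' lines, skipping malformed ones."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|", 4)
        if len(parts) != 5:
            continue
        ts, client, method, url, ua = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        records.append({"time": when, "client": client, "method": method,
                        "url": url, "ua": ua})
    return records


def hunt(records):
    """Return one finding per out-of-character request carrying NYMAIM_UA."""
    by_client = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["time"]):
        by_client[rec["client"]].append(rec)

    findings = []
    for client, recs in by_client.items():
        share = Counter(r["ua"] for r in recs)[NYMAIM_UA] / len(recs)
        if share == 0 or share > MAX_UA_SHARE:
            continue  # UA never seen, or it is this client's everyday browser
        for i, rec in enumerate(recs):
            if rec["ua"] != NYMAIM_UA or rec["method"] != "GET":
                continue
            payload = next(
                (later["url"] for later in recs[i + 1:]
                 if later["time"] - rec["time"] <= WINDOW
                 and urlparse(later["url"]).path.lower().endswith(PAYLOAD_SUFFIXES)),
                None,
            )
            # The article notes the download is skipped when the response
            # matches the blacklist, so a check with no payload fetch is
            # still reported, at lower severity.
            findings.append({"client": client, "time": rec["time"],
                             "check_url": rec["url"], "payload_url": payload,
                             "severity": "high" if payload else "low"})
    return sorted(findings, key=lambda f: (f["time"], f["client"]))


if __name__ == "__main__":
    for finding in hunt(parse_log(SAMPLE_LOG)):
        print(finding)
```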

Researchers also point out that particular attention is paid to the social engineering portion of the attack. Victims are typically high-level managers, and the attackers try to maximize the chances that a recipient will open the document and enable the Word macros that trigger the next phase of the attack.

“The email message includes the recipient’s job title in the subject line (“Vice President – Human Resources”), while the body of the message includes such details as the recipient’s full name and office address,” Verint said.

Phishing email containing Nymaim Trojan with subject “Vice President – Human Resources” and containing a “draft” document for recipient’s review.

Distribution domains hosting Nymaim payload, according to Zioni and Biderman, have included silkflowersdecordesign[.]com/admin/worddata.dat. Typically, the name of the document matches the name of the targeted company and the attachment is a Microsoft Word 2007 file or newer. Last week, Microsoft moved to neutralize the threat of malicious attachment attacks by allowing system administrators to configure Office 2013 to block Word, Excel, and PowerPoint macros. The capability had previously been introduced in March by Microsoft for its Office 2016 software.

from Threatpost – English – Global – thr… http://bit.ly/2fo6sSr
via IFTTT

Google Warns Of Windows Zero-Day Under Attack

‘Critical’ vulnerability found by Google has yet to be announced or fixed by Microsoft.

Google researchers today disclosed that they had found and reported to Microsoft a critical vulnerability in Windows that Microsoft has not yet fixed – and is being used by attackers in the wild.

This Halloween Day revelation by Google threat analysis group members Neel Mehta and Billy Leonard falls under Google’s policy for reporting active exploits of critical vulnerabilities. Google says it first reported the bug to Microsoft on October 21. 

“After 7 days, per our published policy for actively exploited critical vulnerabilities, we are today disclosing the existence of a remaining critical vulnerability in Windows for which no advisory or fix has yet been released. This vulnerability is particularly serious because we know it is being actively exploited,” the Google team said in a post today.

The Windows vulnerability is a local privilege-escalation flaw in the Windows kernel that can be used to bypass a security sandbox. “It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability,” the Google team wrote.

“We encourage users to verify that auto-updaters have already updated Flash — and to manually update if not — and to apply Windows patches from Microsoft when they become available for the Windows vulnerability.”

 


from Dark Reading – All Stories http://ubm.io/2dVUf6u
via IFTTT

‘Do Gooder Worm’ Changes Default Passwords In Vulnerable IoT Devices

A security researcher has proposed an unusual approach for protecting Internet of Things devices against Mirai-like threats. It’s not likely to see the light of day, either.

The challenge involved in securing millions of vulnerable home Internet of Things (IoT) devices like digital video recorders, routers, and IP cameras against threats like Mirai has prompted one security researcher to suggest a somewhat unusual approach to the problem.

Leo Linsky, a software engineer with network monitoring firm PacketSled, has released code on GitHub for a worm he developed that is capable of infiltrating IoT products protected only with default credentials and changing those weak passwords.

He describes this anti-worm worm as a nematode that is purely an academic research project and only intended to show proof-of-concept. “The idea is to show that devices can be patched by a worm that deletes itself after changing the password to something device-specific or random,” he wrote.

“Such a tool could theoretically be used to reduce the attack surface,” he said, cautioning that the code be tested only in closed research environments.

The likelihood that Linsky’s code will actually be used to secure IoT systems protected only with default credentials is remote to non-existent.

“This is the cybersecurity equivalent of vigilante justice,” says Jonathan Sander, vice president of product strategy at Lieberman Software. “People love a vigilante while what they are doing works. The moment a vigilante does something wrong, however, the public tends to turn against them.”

He points to the issues that are sure to arise if the worm starts messing up and locking people out of their devices, or if a bad actor uses it to take over devices. “This person’s heart is in the right place. But that won’t save them if their actions go to a very bad place,” Sander says.

There are some practical issues as well that such behavior entails, says Scott Tenaglia, a security researcher for Invincea Labs, who recently exposed flaws in the Mirai malware that theoretically could be used by DDoS mitigation services to thwart the botnet.

“My immediate question is, how does the owner of the device know the new login credentials that the worm has set?” he says. “Locking the user out of a service on their own device without their knowledge for the sake of security sounds like a great example of why end users don’t like security people.”

And anyone using the code to remediate devices will likely be operating well outside the law, Tenaglia cautions.

“Vulnerability scanners – bots that look for security issues like weak credentials – would be a boon to home users and small businesses that lack the technical skills to actively manage their own security,” says Ofer Gayer, product manager at Imperva. Even so, they could violate laws and compromise personal privacy, he says.

The better approach is for users to take a more proactive role in securing their IoT devices: “Though a drudgery, the consequences of inaction should be enough to compel someone to spend a few hours on the task,” Gayer says.

Linsky’s code is not the first time that someone has proposed a “do-gooder” worm capable of proactively fixing vulnerable IoT devices so they cannot be exploited by malware like Mirai.

Last year, Symantec blogged about a worm it dubbed Linux.Wifatch that compromised tens of thousands of home routers and other Internet-connected consumer products and applied patches on any security vulnerabilities that it discovered in them.

The worm was also designed to shut down telnet on devices it infected so other malware could not take advantage of the service to break into the system.

Linux.Wifatch included one module that appeared designed specifically to protect Dahua brand DVRs and CCTV systems by getting them to reboot once every week to flush out malware that might be running on them.

It even left messages on infiltrated systems informing the owners about shutting down telnet and urging them to implement strong passwords to prevent further compromise.

Such efforts appear to be the result of growing concerns over vulnerable IoT devices and the huge challenge involved in protecting them against malicious takeover and misuse.

A wave of distributed denial-of-service (DDoS) attacks on Domain Name Service provider Dyn that disrupted services at multiple major web properties including Twitter, Reddit, CNN, and others earlier this month hammered home just how effectively threat actors can use vulnerable IoT devices to cause widespread havoc.

In fact, the attacks on Dyn were the third in the last few weeks involving the use of Mirai—an IoT botnet composed of tens of thousands of devices protected only with default usernames and passwords. That same botnet had been used to launch DDoS attacks that were magnitudes greater in size than anything seen before, against the KrebsOnSecurity website and on OVH, a French ISP.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

from Dark Reading – All Stories http://ubm.io/2f1QGeF
via IFTTT