"War on the internet" or "Why we can't have nice things"


    It's not all war (as in sovereign state versus sovereign state, or non-state actor versus sovereign state); in fact most of it is individuals, small illicit networks, or small politically motivated networks possibly acting as proxies.

    But there have been some substantial (new records in attack size) DDOS (Distributed Denial Of Service) attacks being conducted recently:

    http://www.wsj.com/articles/denial-o...ers-1477056080

    http://www.nytimes.com/2016/10/22/bu...tack.html?_r=0

    https://www.washingtonpost.com/news/...nfrastructure/

    Brian Krebs provides some of the best coverage on the topic, as well as his site being the victim of the last largest DDOS attack (a few weeks ago):

    http://krebsonsecurity.com/

    I coincidentally met with an old friend yesterday who runs a large security firm that both manufactures and resells IP based security camera and sensor systems which would fall under the "internet of things".

    They've also been hit with ransomware recently. 1 of 3 companies I personally know of that have been hit this year.

    He told me vulnerabilities in off-the-shelf IP security camera and sensor networks are resulting in their illicit use for both bitcoin mining (and cooking processors) and as botnet attack arrays.

    The unintended use, and consequences, of "internet of things" devices seems like a considerable and growing problem.

    What is also a growing problem is the broad dissemination of penetration and surveillance tools.

    "Hacking" is becoming increasingly democratised where even people with very limited technical skills can fairly easily intercept and exploit personal details and accounts.

    -----

    On the information operations/propaganda side of the house here's one of the very best and balanced perspectives that I've found:

    https://lageneralista.com/

    specifically:

    https://lageneralista.com/mutuallyas...aldestruction/

    https://lageneralista.com/why-the-we...ropaganda-war/

    -----

    While many would think the "Wild West" period of the internet is largely over, I would suggest we are seeing Wild West 2.0 with the advent of:

    1) "internet of things" speed of product development/launch leading to vulnerabilities across very large deployed numbers.

    2) declining cooperation (between Russia and the US-led West) could see declining support for international law enforcement/IP theft prevention cooperation in a resurgent Cold War with a commercial component (how hard is it to look the other way if domestic illicit networks attack the profits of your opponent?)

  • #2
    Re: "War on the internet" or "Why we can't have nice things"

    i heard someone suggest that the u.s. take down the russian electric grid. no doubt that would end all cyberhostilities at little risk to the u.s.. duh.

    it would seem that the botnets that reside in e.g. ip connected cameras will only be prevented by regulation that requires some form of strong security in all such "things" sold in this country. this is another instance of a market failure that will only be corrected by regulatory action.

    the current ddos attack is actually a useful wake up call. if the cost is having a tough time accessing twitter for a while, it seems well worth it if it leads to proper security measures being implemented. i shudder to think of the consequences of e.g. an attack on the u.s. grid.

    the most effective cyberattack of which i'm aware is still stuxnet, in which an attack occurs and achieves its goals without creating any awareness that it is even underway.
    Last edited by jk; October 22, 2016, 07:03 AM.


    • #3
      Re: "War on the internet" or "Why we can't have nice things"

      Originally posted by jk
      i heard someone suggest that the u.s. take down the russian electric grid. no doubt that would end all cyberhostilities at little risk to the u.s.. duh.

      it would seem that the botnets that reside in e.g. ip connected cameras will only be prevented by regulation that requires some form of strong security in all such "things" sold in this country. this is another instance of a market failure that will only be corrected by regulatory action.

      the current ddos attack is actually a useful wake up call. if the cost is having a tough time accessing twitter for a while, it seems well worth it if it leads to proper security measures being implemented. i shudder to think of the consequences of e.g. an attack on the u.s. grid.

      the most effective cyberattack of which i'm aware is still stuxnet, in which an attack occurs and achieves its goals without creating any awareness that it is even underway.
      It's not just periodically connected cameras, we now have things like "smart" refrigerators that are pretty well always connected and always on the net, and apparently these types of devices serve as highly vulnerable access points.


      • #4
        Re: "War on the internet" or "Why we can't have nice things"

        Originally posted by GRG55
        It's not just periodically connected cameras, we now have things like "smart" refrigerators that are pretty well always connected and always on the net, and apparently these types of devices serve as highly vulnerable access points.
        they ALL need mandatory strong security.


        • #5
          Re: "War on the internet" or "Why we can't have nice things"

          Originally posted by jk
          i heard someone suggest that the u.s. take down the russian electric grid. no doubt that would end all cyberhostilities at little risk to the u.s.. duh.

          it would seem that the botnets that reside in e.g. ip connected cameras will only be prevented by regulation that requires some form of strong security in all such "things" sold in this country. this is another instance of a market failure that will only be corrected by regulatory action.

          the current ddos attack is actually a useful wake up call. if the cost is having a tough time accessing twitter for a while, it seems well worth it if it leads to proper security measures being implemented. i shudder to think of the consequences of e.g. an attack on the u.s. grid.

          the most effective cyberattack of which i'm aware is still stuxnet, in which an attack occurs and achieves its goals without creating any awareness that it is even underway.
          Two worth mentioning are:

          Russian-based DDOS attack on Estonia in 2007 was a bit of a wake-up call for some (Estonia and NATO as an org, not as member countries). Estonia is often called the first "e-nation" or "digital nation".

          Last December Ukrainian electrical utility infrastructure was successfully attacked leading to a broad but temporary blackout:

          https://ics-cert.us-cert.gov/alerts/...RT-H-16-056-01

          https://www.wired.com/2016/03/inside...es-power-grid/

          -----

          The good news with attacks like Stuxnet is that they are exceptionally expensive and well customised to each highly specific target's attack surface.

          Unlike the movies/TV, Stuxnet can't be directly used to meltdown a nuclear reactor with the push of a button (although the tools used to deliver Stuxnet can be re-engineered for evil until zero day vulnerabilities are mitigated).

          So thankfully Stuxnet is not like a general purpose military bomb.

          Although large populations of unfixable connected IP devices will continue to act as easily targetable weapons of disruption.

          -----

          I would imagine that if the benign internet of things is to blossom, regulation would be required.

          Maybe an Underwriters Limited (UL) type of certification as found on consumer electronics.

          Maybe also liability for owner/installer of non certified IP devices.

          -----

          In my opinion, US/Western relations with Russia souring to the point of zero enforcement of cross border IP theft and internet crime alone will lead to a return to the 1970's-1980's Cold War climate with new digital versions of Weather Underground, Action Directe, Baader-Meinhof, Red Army Faction, anti-nuclear rallies, and Solidarity... both independent and proxy.


          • #6
            Re: "War on the internet" or "Why we can't have nice things"

            Originally posted by lakedaemonian
            Unlike the movies/TV, Stuxnet can't be directly used to meltdown a nuclear reactor with the push of a button (although the tools used to deliver Stuxnet can be re-engineered for evil until zero day vulnerabilities are mitigated).

            So thankfully Stuxnet is not like a general purpose military bomb.

            The objective of stuxnet isn't to meltdown a nuclear reactor. That's not the objective of any government. But there's nothing to stop a terrorist organization of the future from creating a malware that can do that by making the sensors malfunction, resulting in a meltdown.

            http://www.bbc.com/news/world-europe-13592208


            • #7
              Re: "War on the internet" or "Why we can't have nice things"

              Originally posted by touchring
              The objective of stuxnet isn't to meltdown a nuclear reactor. That's not the objective of any government. But there's nothing to stop a terrorist organization of the future from creating a malware that can do that by making the sensors malfunction, resulting in a meltdown.

              http://www.bbc.com/news/world-europe-13592208
              Of course, Stuxnet was specifically designed to infect PLCs on Iranian centrifuges and physically destroy them.

              But sadly, the media have far too often portrayed the sabotage of very complex targets by hacking as one size fits all, quick, and easy. Which, like war movies, feeds highly inaccurate public perceptions of how it actually works.

              It's the kind of effort that requires extremely detailed planning and reconnaissance, a broad/deep diversity of skill set, and enough of an attack surface to execute and exploit a successful attack.

              Certainly possible for committed sovereign states with the capability (human & cash capital) and the desire to commit the considerable resources required. Stuxnet would have cost a fortune, but the cost of simpler/easier attacks is collapsing quickly.

              Surreptitiously encrypting files via spearphishing ransomware for profit or just stealing photos/emails/files by the same methodology is a HUGE difference from the many layered and far more complex and highly customised job of something like a Stuxnet type attack.

              So I would agree it's possible significant and complex infrastructure sabotage from hacking could occur, but I think the high requirements in human & $ capital for highly customised/individualised attacks would preclude it coming from small and poorly resourced entities.

              The worst we've seen so far beyond Stuxnet that I'm aware of is:

              The Shamoon spearphishing malware at Aramco in 2012 (following Stuxnet) that bricked up to 35,000 PCs/drives. There's a good chance that was state sponsored by Iran, but it's possible it could have been executed by another enemy of the Saudi regime. If Stuxnet is a 10, this would be a 2 or a 3 in terms of sophistication and complexity of attack.

              The Ukrainian electricity utility attack a year ago used a number of existing attack methodologies in complex and mutually supportive ways that indicate a very high level of detailed planning, training, and coordination placing it a bit higher on that 1 to 10 Stuxnet scale than the Shamoon malware spearphishing attack.

              Hopefully, sovereign states don't go off the rails with future cyber attacks.

              While I could imagine politically motivated individuals and groups wanting to conduct high profile attacks, I reckon that less broad/deep cyber attack capabilities would be better applied towards cyber crime for revenue generation.

              Low Risk, Low & Narrow Skill, Medium Reward

              over

              High Risk, High & Broad Skill, High Reward


              • #8
                Re: "War on the internet" or "Why we can't have nice things"

                Originally posted by jk
                they ALL need mandatory strong security.
                They all need it but how many are ever going to get it? I wouldn't hold my breath based on the race-to-zero behavior of the corporations. Many of the companies would be far better off not making the control systems of their appliances inaccessible through a network. How many people really care whether they can control or monitor their refrigerators over the Internet?

                Meanwhile, it seems the culprit used as the instrument of the massive DDOS attacks is a Chinese-made CCTV camera. Cough syrup in a base of diethylene glycol instead of glycerine, melamine "enhanced" milk and other food products, lethally dangerous counterfeit chargers, and now cameras that are actually a malware platform with an embedded camera control system. I wonder if the countries addicted to cheap sh*t such as the U.S. will ever do anything to ban the importation of this garbage.

                From Bloomberg, "Chinese Firm Says Its Cameras Used To Take Down Internet":
                The attackers hijacked CCTV cameras made by Hangzhou Xiongmai Technology Co. using malware known as Mirai, the company said in an e-mailed statement. While Xiongmai didn’t say how many of its products had been infiltrated, all cameras made before September 2015 were potentially vulnerable.

                I can hardly wait for Chinese medical devices to be sold in the U.S.!


                • #9
                  Re: "War on the internet" or "Why we can't have nice things"

                  Originally posted by Milton Kuo
                  They all need it but how many are ever going to get it? I wouldn't hold my breath based on the race-to-zero behavior of the corporations. Many of the companies would be far better off not making the control systems of their appliances inaccessible through a network. How many people really care whether they can control or monitor their refrigerators over the Internet?

                  Meanwhile, it seems the culprit used as the instrument of the massive DDOS attacks is a Chinese-made CCTV camera. Cough syrup in a base of diethylene glycol instead of glycerine, melamine "enhanced" milk and other food products, lethally dangerous counterfeit chargers, and now cameras that are actually a malware platform with an embedded camera control system. I wonder if the countries addicted to cheap sh*t such as the U.S. will ever do anything to ban the importation of this garbage.

                  From Bloomberg, "Chinese Firm Says Its Cameras Used To Take Down Internet":
                  The attackers hijacked CCTV cameras made by Hangzhou Xiongmai Technology Co. using malware known as Mirai, the company said in an e-mailed statement. While Xiongmai didn’t say how many of its products had been infiltrated, all cameras made before September 2015 were potentially vulnerable.

                  I can hardly wait for Chinese medical devices to be sold in the U.S.!
                  the solution must be regulatory but as you point out the problem is global so it's doubtful u.s. regulation will do it. even if the u.s. bans importation of non-secure devices, we can't ban their internet traffic without building a great firewall of our own, which would bring with it a raft of other problems.


                  • #10
                    Re: "War on the internet" or "Why we can't have nice things"

                    It seems to me there is a qualitative difference between IOT devices running embedded firmware, and general purpose computers intended to load and run software and apps.
                    Firmware devices seem easier to protect once we decide to do it.

                    Right now all our IOT devices are wide open and subject to a stuxnet-style firmware attack, but it seems fairly easy to design around that using things like switches in the data lines, fuse and anti-fuse bits, or read-only memory.
                    Since most widgets are rarely upgraded for new firmware, those techniques are more acceptable.
                    Until now designers have been naive and left things open for convenience, intentionally making it easy to get into the device.
                    Ease of upgrade has been a feature to brag about, so there was no need to try at all to secure a device like a temperature controller or a motor drive unit.

                    I suppose we should expect some hacks against things we have unprotected right now. Smart tvs. Security cams. Set-top boxes.
                    My nice TV is always on the web and able to upgrade its firmware whenever it finds one available, and it has upgraded itself a few times, not even letting me know it has done so.
                    One can imagine a hacked TV firmware upgrade that shuts down or disables my TV, or even burns out hardware.

                    lakedaemonian makes a good point that hacking any device is a lot of trouble, and the internal details of industrial equipment or consumer firmware devices are far harder to know and understand.
                    The details of working with MS Windows or OSX are widely known and published, but the internal working of your Samsung smart refrigerator is proprietary.
                    Only the designers in that department at Samsung understand it, and if it is documented at all, it's probably awful documentation.
                    Even those scattered and poor documents are not available to you or me or any random hacker.


                    • #11
                      Re: "War on the internet" or "Why we can't have nice things"

                      Originally posted by thriftyandboringinohio
                      It seems to me there is a qualitative difference between IOT devices running embedded firmware, and general purpose computers intended to load and run software and apps.
                      Firmware devices seem easier to protect once we decide to do it.
                      One thing I have noticed since the turn of the millennium (ever since Chinese garbage started flooding the U.S.) is that the control systems of devices are a lot more fragile. Back in the day before China was granted MFN status, I never remember having a CD player or a DVD player lock up on me. However, with the Chinese-made junk, I have seen DVD players get into a state where none of the buttons (Play, FF, REW, or eject) work. Even pressing the power button to "power off" the device and then pressing the power button again to power the device back on does not reset the state of the device since the power button puts the device into a soft power off mode. It was only possible to get the player working again by unplugging it from the wall, waiting a few seconds to allow the capacitors to discharge, plugging the player back in, and then pressing the power button.

                      I believe the cause of the above is that there is no real custom firmware due to the cost and expertise required to develop such a thing. Instead, dollars to doughnuts, it is some stripped-down Linux distro with some software (written by very inexperienced developers) slapped on to it to serve as a control system for a media player.

                      Originally posted by thriftyandboringinohio
                      lakedaemonian makes a good point that hacking any device is a lot of trouble, and the internal details of industrial equipment or consumer firmware devices are far harder to know and understand.
                      The details of working with MS Windows or OSX are widely known and published, but the internal working of your Samsung smart refrigerator is proprietary.
                      Only the designers in that department at Samsung understand it, and if it is documented at all, it's probably awful documentation.
                      Even those scattered and poor documents are not available to you or me or any random hacker.
                      It's very likely that many of those devices manufactured by companies are running some variant of Linux so vulnerabilities are relatively easy to find and exploit. Other exploits that exist may be through Linux services that are not needed by the appliance but still enabled due to incompetence on the part of the manufacturer. Finally, the custom software developed for the device could be poorly written and full of security vulnerabilities. Just search for the various reports of nasty security holes in wireless routers.

                      I would not trust putting a Samsung network-enabled refrigerator on the Internet as I suspect that Samsung uses some variant of Linux that has vulnerabilities just waiting to be exploited by someone who cares to put forth a bit of effort.


                      • #12
                        Re: "War on the internet" or "Why we can't have nice things"

                        Originally posted by jk
                        the solution must be regulatory but as you point out the problem is global so it's doubtful u.s. regulation will do it. even if the u.s. bans importation of non-secure devices, we can't ban their internet traffic without building a great firewall of our own, which would bring with it a raft of other problems.

                        Establishing the security and safety of even modestly complex code is daunting.
                        Back around 1990 a major railroad hired us to scrub some software in a track side controller that had a documented failure.
                        There was no question the device had failed spectacularly in a way that would have literally wrecked a train, only dumb luck avoided the accident.

                        Our team had the full cooperation of the controller manufacturer who sent us all the source code, drawings, specs, and even made their engineers available to discuss the details.
                        We went through it all line-by-line and analyzed the hardware circuits to the chip level.
                        Nada. Nothing. We could not identify any plausible explanation for the event that actually occurred.

                        I have little hope that microprocessor controlled devices can ever be examined by some regulator and found OK if the manufacturer is trying hard to avoid being caught.
                        If a manufacturer is hiding problems in a pacemaker or dialysis machine, an autopilot or an engine controller, regulatory people won't spot it.

                        There are reports recently of removable SD memory for cameras and phones being counterfeited.
                        The chips are stamped and labeled as 64GB or 128GB but are actually only 8GB.
                        The firmware in the memory has been falsified so when interrogated the SD card replies it is a 128GB device when it really only has 8GB.
                        Here's an article at IEEE about the issue http://www.eetimes.com/document.asp?doc_id=1326059
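
The capacity misreporting described in this post can be caught by filling the whole advertised range with per-block patterns and only then reading them back. This is an added example, not part of the original post; `SimulatedCard`, its "wrap" and "discard" behaviours and the block counts (256 advertised, 16 real, the same 16:1 ratio as 128GB vs 8GB) are constructed stand-ins for a real device.

```python
import hashlib
import os

BLOCK = 512  # bytes per simulated block


class SimulatedCard:
    """Constructed stand-in for a flash card (not a real device API).

    It advertises `advertised` blocks but stores only `real` of them.
    Assumed fake behaviours: "wrap" aliases high addresses onto low ones,
    "discard" silently drops writes beyond the real capacity.
    """

    def __init__(self, advertised, real, mode="wrap"):
        self.advertised, self.real, self.mode = advertised, real, mode
        self._store = {}

    def _physical(self, lba):
        # Map a logical block address to the cell that really backs it.
        if lba < self.real:
            return lba
        return lba % self.real if self.mode == "wrap" else None

    def write(self, lba, data):
        phys = self._physical(lba)
        if phys is not None:
            self._store[phys] = data

    def read(self, lba):
        # Unbacked or never-written blocks read as erased flash (0xFF).
        return self._store.get(self._physical(lba), b"\xff" * BLOCK)


def pattern(nonce, lba):
    """Block content unique to each address and unpredictable per run."""
    seed = hashlib.sha256(nonce + lba.to_bytes(8, "big")).digest()
    return seed * (BLOCK // len(seed))


def naive_check(card):
    """Write a block and read it straight back. Aliasing defeats this,
    because the block just written is always the one returned."""
    nonce = os.urandom(16)
    for lba in range(card.advertised):
        card.write(lba, pattern(nonce, lba))
        if card.read(lba) != pattern(nonce, lba):
            return False
    return True


def full_verify(card):
    """Fill the entire advertised range first, then read everything back.

    Returns how many blocks still hold their own pattern; on a fake card
    this collapses to the real capacity.
    """
    nonce = os.urandom(16)
    for lba in range(card.advertised):
        card.write(lba, pattern(nonce, lba))
    return sum(card.read(lba) == pattern(nonce, lba)
               for lba in range(card.advertised))


def is_counterfeit(card):
    return full_verify(card) < card.advertised


if __name__ == "__main__":
    cards = {
        "genuine": SimulatedCard(256, 256),
        "fake (wrap)": SimulatedCard(256, 16, "wrap"),
        "fake (discard)": SimulatedCard(256, 16, "discard"),
    }
    for label, card in cards.items():
        print(f"{label}: {full_verify(card)} of {card.advertised} blocks intact")
```

The write-everything-then-read ordering is the important part: the immediate read-back in `naive_check` passes on the aliasing card even though fifteen sixteenths of its advertised space does not exist.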


                        • #13
                          Re: "War on the internet" or "Why we can't have nice things"

                          Originally posted by Milton Kuo
                          One thing I have noticed since the turn of the millennium (ever since Chinese garbage started flooding the U.S.) is that the control systems of devices are a lot more fragile. ...
                          I see that too.
                          Even the firmware in my Hyundai Sonata is a bit glitchy.
                          Sometimes my iPhone syncs up right with the car, sometimes it doesn't.
                          When a certain sequence of opening the door and turning off the car occurs, the car alarm bell rings and the only way to make it stop is restarting the car and doing things again in the expected sequence.
                          I live with it.


                          • #14
                            Re: "War on the internet" or "Why we can't have nice things"

                            I wonder if a higher legal duty of care on the part of manufacturers, distributors, resellers, and commercial consumers of internet of things technology would provide momentum towards a better security focused environment?

                            If tangible damages can be determined by malignant use of IoT device attack arrays, could a class action lawsuit be brought against IoT device owners and further upstream?

                            Does it equate to leaving a loaded firearm lying out in public view with a neon sign pointed towards it?


                            • #15
                              Re: "War on the internet" or "Why we can't have nice things"

                              Originally posted by lakedaemonian


                              ...Does it equate to leaving a loaded firearm lying out in public view with a neon sign pointed towards it?
                              That's a good idea.
                              The attractive nuisance doctrine might be a good tool to go after manufacturers and sellers of devices that are too easy to infect.

                              The news is full of reports right now about the DDoS attack in September that used perhaps a million web connected cameras, turning them into bots to attack and overwhelm servers.
                              Here's an article http://motherboard.vice.com/read/15-...et-brian-krebs
