Mirai Botnet Attacks Likely Pulled Off By Teenagers

The recent Mirai botnet DDoS attacks were the largest on record – and they were likely masterminded by teenagers.

In October, a massive DDoS attack on the Dyn DNS “Managed DNS” infrastructure brought down a number of major websites, including PayPal, Twitter, Amazon, Netflix, and Spotify. The attack was accomplished through the use of the Mirai botnet, a piece of open source malware that works by compromising Internet of Things (IoT) devices and turning them into “zombies.” It was the largest DDoS attack in history, and it illustrated the significant vulnerabilities posed by insecure IoT devices.The recent Mirai botnet DDoS attacks were the largest on record – and they were likely masterminded by teenagers.

In the aftermath of the Mirai attacks, cyber security experts went to work to find out who was behind them. Was this the work of foreign or domestic terrorists? Nation-state hackers? Organized crime groups? Turns out, the largest DDoS attack ever recorded was most likely orchestrated not by organized terror groups or criminal masterminds, but teenagers, Vice News reports:

…[T]he world’s leading cybersecurity experts have been following clues to track who is responsible. They’ve come to a disturbing conclusion: the biggest DDoS attack in history was probably not caused by a state-sponsored actor, organized crime, terror groups, or anyone with a geopolitical or financial motive. So who’s left?

“Kids,” said Mikko Hypponen, chief research officer with security firm F-Secure. “Kids who have the capability and don’t know what to do with it.”

“The source code that was released could have been written by a high school student, a smart high school student, but a high school student nonetheless,” security expert Rob Graham said after examining the malware used in the attacks. “It wasn’t particularly sophisticated.”

The notion that a rank amateur could manage to pull off such a massive cyber attack is not unprecedented. In 2008, a Polish teenager hacked into the tram system of the city of Lodz, Poland, derailing four trains and injuring a dozen people. When questioned by authorities, he claimed that the hack was done as a “prank.”

Anyone can download the source code for Mirai. It’s available online, along with helpful, step-by-step instructions. As the recent DDoS attacks prove, it doesn’t take a computer science degree, the financial backing of a nation-state or terror group, or much skill to use it. This begs the same question that was asked after the Lodz tram debacle: If a high school kid motivated only by the desire to stir things up a bit can do this much damage, what could an organized, skilled, well-funded group of highly motivated cyber terrorists accomplish?

Insecure IoT Devices No Match for Mirai

The Mirai malware takes advantage of a very simple but extremely serious vulnerability that plagues IoT devices, from routers to printers to DVRs: Many, if not most users have never changed the default passwords their devices came with because they don’t know how, they don’t understand why they should, or both. Even in cases where a security-conscious user realizes they need to change their device’s password, they may not be able to; on some devices, the login credentials are hard-coded into the firmware, making it difficult or impossible for end users to change them.

Part of the PCI DSS standards that retailers and credit card processors must follow dictate that no hardware should ever be connected to a network unless its default login credentials have been changed. There are two good reasons for this. First, the majority of data breaches are the result of hackers obtaining legitimate login credentials into a system, and second, manufacturer default passwords are widely available online. The Mirai source code contains 68 user name and password combinations. Since manufacturers often use the same login credentials for multiple devices, just one set could allow a hacker to access hundreds, possibly thousands of devices.

Mirai works by scanning the internet for specific devices, then attempting to access them using manufacturer default credentials. Once Mirai successfully compromises a device, hackers can turn it into a “zombie” – often without the device’s owner even realizing it. Once an army of “zombie” devices has been amassed, it can be used flood specific web servers with so many junk requests that they slow to a crawl or crash.

Mirai DDoS Attacks the “Canary in the Coal Mine” for IoT Security

In the wake of the Mirai attacks, Chinese manufacturer Hangzhou Xiongmai voluntarily recalled its home webcams, and it’s possible more manufacturers will follow suit. However, in light of the serious issues raised by Mirai, much more has to be done. The situation is so bad, and IoT manufacturers have dragged their feet for so long, some experts are now calling for the federal government to step in and regulate IoT security.

If IoT manufacturers do not step up to the plate and clean their own houses, they are setting themselves up not only for onerous government regulations but also cyber attacks that are far more destructive than the Mirai DDoS attacks.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. We offer full-service risk assessment services provided by Lazarus Alliance and our award winning Continuum IRM GRC software to protect companies from data breaches, ransomware attacks, and other cyber threats.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization secure your systems.

[bpscheduler_booking_form]

Cyber Security Due Diligence and the Yahoo Breach

Cyber Security Due Diligence Has Become a Fundamental Part of M&A Transactions

Data breaches and a failure to comply with governmental and industry standards can impact a company in many ways, as Yahoo is finding out the hard way. The company’s recent disclosure of a massive data breach, which resulted in 500 million user accounts being compromised, resulted in multiple class action lawsuits being filed against the company and may trigger a government investigation into why it took so long to disclose the breach.

Cyber Security Due Diligence Has Become a Fundamental Part of M&A Transactions

The Yahoo breach and what it says about cyber security due diligence has also shaken up the mergers and acquisitions (M&A) world, and the hack may have put its planned acquisition by Verizon at risk. CSO Online reports:

Verizon has signaled that Yahoo’s massive data breach may be enough reason to halt its US$4.8 billion deal to buy the internet company.

On Thursday, Verizon’s general counsel Craig Silliman said the company has a “reasonable basis” to believe that the breach involving 500 million Yahoo accounts has had a material impact on the acquisition. This could give the company room to back out or get a large discount.

“We’re looking to Yahoo to demonstrate to us the full impact,” he added. “If they believe that it’s not, then they’ll need to show us that.”

As data breaches, ransomware, DDoS attacks, and other cyber attacks escalate in frequency, severity, and cost, cyber security due diligence has emerged as a serious issue in the M&A sector. Information security issues at an acquisition target could significantly impact a deal’s price, keep the deal from going forward at all, or, if the problems are not detected during the due diligence process, inflict a world of pain on the acquirer company; should its deal to acquire Yahoo go through, Verizon is reportedly planning to put $1 billion in reserve to cover the costs to clean up the breach.

While the Yahoo breach has put cyber security due diligence into the spotlight, scenarios where M&A deals were negatively impacted by cyber security issues have been occurring for some time. A recent survey of senior M&A executives by consulting firm West Monroe Partners, published several months before the Yahoo hack, found the following:

  • 80% of respondents felt cyber security issues were “highly important” to M&A due diligence
  • 40% of acquirers had discovered a cyber security issue at an acquired firm after a deal had gone through
  • 32% of respondents pointed to a lack of qualified personnel involved in the diligence process in recent deals

Respondents also reported that the three most common cyber security problems uncovered during the M&A due diligence process were compliance issues (70%), the lack of a comprehensive data security infrastructure (40%), and vulnerability to insider threats (37%).

What Can Acquirers and Acquisition Targets Do?

The Yahoo hack did not happen out of thin air; it was the result of years of the company repeatedly putting the product user experience ahead of security and refusing to implement even the most basic proactive cyber security measures. Acquisition targets must take their cyber security as seriously as they take their accounting practices. This includes not just protection against breaches but ensuring that the company is compliant with all applicable regulatory and industry standards. Conversely, acquirers must pore over a target company’s cyber security and compliance practices as carefully as they would the company’s books.

Additionally, nearly 1/3 of the respondents to the West Monroe survey complained of a lack of qualified personnel to perform cyber security due diligence. This is not surprising. Cyber security is a complex, dynamic field; new threats and technologies are emerging daily, and most firms do not have the monetary or human resources to handle their own information security in-house. Outside cyber security experts should be involved in the M&A process on both ends. Target companies should have security vulnerability studies conducted before putting themselves on the market, and acquirers must enlist help to perform due diligence during the acquisition process.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call +1 (888) 896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization secure its systems.

Schedule some time with our Superheroes for a Free Assessment!

    Vote Hacking: Could Cyber Criminals “Rig” the Election?

    Vote hacking is a legitimate concern, and election officials need to take it seriously.

    Right alongside immigration, healthcare, and the minimum wage, cyber security has emerged as a major – and contentious – issue in this year’s presidential election. First, the Democratic National Convention’s email server was hacked, and thousands of embarrassing emails were published on WikiLeaks. Now, concerns about vote hacking have arisen in light of breaches of voter databases in Illinois and Arizona, which compromised the personal information of as many as 200,000 voters.

    Vote Hacking: Could Cyber Criminals “Rig” the Election?It’s important to note that these breaches involved state voter databases, not voting machines themselves, and there is no evidence to suggest that cyber criminals have ever managed to breach voting machines. However, between disturbing results from recent studies on voting machine cyber security, including one by Princeton researchers that found some machines to be less secure than iPhones, another study showing that nearly all Americans are “unsettled” about data breaches in general, and GOP candidate Donald Trump suggesting that the election could be “rigged” and encouraging his supporters to “monitor the polls,” American voters are understandably concerned as they prepare to go to the polls.

    The notion that cyber criminals could influence the outcome of an election is a legitimate concern that must be addressed with proactive cyber security.

    How safe are voting machines?

    Unfortunately, not very. Many voting machines are very old, dating back to just after the infamous Bush-Gore race of 2000, when they were – ironically – embraced as an allegedly “safer” and “more accurate” alternative to paper votes. Those claims may have been true when the machines were first built, but voting machines run on computers, and computers need to be updated. Many voting machines never were. Thus, there are situations where voting machines still run antiquated, unsupported systems such as Windows 2000 and XP. Even worse, some machines provide no paper audit trail, which means that allegations of vote hacking can be neither proven nor disproven.

    Some election officials argue that voting machines are generally not connected to the internet, thus enjoying “security through isolation.” But “security through isolation” is no match for a determined cyber criminal; the Stuxnet virus made its way into an air-gapped industrial control system at an Iranian nuclear plant through an infected thumb drive brought into the facility by a malicious insider.

    Others who seek to downplay the possibility of vote hacking point to the logistics of manually installing malware; there are tens of thousands of voting machines across the U.S., and getting to every one of them would be nearly impossible. However, it would not be necessary to compromise every single voting machine in the country to alter the election results. Cyber criminals could focus on swing states, and then hone their targets even further to specific voting districts where the results are expected to be very close.

    Vote hacking isn’t the only way to influence the election or call the results into question.

    Hackers could also choose not to actually hack votes at all, and instead seek to cause enough havoc to discourage some Americans from voting and sow widespread doubt regarding the election results. Cyber criminals could, for example, delete or alter voter registration data, which would prevent some voters from being able to cast ballots. They could also launch Election Night DDoS attacks on polling places that use the internet to verify voter records or hack media feeds and prevent news networks from accessing exit poll information and election returns.

    Election officials need to take proactive cyber security measures immediately.

    A good first step to combat allegations of vote hacking are two bills recently introduced by Rep. Hank Johnson (D-Ga.), the Election Integrity Act of 2016 and the Election Infrastructure and Security Promotion Act of 2016. The first bill would address the cyber security vulnerabilities that make voting machines susceptible to vote hacking by prohibiting the machines from being connected to the internet and requiring regular audits, frequent software updates, and the ability to produce a paper audit trail. The second bill would designate voting machines as part of the nation’s critical infrastructure, which would put them under the authority of the Department of Homeland Security and put them in the same category as the U.S. power grid and water supply.

    However, cyber security efforts cannot stop with voting machines; voter databases and polling places must be secured. Since election officials are not information security experts, the help of qualified cyber security experts should be sought to identify and patch vulnerabilities. In this volatile political climate, the integrity of our electoral system is a matter of national security. If American voters refuse to accept the legitimacy of November’s election results, irreparable damage could be done to our nation. Time is short, and election officials need to act immediately to secure voting machines, voter databases, and polling places, and reassure a nervous voting public.

    The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from internal threats and external security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

    Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization secure its systems.

    [bpscheduler_booking_form]