- Researchers hack Philips Hue smart bulbs from the sky. From PC World.
Security researchers in Canada and Israel have discovered a way to take over the Internet of Things (IoT) from the sky.
Okay, that’s a little dramatic, but the researchers were able to take control of some Philips Hue lights using a drone. Based on an exploit for the ZigBee Light Link Touchlink system, white hat hackers were able to remotely control the Hue lights via drone and cause them to blink S-O-S in Morse code.
- Your home’s online gadgets could be hacked by ultrasound. From New Scientist. This may have happened to you. You idly browse a pair of shoes online one morning, and for the rest of the week, those shoes follow you across the Internet, appearing in adverts across the websites you visit.
But what if those ads could pop out of your browser and hound you across different devices? This is the power of ultrasound technology, says Vasilios Mavroudis at University College London – and it offers a whole new way in for hacking attacks and privacy invasions. He and his colleagues will spell out their concerns at next week’s Black Hat cybersecurity conference in London.
- What IoT (and Security) Needs to Learn From the DeWalt Mitre Saw. From SANS Security Awareness Blog. I recently purchased my first power tool ever, a DeWalt Compound Mitre Saw, an intimidating piece of machinery that can not only rip through huge pieces of wood, but potentially chop your hand/arm clean off. As such I was very nervous when I received it, to include reading through the safety manual several times and numerous YouTube videos. Once I had reviewed everything and started playing with this tool, I came to an amazing realization. This device is so well designed from a safety perspective that I would have to try really hard to harm myself. Even better I did not have to really think about all the safety measures as they were built into the device, they were designed to work with me, not against me. I list some of the key safety features that impressed me at the bottom but something else really hit home for me. Why are we struggling so hard to do the same for security? Right now IoT is one of our biggest security challenges, with millions of IoT devices being used for DDoS attacks. The challenge? People are not changing the default passwords. Our community's response? Security professionals around the world are lamenting why people are so stupid/lazy as not to change the default passwords.
- Hacked Cameras, DVRs Powered Today’s Massive Internet Outage. From KrebsOnSecurity.
A massive and sustained Internet attack that has caused outages and network congestion today for a large number of Web sites was launched with the help of hacked “Internet of Things” (IoT) devices, such as CCTV video cameras and digital video recorders, new data suggests.
Earlier today cyber criminals began training their attack cannons on Dyn, an Internet infrastructure company that provides critical technology services to some of the Internet’s top destinations. The attack began creating problems for Internet users reaching an array of sites, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix.
- Mirai IoT DDoS Trojan Now Targets Cellular Network Equipment. From Softpedia.
Sierra Wireless, one of the biggest hardware manufacturers of mobile equipment, issued an alert yesterday, warning customers not to use default passwords with their devices as they might be at risk of infection from the infamous Mirai malware.
The company says that Airlink wireless routers and gateways deployed with 3G and 4G LTE cellular networks are at risk.
Sierra says that network operators that use these devices across their infrastructure, and are using them with their default credentials are at risk of having the devices taken over and employed in DDoS attacks.
- IoT Devices as Proxies for Cybercrime. From KrebsOnSecurity. Multiple stories published here over the past few weeks have examined the disruptive power of hacked “Internet of Things” (IoT) devices such as routers, IP cameras and digital video recorders. This post looks at how crooks are using hacked IoT devices as proxies to hide their true location online as they engage in a variety of other types of cybercriminal activity — from frequenting underground forums to credit card and tax refund fraud.
- We Need to Save the Internet from the Internet of Things. From Motherboard.
Brian Krebs is a popular reporter on the cybersecurity beat. He regularly exposes cybercriminals and their tactics, and consequently is regularly a target of their ire. Last month, he wrote about an online attack-for-hire service that resulted in the arrest of the two proprietors. In the aftermath, his site was taken down by a massive DDoS attack.
In many ways, this is nothing new. Distributed denial-of-service attacks are a family of attacks that cause websites and other internet-connected systems to crash by overloading them with traffic. The “distributed” part means that other insecure computers on the internet—sometimes in the millions—are recruited to a botnet to unwittingly participate in the attack. The tactics are decades old; DDoS attacks are perpetrated by lone hackers trying to be annoying, criminals trying to extort money, and governments testing their tactics. There are defenses, and there are companies that offer DDoS mitigation services for hire.
- Source Code for IoT Botnet ‘Mirai’ Released. From KrebsOnSecurity.
The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.
The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.
- Latest IoT DDoS Attack Dwarfs Krebs Takedown At Nearly 1Tbps Driven By 150K Devices. From HotHardware. If you thought that the massive DDoS attack earlier this month on Brian Krebs’ security blog was record-breaking, take a look at what just happened to France-based hosting provider OVH. OVH was the victim of a wide-scale DDoS attack that was carried out via a network of over 152,000 IoT devices. According to OVH founder and CTO Octave Klaba, the DDoS attack reached nearly 1 Tbps at its peak. Of those IoT devices participating in the DDoS attack, they were primarily comprised of CCTV cameras and DVRs. Many of these types of devices’ network settings are improperly configured, which leaves them ripe for the picking for hackers that would love to use them to carry out destructive attacks.
- Why the silencing of KrebsOnSecurity opens a troubling chapter for the ‘Net. From Ars Technica.
For the better part of a day, KrebsOnSecurity, arguably the world’s most intrepid source of security news, has been silenced, presumably by a handful of individuals who didn’t like a recent series of exposés reporter Brian Krebs wrote. The incident, and the record-breaking data assault that brought it on, open a troubling new chapter in the short history of the Internet.
The crippling distributed denial-of-service attacks started shortly after Krebs published stories stemming from the hack of a DDoS-for-hire service known as vDOS. The first article analyzed leaked data that identified some of the previously anonymous people closely tied to vDOS. It documented how they took in more than $600,000 in two years by knocking other sites offline. A few days later, Krebs ran a follow-up piece detailing the arrests of two men who allegedly ran the service.