Security expert and writer Brian Krebs was the victim of a distributed denial of service attack that used the Mirai botnet. His site discusses the source code used on the compromised computers, and others have provided analysis of the code. The software is used to infect Internet of Things (IoT) devices. Examples include webcams, DVRs, and other connected devices that don’t have obvious computer interfaces.
The malware accesses victim devices through services such as telnet that often have unchangeable default passwords. I guess the manufacturers are neither reading this blog nor taking Learning Tree’s System and Network Security Introduction. Both are routine topics on this blog and in the course.
I have written about default passwords here repeatedly. My frequent suggestion is to change them immediately. Unfortunately, it appears that isn’t always an option. Some manufacturers have hard-coded the passwords into the devices to simplify configuration and make the devices easier to install and use. That’s a tradeoff we often see in cyber security: ease of use vs. security.
[I had planned on posting a link to the list of passwords Mirai used to compromise its targets, but one reported pair – actually in use or not – contains inappropriate language, so it is left as an exercise for the interested reader to search out the list.] Interestingly, the list of passwords checked includes passwords matching usernames, empty passwords, and passwords from lists of commonly discovered ones (e.g. ‘12345’ and ‘password’).
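The telnet credential guessing described above leaves a recognizable trace on the device side: many failed logins from one source, cycling through several usernames within seconds, sometimes followed by a success. The following Python is an added example (not code from this post, from Krebs, or from any Mirai analysis) that flags that pattern in device logs; the `telnetd: login failed for 'USER' from IP` message format and the sample log lines are constructed assumptions, so adjust `LINE_RE` to whatever your devices actually emit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not from any real device). The message
# format is an assumption; adapt LINE_RE to the format your devices emit.
SAMPLE_LOG = """\
Sep 20 03:14:01 cam-lobby telnetd: login failed for 'root' from 198.51.100.7
Sep 20 03:14:02 cam-lobby telnetd: login failed for 'admin' from 198.51.100.7
Sep 20 03:14:02 cam-lobby telnetd: login failed for 'support' from 198.51.100.7
Sep 20 03:14:03 cam-lobby telnetd: login failed for 'user' from 198.51.100.7
Sep 20 03:14:04 cam-lobby telnetd: login failed for 'guest' from 198.51.100.7
Sep 20 03:14:05 cam-lobby telnetd: login succeeded for 'admin' from 198.51.100.7
Sep 20 03:20:11 cam-lobby telnetd: login failed for 'admin' from 192.0.2.10
Sep 20 04:01:40 cam-lobby telnetd: login failed for 'admin' from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ telnetd: login "
    r"(?P<result>failed|succeeded) for '(?P<user>[^']*)' from (?P<src>\S+)$"
)


def parse_events(log_text, year=2016):
    """Yield (timestamp, source_ip, username, succeeded) for each telnetd login line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line, skip it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["user"], m["result"] == "succeeded"


def detect_credential_guessing(log_text, window_s=60, min_failures=5, min_users=3):
    """Flag sources with many failed telnet logins across several usernames inside
    one sliding window (a fixed default-credential list tried against one target).
    A later success from a flagged source is recorded: that device is likely owned."""
    failures = defaultdict(list)  # src -> [(ts, user), ...] within the window
    findings = {}
    for ts, src, user, ok in sorted(parse_events(log_text)):
        if ok:
            if src in findings:
                findings[src]["success_after_guessing"] = True
            continue
        failures[src].append((ts, user))
        recent = [(t, u) for t, u in failures[src] if ts - t <= timedelta(seconds=window_s)]
        failures[src] = recent  # drop failures that fell out of the window
        users = {u for _, u in recent}
        if len(recent) >= min_failures and len(users) >= min_users:
            f = findings.setdefault(src, {"success_after_guessing": False})
            f["failures"], f["usernames"] = len(recent), sorted(users)
    return findings
```

Two isolated failures forty minutes apart (the 192.0.2.10 lines) stay below the threshold, while the five-username burst followed by a success is reported with `success_after_guessing` set.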
I have no idea about the success rate of the passwords tried by the software. Some may be defaults, and some may be user-set – there is no way to tell.
Most of the compromised IoT devices seem to have been webcams. That’s not necessarily because webcams are the easiest devices to attack, but rather because they are often exposed directly to the Internet without the protection of a firewall. We are back to the security vs. convenience tradeoff. Multiple websites link to unsecured webcams. Insecam is a popular one. I’m not one to spend time watching webcams at laundromats or windmills, but people like to watch pubs and such. Insecam does not include home cams or classroom cams, but some other sites do. I can understand making the camera of a spinning windmill open access, but not one of a child’s room. And those that are open to watching (and some that are not) probably have unsecured access that could be compromised by malware such as Mirai.
You can probably think of more. If you do, please share them with me on Twitter: @jjmcdermott.
To your safe computing,