
SoylentNews is people

posted by martyb on Friday October 14 2016, @06:22AM
from the fast-forwarding? dept.

Millions of IoT devices have already been compromised and abused for distributed denial-of-service (DDoS) attacks and millions more are affected by critical vulnerabilities that make them an easy target for malicious actors.

While in many cases attackers hack IoT devices and leverage them to conduct attacks directly, researchers at Akamai have come across a different type of mass attack in which the compromised systems are used as proxies that route malicious traffic.

These attacks, dubbed by Akamai SSHowDowN Proxy attacks, have abused vulnerable CCTV, NVR, DVR, networking, storage and satellite antenna equipment to conduct HTTP-based credential stuffing campaigns. The breached devices are also used as an entry point to the internal networks that house them.

Read more at SecurityWeek.com


  • (Score: 2) by LoRdTAW on Friday October 14 2016, @04:55PM

  • (Score: 3, Informative) by stormwyrm on Monday October 17 2016, @12:39AM

    Rob Pike, while right behind Ken Thompson and Dennis Ritchie in the Unix pantheon, hasn't really made a name for himself in the realm of cryptography and security. There is a reason why cryptographic protocols like SSH are designed to support a plethora of authentication and encryption methods: there is a small but distinct possibility that mathematical or technological advancements will render any of them insecure. The same reason applies to why there is no one guaranteed protocol for authentication and encryption that one can always use as a fallback. If we had such a thing, what would we choose? The posts were written in 2001, so would you have as fallback RSA and Blowfish or 3DES maybe? (There was no official AES yet back then.) What if someday a smart mathematician publishes a proof that it is possible to factor numbers in polynomial time, or that the RSA problem is not really equivalent to factoring and there is a short-cut, or if engineering advances lead to practical quantum computers? RSA is then completely broken, but since support for it is guaranteed by the notional protocol, everyone using the notional SSH is an instant MITM target, with no way to remove or disable the algorithm that makes it possible. Version downgrade attacks have long been a staple of the security penetrator's toolkit. People complain about how complicated SSH and SSL/TLS are but don't realise that no complexity is added to these protocols by their designers without a strong security rationale. As I have mentioned in another post, many people underestimate how difficult it is to design a secure cryptographic protocol. The designers of the CIPE, VTUN, and TINC VPN systems designed simple protocols in reaction to what they perceived as the baroque complexity of SSH/SSL/TLS, and as a result designed protocols that were so simple that they were easily breakable.
    --
    Numquam ponenda est pluralitas sine necessitate.
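
The trade-off argued in the comment above, as an added example that is not part of the original post or of any SSH implementation: a negotiated algorithm list can drop a broken cipher and fail closed, while a protocol with a guaranteed fallback cannot. The sample lists, the function names and the choice of `3des-cbc` as the "later broken" algorithm are assumptions made for illustration.

```python
# Added illustration; the "notional" fallback protocol is hypothetical.
from typing import Iterable, List, Optional, Sequence


def negotiate(client: Sequence[str], server: Sequence[str]) -> Optional[str]:
    """SSH rule for ciphers (RFC 4253, section 7.1): pick the first name on
    the client's list that the server also supports. None means the two
    sides have nothing in common and the connection must be refused."""
    server_set = set(server)
    for name in client:
        if name in server_set:
            return name
    return None


def negotiate_with_fallback(client: Sequence[str], server: Sequence[str],
                            fallback: str) -> str:
    """Notional design: one algorithm is guaranteed by the protocol itself,
    so it is selected whenever nothing else matches, whatever policy says."""
    return negotiate(client, server) or fallback


def apply_policy(offered: Iterable[str], disabled: Iterable[str]) -> List[str]:
    """Administrator policy: stop offering algorithms considered broken."""
    blocked = set(disabled)
    return [name for name in offered if name not in blocked]


# Constructed sample data (SSH-style cipher names).
CLIENT = ["aes128-ctr", "blowfish-cbc", "3des-cbc"]
LEGACY_SERVER = ["3des-cbc"]   # peer that only speaks one cipher
BROKEN = {"3des-cbc"}          # assumption: this cipher is later found insecure


def demo():
    before = negotiate(CLIENT, LEGACY_SERVER)
    client_now = apply_policy(CLIENT, BROKEN)
    server_now = apply_policy(LEGACY_SERVER, BROKEN)
    # Agile protocol: the broken cipher is gone, so the handshake fails closed.
    agile = negotiate(client_now, server_now)
    # Guaranteed fallback: policy was applied, yet the broken cipher is still chosen.
    fixed = negotiate_with_fallback(client_now, server_now, fallback="3des-cbc")
    return before, agile, fixed


if __name__ == "__main__":
    print(demo())
```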