
posted by on Wednesday May 03 2017, @03:00PM
from the Using-1337-powers-for-good dept.

An Ars Technica story from 17 April, 2017 introduced us to Hajime, the vigilante botnet that infects IoT devices before blackhats can hijack them. A technical analysis published Wednesday reveals for the first time just how much technical acumen went into designing and building the renegade network, which just may be the Internet's most advanced IoT botnet.

Hajime [PDF] was first reported on in October 2016 by Sam Edwards and Ioannis Profetis, security researchers at Rapidity Networks, a Boulder, CO-based ISP.

As previously reported, Hajime uses the same list of user name and password combinations used by Mirai, the IoT botnet that spawned several record-setting denial-of-service attacks last year. Once Hajime infects an Internet-connected camera, DVR, or other Internet-of-things device, the malware blocks access to four ports known to be the most widely used vectors for infecting IoT devices. It also displays a cryptographically signed message on infected device terminals that describes its creator as "just a white hat, securing some systems."

Not your father's IoT botnet

But unlike the bare-bones functionality found in Mirai, Hajime is a full-featured package that gives the botnet reliability, stealth, and resilience that's largely unparalleled in the IoT landscape. Wednesday's technical analysis, which was written by Pascal Geenens, a researcher at security firm Radware, makes clear that the unknown person or people behind Hajime invested plenty of time and talent.

From the Ars Technica piece:

Hajime uses a decentralized peer-to-peer network to issue commands and updates to infected devices. This design makes it more resistant to takedowns by ISPs and Internet backbone providers. Hajime uses the same list of user name and password combinations Mirai uses, with the addition of two more. It also takes steps to conceal its running processes and files, a feature that makes detecting infected systems more difficult. Most interesting of all: Hajime appears to be the brainchild of a grayhat hacker, as evidenced by a cryptographically signed message it displays every 10 minutes or so on terminals. The message reads:

Just a white hat, securing some systems.
Important messages will be signed like this!
Hajime Author.
Contact CLOSED
Stay sharp!

Another sign Hajime is a vigilante-style project intended to disrupt Mirai and similar IoT botnets: It blocks access to four ports known to be vectors used to attack many IoT devices. Hajime also lacks distributed denial-of-service capabilities or any other attacking code except for the propagation code that allows one infected device to seek out and infect other vulnerable devices.

Is it right for geeks to use their powers in this way?


  • (Score: 4, Interesting) by DannyB (5839) on Wednesday May 03 2017, @04:12PM (#503724) (2 children)

    Once again I'll repeat my thesis that the liability for all damages caused by hacked IoT devices should be upon the manufacturer of that hacked device.

    It shifts the costs from the victims to where they should be. It puts the right incentives in place. The manufacturer is suddenly going to invest in security. No more default passwords or moving telnet to a non-standard port for 'security'.

    IoT devices could be much more secure. Start (but don't finish) by looking at what you would have to do to obtain PCI compliance to handle credit card information. They already have tons of publications. If people can and do that already for servers, networks and remote terminals, then IoT could do likewise. They would just have to invest in security.

    But people might complain that this makes IoT devices too expensive? Really? So should the victims of hackable IoT devices bear the costs? Maybe if it is too expensive, then maybe your toaster shouldn't have an internet connection to a cloud server.

    Manufacturers might work together toward common secure Linux distributions / configurations that they (and we) could all share. Spread the costs.

    I'm not asking for regulations from the government. Just putting the financial liability upon manufacturers. I'm not asking that IoT devices have to conform to some standard test. Nor get some kind of certification. Just secure your IoT devices before selling them. If your devices get hacked and cause damages you have to pay for, then you didn't do a good enough job.

    --
    The lower I set my standards the more accomplishments I have.
  • (Score: 2) by bob_super (1357) on Wednesday May 03 2017, @05:41PM (#503788) (1 child)

    We make a big deal, and get recalls, when cars are unsafe...
    Anyone making an IoT blender, since blood is what draws lawyers in and causes companies to act?

    • (Score: 2) by DannyB (5839) on Wednesday May 03 2017, @06:37PM (#503824)

      What if the damage is from a botnet of IoT devices? What if a million IoT thermostats brought down, say, a regional power grid? Would that get lawyers and companies to act? Shouldn't the IoT manufacturer have liability?

      What if an IoT security camera in a facility was the beachhead used to hop systems and networks and cause a nuclear power plant meltdown? Would anyone take it seriously then?

      --
      The lower I set my standards the more accomplishments I have.