A 12-year-old SSH vulnerability still works? IoT device security is a concern - vulnerability warning - the black bar safety net

2016-10-15T00:00:00
ID MYHACK58:62201680174
Type myhack58
Reporter Anonymous
Modified 2016-10-15T00:00:00

Description

Overview

According to the latest foreign media reports, security researchers at Akamai discovered a new type of attack this week. According to the researchers, attackers can use a twelve-year-old SSH vulnerability, together with weak credentials, to attack IoT devices and smart home devices. After gaining control of these networked devices, the attackers can use them as proxies and steal credentials for third-party web applications. So for attackers, the role of networked devices is no longer limited to launching distributed denial of service (DDoS) attacks.

Attack analysis

This attack, known as "credential stuffing", resembles a brute-force attack in its degree of automation, because it too continuously verifies whether stolen passwords are valid. Akamai says that its customers began reporting abnormal network activity in February of this year, and the company's security researchers realized that those customers were likely under attack. The company estimates that at least two million IoT and network devices have been attacked, and that the attackers are using these devices as proxies for credential-stuffing attacks. The attackers are reportedly exploiting a weakness in the SSH configuration, a vulnerability (CVE-2004-1653) that is said to have been fixed as early as 2004.

Akamai senior security research team lead Ezra Caltum said: "According to our findings, the attackers were trying to log in to one of our customers' computer systems by brute force. To avoid having the attack traced back to them, they usually need to use different proxies; otherwise a large number of requests would come from the same IP address. As a result, their attacks would be flagged as malicious."

To this end, Caltum and Ory Segal, senior director of Akamai's threat research center, jointly published a security bulletin this week, which interested readers can consult.

Caltum said: "We found that attackers can still take advantage of this old vulnerability to attack IoT devices. Once the attack succeeds, they use these devices as proxies, and the attackers' goal is to identify valid credentials on the target host."

Although this SSH vulnerability was fixed back in 2004, many IoT device manufacturers clearly still ship their products with a weak SSH configuration. This puts many surveillance cameras, network video recorders, hard disk recorders, satellite antenna equipment, network-attached storage devices, broadband modems, routers and other networked equipment at risk.

During Akamai's forensic investigation, the researchers analysed the suspicious HTTP/HTTPS traffic coming from network video recorders. The analysis showed that there were no unauthorized users on the target device, but when the researchers examined the device's process IDs, they found that all of the active connections were using the SSH daemon, sshd, and that someone had accessed these devices with the default login credentials admin:admin.

Administrators can use SSH to access the device?

Strangely, the admin user is not allowed to connect to the device over SSH: if the administrator attempts to access the device over SSH, the nologin command forcibly drops the connection. However, an attacker can use SSH to set up a SOCKS proxy and thereby bypass the nologin restriction.

Caltum said: "One of the most interesting things is that this is a twelve-year-old vulnerability, and detailed information about it is freely available online. This is not a new type of security vulnerability, and it is already 2016, yet these IoT devices are still affected by it."

From the information currently available, the attackers most likely want to test the validity of these credentials so that they can sell the credential data on elsewhere. Akamai warned that, although at present the attackers only brute-force servers that are reachable from the Internet, internal networks may also be hit by such attacks and deserve attention.

Mitigation

Akamai has therefore given customers some mitigation measures. The company's security researchers say users should immediately change the device's default credentials and, if possible, disable the SSH service. In addition, users can add the configuration item "AllowTcpForwarding No" to the sshd_config configuration file. Users can also configure appropriate firewall rules to prevent SSH access to the networked device from anywhere other than trusted IP addresses.

At the same time, manufacturers producing IoT devices should not only avoid configuring default login credentials but also should not set up any hidden accounts. In addition, devices should leave the factory with SSH disabled by default, or with the TCP forwarding function disabled.

Summary

As information security technology continues to develop, networked devices are gradually becoming an attack weapon in attackers' hands. It is understood that krebsonsecurity.com and some other sites have suffered exceptionally large distributed denial of service attacks. Unlike earlier attacks, the devices used to launch these DDoS attacks were IoT devices. It can therefore be speculated that large botnets made up of IoT devices will likely go on to launch more large-scale network attacks. As things stand, most IoT devices have many security problems, and attackers can exploit these vulnerabilities to take control of IoT devices and use them to attack third-party web services.

Caltum said: "From this point of view, solving IoT device security problems and changing the current state of security seems almost prohibitively difficult. This is just my personal opinion; whether or not you agree with it, I just want to express my own fear and alarm."

In fact, the security problems in these IoT devices go far beyond this. For example, many IoT devices are simply not equipped with a workable update mechanism. Generally, when a manufacturer finds a vulnerability, the device can be updated to improve security. But if a device has no feasible update mechanism at all, what is the user supposed to do?

Caltum said: "First of all, these devices have security problems when they leave the factory. Secondly, users cannot get usable firmware updates. You presumably have some networked devices at home? Can you recall when you last updated their firmware?"

What is certain is that technology keeps moving forward, more devices will connect to the Internet in the future, and attackers will certainly not pass up such an opportunity. So, major networking equipment manufacturers, please take this to heart: it is time to put IoT device security on the agenda!
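The nologin behaviour and the TCP forwarding mitigation described above can be checked together on a device image. The following audit sketch is an added example, not code from Akamai or from the original article: it lists accounts whose shell blocks interactive login while sshd would still allow TCP forwarding for them. The sample passwd and sshd_config contents are constructed, the function names are hypothetical, and Match blocks are deliberately ignored.

```python
import re

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

# Constructed sample inputs (not taken from a real device).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000:web admin:/home/admin:/sbin/nologin
service:x:1001:1001:vendor account:/:/bin/false
"""
SAMPLE_WEAK = """\
# vendor default: forwarding left at the OpenSSH default
Port 22
PasswordAuthentication yes
"""
SAMPLE_HARDENED = SAMPLE_WEAK + "AllowTcpForwarding no\n"

def global_options(sshd_config):
    """Global sshd_config options; sshd uses the first value it reads."""
    opts = {}
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # conditional blocks are out of scope here
            break
        value = parts[1] if len(parts) > 1 else ""
        opts.setdefault(key, value.strip().strip('"').lower())
    return opts

def forwarding_enabled(sshd_config):
    # Conservative: only an explicit "no" counts as disabled
    # (the OpenSSH default is "yes").
    return global_options(sshd_config).get("allowtcpforwarding", "yes") != "no"

def exposed_accounts(passwd, sshd_config):
    """Accounts whose shell refuses a login session but which could still
    open forwarded TCP channels once authenticated."""
    if not forwarding_enabled(sshd_config):
        return []
    rows = (entry.split(":") for entry in passwd.splitlines())
    return [f[0] for f in rows if len(f) == 7 and f[6] in NOLOGIN_SHELLS]
```

Any account this reports should either have forwarding disabled in sshd_config or have its default password changed or the account removed, as the mitigation section recommends.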