Quotulatiousness

November 2, 2016

Online security theatre: “We sell biometric authentication systems to people who need a good password manager”

Filed under: Technology — Nicholas @ 09:06

Joey DeVilla linked to this discussion of the Mirai botnet and the distressing failures of online security … not for the brilliance and sophistication of the attack (it was neither), but the failure to address simple common-sense security issues:

I’ve written about 1988’s Morris worm, and I wanted to dig into the source of the Mirai botnet (helpfully published by the author) to see how far we’ve come along in the past 28 years.

Can you guess how Mirai spreads?

Was there a new zero-day in the devices? Hey, maybe there was an old, unpatched vulnerability hanging — who has time to apply software updates to their toaster? Maybe it was HeartBleed 👻?

Nope.

Mirai does one, and only one thing in order to break into new devices: it cycles through a bunch of default username/password combinations over telnet, like “admin/admin” and “root/realtek”. For a laugh, “mother/fucker” is in there too.

Default credentials. Over telnet. That’s how you get hundreds of thousands of devices. The Morris worm from 1988 tried a dictionary password attack too, but only after its buffer overflow and sendmail backdoor exploits failed.

Oh, and Morris’ password dictionary was larger, too.
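Seen from the defender's side, the behaviour the quoted piece describes (one source cycling default usernames over telnet, then getting in) is easy to spot in a device's login log if the device keeps one. The script below is an added example, not code from the original post, from Quotulatiousness or from the Mirai source: the `telnetd` log line format and the sample lines are constructed for it, and its default-username list holds only the two usernames named above.

```python
"""Flag Mirai-style default-credential guessing over telnet in login logs.

Added example: the log format, hostnames, addresses and timestamps below are
constructed for illustration and do not come from any real device.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Usernames from the default pairs quoted above (admin/admin, root/realtek).
# Only the username appears in a failed-login line, so detection keys on it.
DEFAULT_USERNAMES = {"admin", "root"}

# Constructed format:
#   <ISO timestamp> <host> telnetd[<pid>]: login <failed|succeeded> for user '<user>' from <ip>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for user '(?P<user>[^']*)' from (?P<ip>[\d.]+)$"
)

# Constructed sample log: one source guessing three usernames in seconds and
# then succeeding, one legitimate typo, one slow trickle below the threshold.
SAMPLE_LOG = """
2016-10-21T03:12:01 cam01 telnetd[412]: login failed for user 'admin' from 198.51.100.7
2016-10-21T03:12:03 cam01 telnetd[412]: login failed for user 'root' from 198.51.100.7
2016-10-21T03:12:05 cam01 telnetd[412]: login failed for user 'support' from 198.51.100.7
2016-10-21T03:12:08 cam01 telnetd[412]: login succeeded for user 'root' from 198.51.100.7
2016-10-21T03:15:40 cam01 telnetd[415]: login failed for user 'operator' from 203.0.113.5
2016-10-21T03:20:00 cam01 telnetd[416]: login failed for user 'admin' from 198.51.100.9
2016-10-21T03:25:00 cam01 telnetd[417]: login failed for user 'admin' from 198.51.100.9
2016-10-21T03:30:00 cam01 telnetd[418]: login failed for user 'admin' from 198.51.100.9
not a telnetd line at all
""".strip().splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
    return event


def detect_credential_guessing(lines, window=timedelta(seconds=60), threshold=3):
    """Return {source_ip: alert} for sources with `threshold` or more failed
    telnet logins inside any `window`. Each alert records which usernames were
    tried, which of them are known defaults, and whether the same source later
    logged in successfully (the device most likely still has a default credential).
    """
    events = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is not None:
            events[event["ip"]].append(event)

    alerts = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "failed"]

        # Sliding window over the failures: any run of `threshold` within `window` is a hit.
        burst = False
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j]["ts"] - failures[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                burst = True
                break
        if not burst:
            continue

        tried = {e["user"] for e in failures}
        alerts[ip] = {
            "failed_attempts": len(failures),
            "usernames_tried": sorted(tried),
            "default_usernames_tried": sorted(tried & DEFAULT_USERNAMES),
            "login_succeeded": any(e["result"] == "succeeded" for e in evs),
        }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_guessing(SAMPLE_LOG).items():
        print(ip, alert)
```

The `login_succeeded` flag is the one worth paging on: a burst of failures followed by a success from the same source means a guessed credential worked, which is exactly the Mirai case, and the fix is to change the default password and stop exposing telnet rather than to tune the threshold.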
