A Massive Botnet of CCTV Cameras Involved In Ferocious DDoS Attacks (softpedia.com)
An anonymous reader writes: "A botnet of over 25,000 bots is at the heart of recent DDoS attacks that are ferociously attacking businesses across the world with massive Layer 7 DDoS attacks that are overwhelming Web servers, occupying their resources and eventually crashing websites," reports Softpedia. This botnet's particularity is the fact that attacks never fluctuated and the attackers managed to keep a steady rhythm. This is not a classic botnet of infected computers that go on and off, but of compromised CCTV systems that are always on and available for attacks. The brands of CCTV DVRs involved in these attacks are the same highlighted in a report by a security researcher this winter, who discovered a backdoor in the firmware of 70 different CCTV DVR vendors. These companies had bought unbranded DVRs from Chinese firm TVT. When informed of the firmware issues, TVT ignored the researcher and the issues were never fixed, leading to crooks creating this huge botnet.
I'm curious (Score:2, Insightful)
So TVT, despite being chinks, are actually a bunch of big lipped stinking nasty chocolatey worthless nigger jigaboo porch monkeys!!
I'm curious.
Does anyone know why these posts keep appearing? It seems like there's one at the top of every discussion.
I can't imagine a real purpose for this.
Does anyone know what the goal or intent is? Can anyone explain how this benefits the poster in any way?
Re: (Score:2)
Once in a while is OK (Score:3)
If you don't respond to it, then people browsing at >=1 will never know it exists. That is the good thing about this mod system. Plus, I don't think porch monkey is a racist term. My grandmother used to call me and my sister porch monkeys all the time.
Yeah - In that definition I'm probably a porch monkey as well. Similar to "couch potato".
I think a lot of people are responding "don't respond" as a reflex action from political correctness. That's fine, and we shouldn't respond, but...
It also prevents us from talking about it. I've noticed these in a *lot* of posts, they always seem to get first post, and they're blatantly garbage.
It doesn't hurt to start a discussion once-in-a-while, and I'm not promoting his view by quoting and asking "WTF?".
We have a lo
Re: (Score:2)
Would you rather have APK? Or the appy app app LUDDITE guy?
Don't feed the trolls, don't even try to understand them.
For any The Amazing World of Gumball viewers, these appy app apk racial epithet types probably look and feel *just* like TAWOG's representation of the Internet: An old-school 1990's tan PC with CRT monitor living in a basement [nocookie.net], surrounded by decades-old pizza debris, constantly hounded by his Mom.
If I were that, I'da tripped my own circuit breaker years ago.
Re: (Score:2)
Would you rather have APK? Or the appy app app LUDDITE guy?
No, and yes, in that order.
The APPY APP guy is just a clown, APK is a festering boil on the internet's anus.
Re: (Score:1)
So I stopped coming to /. for like 6 years.
Is this what replaced goatse links and gnaa?
Re: (Score:2)
So I stopped coming to /. for like 6 years.
Is this what replaced goatse links and gnaa?
Pretty much, yeah.
Re: (Score:2)
Re: (Score:1)
No-one is a real person 'til you are 18, or even 21. Even then you may only be able to find 'junior' positions and pay.
There's fewer frontiers (and they get further away each year). Everything is owned. A pittance is set aside for shared use, in limited and proscribed ways.
If you are talented, focussed, hard working and lucky you may be able to make a mark, exert some influence on the world around you. For every one that makes it, there are dozens, hundreds that don't.
The social contracts and covenants are
Re: (Score:2)
That is damn near poetic. Too bad you wrote it as an AC.
Re: (Score:2)
Does anyone know why these posts keep appearing?
Because some people have no life and just love to spew their nonsensical hatred.
Re: (Score:2)
I believed that the anonymous poster was very proud of his pangram and wrote a bot to spam Slashdot, but I just noticed that the X and Z letters were not used.
Owned (Score:2, Funny)
by the Chinese. What's new?
Re: (Score:2)
Re: (Score:2)
Can we crowd fund a DDoS attack on TVT? Any takers?
No. This is what diplomacy is for.
Re: (Score:1)
So why hasn't this happened already? Because of the famous step 3: Profit! If someone at the federal level takes this seriously enough to intervene, then it sets a precedent that compani
Re: (Score:2)
Until some part of the Federal Government takes responsibility for stopping this crap it will continue
Why is it the responsibility of the government and not you?
Here is a thought. You (not you personally, but you the collective) have gone the route of buying the cheapest CCTV systems in the world, should be held civilly liable for their use and maintenance. This means, that if I can trace any part of a DDOS to your CCTV system, I can sue you and your corporation for damages. And so can everyone else affected by your hacked and damaged system.
Small claims courts are great for death by a million paper cuts. I
Re: (Score:2)
Go look at the NVR or DVR in your employer's security center (if that's allowed). Can you tell who made it? Probably not. HikVision, Indigo, etc. don't make their own hardware, they contract it out. Possibly if you open the case you might see a label, but you might not. For a decade SuperMicro made all the DVRs for Lenel, and the only way you could tell is if you got into the password-protected BIOS. This issue was first discovered on an NVR from an Israeli company, would you automatically assume that
IoCT (Score:1)
The Internet of Compromised Things strikes again. Vulnerability as a Service isn't just for luddites and apps anymore.
Chinese CCTV (Score:1)
Network Design Flaw (Score:3)
A piece of hardware still provides that connection, from network to network. So why are those pieces of hardware designed to allow naughty unnecessary communications. There is no reason why that hardware should be capable of executing a DDOS attack, a simple timing issue, that should be hardware locked.
Re: (Score:3)
So why are those pieces of hardware designed to allow naughty unnecessary communications.
The problem is not that they're designed to allow naughty unnecessary communication, the problem is that they're not designed not to.
It's like designing a door with a knob but no lock- there was no thought given to keeping the bad guys out.
This is going to be a bigger and bigger problem with the advent of IoT crap (the Internet Of Trash).
Re: (Score:1)
So why are those pieces of hardware designed to allow naughty unnecessary communications.
The problem is not that they're designed to allow naughty unnecessary communication, the problem is that they're not designed not to.
It's like designing a door with a knob but no lock- there was no thought given to keeping the bad guys out.
This is going to be a bigger and bigger problem with the advent of IoT crap (the Internet Of Trash).
So they have no firewall on their network to prevent un-authorized access from outside the building? I think that's the point he was trying to make. No one should be able to connect to and manipulate this device in the first place.
Re: (Score:2)
So they have no firewall on their network to prevent un-authorized access from outside the building? I think that's the point he was trying to make.
Of course not, this is Joe and Jane Sixpack we're talking about here. They buy it, they plug it in. The End. They wouldn't know a firewall if they tripped over one.
-
No one should be able to connect to and manipulate this device in the first place.
Oh I totally agree, and that was the point I was trying to make. These things are designed without even a passing thought to security, and they get hacked because 99.999999999% of consumers don't have any firewall in place, nor do they even know that they need one. (Or that such a thing even exists.)
In other words, they aren't designed to not be
Re: (Score:2)
this is Joe and Jane Sixpack we're talking about here. They buy it, they plug it in. The End.
Oh, no, it's considerably worse than that. Most security hardware installers will happily drop the customer's NVR on the Internet outside of the company firewall, and then proudly show the customer that they can now access the cameras on their frelling smartphone. I have been railing for years on LinkedIn and other venues the necessity of protecting security equipment from the network, to no avail. Installing and
Re: (Score:1, Interesting)
The problem is that all these IoT things are being built conveniently using stock Linux kernels on top of cheap CPUs. This is general compute hardware in the most general sense - whole PCs serving really simple purposes. The reasons for this is simple; the skills required to assemble a kernel to perform a particular task are reasonably well known. There's lots of programmers around that can duct-tape together a system with these things.
These systems could be made much more secure if they could execute their
Re: (Score:2)
Booting them from ROM would actually make things worse, since you'd not be able to upgrade them; the vulnerable version would remain there until the device was trashed. Those launching attacks could just exploit vulnerabilities and load their code into RAM; the backdoor would be lost after a reboot, but these devices rarely reboot anyway.
And the problem with these devices is pretty much always due to their own crappy code and not the existing Linux code the devices are running.
The same problem occurs with sma
Re: (Score:1)
Yes, you can. You can flash ROM. It's done all the time.
Time for a factory recall??? (Score:1)
Maybe it's time for the government to order a factory recall.
Re: (Score:2)
It's China, a nice deposit in a regulator's bank account and any such order evaporates.
It's likely that TVT has no clue where all the devices even went, they sell to wholesalers who sell to wholesalers who sell to rebranders who sell to wholesalers who sell to retailers. Good luck tracking that down.
Re: (Score:2)
I wonder how much money TFT is making by selling access to the Botnet they got other people to purchase and deploy for them.
Re: (Score:2)
The liability should be on those who purchase crappy IoT devices because they are "cheap". If they are compromised, they (the owners) should be sued into oblivion by those who are affected, and make the device owners go back to the manufacturer to recoup their losses. Right now, our legal system, the victim (the public DDOS recipient) has almost no way to recoup their losses from crappy products that have been hacked. These CCTV devices are on corporate networks, and as such they (the corporate networks) sh
TFT selling Botnet time. (Score:3)
I wonder how much money TFT is making by selling access to the Botnet they got other people to purchase and deploy for them.
Pretty ingenious really.
List of affected brands (Score:4, Informative)
(Extra characters to get past slashdot's minimum characters per line filter. Who the hell thought it would be a good idea to make a filter which basically prohibits lists, and also prevents you from putting the padding out of the way at the end of the post?)
Ademco
ATS Alarmes technology and systems
Area1Protection
Avio
Black Hawk Security
Capture
China security systems
Cocktail Service
Cpsecured
CP PLUS
Digital Eye'z no website
Diote Service & Consulting
DVR Kapta
ELVOX
ET Vision
Extra Eye 4 U
eyemotion
EDS
Fujitron
Full HD 1080p
Gazer
Goldeye
Goldmaster
Grizzly
HD IViewer
Hi-View
Ipcom
IPOX
IR
ISC Illinois Security Cameras, Inc.
JFL Alarmes
Lince
LOT
Lux
Lynx Security
Magtec
Meriva Security
Multistar
Navaio
NoVus
Optivision
PARA V
Why are these cameras even connected to the net? (Score:2)
As someone who has some experience with CCTV DVRs, all of the DVRs I've worked with are the same: fanless computers with cases so thick they're practically mil-spec that get set up once and then immediately locked up in a room (to which only a handful of people on-site are allowed to have a key). The DVRs themselves are on an intranet with the cameras that has no outside internet access. The process works because no one can hack the network without physically being present in the building (at which point th
Re: (Score:2)
All kinds of reasons...
Some people want to monitor the premises from a remote site...
Some companies want to centralise their cctv monitoring to save costs.
There is already an ethernet network present, cheaper than running separate cabling for ip cameras.
Re: (Score:2)
All of those things can be provided, by proper IT.
Remote Monitoring - Virtual Desktop Infrastructure. Only systems inside the firewall can use the CCTV system, and VDI provides a way into the inside of the firewall. The CCTV system is on a non-routable VLAN that traffic cannot leave the premises. No hacking, no DDOS, no nothing.
Centralized Monitoring - VLANs and VPNs. By setting up proper VPNs and VLANs, you can properly isolate systems from the outside, while providing the same level of service (perhaps eve
Re: (Score:2)
All of those things can be provided, by proper IT.
Remote Monitoring - Virtual Desktop Infrastructure. Only systems inside the firewall can use the CCTV system, and VDI provides a way into the inside of the firewall. The CCTV system is on a non-routable VLAN that traffic cannot leave the premises. No hacking, no DDOS, no nothing.
Centralized Monitoring - VLANs and VPNs. By setting up proper VPNs and VLANs, you can properly isolate systems from the outside, while providing the same level of service (perhaps even better service) for properly maintaining a single central monitoring service. The issue here is that in order to do this, you have to have an IT dept that can articulate why it needs to isolate networks from each other properly.
Ethernet Present - Yup, and probably the switching/routing needed to properly VLAN and VPN the whole thing so that you can use existing infrastructure to isolate traffic from each other on the same equipment. Cheap ass networking gear excepted.
Good IT is expensive, bad IT is costly.
Well, I'm going to lose the mod points I provided, but what the heck.
The type of customer these products are targeted for - small businesses or homes - they do not have proper IT. Now, it is not a fault of these type of customers (to a degree). It is more the manufacturer's faults for not designing products that are *obviously* aimed that does not have dedicated/proper IT.
It should not be impossible to provide a COTS, drop-in CCTV solution that only connects from the cameras to the DVR and to pair the
Re: (Score:1)
All kinds of reasons...
Some people want to monitor the premises from a remote site... Some companies want to centralise their cctv monitoring to save costs. There is already an ethernet network present, cheaper than running separate cabling for ip cameras.
That still doesn't explain why it's insecure. VPNs are cheap. Install a router/firewall where you can VPN in and then manage from there.
Re: (Score:1)
So the cameras can be remotely monitored.
Re: (Score:2)
I monitor cameras at sites in 21 countries on every continent but Africa and Antarctica (and we're going to drop a site in South Africa next year). **NOT ONE** is directly on the Internet. There is absolutely no reason for any of these NVRs to be on the Internet, except laziness by the installer and salescritters. I have been barking up this tree for years on LinkedIn, that a VPN is cheap and easy to install, and the vast majority of even professional security system installers who work with Fortune 500
Insert free slashvertisment for Sucuri (Score:1)
Their first meeting with the botnet came when a jewelry shop that was facing a prolonged DDoS attack opted to move their website behind Sucuri's main product, its WAF (Web Application Firewall)."
CCTV DoS can be fun (Score:2)
Many years ago I worked at a major networking hardware manufacturer (one who should know their stuff, but somehow let this happen). This was maybe '04 or '05 or so. Seems they had installed some kind of security camera system that ran on a Windows platform. Like one per camera or maybe one per four cameras or something. And because it's all wrapped up as a product, you can't just stick McAfee on it. Yes, I know, what the ever loving fuck. They were deployed all over the company. Hooked up via gigabit Ethern
Mind-numbingly Stupid That It's Even Possible (Score:2)
Why do CCTVs have outbound access to the internet at all?
If a CCTV feed really needs to leave the premises, that's what VPN is for.
Between the security and privacy issues, someone should be losing their job.
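The rule several commenters argue for (DVRs and cameras on an isolated segment with no direct Internet access, remote viewing only through a VPN) can be audited from flow logs. The sketch below is an added example, not part of any comment in this thread; the CCTV subnet, all addresses and the flow records are constructed, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Assumed site layout; every address below is a constructed example value.
CCTV_NET = ipaddress.ip_network("10.20.30.0/24")   # camera/DVR VLAN
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    (0,   "10.20.30.11", "10.20.0.5",    554),  # DVR -> internal viewer: fine
    (5,   "10.20.30.12", "203.0.113.80", 80),   # DVR -> Internet web server
    (65,  "10.20.30.12", "203.0.113.80", 80),
    (70,  "10.20.30.11", "10.20.0.1",    123),  # DVR -> internal NTP: fine
    (125, "10.20.30.12", "203.0.113.80", 80),
    (130, "10.20.30.13", "198.51.100.7", 443),  # one-off outbound connection
    (140, "10.1.1.50",   "203.0.113.80", 443),  # office PC, not in CCTV VLAN
    (185, "10.20.30.12", "203.0.113.80", 80),
]

def is_internal(ip):
    """True if the address lies inside the site's own address space."""
    return any(ip in net for net in INTERNAL_NETS)

def leaves_site(src, dst, cctv_net):
    """True for a flow from the CCTV VLAN to an address outside the site."""
    return (ipaddress.ip_address(src) in cctv_net
            and not is_internal(ipaddress.ip_address(dst)))

def egress_violations(flows, cctv_net=CCTV_NET):
    """Map each CCTV device to the (dst, port) pairs it reached off-site."""
    hits = defaultdict(set)
    for _ts, src, dst, port in flows:
        if leaves_site(src, dst, cctv_net):
            hits[src].add((dst, port))
    return dict(hits)

def steady_offenders(flows, window=60, min_buckets=3, cctv_net=CCTV_NET):
    """CCTV devices with off-site traffic in min_buckets consecutive windows,
    the always-on, non-fluctuating pattern the summary describes."""
    buckets = defaultdict(set)
    for ts, src, dst, _port in flows:
        if leaves_site(src, dst, cctv_net):
            buckets[src].add(ts // window)
    offenders = []
    for src, seen in buckets.items():
        best = run = 0
        prev = None
        for b in sorted(seen):
            run = run + 1 if prev is not None and b == prev + 1 else 1
            best = max(best, run)
            prev = b
        if best >= min_buckets:
            offenders.append(src)
    return sorted(offenders)

if __name__ == "__main__":
    print(egress_violations(SAMPLE_FLOWS))
    print(steady_offenders(SAMPLE_FLOWS))
```

On a correctly isolated segment `egress_violations` returns an empty mapping; any entry means a firewall or VLAN rule is letting the device reach the Internet directly.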