The source code for a large IoT Mirai botnet components was published in early October 2016. It was known that there were mainly IoT devices in the botnet, including CCTV and DVR, almost 400,000 devices — extremely powerful botnet for DDoS attacks.
We saw at least two major attacks through Mirai botnet: Brian Krebs’ website was subjected to DDoS attack at speed of about 620 Gb/s; the French OVH hosting provider underwent an even more powerful DDoS attack of 1 Tb/s.
Botnet’s logic of spreading and devices’ infection indicates that digital cameras or IoT were not initially the target of its creators. They focused on finding connected to the Internet devices with standard default factory passwords: as a result, ordinary home computers, servers and routers got easily into the botnet’s target area.
That is confirmed by 61 standard default passwords in the botnet code, which helped to create such an impressive network of infected devices. Mirai's logic is simple and effective: the program scans all available devices via telnet and then tries the passwords from the list to access them.
The password list of Mirai contains many popular combinations like "admin: admin" or "admin: password". Typically, these are default fabric passwords and are supposed to be changed by the user to its own strong one, but people very often forget or are too lazy to do it.
In some cases, home devices are "code-wired" to the service accounts, and users do not even have access to it because it is not documented or in manual. Such cases are not rare for major manufacturers product releases: it could be a mistake, or company specialists might forget to clear the code from the release version of some technical accounts used for development needs. As an example of such a mistake, there is the NX-OS operating system vulnerability used in the Cisco Nexus 3000 Series and 3500 Platform switches. There was found a password for Telnet access with root rights in the code, which can not be disabled.
We know, that the Internet of Things (IoT) is currently under an active development, but not all companies focused on security and implementing SSDLC standards in its development, as did telecommunication equipment manufacturers, for example.
That’s why Mirai botnet creators were able to create a malicious software for different architectures with such an ease.
Here are our recommendations for passwords security.
Tips for strengthening security
To keep the password strong follow these three simple rules:
- Forget about short easy-to-remember passwords;
- Forget about the same password to different resources;
- Forget about entering your password on computers you can not trust.
To remember strong complex passwords use a decent Password Keeper. It may generate random passwords for specified durability.
One reliable password must be remembered to protect the whole password database, but you may use a passphrase of 20-30 characters for it.
If your Password Keeper supports two-factor authentication using a smart card or USB Security Token, it dramatically increases the security level and narrows the "opportunity window" for the attacker.
Of course, Password Keeper programs may lead to the loss of all saved passwords if the master password is compromised. That risk must be taken into account.
Many password storage programs have versions for mobile operating systems and often synchronized through the cloud service. It is certainly convenient, but convenience is almost always inconsistent with security…
The best choice, IMHO, is KeePass on trusted computers with the database protected by a long passphrase, and no passwords in the clouds or on mobile devices.