MAJOR security flaw found in Belkin WeMo, "deathtrap"

Yep, that's my point exactly - that both threats are relatively slim. And I haven't heard any evidence that the hacking fire starter is more likely than the random fire bomber. :)

In other words it's interesting, but not very actionable.
 
Well, the difference is that the one can be done with almost zero chance of getting caught, while the other entails considerable risk to the fire bomber. And the first is something that you can randomly get targeted with, it's crazy how many people are out there constantly attempting to hack into any system available. If you run a web site and look at the logs you'll see how common it is. It's extremely unlikely anyone is going to firebomb you unless they know you and have something personally against you. Large numbers of people's computers get hacked every day, while the number of fire bombers is quite small.
 
There are appreciable differences in risk.
 
Dean Roddey said:
Well, the difference is that the one can be done with almost zero chance of getting caught, while the other entails considerable risk to the fire bomber. And the first is something that you can randomly get targeted with, it's crazy how many people are out there constantly attempting to hack into any system available. If you run a web site and look at the logs you'll see how common it is. It's extremely unlikely anyone is going to firebomb you unless they know you and have something personally against you. Large numbers of people's computers get hacked every day, while the number of fire bombers is quite small.
 
There are appreciable differences in risk.
This is exactly what I was referring to. At work, we checked into the syslogs of a few different routers that we've put online... There were literally thousands of login attempts on each router within a couple of weeks. The majority of which seem to originate from other countries.
 
The internet, as I've said elsewhere before, is effectively The Lord of the Flies writ large. It is proof that, even in this modern world, if allowed to be immoral without consequences, a large percentage of people will do so. If it's not trying to hack into other people's systems for malicious reasons or for personal profit, it's stealing the work of others by the containerful. It's what the world would be without laws (and enforcement of them to some reasonable degree.) If you don't protect yourself, you will get whacked.
 
And yeh, these days there are people, often government or terrorist sponsored, who are constantly trying to create havoc, steal information, interrupt services and so forth. On top of that are lots of people who are anti-this or anti-that or just generally malicious who will do it just for the thrill of it, as well.
 
Eventually, either the internet is going to have to be tightened up, or it's going to cease to be a useful tool. And it'll be an interesting process because a lot of people will fight to the death to prevent it from happening, and they will be from a broad spectrum of interests. Such a tightening will likely make it far harder to steal stuff (and get away with it trivially anyway), and that in and of itself will cause a huge backlash. But I can't see how the internet can continue to become more central to our lives and still remain a completely anarchic system in which it is almost impossible to catch anyone doing anything to anybody.
 
Interesting perspective... I'd bet I'd have less of a chance of getting caught tossing the bottle myself than having my IP address tied to a targeted attack... High Tech Forensics are pretty good these days and with the CALEA requirements of ISPs and the logging that goes on everything you do is tracked/logged somewhere - if you're a big enough target, they'll find you.
 
If you are in another country it doesn't matter, and even less so if you are being paid by that country to attack other countries, which is clearly going on out there. Even if you are in this country it's pretty simple to hide your tracks. If you are in the business of hacking other people's computers, all you need is a trojan running on their machines and you just do the attack through their infected machine. There's about zero chance it would ever get traced back to you if you know what you are doing. There are lots of available proxy servers out there as well, which will provide another layer of anonymity for attackers or thieves.
 
And the other problem is that there's about zero chance you are going to get any serious government to investigate someone attacking you through your home automation system anyway. It's pretty unlikely to happen. And even if you are a more high profile victim, there are lots of known attacks and lots more that never get publicized, but how many convictions a year occur? I imagine it's a tiny percentage, right?
 
I think you would have vastly more likelihood of getting caught tossing the bottle than a reasonably well planned cyber attack. Foot prints, security cameras, traffic cameras, chemical traceability of the gas, tire tracks, human witnesses you never realized were there, etc... It's vastly easier to do crime on the internet and not get caught. You never have to get anywhere near (physically or even digitally) the victim. The internet was never designed to be remotely secure. It developed in an open academic environment and without fundamental changes it will never be particularly safe, AFAIK.
 
Dean Roddey said:
Eventually, either the internet is going to have to be tightened up, or it's going to cease to be a useful tool. And it'll be an interesting process because a lot of people will fight to the death to prevent it from happening, and they will be from a broad spectrum of interests. Such a tightening will likely make it far harder to steal stuff (and get away with it trivially anyway), and that in and of itself will cause a huge backlash. But I can't see how the internet can continue to become more central to our lives and still remain a completely anarchic system in which it is almost impossible to catch anyone doing anything to anybody.
 
I vote for everyone having their own AIs to act as personal watchdogs :p Well, maybe someday, for now, how about a truly user friendly and intelligent home firewall?
 
Even that won't help really fix things. A huge problem is that there's almost no reasonable (and no widely used) way to ensure that an e-mail you receive is from who it claims to be. That in and of itself is a key factor in so much of the mayhem that goes on out there, from bounced e-mail spam attacks to DOS attacks to phishing e-mails. It's trivial to fake source e-mail addresses, and servers can't even report legitimate failures back to senders because that will just be used by spammers or DOS hackers.
 
The notifications I get from my bank or credit card company or various other folks are almost useless because I get so many fake ones from hackers. I often get hundreds of bogus BBB complaint notifications a week, so if I did actually get a real one, I'd never know it since I just can't spend the time required to find the legitimate ones. Not that I expect to get any, but if I did I'd want to know.
 
I spend a stupid amount of my already almost non-existent life going through e-mails to make sure I'm not failing to respond to a customer, and it gets harder and harder to weed the wheat from the chaff. If you don't use a spam filter you will have to manually go through them. If you do, then they will inevitably eat legitimate customer e-mails so you still have to go through them unless you are willing to risk pissing off your customers. Many customers just assume that e-mail is a robust means of communications when it's not, and if you don't respond, they typically assume it's your fault. I see so many people on fora screaming about how no one should do business with so and so because they don't respond to e-mails, when the company (when finally contacted by another means) never saw any such e-mails or their own replies never got there. Spammers send hundreds of e-mails using your e-mail and you get on various server black lists without ever knowing it, and responses are not forwarded.
 
It's becoming a joke really. It's not going to be a useful business tool eventually.
 
And see the other thread that was just posted about security flaws in security camera systems. These systems also use UPnP to open up a router port if it's not disabled on the router, to make the cameras available to the outside world, on top of the other security issues they are discussing in that quoted article, just as I was talking about above.
 