
The distributed denial of service attacks against dynamic domain name service provider Dyn this morning have now resurged. The attacks have caused outages at services across the Internet.

But this second wave of attacks appears to be affecting even more providers. According to Dan Drew, the chief security officer at Level 3 Communications, the attack is at least in part being mounted from a "botnet" of Internet-of-Things (IoT) devices.

Drew explained the attack in a Periscope briefing this afternoon. "We're seeing attacks coming from a number of different locations," Drew said. "An Internet of Things botnet called Mirai that we identified is also involved in the attack."


Joomla! Huge-IT Slideshow Extension Multiple Security Vulnerabilities
IBM Security Guardium Database Activity Monitor CVE-2016-0236 Remote Command Injection Vulnerability
Joomla! Huge-IT Portfolio Gallery Manager Multiple Security Vulnerabilities
Adobe Acrobat and Reader APSB16-33 Multiple Memory Corruption Vulnerabilities
RETIRED: ISC BIND CVE-2016-2848 Remote Denial of Service Vulnerability

Dyn.com, a popular dynamic DNS provider and provider of commercial managed DNS services, is currently experiencing a massive DDoS attack. As a result, many sites that are using Dyn.com's services are experiencing issues.

Affected are not just home/hobby sites that traditionally use dynamic DNS services, but also large name-brand sites that use Dyn.com's managed DNS service, for example Twitter, Spotify, Etsy, GitHub and others (domains hosted by Dyn.com often use *.dynect.net nameservers).

You can find status updates from Dyn.com here: https://www.dynstatus.com
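The single-provider dependency the diary points at (many of the affected sites delegated their zones only to *.dynect.net name servers) can be checked from a zone's NS records. This is an added example, not code from the ISC diary; the NS data is constructed rather than looked up live, and the two-label provider heuristic in provider_of is an assumption stated in its comment.

```python
"""Check whether each domain's authoritative name servers all sit with one
DNS provider. Added example (not from the ISC diary); the NS data below is
constructed, not a live lookup."""

# Constructed sample: domain -> NS hostnames as the delegation would list them.
# The all-dynect.net case mirrors the dependency the diary describes.
SAMPLE_NS = {
    "example-shop.test": ["ns1.p10.dynect.net", "ns2.p10.dynect.net",
                          "ns3.p10.dynect.net", "ns4.p10.dynect.net"],
    "example-news.test": ["ns1.p20.dynect.net", "ns1.other-dns.example"],
    "example-blog.test": ["ns1.example-blog.test", "ns2.example-blog.test"],
}


def provider_of(ns_host: str) -> str:
    """Reduce an NS hostname to its provider zone (registrable domain).
    Assumption: a two-label suffix is enough; a public-suffix list would be
    needed to handle names such as ns1.provider.co.uk correctly."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def providers_for(domain: str, ns_hosts: list[str]) -> set[str]:
    """Return the set of distinct provider zones behind a domain's NS set.
    Name servers inside the domain itself are reported as 'self-hosted'."""
    found = set()
    for host in ns_hosts:
        prov = provider_of(host)
        found.add("self-hosted" if prov == domain.lower() else prov)
    return found


def single_provider_domains(ns_records: dict[str, list[str]]) -> dict[str, set[str]]:
    """Keep only domains whose every NS lives with one provider, i.e. where an
    outage or DDoS at that provider takes the whole domain offline."""
    return {d: providers_for(d, hosts)
            for d, hosts in ns_records.items()
            if len(providers_for(d, hosts)) == 1}


if __name__ == "__main__":
    for domain, provs in single_provider_domains(SAMPLE_NS).items():
        print(f"{domain}: all NS with {', '.join(sorted(provs))}")
```

A domain served by two independent providers (example-news.test above) is not flagged; that is the configuration that would have kept resolving during the attack on Dyn.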

Johannes B. Ullrich, Ph.D.

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.


Update (12:04p ET): A second wave of DDoS attacks against Dyn is underway, as of noon Eastern Time today. Dyn is continuing to work on the issue. Our original story follows below; further updates will be added as information becomes available.

A distributed denial of service attack against Dyn, the dynamic DNS service, affected the availability of dozens of major websites and Internet services this morning, including Twitter and Reddit. The attack, which began this morning at 7:10am Eastern Time (12:10pm UK), is apparently focused on Dyn’s US East Coast name servers.

“This morning, Dyn received a global DDoS attack on our Managed DNS infrastructure in the east coast of the United States,” Doug Madory, Director of Internet Analysis at Dyn, said in an e-mail sent to Ars this morning. “DNS traffic resolved from east coast name server locations are experiencing a service interruption during this time.” By 9:20am ET this morning, Dyn had mitigated the attack and services returned to normal.


WordPress hero-maps-pro Plugin 'index.php' Cross Site Scripting Vulnerability
WordPress hdw-tube Plugin 'mychannel.php' Cross Site Scripting Vulnerability
WordPress infusionsoft Plugin CVE-2016-1000139 Cross Site Scripting Vulnerability
WordPress heat-trackr Plugin 'heat-trackr_abtest_add.php' Cross Site Scripting Vulnerability

For a number of years now, Apple has been implementing Activation Lock and Find my iPhone to deter the theft of iOS devices. According to some statistics, this effort has had some success. But with millions of users carrying devices costing $500 and more loosely secured in their pockets, mobile devices far exceed the value of an average wallet.

Activation Lock links a device to a user's iCloud account. If a user configures a new device, the user is asked for iCloud credentials or offered to set up a new iCloud account. A device cannot be activated without providing this information. If you sell or pass on a device, deleting the data from the device is not sufficient; you will also have to remove the link to your iCloud account, for example by turning off Find My iPhone. Changing the setting always requires at least a password (and, if configured, two-factor authentication). Biometrics can be used to unlock the phone, but they cannot be used to remove the iCloud link.

But iOS devices are still being stolen, and thieves have come up with some rather ingenious methods to unlock them:

1 - Phishing E-Mails

If you lose track of an iOS device, you have the option to register it as stolen via Find my iPhone. Once the device is found, you will receive an e-mail or a pop-up on another iOS device. Thieves have used this technique to phish the owner's iCloud credentials. If they are aware of the owner's phone number or e-mail address (it is often displayed as part of the Lost Phone message), then they will send a "Found" e-mail to the address or an SMS to the phone number claiming that the phone has been found. The user is then sent to an iCloud look-alike site that asks the user to log in. The attacker will then use the harvested credentials to unlock the phone. [1]

2 - Purchase Offer

Making an offer to buy your device is probably the most brazen approach. The finder of the phone will contact the displayed phone number and offer to buy the phone from you. Making a purchase offer is particularly popular if the phone was found in a foreign country and the owner is already back home, since shipping the phone back to the owner would often be quite expensive. The finder then asks the owner to unlock the phone before payment is received, to prove that the owner is legitimate.

3 - Password Resets

In many cases, your phone is critical to resetting your password because you configured various sites (including iCloud) to send reset codes via SMS to your phone. On a locked phone, SMS messages may still appear on the screen, as will many messages from other applications (like iMessage or WhatsApp). An attacker can also remove the SIM card from a phone and plug it into another phone to receive messages, unless your SIM card is secured with a PIN code.

How to Secure Your Devices

- Set up two-factor authentication

Apple offers two-factor as well as two-step authentication. If you enable it, make sure you keep the recovery code in a safe place. Apple does not offer a way to turn off two-factor authentication if you lose your recovery options. This can be the case in particular if your iPhone is lost/stolen and it was the only device you configured for two-factor authentication. Try to set up multiple devices to receive the code so you have a backup. [4]

- Enable Find my iPhone.

This will allow you to locate a lost device if the device is connected to a network (WiFi or Cellular). You should also configure the feature to transmit its location before the device runs out of power.

- Limit messages displayed on the lock screen

You can configure what is displayed on the lock screen for each application. It may be ok to see things like news items, but you should not display e-mail content, SMS messages or output from other messaging applications like Skype.

- Protect your SIM card with a PIN

I find that in the US, most SIM cards arrive unlocked. In Europe, SIM cards are often locked via a PIN. But even if your SIM card is not locked, you can usually configure a PIN for it. Before you do so, make sure that you have the current PIN code (usual default is 1111 or 234) and the PUK code, which can be used to recover a locked card. In many cases, you can look it up on your carrier's website, or it may be included with your SIM card. Write the PUK down and keep it in a safe place. Your phone will allow you to configure a new PIN (but the PUK is fixed). Now you will have to enter the PIN whenever you power up the phone or whenever you remove the SIM card and plug it into a new phone.

- Test Lost my iPhone.

It is important to test the Lost my iPhone feature to make sure you have it set up correctly. See this article at MacRumors for more details [3].


Johannes B. Ullrich, Ph.D.

Nuuo NT-4040 Titan CVE-2016-6553 Insecure Default Password Vulnerability
Intellian Satellite TV t-Series and v-Series CVE-2016-6551 Insecure Default Password Vulnerability
Green Packet DX-350 CVE-2016-6552 Insecure Default Password Vulnerability
Multiple Synology DiskStation Products CVE-2016-6554 Insecure Default Password Vulnerability