To experts, cybersecurity is a two-way street, something that should be looked at and taken care of by both vendors and users.
The distributed denial-of-service (DDoS) attack on an Internet performance and management company back in October again raised renewed concerns over cybersecurity, especially at a time when devices, including those for security, are more and more migrating towards IoT. And according to a local expert, cybersecurity is a two-way street, something that should be looked at and taken care of by both vendors and users.
In the October incident, a DDoS attacked was launched against Dyn, an Internet performance and management company based in New Hampshire. The result was a shutdown of service across various famous sites including Amazon, the Financial Times and Netflix. It was suspected that various networkable devices, including those related to security such as cameras and NVRs, were used as robotic attackers after being affected by a malware called Mirai (ミライor Japanese for “future”). The source code of the malware includes various default username-password pairs that, upon close examination, came from known Chinese and Taiwanese security brands, according to the blog Krebs on Security.
Bowen Hsu, Project Manager at Devcore Co., said that the use of default usernames and passwords has its historical reasons. “In the past, to facilitate maintenance and repairs, and to enable the user to enter the administration page quickly, the hardware vendor usually wrote one or multiple sets of username/passwords into their device. For malware like Mirai, it exploits this kind of vulnerability and takes control of the hardware. Without changing the default username/password the user literally stands defenseless against this malware,” he said.
Yet, as security and non-security devices migrating to IoT, converging networkable equipment on the Internet has become an inevitable trend. What vendors and end users should do, therefore, is to take the necessary measures to protect themselves and minimize cybersecurity risk as much as possible.
For vendors, Hsu suggested that they can take the following measures:
- To force the user to change the default username and password;
- To force the user to refrain from using weak passwords, using the top 500 weak passwords provided by various network security companies as a reference;
- Never to store the password as is, but rather to add a salt or PBKDF2 value to make it harder to crack;
- To encrypt the firmware so as to render it illegible even if a hacker has downloaded it;
- Alert the user of major security upgrades with obvious, noticeable messages that pop up on the user’s device, for example;
- Conduct penetration tests periodically.
As for the user, they should also take precautions against intrusion. According to Hsu, they can take the following measures:
- Change the default username/password the first time they use the device to at least eight characters including large-cap and small-cap letters, numerals, and special symbols;
- Upgrade firmware periodically;
- Refrain from sharing accounts with others;
- Refrain from opening suspicious e-mails and related attachments so as to prevent hackers from planting a backdoor into the system.
Product Adopted:Others