News in brief: New IoT grief; Old patch lessons; Older voting tech


Linux IoT devices used for spam

In the past year, attackers have increasingly used Linux vulnerabilities in an attempt to target IoT (Internet of Things) devices. BrickerBot is one example, and it’s hard to forget Mirai, the IoT botnet that launched one of the largest and most powerful distributed denial of service (DDoS) attacks in recent history — striking DNS provider Dyn and its customers, impacting major services like Twitter, Reddit and Spotify last October.

Now comes a new IoT botnet out to turn those devices into spam recipients and relays rather than a DDoS platform.

Reports credit the malware with the ability to send about 2800 spam messages a week through each compromised device. That’s not a patch on the 5 million we think a compromised desktop can send in a week (without its owner noticing, by the way) but any amount greater than none is more spam than you want.

Industry experts continue to predict an increase in this type of malware — and big attacks like the one against Dyn last year.

Security expert Bruce Schneier has even predicted that the world is one big IoT attack away from government regulatory action.

Finance badly unpatched

During the WannaCry outbreak in May, we noted that it its spread was made possible in part by the unheeded lessons of the past. Few should have been shocked by its rapid spread – especially those who remember Slammer and Conficker.

Here was yet another case where malware was able to go global by exploiting old vulnerabilities long since patched by the vendors. From our article at the time:

Those contagions  – ancient malware by today’s standards – spread through exposed Microsoft vulnerabilities. WannaCry spread the same way. In each case, Microsoft had already released a patch for the security holes. And so for some, an important lesson continues to go unrecognized:  that organizations must keep a close watch for patch updates and deploy the fixes immediately.

Unfortunately, it seems, the lessons continue to go unlearned, especially in the financial sector. The Register cites a study from NCC Group Security saying that vulnerabilities across the the industry have increased more than fivefold. From the article:

NCC categorized vulnerabilities found in 168 financial services organizations using a number of different scanning methods. The results revealed that the number detected within the sector has increased sharply over the last four years, rising from an average per organization of 217 vulnerabilities in 2013 to 910 in 2016.

Of the security holes marked as high and medium risk, about 25% were web app framework flaws (frameworks such as the Apache Struts). Almost all could be fixed by updating the affected platforms or tools.

The lesson here is the same as it’s been for a long time: IT shops must keep an eye out for patches and other updates made to the technology they depend upon, and install patches as quickly as possible.

Hacking fears could bring back paper ballots

Alleged Russian attempts to disrupt the 2016 US presidential election has states that use electronic-only voting machines considering a return to paper ballots. A report from National Public Radio (NPR) focuses on one effort from the small city of Conyers, Georgia.

For more than a decade, voters in Conyers have clamored for paper ballots, but Georgia had long since abandoned paper for electronic voting. So has Delaware, Louisiana, New Jersey and South Carolina.

Indeed, fears of Russian meddling in the 2016 election have prompted more states to go back to a paper trail. From the report:

Recently, Virginia decertified the kind of electronic-only machines used in Georgia. And Delaware just put out a bid for machines that used paper. If one part of the voting system is compromised or even just questioned, paper can be a backup for audits and recounts.

Of course, swapping out the voting machines is an expensive business. As a result, a lot of cities and towns have pushed back on demand for paper ballots. But some officials appear to be scared enough by 2016 to put aside their desires to control spending.

Catch up with all of today’s stories on Naked Security