As a follow-up to my previous post on DDOS attacks [1,2], I’ve seen a lot of so-called ‘solutions’ to the problem, which really aren’t solutions at all.

While it’s still not explicitly clear that the StarHub DDOS was executed by Mirai, a recently released malware built specifically for DDOS, the timing and similarity of it to other Mirai attacks leave little room for doubt–at least to me.

If indeed, StarHub was a victim of a Mirai based attack, it would seem extremely odd that their CTO would reference phishing emails as a vector for infection. So a few things don’t quite line up here, including the advice from the CTO to change the default username and password, when Brian Krebs already reported that doesn’t quite help:

Several readers have pointed out that while advising IoT users to change the password via the device’s Web interface is a nice security precaution, it may or may not address the fundamental threat. That’s because Mirai spreads via communications services called “telnet” and “SSH,” which are command-line, text-based interfaces that are typically accessed via a command prompt (e.g., in Microsoft Windows, a user could click Start, and in the search box type “cmd.exe” to launch a command prompt, and then type “telnet” <IP address> to reach a username and password prompt at the target host).

The trouble is, even if one changes the password on the device’s Web interface, the same default credentials may still allow remote users to log in to the device using telnet and/or SSH.

If you're more technically inclined, I strongly suggest listening the feature interview on last week's risky business podcast.

But the last piece of advice that the StarHub CTO gave, that didn't make sense to me at all was this:

"If you were to buy a webcam from Sim Lim Square, try to get a reputable one"

Again, this may seem like good advice, but it doesn't conform to the evidence. Brian Krebs has a list of devices that are hack-able, and they include the likes of Panasonic, RealTek, Samsung and Xerox. All of which regular consumers would consider 'reputable'.

So StarHub claimed that you should change your passwords--but doesn't protect you from Mirai.

StarHub claim that you should buy equipment from 'reputable' suppliers, but even reputable suppliers produce hackable IOT devices, that can't be secured.

Finally StarHub are going to be sending technicians out in the field to help subscribers, and while this is laudable, it's not a sustainable solution. It only fixes a short-term problem, because as long consumers continue to buy hack-able IOT devices, the threat isn't going to go away.

And how often can StarHub afford to send technicians to make home visits before the cost start becoming un-bearable?

The way to view this issue is from a legal, economical and technical perspective--and in that order.

Customers of Singaporean ISP StarHub, suffered two major disruptions to their service over the past week, in what the telco said was a result of a “intentional and likely malicious distributed denial-of-service (DDoS) attacks”.

Oh the humanity!!

In what appears to be a copycat of the Dyn attack we saw (at roughly the same time), the attack signals the first local salvo in the war of IOT devices. But is it really that serious?

If you’re wondering what the hell happened, let’s walk this through step-by-step, from the attackers perspective.

In 2 days time, the South-East Asian nation of Malaysia will go through its 13^th General Election since 1955. Some might look negatively on the number 13, but for the vast majority of Malaysians the coming few days will either raise our hopes or shatter them.

Malaysia has had only 1 party in power since it’s independence—that’s a long time to be in power, and for the first time since 1955 the ruling party in Malaysia is under threat, not just to lose it’s 2/3rd majority in Parliament, but the entire elections altogether, and with it control of the Federal Government.