Insecurity Cameras

How 1.5 million connected cameras were hijacked to make an unprecedented botnet _(September 2016 article )_. Hacked Cameras, DVRs Powered Massive Internet Outage _(October 2016 article )_.

Hackers found a vulnerability, which affects most of DAHUA's cameras, that allows anyone to take full control of the devices' underlying Linux operating system just by typing a random username with too many characters. The hackers then planted malware on the devices to turn them into bots and use them for both DDoS attacks as well as for extortion campaigns using ransomware. A security researcher put online six virtual machines designed to look like ADSL routers running Linux operating systems just like the ones targeted by Miraiā€”in other words, a set of honeypots. It took only an average of 15 minutes for these to get hit with Mirai malware

.

Perverse irony that pervasive installation of cameras to deter crime should create a platform for such massive criminal attacks. Poetic justice revealing the threat of surveillance.

Recent news of related attacks. FBI's urgent request to reboot your router (May 2018 article )

This morning I bumped into my friend Ben who is Chief Security Officer for the City of Boulder. His main focus has been increasing herd immunity through persistent education about basic cyber security among city employees.

People in parks and recreation install wi-fi enabled sprinklers. Do they know to change the admin passwords? Do they know _how_ ? Will they choose good random passwords? How much more effective is it to educate people vs having Network Security people routinely drive by all the parks to scan them for vulnerabilities?

He and his peers, elite security professionals, have fallen for spear phishing scams. He shares that with profound humility and sobriety.

> None of us will fare any better if the phishing scams can fool the best of us.

Considering even well trained employees:

> No business professional can safely ignore an email with the subject "invoice overdue" with an attached PDF file. Nor can they responsibly choose to _not_ open that PDF.