Monthly Archives: June 2017

DDOS Attacks on the Rise

Distributed Denial of Service (DDoS) attacks leverage compromised devices to generate a flood of traffic, overwhelming online services and rendering them unresponsive. DDoS services are widely available on the internet, with research by Trend Micro finding that the small cost of US$150 can buy a DDoS attack for a week. (It also brings organised crime into your life – but that’s a different point!) The latest statistics from Cisco reveal that the number of DDoS attacks grew by 172% in 2016. Combine this with an average DDoS attack size of 1.2Gbps, capable of taking most organisations offline, and there is real cause for concern among cyber security experts. It is hard to trace DDoS attacks to their proprietors, as the majority of devices used in attacks belong to innocent users. Organisations must understand the risk and impact posed by DDoS attacks, and implement mitigation strategies that promote business continuity in the face of these attacks. Industry peers must share knowledge where appropriate, and keep government agencies adequately informed, to deter hackers from launching a DDoS attack. Cisco expects that the number of DDoS attacks in the future will only get worse, with 3.1 million predicted attacks in 2021 globally. Source: http://www.natlawreview.com/article/ddos-attacks-rise

See the original article here:
DDOS Attacks on the Rise

It’s 2017, and UPnP is helping black-hats run banking malware

Pinkslipbot malware copies Conflicker for C&C channel Another banking malware variant has been spotted in the wild, and it’s using UPnP to pop home routers to expose unsuspecting home users, recruited as part of the botnet.…

Read the article:
It’s 2017, and UPnP is helping black-hats run banking malware

Bigger & smaller – DDoS threats here to stay with conflicting trends

The noise created by distributed denial of service attacks is higher than ever – with vendors and attackers complicating the picture – but what do enterprises need to worry about? Distributed Denial of Service (DDoS) attacks were one of the most talked about threats at InfoSecurity Europe 2017. One of the things vendors couldn’t agree on however, is the trend for their size and thus whether we should be defending against increasing numbers of small attacks or more frequent mega-attacks. Corero Network Security, who met with SC during the conference, said in a press release that, “the greatest DDoS risk for organisations is the barrage of short, low volume attacks which mask more serious network intrusions”. Research from the firm says that “despite several headline-dominating, high-volume DDoS attacks over the past year, the vast majority (98 percent) of the DDoS attack attempts against Corero customers during Q1 2017 were less than 10 Gbps per second in volume.” It added: “they are just disruptive enough to knock a firewall or intrusion prevention system (IPS) offline so that the hackers can target, map and infiltrate a network to install malware and engage data exfiltration activity.” Ashley Stephenson, CEO at Corero Network Security, explains: “Short DDoS attacks might seem harmless, in that they don’t cause extended periods of downtime. But IT teams who choose to ignore them are effectively leaving their doors wide open for malware or ransomware attacks, data theft or other more serious intrusions. Just like the mythological Trojan Horse, these attacks deceive security teams by masquerading as a harmless bystander – in this case, a flicker of internet outage – while hiding their more sinister motives.” DDoS protection has traditionally been something that major enterprises were able to deploy by having their traffic run through a supplier network at huge cost. The alternative was to switch traffic over to their DDoS protection provider in the event of an attack – but this could cause a delay of about 20 minutes while the company under attack found who to call and explain what was happening, the whole time that the attack was escalating. Instead, Laurent Gil, co-founder at Zenedge, explained to SC Media UK how his company’s approach to DDoS protection is different. “We have an always-on monitoring system on the cloud so there is nothing to install for the customer, it’s the same SSL as an ‘always on’ solution, but always on in the cloud for monitoring and analysing of traffic patterns and when the early signs of an attack are spotted, we automatically re-route traffic to our scrubbing centre within 60 seconds – down from the 20 minutes it takes non-automated systems,” Gil told SC. He added that because the traffic only switched on demand, when there is an attack, it is less cost than if it had to be handled all the time and with a 60 second response, it still mitigated against the attack ramping up. “It’s a tectonic shift in the market,” says Gil, adding, “We we can onboard many more enterprises, without them spending millions of dollars, which is what’s needed for a for mid-market enterprise. DDoS protection did not exist for these companies because they couldn’t afford it. It’s not that the traditional prime protection providers are losing revenues, but the market is much wider now than it was previously.” In contrast to Corero, veteran vendor Imperva, hosted sessions which could be misconstrued as ‘humble-brags’ named “how we stopped a 650Gbps DDoS attack over lunch”. Imperva points out that the source code of the Mirai botnet going open source has meant that the Tools, Tactics and Procedures (TTP) of botnet criminals have taken a step up. And naturally, it is prepared to protect against this threat with one of it’s “behemoth” data centre appliances. Imperva’s Robert Hamilton, director of product marketing, hosted the sessions and said “DDoS attacks aren’t going away anytime soon”. Raj Samani, chief scientist of Mcafee told SC: “The number is completely subjective. When we saw the beginnings of DDoS as an extortion tactic it was brushed off since the throughput wasn’t significant enough to worry most enterprises, then all of a sudden the firepower increased to in excess of 50Gbps. Whilst this number for many organisations can be easily managed (as we saw with DDoS providers withstanding 620Gbps attacks), the reality is that the firepower of DDoS attacks are on the up. What is the magic number that will cause concern? Well, it will be whatever hasn’t been tested against!” That may be the case, but then Akamai, another DDoS protection giant says in its Q1 2017 State of the Internet report that “the mega attacks are outliers that represent the limits enterprises must be prepared to defend against. However, the overwhelming number of smaller attacks means that these mega attacks have little impact on the trend lines that defend the median attack size, which is a better indicator of what an organisation is most likely to see.” Akamai raises another important point: the rise in use of IoT devices which are compromised for malicious use – such as using an “internet-enabled toaster to mine bitcoins” – are likely to end up contributing to harsher DDoS attacks as these devices are eventually recruited into the mega-botnets which carry out such attacks. A new report from Kaspersky Lab, also released after InfoSec, shows that when organisations are attacked by a DDoS, “customer-facing resources suffer more in banking, than in any other sector.” “For example, 49 per cent of banks that have suffered a DDoS attack have had their public website affected (compared to 41 percent of non-financial institutions) and 48 percent have had their online banking affected when they’ve been targeted by DDoS.” “Recovering from DDoS is also more expensive for banks than non-financial organisations. The report shows that a DDoS incident can cost a financial institution US$ 1,172,000 (£917,427) to recover from, compared to US$ 952,000 (£745,000) for businesses in other sectors.” Kirill Ilganaev, head of Kaspersky DDoS Protection, Kaspersky Lab said in a press release, “In the banking sector reputation is everything, and security goes hand-in-hand with this. If a bank’s online services come under attack, it is very difficult for customers to trust that bank with their money, so it’s easy to see why an attack could be so crippling. If banks are to protect themselves effectively from the price tag of an online banking cybersecurity incident, they first need to become more prepared for the dangers DDoS attacks pose to their online banking services. This threat should be featuring higher on banks’ security priorities.” Kaspersky Lab is encouraging financial institutions to share security intelligence to be better prepared for dealing with the threat of an attack on their online banking services. Source: https://www.scmagazineuk.com/bigger-smaller–ddos-threats-here-to-stay-with-conflicting-trends/article/668725/

Read this article:
Bigger & smaller – DDoS threats here to stay with conflicting trends

DDoS attacks continue to morph

According to Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks, while reflection and amplification techniques have come to characterise a large number of complex, multi-vector DDoS attacks, the latest approach is to use reflection to exploit connection-less lightweight directory access protocols (CLDAPs). Traditionally, large attacks based on reflection or amplification were the likes of NTP, DNS, SNMP, SSDP, SQL RS or Chargen. “But this new trend has now been discovered ‘in the wild’, with the force to generate highly efficient and destructive results,” he says. What is CLDAP? CLDAP is essentially a computer networking protocol designed for legitimate users to query and modify stored data on X.500 directory systems. It is typically used on Windows Exchange servers and domain controllers. By providing directory and access control, one can use CLDAP to locate printers on a network, find a phone number of an employee, or see the security groups a user belongs to, for instance. The modus operandi involves the attacker spoofing the source of a connectionless protocol, pinging the server with ultra-small queries. The server then responds to the victim with a far larger response. Initial findings suggest that this approach can amplify the initial response in the region of 46 to 55 times the size. “This makes CLDAP attacks highly efficient. A well-orchestrated attack that exploits an organisation’s vulnerabilities could very quickly achieve massive total attack size, and bring down the digital systems of all but the largest and best-protected organisations.” Primary targets Reports* from cloud giant Akamai show that the largest example of CLDAP reflection as the sole vector resulted in a payload of 52 bytes, amplified to as much as 70 times in this case – creating an attack data payload of 3,662 bytes, a peak bandwidth of 24Gbps, and 2 million packets per second. CLDAP attacks have primarily targeted the software and technology industry. Other industries targeted include internet and telecom, media and entertainment, education, retail and consumer goods, and financial services. Fighting back To effectively resist this type of DDoS attack, organisations need to thoroughly address the potential threat at a network level, by covering a number of bases: Prevent abuse: Ensure that you have anti-spoofing deployed at the edges of your networks. Detect attacks: Leverage flow telemetry exported from all network edges to Arbor technology, to automatically detect, classify, traceback, and alert on DDoS attacks. Ready mitigation techniques: Deploy network infrastructure-based reaction/ mitigation techniques such as Source-Based Remotely-Triggered Blackholing (S/RTBH) and flowspec at all network edges. Mitigate attacks: Deploy intelligent DDoS mitigation systems at strategic points within your network. Minimise damage: Deploy Quality-of-Service (QoS) mechanisms at all network edges to police CLDAP traffic down to an appropriate level. Remediate CLDAP services: Proactively scan for and remediate abusable CLDAP services on the ISP and customer networks to reduce the number of abusable CLDAP servers. “Like many other reflection techniques, organisations must always have ingress filtering in place. Unless there is a real need for your firm to have CLDAP available over the internet, you shouldn’t expose this protocol,” concludes Hamman. Source: http://www.bizcommunity.com/Article/196/661/163351.html

Excerpt from:
DDoS attacks continue to morph

Don’t all rush out at once, but there are a million devices ripe to be the next big botnet

As bad as Mirai was, it could have been much worse A wormable vulnerability involving an estimated one million digital video recorders (DVR) is at risk of creating a Mirai-style botnet, security researchers warn.…

More:
Don’t all rush out at once, but there are a million devices ripe to be the next big botnet

US Blames North Korea For Series Of DDoS Attacks

The Department of Homeland Security and the Federal Bureau of Investigation issued a rare cybersecurity bulletin linking North Korea to a series of attacks that have targeted global businesses and critical infrastructure since 2009. The alert focuses on a malware strain called DeltaCharlie, which DHS and FBI say was used by the North Korean government to launch distributed denial of service attacks. DDoS attacks use floods of web traffic from compromised devices to knock websites or services offline. North Korea targeted “the media, aerospace, financial, and critical infrastructure sectors in the United States and globally,” the alert says. The US government refers to North Korea’s hacking team as Hidden Cobra, but cybersecurity firms often use the slightly less sinister name Lazarus Group. The North Koreans have also been linked to the WannaCry ransomware that spread virally in May and shut down hospitals and businesses. WannaCry primarily targeted unpatched Windows machines, and it sounds like the Lazarus Group’s DDoS malware is also primarily exploiting devices that run old versions of Windows. “The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation,” the alert notes. Windows typically stops issuing patches for older operating systems after they have been retired, but the company today released patches that thwart WannaCry on outdated devices, ZDNet reports. Although DHS and FBI released data that will help detect and mitigate Lazarus Group attacks, the agencies said more research is necessary to “understand the full breadth” of the group’s capabilities. Source: https://www.gizmodo.com.au/2017/06/us-blames-north-korea-for-series-of-ddos-attacks/

More:
US Blames North Korea For Series Of DDoS Attacks

Internet hygiene still stinks despite botnet and ransomware flood

Millions of must-be-firewalled services sitting wide open Network security has improved little over the last 12 months – millions of vulnerable devices are still exposed on the open internet, leaving them defenceless to the next big malware attack.…

More here:
Internet hygiene still stinks despite botnet and ransomware flood

DDoS attacks hitting ‘record-breaking’ levels as volumes increase 380%

DDoS attackers are hitting hard, fast and with no breaks in between, leading to record-breaking attacks over hours or even days, according to Nexusguard’s Q1 2017 Threat Report. Those record-breaking attacks over Valentine’s Day, Chinese New year and other ‘typically quiet’ periods during the season. “In APAC, a lengthy attack January 28-31, the period of Chinese New Year, lasted 2 days, 19 hours, and 40 minutes. It was a widespread, disruptive event that left celebrants weary and exhausted upon returning to work,” the report says. DDoS attack volumes have also risen 380% since the same time last year, according to Nexusguard’s statistics, based on 16,600 attacks. While 51% of attacks lasted fewer than 90 minutes, 4% exceeded 1440 minutes. 77.3% of attacks were less than 10Gbps, while 20% were between 10-200Gbps and 2% exceeded 200Gbps. The United States, China and Japan rounded out the top three sources for attacks. The rest of APAC was relatively unused as an attack source. However it’s not just DDoS attacks that are on the rise: HTTP flood attacks jumped 147% in the last quarter alone. It is now one of the leading volumetric attacks, exceeding both TCP and DNS attacks. The company cites the Internet of Things as a major weak point, particularly as the range of insecure devices and connections expodes. DDoS attacks can be persistent and long-lasting, which is a major area of concern. “IoT botnets are only the beginning for this new reign of cyber attacks. Hackers have the scale to conduct gigantic, continuous attacks; plus, teams have to contend with attacks that use a combination of volumetric and application aspects,” comments Nexusguard’s CTO Juniman Kasman. Those attacks are not happening in isolation. 93% of attacks combine application and volumetric vulnerabilities. Multiple DDoS attacks can also overwhelm systems. The company warns that organisations that haven’t invested in – or haven’t upgraded – multi-layered defense mechanisms run the highest risk of attack exposure. “This early data for 2017 shows that enterprises need to employ multi-layered defenses that use nimble resources, including large, redundant scrubbing networks and around-the-clock security operations if they hope to keep from drowning in the deluge of new attacks,” Kasman adds. Source: https://securitybrief.co.nz/story/ddos-attacks-hitting-record-breaking-levels-volumes-increase-380/

Continue reading here:
DDoS attacks hitting ‘record-breaking’ levels as volumes increase 380%

Ten steps for combating DDoS in real time

To the uninitiated, a distributed denial-of-service (DDoS) attack can be a scary, stressful ordeal. But don’t panic. Follow these steps by David Holmes, senior technical marketing manager: Security, F5 Networks, to successfully fight an attack: If you appear to be suffering a volumetric attack, it helps to have a historical sense of your own traffic patterns. Keep a baseline of normal traffic patterns to compare against. If you have determined that you are under a DDoS attack, record the estimated start time in your attack log. Monitor volumetric attacks. Remember to keep a monitoring web page open to indicate when the attack may be over (or mitigated). You will need to follow (up to) 10 steps for your DDoS mitigation: Step 1: Verify the attack Not all outages are caused by a DDoS attack. DNS misconfiguration, upstream routing issues, and human error are also common causes of network outages. You must first rule out these types of non-DDoS attacks and distinguish the attack from a common outage. · Rule out common outages: The faster you can verify the outage is a DDoS attack, the faster you can respond. Even if the outage was not caused by a misconfiguration or other human error, there may still be other explanations that resemble a DDoS attack. · Check outbound connectivity: Is there outbound connectivity? If not, then the attack is so severe that it is congesting all inbound and outbound traffic. Check with your usual diagnostic tools (such as traceroute, ping, and dig) and rule out all such possibilities. · Rule out global issues: Check Internet weather reports, such as Internet Health Report and the Internet Traffic Report, to determine if the attack is a global issue. · Check external network access: Attempt to access your application from an external network. Services and products that can perform this kind of monitoring include: Keynote testing and monitoring, HP SiteScope agentless monitoring, SolarWinds NetFlow Traffic Analyzer, and Downforeveryoneorjustme.com. · Confirm DNS response: Check to see if DNS is responding for your website. The following UNIX command resolves a name against the OpenDNS project server: % dig @208.67.222.222 yourdomain.com Step 2: Contact team leads. Once the attack is verified, contact the leads of the relevant teams. If you have not filled out any quick reference sheets or a contact list, create one now or use our templates. When an outage occurs, your organisation may hold a formal conference call including various operations and applications teams. If your company has such a process in place, use the meeting to officially confirm the DDoS attack with team leads. · Contact your bandwidth service provider: One of the most important calls you can make is to the bandwidth service provider. List the number for your service provider in your contact sheet. The service provider can likely confirm your attack, provide information about other customers who might be under attack, and sometimes offer remediation. · Contact your fraud team: It is especially important to invoke the fraud team as soon as the attack is verified. DDoS attacks can be used as cover to hide an infiltration. Logs that would normally show a penetration may get lost during a DDoS attack. This is why high-speed, off-box logging is so important. Step 3: Triage applications Once the attack is confirmed, triage your applications. When faced with an intense DDoS attack and limited resources, organisations have to make triage decisions. High-value assets typically generate high-value online revenue. These are the applications you will want to keep alive. Low-value applications, regardless of the level of legitimate traffic, should be purposefully disabled so their CPU and network resources can be put to the aid of higher-value applications. You may need the input of team leads to do this. Ultimately, these are financial decisions. Make them appropriately. Create an application triage list; it takes only a few minutes to fill one out, and will greatly assist in making tough application decisions while combating an actual DDoS event. Decide which applications are low priority and can be disabled during the attack. This may include internal applications. Step 4: Protect partners and remote users. · Whitelist partner addresses: Very likely you have trusted partners who must have access to your applications or network. If you have not already done so, collect the IP addresses that must always be allowed access and maintain that list. You may have to populate the whitelist in several places throughout the network, including at the firewall, the Application Delivery Controller (ADC), and perhaps even with the service provider, to guarantee that traffic to and from those addresses is unhindered. · Protect VPN users: Modern organisations will whitelist or provide quality-of-service for remote SSL VPN users. Typically this is done at an integrated firewall/ VPN server, which can be important if you have a significant number of remote employees. Step 5: Identify the attack Now is the time to gather technical intelligence about the attack. The first question you need to answer is “What are the attack vectors?” There are four types of DDoS attack types, these are · Volumetric: flood-based attacks that can be at layers 3, 4, or 7; · Asymmetric: designed to invoke timeouts or session-state changes; · Computational: designed to consume CPU and memory; and · Vulnerability-based: designed to exploit software vulnerabilities. By now you should have called your bandwidth service provider with the information on your contacts list. If the attack is solely volumetric in nature, the service provider will have informed you and may have already taken steps at DDoS remediation. Even though well-equipped organisations use existing monitoring solutions for deep-packet captures, you may encounter cases where you have to use packet captures from other devices, such as the ADC, to assist in diagnosing the problem. These cases include: SSL attack vectors and FIPS-140. Step 6: Evaluate source address mitigation options If Step 5 has identified that the campaign uses advanced attack vectors that your service provider cannot mitigate (such as slow-and-low attacks, application attacks, or SSL attacks), then the next step is to consider the following question: “How many sources are there?” If the list of attacking IP addresses is small, you can block them at your firewall. Another option would be to ask your bandwidth provider to block these addresses for you. · Geoblocking: The list of attacking IP address may be too large to block at the firewall. Each address you add to the block list will slow processing and increase CPU. But you may still be able to block the attackers if they are all in the same geographic region or a few regions you can temporarily block. The decision to block entire regions via geolocation must be made as a business decision. Finally, if there are many attackers in many regions, but you don’t care about any region except your own, you may also use geolocation as a defence by blocking all traffic except that originating from your region. · Mitigating multiple attack vectors: If there are too many attackers to make blocking by IP address or region feasible, you may have to develop a plan to unwind the attack by mitigating “backwards”; that is, defending the site from the database tier to the application tier, and then to the web servers, load balancers, and finally the firewalls. You may be under pressure to remediate the opposite way; for example, mitigating at layer 4 to bring the firewall back up. However, be aware that as you do this, attacks will start to reach further into the data centre. Step 7: Mitigate specific application attacks If you have reached this step, the DDoS attack is sufficiently sophisticated to render mitigation by the source address ineffective. Tools such as the Low Orbit Ion Cannon, the Apache Killer, or the Brobot may generate attacks that fall into this category. These attacks look like normal traffic at layer 4, but have anomalies to disrupt services in the server, application, or database tier. To combat these attacks, you must enable or construct defences at the application delivery tier. Once you have analysed the traffic in Step 4, if the attack appears to be an application-layer attack, the important questions are: Can you identify the malicious traffic? Does it appear to be generated by a known attack tool? Specific application-layer attacks can be mitigated on a case-by-case basis with specific F5 counter-measures. Attackers today often use multiple types of DDoS attack vector, but most of those vectors are around layers 3 and 4, with only one or two application-layer attacks thrown in. We hope this is the case for you, which will mean you are nearly done with your DDoS attack. Step 8: Increase application-level security posture. If you have reached this step in a DDoS attack, you’ve already mitigated at layers 3 and 4 and evaluated mitigations for specific application attacks, and you are still experiencing issues. That means the attack is relatively sophisticated, and your ability to mitigate will depend in part on your specific applications. Asymmetric application attack: Very likely you are being confronted with one of the most difficult of modern attacks: the asymmetric application attack. This kind of attack can be: · A flood of recursive GETs of the entire application. · A repeated request of some large, public object (such as an MP4 or PDF file). · A repeated invocation of an expensive database query. Leveraging your security perimeter: The best defence against these asymmetric attacks depends on your application. For example, financial organisations know their customers and are able to use login walls to turn away anonymous requests. Entertainment industry applications such as hotel websites, on the other hand, often do not know the user until the user agrees to make the reservation. For them, a CAPTCHA (Completely Automated Public Turning test to tell Computers and Humans Apart) might be a better deterrent. Choose the application-level defence that makes the most sense for your application: A login wall, human detection or real browser enforcement. Step 9: Constrain resources. If all the previous steps fail to stop the DDoS attack, you may be forced to simply constrain resources to survive the attack. This technique turns away both good and bad traffic. In fact, rate limiting often turns away 90 to 99 percent of desirable traffic while still enabling the attacker to drive up costs at your data centre. For many organisations, it is better to just disable or “blackhole” an application rather than rate-limit it. · Rate shaping: If you find that you must rate-limit, you can provide constraints at different points in a multi-tier DDoS architecture. At the network tier, where layer 3 and layer 4 security services reside, use rate shaping to prevent TCP floods from overwhelming your firewalls and other layer 4 devices. Connection limits: Connection limits can be an effective mitigation technique, but they do not work well with connection-multiplexing features. Application tier connection limits should provide the best protection to prevent too much throughput from overwhelming your web servers and application middleware. Step 10: Manage public relations Hacktivist organisations today use the media to draw attention to their causes. Many hacktivists inform the media that an attack is underway and may contact the target company during the attack. Financial organisations, in particular, may have policies related to liability that prevent them from admitting an attack is underway. This can become a sticky situation for the public relations manager. The manager may say something like, “We are currently experiencing some technical challenges, but we are optimistic that our customers will soon have full access to our online services.” Journalists, however, may not accept this type of hedging, especially if the site really does appear to be fully offline. In one recent case, a reporter called a bank’s local branch manager and asked how the attack was proceeding. The branch manager, who had not received media coaching, responded, “It’s awful, we’re getting killed!” If the DDoS attack appears to be a high-profile hacktivist attack, prepare two statements: · For the press: If your industry policies allow you to admit when you are being externally attacked, do so and be forthright about it. If policy dictates that you must deflect the inquiry, cite technical challenges but be sure to prepare the next statement. · For internal staff, including anyone who might be contacted by the press: Your internal statement should provide cues about what to say and what not to say to media, or even better, simply instruct your staff to direct all inquiries related to the event back to the PR manager. Include a phone number. Anton Jacobsz, managing director at Networks Unlimited, a value-adding reseller of F5 solutions throughout Africa, notes that it is the organisations focusing on a holistic security strategy that are considered forward-looking and ahead of the digital economy curve. “In a digital age – where sensitive or personal information is at risk of being exposed, and where geo-location and sensor-based tools track movements – organisations need to be prepared for a cyber attack. It has become essential to scrutinise security throughout the entire operation and offerings in order to build the strongest cornerstones for establishing trust between company, employees and consumers,” says Jacobsz. Source: http://www.itnewsafrica.com/2017/06/ten-steps-for-combating-ddos-in-real-time/

Read More:
Ten steps for combating DDoS in real time

Where does the cyber security buck stop?

Late last year, Bruce Schneier testified before the U.S. House Energy and Commerce committee asking them to consider imposing security regulations on the Internet of Things (IoT). Schneier argued that neither IoT buyers nor sellers care about a device’s security. Sellers are interested in quickly releasing inexpensive products to market, while buyers only care about getting cool gadgets for cheap. This unhealthy and unsecure IoT market results in incidents like the Mirai botnet, in which … More ?

More here:
Where does the cyber security buck stop?